diff options
| author | Henning Baldersheim <balder@yahoo-inc.com> | 2022-12-05 13:52:45 +0000 |
|---|---|---|
| committer | Henning Baldersheim <balder@yahoo-inc.com> | 2022-12-05 13:52:45 +0000 |
| commit | 9f366b35f293bddc9ebb727d29210b694deffef2 (patch) | |
| tree | e4b08bb7c1988725017369b573e01e6b4b59c923 /security-tools/src | |
| parent | 4892496ed1cd0e6b420f68c77fb46f29df47889e (diff) | |
GC unused security-tools
Diffstat (limited to 'security-tools/src')
10 files changed, 0 insertions, 534 deletions
diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/CliOptions.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/CliOptions.java deleted file mode 100644 index 38c6483a184..00000000000 --- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/CliOptions.java +++ /dev/null @@ -1,69 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.security.tool.securityenv; - -import com.yahoo.security.tls.TransportSecurityUtils; -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.CommandLineParser; -import org.apache.commons.cli.DefaultParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Option; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; - -import java.io.PrintStream; -import java.io.PrintWriter; -import java.util.Arrays; - -import static java.util.stream.Collectors.joining; - -/** - * Defines the program's command line parameters. - * - * @author bjorncs - */ -class CliOptions { - static final String SHELL_OPTION = "shell"; - static final String HELP_OPTION = "help"; - - private static final Options OPTIONS = new Options() - .addOption( - Option.builder("s") - .longOpt(SHELL_OPTION) - .hasArg(true) - .required(false) - .desc(String.format("Shell type. Shell type is auto-detected if option not present. Valid values: %s.", - Arrays.stream(UnixShell.values()) - .map(shell -> String.format("'%s'", shell.configName())) - .collect(joining(", ", "[", "]")))) - .build()) - .addOption(Option.builder("h") - .longOpt(HELP_OPTION) - .hasArg(false) - .required(false) - .desc("Show help") - .build()); - - static CommandLine parseCliArguments(String[] cliArgs) throws ParseException { - CommandLineParser parser = new DefaultParser(); - return parser.parse(OPTIONS, cliArgs); - } - - static void printHelp(PrintStream out) { - HelpFormatter formatter = new HelpFormatter(); - PrintWriter writer = new PrintWriter(out); - formatter.printHelp( - writer, - formatter.getWidth(), - "vespa-security-env <options>", - String.format("Generates shell commands that defines environments variables based on the content of %s.", - TransportSecurityUtils.CONFIG_FILE_ENVIRONMENT_VARIABLE), - OPTIONS, - formatter.getLeftPadding(), - formatter.getDescPadding(), - String.format("The output may include the following variables:\n%s\n", - Arrays.stream(OutputVariable.values()) - .map(variable -> String.format(" - '%s': %s", variable.variableName(), variable.description())) - .collect(joining("\n")))); - writer.flush(); - } -} diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java deleted file mode 100644 index 1dcff1d27ab..00000000000 --- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/Main.java +++ /dev/null @@ -1,89 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.security.tool.securityenv; - -import com.yahoo.security.tls.MixedMode; -import com.yahoo.security.tls.TransportSecurityOptions; -import com.yahoo.security.tls.TransportSecurityUtils; -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.ParseException; - -import java.io.PrintStream; -import java.util.EnumSet; -import java.util.Map; -import java.util.Optional; -import java.util.TreeMap; - -import static com.yahoo.vespa.security.tool.securityenv.CliOptions.HELP_OPTION; -import static com.yahoo.vespa.security.tool.securityenv.CliOptions.SHELL_OPTION; - -/** - * Implementation of the 'vespa-security-env' command line utility. - * - * @author bjorncs - */ -public class Main { - - private final PrintStream stdOut; - private final PrintStream stdError; - - Main(PrintStream stdOut, PrintStream stdError) { - this.stdOut = stdOut; - this.stdError = stdError; - } - - public static void main(String[] args) { - Main program = new Main(System.out, System.err); - int statusCode = program.execute(args, System.getenv()); - System.exit(statusCode); - } - - int execute(String[] cliArgs, Map<String, String> envVars) { - boolean debugMode = envVars.containsKey("VESPA_DEBUG"); - try { - CommandLine arguments = CliOptions.parseCliArguments(cliArgs); - if (arguments.hasOption(HELP_OPTION)) { - CliOptions.printHelp(stdOut); - return 0; - } - UnixShell shell = arguments.hasOption(SHELL_OPTION) - ? UnixShell.fromConfigName(arguments.getOptionValue(SHELL_OPTION)) - : UnixShell.detect(envVars.get("SHELL")); - - Map<OutputVariable, String> outputVariables = new TreeMap<>(); - Optional<TransportSecurityOptions> options = TransportSecurityUtils.getOptions(envVars); - MixedMode mixedMode = TransportSecurityUtils.getInsecureMixedMode(envVars); - if (options.isPresent() && mixedMode != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) { - outputVariables.put(OutputVariable.TLS_ENABLED, "1"); - if (options.get().isHostnameValidationDisabled()) { - outputVariables.put(OutputVariable.DISABLE_HOSTNAME_VALIDATION, "1"); - } - options.get().getCaCertificatesFile() - .ifPresent(caCertFile -> outputVariables.put(OutputVariable.CA_CERTIFICATE, caCertFile.toString())); - options.get().getCertificatesFile() - .ifPresent(certificateFile -> outputVariables.put(OutputVariable.CERTIFICATE, certificateFile.toString())); - options.get().getPrivateKeyFile() - .ifPresent(privateKeyFile -> outputVariables.put(OutputVariable.PRIVATE_KEY, privateKeyFile.toString())); - } - shell.writeOutputVariables(stdOut, outputVariables); - EnumSet<OutputVariable> unusedVariables = outputVariables.isEmpty() - ? EnumSet.allOf(OutputVariable.class) - : EnumSet.complementOf(EnumSet.copyOf(outputVariables.keySet())); - shell.unsetVariables(stdOut, unusedVariables); - return 0; - } catch (ParseException e) { - return handleException("Failed to parse command line arguments: " + e.getMessage(), e, debugMode); - } catch (IllegalArgumentException e) { - return handleException("Invalid command line arguments: " + e.getMessage(), e, debugMode); - } catch (Exception e) { - return handleException("Failed to generate security environment variables: " + e.getMessage(), e, debugMode); - } - } - - private int handleException(String message, Exception exception, boolean debugMode) { - stdError.println(message); - if (debugMode) { - exception.printStackTrace(stdError); - } - return 1; - } -} diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java deleted file mode 100644 index 0dc4b573e66..00000000000 --- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/OutputVariable.java +++ /dev/null @@ -1,31 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.security.tool.securityenv; - -/** - * Define the possible environment variables that the program may output. - * - * @author bjorncs - */ -enum OutputVariable { - TLS_ENABLED("VESPA_TLS_ENABLED", "Set to '1' if TLS is enabled in Vespa"), - CA_CERTIFICATE("VESPA_TLS_CA_CERT", "Path to CA certificates file"), - CERTIFICATE("VESPA_TLS_CERT", "Path to certificate file"), - PRIVATE_KEY("VESPA_TLS_PRIVATE_KEY", "Path to private key file"), - DISABLE_HOSTNAME_VALIDATION("VESPA_TLS_HOSTNAME_VALIDATION_DISABLED", "Set to '1' if TLS hostname validation is disabled"); - - private final String variableName; - private final String description; - - OutputVariable(String variableName, String description) { - this.variableName = variableName; - this.description = description; - } - - String variableName() { - return variableName; - } - - String description() { - return description; - } -} diff --git a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/UnixShell.java b/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/UnixShell.java deleted file mode 100644 index e50c2420126..00000000000 --- a/security-tools/src/main/java/com/yahoo/vespa/security/tool/securityenv/UnixShell.java +++ /dev/null @@ -1,92 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.security.tool.securityenv; - -import java.io.PrintStream; -import java.util.Arrays; -import java.util.List; -import java.util.Map; -import java.util.Set; - -/** - * Definition of some unix shell variants and how to export environments variable for those supported. - * The output format is inspired by ssh-agent's output. - * - * @author bjorncs - */ -enum UnixShell { - BOURNE("bourne", List.of("bash", "sh")) { - @Override - void writeOutputVariables(PrintStream out, Map<OutputVariable, String> variables) { - variables.forEach((variable, value) -> { - out.print(variable.variableName()); - out.print("=\""); - out.print(value); // note: value is assumed to need no escaping - out.print("\"; export "); - out.print(variable.variableName()); - out.println(';'); - }); - } - @Override - void unsetVariables(PrintStream out, Set<OutputVariable> variables) { - variables.forEach(variable -> { - out.print("unset "); - out.print(variable.variableName()); - out.println(';'); - }); - } - }, - CSHELL("cshell", List.of("csh", "fish")) { - @Override - void writeOutputVariables(PrintStream out, Map<OutputVariable, String> variables) { - variables.forEach((variable, value) -> { - out.print("setenv "); - out.print(variable.variableName()); - out.print(" \""); - out.print(value); // note: value is assumed to need no escaping - out.println("\";"); - }); - } - @Override - void unsetVariables(PrintStream out, Set<OutputVariable> variables) { - variables.forEach(variable -> { - out.print("unsetenv "); - out.print(variable.variableName()); - out.println(';'); - }); - } - }; - - private static final UnixShell DEFAULT = BOURNE; - - private final String configName; - private final List<String> knownShellBinaries; - - UnixShell(String configName, List<String> knownShellBinaries) { - this.configName = configName; - this.knownShellBinaries = knownShellBinaries; - } - - abstract void writeOutputVariables(PrintStream out, Map<OutputVariable, String> variables); - abstract void unsetVariables(PrintStream out, Set<OutputVariable> variables); - - String configName() { - return configName; - } - - static UnixShell fromConfigName(String configName) { - return Arrays.stream(values()) - .filter(shell -> shell.configName.equals(configName)) - .findAny() - .orElseThrow(() -> new IllegalArgumentException("Unknown shell: " + configName)); - } - - static UnixShell detect(String shellEnvVariable) { - if (shellEnvVariable == null || shellEnvVariable.isEmpty()) return DEFAULT; - int lastSlash = shellEnvVariable.lastIndexOf('/'); - String shellName = lastSlash != -1 ? shellEnvVariable.substring(lastSlash + 1) : shellEnvVariable; - return Arrays.stream(values()) - .filter(shell -> shell.knownShellBinaries.contains(shellName)) - .findAny() - .orElse(DEFAULT); - } -} diff --git a/security-tools/src/main/sh/vespa-curl-wrapper b/security-tools/src/main/sh/vespa-curl-wrapper deleted file mode 100755 index 9381d6f898b..00000000000 --- a/security-tools/src/main/sh/vespa-curl-wrapper +++ /dev/null @@ -1,109 +0,0 @@ -#!/usr/bin/env bash -# Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. - -# Uses security-env to call curl with paths to credentials. -# This script should be installed in libexec only. It is not public api. - -# BEGIN environment bootstrap section -# Do not edit between here and END as this section should stay identical in all scripts - -findpath () { - myname=${0} - mypath=${myname%/*} - myname=${myname##*/} - empty_if_start_slash=${mypath%%/*} - if [ "${empty_if_start_slash}" ]; then - mypath=$(pwd)/${mypath} - fi - if [ "$mypath" ] && [ -d "$mypath" ]; then - return - fi - mypath=$(pwd) - if [ -f "${mypath}/${myname}" ]; then - return - fi - echo "FATAL: Could not figure out the path where $myname lives from $0" - exit 1 -} - -COMMON_ENV=libexec/vespa/common-env.sh - -source_common_env () { - if [ "$VESPA_HOME" ] && [ -d "$VESPA_HOME" ]; then - export VESPA_HOME - common_env=$VESPA_HOME/$COMMON_ENV - if [ -f "$common_env" ]; then - . $common_env - return - fi - fi - return 1 -} - -findroot () { - source_common_env && return - if [ "$VESPA_HOME" ]; then - echo "FATAL: bad VESPA_HOME value '$VESPA_HOME'" - exit 1 - fi - if [ "$ROOT" ] && [ -d "$ROOT" ]; then - VESPA_HOME="$ROOT" - source_common_env && return - fi - findpath - while [ "$mypath" ]; do - VESPA_HOME=${mypath} - source_common_env && return - mypath=${mypath%/*} - done - echo "FATAL: missing VESPA_HOME environment variable" - echo "Could not locate $COMMON_ENV anywhere" - exit 1 -} - -findhost () { - if [ "${VESPA_HOSTNAME}" = "" ]; then - VESPA_HOSTNAME=$(vespa-detect-hostname || hostname -f || hostname || echo "localhost") || exit 1 - fi - validate="${VESPA_HOME}/bin/vespa-validate-hostname" - if [ -f "$validate" ]; then - "$validate" "${VESPA_HOSTNAME}" || exit 1 - fi - export VESPA_HOSTNAME -} - -findroot -findhost - -ROOT=${VESPA_HOME%/} -export ROOT - -# END environment bootstrap section - -set -e - -eval $(${VESPA_HOME}/libexec/vespa/script-utils security-env) - -CURL_PARAMETERS=("$@") - -if [ -n "${VESPA_TLS_ENABLED}" ] -then - CURL_PARAMETERS=("${CURL_PARAMETERS[@]/http:/https:}") -fi - -if [ -n "${VESPA_TLS_HOSTNAME_VALIDATION_DISABLED}" ] -then - CURL_PARAMETERS=("--insecure" "${CURL_PARAMETERS[@]}") -fi - -if [ -n "${VESPA_TLS_CA_CERT}" ] -then - CURL_PARAMETERS=("--cacert" "${VESPA_TLS_CA_CERT}" "${CURL_PARAMETERS[@]}") -fi - -if [[ -n "${VESPA_TLS_CERT}" && -n "${VESPA_TLS_PRIVATE_KEY}" ]] -then - CURL_PARAMETERS=("--cert" "${VESPA_TLS_CERT}" "--key" "${VESPA_TLS_PRIVATE_KEY}" "${CURL_PARAMETERS[@]}") -fi - -curl "${CURL_PARAMETERS[@]}" diff --git a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java b/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java deleted file mode 100644 index b1d263a1a82..00000000000 --- a/security-tools/src/test/java/com/yahoo/vespa/security/tool/securityenv/MainTest.java +++ /dev/null @@ -1,116 +0,0 @@ -// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.security.tool.securityenv; - -import com.yahoo.security.tls.MixedMode; -import com.yahoo.security.tls.TransportSecurityOptions; -import com.yahoo.security.tls.TransportSecurityUtils; -import org.junit.jupiter.api.Test; -import org.junit.jupiter.api.io.TempDir; - -import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.IOException; -import java.io.PrintStream; -import java.nio.file.Files; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.util.List; -import java.util.Map; - -import static org.assertj.core.api.Assertions.assertThat; - - -/** - * @author bjorncs - */ -public class MainTest { - - private final ByteArrayOutputStream stdOutBytes = new ByteArrayOutputStream(); - private final ByteArrayOutputStream stdErrBytes = new ByteArrayOutputStream(); - private final PrintStream stdOut = new PrintStream(stdOutBytes); - private final PrintStream stdError = new PrintStream(stdErrBytes); - - @TempDir - public File tmpFolder; - - @Test - void prints_help_page_on_help_option() throws IOException { - int exitCode = runMain(List.of("--help"), Map.of()); - assertThat(exitCode).isEqualTo(0); - assertThat(stdOut()).isEqualTo(readTestResource("expected-help-output.txt")); - } - - @Test - void unsets_all_variables_when_no_security_config() throws IOException { - int exitCode = runMain(List.of(), Map.of()); - assertThat(exitCode).isEqualTo(0); - assertThat(stdErr()).isEmpty(); - assertThat(stdOut()).isEqualTo(readTestResource("no-security-output.txt")); - } - - @Test - void prints_security_variables_with_specified_shell() throws IOException { - Path configFile = generateConfigFile(); - Map<String, String> env = Map.of(TransportSecurityUtils.CONFIG_FILE_ENVIRONMENT_VARIABLE, configFile.toString()); - int exitCode = runMain(List.of(), env); - assertThat(exitCode).isEqualTo(0); - assertThat(stdOut()).isEqualTo(readTestResource("bash-output.txt")); - } - - @Test - void prints_security_variables_with_auto_detected_shell() throws IOException { - Path configFile = generateConfigFile(); - Map<String, String> env = Map.of( - TransportSecurityUtils.CONFIG_FILE_ENVIRONMENT_VARIABLE, configFile.toString(), - TransportSecurityUtils.INSECURE_MIXED_MODE_ENVIRONMENT_VARIABLE, MixedMode.TLS_CLIENT_MIXED_SERVER.configValue(), - "SHELL", "/usr/local/bin/fish"); - int exitCode = runMain(List.of(), env); - assertThat(exitCode).isEqualTo(0); - assertThat(stdOut()).isEqualTo(readTestResource("csh-output.txt")); - } - - - @Test - void prints_error_message_on_unknown_shell_name() { - int exitCode = runMain(List.of("--shell", "invalid-shell-name"), Map.of()); - assertThat(exitCode).isEqualTo(1); - assertThat(stdErr()).isEqualTo("Invalid command line arguments: Unknown shell: invalid-shell-name\n"); - } - - @Test - void prints_error_message_on_unknown_command_line_parameter() { - int exitCode = runMain(List.of("--unknown-parameter"), Map.of()); - assertThat(exitCode).isEqualTo(1); - assertThat(stdErr()).isEqualTo("Failed to parse command line arguments: Unrecognized option: --unknown-parameter\n"); - } - - private int runMain(List<String> args, Map<String, String> env) { - return new Main(stdOut, stdError).execute(args.toArray(new String[0]), env); - } - - private String stdOut() { - stdOut.flush(); - return stdOutBytes.toString(); - } - - private String stdErr() { - stdError.flush(); - return stdErrBytes.toString(); - } - - private static String readTestResource(String fileName) throws IOException { - return Files.readString(Paths.get(MainTest.class.getResource('/' + fileName).getFile())); - } - - private Path generateConfigFile() throws IOException { - TransportSecurityOptions options = new TransportSecurityOptions.Builder() - .withCertificates(Paths.get("/path/to/certificate"), Paths.get("/path/to/key")) - .withCaCertificates(Paths.get("/path/to/cacerts")) - .withHostnameValidationDisabled(true) - .build(); - Path configFile = File.createTempFile("junit", null, tmpFolder).toPath(); - options.toJsonFile(configFile); - return configFile; - } - -}
\ No newline at end of file diff --git a/security-tools/src/test/resources/bash-output.txt b/security-tools/src/test/resources/bash-output.txt deleted file mode 100644 index 182dc177d42..00000000000 --- a/security-tools/src/test/resources/bash-output.txt +++ /dev/null @@ -1,5 +0,0 @@ -VESPA_TLS_ENABLED="1"; export VESPA_TLS_ENABLED; -VESPA_TLS_CA_CERT="/path/to/cacerts"; export VESPA_TLS_CA_CERT; -VESPA_TLS_CERT="/path/to/certificate"; export VESPA_TLS_CERT; -VESPA_TLS_PRIVATE_KEY="/path/to/key"; export VESPA_TLS_PRIVATE_KEY; -VESPA_TLS_HOSTNAME_VALIDATION_DISABLED="1"; export VESPA_TLS_HOSTNAME_VALIDATION_DISABLED; diff --git a/security-tools/src/test/resources/csh-output.txt b/security-tools/src/test/resources/csh-output.txt deleted file mode 100644 index 2e6cd886c26..00000000000 --- a/security-tools/src/test/resources/csh-output.txt +++ /dev/null @@ -1,5 +0,0 @@ -setenv VESPA_TLS_ENABLED "1"; -setenv VESPA_TLS_CA_CERT "/path/to/cacerts"; -setenv VESPA_TLS_CERT "/path/to/certificate"; -setenv VESPA_TLS_PRIVATE_KEY "/path/to/key"; -setenv VESPA_TLS_HOSTNAME_VALIDATION_DISABLED "1"; diff --git a/security-tools/src/test/resources/expected-help-output.txt b/security-tools/src/test/resources/expected-help-output.txt deleted file mode 100644 index 33ad3b6d232..00000000000 --- a/security-tools/src/test/resources/expected-help-output.txt +++ /dev/null @@ -1,13 +0,0 @@ -usage: vespa-security-env <options> -Generates shell commands that defines environments variables based on the -content of VESPA_TLS_CONFIG_FILE. - -h,--help Show help - -s,--shell <arg> Shell type. Shell type is auto-detected if option not - present. Valid values: ['bourne', 'cshell']. -The output may include the following variables: - - 'VESPA_TLS_ENABLED': Set to '1' if TLS is enabled in Vespa - - 'VESPA_TLS_CA_CERT': Path to CA certificates file - - 'VESPA_TLS_CERT': Path to certificate file - - 'VESPA_TLS_PRIVATE_KEY': Path to private key file - - 'VESPA_TLS_HOSTNAME_VALIDATION_DISABLED': Set to '1' if TLS hostname -validation is disabled diff --git a/security-tools/src/test/resources/no-security-output.txt b/security-tools/src/test/resources/no-security-output.txt deleted file mode 100644 index 257a2747ee2..00000000000 --- a/security-tools/src/test/resources/no-security-output.txt +++ /dev/null @@ -1,5 +0,0 @@ -unset VESPA_TLS_ENABLED; -unset VESPA_TLS_CA_CERT; -unset VESPA_TLS_CERT; -unset VESPA_TLS_PRIVATE_KEY; -unset VESPA_TLS_HOSTNAME_VALIDATION_DISABLED; |