Manager Properties

Previously, the addition of the SecurityProvider to an application meant that you always got both the KeyManager and TrustManager for in that application (although if certain artifacts were missing, these might be no ops). There are certain circumstances where you might want one or the other of the managers though, so being able to disable them individually is useful. This change adds an inspection of the org.cloudfoundry.security.keymanager.enabled and org.cloudfoundry.security.trustmanager.enabled properties to determine if they should be disabled. These properties default to true if unspecified. [cloudfoundry/java-buildpack#552]
cloudfoundry · Feb 15, 2018 · d2c0d0a · d2c0d0a
1 parent 8779807
commit d2c0d0a
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 13 deletions.
diff --git a/.idea/dictionaries/bhale.xml b/.idea/dictionaries/bhale.xml
diff --git a/src/main/java/org/cloudfoundry/security/CloudFoundryContainerProvider.java b/src/main/java/org/cloudfoundry/security/CloudFoundryContainerProvider.java
@@ -26,9 +26,13 @@
  */
 public final class CloudFoundryContainerProvider extends Provider {
 
-    private final Logger logger = Logger.getLogger(this.getClass().getName());
+    static final String KEY_MANAGER_ENABLED = "org.cloudfoundry.security.keymanager.enabled";
+
+    static final String TRUST_MANAGER_ENABLED = "org.cloudfoundry.security.trustmanager.enabled";
 
-    private static final long serialVersionUID = -254669391239963192L;
+    private static final long serialVersionUID = -2667509590306131953L;
+
+    private final Logger logger = Logger.getLogger(this.getClass().getName());
 
     /**
      * Creates a new instance of the provider.  This registers the following components
@@ -40,17 +44,30 @@ public final class CloudFoundryContainerProvider extends Provider {
     public CloudFoundryContainerProvider() {
         super("Cloud Foundry Container", 1.0, "KeyManagerFactory and TrustManagerFactory based on artifacts within a Cloud Foundry application container");
 
-        put("KeyManagerFactory.SunX509", "org.cloudfoundry.security.CloudFoundryContainerKeyManagerFactory$SunX509");
-        put("KeyManagerFactory.NewSunX509", "org.cloudfoundry.security.CloudFoundryContainerKeyManagerFactory$X509");
-        put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+        if (get(KEY_MANAGER_ENABLED)) {
+            this.logger.fine("KeyManager enabled");
 
-        put("TrustManagerFactory.SunX509", "org.cloudfoundry.security.CloudFoundryContainerTrustManagerFactory$SimpleFactory");
-        put("TrustManagerFactory.PKIX", "org.cloudfoundry.security.CloudFoundryContainerTrustManagerFactory$PKIXFactory");
-        put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX");
-        put("Alg.Alias.TrustManagerFactory.X509", "PKIX");
-        put("Alg.Alias.TrustManagerFactory.X.509", "PKIX");
+            put("KeyManagerFactory.SunX509", "org.cloudfoundry.security.CloudFoundryContainerKeyManagerFactory$SunX509");
+            put("KeyManagerFactory.NewSunX509", "org.cloudfoundry.security.CloudFoundryContainerKeyManagerFactory$X509");
+            put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+        }
+
+        if (get(TRUST_MANAGER_ENABLED)) {
+            this.logger.fine("TrustManager enabled");
+
+            put("TrustManagerFactory.SunX509", "org.cloudfoundry.security.CloudFoundryContainerTrustManagerFactory$SimpleFactory");
+            put("TrustManagerFactory.PKIX", "org.cloudfoundry.security.CloudFoundryContainerTrustManagerFactory$PKIXFactory");
+            put("Alg.Alias.TrustManagerFactory.SunPKIX", "PKIX");
+            put("Alg.Alias.TrustManagerFactory.X509", "PKIX");
+            put("Alg.Alias.TrustManagerFactory.X.509", "PKIX");
+        }
 
         this.logger.fine("Provider loaded");
     }
 
+    private static boolean get(String key) {
+        String value = System.getProperty(key);
+        return value == null || value.trim().isEmpty() ? true : Boolean.valueOf(value);
+    }
+
 }
diff --git a/src/test/java/org/cloudfoundry/security/CloudFoundryContainerProviderTest.java b/src/test/java/org/cloudfoundry/security/CloudFoundryContainerProviderTest.java
@@ -17,7 +17,6 @@
 package org.cloudfoundry.security;
 
 import org.junit.After;
-import org.junit.Before;
 import org.junit.Test;
 
 import javax.net.ssl.KeyManagerFactory;
@@ -26,23 +25,90 @@
 import java.security.Security;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.cloudfoundry.security.CloudFoundryContainerProvider.KEY_MANAGER_ENABLED;
+import static org.cloudfoundry.security.CloudFoundryContainerProvider.TRUST_MANAGER_ENABLED;
 
 public final class CloudFoundryContainerProviderTest {
 
-    @Before
-    public void addProvider() {
+    @Test
+    public void doesNotProvideKeyManagerDisabled() throws NoSuchAlgorithmException {
+        System.setProperty(KEY_MANAGER_ENABLED, "false");
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(KeyManagerFactory.getInstance("SunX509").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("NewSunX509").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("PKIX").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+    }
+
+    @Test
+    public void doesNotProviderTrustManagerFactoryDisabled() throws NoSuchAlgorithmException {
+        System.setProperty(TRUST_MANAGER_ENABLED, "false");
         Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(TrustManagerFactory.getInstance("SunX509").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("PKIX").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("SunPKIX").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X509").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X.509").getProvider()).isNotInstanceOf(CloudFoundryContainerProvider.class);
     }
 
     @Test
     public void providesKeyManagerFactory() throws NoSuchAlgorithmException {
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(KeyManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("NewSunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+    }
+
+    @Test
+    public void providesKeyManagerFactoryEmpty() throws NoSuchAlgorithmException {
+        System.setProperty(KEY_MANAGER_ENABLED, "");
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(KeyManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("NewSunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(KeyManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+    }
+
+    @Test
+    public void providesKeyManagerFactoryEnabled() throws NoSuchAlgorithmException {
+        System.setProperty(KEY_MANAGER_ENABLED, "true");
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
         assertThat(KeyManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
         assertThat(KeyManagerFactory.getInstance("NewSunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
         assertThat(KeyManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
     }
 
     @Test
     public void providesTrustManagerFactory() throws NoSuchAlgorithmException {
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(TrustManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("SunPKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X.509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+    }
+
+    @Test
+    public void providesTrustManagerFactoryEmpty() throws NoSuchAlgorithmException {
+        System.setProperty(TRUST_MANAGER_ENABLED, "");
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
+        assertThat(TrustManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("SunPKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+        assertThat(TrustManagerFactory.getInstance("X.509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
+    }
+
+    @Test
+    public void providesTrustManagerFactoryEnabled() throws NoSuchAlgorithmException {
+        System.setProperty(TRUST_MANAGER_ENABLED, "true");
+        Security.insertProviderAt(new CloudFoundryContainerProvider(), 2);
+
         assertThat(TrustManagerFactory.getInstance("SunX509").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
         assertThat(TrustManagerFactory.getInstance("PKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
         assertThat(TrustManagerFactory.getInstance("SunPKIX").getProvider()).isInstanceOf(CloudFoundryContainerProvider.class);
@@ -53,6 +119,8 @@ public void providesTrustManagerFactory() throws NoSuchAlgorithmException {
     @After
     public void removeProvider() {
         Security.removeProvider("Cloud Foundry Container");
+        System.clearProperty(KEY_MANAGER_ENABLED);
+        System.clearProperty(TRUST_MANAGER_ENABLED);
     }
 
 }