[EDGORDERS-83-ENV]. Refactor for TLS configuration for Spring-based Environment (#105)

* [EDGORDERS-83-ENV]. Refactor for TLS configuration for Spring-based Environment
BKadirkhodjaev authored May 24, 2024
1 parent a17448c commit 6199ebc
Showing 7 changed files with 117 additions and 185 deletions.
49 changes: 23 additions & 26 deletions README.md
@@ -165,34 +165,31 @@ Configuration information is specified in two forms:
| `request_timeout_ms` | `30000` | Request Timeout |
| `api_key_sources` | `PARAM,HEADER,PATH` | Defines the sources (order of precendence) of the API key. |

### System Properties for TLS configuration for Http server
### Env variables for TLS configuration for Http server

To configure Transport Layer Security (TLS) for the HTTP server in an edge module, the following configuration parameters should be used.
Parameters marked as Required are required only in case when ssl_enabled is set to true.

| Property | Default | Description |
|-----------------------------------|-------------------|---------------------------------------------------------------------------------------------|
| `http-server.ssl_enabled` | `false` | Set whether SSL/TLS is enabled for Vertx Http Server |
| `http-server.keystore_type` | `NA` | (Required). Set the type of the keystore. Common types include `JKS`, `PKCS12`, and `BCFKS` |
| `http-server.keystore_provider` | `NA` | Set the provider name of the key store |
| `http-server.keystore_path` | `NA` | (Required). Set the location of the keystore file in the local file system |
| `http-server.keystore_password` | `NA` | (Required). Set the password for the keystore |
| `http-server.key_alias` | `NA` | Set the alias of the key within the keystore. |
| `http-server.key_alias_password` | `NA` | Optional param that points to a password of `key_alias` if it protected |

### System Properties for TLS configuration for Web Client
Parameters marked as Required are required only in case when TLS for the server should be enabled.

| Property | Default | Description |
|-----------------------------------------------------|------------------|---------------------------------------------------------------------------------------------|
| `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE` | `NA` | (Required). Set the type of the keystore. Common types include `JKS`, `PKCS12`, and `BCFKS` |
| `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION` | `NA` | (Required). Set the location of the keystore file in the local file system |
| `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD` | `NA` | (Required). Set the password for the keystore |
| `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS` | `NA` | Set the alias of the key within the keystore. |
| `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD` | `NA` | Optional param that points to a password of `KEY_ALIAS` if it protected |

### Env variables for TLS configuration for Web Client

To configure Transport Layer Security (TLS) for Web clients in the edge module, you can use the following configuration parameters.
Truststore parameters for configuring Web clients are optional even when ssl_enabled = true.
If truststore parameters need to be populated, truststore_type, truststore_path and truststore_password are required.

| Property | Default | Description |
|-----------------------------------|-------------------|----------------------------------------------------------------------------------|
| `web-client.ssl_enabled` | `false` | Set whether SSL/TLS is enabled for Vertx Http Server |
| `web-client.truststore_type` | `NA` | Set the type of the keystore. Common types include `JKS`, `PKCS12`, and `BCFKS` |
| `web-client.truststore_provider` | `NA` | Set the provider name of the key store |
| `web-client.truststore_path` | `NA` | Set the location of the keystore file in the local file system |
| `web-client.truststore_password` | `NA` | Set the password for the keystore |
| `web-client.key_alias` | `NA` | Set the alias of the key within the keystore. |
| `web-client.key_alias_password` | `NA` | Optional param that points to a password of `key_alias` if it protected |
Truststore parameters for configuring Web clients are optional even when `FOLIO_CLIENT_TLS_ENABLED = true`.
If truststore parameters need to be populated, `FOLIO_CLIENT_TLS_TRUSTSTORETYPE`, `FOLIO_CLIENT_TLS_TRUSTSTOREPATH` and `FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD` are required.

| Property | Default | Description |
|-----------------------------------------|-------------------|----------------------------------------------------------------------------------|
| `FOLIO_CLIENT_TLS_ENABLED` | `false` | Set whether SSL/TLS is enabled for Vertx Http Server |
| `FOLIO_CLIENT_TLS_TRUSTSTORETYPE` | `NA` | Set the type of the keystore. Common types include `JKS`, `PKCS12`, and `BCFKS` |
| `FOLIO_CLIENT_TLS_TRUSTSTOREPATH` | `NA` | Set the location of the keystore file in the local file system |
| `FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD` | `NA` | Set the password for the keystore |


## Additional information
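Review bot: the heading `### System Properties for TLS configuration for Web Client` now sits directly above the `SPRING_SSL_BUNDLE_JKS_WEBSERVER_*` table, which documents the HTTP server keystore rather than the web client, and that section no longer names any variable that switches server TLS on even though its intro still says parameters are required "only in case when TLS for the server should be enabled"; drop the leftover heading and state which setting enables server TLS, or merge the two intros into one. Smaller doc issues in the same hunk: the `FOLIO_CLIENT_TLS_ENABLED` row still reads "Set whether SSL/TLS is enabled for Vertx Http Server" although it controls the client, the three `FOLIO_CLIENT_TLS_TRUSTSTORE*` rows say "keystore" where they mean truststore and lack the "(Required)" marker that the prose above them promises, and "if it protected" should read "if it is protected".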
89 changes: 37 additions & 52 deletions src/main/java/org/folio/edge/core/Constants.java
@@ -25,22 +25,18 @@ private Constants() {
public static final String SYS_API_KEY_SOURCES = "api_key_sources";
public static final String SYS_RESPONSE_COMPRESSION = "response_compression";

// System properties for SSL/TLS http server configuration
public static final String SYS_HTTP_SERVER_SSL_ENABLED = "http-server.ssl_enabled";
public static final String SYS_HTTP_SERVER_KEYSTORE_TYPE = "http-server.keystore_type";
public static final String SYS_HTTP_SERVER_KEYSTORE_PROVIDER = "http-server.keystore_provider";
public static final String SYS_HTTP_SERVER_KEYSTORE_PATH = "http-server.keystore_path";
public static final String SYS_HTTP_SERVER_KEYSTORE_PASSWORD = "http-server.keystore_password";
public static final String SYS_HTTP_SERVER_KEY_ALIAS = "http-server.key_alias";
public static final String SYS_HTTP_SERVER_KEY_ALIAS_PASSWORD = "http-server.key_alias_password";
public static final String SYS_WEB_CLIENT_SSL_ENABLED = "web-client.ssl_enabled";
// System properties for SSL/TLS web client configuration
public static final String SYS_WEB_CLIENT_TRUSTSTORE_TYPE = "web-client.truststore_type";
public static final String SYS_WEB_CLIENT_TRUSTSTORE_PROVIDER = "web-client.truststore_provider";
public static final String SYS_WEB_CLIENT_TRUSTSTORE_PATH = "web-client.truststore_path";
public static final String SYS_WEB_CLIENT_TRUSTSTORE_PASSWORD = "web-client.truststore_password";
public static final String SYS_WEB_CLIENT_KEY_ALIAS = "web-client.key_alias";
public static final String SYS_WEB_CLIENT_KEY_ALIAS_PASSWORD = "web-client.key_alias_password";
// Env variables for SSL/TLS http server configuration
public static final String SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE = "SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE";
public static final String SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION = "SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION";
public static final String SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD = "SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD";
public static final String SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS = "SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS";
public static final String SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD = "SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD";

// Env variables for SSL/TLS web client configuration
public static final String FOLIO_CLIENT_TLS_ENABLED = "FOLIO_CLIENT_TLS_ENABLED";
public static final String FOLIO_CLIENT_TLS_TRUSTSTORETYPE = "FOLIO_CLIENT_TLS_TRUSTSTORETYPE";
public static final String FOLIO_CLIENT_TLS_TRUSTSTOREPATH = "FOLIO_CLIENT_TLS_TRUSTSTOREPATH";
public static final String FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD = "FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD";

// Property names
public static final String PROP_SECURE_STORE_TYPE = "secureStore.type";
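Review bot: with `SYS_HTTP_SERVER_SSL_ENABLED` and `SYS_HTTP_SERVER_KEYSTORE_PROVIDER` removed and no environment-variable replacement added for either, nothing in this file shows how server-side TLS is switched on or which component reads the `SPRING_SSL_BUNDLE_JKS_WEBSERVER_*` values; a short comment naming the consumer (or the Spring property path these names are derived from) would make the intent reviewable. Dropping the provider constants also means a `BCFKS` keystore, which the README still lists as a common type, will only load when its provider is registered JVM-wide (for example in `java.security`), which deserves a line in the docs.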
@@ -100,51 +96,40 @@ private Constants() {
System.getProperty(SYS_API_KEY_SOURCES, DEFAULT_API_KEY_SOURCES));
defaultMap.put(SYS_REQUEST_TIMEOUT_MS,
Long.parseLong(System.getProperty(SYS_REQUEST_TIMEOUT_MS,
Long.toString(DEFAULT_REQUEST_TIMEOUT_MS))));
Long.toString(DEFAULT_REQUEST_TIMEOUT_MS))));
defaultMap.put(SYS_TOKEN_CACHE_TTL_MS,
Long.parseLong(System.getProperty(SYS_TOKEN_CACHE_TTL_MS,
Long.toString(DEFAULT_TOKEN_CACHE_TTL_MS))));
Long.toString(DEFAULT_TOKEN_CACHE_TTL_MS))));
defaultMap.put(SYS_NULL_TOKEN_CACHE_TTL_MS,
Long.parseLong(System.getProperty(SYS_NULL_TOKEN_CACHE_TTL_MS,
Long.toString(DEFAULT_NULL_TOKEN_CACHE_TTL_MS))));
Long.toString(DEFAULT_NULL_TOKEN_CACHE_TTL_MS))));
defaultMap.put(SYS_TOKEN_CACHE_CAPACITY,
Integer.parseInt(System.getProperty(SYS_TOKEN_CACHE_CAPACITY,
Integer.toString(DEFAULT_TOKEN_CACHE_CAPACITY))));
Integer.toString(DEFAULT_TOKEN_CACHE_CAPACITY))));
defaultMap.put(SYS_SECURE_STORE_TYPE,
System.getProperty(SYS_SECURE_STORE_TYPE, DEFAULT_SECURE_STORE_TYPE));
System.getProperty(SYS_SECURE_STORE_TYPE, DEFAULT_SECURE_STORE_TYPE));
defaultMap.put(SYS_RESPONSE_COMPRESSION,
Boolean.parseBoolean(System.getProperty(SYS_RESPONSE_COMPRESSION,
Boolean.toString(DEFAULT_RESPONSE_COMPRESSION))));
defaultMap.put(SYS_HTTP_SERVER_SSL_ENABLED,
Boolean.parseBoolean(System.getProperty(SYS_HTTP_SERVER_SSL_ENABLED,
Boolean.toString(DEFAULT_SSL_ENABLED))));
defaultMap.put(SYS_HTTP_SERVER_KEYSTORE_TYPE,
System.getProperty(SYS_HTTP_SERVER_KEYSTORE_TYPE));
defaultMap.put(SYS_HTTP_SERVER_KEYSTORE_PROVIDER,
System.getProperty(SYS_HTTP_SERVER_KEYSTORE_PROVIDER));
defaultMap.put(SYS_HTTP_SERVER_KEYSTORE_PATH,
System.getProperty(SYS_HTTP_SERVER_KEYSTORE_PATH));
defaultMap.put(SYS_HTTP_SERVER_KEYSTORE_PASSWORD,
System.getProperty(SYS_HTTP_SERVER_KEYSTORE_PASSWORD));
defaultMap.put(SYS_HTTP_SERVER_KEY_ALIAS,
System.getProperty(SYS_HTTP_SERVER_KEY_ALIAS));
defaultMap.put(SYS_HTTP_SERVER_KEY_ALIAS_PASSWORD,
System.getProperty(SYS_HTTP_SERVER_KEY_ALIAS_PASSWORD));
defaultMap.put(SYS_WEB_CLIENT_SSL_ENABLED,
Boolean.parseBoolean(System.getProperty(SYS_WEB_CLIENT_SSL_ENABLED,
Boolean.toString(DEFAULT_SSL_ENABLED))));
defaultMap.put(SYS_WEB_CLIENT_TRUSTSTORE_TYPE,
System.getProperty(SYS_WEB_CLIENT_TRUSTSTORE_TYPE));
defaultMap.put(SYS_WEB_CLIENT_TRUSTSTORE_PROVIDER,
System.getProperty(SYS_WEB_CLIENT_TRUSTSTORE_PROVIDER));
defaultMap.put(SYS_WEB_CLIENT_TRUSTSTORE_PATH,
System.getProperty(SYS_WEB_CLIENT_TRUSTSTORE_PATH));
defaultMap.put(SYS_WEB_CLIENT_TRUSTSTORE_PASSWORD,
System.getProperty(SYS_WEB_CLIENT_TRUSTSTORE_PASSWORD));
defaultMap.put(SYS_WEB_CLIENT_KEY_ALIAS,
System.getProperty(SYS_WEB_CLIENT_KEY_ALIAS));
defaultMap.put(SYS_WEB_CLIENT_KEY_ALIAS_PASSWORD,
System.getProperty(SYS_WEB_CLIENT_KEY_ALIAS_PASSWORD));
Boolean.toString(DEFAULT_RESPONSE_COMPRESSION))));
defaultMap.put(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE,
System.getenv().get(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_TYPE));
defaultMap.put(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION,
System.getenv().get(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_LOCATION));
defaultMap.put(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD,
System.getenv().get(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD));
defaultMap.put(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS,
System.getenv().get(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_ALIAS));
defaultMap.put(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD,
System.getenv().get(SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD));
defaultMap.put(FOLIO_CLIENT_TLS_ENABLED,
Boolean.parseBoolean(System.getenv().getOrDefault(FOLIO_CLIENT_TLS_ENABLED,
Boolean.toString(DEFAULT_SSL_ENABLED))));
defaultMap.put(FOLIO_CLIENT_TLS_TRUSTSTORETYPE,
System.getenv().get(FOLIO_CLIENT_TLS_TRUSTSTORETYPE));
defaultMap.put(FOLIO_CLIENT_TLS_TRUSTSTOREPATH,
System.getenv().get(FOLIO_CLIENT_TLS_TRUSTSTOREPATH));
defaultMap.put(FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD,
System.getenv().get(FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD));
defaultMap.put(SYS_SECURE_STORE_PROP_FILE,
System.getProperty(SYS_SECURE_STORE_PROP_FILE));
defaultMap.put(SYS_OKAPI_URL,
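Review bot: `FOLIO_CLIENT_TLS_ENABLED` is parsed with `Boolean.parseBoolean`, which silently maps anything other than a case-insensitive "true" (for example `1` or `yes`) to `false`, so a typo in the environment turns client TLS off without any error; read the raw string and warn or fail on unrecognised values instead. Two smaller points: `System.getenv().get(NAME)` can simply be `System.getenv(NAME)` throughout, and `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEYSTORE_PASSWORD`, `SPRING_SSL_BUNDLE_JKS_WEBSERVER_KEY_PASSWORD` and `FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD` are now stored in the same `defaultMap` as ordinary settings, so make sure that map is never logged or exposed with its values.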
@@ -2,13 +2,10 @@

import static org.folio.edge.core.Constants.SYS_OKAPI_URL;
import static org.folio.edge.core.Constants.SYS_REQUEST_TIMEOUT_MS;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_KEY_ALIAS;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_KEY_ALIAS_PASSWORD;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_SSL_ENABLED;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_TRUSTSTORE_PASSWORD;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_TRUSTSTORE_PATH;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_TRUSTSTORE_PROVIDER;
import static org.folio.edge.core.Constants.SYS_WEB_CLIENT_TRUSTSTORE_TYPE;
import static org.folio.edge.core.Constants.FOLIO_CLIENT_TLS_ENABLED;
import static org.folio.edge.core.Constants.FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD;
import static org.folio.edge.core.Constants.FOLIO_CLIENT_TLS_TRUSTSTOREPATH;
import static org.folio.edge.core.Constants.FOLIO_CLIENT_TLS_TRUSTSTORETYPE;

import com.amazonaws.util.StringUtils;
import io.vertx.core.Vertx;
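Review bot: the new `FOLIO_CLIENT_TLS_*` static imports are appended after the `SYS_*` ones, which breaks the alphabetical order the import block otherwise keeps; move them above `SYS_OKAPI_URL`. Visible in the same context: `com.amazonaws.util.StringUtils` is pulled in only for null-or-empty checks, a heavy dependency to reach for when `String::isBlank` or a commons-lang helper would do.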
@@ -27,27 +24,21 @@ private OkapiClientFactoryInitializer() {
public static OkapiClientFactory createInstance(Vertx vertx, JsonObject config) {
String okapiUrl = config.getString(SYS_OKAPI_URL);
Integer requestTimeout = config.getInteger(SYS_REQUEST_TIMEOUT_MS);
boolean isSslEnabled = config.getBoolean(SYS_WEB_CLIENT_SSL_ENABLED);
boolean isSslEnabled = config.getBoolean(FOLIO_CLIENT_TLS_ENABLED);
if (isSslEnabled) {
logger.info("Creating OkapiClientFactory with Enhance HTTP Endpoint Security and TLS mode enabled");
String truststoreType = config.getString(SYS_WEB_CLIENT_TRUSTSTORE_TYPE);
String truststoreProvider = config.getString(SYS_WEB_CLIENT_TRUSTSTORE_PROVIDER);
String truststorePath = config.getString(SYS_WEB_CLIENT_TRUSTSTORE_PATH);
String truststorePassword = config.getString(SYS_WEB_CLIENT_TRUSTSTORE_PASSWORD);
String keyAlias = config.getString(SYS_WEB_CLIENT_KEY_ALIAS);
String keyAliasPassword = config.getString(SYS_WEB_CLIENT_KEY_ALIAS_PASSWORD);
String truststoreType = config.getString(FOLIO_CLIENT_TLS_TRUSTSTORETYPE);
String truststorePath = config.getString(FOLIO_CLIENT_TLS_TRUSTSTOREPATH);
String truststorePassword = config.getString(FOLIO_CLIENT_TLS_TRUSTSTOREPASSWORD);
if (!StringUtils.isNullOrEmpty(truststoreType)
&& !StringUtils.isNullOrEmpty(truststorePath)
&& !StringUtils.isNullOrEmpty(truststorePassword)) {

logger.info("Web client truststore options for type: {} are set, configuring Web Client with them", truststoreType);
TrustOptions trustOptions = new KeyStoreOptions()
.setType(truststoreType)
.setProvider(truststoreProvider)
.setPath(truststorePath)
.setPassword(truststorePassword)
.setAlias(keyAlias)
.setAliasPassword(keyAliasPassword);
.setPassword(truststorePassword);
return new OkapiClientFactory(vertx, okapiUrl, requestTimeout, trustOptions);
} else {
return new OkapiClientFactory(vertx, okapiUrl, requestTimeout, null);
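Review bot: when `FOLIO_CLIENT_TLS_ENABLED` is true but only one or two of the three truststore values are set, the check at `if (!StringUtils.isNullOrEmpty(truststoreType)` fails as a whole and execution drops to `return new OkapiClientFactory(vertx, okapiUrl, requestTimeout, null);`, so the client silently trusts the JVM default truststore instead of the one the operator tried to configure; a partial truststore configuration should at least log a warning and arguably fail startup. Two follow-ups: with `.setProvider(truststoreProvider)` gone, `KeyStoreOptions` resolves `truststoreType` only through providers already registered in the JVM, which is fine for `JKS` and `PKCS12` but requires the BC FIPS provider to be registered for `BCFKS`; and the log message should read "Enhanced HTTP Endpoint Security".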