JAVA based implementation for Asherah gRPC server

server/README.md

@@ -337,4 +337,22 @@ Navigate to the `server` directory and run the following:
 ```
 
 ### Java
-Coming soon.
+Use the following to regenerate the gRPC service code for the Java server implementation.
+
+#### Prerequisites
+Ensure that you have a working JAVA installation, protobuf and protocol compiler.
+
+* [Installing Java](https://adoptopenjdk.net/installation.html)
+* [protbuf](https://github.com/protocolbuffers/protobuf/blob/master/README.md)
+* [protoc compiler](https://github.com/grpc/grpc-java/tree/master/compiler)
+
+Navigate to the `server` directory and run the following:
+```console
+[user@machine server]$ mkdir -p java/target/generated-sources/protobuf/grpc-java
+[user@machine server]$ mkdir -p java/target/generated-sources/protobuf/java
+[user@machine server]$ protoc --java_out=java/target/generated-sources/protobuf/java protos/appencryption.proto
+[user@machine server]$ protoc \
+    --plugin=protoc-gen-grpc-java=<dowloaded_proto_plugin> \ 
+    --grpc-java_out=java/target/generated-sources/protobuf/grpc-java \
+    --proto_path=protos appencryption.proto 
+```

server/java/.dockerignore

@@ -0,0 +1,2 @@
+bin/
+cover.*

server/java/.gitignore

@@ -0,0 +1,124 @@
+.idea/sonarlint
+
+# Compiled class file
+*.class
+
+# Log file
+*.log
+
+# BlueJ files
+*.ctxt
+
+# Mobile Tools for Java (J2ME)
+.mtj.tmp/
+
+# Package Files #
+*.jar
+*.war
+*.ear
+*.zip
+*.tar.gz
+*.rar
+
+# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+hs_err_pid*
+
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+
+# Avoid ignoring Maven wrapper jar file (.jar files are usually ignored)
+!/.mvn/wrapper/maven-wrapper.jar
+
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+# Eclipse IDE
+.project
+.classpath
+.settings
+.checkstyle
+.pydevproject
+
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+cmake-build-release/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+
+# Adding *.iml since we're maven-based and this (https://intellij-support.jetbrains.com/hc/en-us/articles/206544839)
+# article says it's ok to ignore it.
+*.iml

server/java/Dockerfile

@@ -0,0 +1,28 @@
+FROM openjdk:8-jre-alpine
+
+# jna native lib install to support RO filesystems
+RUN apk update && \
+    apk upgrade && \
+    apk add java-jna-native
+
+# TODO Add a multi-stage build once we have a public artifact released.
+
+# artifact setup
+ARG JAR_FILE
+
+ENV APP_DIR=/usr/app
+RUN mkdir -p ${APP_DIR}
+
+# user setup
+RUN addgroup -S aeljava && \
+    adduser -S -G aeljava -H -D -s /bin/false -g "Docker image user" aeljava && \
+    chown -R aeljava:aeljava ${APP_DIR}
+
+ADD ${JAR_FILE} ${APP_DIR}/app.jar
+
+WORKDIR ${APP_DIR}
+
+USER aeljava
+
+# TODO Consider refactoring to a shell script
+ENTRYPOINT ["java", "-Djna.nounpack=true", "-jar", "app.jar"]

server/java/README.md

@@ -0,0 +1,115 @@
+# Asherah Server - Java
+
+## Running the server
+The following makes use of the `JDBC` metastore implementation and assumes mysql is running on localhost and 
+a preexisting Asherah database. See [metastore documentation](/docs/Metastore.md) for more.
+
+#### Development notes: 
+* Make sure you have JAVA 1.8
+* Create an aws credentials file
+```console
+[user@machine java]$ cat ~/.aws/credentials
+[default]
+aws_access_key_id = secret
+aws_secret_access_key = access
+```
+* Create a aws config file
+```console
+[user@machine java]$ cat ~/.aws/config
+[default]
+region = us-west-2
+```
+
+Running the server:
+```console
+[user@machine java]$ mvn clean install
+[user@machine java]$ java -jar <jar-path> --uds='/tmp/appencryption.sock' \
+    --product-id=product \
+    --service-id=service \
+    --metastore-type=JDBC \
+    --jdbc-url='jdbc:mysql://localhost/test?user=root&password=password' \
+    --kms-type=static \
+    --key-expiration-days 90 \
+    --revoke-check-minutes 60
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - using static KMS...
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - using JDBC-based metastore...
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - key expiration days set to = 90 days
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - revoke check minutes set to = 60 minutes
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionServer - server has started listening on /tmp/appencryption.sock
+```
+
+Arguments can also be supplied using environment variables
+
+```bash
+export ASHERAH_PRODUCT_NAME=product
+export ASHERAH_SERVICE_NAME=service
+export ASHERAH_EXPIRE_AFTER=90
+export ASHERAH_CHECK_INTERVAL=60
+export ASHERAH_METASTORE_MODE=jdbc
+export ASHERAH_CONNECTION_STRING='jdbc:mysql://localhost/test?user=root&password=password'
+export ASHERAH_KMS_MODE=static
+
+mvn clean install
+java -jar <jar-path> --uds='/tmp/appencryption.sock'
+```
+
+### Using the provided docker image
+> **NOTE**: This docker image would not work as is with the [Amazon ECS example](../README.md#amazon-ecs).
+> This is because the configuration options supported by the Java server slightly differ from those expected by the 
+> alternative [Go server](../go).
+
+```console
+[user@machine java]$ mvn clean install
+[user@machine java]$ docker build --build-arg JAR_FILE=<path-to-jar-file-with-dependencies> .
+Sending build context to Docker daemon  47.37MB
+Step 1/11 : FROM openjdk:8-jre-alpine
+ ---> f7a292bbb70c
+... snipped
+Step 10/11 : USER aeljava
+ ---> Running in 83998149b2f7
+Removing intermediate container 83998149b2f7
+ ---> 01d9203abe43
+Step 11/11 : ENTRYPOINT ["java", "-Djna.nounpack=true", "-jar", "app.jar"]
+ ---> Running in 9651fa614533
+Removing intermediate container 9651fa614533
+ ---> e9cb70abb481
+Successfully built e9cb70abb481
+[user@machine java]$ docker run -it e9cb70abb481 
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - using static KMS...
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - using in-memory metastore...
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - key expiration days set to = 90 days
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionConfig - revoke check minutes set to = 60 minutes
+[main] INFO com.godaddy.asherah.grpc.AppEncryptionServer - server has started listening on /tmp/appencryption.sock
+```
+
+## Configuring the server
+Configuration options are provided via command-line arguments or environment variables. Supported options are as
+follows:
+
+```console
+--jdbc-url=<jdbcUrl>      JDBC URL to use for JDBC metastore. Required for JDBC metastore.
+--key-expiration-days=<keyExpirationDays>
+                          The number of days after which a key will expire
+--kms-type=<kmsType>      Type of key management service to use.
+                          Possible values: STATIC, AWS
+--metastore-type=<metastoreType>
+                          Type of metastore to use. 
+                          Possible values: MEMORY, JDBC, DYNAMODB
+--preferred-region=<preferredRegion>
+                          Preferred region to use for KMS if using AWS KMS.
+                          Required for AWS KMS.
+--product-id=<productId>
+                          Specify the product id
+--region-arn-tuples=<String=String>[,<String=String>...]
+                          Comma separated list of <region>=<kms_arn> tuples.
+                          Required for AWS KMS.
+--revoke-check-minutes=<revokeCheckMinutes>
+                          Sets the cache's TTL in minutes to revoke the keys in the cache
+--service-id=<serviceId>   Specify the service id
+--session-cache-expire-minutes=<sessionCacheExpireMinutes>
+                          Evict the session from cache after some minutes.
+--session-cache-max-size=<sessionCacheMaxSize>
+                          Define the number of maximum sessions to cache.
+--session-caching         Enable/disable the session caching
+--uds                     File path for unix domain socket
+```