MLE-14474 Can now provide a passphrase for a host certificate

Author: rjrudin

ml-app-deployer/src/main/java/com/marklogic/appdeployer/AppConfig.java

@@ -286,6 +286,8 @@ public class AppConfig {
 	private DataConfig dataConfig;
 	private PluginConfig pluginConfig;
 
+	private Map<String, String> hostCertificatePassphrases;
+
 	public AppConfig() {
 		this(null);
 	}
@@ -1869,4 +1871,18 @@ public String getAppServicesTrustStoreAlgorithm() {
 	public void setAppServicesTrustStoreAlgorithm(String appServicesTrustStoreAlgorithm) {
 		this.appServicesTrustStoreAlgorithm = appServicesTrustStoreAlgorithm;
 	}
+
+	/**
+	 * @since 5.1.0
+	 */
+	public Map<String, String> getHostCertificatePassphrases() {
+		return hostCertificatePassphrases;
+	}
+
+	/**
+	 * @since 5.1.0
+	 */
+	public void setHostCertificatePassphrases(Map<String, String> hostCertificatePassphrases) {
+		this.hostCertificatePassphrases = hostCertificatePassphrases;
+	}
 }

ml-app-deployer/src/main/java/com/marklogic/appdeployer/DefaultAppConfigFactory.java

@@ -54,8 +54,12 @@ public AppConfig newAppConfig() {
 				try {
 					propertyConsumerMap.get(propertyName).accept(appConfig, value);
 				} catch (Exception ex) {
-					throw new IllegalArgumentException(
-						format("Unable to parse value '%s' for property '%s'; cause: %s", value, propertyName, ex.getMessage()), ex);
+					String lowerCaseProperty = propertyName.toLowerCase();
+					boolean isSensitive = lowerCaseProperty.contains("password") || lowerCaseProperty.contains("passphrase");
+					String message = isSensitive ?
+						format("Unable to parse value for property '%s'; cause: %s", propertyName, ex.getMessage()) :
+						format("Unable to parse value '%s' for property '%s'; cause: %s", value, propertyName, ex.getMessage());
+					throw new IllegalArgumentException(message, ex);
 				}
 			}
 		}
@@ -996,6 +1000,15 @@ public void initialize() {
 
 		registerDataLoadingProperties();
 		registerPluginProperties();
+
+		// Added in 5.1.0
+		propertyConsumerMap.put("mlHostCertificatePassphrases", (config, prop) -> {
+			String customDelimiter = this.getPropertySource().getProperty("mlHostCertificatePassphrasesDelimiter");
+			final String delimiter = StringUtils.hasText(customDelimiter) ? customDelimiter : ",";
+			Map<String, String> hostPassphrases = buildMapFromDelimitedString(prop, delimiter);
+			logger.info("Setting host certificate passphrases; count: {}", hostPassphrases.size());
+			config.setHostCertificatePassphrases(hostPassphrases);
+		});
 	}
 
 	protected void registerDataLoadingProperties() {
@@ -1082,10 +1095,18 @@ protected List<String> buildPathListFromCommaDelimitedString(String prop) {
 		return list;
 	}
 
-	protected Map<String, String> buildMapFromCommaDelimitedString(String str) {
+	protected Map<String, String> buildMapFromCommaDelimitedString(String propertyValue) {
+		return buildMapFromDelimitedString(propertyValue, ",");
+	}
+
+	private Map<String, String> buildMapFromDelimitedString(String propertyValue, String delimiter) {
 		Map<String, String> map = new HashMap<>();
-		String[] tokens = str.split(",");
+		String[] tokens = propertyValue.split(delimiter);
 		for (int i = 0; i < tokens.length; i += 2) {
+			if (i + 1 >= tokens.length) {
+				String message = String.format("Must have an even number of values delimited by '%s' in the property value", delimiter);
+				throw new IllegalArgumentException(message);
+			}
 			map.put(tokens[i], tokens[i + 1]);
 		}
 		return map;

ml-app-deployer/src/main/java/com/marklogic/appdeployer/command/security/InsertCertificateHostsTemplateCommand.java

@@ -26,6 +26,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.util.List;
+import java.util.Map;
 
 /**
  * Inserts host certificates for each certificate template returned by the Manage API. Host certificates are inserted
@@ -101,9 +102,15 @@ protected File determinePrivateKeyFile(File publicCertificateFile) {
 	protected void insertHostCertificate(CommandContext context, String templateName, File publicCertFile, File privateKeyFile) {
 		if (!certificateExists(templateName, publicCertFile, context.getManageClient())) {
 			logger.info(format("Inserting host certificate for certificate template '%s'", templateName));
-			String pubCertString = copyFileToString(publicCertFile);
-			String privateKeyString = copyFileToString(privateKeyFile);
-			new CertificateTemplateManager(context.getManageClient()).insertHostCertificate(templateName, pubCertString, privateKeyString);
+
+			final String pubCertString = copyFileToString(publicCertFile);
+			final String privateKeyString = copyFileToString(privateKeyFile);
+			final Map<String, String> passphrases = context.getAppConfig().getHostCertificatePassphrases();
+			final String passphraseKey = privateKeyFile.getName().replace(privateKeyFileExtension, "");
+			final String passphrase = passphrases != null ? passphrases.get(passphraseKey) : null;
+
+			new CertificateTemplateManager(context.getManageClient()).insertHostCertificate(templateName, pubCertString, privateKeyString, passphrase);
+
 			logger.info(format("Inserted host certificate for certificate template '%s'", templateName));
 		} else {
 			logger.info(format("Host certificate already exists for certificate template '%s', so not inserting host certificate found at: %s",

ml-app-deployer/src/main/java/com/marklogic/mgmt/AbstractManager.java

@@ -21,21 +21,21 @@
 
 public class AbstractManager extends LoggingObject {
 
-    protected PayloadParser payloadParser = new PayloadParser();
+	protected PayloadParser payloadParser = new PayloadParser();
 
-    /**
-     * Manager classes that need to connect to ML as a user with the manage-admin and security roles (e.g. all the
-     * classes for Security resources) should override this to return true.
-     *
-     * The main use case for this is while an application may define a user with the manage-admin role that can be used
-     * for deploying most resources, that user must first be created. And thus, some user with at least the manage-admin
-     * and security roles must already exist and must be used to create that user.
-     *
-     * @return
-     */
-    protected boolean useSecurityUser() {
-        return false;
-    }
+	/**
+	 * Manager classes that need to connect to ML as a user with the manage-admin and security roles (e.g. all the
+	 * classes for Security resources) should override this to return true.
+	 * <p>
+	 * The main use case for this is while an application may define a user with the manage-admin role that can be used
+	 * for deploying most resources, that user must first be created. And thus, some user with at least the manage-admin
+	 * and security roles must already exist and must be used to create that user.
+	 *
+	 * @return
+	 */
+	protected boolean useSecurityUser() {
+		return false;
+	}
 
 	/**
 	 * Some payloads - such as a server payload that uses external security - require a condition to determine if the
@@ -45,57 +45,76 @@ protected boolean useSecurityUser() {
 	 * @return
 	 */
 	protected boolean useSecurityUser(String payload) {
-    	return useSecurityUser();
-    }
+		return useSecurityUser();
+	}
+
+	/**
+	 * Assumes the resource name is based on the class name - e.g. RoleManager would have a resource name of "role".
+	 *
+	 * @return
+	 */
+	protected String getResourceName() {
+		String name = ClassUtils.getShortName(getClass());
+		name = name.replace("Manager", "");
+		return name.toLowerCase();
+	}
+
+	/**
+	 * Assumes the field name of the resource ID - which is used to determine existence - is the resource name plus
+	 * "-name". So RoleManager would have an ID field name of "role-name".
+	 *
+	 * @return
+	 */
+	protected String getIdFieldName() {
+		return getResourceName() + "-name";
+	}
 
-    /**
-     * Assumes the resource name is based on the class name - e.g. RoleManager would have a resource name of "role".
-     *
-     * @return
-     */
-    protected String getResourceName() {
-        String name = ClassUtils.getShortName(getClass());
-        name = name.replace("Manager", "");
-        return name.toLowerCase();
-    }
+	protected String getResourceId(String payload) {
+		return payloadParser.getPayloadFieldValue(payload, getIdFieldName());
+	}
 
-    /**
-     * Assumes the field name of the resource ID - which is used to determine existence - is the resource name plus
-     * "-name". So RoleManager would have an ID field name of "role-name".
-     *
-     * @return
-     */
-    protected String getIdFieldName() {
-        return getResourceName() + "-name";
-    }
+	protected ResponseEntity<String> putPayload(ManageClient client, String path, String payload) {
+		boolean requiresSecurityUser = useSecurityUser(payload);
+		try {
+			if (payloadParser.isJsonPayload(payload)) {
+				return requiresSecurityUser ? client.putJsonAsSecurityUser(path, payload) : client.putJson(path, payload);
+			}
+			return requiresSecurityUser ? client.putXmlAsSecurityUser(path, payload) : client.putXml(path, payload);
+		} catch (RuntimeException ex) {
+			logRequestBodyToAssistWithDebugging("PUT", path, payload);
+			throw ex;
+		}
+	}
 
-    protected String getResourceId(String payload) {
-        return payloadParser.getPayloadFieldValue(payload, getIdFieldName());
-    }
+	protected ResponseEntity<String> postPayload(ManageClient client, String path, String payload) {
+		boolean requiresSecurityUser = useSecurityUser(payload);
+		try {
+			if (payloadParser.isJsonPayload(payload)) {
+				return requiresSecurityUser ? client.postJsonAsSecurityUser(path, payload) : client.postJson(path, payload);
+			}
+			return requiresSecurityUser ? client.postXmlAsSecurityUser(path, payload) : client.postXml(path, payload);
+		} catch (RuntimeException ex) {
+			logRequestBodyToAssistWithDebugging("POST", path, payload);
+			throw ex;
+		}
+	}
 
-    protected ResponseEntity<String> putPayload(ManageClient client, String path, String payload) {
-        boolean requiresSecurityUser = useSecurityUser(payload);
-        try {
-	        if (payloadParser.isJsonPayload(payload)) {
-		        return requiresSecurityUser ? client.putJsonAsSecurityUser(path, payload) : client.putJson(path, payload);
-	        }
-	        return requiresSecurityUser ? client.putXmlAsSecurityUser(path, payload) : client.putXml(path, payload);
-        } catch (RuntimeException ex) {
-	        logger.error(format("Error occurred while sending PUT request to %s; logging request body to assist with debugging: %s", path, payload));
-	        throw ex;
-        }
-    }
+	protected void logRequestBodyToAssistWithDebugging(String httpMethod, String path, String payload) {
+		if (!payloadContainsSensitiveValues(payload)) {
+			logger.error(format("Error occurred while sending %s request to %s; not logging request body to avoid leaking sensitive values.",
+				httpMethod, path));
+		} else {
+			logger.error(format("Error occurred while sending %s request to %s; logging request body to assist with debugging: %s",
+				httpMethod, path, payload));
+		}
+	}
 
-    protected ResponseEntity<String> postPayload(ManageClient client, String path, String payload) {
-        boolean requiresSecurityUser = useSecurityUser(payload);
-        try {
-	        if (payloadParser.isJsonPayload(payload)) {
-		        return requiresSecurityUser ? client.postJsonAsSecurityUser(path, payload) : client.postJson(path, payload);
-	        }
-	        return requiresSecurityUser ? client.postXmlAsSecurityUser(path, payload) : client.postXml(path, payload);
-        } catch (RuntimeException ex) {
-        	logger.error(format("Error occurred while sending POST request to %s; logging request body to assist with debugging: %s", path, payload));
-        	throw ex;
-        }
-    }
+	protected boolean payloadContainsSensitiveValues(String payload) {
+		// pkey is a common field name for private keys in requests to the MarkLogic Manage API.
+		return payload != null && (payload.contains("\"pkey\"") ||
+			payload.contains("PRIVATE KEY") ||
+			payload.contains("\"password\"") ||
+			payload.contains("\"passphrase\"")
+		);
+	}
 }

ml-app-deployer/src/main/java/com/marklogic/mgmt/resource/security/CertificateTemplateManager.java

@@ -96,14 +96,18 @@ public ResponseEntity<String> generateTemporaryCertificate(String templateIdOrNa
 	 *
 	 * Even though service allows multiple inserts in one call, this only inserts one host cert at a time.
 	 *
-	 * Note that the docs as of ML 9.0-5 are not correct for this operation - this method submits the correct JSON
-	 * structure.
-	 *
 	 * @param templateIdOrName The template name to insert the host certificates
 	 * @param pubCert the Public PEM formatted certificate
 	 * @param privateKey the Private PEM formatted certificate
 	 */
 	public ResponseEntity<String> insertHostCertificate(String templateIdOrName, String pubCert, String privateKey) {
+		return insertHostCertificate(templateIdOrName, pubCert, privateKey, null);
+	}
+
+	/**
+	 * @since 5.1.0
+	 */
+	public ResponseEntity<String> insertHostCertificate(String templateIdOrName, String pubCert, String privateKey, String passphrase) {
 		ObjectNode command = ObjectMapperFactory.getObjectMapper().createObjectNode();
 		command.put("operation", "insert-host-certificates");
 		ArrayNode certs = ObjectMapperFactory.getObjectMapper().createArrayNode();
@@ -113,14 +117,16 @@ public ResponseEntity<String> insertHostCertificate(String templateIdOrName, Str
 
 		certificate.put("cert", pubCert);
 		certificate.put("pkey", privateKey);
+		if (passphrase != null) {
+			certificate.put("passphrase", passphrase);
+		}
 		cert.set("certificate", certificate);
 		certs.add(cert);
 
 		command.set("certificates", certs);
 
 		String json = command.toString();
 		if (logger.isInfoEnabled()) {
-			// NOTE - should NOT print out private key - EVER
 			logger.info(format("Inserting host certificate for template %s", templateIdOrName));
 		}
 		return postPayload(getManageClient(), getResourcePath(templateIdOrName), json);