cred: stripped down to make skeleton certificate generator service

cred/README.md

@@ -18,9 +18,19 @@ org.opencadc.cred.url=jdbc:postgresql://{server}/{database}
 ```
 
 The `cred` account owns and manages (create, alter, drop) inventory database objects and manages
-all the content (insert, update, delete). The database is specified in the JDBC URL and the schema name is specified 
-in the minoc.properties (below). Failure to connect or initialize the database will show up in logs and in the 
-VOSI-availability output.
+all the content (insert, update, delete). The database is specified in the JDBC URL and the schema 
+name is specified in the cred.properties (below). Failure to connect or initialize the database 
+will show up in logs and in the VOSI-availability output.
+
+See <a href="https://github.com/opencadc/docker-base/tree/master/cadc-tomcat">cadc-tomcat</a>
+for system properties related to the deployment environment.
+
+See <a href="https://github.com/opencadc/core/tree/master/cadc-util">cadc-util</a>
+for common system properties.
+
+`dap` includes multiple IdentityManager implementations to support authenticated access:
+ - See <a href="https://github.com/opencadc/ac/tree/master/cadc-access-control-identity">cadc-access-control-identity</a> for CADC access-control system support.
+ - See <a href="https://github.com/opencadc/ac/tree/master/cadc-gms">cadc-gms</a> for OIDC token support.
 
 ### cred.properties
 
@@ -48,24 +58,18 @@ org.opencadc.cred.proxy.allowedUser = cn=alt,ou=acme,o=example,c=com
 org.opencadc.cred.proxy.maxDaysValid = 0.5
 ```
 
-### cred-logControl.properties
-
+### cadc-log.properties (optional)
+See <a href="https://github.com/opencadc/core/tree/master/cadc-log">cadc-log</a> for common 
+dynamic logging control.
 
-## integration testing
+### cadc-vosi.properties (optional)
+See <a href="https://github.com/opencadc/reg/tree/master/cadc-vosi">cadc-vosi</a> for common 
+service state control.
 
-A client certificates named `cred-test.pem` must exist in the directory $A/test-certificates.
-This can be a normal user certificate (or proxy) and is used to delegate (itself) to the cred service (the 
-normal use of CDP).
-
-A client certificate named `cred-test-super.pem` must exist in the directory $A/test-certificates and the 
-distinguished name must be configured as an `org.opencadc.cred.proxy.allowedUser`. This is used to test that
-a special operational user can retrieve a proxy cert for another user.
-
-There is currently no test for `org.opencadc.cred.delegate.allowedUser` as that requires a CA cert in the
-test environment and essentially the whole `cadc-cert-gen` functionality.
+### cadcproxy.pem (optional)
+This client certificate is used to make authenticated server-to-server calls for system-level A&A purposes.
 
 ## building
-
 ```
 gradle clean build
 docker build -t cred -f Dockerfile .
@@ -81,13 +85,4 @@ docker run -it cred:latest /bin/bash
 docker run --user tomcat:tomcat --volume=/path/to/external/config:/config:ro --name cred cred:latest
 ```
 
-## apply version tags
-```bash
-. VERSION && echo "tags: $TAGS" 
-for t in $TAGS; do
-   docker image tag cred:latest cred:$t
-done
-unset TAGS
-docker image list cred
-```
 

cred/build.gradle

@@ -22,21 +22,17 @@ war {
 }
 
 dependencies {
-    providedCompile 'javax.servlet:javax.servlet-api:[3.1.0,)'
-    compile 'org.jdom:jdom2:[2.0,)'
-    compile 'org.json:json:20160212'
-
-    compile 'org.opencadc:cadc-util:[1.6,2.0)'
-    compile 'org.opencadc:cadc-rest:[1.3.10,)'
-    compile 'org.opencadc:cadc-vosi:[1.3.9,)'
-    compile 'org.opencadc:cadc-log:[1.1.1,)'
-    compile 'org.opencadc:cadc-cdp:[1.3,)'
-    compile 'org.opencadc:cadc-cdp-server:[1.3.0,1.4)'
+    compile 'org.opencadc:cadc-util:[1.11.2,2.0)'
+    compile 'org.opencadc:cadc-rest:[1.3.20,)'
+    compile 'org.opencadc:cadc-vosi:[1.4.6,)'
+    compile 'org.opencadc:cadc-log:[1.2.1,)'
+    compile 'org.opencadc:cadc-cdp:[1.4.0,)'
 
-    runtime 'org.opencadc:cadc-registry:[1.2.1,)'
-    runtime 'org.opencadc:cadc-access-control-identity:[1.1.0,)'
+    runtime 'org.opencadc:cadc-registry:[1.7.6,)'
+    runtime 'org.opencadc:cadc-gms:[1.0.12,)'
+    runtime 'org.opencadc:cadc-access-control-identity:[1.2.5,)'
 
     testCompile 'junit:junit:[4.0,)'
 
-    intTestCompile 'org.opencadc:cadc-test-vosi:[1.0.2,)'
+    intTestCompile 'org.opencadc:cadc-test-vosi:[1.0.14,)'
 }

cred/src/main/java/org/opencadc/cred/CredConfig.java

@@ -0,0 +1,108 @@
+/*
+************************************************************************
+*******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
+**************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
+*
+*  (c) 2024.                            (c) 2024.
+*  Government of Canada                 Gouvernement du Canada
+*  National Research Council            Conseil national de recherches
+*  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
+*  All rights reserved                  Tous droits réservés
+*
+*  NRC disclaims any warranties,        Le CNRC dénie toute garantie
+*  expressed, implied, or               énoncée, implicite ou légale,
+*  statutory, of any kind with          de quelque nature que ce
+*  respect to the software,             soit, concernant le logiciel,
+*  including without limitation         y compris sans restriction
+*  any warranty of merchantability      toute garantie de valeur
+*  or fitness for a particular          marchande ou de pertinence
+*  purpose. NRC shall not be            pour un usage particulier.
+*  liable in any event for any          Le CNRC ne pourra en aucun cas
+*  damages, whether direct or           être tenu responsable de tout
+*  indirect, special or general,        dommage, direct ou indirect,
+*  consequential or incidental,         particulier ou général,
+*  arising from the use of the          accessoire ou fortuit, résultant
+*  software.  Neither the name          de l'utilisation du logiciel. Ni
+*  of the National Research             le nom du Conseil National de
+*  Council of Canada nor the            Recherches du Canada ni les noms
+*  names of its contributors may        de ses  participants ne peuvent
+*  be used to endorse or promote        être utilisés pour approuver ou
+*  products derived from this           promouvoir les produits dérivés
+*  software without specific prior      de ce logiciel sans autorisation
+*  written permission.                  préalable et particulière
+*                                       par écrit.
+*
+*  This file is part of the             Ce fichier fait partie du projet
+*  OpenCADC project.                    OpenCADC.
+*
+*  OpenCADC is free software:           OpenCADC est un logiciel libre ;
+*  you can redistribute it and/or       vous pouvez le redistribuer ou le
+*  modify it under the terms of         modifier suivant les termes de
+*  the GNU Affero General Public        la “GNU Affero General Public
+*  License as published by the          License” telle que publiée
+*  Free Software Foundation,            par la Free Software Foundation
+*  either version 3 of the              : soit la version 3 de cette
+*  License, or (at your option)         licence, soit (à votre gré)
+*  any later version.                   toute version ultérieure.
+*
+*  OpenCADC is distributed in the       OpenCADC est distribué
+*  hope that it will be useful,         dans l’espoir qu’il vous
+*  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
+*  without even the implied             GARANTIE : sans même la garantie
+*  warranty of MERCHANTABILITY          implicite de COMMERCIALISABILITÉ
+*  or FITNESS FOR A PARTICULAR          ni d’ADÉQUATION À UN OBJECTIF
+*  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
+*  General Public License for           Générale Publique GNU Affero
+*  more details.                        pour plus de détails.
+*
+*  You should have received             Vous devriez avoir reçu une
+*  a copy of the GNU Affero             copie de la Licence Générale
+*  General Public License along         Publique GNU Affero avec
+*  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
+*  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
+*                                       <http://www.gnu.org/licenses/>.
+*
+************************************************************************
+*/
+
+package org.opencadc.cred;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.security.auth.x500.X500Principal;
+import org.apache.log4j.Logger;
+
+/**
+ * Configuration object that is created at startup and stored in JNDI for use
+ * by delegation and proxy servlets. 
+ * 
+ * @author pdowler
+ */
+public class CredConfig {
+    private static final Logger log = Logger.getLogger(CredConfig.class);
+
+    private final List<X500Principal> delegateUsers = new ArrayList<>();
+    private final List<X500Principal> proxyUsers = new ArrayList<>();
+    public float proxyMaxDaysValid = 30.0f;
+
+    public CredConfig() { 
+    }
+
+    public List<X500Principal> getDelegateUsers() {
+        return delegateUsers;
+    }
+
+    public List<X500Principal> getProxyUsers() {
+        return proxyUsers;
+    }
+
+    @Override
+    public String toString() {
+        return CredConfig.class.getName() + "[" 
+                + "trusted=" + proxyUsers.size() + ","
+                + "su=" + delegateUsers.size() + ","
+                + "proxyMaxDaysValid=" + proxyMaxDaysValid + "]";
+    }
+
+
+}

cred/src/main/java/org/opencadc/cred/CredInitAction.java

@@ -67,8 +67,6 @@
 
 package org.opencadc.cred;
 
-import ca.nrc.cadc.cred.server.CredConfig;
-import ca.nrc.cadc.cred.server.InitDatabaseCDP;
 import ca.nrc.cadc.db.DBUtil;
 import ca.nrc.cadc.rest.InitAction;
 import ca.nrc.cadc.util.MultiValuedProperties;
@@ -80,6 +78,7 @@
 import javax.security.auth.x500.X500Principal;
 import javax.sql.DataSource;
 import org.apache.log4j.Logger;
+import org.opencadc.cred.db.InitDatabaseCDP;
 
 /**
  * Validate config and put CredConfig object into JNDI and init the database
@@ -95,14 +94,15 @@ public class CredInitAction extends InitAction {
     private static final String PROXY_PROP     = "org.opencadc.cred.proxy.allowedUser";
     private static final String MAX_VALID_PROP = "org.opencadc.cred.proxy.maxDaysValid";
 
-    private final String jndiKey = CredConfig.JDNI_KEY; // temporarily hard coded to work with lib
+    private String jndiKey;
     private CredConfig credConfig;
 
     public CredInitAction() { 
     }
 
     @Override
     public void doInit() {
+        this.jndiKey = super.appName + "." + CredConfig.class.getSimpleName();
         initConfig();
         initDatabase();
     }

cred/src/main/java/org/opencadc/cred/DelegationsImpl.java → cred/src/main/java/org/opencadc/cred/GetCertAction.java

@@ -3,12 +3,12 @@
 *******************  CANADIAN ASTRONOMY DATA CENTRE  *******************
 **************  CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES  **************
 *
-*  (c) 2022.                            (c) 2022.
+*  (c) 2024.                            (c) 2024.
 *  Government of Canada                 Gouvernement du Canada
 *  National Research Council            Conseil national de recherches
 *  Ottawa, Canada, K1A 0R6              Ottawa, Canada, K1A 0R6
 *  All rights reserved                  Tous droits réservés
-*                                       
+*
 *  NRC disclaims any warranties,        Le CNRC dénie toute garantie
 *  expressed, implied, or               énoncée, implicite ou légale,
 *  statutory, of any kind with          de quelque nature que ce
@@ -31,10 +31,10 @@
 *  software without specific prior      de ce logiciel sans autorisation
 *  written permission.                  préalable et particulière
 *                                       par écrit.
-*                                       
+*
 *  This file is part of the             Ce fichier fait partie du projet
 *  OpenCADC project.                    OpenCADC.
-*                                       
+*
 *  OpenCADC is free software:           OpenCADC est un logiciel libre ;
 *  you can redistribute it and/or       vous pouvez le redistribuer ou le
 *  modify it under the terms of         modifier suivant les termes de
@@ -44,7 +44,7 @@
 *  either version 3 of the              : soit la version 3 de cette
 *  License, or (at your option)         licence, soit (à votre gré)
 *  any later version.                   toute version ultérieure.
-*                                       
+*
 *  OpenCADC is distributed in the       OpenCADC est distribué
 *  hope that it will be useful,         dans l’espoir qu’il vous
 *  but WITHOUT ANY WARRANTY;            sera utile, mais SANS AUCUNE
@@ -54,35 +54,43 @@
 *  PURPOSE.  See the GNU Affero         PARTICULIER. Consultez la Licence
 *  General Public License for           Générale Publique GNU Affero
 *  more details.                        pour plus de détails.
-*                                       
+*
 *  You should have received             Vous devriez avoir reçu une
 *  a copy of the GNU Affero             copie de la Licence Générale
 *  General Public License along         Publique GNU Affero avec
 *  with OpenCADC.  If not, see          OpenCADC ; si ce n’est
 *  <http://www.gnu.org/licenses/>.      pas le cas, consultez :
 *                                       <http://www.gnu.org/licenses/>.
 *
-*  $Revision: 4 $
-*
 ************************************************************************
 */
 
 package org.opencadc.cred;
 
-import ca.nrc.cadc.cred.server.CertificateDAO.CertificateSchema;
-import ca.nrc.cadc.cred.server.DatabaseDelegations;
+import ca.nrc.cadc.rest.InlineContentHandler;
+import ca.nrc.cadc.rest.RestAction;
+import org.apache.log4j.Logger;
 
 /**
- * Implementation of the base Delegations API.
+ * Skeleton action to generate and return a short-lived certificate.
+ * 
+ * @author pdowler
  */
-public class DelegationsImpl extends DatabaseDelegations
-{
-    public static final String DATASOURCE = "jdbc/cred";
-    public static final String CATALOG = null;
-    public static final String SCHEMA = "cred";
-    
-    public DelegationsImpl()
-    {
-        super(DATASOURCE, new CertificateSchema(DATASOURCE, CATALOG, SCHEMA));
+public class GetCertAction extends RestAction {
+    private static final Logger log = Logger.getLogger(GetCertAction.class);
+
+    public GetCertAction() { 
+    }
+
+    @Override
+    protected InlineContentHandler getInlineContentHandler() {
+        return null;
     }
+
+    @Override
+    public void doAction() throws Exception {
+        throw new UnsupportedOperationException();
+    }
+
+
 }

cred/src/main/java/org/opencadc/cred/ServiceAvailability.java

@@ -69,9 +69,9 @@
 
 package org.opencadc.cred;
 
-import ca.nrc.cadc.cred.server.CertificateDAO;
 import ca.nrc.cadc.vosi.Availability;
 import ca.nrc.cadc.vosi.AvailabilityPlugin;
+import org.opencadc.cred.db.CertificateDAO;
 
 public class ServiceAvailability implements AvailabilityPlugin {
 
@@ -93,9 +93,7 @@ public Availability getStatus() {
         boolean isGood = true;
         String note = "service is accepting requests";
         try {
-            CertificateDAO.CertificateSchema config = new CertificateDAO.CertificateSchema(
-                    DelegationsImpl.DATASOURCE, DelegationsImpl.CATALOG, DelegationsImpl.SCHEMA);
-            CertificateDAO dao = new CertificateDAO(config);
+            CertificateDAO dao = new CertificateDAO("cred"); // hard-coded schema
             dao.exists("no-such-key");
         } catch (Throwable t) {
             // the test itself failed