Merge pull request #1 from joshburt/jb_tls_and_cipher_enhancements

Jb tls and cipher enhancements
joshburt · Apr 26, 2016 · 2688b91 · 2688b91
2 parents c42aec9 + 538449d
commit 2688b91
Show file tree

Hide file tree

Showing 10 changed files with 430 additions and 80 deletions.
diff --git a/attributes/default.rb b/attributes/default.rb
@@ -22,19 +22,22 @@
 default['tomcat']['proxy_port'] = nil
 default['tomcat']['ssl_port'] = 8443
 default['tomcat']['ssl_proxy_port'] = nil
+default['tomcat']['use_external_ssl_cert_cache'] = false
+default['tomcat']['external_ssl_cert_cache'] = 'file://'
 default['tomcat']['ajp_port'] = 8009
 default['tomcat']['shutdown_port'] = 8005
 default['tomcat']['catalina_options'] = ''
-default['tomcat']['java_options'] = '-Xmx128M -Djava.awt.headless=true'
+default['tomcat']['java_options'] = '-Djava.awt.headless=true'
 default['tomcat']['use_security_manager'] = false
 default['tomcat']['authbind'] = 'no'
 default['tomcat']['deploy_manager_apps'] = true
 default['tomcat']['max_threads'] = nil
 default['tomcat']['ssl_max_threads'] = 150
 default['tomcat']['ssl_cert_file'] = nil
 default['tomcat']['ssl_key_file'] = nil
-default['tomcat']['ssl_chain_files'] = []
+default['tomcat']['ssl_chain_files'] = ''
 default['tomcat']['ssl_enabled_protocols'] = nil
+default['tomcat']['supported_tls_ciphers'] = nil
 default['tomcat']['keystore_file'] = 'keystore.jks'
 default['tomcat']['keystore_type'] = 'jks'
 # The keystore and truststore passwords will be generated by the
@@ -71,6 +74,7 @@
   default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}/Catalina/localhost"
   default['tomcat']['webapp_dir'] = "/var/lib/tomcat#{suffix}/webapps"
   default['tomcat']['keytool'] = 'keytool'
+  default['tomcat']['openssl'] = 'openssl'
   default['tomcat']['lib_dir'] = "#{node['tomcat']['home']}/lib"
   default['tomcat']['endorsed_dir'] = "#{node['tomcat']['lib_dir']}/endorsed"
   default['tomcat']['packages'] = ["tomcat#{suffix}"]
@@ -87,6 +91,7 @@
   default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}/Catalina/localhost"
   default['tomcat']['webapp_dir'] = "/var/lib/tomcat#{node['tomcat']['base_version']}/webapps"
   default['tomcat']['keytool'] = 'keytool'
+  default['tomcat']['openssl'] = 'openssl'
   default['tomcat']['lib_dir'] = "#{node['tomcat']['home']}/lib"
   default['tomcat']['endorsed_dir'] = "#{node['tomcat']['lib_dir']}/endorsed"
 when 'smartos'
@@ -101,6 +106,7 @@
   default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}/Catalina/localhost"
   default['tomcat']['webapp_dir'] = '/opt/local/share/tomcat/webapps'
   default['tomcat']['keytool'] = '/opt/local/bin/keytool'
+  default['tomcat']['openssl'] = 'openssl'
   default['tomcat']['lib_dir'] = "#{node['tomcat']['home']}/lib"
   default['tomcat']['endorsed_dir'] = "#{node['tomcat']['home']}/lib/endorsed"
   default['tomcat']['packages'] = ['apache-tomcat']
@@ -118,10 +124,41 @@
   default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}/Catalina/localhost"
   default['tomcat']['webapp_dir'] = '/srv/tomcat/webapps'
   default['tomcat']['keytool'] = 'keytool'
+  default['tomcat']['openssl'] = 'openssl'
   default['tomcat']['lib_dir'] = "#{node['tomcat']['home']}/lib"
   default['tomcat']['endorsed_dir'] = "#{node['tomcat']['lib_dir']}/endorsed"
   default['tomcat']['packages'] = ['tomcat']
   default['tomcat']['deploy_manager_packages'] = ['tomcat-admin-webapps']
+when 'windows'
+  default['tomcat']['user'] = "tomcat#{node['tomcat']['base_version']}"
+  default['tomcat']['group'] = "tomcat#{node['tomcat']['base_version']}"
+
+  # latest 6 version as per http://tomcat.apache.org/download-60.cgi
+  default['tomcat']['windows']['minor_version'] = 0
+  default['tomcat']['windows']['revision_version'] = 44
+  default['tomcat']['windows']['processor_architecture'] = 'x64' # possible values: x86 [32 bit], x64 [64 bit], i64 [Itanium]
+  default['tomcat']['windows']['preferred_download_mirror'] = 'https://www.apache.org'
+
+  # Special handling needed for jvm tuning and java options under windows
+  default['tomcat']['java_options'] = ''
+  default['tomcat']['windows']['tomcat_jvm_registry_key'] = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Apache Software Foundation\\Procrun 2.0\\Tomcat#{node['tomcat']['base_version']}\\Parameters\\Java"
+
+  # Windows defaults for Tomcat
+  default['tomcat']['home'] = "#{ENV['SYSTEMDRIVE']}\\Program Files\\Apache Software Foundation"
+  default['tomcat']['base'] = "#{node['tomcat']['home']}\\apache-tomcat-#{node['tomcat']['base_version']}.#{node['tomcat']['windows']['minor_version']}.#{node['tomcat']['windows']['revision_version']}"
+  default['tomcat']['config_dir'] = "#{node['tomcat']['base']}\\conf"
+  default['tomcat']['log_dir'] = "#{node['tomcat']['base']}\\logs"
+  default['tomcat']['tmp_dir'] = "#{node['tomcat']['base']}\\temp"
+  default['tomcat']['work_dir'] = "#{node['tomcat']['base']}\\work"
+  default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}\\Catalina\\localhost"
+  default['tomcat']['webapp_dir'] = "#{node['tomcat']['base']}\\webapps"
+  default['tomcat']['keytool'] = 'keytool'
+  default['tomcat']['openssl_dir'] = "#{ENV['SYSTEMDRIVE']}\\Program Files (x86)\\Git\\ssl"
+  default['tomcat']['openssl'] = "#{ENV['SYSTEMDRIVE']}\\Program Files (x86)\\Git\\bin\\openssl"
+  default['tomcat']['lib_dir'] = "#{node['tomcat']['base']}\\lib"
+  default['tomcat']['endorsed_dir'] = "#{node['tomcat']['base']}\\endorsed"
+  default['tomcat']['packages'] = ["apache-tomcat-#{node['tomcat']['base_version']}.#{node['tomcat']['windows']['minor_version']}.#{node['tomcat']['windows']['revision_version']}-windows-#{node['tomcat']['windows']['processor_architecture']}.zip"]
+  default['tomcat']['deploy_manager_packages'] = []
 else
   default['tomcat']['user'] = "tomcat#{node['tomcat']['base_version']}"
   default['tomcat']['group'] = "tomcat#{node['tomcat']['base_version']}"
@@ -134,6 +171,7 @@
   default['tomcat']['context_dir'] = "#{node['tomcat']['config_dir']}/Catalina/localhost"
   default['tomcat']['webapp_dir'] = "/var/lib/tomcat#{node['tomcat']['base_version']}/webapps"
   default['tomcat']['keytool'] = 'keytool'
+  default['tomcat']['openssl'] = 'openssl'
   default['tomcat']['lib_dir'] = "#{node['tomcat']['home']}/lib"
   default['tomcat']['endorsed_dir'] = "#{node['tomcat']['lib_dir']}/endorsed"
 end
diff --git a/metadata.rb b/metadata.rb
@@ -4,13 +4,14 @@
 license          'Apache 2.0'
 description      'Installs and configures Apache Tomcat'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.17.3'
+version          '0.19.0'
 
 depends 'java'
 depends 'openssl'
 depends 'yum-epel'
+depends 'windows'
 
-%w(ubuntu debian redhat centos suse opensuse scientific oracle amazon).each do |os|
+%w(ubuntu debian redhat centos suse opensuse scientific oracle amazon windows).each do |os|
   supports os
 end
 

diff --git a/providers/cert_helper.rb b/providers/cert_helper.rb
@@ -0,0 +1,126 @@
+###############################################################################
+## action :install
+## This action updates tomcat certificate, keystore, and ca chain as required
+###############################################################################
+
+action :install do
+  ###############################################################################
+  # We are requesting the creation/injection of a self-signed certificate.
+  ###############################################################################
+  if new_resource.ssl_cert_file.nil?
+    execute 'Create Keystore with a self-signed certificate' do
+      group new_resource.group
+      command <<-EOH
+#{node['tomcat']['keytool']} \
+         -genkey \
+         -keystore "#{new_resource.config_dir}/#{new_resource.keystore_file}" \
+         -storepass "#{new_resource.keystore_password}" \
+         -keypass "#{new_resource.keystore_password}" \
+         -dname "#{node['tomcat']['certificate_dn']}" \
+         -keyalg "RSA"
+      EOH
+      umask 0007
+      creates "#{new_resource.config_dir}/#{new_resource.keystore_file}"
+      action :run
+      notifies :restart, "service[#{new_resource.instance}]"
+    end
+  else
+    ###############################################################################
+    # We are being asked to use certificate artifacts provided (3rd-party)
+    # but bundled within the cookbook.
+    ##
+    # Original implementation was no cross-platform, and could not execute
+    # on Windows platforms.  This has been corrected.
+    ###############################################################################
+
+    # In Windows OpenSSL needs a little help to get going when launched through automation.
+    if platform_family?('windows')
+      env 'OPENSSL_CONF' do
+        value "#{node['tomcat']['openssl_dir']}\\openssl.cnf"
+      end
+    end
+
+    if node['tomcat']['use_external_ssl_cert_cache']
+      # then we get our certs from a location outside of the tomcat cookbook
+      Chef::Log.info '###############################################################################'
+      Chef::Log.info 'Using external certificate source ..'
+      Chef::Log.info '###############################################################################'
+
+      remote_file "#{new_resource.config_dir}/#{new_resource.ssl_cert_file}" do
+        source "#{node['tomcat']['external_ssl_cert_cache']}#{new_resource.ssl_cert_file}"
+        backup false
+        mode '0644'
+        action :create
+        notifies :stop, "service[#{new_resource.instance}]", :immediately
+        notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+      end
+
+      remote_file "#{new_resource.config_dir}/#{new_resource.ssl_key_file}" do
+        source "#{node['tomcat']['external_ssl_cert_cache']}#{new_resource.ssl_key_file}"
+        backup false
+        mode '0644'
+        action :create
+        notifies :stop, "service[#{new_resource.instance}]", :immediately
+        notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+      end
+
+      if new_resource.ssl_chain_files && new_resource.ssl_chain_files != ''
+        remote_file "#{new_resource.config_dir}/#{new_resource.ssl_chain_files}" do
+          source "#{node['tomcat']['external_ssl_cert_cache']}#{new_resource.ssl_chain_files}"
+          backup false
+          mode '0644'
+          action :create
+          notifies :stop, "service[#{new_resource.instance}]", :immediately
+          notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+        end
+      end
+
+    else
+      # else we are using certs bundled with the cookbook
+      cookbook_file "#{new_resource.config_dir}/#{new_resource.ssl_cert_file}" do
+        mode '0644'
+        backup false
+        notifies :stop, "service[#{new_resource.instance}]", :immediately
+        notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+      end
+
+      cookbook_file "#{new_resource.config_dir}/#{new_resource.ssl_key_file}" do
+        mode '0644'
+        backup false
+        notifies :stop, "service[#{new_resource.instance}]", :immediately
+        notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+      end
+
+      if new_resource.ssl_chain_files && new_resource.ssl_chain_files != ''
+        cookbook_file "#{new_resource.config_dir}/#{new_resource.ssl_chain_files}" do
+          mode '0644'
+          backup false
+          notifies :stop, "service[#{new_resource.instance}]", :immediately
+          notifies :run, "execute[create_keystore_with_cert_files-#{new_resource.instance}]"
+        end
+      end
+
+    end
+
+    # Note that this sets the keystore type to pkcs12, the node attribute keystore_type needs to be updated
+    # accordingly if utilizing this functionality.
+    keystore_cmd = "\"#{node['tomcat']['openssl']}\" pkcs12 -export -inkey #{new_resource.ssl_key_file} -in #{new_resource.ssl_cert_file} -password pass:#{new_resource.keystore_password} -out #{new_resource.keystore_file}"
+    if new_resource.ssl_chain_files && new_resource.ssl_chain_files != ''
+      keystore_cmd << " -chain -CAfile #{new_resource.ssl_chain_files}"
+    end
+    execute "create_keystore_with_cert_files-#{new_resource.instance}" do
+      command keystore_cmd
+      cwd new_resource.config_dir
+      action :nothing
+      notifies :stop, "service[#{new_resource.instance}]", :delayed
+      notifies :start, "service[#{new_resource.instance}]", :delayed
+    end
+  end
+
+  unless new_resource.truststore_file.nil?
+    cookbook_file "#{new_resource.config_dir}/#{new_resource.truststore_file}" do
+      mode '0644'
+    end
+  end
+end
+