TrustAgentEnvironmentUtil.java

/*
 * Copyright (C) 2014 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.setup.v2.resource;

import com.intel.dcsg.cpg.crypto.Sha1Digest;
import com.intel.dcsg.cpg.crypto.SimpleKeystore;
import com.intel.dcsg.cpg.io.FileResource;
import com.intel.dcsg.cpg.x509.X509Util;
import com.intel.mtwilson.My;
import com.intel.mtwilson.jaxrs2.mediatype.CryptoMediaType;
import com.intel.mtwilson.jaxrs2.mediatype.DataMediaType;
import com.intel.mtwilson.launcher.ws.ext.V2;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.BeanParam;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;

/**
 * Utility for the UI to provide users with their "trustagent.env" file contents
 * that can be used when installing and setting up the trust agent to
 * automatically point to this mt wilson server
 *
 * Note that the client provides the username and password as input to this
 * utility for now , but later we might allow the client to automatically
 * generate the username and password (would require the security privileges)
 *
 * @author jbuhacoff
 */
@V2
@Path("/util/trustagent-env-file")
public class TrustAgentEnvironmentUtil {

    public static class BasicAuthorizationInput {

        @FormParam("username")
        public String username;
        @FormParam("password")
        public String password;
    }

    public static class TrustagentEnvFileOutput {

        public String content;
    }

    //         SimpleKeystore keystore = new SimpleKeystore(new FileResource(My.configuration().getTlsKeystoreFile()), My.configuration().getTlsKeystorePassword());
    protected X509Certificate getTlsCertificate() throws FileNotFoundException, IOException, CertificateException {
        // code duplicated from CaCertificatesRepository in mtwilson-attestation-ws-v2
        String certFile = My.configuration().getConfiguration().getString("mtwilson.tls.certificate.file"); // throws IOException
        if (certFile != null && !certFile.startsWith(File.separator)) {
            certFile = "/etc/intel/cloudsecurity/" + certFile;
        }
        if (certFile != null) {
            if (certFile.endsWith(".pem")) {
                File tlsPemFile = new File(certFile);
                try (FileInputStream in = new FileInputStream(tlsPemFile)) { // throws FileNotFoundException
                    String pem = IOUtils.toString(in); // throws IOException
                    X509Certificate cert = X509Util.decodePemCertificate(pem); // throws CertificateException
                    return cert;
                }
            }
            if (certFile.endsWith(".crt")) {
                File tlsPemFile = new File(certFile);
                try (FileInputStream in = new FileInputStream(tlsPemFile)) { // throws FileNotFoundException
                    byte[] der = IOUtils.toByteArray(in); // throws IOException
                    X509Certificate cert = X509Util.decodeDerCertificate(der);
                    return cert;
                }
            }
            throw new FileNotFoundException("Certificate file is not in .pem or .crt format");
        } else {
            throw new FileNotFoundException("Could not obtain TLS cert chain location from config");
        }
    }

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Produces(MediaType.TEXT_PLAIN)
    @RequiresPermissions("files:create")
    public String generateTrustagentEnvFileText(@BeanParam BasicAuthorizationInput input, @Context HttpServletRequest request) throws Exception {
        if (input.username.contains(":")) {
            throw new IllegalArgumentException("The colon ':' is not allowed in usernames");
        }
        String urltext = String.format("%s://%s:%d/mtwilson/v2", request.getScheme(), request.getLocalName(), request.getLocalPort());
        X509Certificate cert = getTlsCertificate();
        String tlsCertFingerprint = Sha1Digest.digestOf(cert.getEncoded()).toHexString();
        String content = String.format("MTWILSON_API_URL=%s\nMTWILSON_API_USERNAME=%s\nMTWILSON_API_PASSWORD=%s\nMTWILSON_TLS_CERT_SHA1=%s\n",
                urltext, input.username, input.password, tlsCertFingerprint);
        return content;
    }

    @POST
    @Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, DataMediaType.APPLICATION_YAML})
    @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, DataMediaType.APPLICATION_YAML})
    @RequiresPermissions("files:create")
    public TrustagentEnvFileOutput generateTrustagentEnvFile(BasicAuthorizationInput input, @Context HttpServletRequest request) throws Exception {
        TrustagentEnvFileOutput output = new TrustagentEnvFileOutput();
        output.content = generateTrustagentEnvFileText(input, request);
        return output;
    }
    
    @GET
    @Produces(MediaType.TEXT_HTML)
    @RequiresPermissions("files:retrieve")
    public String getForm() {
        return "<html><body><form method=\"post\" action=\"trustagent-env-file.txt\"><table><tr><td><label>mtwilson API username: </label></td><td><input type=\"text\" name=\"username\"/></td></tr><tr><td><label>mtwilson API password: </label></td><td><input type=\"password\" name=\"password\"/></td></tr><tr><td> </td></tr><tr><td><input type=\"submit\"/></td></tr></table></form></body></html>";
    }
}