TrustagentConfiguration.java

/*
 * Copyright (C) 2014 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.trustagent;

import com.intel.dcsg.cpg.configuration.CommonsConfigurationAdapter;
import com.intel.dcsg.cpg.configuration.Configuration;
import com.intel.dcsg.cpg.configuration.PropertiesConfiguration;
import com.intel.dcsg.cpg.net.NetUtils;
import com.intel.mtwilson.configuration.AbstractConfiguration;
import java.io.File;
import com.intel.mtwilson.MyFilesystem;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.SocketException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;

/**
 *
 * @author jbuhacoff
 */
public class TrustagentConfiguration extends AbstractConfiguration {
    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(TrustagentConfiguration.class);

    // Variables such as TRUSTAGENT_HOME, TRUSTAGENT_CONF, etc. for filesystem
    // paths are not defined here; see MyFilesystem instead.
    // Trust Agent administrator username and password is not defined here,
    // see shiro.ini and password.txt files instead and administrator must
    // provide the username and password when connecting to Trust Agent.
    
    public final static String MTWILSON_API_URL = "mtwilson.api.url";
    public final static String MTWILSON_TLS_CERT_SHA1 = "mtwilson.tls.cert.sha1";
    public final static String MTWILSON_API_USERNAME = "mtwilson.api.username"; // NOTE: MUST NOT STORE THE VALUE
    public final static String MTWILSON_API_PASSWORD = "mtwilson.api.password"; // NOTE: MUST NOT STORE THE VALUE
    public final static String TPM_OWNER_SECRET = "tpm.owner.secret"; // 20 bytes hex (40 hex digits)
    public final static String TPM_SRK_SECRET = "tpm.srk.secret"; // 20 bytes hex (40 hex digits)
    public final static String AIK_SECRET = "aik.secret"; // 20 bytes hex (40 hex digits)
    public final static String AIK_INDEX = "aik.index"; // integer, default 1  but original HIS code from NIARL defaulted to zero
    public final static String TRUSTAGENT_HTTP_TLS_PORT = "trustagent.http.tls.port"; // default 1443 
    public final static String TRUSTAGENT_TLS_CERT_DN = "trustagent.tls.cert.dn"; // default CN=trustagent
    public final static String TRUSTAGENT_TLS_CERT_IP = "trustagent.tls.cert.ip"; // default 127.0.0.1  , can be comma-separated list of values
    public final static String TRUSTAGENT_TLS_CERT_DNS = "trustagent.tls.cert.dns";// default localhost  , can be comma-separated list of values
    public final static String TRUSTAGENT_KEYSTORE_PASSWORD = "trustagent.keystore.password";
    public final static String DAA_ENABLED = "daa.enabled"; // default false for 1.2 and 2.0
    public final static String TPM_QUOTE_IPV4 = "tpm.quote.ipv4";
    public static final String HARDWARE_UUID = "hardware.uuid";
    
    public TrustagentConfiguration(org.apache.commons.configuration.Configuration configuration) {
        this(new CommonsConfigurationAdapter(configuration));
    }
    public TrustagentConfiguration(Configuration configuration) {
        super();
        configure(configuration);
//        initEnvironmentConfiguration(configuration);
    }
    /*
    private void initEnvironmentConfiguration(Configuration given) {
        // using the environment configuration 
        // allows the MTWILSON_API_USERNAME and MTWILSON_API_PASSWORD to be set
        // in the environment instead of in trustagent.properties
        Configuration env = new KeyTransformerConfiguration(new AllCapsNamingStrategy(), new EnvironmentConfiguration()); // transforms mtwilson.ssl.cert.sha1 to MTWILSON_SSL_CERT_SHA1 
        Configuration configuration = new CompositeConfiguration(given, env);        
        setConfiguration(configuration);
    }
    */
    
    /**
     * NOTE: this comes from an environment variable and would only be used
     * during setup for automatic approval of the mtwilson tls cert when the
     * admin sets the env var MTWILSON_TLS_CERT_SHA1 to be a comma-separated list
     * of valid SHA1 digests. During setup the authorized certificates are 
     * saved to the trustagent.jks keystore so this env var is not needed 
     * after setup.
     * 
     * @return 
     */
    public List<String> getMtWilsonTlsCertificateFingerprints() {        
        String fingerprintCsv = getConfiguration().getString(MTWILSON_TLS_CERT_SHA1);
        if( fingerprintCsv == null || fingerprintCsv.isEmpty() ) {
            return Collections.EMPTY_LIST;
        }
        return Arrays.asList(fingerprintCsv.split("\\s*,\\s*"));
            
    }
    
    /*
    public File getWebAppContextFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "web.xml");
    }
    */
    
    public String getMtWilsonApiUrl() {
        return getConfiguration().getString(MTWILSON_API_URL);// intentionally no default - this must be configured during setup
    }
    public String getMtWilsonApiUsername() {
        return getConfiguration().getString(MTWILSON_API_USERNAME);// intentionally no default - this must be configured during setup
    }
    public String getMtWilsonApiPassword() {
        return getConfiguration().getString(MTWILSON_API_PASSWORD);// intentionally no default - this must be configured during setup
    }
    public String getTpmOwnerSecretHex() {
        return getConfiguration().getString(TPM_OWNER_SECRET); // intentionally no default - this must be generated during setup
    }
    public byte[] getTpmOwnerSecret() {
        try {
            return Hex.decodeHex(getTpmOwnerSecretHex().toCharArray());
        }
        catch(DecoderException e) {
            throw new IllegalArgumentException("Invalid owner secret", e);
        }
    }
    public String getTpmSrkSecretHex() {
        return getConfiguration().getString(TPM_SRK_SECRET); // intentionally no default - this must be generated during setup
    }
    public byte[] getTpmSrkSecret() {
        try {
            return Hex.decodeHex(getTpmSrkSecretHex().toCharArray());
        }
        catch(DecoderException e) {
            throw new IllegalArgumentException("Invalid SRK secret", e);
        }
    }
    public String getAikSecretHex() {
        return getConfiguration().getString(AIK_SECRET); // intentionally no default - this must be generated during setup
    }
    public byte[] getAikSecret() {
        try {
            return Hex.decodeHex(getAikSecretHex().toCharArray());
        }
        catch(DecoderException e) {
            throw new IllegalArgumentException("Invalid AIK secret", e);
        }
    }
    public int getAikIndex() {
        return getConfiguration().getInteger(AIK_INDEX, 1); 
    }
    
    public File getAikCertificateFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "aik.pem");        
    }
    public File getAikBlobFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "aik.blob");        
    }
    
    public int getTrustagentHttpTlsPort() {
        return getConfiguration().getInteger(TRUSTAGENT_HTTP_TLS_PORT, 1443);
    }
    public String getTrustagentTlsCertDn() {
        return getConfiguration().getString(TRUSTAGENT_TLS_CERT_DN, "CN=trustagent");
    }
        
    public String getTrustagentTlsCertIp() {
        return getConfiguration().getString(TRUSTAGENT_TLS_CERT_IP, "");
    }
    public String[] getTrustagentTlsCertIpArray() throws SocketException {
//        return getConfiguration().getString(TRUSTAGENT_TLS_CERT_IP, "127.0.0.1").split(",");
        String[] TlsCertIPs = getConfiguration().getString(TRUSTAGENT_TLS_CERT_IP, "").split(",");
        if (TlsCertIPs != null && !TlsCertIPs[0].isEmpty()) {
            log.debug("Retrieved IPs from trust agent configuration: {}", (Object[])TlsCertIPs);
            return TlsCertIPs;
        }
        List<String> TlsCertIPsList = NetUtils.getNetworkAddressList(); // never returns null but may be empty
        String[] ipListArray = new String[TlsCertIPsList.size()];
        if (ipListArray.length > 0) {
            log.debug("Retrieved IPs from network configuration: {}", (Object[])ipListArray);
            return TlsCertIPsList.toArray(ipListArray);
        }
        log.debug("Returning default IP address [127.0.0.1]");
        return new String[]{"127.0.0.1"};
    }
    public String getTrustagentTlsCertDns() {
        return getConfiguration().getString(TRUSTAGENT_TLS_CERT_DNS, "");
    }
    public String[] getTrustagentTlsCertDnsArray() throws SocketException {
//        return getConfiguration().getString(TRUSTAGENT_TLS_CERT_DNS, "localhost").split(",");
        String[] TlsCertDNs = getConfiguration().getString(TRUSTAGENT_TLS_CERT_DNS, "").split(",");
        if (TlsCertDNs != null && !TlsCertDNs[0].isEmpty()) {
            log.debug("Retrieved Domain Names trust agent from configuration: {}", (Object[])TlsCertDNs);
            return TlsCertDNs;
        }
        List<String> TlsCertDNsList = NetUtils.getNetworkHostnameList(); // never returns null but may be empty
        String[] dnListArray = new String[TlsCertDNsList.size()];
        if (dnListArray.length > 0) {
            log.debug("Retrieved Domain Names from network configuration: {}", (Object[])dnListArray);
            return TlsCertDNsList.toArray(dnListArray);
        }
        log.debug("Returning default Domain Name [localhost]");
        return new String[]{"localhost"};
    }
    
    public File getTrustagentKeystoreFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "trustagent.jks");
    }
    public String getTrustagentKeystorePassword() {
        return getConfiguration().getString(TRUSTAGENT_KEYSTORE_PASSWORD); // intentionally no default - this must be generated during setup
    }
    
    public File getEndorsementAuthoritiesFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "endorsement.pem");
    }

    public File getTrustagentUserFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "users.txt");
    }
    public File getTrustagentPermissionsFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "permissions.txt");
    }
    public File getTrustagentEtagCacheFile() {
        return new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "etag.cache");
    }
    
    public boolean isDaaEnabled() {
        return getConfiguration().getBoolean(DAA_ENABLED, false);
    }
    public boolean isTpmQuoteWithIpAddress() {
        return getConfiguration().getBoolean(TPM_QUOTE_IPV4, true);
    }
    
    public String getHardwareUuid() {
        return getConfiguration().getString(HARDWARE_UUID);
    }
    
    public File getMeasureLogLaunchScript() {
        return new File(MyFilesystem.getApplicationFilesystem().getBootstrapFilesystem().getBinPath() + File.separator + "module_analysis.sh");
    } 

    public String getMtwilsonTlsPolicyCertificateSha1() {
        return getConfiguration().getString("mtwilson.tls.cert.sha1");
    }
    
    public Properties getMtWilsonClientProperties() {
        Properties properties = new Properties();
        properties.setProperty("mtwilson.api.url", getMtWilsonApiUrl());
        properties.setProperty("mtwilson.api.username", getMtWilsonApiUsername());
        properties.setProperty("mtwilson.api.password", getMtWilsonApiPassword());
        properties.setProperty("mtwilson.api.tls.policy.certificate.keystore.file", getTrustagentKeystoreFile().getAbsolutePath());
        properties.setProperty("mtwilson.api.tls.policy.certificate.keystore.password", getTrustagentKeystorePassword());
        properties.setProperty("mtwilson.api.tls.policy.certificate.sha1", getMtwilsonTlsPolicyCertificateSha1());
        properties.setProperty("mtwilson.tls.cert.sha1", getMtwilsonTlsPolicyCertificateSha1());
        return properties;
    }
    
    
    public static TrustagentConfiguration loadConfiguration() throws IOException {
        File file = new File(MyFilesystem.getApplicationFilesystem().getConfigurationPath() + File.separator + "trustagent.properties");
        if( file.exists() ) {
            try(FileInputStream in = new FileInputStream(file)) {
                Properties properties = new Properties();
                properties.load(in);
                TrustagentConfiguration configuration = new TrustagentConfiguration(new PropertiesConfiguration(properties));
                return configuration;
            }
        }
        else {
            TrustagentConfiguration configuration = new TrustagentConfiguration(new PropertiesConfiguration());
            return configuration;
        }
    }
}