Merge pull request #39 from IBMStreams/develop

Develop

Author: joergboe

CHANGELOG.md

@@ -36,3 +36,8 @@
 * Enhancement in operator HTTPTupleInjection: insert the default values
 * Correction in operator HTTPTupleView: selection of partition fails if attribute has type boolean
 
+## v4.2.0
+* Fixed: Operators can not load trustStore file if path is not an absolute one
+* Enhancemement: Parameter contextResourceBase is now independent from parameter context
+* Enhancemement in description for generation of client certitficate which can be used in a brower
+

com.ibm.streamsx.inetserver/com.ibm.streamsx.inet.rest/namespace-info.spl

@@ -36,9 +36,13 @@
  * [http://d3js.org|D3].
  * 
  * Meta-data for the streams connected to the operators is also available through `HTTP GET` requests,
- * to allow JavaScript applications to self-discover the format of the data.
+ * to allow JavaScript applications to self-discover the format of the data and the to self-discover the connected 
+ * streams and exposed contexts:
+ * * `ports/info` Meta information of the connected ports
+ * * `contexts/info` Meta information of the exposed contexts
+ * * `/` default context mapped to `application_directory/opt/html`
  * 
- * These fixed contexts are provided by the operators:
+ * More fixed contexts are provided by the operators:
  * * `streamsx.inet.resources` Utilities provided by the operators.
  * * `streamsx.inet.dojo` The Dojo Javascript library located at `$STREAMS_INSTALL/ext/dojo`. 
  * 

com.ibm.streamsx.inetserver/com.ibm.streamsx.inet/namespace-info.spl

@@ -76,28 +76,40 @@
  * * `trustStorePassword` - Password to the trust store.
  *
  * # Server Key and Certificate
- * To generate a server key pair use the following command: 
+ * To generate a server key pair in a jks-keystore. Use the following command: 
  *     keytool -genkeypair -keyalg RSA -alias mykey -keypass changeit -storepass changeit -validity 1000 -keystore etc/keystore.jks -dname "CN=<name/hostname>, OU=<org unit>, O=<organization>, L=<locality>, ST=<state>, C=<two-letter country code>"
  * 
  * Check the content of an keystore file:
  *     keytool -list -v -keystore etc/keystore.jks
  * 
- * Extract the certificate for the client trust manager:
+ * Extract the certificate for the client trust manager (pem-file):
  *     keytool -export -rfc -alias mykey -file etc/servercert.pem -storepass changeit -keystore etc/keystore.jks
  * 
- * Insert the the certificate into a new truststore at the client site:
- *     keytool -import -file etc/servercert.pem -alias mykey -keystore etc/cacert.jks -storepass changeit -trustcacerts'
+ * Insert the certificate into a new jks-truststore at the client site:
+ *     keytool -import -file etc/servercert.pem -alias mykey -keystore etc/cacert.jks -storepass changeit -trustcacerts
  * 
- * # Client Key and Certificate
+ * # Client Key and Certificate for clients with jks based keystore
  * 
- * The `dname` of an client key must match to the `dname` of the server key. To generate a client key use the following commands:
- *     keytool -genkeypair -keyalg RSA -alias myclientkey -keypass changeit -storepass changeit -keystore etc/clientkey.jks -dname '<the dname string from the server certificate>'
+ * To generate a client key use the following commands:
+ *     keytool -genkeypair -keyalg RSA -alias myclientkey -keypass changeit -storepass changeit -keystore etc/clientkey.jks -dname "CN=<name/hostname>, OU=<org unit>, O=<organization>, L=<locality>, ST=<state>, C=<two-letter country code>"
  * 
  * Extract the certificate for the server trust manager:
  *     keytool -export -rfc -alias myclientkey -file etc/clientkey.pem -keystore etc/clientkey.jks -storepass changeit -keypass changeit
  * 
- * Insert the the certificate into a new truststore at the srver site:
+ * Insert the the certificate into a new jks-truststore at the server site:
  *     keytool -import -file etc/clientkey.pem -alias myclientkey -keystore etc/cacert.jks -storepass changeit -trustcacerts
+ * 
+ * # Client Key and Certificate for a Browser / Clients with PKCS:
+ * Generate a client key pair in a .pfx file that can be imported into browser.
+ *     keytool -genkeypair -keyalg RSA -alias myclientkey -storepass changeit -keystore etc/client.pfx -storetype PKCS12 -dname "CN=<name/hostname>, OU=<org unit>, O=<organization>, L=<locality>, ST=<state>, C=<two-letter country code>"
+ * 
+ * Export for server as .pem file:
+ *     keytool -export -rfc -alias myclientkey -file etc/clientkey.pem -storepass changeit -keystore etc/client.pfx -storetype PKCS12
+ * 
+ * Import the certificate into a new jks-truststore at the server site:
+ *     keytool -import -file etc/clientkey.pem -keystore etc/cacerts.jks -storepass changeit -trustcacerts
+ *     rm etc/clientkey.pem
+ * 
 */
 
 namespace com.ibm.streamsx.inet;

com.ibm.streamsx.inetserver/impl/java/src/com/ibm/streamsx/inet/rest/engine/ServletEngine.java

@@ -47,14 +47,14 @@
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import org.eclipse.jetty.util.thread.ThreadPool;
-import org.eclipse.jetty.webapp.WebAppContext;
 
 import com.ibm.streams.operator.OperatorContext;
 import com.ibm.streams.operator.StreamingData;
 import com.ibm.streams.operator.management.OperatorManagement;
 import com.ibm.streamsx.inet.rest.ops.Functions;
 import com.ibm.streamsx.inet.rest.ops.PostTuple;
 import com.ibm.streamsx.inet.rest.ops.ServletOperator;
+import com.ibm.streamsx.inet.rest.servlets.ExposedContextInfo;
 import com.ibm.streamsx.inet.rest.servlets.ExposedPortsInfo;
 import com.ibm.streamsx.inet.rest.servlets.PortInfo;
 import com.ibm.streamsx.inet.rest.setup.ExposedPort;
@@ -178,6 +178,10 @@ public void join() throws InterruptedException {
 		portsIntro.addServlet(new ServletHolder( new ExposedPortsInfo(exposedPorts)), "/info");
 		addHandler(portsIntro);
 
+		ServletContextHandler contextIntro = new ServletContextHandler(server, "/contexts", ServletContextHandler.SESSIONS);
+		contextIntro.addServlet(new ServletHolder( new ExposedContextInfo(staticContexts)), "/info");
+		addHandler(contextIntro);
+
 		// making a abs path by combining toolkit directory with the opt/resources dir
 		URI baseToolkitDir = operatorContext.getToolkitDirectory().toURI();
 		addStaticContext("streamsx.inet.resources", PathConversionHelper.convertToAbsPath(baseToolkitDir, "opt/resources"));
@@ -212,14 +216,18 @@ private void setHTTPSConnector(OperatorContext operatorContext, Server server, i
 		File keyStorePathFile = new File(keyStorePath);
 		if (!keyStorePathFile.isAbsolute())
 			keyStorePathFile = new File(operatorContext.getPE().getApplicationDirectory(), keyStorePath);
-		sslContextFactory.setKeyStorePath(keyStorePathFile.getAbsolutePath());
+		String keyStorePathToLoad = keyStorePathFile.getAbsolutePath();
+		System.out.println("keyStorePathToLoad=" + keyStorePathToLoad);
+		sslContextFactory.setKeyStorePath(keyStorePathToLoad);
 		//the key store password is optional
 		if (operatorContext.getParameterNames().contains(SSL_KEYSTORE_PASSWORD_PARAM)) {
 			String keyStorePassword = operatorContext.getParameterValues(SSL_KEYSTORE_PASSWORD_PARAM).get(0);
+			System.out.println("keyStorePassword=****");
 			sslContextFactory.setKeyStorePassword(Functions.obfuscate(keyStorePassword));
 		}
 		//Key password is required
 		String keyPassword = operatorContext.getParameterValues(SSL_KEY_PASSWORD_PARAM).get(0);
+		System.out.println("keyPassword=****");
 		sslContextFactory.setKeyManagerPassword(Functions.obfuscate(keyPassword));
 		//Key alias
 		String alias = operatorContext.getParameterValues(SSL_CERT_ALIAS_PARAM).get(0);
@@ -230,10 +238,13 @@ private void setHTTPSConnector(OperatorContext operatorContext, Server server, i
 			File trustStorePathFile = new File(trustStorePath);
 			if (!trustStorePathFile.isAbsolute())
 				trustStorePathFile = new File(operatorContext.getPE().getApplicationDirectory(), trustStorePath);
-			sslContextFactory.setTrustStorePath(trustStorePath);
+			String trustStorePathToLoad = trustStorePathFile.getAbsolutePath();
+			System.out.println("trustStorePathToLoad=" + trustStorePathToLoad);
+			sslContextFactory.setTrustStorePath(trustStorePathToLoad);
 			sslContextFactory.setNeedClientAuth(true);
 			if (operatorContext.getParameterNames().contains(SSL_TRUSTSTORE_PASSWORD_PARAM)) {
 				String trustStorePassword = operatorContext.getParameterValues(SSL_TRUSTSTORE_PASSWORD_PARAM).get(0);
+				System.out.println("trustStorePassword=****");
 				sslContextFactory.setTrustStorePassword(Functions.obfuscate(trustStorePassword));
 			}
 		}
@@ -421,12 +432,21 @@ public void registerOperator(ServletOperator operator, Object conduit) throws Ex
 				staticContext.setAttribute("operator.conduit", conduit);
 		}
 
-		// For a static context just use the name of the
-		// base operator (without the composite nesting qualifiers)
-		// as the lead in for resources exposed by this operator.
-		// Otherwise use the full name of the operator so that it is unique.
+		// If there is a context parameter in this operator
+		// just use the base name of the operator (without the composite nesting qualifiers)
+		// as the lead in for port resources exposed by this operator.
+		// Otherwise use the full operator name so that it is unique.
+		String ctxName = null;
+		if (operatorContext.getParameterNames().contains(CONTEXT_PARAM)) {
+			ctxName = operatorContext.getParameterValues(CONTEXT_PARAM).get(0);
+
+			if ("".equals(ctxName))
+				throw new IllegalArgumentException("Parameter " + CONTEXT_PARAM + " cannot be empty");
+
+		}
+		
 		String leadIn = operatorContext.getName(); // .replace('.', '/');
-		if (staticContext != null && leadIn.indexOf('.') != -1) {
+		if (ctxName != null && leadIn.indexOf('.') != -1) {
 			leadIn = leadIn.substring(leadIn.lastIndexOf('.') + 1);
 		}
 
@@ -436,10 +456,9 @@ public void registerOperator(ServletOperator operator, Object conduit) throws Ex
 				operatorContext.getNumberOfStreamingOutputs() != 0) {
 
 			String portsContextPath = "/" + leadIn + "/ports";
-			if (staticContext != null)
-				portsContextPath = staticContext.getContextPath() + portsContextPath;
-			ports = new ServletContextHandler(server, portsContextPath,
-					ServletContextHandler.SESSIONS);
+			if (ctxName != null)
+				portsContextPath = "/" + ctxName + portsContextPath;
+			ports = new ServletContextHandler(server, portsContextPath, ServletContextHandler.SESSIONS);
 
 			ports.setAttribute("operator.context", operatorContext);
 			if (conduit != null)
@@ -480,10 +499,10 @@ public void registerOperator(ServletOperator operator, Object conduit) throws Ex
 			addHandler(ports);
 	}
 
-	public static class OperatorWebAppContext extends WebAppContext {
+	/*public static class OperatorWebAppContext extends WebAppContext {
 		public OperatorWebAppContext() {
 		}
-	}
+	}*/
 
 	@Override
 	public void postDeregister() {

com.ibm.streamsx.inetserver/impl/java/src/com/ibm/streamsx/inet/rest/ops/RequestProcess.java

@@ -114,21 +114,18 @@ public void setTrustStorePassword(String ksp) {}
 
 	@ContextCheck
 	public static void checkContextParameters(OperatorContextChecker checker) {	
-		checker.checkDependentParameters("context", "contextResourceBase");
-		checker.checkDependentParameters("contextResourceBase", "context");
 
 		checker.checkDependentParameters(ServletEngine.SSL_CERT_ALIAS_PARAM, ServletEngine.SSL_KEYSTORE_PARAM, ServletEngine.SSL_KEY_PASSWORD_PARAM);
 		checker.checkDependentParameters(ServletEngine.SSL_KEY_PASSWORD_PARAM, ServletEngine.SSL_CERT_ALIAS_PARAM);
 		checker.checkDependentParameters(ServletEngine.SSL_KEYSTORE_PASSWORD_PARAM, ServletEngine.SSL_CERT_ALIAS_PARAM);
 
 		checker.checkDependentParameters(ServletEngine.SSL_TRUSTSTORE_PARAM, ServletEngine.SSL_CERT_ALIAS_PARAM);
 		checker.checkDependentParameters(ServletEngine.SSL_TRUSTSTORE_PASSWORD_PARAM, ServletEngine.SSL_TRUSTSTORE_PARAM);
-		
-		checker.checkDependentParameters(ServletEngine.CONTEXT_PARAM, ServletEngine.CONTEXT_RESOURCE_BASE_PARAM);
+	
 		checker.checkDependentParameters(ServletEngine.CONTEXT_RESOURCE_BASE_PARAM, ServletEngine.CONTEXT_PARAM);
 	}
 
-	static final String CONTEXT_DESC = "Define a URL context path that maps to the resources defined by" + 
+	static final String CONTEXT_DESC = "Define a URL context path that maps to the resources defined by " + 
 			"`contextResourceBase`. This allows a composite that invokes this operator in a " + 
 			"toolkit to provide resources regardless of the value of the application's data directory. " + 
 			"For example setting it to *maps* would result in the URL */maps/index.html* " + 
@@ -159,5 +156,6 @@ public static void checkContextParameters(OperatorContextChecker checker) {
 			"\\n" + 
 			"    param\\n" + 
 			"      context: “maps”\\n" + 
-			"      contextResourceBase: getThisToolkitDir() + “/opt/resources/mapinfo”\\n";
+			"      contextResourceBase: getThisToolkitDir() + “/opt/resources/mapinfo”\\n\\n" +
+			"If this parameter is applied parameter `" + ServletEngine.CONTEXT_RESOURCE_BASE_PARAM + "` is required too.";
 }

com.ibm.streamsx.inetserver/impl/java/src/com/ibm/streamsx/inet/rest/ops/ServletOperator.java

@@ -1,6 +1,6 @@
 /*
 # Licensed Materials - Property of IBM
-# Copyright IBM Corp. 2011, 2014 
+# Copyright IBM Corp. 2011, 2019 
 # US Government Users Restricted Rights - Use, duplication or
 # disclosure restricted by GSA ADP Schedule Contract with
 # IBM Corp.

com.ibm.streamsx.inetserver/impl/java/src/com/ibm/streamsx/inet/rest/ops/WebContext.java

@@ -0,0 +1,48 @@
+/*
+# Licensed Materials - Property of IBM
+# Copyright IBM Corp. 2019, 2020
+*/
+package com.ibm.streamsx.inet.rest.servlets;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Map;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.eclipse.jetty.servlet.ServletContextHandler;
+
+import com.ibm.json.java.JSONArray;
+import com.ibm.json.java.JSONObject;
+
+@SuppressWarnings("serial")
+public class ExposedContextInfo extends HttpServlet {
+	
+	private final Map<String, ServletContextHandler> staticContexts;
+	
+	public ExposedContextInfo(Map<String, ServletContextHandler> staticContexts) {
+		this.staticContexts = staticContexts;
+	}
+	
+	@Override
+	public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+
+		response.setCharacterEncoding("UTF-8");
+		response.setContentType("application/json");
+		PrintWriter out = response.getWriter();
+		response.setStatus(HttpServletResponse.SC_OK);
+
+		JSONObject jresp = new JSONObject();
+		JSONArray jcontexts = new JSONArray();
+		for (String ctx : staticContexts.keySet()) {
+			jcontexts.add("/" + ctx);
+		}
+		jresp.put("contexts", jcontexts);
+		out.println(jresp.serialize());
+		out.flush();
+		out.close();
+	}
+}