Merge branch '589-tcpkeepalive'

mateuszrzeszutek · May 2, 2018 · 33b33f6 · 33b33f6
2 parents b415ca6 + 47b3dfd
commit 33b33f6
Show file tree

Hide file tree

Showing 10 changed files with 129 additions and 14 deletions.
diff --git a/config/luna_security_provider.yml b/config/luna_security_provider.yml
@@ -19,3 +19,4 @@ version: 6.+
 repository_root: http://files.cf-hsm.io/luna-installer
 ha_logging_enabled: true
 logging_enabled: false
+tcp_keep_alive_enabled: false
diff --git a/docs/framework-luna_security_provider.md b/docs/framework-luna_security_provider.md
@@ -93,6 +93,7 @@ The framework can be configured by modifying the [`config/luna_security_provider
 | ---- | -----------
 | `ha_logging_enabled` | Whether to enable HA logging for the Luna Security Provider.  Defaults to `true`.
 | `logging_enabled` | Whether to enable the logging wrapper for the Luna Security Provider.  Defaults to `false`.
+| `tcp_keep_alive_enabled` | Whether to enable the client TCP keep alive setting for the Luna Security Provider.  Defaults to `false`.
 | `repository_root` | The URL of the Luna Security Provider repository index ([details][repositories]).
 | `version` | Version of the Luna Security Provider to use.
 

diff --git a/lib/java_buildpack/framework/luna_security_provider.rb b/lib/java_buildpack/framework/luna_security_provider.rb
@@ -113,6 +113,10 @@ def ha_logging?
         @configuration['ha_logging_enabled']
       end
 
+      def tcp_keep_alive
+        @configuration['tcp_keep_alive_enabled'] ? 1 : 0
+      end
+
       def padded_index(index)
         index.to_s.rjust(2, '0')
       end
@@ -157,8 +161,8 @@ def write_epilogue(f, groups)
 
           HAConfiguration = {
             AutoReconnectInterval = 60;
-            HAOnly = 1;
-            reconnAtt = -1;
+            HAOnly                = 1;
+            reconnAtt             = -1;
         HA
         write_ha_logging(f) if ha_logging?
         f.write <<~HA
@@ -212,8 +216,8 @@ def write_logging(f)
 
       def write_ha_logging(f)
         f.write <<~HA
-          haLogStatus = enabled;
-          haLogToStdout = enabled;
+          haLogStatus           = enabled;
+          haLogToStdout         = enabled;
         HA
       end
 
@@ -223,7 +227,8 @@ def write_prologue(f)
         f.write <<~CLIENT
 
           LunaSA Client = {
-            NetClient = 1;
+            TCPKeepAlive = #{tcp_keep_alive};
+            NetClient    = 1;
 
             ClientCertFile    = #{relative(client_certificate)};
             ClientPrivKeyFile = #{relative(client_private_key)};

diff --git a/spec/fixtures/framework_luna_security_provider/Chrystoki.conf b/spec/fixtures/framework_luna_security_provider/Chrystoki.conf
@@ -17,7 +17,8 @@ Chrystoki2 = {
 }
 
 LunaSA Client = {
-  NetClient = 1;
+  TCPKeepAlive = 0;
+  NetClient    = 1;
 
   ClientCertFile    = .java-buildpack/luna_security_provider/client-certificate.pem;
   ClientPrivKeyFile = .java-buildpack/luna_security_provider/client-private-key.pem;
@@ -47,8 +48,8 @@ VirtualToken = {
 
 HAConfiguration = {
   AutoReconnectInterval = 60;
-  HAOnly = 1;
-  reconnAtt = -1;
+  HAOnly                = 1;
+  reconnAtt             = -1;
 }
 
 HASynchronize = {

diff --git a/spec/fixtures/framework_luna_security_provider_logging/Chrystoki.conf b/spec/fixtures/framework_luna_security_provider_logging/Chrystoki.conf
@@ -25,7 +25,8 @@ CkLog2 = {
 }
 
 LunaSA Client = {
-  NetClient = 1;
+  TCPKeepAlive = 0;
+  NetClient    = 1;
 
   ClientCertFile    = .java-buildpack/luna_security_provider/client-certificate.pem;
   ClientPrivKeyFile = .java-buildpack/luna_security_provider/client-private-key.pem;
@@ -55,10 +56,10 @@ VirtualToken = {
 
 HAConfiguration = {
   AutoReconnectInterval = 60;
-  HAOnly = 1;
-  reconnAtt = -1;
-haLogStatus = enabled;
-haLogToStdout = enabled;
+  HAOnly                = 1;
+  reconnAtt             = -1;
+haLogStatus           = enabled;
+haLogToStdout         = enabled;
 }
 
 HASynchronize = {

diff --git a/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/Chrystoki.conf b/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/Chrystoki.conf
@@ -0,0 +1,68 @@
+Luna = {
+  CloningCommandTimeOut = 300000;
+  CommandTimeOutPedSet  = 720000;
+  DefaultTimeOut        = 500000;
+  KeypairGenTimeOut     = 2700000;
+  PEDTimeout1           = 100000;
+  PEDTimeout2           = 200000;
+  PEDTimeout3           = 10000;
+}
+
+Misc = {
+  PE1746Enabled = 0;
+}
+
+Chrystoki2 = {
+  LibUNIX64 = .java-buildpack/luna_security_provider/libs/64/libcklog2.so;
+}
+
+CkLog2 = {
+  Enabled      = 1;
+  LibUNIX64    = .java-buildpack/luna_security_provider/libs/64/libCryptoki2.so;
+  LoggingMask  = ALL_FUNC;
+  LogToStreams = 1;
+  NewFormat    = 1;
+}
+
+LunaSA Client = {
+  TCPKeepAlive = 1;
+  NetClient    = 1;
+
+  ClientCertFile    = .java-buildpack/luna_security_provider/client-certificate.pem;
+  ClientPrivKeyFile = .java-buildpack/luna_security_provider/client-private-key.pem;
+  HtlDir            = .java-buildpack/luna_security_provider/htl;
+  ServerCAFile      = .java-buildpack/luna_security_provider/server-certificates.pem;
+
+  ServerName00 = test-server-1;
+  ServerPort00 = 1792;
+  ServerHtl00  = 0;
+
+  ServerName01 = test-server-2;
+  ServerPort01 = 1792;
+  ServerHtl01  = 0;
+
+}
+
+VirtualToken = {
+  VirtualToken00Label   = test-group-1;
+  VirtualToken00SN      = 1test-group-1-member-1;
+  VirtualToken00Members = test-group-1-member-1,test-group-1-member-2;
+
+  VirtualToken01Label   = test-group-2;
+  VirtualToken01SN      = 1test-group-2-member-1;
+  VirtualToken01Members = test-group-2-member-1,test-group-2-member-2;
+
+}
+
+HAConfiguration = {
+  AutoReconnectInterval = 60;
+  HAOnly                = 1;
+  reconnAtt             = -1;
+haLogStatus           = enabled;
+haLogToStdout         = enabled;
+}
+
+HASynchronize = {
+  test-group-1 = 1;
+  test-group-2 = 1;
+}
diff --git a/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/client-certificate.pem b/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/client-certificate.pem
@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+test-client-cert
+-----END CERTIFICATE-----
diff --git a/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/client-private-key.pem b/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/client-private-key.pem
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+test-client-private-key
+-----END RSA PRIVATE KEY-----
diff --git a/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/server-certificates.pem b/spec/fixtures/framework_luna_security_provider_tcp_keep_alive/server-certificates.pem
@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+test-server-1-cert
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+test-server-2-cert
+-----END CERTIFICATE-----
diff --git a/spec/java_buildpack/framework/luna_security_provider_spec.rb b/spec/java_buildpack/framework/luna_security_provider_spec.rb
@@ -159,7 +159,13 @@
     end
 
     context do
-      let(:configuration) { { 'logging_enabled' => true, 'ha_logging_enabled' => true } }
+      let(:configuration) do
+        {
+          'logging_enabled' => true,
+          'ha_logging_enabled' => true,
+          'tcp_keep_alive_enabled' => false
+        }
+      end
 
       it 'writes configuration',
          cache_fixture: 'stub-luna-security-provider.tar' do
@@ -172,6 +178,26 @@
       end
     end
 
+    context do
+      let(:configuration) do
+        {
+          'logging_enabled' => true,
+          'ha_logging_enabled' => true,
+          'tcp_keep_alive_enabled' => true
+        }
+      end
+
+      it 'writes configuration with client tcp keep alive',
+         cache_fixture: 'stub-luna-security-provider.tar' do
+
+        component.compile
+
+        expect(sandbox + 'Chrystoki.conf').to exist
+        check_file_contents(sandbox + 'Chrystoki.conf',
+                            'spec/fixtures/framework_luna_security_provider_tcp_keep_alive/Chrystoki.conf')
+      end
+    end
+
     def check_file_contents(actual, expected)
       expect(File.read(actual)).to eq File.read(expected)
     end