#16 Generate TLS keystore

Author: vityaman

backend/.gitignore

@@ -18,13 +18,16 @@
 *.zip
 *.tar.gz
 *.rar
-*.pem
 
-# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
+# Virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 replay_pid*
 
 # Gradle
 build/
 .gradle/
 .kotlin
+
+# Secrets
+*.pem
+*.p12

backend/authik/src/test/kotlin/ru/ifmo/se/dating/authik/AuthikTestSuite.kt

@@ -7,6 +7,7 @@ import org.springframework.test.context.ContextConfiguration
 import org.springframework.test.context.junit4.SpringRunner
 import ru.ifmo.se.dating.Application
 import ru.ifmo.se.dating.PostgresInitializer
+import ru.ifmo.se.dating.SecurityInitializer
 
 @RunWith(SpringRunner::class)
 @ActiveProfiles(profiles = ["test"])
@@ -18,6 +19,7 @@ import ru.ifmo.se.dating.PostgresInitializer
 @ContextConfiguration(
     initializers = [
         PostgresInitializer::class,
+        SecurityInitializer::class,
     ],
 )
 abstract class AuthikTestSuite

backend/config/crypto/keys.bash

@@ -0,0 +1,60 @@
+set -e
+
+cd "$(dirname "$0")" || exit
+
+MODE="$1"
+ENV="$2"
+
+ALIAS="itmo-dating"
+KEYSTORE="keystore.p12"
+INSTALL_PATH="foundation/src/main/resources/keystore"
+PASSWORD="$ITMO_DATING_KEY_STORE_PASSWORD"
+
+function copy() {
+  cp "$1" "../../$INSTALL_PATH/$1"
+}
+
+function remove() {
+  rm -f "$1" "../../$INSTALL_PATH/$1"
+}
+
+function generate() {
+  keytool \
+    -genkeypair \
+    -alias      "$ALIAS" \
+    -keyalg     RSA \
+    -keysize    4096 \
+    -validity   1 \
+    -dname      "CN=localhost" \
+    -keypass    "$PASSWORD" \
+    -keystore   "$KEYSTORE" \
+    -storeType  PKCS12 \
+    -storepass  "$PASSWORD"
+
+  openssl pkcs12 -in "$KEYSTORE" -nocerts -out "$ALIAS-private.pem"
+  openssl pkcs12 -in "$KEYSTORE" -nokeys  -out "$ALIAS-public.pem"
+
+  copy "$KEYSTORE"
+  copy "$ALIAS-private.pem"
+  copy "$ALIAS-public.pem"
+}
+
+function clear() {
+  remove "$KEYSTORE"
+  remove "$ALIAS-private.pem"
+  remove "$ALIAS-public.pem"
+}
+
+if [ "$ENV" = "test" ]; then
+  PASSWORD="testing-keystore-password"
+fi
+
+if [ "$MODE" = "generate" ]; then
+  generate
+elif [ "$MODE" = "clear" ]; then
+  clear
+else
+  echo "Error: Invalid argument '$MODE'."
+  echo "Usage: $0 <generate|clear>"
+  exit 1
+fi

backend/config/env/.env

@@ -1,4 +1,5 @@
 ITMO_DATING_TOKEN_SIGN_KEY_PUBLIC="RSA:MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEArnKw3YcR3WJeLW64J6gc+8dT/ptl4Oi1kdfgib1EQBJmiNVmzgx6hnmf60MhTCbPHeKhbBKzozyFlboO32Aqx5Nfb0UAU2ssl99tuNi8R2VsYby6wkog58GgFidffKohdhWjOZaa3rBNI1D8CQXckk5WW4eFbonB6Vo84OLsebW5CX9ob8bCsJBX2iZYwS+WNCluUMFgxRyaLuyhtyKp0YRa7oje7iu3EXiLnaXTAFhGSP+iK6GxMUPORvGZYfJ7z+tpj6OYQId5cwYD/+5EXFM4wCkq82VDbj99mJqClpHs+1DhPP7sO/aSDM9SONXjAsMTtq27jJgdvEADpd6pHtwv/tHv1PsRS6DiQYFQSx5egc48JEiVDsBkMy3TzOmvf2dAU1KLWImNSwCybnwQiBhoRr2xPuUB6gNwyrUM8gSiX5HfK9pPX2LueberFzBYnzi8yR1phkLlqfvMZn9q6uRp9ysrtsw2tGf+Wn8BlbAoq3W8hD8ufr5pR03zHGvnAgMBAAE="
+ITMO_DATING_KEY_STORE_PASSWORD="testing-keystore-password"
 
 ITMO_DATING_AUTHIK_POSTGRES_DB="postgres"
 ITMO_DATING_AUTHIK_POSTGRES_USER="postgres"

backend/foundation-test/src/main/kotlin/ru/ifmo/se/dating/SecurityInitializer.kt

@@ -0,0 +1,17 @@
+package ru.ifmo.se.dating
+
+import org.springframework.boot.test.util.TestPropertyValues
+import org.springframework.context.ApplicationContextInitializer
+import org.springframework.context.ConfigurableApplicationContext
+
+class SecurityInitializer :
+    ApplicationContextInitializer<ConfigurableApplicationContext> {
+
+    private val keyStorePassword: String = "testing-keystore-password"
+
+    override fun initialize(ctx: ConfigurableApplicationContext) {
+        TestPropertyValues.of(
+            "server.ssl.key-store-password=$keyStorePassword",
+        ).applyTo(ctx.environment)
+    }
+}

backend/foundation/src/main/resources/application-foundation.yml

@@ -1,14 +1,15 @@
 server:
-  port: 8080
   ssl:
-    certificate: "classpath:cert.pem"
-    certificate-private-key: "classpath:privkey.pem"
-    trust-certificate: "classpath:chain.pem"
+    enabled: true
+    key-store-type: PKCS12
+    key-store: classpath:keystore/keystore.p12
+    protocol: TLS
+    enabled-protocols: TLSv1.3
 spring:
   datasource:
     driver-class-name: org.postgresql.Driver
   liquibase:
-    change-log: classpath:database/changelog.sql
+    change-log: database/changelog.sql
 springdoc:
   api-docs:
     path: /openapi

backend/matchmaker/src/test/kotlin/ru/ifmo/se/dating/matchmaker/MatchmakerTestSuite.kt

@@ -7,6 +7,7 @@ import org.springframework.test.context.ContextConfiguration
 import org.springframework.test.context.junit4.SpringRunner
 import ru.ifmo.se.dating.Application
 import ru.ifmo.se.dating.PostgresInitializer
+import ru.ifmo.se.dating.SecurityInitializer
 
 @RunWith(SpringRunner::class)
 @ActiveProfiles(profiles = ["test"])
@@ -18,6 +19,7 @@ import ru.ifmo.se.dating.PostgresInitializer
 @ContextConfiguration(
     initializers = [
         PostgresInitializer::class,
+        SecurityInitializer::class,
     ],
 )
 abstract class MatchmakerTestSuite

backend/people/src/test/kotlin/ru/ifmo/se/dating/people/PeopleTestSuite.kt

@@ -7,6 +7,7 @@ import org.springframework.test.context.ContextConfiguration
 import org.springframework.test.context.junit4.SpringRunner
 import ru.ifmo.se.dating.Application
 import ru.ifmo.se.dating.PostgresInitializer
+import ru.ifmo.se.dating.SecurityInitializer
 
 @RunWith(SpringRunner::class)
 @ActiveProfiles(profiles = ["test"])
@@ -18,6 +19,7 @@ import ru.ifmo.se.dating.PostgresInitializer
 @ContextConfiguration(
     initializers = [
         PostgresInitializer::class,
+        SecurityInitializer::class,
     ],
 )
 abstract class PeopleTestSuite