Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/05/10 16:30:09 UTC

[tomcat] branch main updated: Adding a ServiceBindingPropertySource

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new ba7f29a0cb Adding a ServiceBindingPropertySource
ba7f29a0cb is described below

commit ba7f29a0cb916f81df669ad59144f5cd301c4c41
Author: Gareth Evans <g....@sap.com>
AuthorDate: Tue May 10 10:26:52 2022 +0100

    Adding a ServiceBindingPropertySource
    
    The property source allows values in Tomcat's configuration
    files to be injected directly from a servicebinding.io's
    Service Binding without having to be converted to an
    environment variable first.
    
    Co-authored-by: Sumit Kulhadia <su...@sap.com>
    Co-authored-by: Gareth Evans <g....@sap.com>
---
 .../digester/ServiceBindingPropertySource.java     | 119 +++++++++++++++++++++
 webapps/docs/config/systemprops.xml                |   5 +-
 2 files changed, 123 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java
new file mode 100644
index 0000000000..526ad37a1e
--- /dev/null
+++ b/java/org/apache/tomcat/util/digester/ServiceBindingPropertySource.java
@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.digester;
+
+import java.security.Permission;
+
+import org.apache.tomcat.util.IntrospectionUtils;
+import org.apache.tomcat.util.security.PermissionCheck;
+import java.io.IOException;
+import java.io.FilePermission;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+/**
+ * A {@link org.apache.tomcat.util.IntrospectionUtils.SecurePropertySource}
+ * that uses Kubernetes service bindings to resolve expressions.
+ *
+ * <p><strong>Usage example:</strong></p>
+ *
+ * Configure the certificate with a service binding.
+ *
+ * When the service binding is constructed as follows:
+ *
+ * <pre>
+ *    $SERVICE_BINDING_ROOT/
+ *                         /custom-certificate/
+ *                                            /keyFile
+ *                                            /file
+ *                                            /chainFile
+ * </pre>
+ * <pre>
+ *   {@code
+ *     <SSLHostConfig>
+ *           <Certificate certificateKeyFile="${custom-certificate.keyFile}"
+ *                        certificateFile="${custom-certificate.file}"
+ *                        certificateChainFile="${custom-certificate.chainFile}"
+ *                        type="RSA" />
+ *     </SSLHostConfig> }
+ * </pre>
+ *
+ * How to configure:
+ * <pre>
+ * {@code
+ *   echo "org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource" >> conf/catalina.properties}
+ * </pre>
+ * or add this to {@code CATALINA_OPTS}
+ *
+ * <pre>
+ * {@code
+ *   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource}
+ * </pre>
+ *
+ * <b>NOTE</b>: When configured the PropertySource for resolving expressions
+ *              from system properties is still active.
+ *
+ * @see Digester
+ *
+ * @see <a href="https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements">Tomcat Configuration Reference System Properties</a>
+ */
+public class ServiceBindingPropertySource implements IntrospectionUtils.SecurePropertySource {
+
+    private static final String SERVICE_BINDING_ROOT_ENV_VAR = "SERVICE_BINDING_ROOT";
+
+    @Override
+    public String getProperty(String key) {
+        return null;
+    }
+
+    @Override
+    public String getProperty(String key, ClassLoader classLoader) {
+        // can we determine the service binding root
+        if (classLoader instanceof PermissionCheck) {
+            Permission p = new RuntimePermission("getenv." + SERVICE_BINDING_ROOT_ENV_VAR, null);
+            if (!((PermissionCheck) classLoader).check(p)) {
+                return null;
+            }
+        }
+
+        // get the root to search from
+        String serviceBindingRoot = System.getenv(SERVICE_BINDING_ROOT_ENV_VAR);
+        if (serviceBindingRoot == null) {
+            return null;
+        }
+
+        // we expect the keys to be in the format $SERVICE_BINDING_ROOT/<binding-name>/<key>
+        String[] parts = key.split("\\.");
+        if (parts.length != 2) {
+            return null;
+        }
+
+        Path path = Paths.get(serviceBindingRoot, parts[0], parts[1]);
+        try {
+            if (classLoader instanceof PermissionCheck) {
+                Permission p = new FilePermission(path.toString(), "read");
+                if (!((PermissionCheck) classLoader).check(p)) {
+                    return null;
+                }
+            }
+            return new String(Files.readAllBytes(path));
+        } catch (IOException e) {
+            return null;
+        }
+    }
+}
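Review bot: `new String(Files.readAllBytes(path))` at the end of `getProperty(String, ClassLoader)` decodes the binding file with the JVM's default charset, so the same bound value can resolve differently from one deployment to the next; `return new String(Files.readAllBytes(path), StandardCharsets.UTF_8);` with an added `import java.nio.charset.StandardCharsets;` pins the encoding. The file content is returned unmodified, so a binding value written with a trailing newline would carry that newline into the configuration attribute (a password, for instance), which should either be stripped or stated in the Javadoc. `Paths.get(serviceBindingRoot, parts[0], parts[1])` sits outside the `try`, and the `InvalidPathException` it raises for a key containing characters that are illegal in a path is unchecked, so it would propagate instead of returning `null` like every other failure path; moving that line inside the `try` and catching `IOException | InvalidPathException` keeps the behaviour uniform. The class Javadoc example binds `certificateKeyFile`, `certificateFile` and `certificateChainFile`, yet the resolved value is the content of the binding file, so the example should say that those files hold paths rather than the key material itself.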
diff --git a/webapps/docs/config/systemprops.xml b/webapps/docs/config/systemprops.xml
index 690463ce69..bdb77bc721 100644
--- a/webapps/docs/config/systemprops.xml
+++ b/webapps/docs/config/systemprops.xml
@@ -51,13 +51,16 @@
       <p>Property replacement from the specified property source on the JVM
          system properties can also be done using the
          <code>REPLACE_SYSTEM_PROPERTIES</code> system property.</p>
+      <p><code>org.apache.tomcat.util.digester.ServiceBindingPropertySource</code>
+        can be used to replace parameters from any Kubernetes service bindings
+        that follows the <a href="https://servicebinding.io/">servicebinding.io</a> spec</p>
       <p><code>org.apache.tomcat.util.digester.EnvironmentPropertySource</code>
          can be used to replace parameters from the process' environment
          variables, e.g. injected ConfigMaps or Secret objects in container
          based systems like OpenShift or Kubernetes.</p>
       <p><code>org.apache.tomcat.util.digester.SystemPropertySource</code>
          does replacement with system properties. It is always enabled,
-         but can also be spefied as part of the property value.</p>
+         but can also be specified as part of the property value.</p>
     </property>
     <property name="org.apache.tomcat.util.digester. REPLACE_SYSTEM_PROPERTIES">
       <p>Set this boolean system property to <code>true</code> to cause

