First round for the Approov demo with Java Spring.

Signed-off-by: Paulo Silva <paulos@criticalblue.com>

Author: Exadra37

.env.example

@@ -0,0 +1,13 @@
+############
+# APPROOV
+############
+
+APPROOV_CLAIM_HEADER_NAME=Authorization
+
+# Feel free to play with different secrets. For development only you can create them with:
+# $ openssl rand -base64 64 | tr -d '\n'; echo
+APPROOV_BASE64_SECRET=h+CX0tOzdAAR9l15bWAqvq7w9olk66daIH+Xk+IAHhVVHszjDzeGobzNnqyRze3lw/WVyWrc2gZfh3XXfBOmww==
+
+APPROOV_ABORT_REQUEST_ON_INVALID_TOKEN=true
+APPROOV_ABORT_REQUEST_ON_INVALID_CUSTOM_PAYLOAD_CLAIM=true
+APPROOV_LOGGING_ENABLED=true

.gitignore

@@ -0,0 +1,33 @@
+HELP.md
+.gradle
+/build/
+!gradle/wrapper/gradle-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
+
+.local/
+.env

bin/generate-token

@@ -0,0 +1,92 @@
+#!/usr/bin/env python3
+
+"""
+GENERATE APPROOV TOKEN CLI
+
+To be used only to generate Approov tokens for testing purposes during development.
+
+Usage:
+ generate-token
+ generate-token [--expire EXPIRE] [--claim CLAIM] [--claim-example] [--secret SECRET]
+
+Options:
+ --expire EXPIRE The Approov token expire time in minutes [default: 5].
+ --claim CLAIM The base64 encode sha256 hash of the custom payload claim for the Approov token.
+ --claim-example Same as --claim but using an hard-coded claim example.
+ --secret SECRET The base64 encoded secret to sign the Approov token for test purposes.
+ -h --help Show this screen.
+ -v --version Show version.
+
+"""
+
+# Standard Libraries
+from os import getenv
+from sys import exit
+from time import time
+from hashlib import sha256
+from base64 import b64decode, b64encode
+
+# Third-Party Libraries
+from jwt import encode
+from docopt import docopt
+
+# to base64 encode the custom payload claim hash: http://tomeko.net/online_tools/hex_to_base64.php
+REQUEST_CLAIM_RAW_VALUE_EXAMPLE = 'claim-value-to-be-sha256-hashed-and-base64-encoded'
+
+def _generateSha256HashBase64Encoded(value):
+ value_hash = sha256(value.encode('utf-8')).digest()
+ return b64encode(value_hash).decode('utf-8')
+
+def generateToken(approov_base64_secret, token_expire_in_minutes, request_claim_raw_value):
+ """Generates a token with a 5 minutes lifetime. Optionally we can set also a custom payload claim."""
+
+ approov_base64_secret = approov_base64_secret.strip()
+
+ if not approov_base64_secret:
+ raise ValueError('Approov base64 encoded secret is missing.')
+
+ if not token_expire_in_minutes:
+ token_expire_in_minutes = 5
+
+ payload = {
+ 'exp': time() + (60 * token_expire_in_minutes), # required - the timestamp for when the token expires.
+ }
+
+ if request_claim_raw_value:
+ payload['pay'] = _generateSha256HashBase64Encoded(request_claim_raw_value)
+
+ return encode(payload, b64decode(approov_base64_secret), algorithm='HS256').decode()
+
+def main():
+
+ arguments = docopt(__doc__, version='GENERATE APPROOV TOKEN CLI - 1.0')
+
+ request_claim_raw_value = None
+ token_expire_in_minutes = int(arguments['--expire'])
+ approov_base64_secret = getenv("APPROOV_BASE64_SECRET")
+
+ if arguments['--claim']:
+ request_claim_raw_value = arguments['--claim']
+
+ if not request_claim_raw_value and arguments['--claim-example'] is True:
+ request_claim_raw_value = REQUEST_CLAIM_RAW_VALUE_EXAMPLE
+
+ if arguments['--secret']:
+ approov_base64_secret = arguments['--secret']
+
+ if not approov_base64_secret:
+ raise ValueError('--secret was provided as an empty string in the CLI or in the .env file.')
+
+ token = generateToken(approov_base64_secret, token_expire_in_minutes, request_claim_raw_value)
+
+ print('Token:\n', token)
+
+ return token
+
+if __name__ == '__main__':
+ try:
+ main()
+ exit(0)
+ except Exception as error:
+ print(error)
+ exit(1)

build.gradle

@@ -0,0 +1,35 @@
+plugins {
+id 'org.springframework.boot' version '2.1.3.RELEASE'
+id 'java'
+}
+
+apply plugin: 'io.spring.dependency-management'
+
+group = 'com.criticalblue'
+version = '0.0.1-SNAPSHOT'
+sourceCompatibility = '1.8'
+
+repositories {
+mavenCentral()
+}
+
+dependencies {
+implementation 'org.springframework.boot:spring-boot-starter-integration'
+implementation 'org.springframework.boot:spring-boot-starter-security'
+implementation 'org.springframework.boot:spring-boot-starter-web'
+implementation 'org.springframework.security:spring-security-core'
+implementation 'org.springframework.security:spring-security-web'
+implementation 'org.springframework.security:spring-security-config'
+
+implementation 'io.jsonwebtoken:jjwt-api:0.10.5'
+runtime 'io.jsonwebtoken:jjwt-impl:0.10.5',
+'io.jsonwebtoken:jjwt-jackson:0.10.5'
+
+compileOnly 'org.jetbrains:annotations:17.0.0'
+
+compileOnly 'javax.servlet:servlet-api:2.5'
+
+runtimeOnly 'org.springframework.boot:spring-boot-devtools'
+testImplementation 'org.springframework.boot:spring-boot-starter-test'
+testImplementation 'org.springframework.security:spring-security-test'
+}

docker/Dockerfile

@@ -0,0 +1,95 @@
+FROM openjdk:11.0.3-slim
+
+ARG CONTAINER_USER="java"
+ARG CONTAINER_UID="1000"
+ARG ZSH_THEME="robbyrussell"
+ARG GRADLE_VERSION=5.2.1
+
+
+# Will not prompt for questions
+ENV DEBIAN_FRONTEND=noninteractive \
+ CONTAINER_USER="${CONTAINER_USER}" \
+ CONTAINER_UID="${CONTAINER_UID}" \
+ ROOT_CA_DIR=/root-ca/ \
+ ROOT_CA_KEY="self-signed-root-ca.key" \
+ ROOT_CA_PEM="self-signed-root-ca.pem" \
+ ROOT_CA_NAME="ApproovStackRootCA" \
+ PROXY_CA_FILENAME="FirewallProxyCA.crt" \
+ PROXY_CA_PEM="certificates/FirewallProxyCA.crt" \
+ PROXY_CA_NAME="FirewallProxy" \
+ NO_AT_BRIDGE=1 \
+ DISPLAY=":0" \
+ GRADLE_HOME=/opt/gradle/gradle-"${GRADLE_VERSION}" \
+ PATH=/opt/gradle/gradle-"${GRADLE_VERSION}"/bin:${PATH}
+
+COPY ./setup ${ROOT_CA_DIR}
+
+RUN apt update && \
+ apt -y upgrade && \
+
+ # Install Required Dependencies
+ apt -y install \
+ python3 \
+ python3-pip \
+ locales \
+ tzdata \
+ ca-certificates \
+ inotify-tools \
+ libnss3-tools \
+ zip \
+ zsh \
+ curl \
+ git \
+ default-jdk \
+ maven && \
+
+
+
+ # Force installation of missing dependencies
+ apt -y -f install && \
+
+ #https://github.com/guard/listen/wiki/Increasing-the-amount-of-inotify-watchers
+ printf "fs.inotify.max_user_watches=524288\n" >> /etc/sysctl.conf && \
+
+ echo "en_GB.UTF-8 UTF-8" > /etc/locale.gen && \
+ locale-gen en_GB.UTF-8 && \
+ dpkg-reconfigure locales && \
+
+ useradd -m -u ${CONTAINER_UID} -s /usr/bin/zsh ${CONTAINER_USER} && \
+
+ cd ${ROOT_CA_DIR} && \
+ ./setup-root-certificate.sh "${ROOT_CA_KEY}" "${ROOT_CA_PEM}" "${ROOT_CA_NAME}" && \
+ ./add-proxy-certificate.sh "${PROXY_CA_PEM}" && \
+
+ curl -o gradle.zip -fsSL https://services.gradle.org/distributions/gradle-"${GRADLE_VERSION}"-bin.zip && \
+ unzip -d /opt/gradle gradle.zip && \
+ rm -f gradle.zip && \
+ gradle --version && \
+
+ # Install Oh My Zsh for Root and Node user
+ bash -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)" && \
+ chsh -s /usr/bin/zsh && \
+ cp -R /root/.oh-my-zsh /home/"${CONTAINER_USER}" && \
+ cp /root/.zsh* /home/"${CONTAINER_USER}" && \
+ sed -i "s/\/root/\/home\/${CONTAINER_USER}/g" /home/"${CONTAINER_USER}"/.zshrc && \
+ chown -R "${CONTAINER_USER}":"${CONTAINER_USER}" /home/"${CONTAINER_USER}" && \
+
+ # cleaning
+ rm -rvf /var/lib/apt/lists/*
+
+ENV LANG=en_GB.UTF-8 \
+ LANGUAGE=en_GB:en \
+ LC_ALL=en_GB.UTF-8
+
+USER ${CONTAINER_USER}
+
+RUN pip3 install \
+ pyjwt \
+ docopt
+
+# pip install will put the executables under ~/.local/bin
+ENV PATH=/home/"${CONTAINER_USER}"/.local/bin:$PATH
+
+WORKDIR /home/${CONTAINER_USER}/workspace
+
+CMD ["zsh"]

docker/setup/adb-setup-certificate.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# https://stackoverflow.com/a/48814971/6454622
+
+set -eu
+
+CA_PEM=${1?Missing certificate file name}
+
+cert_name=$(openssl x509 -inform PEM -subject_hash_old -in ${CA_PEM} | head -1)
+cat ${CA_PEM} > $cert_name
+openssl x509 -inform PEM -text -in ${CA_PEM} -out nul >> $cert_name
+
+adb shell mount -o rw,remount,rw /system
+adb push $cert_name /system/etc/security/cacerts/
+adb shell mount -o ro,remount,ro /system

docker/setup/add-certificate-to-browser.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -eu
+
+###
+# https://thomas-leister.de/en/how-to-import-ca-root-certificate/
+###
+
+
+### Script installs root.cert.pem to certificate trust store of applications using NSS
+### (e.g. Firefox, Thunderbird, Chromium)
+### Mozilla uses cert8, Chromium and Chrome use cert9
+
+###
+### Requirement: apt install libnss3-tools
+###
+
+CA_PEM="${1?Missing file path for the PEM certificate}"
+CA_NAME="${2?Missing Certificate Name}"
+BROWSER_CONFIG_DIR="${3:-/home/node}"
+
+printf "\n>>> ADDING CERTIFICATE TO BROWSERS TRUSTED STORE <<<\n"
+
+if [ -f "${CA_PEM}" ]
+ then
+ printf "\n--> CERTIFICATE FILE: ${CA_PEM}\n"
+ printf "\n--> CERTIFICATE NAME: ${CA_NAME}\n"
+ printf "\n--> BROWSER CONFIG DIR: ${BROWSER_CONFIG_DIR}\n"
+
+ ###
+ ### For cert8 (legacy - DBM)
+ ###
+ for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert8.db")
+ do
+ certdir=$(dirname ${certDB});
+ certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d dbm:${certdir}
+ done
+
+ ###
+ ### For cert9 (SQL)
+ ###
+ for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert9.db")
+ do
+ certdir=$(dirname ${certDB});
+ certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d sql:${certdir}
+ done
+ else
+ printf "\n>>> CERTIFICATE FILE NOT FOUND FOR: ${CA_PEM}\n"
+fi

docker/setup/add-certificate-to-node-server.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -eu
+
+CA_PEM_FILE="${1?Missing name for certificate file}"
+CA_EXTENSION="${CA_PEM_FILE##*.}"
+
+if [ "${CA_EXTENSION}" != "pem" ]
+ then
+ printf "\nFATAL ERROR: Certificate must use .pem extension\n\n"
+ exit 1
+fi
+
+if [ -f "${CA_PEM_FILE}" ]
+ then
+ printf "\n>>> ADDING A CERTIFICATE TO NODE SERVER <<<\n"
+
+ # Add certificate to node, so that we can use npm install
+ printf "cafile=${CA_PEM_FILE}" >> /root/.npmrc
+ printf "cafile=${CA_PEM_FILE}" >> /home/${CONTAINER_USER}/.npmrc;
+
+ printf "\n >>> CERTICATE ADDED SUCCESEFULY<<<\n"
+
+ else
+ printf "\n >>> NO CERTIFICATE TO ADD <<<\n"
+fi
+

docker/setup/add-proxy-certificate.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eu
+
+PROXY_CA_PEM="${1?Missing name for Proxy CRT file}"
+
+if [ -f "${PROXY_CA_PEM}" ]
+ then
+ printf "\n>>> ADDING A PROXY CERTIFICATE TO THE TRUSTED STORE <<<\n"
+
+ # add certificate tpo the trust store
+ cp -v ${PROXY_CA_PEM} /usr/local/share/ca-certificates
+ update-ca-certificates
+
+ # verifies the certificate
+ openssl x509 -in ${PROXY_CA_PEM} -text -noout > "${PROXY_CA_PEM}.txt"
+
+ else
+ printf "\n >>> FATAL ERROR: Certificate not found in path ${PROXY_CA_PEM} <<<\n"
+fi

docker/setup/certificates/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore