Merge pull request #72 from davco01a/latest

Health check and liveliness probe, and pen testing
kabanero-io · Oct 11, 2019 · 4c19c10 · 4c19c10
2 parents aa4fb11 + 600e7e2
commit 4c19c10
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,13 +10,27 @@ LABEL vendor="Kabanero" \
 COPY LICENSE /licenses/ 
 
 #FROM open-liberty:webProfile7-java8-openj9
-COPY --chown=1001:0 /target/kabanero-cli-service-1.0-SNAPSHOT.war /config/dropins
+COPY --chown=1001:0 /target/kabanero-cli-service-1.0-SNAPSHOT.war /config/apps
 COPY --chown=1001:0 /src/main/liberty/config/cacerts /config/resources/security/cacerts
 COPY --chown=1001:0 /src/main/liberty/config/keystore.xml /config/configDropins/defaults
 COPY --chown=1001:0 /target/liberty/wlp/usr/servers/defaultServer/server.xml /config
+COPY --chown=1001:0 /src/main/liberty/config/jvm.options /config
+
 RUN mkdir -p /opt/ol/wlp/output/defaultServer/resources/security
 RUN chown -R 1001:0 /opt/ol/wlp/output/defaultServer/resources/security
 RUN chmod -R g+rw /opt/ol/wlp/output/defaultServer/resources/security
-COPY /src/main/liberty/config/cacerts /opt/ol/wlp/output/defaultServer/resources/security/cacerts
-COPY /target/liberty/wlp/usr/servers/defaultServer/server.xml /opt/ol/wlp/output/defaultServer/server.xml
+RUN chmod 444 /config/server.xml
+RUN chmod 444 /config/server.env
+RUN chmod 444 /config/jvm.options
+RUN chmod 444 /config/resources/security/cacerts
+RUN chmod 444 /config/configDropins/defaults/keystore.xml
+RUN rm /config/configDropins/defaults/open-default-port.xml
+
+#COPY /src/main/liberty/config/cacerts /opt/ol/wlp/output/defaultServer/resources/security/cacerts
+#COPY /target/liberty/wlp/usr/servers/defaultServer/server.xml /opt/ol/wlp/output/defaultServer/server.xml
+#COPY --chown=1001:0 /src/main/liberty/config/jvm.options /opt/ol/wlp/output/defaultServer
+#RUN chmod 444 /opt/ol/wlp/output/defaultServer/server.xml
+#RUN chmod 444 /opt/ol/wlp/output/defaultServer/jvm.options
+#RUN chmod 444 /opt/ol/wlp/output/defaultServer/resources/security/cacerts
+
 
diff --git a/src/main/java/application/HealthEndpoint.java b/src/main/java/application/HealthEndpoint.java
@@ -3,7 +3,6 @@
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
-import javax.ws.rs.core.Application;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 

diff --git a/src/main/java/application/rest/CollectionsUtils.java b/src/main/java/application/rest/CollectionsUtils.java
@@ -27,6 +27,8 @@
 import io.kubernetes.client.ApiClient;
 
 public class CollectionsUtils {
+
+ public static boolean readGitSuccess=true;
 
  private static Map readYaml(String response) {
  Yaml yaml = new Yaml();
@@ -56,8 +58,11 @@ private static String getFromGit(String url, String user, String pw) {
  ;
  try {
  response = client.execute(request);
+ readGitSuccess=true;
  } catch (IOException e) {
  e.printStackTrace();
+ readGitSuccess=false;
+ throw new RuntimeException("Exception connecting or executing REST command to Git url: "+url,e);
  }
 
  System.out.println("Response Code : " + response.getStatusLine().getStatusCode());

diff --git a/src/main/java/application/rest/Liveliness.java b/src/main/java/application/rest/Liveliness.java
@@ -0,0 +1,53 @@
+package application.rest;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import com.ibm.json.java.JSONArray;
+import com.ibm.json.java.JSONObject;
+
+import application.rest.CollectionsUtils;
+import kabasec.HttpUtils;
+
+@Path("/v1")
+public class Liveliness {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @Path("/liveliness")
+ public Response liveliness() {
+ boolean healthy = true;
+ if (CollectionsUtils.readGitSuccess && HttpUtils.accessGitSuccess) {
+ healthy = true;
+ } else {
+ healthy = false;
+ }
+
+ JSONObject msg = new JSONObject();
+
+ JSONArray checks = new JSONArray();
+ JSONObject jo = new JSONObject();
+ JSONObject jo1 = new JSONObject();
+
+ jo1.put("readGitSuccess",CollectionsUtils.readGitSuccess);
+ jo1.put("accessGitSuccess",HttpUtils.accessGitSuccess);
+ jo.put("GIT", jo1);
+
+ checks.add(jo);
+
+ msg.put("checks", checks);
+
+ if (!healthy) {
+ msg.put("status", "DOWN");
+ return Response.status(503).entity(msg).build();
+ } else {
+ msg.put("status", "UP");
+ return Response.ok(msg).build();
+ }
+
+ }
+
+}
diff --git a/src/main/liberty/config/jvm.options b/src/main/liberty/config/jvm.options
@@ -1 +1,4 @@
--javaagent:resources/javametrics-agent.jar
+#-javaagent:resources/javametrics-agent.jar
+#-Dcom.ibm.jsse2.sp800-131=strict
+-Djdk.tls.client.protocols=TLSv1.2
+-Dhttps.protocols=TLSv1.2
diff --git a/src/main/liberty/config/server.xml b/src/main/liberty/config/server.xml
@@ -11,7 +11,21 @@
  <feature>json-1.0</feature>
  </featureManager>
  -->
- <httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint" host="*" />
+ <httpEndpoint httpPort="-1" httpsPort="9443" id="defaultHttpEndpoint" host="*" />
+
+ <webAppSecurity ssoRequiresSSL="true" httpOnlyCookies="true" /> 
+
+ <httpSession cookieHttpOnly="true" allowOverflow="false" maxInMemorySessionCount="1000" alwaysEncodeUrl="true" cookieSecure="true" />
+
+ <applicationMonitor updateTrigger="mbean" dropinsEnabled="false" />
+
+ <httpDispatcher enableWelcomePage="false" />
+
+ <httpOptions removeServerHeader="true" />
+
+ <webContainer disableXPoweredBy="true" />
+
+ <config updateTrigger="mbean"/>
 
 
  <!-- The issuer specified here must match the issuer configured in the jwtBuilder -->
@@ -30,7 +44,7 @@
  <sslDefault sslRef="kabSSLConfig"/>
  <ssl id="kabSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="validationKeystore"/>
  <keyStore id="defaultKeyStore" />
- <keyStore id="validationKeystore" location="${server.config.dir}/resources/security/cacerts" type="jks" password="changeit"/>
+ <keyStore id="validationKeystore" location="${server.config.dir}/resources/security/cacerts" type="jks" />
 
  <!-- this will be the issuer of the jwts -->
  <variable name="jwt.issuer" defaultValue="https://kabasec.com" />
@@ -44,6 +58,7 @@
 
  <applicationMonitor pollingRate="1000ms"/>
 
+ <webApplication id="kabanero-cli-service" location="kabanero-cli-service-1.0-SNAPSHOT.war" name="kabanero-cli-service"/>
 
 
-</server>
+</server>
diff --git a/src/main/webapp/WEB-INF/ibm-web-ext.xml b/src/main/webapp/WEB-INF/ibm-web-ext.xml
@@ -5,4 +5,5 @@
  xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-ext_1_0.xsd"
  version="1.0">
  <context-root uri="/"/>
+ <enable-directory-browsing value="false"/> 
 </web-ext>