Merge 116145431-client-certificate to master

nebhale · nebhale · commit e1a3cd0fbbff · 2016-03-24T13:49:54.000-07:00
[Completes #116145431]
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -11,7 +11,7 @@ AllCops:
 Metrics/AbcSize:
  Max: 22
 Metrics/ClassLength:
-  Max: 200
+  Max: 250
 Metrics/CyclomaticComplexity:
   Max: 10
 Metrics/LineLength:
diff --git a/config/cache.yml b/config/cache.yml
@@ -16,3 +16,7 @@
 # Download cache configuration
 ---
 remote_downloads: enabled
+client_authentication:
+  certificate_location:
+  private_key_location:
+  private_key_password:
diff --git a/docs/extending-caches.md b/docs/extending-caches.md
@@ -46,6 +46,9 @@ Caching can be configured by modifying the [`config/cache.yml`][] file in the bu
 | Name | Description
 | ---- | -----------
 | `remote_downloads` | This property can take the value `enabled` or `disabled`. <p>The default value of `enabled` means that the buildpack will check the internet connection and remember the result for the remainder of the buildpack invocation. If the internet is available, it will then be used to download files. If the internet is not available, cache will be consulted instead. <p>Alternatively, the property may be set to `disabled` which avoids the check for an internet connection, does not attempt downloads, and consults the cache instead.
+| `client_authentication.certificate_location` | The path to a PEM or DER encoded certificate to use for SSL client certificate authentication
+| `client_authentication.private_key_location` | The path to a PEM or DER encoded DSA or RSA private key to use for SSL client certificate authentication
+| `client_authentication.private_key_password` | The password for the private key to use for SSL client certificate authentication
 
 ## `JavaBuildpack::Util::Cache::DownloadCache`
 The [`DownloadCache`][] is the most generic of the two caches.  It allows you to create a cache that persists files any that write access is available.  The constructor signature looks the following:
diff --git a/lib/java_buildpack/util/cache/download_cache.rb b/lib/java_buildpack/util/cache/download_cache.rb
@@ -19,9 +19,11 @@
 require 'java_buildpack/util/cache/cached_file'
 require 'java_buildpack/util/cache/inferred_network_failure'
 require 'java_buildpack/util/cache/internet_availability'
+require 'java_buildpack/util/configuration_utils'
 require 'java_buildpack/util/sanitizer'
 require 'monitor'
 require 'net/http'
+require 'openssl'
 require 'pathname'
 require 'tmpdir'
 require 'uri'
@@ -136,13 +138,19 @@ def attempt(http, request, cached_file)
             elsif redirect?(response)
               downloaded = update URI(response['Location']), cached_file
             else
-              fail InferredNetworkFailure, "Bad response: #{response}"
+              fail InferredNetworkFailure, "#{response.code} #{response.message}\n#{response.body}"
             end
           end
 
           downloaded
         end
 
+        def ca_file(http_options)
+          return unless CA_FILE.exist?
+          http_options[:ca_file] = CA_FILE.to_s
+          @logger.debug { "Adding additional CA certificates from #{CA_FILE}" }
+        end
+
         def cache_content(response, cached_file)
           compressed = compressed?(response)
 
@@ -185,6 +193,22 @@ def cache_last_modified(response, cached_file)
           end
         end
 
+        def client_authentication(http_options)
+          client_authentication = JavaBuildpack::Util::ConfigurationUtils.load('cache')['client_authentication']
+
+          certificate_location = client_authentication['certificate_location']
+          File.open(certificate_location) do |f|
+            http_options[:cert] = OpenSSL::X509::Certificate.new f.read
+            @logger.debug { "Adding client certificate from #{certificate_location}" }
+          end if certificate_location
+
+          private_key_location = client_authentication['private_key_location']
+          File.open(private_key_location) do |f|
+            http_options[:key] = OpenSSL::PKey.read f.read, client_authentication['private_key_password']
+            @logger.debug { "Adding private key from #{private_key_location}" }
+          end if private_key_location
+        end
+
         def compressed?(response)
           %w(br compress deflate gzip x-gzip).include?(response['Content-Encoding'])
         end
@@ -230,10 +254,8 @@ def http_options(rich_uri)
             http_options[:use_ssl] = true
             @logger.debug { 'Adding HTTP options for secure connection' }
 
-            if CA_FILE.exist?
-              http_options[:ca_file] = CA_FILE.to_s
-              @logger.debug { "Adding additional certs from #{CA_FILE}" }
-            end
+            ca_file http_options
+            client_authentication http_options
           end
 
           http_options
@@ -294,7 +316,7 @@ def attempt_update(cached_file, http, uri)
               InternetAvailability.instance.available false, "Request failed: #{e.message}"
               raise e
             else
-              @logger.warn { "Request failure #{failures}, retrying: #{e.message}" }
+              @logger.warn { "Request failure #{failures}, retrying.  Failure: #{e.message}" }
               retry
             end
           end
