Feature/repo 5358 merge 6213 (#26)

REPO-5361/REPO-5358 Merge latest changes (6.2.1.3) / Deployment modules should extend each other

In order to support the external deployment of the default keystore (MNT-21731/SEARCH-1915),
it was removed from alfresco-repository.jar and had be placed in deployment module of acs-packaging.
To support this in the new project structure, this commit moves the keystore back to
alfresco-community-repo's deployment module and has alfresco-enterprise-repo and acs-packaging
extend it in their own deployment modules. This also avoids duplication of licenses between projects.

repository/src/main/resources/alfresco/encryption-context.xml

@@ -15,10 +15,12 @@
     </bean>
     
     <bean id="keyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
+       <property name="id" value="metadata-keystore"/>
        <property name="name" value="Key Store"/>
        <property name="location" value="${encryption.keystore.location}"/>
        <property name="provider" value="${encryption.keystore.provider}"/>
        <property name="type"     value="${encryption.keystore.type}"/>
+       <!-- This property is left for backwards compatibility -->
        <property name="keyMetaDataFileLocation" value="${encryption.keystore.keyMetaData.location}"/>
     </bean>
 
@@ -30,18 +32,22 @@
 
     <!-- TODO i18n for key store names -->
     <bean id="sslKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
+        <property name="id" value="ssl-keystore"/>
         <property name="name" value="SSL Key Store"/>
         <property name="location" value="${encryption.ssl.keystore.location}"/>
         <property name="type" value="${encryption.ssl.keystore.type}"/>
         <property name="provider" value="${encryption.ssl.keystore.provider}"/>
+        <!-- This property is left for backwards compatibility -->
         <property name="keyMetaDataFileLocation" value="${encryption.ssl.keystore.keyMetaData.location}"/>
     </bean>
 
     <bean id="sslTrustStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
+        <property name="id" value="ssl-truststore"/>
         <property name="name" value="SSL Trust Store"/>
         <property name="location" value="${encryption.ssl.truststore.location}"/>
         <property name="type" value="${encryption.ssl.truststore.type}"/>
         <property name="provider" value="${encryption.ssl.truststore.provider}"/>
+        <!-- This property is left for backwards compatibility -->
         <property name="keyMetaDataFileLocation" value="${encryption.ssl.truststore.keyMetaData.location}"/>
     </bean>
 
@@ -71,10 +77,12 @@
     </bean>
     
     <bean id="backupKeyStoreParameters" class="org.alfresco.encryption.KeyStoreParameters" init-method="init">
+       <property name="id" value="metadata-backup-keystore"/>
        <property name="name" value="Backup Key Store"/>
        <property name="location" value="${encryption.keystore.backup.location}"/>
        <property name="provider" value="${encryption.keystore.backup.provider}"/>
        <property name="type"     value="${encryption.keystore.backup.type}"/>
+       <!-- This property is left for backwards compatibility -->
        <property name="keyMetaDataFileLocation" value="${encryption.keystore.backup.keyMetaData.location}"/>
     </bean>
     

repository/src/main/resources/alfresco/keystore/keystore-passwords.properties

@@ -1,7 +0,0 @@
-aliases=metadata
-# The password protecting the keystore entries
-keystore.password=mp6yc0UD9e
-# The password protecting the alias: metadata
-metadata.keyData=
-metadata.algorithm=DESede
-metadata.password=oKIWzVdEdA

repository/src/main/resources/alfresco/repository.properties

@@ -816,20 +816,22 @@ dir.keystore=classpath:alfresco/keystore
 
 # general encryption parameters
 encryption.keySpec.class=org.alfresco.encryption.DESEDEKeyGenerator
-encryption.keyAlgorithm=DESede
-encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
+encryption.keyAlgorithm=AES
+encryption.cipherAlgorithm=AES/CBC/PKCS5Padding
 
 # secret key keystore configuration
 encryption.keystore.location=${dir.keystore}/keystore
-encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
+# configuration via metadata is deprecated
+encryption.keystore.keyMetaData.location=
 encryption.keystore.provider=
-encryption.keystore.type=JCEKS
+encryption.keystore.type=pkcs12
 
 # backup secret key keystore configuration
 encryption.keystore.backup.location=${dir.keystore}/backup-keystore
-encryption.keystore.backup.keyMetaData.location=${dir.keystore}/backup-keystore-passwords.properties
+# configuration via metadata is deprecated
+encryption.keystore.backup.keyMetaData.location=
 encryption.keystore.backup.provider=
-encryption.keystore.backup.type=JCEKS
+encryption.keystore.backup.type=pkcs12
 
 # Should encryptable properties be re-encrypted with new encryption keys on botstrap?
 encryption.bootstrap.reencrypt=false
@@ -842,11 +844,13 @@ encryption.mac.algorithm=HmacSHA1
 encryption.ssl.keystore.location=${dir.keystore}/ssl.keystore
 encryption.ssl.keystore.provider=
 encryption.ssl.keystore.type=JCEKS
-encryption.ssl.keystore.keyMetaData.location=${dir.keystore}/ssl-keystore-passwords.properties
+# configuration via metadata is deprecated
+encryption.ssl.keystore.keyMetaData.location=
 encryption.ssl.truststore.location=${dir.keystore}/ssl.truststore
 encryption.ssl.truststore.provider=
 encryption.ssl.truststore.type=JCEKS
-encryption.ssl.truststore.keyMetaData.location=${dir.keystore}/ssl-truststore-passwords.properties
+# configuration via metadata is deprecated
+encryption.ssl.truststore.keyMetaData.location=
 
 # Re-encryptor properties
 encryption.reencryptor.chunkSize=100

repository/src/test/java/org/alfresco/AppContext02TestSuite.java

@@ -65,6 +65,9 @@ import org.junit.runners.Suite;
     org.alfresco.repo.content.filestore.ReadOnlyFileContentStoreTest.class,
     org.alfresco.repo.content.RoutingContentStoreTest.class,
 
+    org.alfresco.encryption.EncryptionTests.class,
+    org.alfresco.encryption.KeyStoreTests.class
+
     // TODO REPO-2791 org.alfresco.repo.content.routing.StoreSelectorAspectContentStoreTest.class,
 })
 public class AppContext02TestSuite

repository/src/test/java/org/alfresco/encryption/EncryptionTests.java

@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.encryption;
 
 import java.io.Serializable;
@@ -270,28 +270,6 @@ public class EncryptionTests extends TestCase
 			mainEncryptor.setKeyProvider(mainKeyProvider);
 		}
 	}
-	
-	public void testBootstrapReEncrypt()
-	{
-		try
-		{
-			// ensure that the backup key store is not available
-			backupKeyStoreParameters.setLocation("");
-			//backupKeyStore.reload();
-			mainKeyStore.reload();
-
-			reEncryptor.bootstrapReEncrypt();
-			fail("Should have caught missing backup key store");
-		}
-		catch(MissingKeyException e)
-		{
-			System.out.println("Successfully caught missing key exception");
-		}
-		catch(InvalidKeystoreException e)
-		{
-			fail("Unexpected exception: " + e.getMessage());
-		}
-	}
 
 	protected void testChangeKeysImpl(boolean cacheCiphers) throws Throwable
 	{

repository/src/test/java/org/alfresco/encryption/KeyStoreTests.java

@@ -1,28 +1,28 @@
-/*
- * #%L
- * Alfresco Repository
- * %%
- * Copyright (C) 2005 - 2016 Alfresco Software Limited
- * %%
- * This file is part of the Alfresco software. 
- * If the software was purchased under a paid Alfresco license, the terms of 
- * the paid license agreement will prevail.  Otherwise, the software is 
- * provided under the following open source license terms:
- * 
- * Alfresco is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Lesser General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- * 
- * Alfresco is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Lesser General Public License for more details.
- * 
- * You should have received a copy of the GNU Lesser General Public License
- * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
- * #L%
- */
+/*
+ * #%L
+ * Alfresco Repository
+ * %%
+ * Copyright (C) 2005 - 2016 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
 package org.alfresco.encryption;
 
 import static org.junit.Assert.assertTrue;
@@ -37,6 +37,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -212,7 +213,7 @@ public class KeyStoreTests
 
 		TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
 				Collections.singletonMap(KeyProvider.ALIAS_METADATA, generateEncodedKey()), generateKeystoreName(), generateKeystoreName());
-
+        missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
 		encryptionKeysRegistry.unregisterKey(KeyProvider.ALIAS_METADATA);
 		keyStoreChecker.setMainKeyStore(missingMainKeyStore);
 
@@ -240,7 +241,7 @@ public class KeyStoreTests
 		// missing main keystore, missing backup keystore, metadata registered key -> error, re-instate the keystore
 		TestAlfrescoKeyStore missingMainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
 				null, generateKeystoreName(), generateKeystoreName());
-		
+        missingMainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
 		assertTrue("", encryptionKeysRegistry.isKeyRegistered("metadata"));
 
 		keyStoreChecker.setMainKeyStore(missingMainKeyStore);
@@ -268,6 +269,7 @@ public class KeyStoreTests
 		// create main keystore
 		TestAlfrescoKeyStore mainKeyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
 				null, generateKeystoreName(), generateKeystoreName());
+        mainKeyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
 		createAndPopulateKeyStore(mainKeyStore);
 
 		// de-register metadata key
@@ -303,6 +305,7 @@ public class KeyStoreTests
 
 		TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
 				null, generateKeystoreName(), generateKeystoreName());
+		keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
 		createAndPopulateKeyStore(keyStore);
 
 		keyStoreChecker.setMainKeyStore(keyStore);
@@ -358,6 +361,7 @@ public class KeyStoreTests
 
 		TestAlfrescoKeyStore keyStore = getKeyStore("main", "JCEKS", Collections.singletonMap(KeyProvider.ALIAS_METADATA, "metadata"),
 				null, generateKeystoreName(), generateKeystoreName());
+        keyStore.setKeysToValidate(new HashSet<>(Collections.singletonList("metadata")));
 		createAndPopulateKeyStore(keyStore);
 
 		try

repository/src/test/resources/alfresco-global.properties

@@ -52,9 +52,16 @@ mimetype.config.cronExpression=0 0 0 ? JAN * 1970
 rendition.config.cronExpression=0 0 0 ? JAN * 1970
 local.transform.service.cronExpression=0 0 0 ? JAN * 1970
 transform.service.cronExpression=0 0 0 ? JAN * 1970
-
+        
 system.delete_not_exists.batchsize=100000
 system.delete_not_exists.delete_batchsize=1000
 system.delete_not_exists.read_only=false
 system.delete_not_exists.timeout_seconds=-1
 system.prop_table_cleaner.algorithm=V2
+
+# For testing only
+encryption.keystore.keyMetaData.location=${dir.keystore}/keystore-passwords.properties
+encryption.keyAlgorithm=DESede
+encryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
+encryption.keystore.type=JCEKS
+encryption.keystore.backup.type=JCEKS