RIPE NCC has merged fb9346a

* Remove rsync repository write check from health check [2def4f13]
* Allow config path to be overridden [6767cef0]
* Naming [c887eeb8]
* Review items [6dc56937]
* Code smells [5b21fbe5]
* Typos [771db045]
* Comment [6a23e493]
* Fix broken tests [b23ba13e]
* Straighten ACA request-response workflow [82ab2814]
* Wrap singleton list in ArrayList to avoid XStream permission issue [25c30724]
* Fix the filename of the `.jsonl` logs [9c705391]
* Remove DB migration [b4608b00]
* Add some DB check constraints corresponding to @NotNull in Java code [73fab508]
* Add more validation checks [04a111f5]
* Revert erroneous change [aa026edb]
* Cleanup [c579d4f3]
* Do not use hibernate-validation, it fails to load persistence provider [23a00e87]
* Remove functionality that forced a single nCipher.sworld key to exist [2ab0cfed]

src/main/dist/rpki-ripe-ncc.sh

@@ -17,7 +17,7 @@ CORE_JAR=${CORE_JAR:-"./rpki-ripe-ncc.jar"}
 
 CORE_OPTS=(
     "--spring.profiles.active=$APPLICATION_ENVIRONMENT"
-    "--spring.config.additional-location=file:/cert/shared/rpki-config-credentials.properties"
+    "--spring.config.additional-location=${SPRING_CONFIG_ADDITIONAL_LOCATION:-file:/cert/shared/rpki-config-credentials.properties}"
 )
 
 case "$APPLICATION_ENVIRONMENT" in

src/main/java/net/ripe/rpki/application/impl/CertificationProviderConfig.java

@@ -12,18 +12,10 @@ public CertificationProviderConfigurationData certificationProviderConfiguration
         @Value("${keystore.provider}") String keyStoreProvider,
         @Value("${keypair.generator.provider}") String keyPairGeneratorProvider,
         @Value("${signature.provider}") String signatureProvider,
-        @Value("${keystore.type}") String keyStoreType,
-        @Value("${fs.keystore.provider:${keystore.provider}}")
-        String fsKeyStoreProvider,
-        @Value("${fs.keypair.generator.provider:${keypair.generator.provider}}")
-        String fsKeyPairGeneratorProvider,
-        @Value("${fs.signature.provider:${signature.provider}}")
-        String fsSignatureProvider,
-        @Value("${fs.keystore.type:${keystore.type}}")
-        String fsKeyStoreType
+        @Value("${keystore.type}") String keyStoreType
     ) {
         return new CertificationProviderConfigurationData(
-            keyStoreProvider, keyPairGeneratorProvider, signatureProvider, keyStoreType,
-            fsKeyStoreProvider, fsKeyPairGeneratorProvider, fsSignatureProvider, fsKeyStoreType);
+            keyStoreProvider, keyPairGeneratorProvider, signatureProvider, keyStoreType
+        );
     }
 }

src/main/java/net/ripe/rpki/domain/CertificationProviderConfigurationData.java

@@ -1,44 +1,11 @@
 package net.ripe.rpki.domain;
 
-import lombok.Getter;
-import net.ripe.rpki.server.api.support.objects.ValueObjectSupport;
-
-@Getter
-public class CertificationProviderConfigurationData extends ValueObjectSupport {
+import lombok.Data;
 
+@Data
+public class CertificationProviderConfigurationData {
 	private final String keyStoreProvider;
 	private final String keyPairGeneratorProvider;
 	private final String signatureProvider;
     private final String keyStoreType;
-
-    private final String fsKeyStoreProvider;
-	private final String fsKeyPairGeneratorProvider;
-	private final String fsSignatureProvider;
-    private final String fsKeyStoreType;
-
-    public CertificationProviderConfigurationData(String keyStoreProvider,
-                                                  String keyPairGeneratorProvider,
-                                                  String signatureProvider,
-                                                  String keyStoreType,
-                                                  String fsKeyStoreProvider,
-                                                  String fsKeyPairGeneratorProvider,
-                                                  String fsSignatureProvider,
-                                                  String fsKeyStoreType) {
-    	this.keyStoreProvider = keyStoreProvider;
-    	this.keyPairGeneratorProvider = keyPairGeneratorProvider;
-    	this.signatureProvider = signatureProvider;
-    	this.keyStoreType = keyStoreType;
-        this.fsKeyStoreProvider = fsKeyStoreProvider;
-        this.fsKeyPairGeneratorProvider = fsKeyPairGeneratorProvider;
-        this.fsSignatureProvider = fsSignatureProvider;
-        this.fsKeyStoreType = fsKeyStoreType;
-    }
-
-    public boolean hasDifferentProviders() {
-        return !keyStoreProvider.equals(fsKeyStoreProvider) ||
-            !keyPairGeneratorProvider.equals(fsKeyPairGeneratorProvider) ||
-            !signatureProvider.equals(fsSignatureProvider) ||
-            !keyStoreType.equals(fsKeyStoreType);
-    }
-
 }

src/main/java/net/ripe/rpki/domain/HardwareKeyPairFactory.java

@@ -12,21 +12,14 @@
  */
 public class HardwareKeyPairFactory implements Supplier<KeyPair> {
     private final KeyPairFactory keyPairFactory;
-    private final KeyPairFactory fsKeyPairFactory;
     private final CertificationProviderConfigurationData providerConfigurationData;
 
     public HardwareKeyPairFactory(CertificationProviderConfigurationData providerConfigurationData) {
         this.keyPairFactory = new KeyPairFactory(providerConfigurationData.getKeyPairGeneratorProvider());
-        this.fsKeyPairFactory = providerConfigurationData.hasDifferentProviders() ?
-            new KeyPairFactory(providerConfigurationData.getFsKeyPairGeneratorProvider()) :
-            this.keyPairFactory;
         this.providerConfigurationData = providerConfigurationData;
     }
     public HardwareKeyPairFactory(CertificationProviderConfigurationData providerConfigurationData, KeyPairFactory keyPairFactory) {
         this.keyPairFactory = keyPairFactory.withProvider(providerConfigurationData.getSignatureProvider());
-        this.fsKeyPairFactory = providerConfigurationData.hasDifferentProviders() ?
-            new KeyPairFactory(providerConfigurationData.getFsSignatureProvider()) :
-            this.keyPairFactory;
         this.providerConfigurationData = providerConfigurationData;
     }
 
@@ -35,10 +28,6 @@ public KeyPair get() {
         return keyPairFactory.generate();
     }
 
-    public KeyPair getFsKey() {
-        return fsKeyPairFactory.generate();
-    }
-
     public String keyPairGeneratorProvider() {
         return providerConfigurationData.getKeyPairGeneratorProvider();
     }

src/main/java/net/ripe/rpki/domain/IncomingResourceCertificate.java

@@ -4,6 +4,7 @@
 import lombok.NonNull;
 import net.ripe.ipresource.ImmutableResourceSet;
 import net.ripe.rpki.domain.interca.CertificateIssuanceResponse;
+import org.apache.commons.lang3.Validate;
 
 import javax.persistence.*;
 import javax.validation.constraints.NotNull;
@@ -34,10 +35,11 @@ protected IncomingResourceCertificate() {
 
     public IncomingResourceCertificate(@NonNull CertificateIssuanceResponse issuanceResponse, @NonNull KeyPairEntity subjectKeyPair) {
         super(issuanceResponse.getCertificate());
+        Validate.notNull(issuanceResponse);
         setPublicationUri(issuanceResponse.getPublicationUri());
         this.inheritedResources = issuanceResponse.getInheritedResources();
         this.subjectKeyPair = subjectKeyPair;
-        assertValid();
+        revalidate();
     }
 
     public boolean update(CertificateIssuanceResponse issuanceResponse) {
@@ -50,10 +52,17 @@ public boolean update(CertificateIssuanceResponse issuanceResponse) {
         updateCertificate(issuanceResponse.getCertificate());
         setPublicationUri(issuanceResponse.getPublicationUri());
         this.inheritedResources = issuanceResponse.getInheritedResources();
+        revalidate();
         return true;
     }
 
     public ImmutableResourceSet getCertifiedResources() {
         return inheritedResources.union(super.getResources());
     }
+
+    protected void revalidate() {
+        Validate.notNull(subjectKeyPair);
+        Validate.notNull(inheritedResources);
+        revalidateCertificate();
+    }
 }

src/main/java/net/ripe/rpki/domain/KeyPairEntity.java

@@ -89,11 +89,12 @@ public KeyPairEntity(KeyPair keyPair,
                          String crlFilename,
                          String manifestFilename) {
         this();
+        Validate.notNull(manifestFilename);
+        Validate.notNull(crlFilename);
         this.size = ((RSAPublicKey) keyPair.getPublic()).getModulus().bitLength();
         this.persistedKeyPair = new PersistedKeyPair(keyPair, signInfo);
         this.crlFilename = crlFilename;
         this.manifestFilename = manifestFilename;
-        assertValid();
     }
 
     @Override

src/main/java/net/ripe/rpki/domain/KeyPairService.java

@@ -7,7 +7,5 @@ public interface KeyPairService {
 
     KeyPairEntity createKeyPairEntity();
 
-    KeyPairEntity createSpecialFsKeyPairEntity();
-
     DownStreamProvisioningCommunicator createMyIdentityMaterial(ManagedCertificateAuthority ca);
 }

src/main/java/net/ripe/rpki/domain/OutgoingResourceCertificate.java

@@ -21,6 +21,8 @@
 import javax.validation.constraints.NotNull;
 import java.net.URI;
 
+import static java.util.Objects.requireNonNull;
+
 @Entity
 @DiscriminatorValue(value = "OUTGOING")
 public class OutgoingResourceCertificate extends ResourceCertificate {
@@ -65,14 +67,15 @@ protected OutgoingResourceCertificate() {
         super(certificate);
         Validate.isTrue(embedded || filename != null, "embedded or filename must be set");
         Validate.isTrue(embedded || parentPublicationDirectory != null, "embedded or parentPublicationDirectory must be set");
+        Validate.notNull(signingKeyPair);
         this.signingKeyPair = signingKeyPair;
         this.embedded = embedded;
         this.status = OutgoingResourceCertificateStatus.CURRENT;
         if (!embedded) {
             publishedObject = new PublishedObject(signingKeyPair, filename, getDerEncoded(), true, parentPublicationDirectory, getValidityPeriod());
             setPublicationUri(publishedObject.getUri());
         }
-        assertValid();
+        revalidateCertificate();
     }
 
     public KeyPairEntity getSigningKeyPair() {
@@ -81,7 +84,7 @@ public KeyPairEntity getSigningKeyPair() {
 
     public void setRequestingCertificateAuthority(@NonNull ChildCertificateAuthority requestingCertificateAuthority) {
         Validate.isTrue(isCurrent(), "only CURRENT certificate can have requesting child certificate authority");
-        this.requestingCertificateAuthority = requestingCertificateAuthority;
+        this.requestingCertificateAuthority = requireNonNull(requestingCertificateAuthority);
     }
 
     public boolean isCurrent() {

src/main/java/net/ripe/rpki/domain/ProductionCertificateAuthority.java

@@ -51,9 +51,4 @@ public Optional<ResourceExtension> lookupCertifiableIpResources(ResourceLookupSe
     public ProvisioningIdentityCertificate getProvisioningIdentityCertificate() {
         return myDownStreamProvisioningCommunicator.getProvisioningIdentityCertificate();
     }
-
-    @Override
-    protected KeyPairEntity generateNewKeyPair(KeyPairService keyPairService) {
-        return keyPairService.createSpecialFsKeyPairEntity();
-    }
 }

src/main/java/net/ripe/rpki/domain/ResourceCertificate.java

@@ -37,6 +37,7 @@ public abstract class ResourceCertificate extends EntitySupport {
 
     @Id
     @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "seq_resourcecertificate")
+    @Getter
     private Long id;
 
     @NotNull
@@ -102,19 +103,26 @@ protected void updateCertificate(X509ResourceCertificate certificate) {
         this.encodedSubjectPublicKey = certificate.getPublicKey().getEncoded();
         this.validityPeriod = new EmbeddedValidityPeriod(certificate.getValidityPeriod());
         this.encoded = certificate.getEncoded();
+        revalidateCertificate();
     }
 
-    @Override
-    public Long getId() {
-        return id;
+    protected void revalidateCertificate() {
+        Validate.notNull(serial);
+        Validate.notNull(subject);
+        Validate.notNull(issuer);
+        Validate.notNull(resourceExtension);
+        Validate.notNull(subjectPublicKey);
+        Validate.notNull(encodedSubjectPublicKey);
+        Validate.notNull(validityPeriod);
+        Validate.notNull(encoded);
     }
 
-    public @NonNull ImmutableResourceSet getResources() {
-        return resourceExtension.getResources();
+    public ImmutableResourceSet getResources() {
+        return requireNonNull(resourceExtension.getResources());
     }
 
-    public @NonNull ResourceExtension getResourceExtension() {
-        return resourceExtension.getResourceExtension();
+    public ResourceExtension getResourceExtension() {
+        return requireNonNull(resourceExtension.getResourceExtension());
     }
 
     public ValidityPeriod getValidityPeriod() {

src/main/java/net/ripe/rpki/ncc/core/domain/support/EntitySupport.java

@@ -46,16 +46,4 @@ public String toString() {
         return ToStringBuilder.reflectionToString(this, ToStringStyle.SHORT_PREFIX_STYLE);
     }
 
-    /**
-     * @throws IllegalStateException
-     *             the entity validation failed.
-     */
-    public void assertValid() {
-        ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
-        Validator validator = factory.getValidator();
-        Set<ConstraintViolation<EntitySupport>> result = validator.validate(this);
-        if (!result.isEmpty()) {
-            throw new IllegalStateException(result.toString());
-        }
-    }
 }

src/main/java/net/ripe/rpki/services/impl/KeyPairServiceBean.java

@@ -36,11 +36,6 @@ public KeyPairEntity createKeyPairEntity() {
         return getKeyPairEntity(hardwareKeyPairFactory.get(), createSignInfo());
     }
 
-    @Override
-    public KeyPairEntity createSpecialFsKeyPairEntity() {
-        return getKeyPairEntity(hardwareKeyPairFactory.getFsKey(), createFsSignInfo());
-    }
-
     private KeyPairEntity getKeyPairEntity(KeyPair keyPair, KeyPairEntitySignInfo signInfo) {
         String crlFilename = namingStrategy.crlFileName(keyPair);
         String manifestFilename = namingStrategy.manifestFileName(keyPair);
@@ -60,12 +55,4 @@ private KeyPairEntitySignInfo createSignInfo() {
                 providerConfiguration.getSignatureProvider(),
                 providerConfiguration.getKeyStoreType());
     }
-
-    private KeyPairEntitySignInfo createFsSignInfo() {
-        return new KeyPairEntitySignInfo(
-                providerConfiguration.getFsKeyStoreProvider(),
-                providerConfiguration.getFsSignatureProvider(),
-                providerConfiguration.getFsKeyStoreType());
-    }
-
 }

src/main/java/net/ripe/rpki/services/impl/handlers/KeyManagementInitiateRollCommandHandler.java

@@ -16,7 +16,9 @@
 import net.ripe.rpki.server.api.services.command.CommandWithoutEffectException;
 
 import javax.inject.Inject;
+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.List;
 
 import static net.ripe.rpki.domain.Resources.DEFAULT_RESOURCE_CLASS;
 
@@ -80,9 +82,9 @@ public void handle(KeyManagementInitiateRollCommand command, CommandStatus comma
     }
 
     private void handleForAllResourcesCa(AllResourcesCertificateAuthority ca, CertificateIssuanceRequest request) {
-        ca.setUpStreamCARequestEntity(new UpStreamCARequestEntity(ca, certificationRequestCreationService.createTrustAnchorRequest(
-            Collections.singletonList(toTaRequests(request))
-        )));
+        List<TaRequest> signingRequests = new ArrayList<>(Collections.singletonList(toTaRequests(request)));
+        ca.setUpStreamCARequestEntity(new UpStreamCARequestEntity(ca,
+                certificationRequestCreationService.createTrustAnchorRequest(signingRequests)));
     }
 
     private void handleForManagedCertificateAuthority(ManagedCertificateAuthority ca, CertificateIssuanceRequest request) {