localstack · viren-nadkarni · Oct 24, 2024 · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024
diff --git a/localstack-core/localstack/services/opensearch/packages.py b/localstack-core/localstack/services/opensearch/packages.py
@@ -21,6 +21,11 @@
 from localstack.services.opensearch import versions
 from localstack.utils.archives import download_and_extract_with_retry
 from localstack.utils.files import chmod_r, load_file, mkdir, rm_rf, save_file
+from localstack.utils.java import (
+    java_system_properties_proxy,
+    java_system_properties_ssl,
+    system_properties_to_cli_args,
+)
 from localstack.utils.run import run
 from localstack.utils.ssl import create_ssl_cert, install_predefined_cert_if_available
 from localstack.utils.sync import SynchronizedDefaultDict, retry
@@ -65,7 +70,6 @@ def _install(self, target: InstallTarget):
                 tmp_archive = os.path.join(
                     config.dirs.cache, f"localstack.{os.path.basename(opensearch_url)}"
                 )
-                print(f"DEBUG: installing opensearch to path {install_dir_parent}")
                 download_and_extract_with_retry(opensearch_url, tmp_archive, install_dir_parent)
                 opensearch_dir = glob.glob(os.path.join(install_dir_parent, "opensearch*"))
                 if not opensearch_dir:
@@ -85,14 +89,27 @@ def _install(self, target: InstallTarget):
                 # install other default plugins for opensearch 1.1+
                 # https://forum.opensearch.org/t/ingest-attachment-cannot-be-installed/6494/12
                 if parsed_version >= "1.1.0":
+                    # Determine network configuration to use for plugin downloads
+                    sys_props = {
+                        **java_system_properties_proxy(),
+                        **java_system_properties_ssl(
+                            os.path.join(install_dir, "jdk", "bin", "keytool"),
+                            {"JAVA_HOME": os.path.join(install_dir, "jdk")},
+                        ),
+                    }
+                    java_opts = system_properties_to_cli_args(sys_props)
+
                     for plugin in OPENSEARCH_PLUGIN_LIST:
                         plugin_binary = os.path.join(install_dir, "bin", "opensearch-plugin")
                         plugin_dir = os.path.join(install_dir, "plugins", plugin)
                         if not os.path.exists(plugin_dir):
                             LOG.info("Installing OpenSearch plugin %s", plugin)
 
                             def try_install():
-                                output = run([plugin_binary, "install", "-b", plugin])
+                                output = run(
+                                    [plugin_binary, "install", "-b", plugin],
+                                    env_vars={"OPENSEARCH_JAVA_OPTS": " ".join(java_opts)},
+                                )
                                 LOG.debug("Plugin installation output: %s", output)
 
                             # We're occasionally seeing javax.net.ssl.SSLHandshakeException -> add download retries
@@ -241,6 +258,16 @@ def _install(self, target: InstallTarget):
                 mkdir(dir_path)
                 chmod_r(dir_path, 0o777)
 
+            # Determine network configuration to use for plugin downloads
+            sys_props = {
+                **java_system_properties_proxy(),
+                **java_system_properties_ssl(
+                    os.path.join(install_dir, "jdk", "bin", "keytool"),
+                    {"JAVA_HOME": os.path.join(install_dir, "jdk")},
+                ),
+            }
+            java_opts = system_properties_to_cli_args(sys_props)
+
             # install default plugins
             for plugin in ELASTICSEARCH_PLUGIN_LIST:
                 plugin_binary = os.path.join(install_dir, "bin", "elasticsearch-plugin")
@@ -249,7 +276,10 @@ def _install(self, target: InstallTarget):
                     LOG.info("Installing Elasticsearch plugin %s", plugin)
 
                     def try_install():
-                        output = run([plugin_binary, "install", "-b", plugin])
+                        output = run(
+                            [plugin_binary, "install", "-b", plugin],
+                            env_vars={"ES_JAVA_OPTS": " ".join(java_opts)},
+                        )
                         LOG.debug("Plugin installation output: %s", output)
 
                     # We're occasionally seeing javax.net.ssl.SSLHandshakeException -> add download retries

diff --git a/localstack-core/localstack/utils/java.py b/localstack-core/localstack/utils/java.py
@@ -0,0 +1,120 @@
+"""
+Utilities related to Java runtime.
+"""
+
+import logging
+from os import environ
+from urllib.parse import urlparse
+
+from localstack import config
+from localstack.utils.files import new_tmp_file, rm_rf
+from localstack.utils.run import run
+
+LOG = logging.getLogger(__name__)
+
+
+#
+# Network
+#
+
+
+def java_system_properties_proxy() -> dict[str, str]:
+    """
+    Returns Java system properties for network proxy settings as per LocalStack configuration.
+
+    See: https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html
+    """
+    props = {}
+
+    for scheme, default_port, var in [
+        ("http", "80", config.OUTBOUND_HTTP_PROXY),
+        ("https", "443", config.OUTBOUND_HTTPS_PROXY),
+    ]:
+        if var:
+            netloc = urlparse(var).netloc
+            url = netloc.split(":")
+            if len(url) == 2:
+                hostname, port = url
+            else:
+                hostname, port = url[0], default_port
+
+            props[f"{scheme}.proxyHost"] = hostname
+            props[f"{scheme}.proxyPort"] = port
-    for scheme, default_port, var in [
-        ("http", "80", config.OUTBOUND_HTTP_PROXY),
-        ("https", "443", config.OUTBOUND_HTTPS_PROXY),
-    ]:
-        if var:
-            netloc = urlparse(var).netloc
-            url = netloc.split(":")
-            if len(url) == 2:
-                hostname, port = url
-            else:
-                hostname, port = url[0], default_port
-
-            props[f"{scheme}.proxyHost"] = hostname
-            props[f"{scheme}.proxyPort"] = port
+    for scheme, default_port, proxy_url in [
+        ("http", "80", config.OUTBOUND_HTTP_PROXY),
+        ("https", "443", config.OUTBOUND_HTTPS_PROXY),
+    ]:
+        if var:
+            parsed_proxy_url = urlparse(proxy_url)
+            props[f"{scheme}.proxyHost"] = parsed_proxy_url.hostname
+            props[f"{scheme}.proxyPort"] = parsed_proxy_url.port
-    for scheme, default_port, var in [
-        ("http", "80", config.OUTBOUND_HTTP_PROXY),
-        ("https", "443", config.OUTBOUND_HTTPS_PROXY),
-    ]:
-        if var:
-            netloc = urlparse(var).netloc
-            url = netloc.split(":")
-            if len(url) == 2:
-                hostname, port = url
-            else:
-                hostname, port = url[0], default_port
-
-            props[f"{scheme}.proxyHost"] = hostname
-            props[f"{scheme}.proxyPort"] = port
+    for scheme, default_port, proxy_url in [
+        ("http", "80", config.OUTBOUND_HTTP_PROXY),
+        ("https", "443", config.OUTBOUND_HTTPS_PROXY),
+    ]:
+        if var:
+            parsed_proxy_url = urlparse(proxy_url)
+            props[f"{scheme}.proxyHost"] = parsed_proxy_url.hostname
+            props[f"{scheme}.proxyPort"] = parsed_proxy_url.port
+
+    return props
+
+
+#
+# SSL
+#
+
+
+def build_trust_store(
+    keytool_path: str, pem_bundle_path: str, env_vars: dict[str, str], store_passwd: str
+) -> str:
+    """
+    Build a TrustStore in JKS format from a PEM certificate bundle.
+
+    :param keytool_path: path to the `keytool` binary.
+    :param pem_bundle_path: path to the PEM bundle.
+    :param env_vars: environment variables passed during `keytool` execution. This should contain JAVA_HOME and other relevant variables.
+    :param store_passwd: store password to use.
+    :return: path to the truststore file.
+    """
+    store_path = new_tmp_file(suffix=".jks")
+    rm_rf(store_path)
+
+    LOG.debug("Building JKS trust store for %s at %s", pem_bundle_path, store_path)
+    cmd = f"{keytool_path} -importcert -trustcacerts -alias localstack -file {pem_bundle_path} -keystore {store_path} -storepass {store_passwd} -noprompt"
+    run(cmd, env_vars=env_vars)
+
+    return store_path
+
+
+def java_system_properties_ssl(keytool_path: str, env_vars: dict[str, str]) -> dict[str, str]:
+    """
+    Returns Java system properties for SSL settings as per LocalStack configuration.
+
+    See https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores
+    """
+    props = {}
+
+    if ca_bundle := environ.get("REQUESTS_CA_BUNDLE"):
+        store_passwd = "localstack"
+        store_path = build_trust_store(keytool_path, ca_bundle, env_vars, store_passwd)
+        props["javax.net.ssl.trustStore"] = store_path
+        props["javax.net.ssl.trustStorePassword"] = store_passwd
+        props["javax.net.ssl.trustStoreType"] = "jks"
+
+    return props
+
+
+#
+# Other
+#
+
+
+def system_properties_to_cli_args(properties: dict[str, str]) -> list[str]:
+    """
+    Convert a dict of Java system properties to a list of CLI arguments.
+
+    e.g.::
+
+        {
+          'java.sys.foo': 'bar',
+          'java.sys.lorem': 'ipsum'
+        }
+
+    returns::
+
+        [
+          '-Djava.sys.foo=bar',
+          '-Djava.sys.lorem=ipsum',
+        ]
+    """
+    args = []
+
+    for arg_name, arg_value in properties.items():
+        args.append(f"-D{arg_name}={arg_value}")
+
+    return args
diff --git a/tests/unit/utils/test_java.py b/tests/unit/utils/test_java.py
@@ -0,0 +1,65 @@
+from unittest.mock import MagicMock
+
+from localstack import config
+from localstack.utils import java
+
+
+def test_java_system_properties_proxy(monkeypatch):
+    # Ensure various combinations of env config options are properly converted into expected sys props
+
+    monkeypatch.setattr(config, "OUTBOUND_HTTP_PROXY", "http://lorem.com:69")
+    monkeypatch.setattr(config, "OUTBOUND_HTTPS_PROXY", "")
+    output = java.java_system_properties_proxy()
+    assert len(output) == 2
+    assert output["http.proxyHost"] == "lorem.com"
+    assert output["http.proxyPort"] == "69"
+
+    monkeypatch.setattr(config, "OUTBOUND_HTTP_PROXY", "")
+    monkeypatch.setattr(config, "OUTBOUND_HTTPS_PROXY", "http://ipsum.com")
+    output = java.java_system_properties_proxy()
+    assert len(output) == 2
+    assert output["https.proxyHost"] == "ipsum.com"
+    assert output["https.proxyPort"] == "443"
+
+    # Ensure no explicit port defaults to 80
+    monkeypatch.setattr(config, "OUTBOUND_HTTP_PROXY", "http://baz.com")
+    monkeypatch.setattr(config, "OUTBOUND_HTTPS_PROXY", "http://qux.com:42")
+    output = java.java_system_properties_proxy()
+    assert len(output) == 4
+    assert output["http.proxyHost"] == "baz.com"
+    assert output["http.proxyPort"] == "80"
+    assert output["https.proxyHost"] == "qux.com"
+    assert output["https.proxyPort"] == "42"
+
+
+def test_java_system_properties_ssl(monkeypatch):
+    mock = MagicMock()
+    mock.return_value = "/baz/qux"
+    monkeypatch.setattr(java, "build_trust_store", mock)
+
+    # Ensure that no sys props are returned if CA bundle is not set
+    monkeypatch.delenv("REQUESTS_CA_BUNDLE", raising=False)
+
+    output = java.java_system_properties_ssl("/path/keytool", {"enable_this": "true"})
+    assert output == {}
+    mock.assert_not_called()
+
+    # Ensure that expected sys props are returned when CA bundle is set
+    mock.reset_mock()
+    monkeypatch.setenv("REQUESTS_CA_BUNDLE", "/foo/bar")
+
+    output = java.java_system_properties_ssl("/path/to/keytool", {"disable_this": "true"})
+    assert len(output) == 3
+    assert output["javax.net.ssl.trustStore"] == "/baz/qux"
+    assert output["javax.net.ssl.trustStorePassword"] == "localstack"
+    assert output["javax.net.ssl.trustStoreType"] == "jks"
+    mock.assert_called_with("/path/to/keytool", "/foo/bar", {"disable_this": "true"}, "localstack")
+
+
+def test_system_properties_to_cli_args():
+    assert java.system_properties_to_cli_args({}) == []
+    assert java.system_properties_to_cli_args({"foo": "bar"}) == ["-Dfoo=bar"]
+    assert java.system_properties_to_cli_args({"foo": "bar", "baz": "qux"}) == [
+        "-Dfoo=bar",
+        "-Dbaz=qux",
+    ]