ID-35: add support to remove certificates

Author: mlookaxw

doc/manual/_config-tool.adoc

@@ -61,7 +61,7 @@ Options:
 If environmentalized fields or certificates are not configured, the build fails.
 Missing fields or certificates are automatically added to the configuration file.
 
-[cols="2,5", options="header"]
+[cols="2,5a", options="header"]
 |===
 |Option
 |Description
@@ -134,11 +134,19 @@ If not set the output archives have the same passphrase as the source archives.
 |Enable simulation mode.
 
 In simulation mode, no output files (`.fed` or `.env`) will be written.
-Also non existing certificate files will be ignored.
 
+The simulation mode will ignore non existing certificate files and will not apply the values of environmentalized fields.
+
+[NOTE]
+====
+The simulation mode can be used to prepare packages for CI/CD pipelines.
+
+In this case configuration parameters and certificates may be stored in a configuration database.
+So during the preparation phase the certificates may not be available and the configuration files may contain placeholders.
+To avoid errors due to incompatible types (e.g. placeholder string used for an integer field) the values will not be applied to the entity store.
+====
 |===
 
-TIP: The simulation mode can be used to check the configuration and to update the configuration files.
 
 == Configuration Files
 
@@ -340,6 +348,17 @@ It specifies the alias of the certificates within the project and the source of
                 "source": "env", <16>
                 "type": "p12"
             }
+        },
+        "test4": {
+            "origin": {
+                "info": {
+                    "not_after": "2021-09-30T16:01:15+02:00", 
+                    "subject": "CN=DST Root CA X3, O=Digital Signature Trust Co."
+                }
+            },
+            "update": {
+                "type": "empty" <17>
+            }
         }
     }
 }
@@ -364,6 +383,7 @@ This certificate will be added to the certificate store.
 <14> Declares the property "password" as the source of the password for the `.p12` file.
 <15> The password is retrieved from the `TEST3_PASSWORD` environment variable.
 <16> Specifies an environment variable as the source of the password.
+<17> Type `empty` indicates that a certificate will be updated with an _empty_ certificate and therefore will be removed.
 
 === Properties
 

example/config-tool/config/gateway.certs.json

@@ -33,6 +33,28 @@
         "file": "config/certs/staged-root-ca.crt", 
         "type": "crt"
       }
+    }, 
+    "to-be-deleted": {
+      "origin": {
+        "info": {
+          "not_after": "2020-08-23T20:24:00+02:00", 
+          "subject": "CN=localhost, O=ACME Inc., C=EX"
+        }
+      },
+      "update": {
+        "type": "empty"
+      }
+    }, 
+    "to-be-removed-ca": {
+      "origin": {
+        "info": {
+          "not_after": "2029-08-23T20:19:00+02:00", 
+          "subject": "CN=acme-inc-example, O=ACME Inc., L=Example, C=EX"
+        }
+      },
+      "update": {
+        "type": "empty"
+      }
     }
   }
 }

example/config-tool/src/gateway.env

@@ -223,6 +223,12 @@ def __init__(self, alias, cert_type, cert_file_path, password = ""):
         self.__file_path = cert_file_path
         self.__password = password
 
+        if cert_type not in ["crt", "p12", "empty"]:
+            raise ValueError("Invalid certificate type '%s' for alias '%s'!" % (cert_type, alias))
+        if self.__type != "empty" and not self.__file_path:
+            raise ValueError("Missing path to certificate file for alias '%s'!" % (alias))
+        return
+
     def get_alias(self):
         return self.__alias
 
@@ -234,6 +240,9 @@ def get_file(self):
 
     def get_password(self):
         return self.__password
+    
+    def is_empty():
+        return self.__type == "empty"
 
 class CertInfo:
     __alias = None
@@ -362,10 +371,13 @@ def get_certificates(self):
 
                 cert = cert_cfg["update"]
 
+                if "type" not in cert:
+                    raise ValueError("Missing certificate type for alias '%s'!" % (alias))
                 cert_type = cert["type"]
-                if cert_type not in ["crt", "p12"]:
-                    raise ValueError("Invalid certificate type '%s' for alias '%s'!" % (cert_type, alias))
-                cert_file = cert["file"]
+
+                cert_file = None
+                if "file" in cert:
+                    cert_file = cert["file"]
 
                 password = None
                 if "password" in cert:

example/config-tool/src/gateway.pol

@@ -182,6 +182,14 @@ def __add_or_replace_certificate(self, es, alias, cert, private_key=None):
         es.updateEntity(cert_entity)
         return
 
+    def __remove_certificate(self, es, alias):
+        # Get certificate entity
+        cert_store = es.get('/[Certificates]name=Certificate Store')
+        cert_entity = es.getChild(cert_store, '[Certificate]dname=%s' % (es.escapeField(alias)))
+        if cert_entity:
+            es.cutEntity(cert_entity)
+        return
+    
     def __configure_certificates(self):
         if self.__cert_config is not None:
             # determine existing certificates
@@ -223,6 +231,10 @@ def __configure_certificates(self):
                             continue
                         else:
                             raise ValueError("Certificate file not found for alias '%s': %s" % (cert_ref.get_alias(), cert_ref.get_file()))
+                elif cert_ref.get_type() == "empty":
+                    self.__remove_certificate(es, cert_ref.get_alias())
+                    logging.info("Certificate removed: %s" % (cert_ref.get_alias()))
+                    continue
                 else:
                     raise ValueError("Unsupported certificate type: %s" % (cert_ref.get_type()))