Merge pull request #6920 from vespa-engine/bjorncs/ssl-cleanup

Remove SslKeyStoreConfigurator/SslTrustStoreConfigurator concept
author: Bjørn Christian Seime <bjorn.christian@seime.no> 2018-09-12 12:15:25 +0200
committer: GitHub <noreply@github.com> 2018-09-12 12:15:25 +0200
commit: c65822c82b71dfbcd49fc403d3a503914e044de3 (patch)
tree: d5693fd58bca2367ae053293e6e05717c209945d
parent: 9f404a93ef9a986c1ef8afb2f05630d97f3dccf5 (diff)
parent: 3ac0420f32e9841bd53705603ab7f9a67a8c8700 (diff)
17 files changed, 105 insertions, 491 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
index 8bfd0b1e4da..1365eb43a30 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ConnectorFactory.java
@@ -4,16 +4,12 @@ package com.yahoo.vespa.model.container.http;
 import com.yahoo.component.ComponentId;
 import com.yahoo.container.bundle.BundleInstantiationSpecification;
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
 import com.yahoo.osgi.provider.model.ComponentModel;
 import com.yahoo.text.XML;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ssl.DummySslProvider;
 import org.w3c.dom.Element;
 
-import java.util.Optional;
-
 import static com.yahoo.component.ComponentSpecification.fromString;
 import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType;
 
@@ -29,14 +25,12 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig
     private final Element legacyConfig;
 
     public ConnectorFactory(String name, int listenPort) {
-        this(name, listenPort, null, null, null, new DummySslProvider(name));
+        this(name, listenPort, null, new DummySslProvider(name));
     }
 
     public ConnectorFactory(String name,
                             int listenPort,
                             Element legacyConfig,
-                            Element sslKeystoreConfigurator,
-                            Element sslTruststoreConfigurator,
                             SimpleComponent sslProviderComponent) {
         super(new ComponentModel(
                 new BundleInstantiationSpecification(new ComponentId(name),
@@ -47,8 +41,6 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig
         this.legacyConfig = legacyConfig;
         addChild(sslProviderComponent);
         inject(sslProviderComponent);
-        addSslKeyStoreConfigurator(name, sslKeystoreConfigurator);
-        addSslTrustStoreConfigurator(name, sslTruststoreConfigurator);
     }
 
     @Override
@@ -159,30 +151,4 @@ public class ConnectorFactory extends SimpleComponent implements ConnectorConfig
             }
         }
     }
-
-
-    private void addSslKeyStoreConfigurator(String name, Element sslKeystoreConfigurator) {
-        addSslConfigurator("ssl-keystore-configurator@" + name,
-                           DefaultSslKeyStoreConfigurator.class,
-                           sslKeystoreConfigurator);
-    }
-
-    private void addSslTrustStoreConfigurator(String name, Element sslKeystoreConfigurator) {
-        addSslConfigurator("ssl-truststore-configurator@" + name,
-                           DefaultSslTrustStoreConfigurator.class,
-                           sslKeystoreConfigurator);
-    }
-
-    private void addSslConfigurator(String idSpec, Class<?> defaultImplementation, Element configuratorElement) {
-        SimpleComponent configuratorComponent;
-        if (configuratorElement != null) {
-            String className = configuratorElement.getAttribute("class");
-            String bundleName = configuratorElement.getAttribute("bundle");
-            configuratorComponent = new SimpleComponent(new ComponentModel(idSpec, className, bundleName));
-        } else {
-            configuratorComponent = new SimpleComponent(new ComponentModel(idSpec, defaultImplementation.getName(), "jdisc_http_service"));
-        }
-        addChild(configuratorComponent);
-        inject(configuratorComponent);
-    }
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
index 6061ce45ce4..91cf25002e6 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/xml/JettyConnectorBuilder.java
@@ -38,10 +38,8 @@ public class JettyConnectorBuilder extends VespaDomBuilder.DomConfigProducerBuil
                 legacyServerConfig = null;
             }
         }
-        Element sslKeystoreConfigurator = XML.getChild(serverSpec, "ssl-keystore-configurator");
-        Element sslTruststoreConfigurator = XML.getChild(serverSpec, "ssl-truststore-configurator");
         SimpleComponent sslProviderComponent = getSslConfigComponents(name, serverSpec);
-        return new ConnectorFactory(name, port, legacyServerConfig, sslKeystoreConfigurator, sslTruststoreConfigurator, sslProviderComponent);
+        return new ConnectorFactory(name, port, legacyServerConfig, sslProviderComponent);
     }
 
     SimpleComponent getSslConfigComponents(String serverName, Element serverSpec) {
diff --git a/config-model/src/main/resources/schema/containercluster.rnc b/config-model/src/main/resources/schema/containercluster.rnc
index 991bd13f4a0..4934ce113bb 100644
--- a/config-model/src/main/resources/schema/containercluster.rnc
+++ b/config-model/src/main/resources/schema/containercluster.rnc
@@ -64,8 +64,6 @@ HttpServer =  element server {
     attribute port { xsd:nonNegativeInteger } &
     ComponentId &
     (Ssl | SslProvider)? &
-    element ssl-keystore-configurator { BundleSpec }? & # FOR INTERNAL USE ONLY - SUBJECT TO CHANGE
-    element ssl-truststore-configurator { BundleSpec }? & # FOR INTERNAL USE ONLY - SUBJECT TO CHANGE
     GenericConfig*
 }
 
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
index ff50acce3f0..1815befab88 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JettyContainerModelBuilderTest.java
@@ -3,30 +3,21 @@ package com.yahoo.vespa.model.container.xml;
 
 import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
 import com.yahoo.container.ComponentsConfig;
-import com.yahoo.container.bundle.BundleInstantiationSpecification;
 import com.yahoo.container.jdisc.FilterBindingsProvider;
 import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
 import com.yahoo.vespa.model.container.ContainerCluster;
 import com.yahoo.vespa.model.container.component.SimpleComponent;
 import com.yahoo.vespa.model.container.http.ConnectorFactory;
 import com.yahoo.vespa.model.container.http.JettyHttpServer;
-
 import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
 import org.junit.Test;
 import org.w3c.dom.Element;
-import org.xml.sax.SAXException;
 
-import java.io.IOException;
-import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
-import java.util.Set;
 
 import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.KeyStoreType;
 import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.hasItem;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.nullValue;
@@ -197,44 +188,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
     }
 
     @Test
-    public void ssl_keystore_and_truststore_configurator_can_be_overriden() throws IOException, SAXException {
-        Element clusterElem = DomBuilderTest.parse(
-                "<jdisc id='default' version='1.0' jetty='true'>",
-                "  <http>",
-                "    <server port='9000' id='foo'>",
-                "      <ssl-keystore-configurator class='com.yahoo.MySslKeyStoreConfigurator' bundle='mybundle'/>",
-                "      <ssl-truststore-configurator class='com.yahoo.MySslTrustStoreConfigurator' bundle='mybundle'/>",
-                "    </server>",
-                "    <server port='9001' id='bar'/>",
-                "  </http>",
-                nodesXml,
-                "</jdisc>");
-        createModel(root, clusterElem);
-        ContainerCluster cluster = (ContainerCluster) root.getChildren().get("default");
-        List<ConnectorFactory> connectorFactories = cluster.getChildrenByTypeRecursive(ConnectorFactory.class);
-        {
-            ConnectorFactory firstConnector = connectorFactories.get(0);
-            assertConnectorHasInjectedComponents(firstConnector, "ssl-keystore-configurator@foo", "ssl-truststore-configurator@foo", "dummy-ssl-provider@foo");
-            assertComponentHasClassNameAndBundle(getChildComponent(firstConnector, 0),
-                                                 "com.yahoo.MySslKeyStoreConfigurator",
-                                                 "mybundle");
-            assertComponentHasClassNameAndBundle(getChildComponent(firstConnector, 1),
-                                                 "com.yahoo.MySslTrustStoreConfigurator",
-                                                 "mybundle");
-        }
-        {
-            ConnectorFactory secondConnector = connectorFactories.get(1);
-            assertConnectorHasInjectedComponents(secondConnector, "ssl-keystore-configurator@bar", "ssl-truststore-configurator@bar", "dummy-ssl-provider@bar");
-            assertComponentHasClassNameAndBundle(getChildComponent(secondConnector, 0),
-                                                 DefaultSslKeyStoreConfigurator.class.getName(),
-                                                 "jdisc_http_service");
-            assertComponentHasClassNameAndBundle(getChildComponent(secondConnector, 1),
-                                                 DefaultSslTrustStoreConfigurator.class.getName(),
-                                                 "jdisc_http_service");
-        }
-    }
-
-    @Test
     public void verify_that_ssl_element_generates_connector_config_and_inject_provider_component() {
         Element clusterElem = DomBuilderTest.parse(
                 "<jdisc id='default' version='1.0' jetty='true'>",
@@ -315,25 +268,6 @@ public class JettyContainerModelBuilderTest extends ContainerModelBuilderTestBas
         assertChildComponentExists(connectorFactory, "com.yahoo.CustomSslProvider");
     }
 
-    private static void assertConnectorHasInjectedComponents(ConnectorFactory connectorFactory, String... componentNames) {
-        Set<String> injectedComponentIds = connectorFactory.getInjectedComponentIds();
-        assertThat(injectedComponentIds.size(), equalTo(componentNames.length));
-        Arrays.stream(componentNames)
-                .forEach(name -> assertThat(injectedComponentIds, hasItem(name)));
-    }
-
-    private static SimpleComponent getChildComponent(ConnectorFactory connectorFactory, int index) {
-        return connectorFactory.getChildrenByTypeRecursive(SimpleComponent.class).get(index);
-    }
-
-    private static void assertComponentHasClassNameAndBundle(SimpleComponent simpleComponent,
-                                                             String className,
-                                                             String bundleName) {
-        BundleInstantiationSpecification spec = simpleComponent.model.bundleInstantiationSpec;
-        assertThat(spec.classId.toString(), is(className));
-        assertThat(spec.bundle.toString(), is(bundleName));
-    }
-
     private static void assertChildComponentExists(ConnectorFactory connectorFactory, String className) {
         Optional<SimpleComponent> simpleComponent = connectorFactory.getChildren().values().stream()
                 .map(z -> (SimpleComponent) z)
diff --git a/config-model/src/test/schema-test-files/services.xml b/config-model/src/test/schema-test-files/services.xml
index 21d6693720e..632abe68ab7 100644
--- a/config-model/src/test/schema-test-files/services.xml
+++ b/config-model/src/test/schema-test-files/services.xml
@@ -112,10 +112,7 @@
         </request-chain>
       </filtering>
 
-      <server port="4080" id="myServer">
-        <ssl-keystore-configurator class="com.yahoo.MySslKeyStoreConfigurator" bundle="mybundle" />
-        <ssl-truststore-configurator class="com.yahoo.MySslTrustStoreConfigurator" bundle="mybundle" />
-      </server>
+      <server port="4080" id="myServer"/>
       <server port="4081" id="anotherServer">
         <config name="container.jdisc.config.http-server">
           <maxChunkSize>9999</maxChunkSize>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java
deleted file mode 100644
index e805332429b..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzTrustStoreConfigurator.java
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.athenz.filter;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.http.ssl.SslTrustStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.SslTrustStoreContext;
-import com.yahoo.security.KeyStoreBuilder;
-import com.yahoo.security.KeyStoreType;
-import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
-
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.security.KeyStore;
-
-/**
- * Load trust store with Athenz CA certificates
- *
- * @author bjorncs
- */
-public class AthenzTrustStoreConfigurator implements SslTrustStoreConfigurator {
-
-    private final KeyStore trustStore;
-
-    @Inject
-    public AthenzTrustStoreConfigurator(AthenzConfig config) {
-        this.trustStore = createTrustStore(Paths.get(config.athenzCaTrustStore()));
-    }
-
-    private static KeyStore createTrustStore(Path trustStoreFile) {
-        return KeyStoreBuilder.withType(KeyStoreType.JKS)
-                .fromFile(trustStoreFile, "changeit".toCharArray())
-                .build();
-    }
-
-    @Override
-    public void configure(SslTrustStoreContext context) {
-        context.updateTrustStore(trustStore);
-    }
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
index 8799e781532..dd38bdd94f9 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslContextFactoryProvider.java
@@ -3,6 +3,7 @@ package com.yahoo.jdisc.http.ssl;
 
 import com.yahoo.config.InnerNode;
 import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore;
 import com.yahoo.security.KeyStoreBuilder;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.KeyUtils;
@@ -12,6 +13,7 @@ import org.eclipse.jetty.util.ssl.SslContextFactory;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.PrivateKey;
@@ -20,6 +22,7 @@ import java.util.Arrays;
 import java.util.List;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
+import java.util.logging.Logger;
 
 /**
  * JDisc's default implementation of {@link SslContextFactoryProvider} that uses the {@link ConnectorConfig} to construct a {@link SslContextFactory}.
@@ -28,16 +31,17 @@ import java.util.function.Function;
  */
 public class DefaultSslContextFactoryProvider implements SslContextFactoryProvider {
 
+    private static final Logger log = Logger.getLogger(DefaultSslContextFactoryProvider.class.getName());
+
     private final ConnectorConfig connectorConfig;
-    private final SslKeyStoreConfigurator sslKeyStoreConfigurator;
-    private final SslTrustStoreConfigurator sslTrustStoreConfigurator;
+    @SuppressWarnings("deprecation")
+    private final com.yahoo.jdisc.http.SecretStore secretStore;
 
     public DefaultSslContextFactoryProvider(ConnectorConfig connectorConfig,
-                                            SslKeyStoreConfigurator sslKeyStoreConfigurator,
-                                            SslTrustStoreConfigurator sslTrustStoreConfigurator) {
+                                            @SuppressWarnings("deprecation") com.yahoo.jdisc.http.SecretStore secretStore) {
+        validateConfig(connectorConfig.ssl());
         this.connectorConfig = connectorConfig;
-        this.sslKeyStoreConfigurator = sslKeyStoreConfigurator;
-        this.sslTrustStoreConfigurator = sslTrustStoreConfigurator;
+        this.secretStore = secretStore;
     }
 
     @Override
@@ -69,29 +73,100 @@ public class DefaultSslContextFactoryProvider implements SslContextFactoryProvid
                 factory.setTrustStore(createTruststore(sslConfig));
             }
             factory.setProtocol("TLS");
-        } else {
-            // TODO Remove SslKeyStoreConfigurator / SslTrustStoreConfigurator
-            sslKeyStoreConfigurator.configure(new DefaultSslKeyStoreContext(factory));
-            sslTrustStoreConfigurator.configure(new DefaultSslTrustStoreContext(factory));
-
-            // TODO Remove support for deprecated ssl connector config
-            if (!sslConfig.prng().isEmpty()) {
-                factory.setSecureRandomAlgorithm(sslConfig.prng());
+        } else { // TODO Vespa 7: Remove support for deprecated ssl connector config
+            configureUsingDeprecatedConnectorConfig(sslConfig, factory);
+        }
+        return factory;
+    }
+
+    private void configureUsingDeprecatedConnectorConfig(ConnectorConfig.Ssl sslConfig, SslContextFactory factory) {
+        switch (sslConfig.keyStoreType()) {
+            case JKS:
+                factory.setKeyStorePath(sslConfig.keyStorePath());
+                factory.setKeyStoreType("JKS");
+                factory.setKeyStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
+                break;
+            case PEM:
+                factory.setKeyStorePath(sslConfig.keyStorePath());
+                factory.setKeyStore(createPemKeyStore(sslConfig.pemKeyStore()));
+                break;
+        }
+
+        if (!sslConfig.trustStorePath().isEmpty()) {
+            factory.setTrustStorePath(sslConfig.trustStorePath());
+            factory.setTrustStoreType(sslConfig.trustStoreType().toString());
+            if (sslConfig.useTrustStorePassword()) {
+                factory.setTrustStorePassword(secretStore.getSecret(sslConfig.keyDbKey()));
             }
+        }
+
+        if (!sslConfig.prng().isEmpty()) {
+            factory.setSecureRandomAlgorithm(sslConfig.prng());
+        }
 
-            setStringArrayParameter(
-                    factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
-            setStringArrayParameter(
-                    factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
-            setStringArrayParameter(
-                    factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
-            setStringArrayParameter(
-                    factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
+        setStringArrayParameter(
+                factory, sslConfig.excludeProtocol(), ConnectorConfig.Ssl.ExcludeProtocol::name, SslContextFactory::setExcludeProtocols);
+        setStringArrayParameter(
+                factory, sslConfig.includeProtocol(), ConnectorConfig.Ssl.IncludeProtocol::name, SslContextFactory::setIncludeProtocols);
+        setStringArrayParameter(
+                factory, sslConfig.excludeCipherSuite(), ConnectorConfig.Ssl.ExcludeCipherSuite::name, SslContextFactory::setExcludeCipherSuites);
+        setStringArrayParameter(
+                factory, sslConfig.includeCipherSuite(), ConnectorConfig.Ssl.IncludeCipherSuite::name, SslContextFactory::setIncludeCipherSuites);
+
+        factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
+        factory.setProtocol(sslConfig.protocol());
+    }
 
-            factory.setKeyManagerFactoryAlgorithm(sslConfig.sslKeyManagerFactoryAlgorithm());
-            factory.setProtocol(sslConfig.protocol());
+    private static void validateConfig(ConnectorConfig.Ssl config) {
+        if (!config.enabled()) return;
+        switch (config.keyStoreType()) {
+            case JKS:
+                validateJksConfig(config);
+                break;
+            case PEM:
+                validatePemConfig(config);
+                break;
+        }
+        if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) {
+            throw new IllegalArgumentException("Missing password for JKS truststore");
+        }
+    }
+
+    private static void validateJksConfig(ConnectorConfig.Ssl ssl) {
+        if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) {
+            throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS.");
+        }
+        if (ssl.keyDbKey().isEmpty()) {
+            throw new IllegalArgumentException("Missing password for JKS keystore");
+        }
+    }
+
+    private static void validatePemConfig(ConnectorConfig.Ssl ssl) {
+        if (! ssl.keyStorePath().isEmpty()) {
+            throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM");
+        }
+        if (!ssl.keyDbKey().isEmpty()) {
+            // TODO Make an error once there are separate passwords for truststore and keystore
+            log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore");
+        }
+        if (ssl.pemKeyStore().certificatePath().isEmpty()) {
+            throw new IllegalArgumentException("Missing certificate path.");
+        }
+        if (ssl.pemKeyStore().keyPath().isEmpty()) {
+            throw new IllegalArgumentException("Missing key path.");
+        }
+    }
+
+    private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) {
+        try {
+            Path certificatePath = Paths.get(pemKeyStore.certificatePath());
+            Path keyPath = Paths.get(pemKeyStore.keyPath());
+            return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore();
+        } catch (IOException e) {
+            throw new UncheckedIOException(e);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e);
         }
-        return factory;
     }
 
     private static KeyStore createTruststore(ConnectorConfig.Ssl sslConfig) {
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java
deleted file mode 100644
index 1cf8997b465..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreConfigurator.java
+++ /dev/null
@@ -1,96 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.http.ConnectorConfig;
-import com.yahoo.jdisc.http.ssl.pem.PemSslKeyStore;
-
-import java.io.IOException;
-import java.io.UncheckedIOException;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.security.KeyStore;
-import java.util.logging.Logger;
-
-/**
- * @author bjorncs
- */
-public class DefaultSslKeyStoreConfigurator implements SslKeyStoreConfigurator {
-
-    private static final Logger log = Logger.getLogger(DefaultSslKeyStoreConfigurator.class.getName());
-
-    @SuppressWarnings("deprecation")
-    private final com.yahoo.jdisc.http.SecretStore secretStore;
-    private final ConnectorConfig.Ssl config;
-
-    @Inject
-    @SuppressWarnings("deprecation")
-    public DefaultSslKeyStoreConfigurator(ConnectorConfig config, com.yahoo.jdisc.http.SecretStore secretStore) {
-        validateConfig(config.ssl());
-        this.secretStore = secretStore;
-        this.config = config.ssl();
-    }
-
-    private static void validateConfig(ConnectorConfig.Ssl config) {
-        if (!config.enabled()) return;
-        switch (config.keyStoreType()) {
-            case JKS:
-                validateJksConfig(config);
-                break;
-            case PEM:
-                validatePemConfig(config);
-                break;
-        }
-    }
-
-    @Override
-    public void configure(SslKeyStoreContext context) {
-        if (!config.enabled()) return;
-        switch (config.keyStoreType()) {
-            case JKS:
-                context.updateKeyStore(config.keyStorePath(), "JKS", secretStore.getSecret(config.keyDbKey()));
-                break;
-            case PEM:
-                context.updateKeyStore(createPemKeyStore(config.pemKeyStore()));
-                break;
-        }
-    }
-
-    private static void validateJksConfig(ConnectorConfig.Ssl ssl) {
-        if (!ssl.pemKeyStore().keyPath().isEmpty() || ! ssl.pemKeyStore().certificatePath().isEmpty()) {
-            throw new IllegalArgumentException("pemKeyStore attributes can not be set when keyStoreType is JKS.");
-        }
-        if (ssl.keyDbKey().isEmpty()) {
-            throw new IllegalArgumentException("Missing password for JKS keystore");
-        }
-    }
-
-    private static void validatePemConfig(ConnectorConfig.Ssl ssl) {
-        if (! ssl.keyStorePath().isEmpty()) {
-            throw new IllegalArgumentException("keyStorePath can not be set when keyStoreType is PEM");
-        }
-        if (!ssl.keyDbKey().isEmpty()) {
-            // TODO Make an error once there are separate passwords for truststore and keystore
-            log.warning("Encrypted PEM key stores are not supported. Password is only applied to truststore");
-        }
-        if (ssl.pemKeyStore().certificatePath().isEmpty()) {
-            throw new IllegalArgumentException("Missing certificate path.");
-        }
-        if (ssl.pemKeyStore().keyPath().isEmpty()) {
-            throw new IllegalArgumentException("Missing key path.");
-        }
-    }
-
-    private static KeyStore createPemKeyStore(ConnectorConfig.Ssl.PemKeyStore pemKeyStore) {
-        try {
-            Path certificatePath = Paths.get(pemKeyStore.certificatePath());
-            Path keyPath = Paths.get(pemKeyStore.keyPath());
-            return new PemSslKeyStore(certificatePath, keyPath).loadJavaKeyStore();
-        } catch (IOException e) {
-            throw new UncheckedIOException(e);
-        } catch (Exception e) {
-            throw new RuntimeException("Failed setting up key store for " + pemKeyStore.keyPath() + ", " + pemKeyStore.certificatePath(), e);
-        }
-    }
-
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java
deleted file mode 100644
index 44a9c606576..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslKeyStoreContext.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-
-import java.security.KeyStore;
-import java.util.function.Consumer;
-
-/**
- * @author bjorncs
- */
-public class DefaultSslKeyStoreContext implements SslKeyStoreContext {
-
-    private final SslContextFactory sslContextFactory;
-
-    public DefaultSslKeyStoreContext(SslContextFactory sslContextFactory) {
-        this.sslContextFactory = sslContextFactory;
-    }
-
-    @Override
-    public void updateKeyStore(KeyStore keyStore) {
-        updateKeyStore(keyStore, null);
-    }
-
-    @Override
-    public void updateKeyStore(KeyStore keyStore, String password) {
-        updateKeyStore(sslContextFactory -> {
-            sslContextFactory.setKeyStore(keyStore);
-            if (password != null) {
-                sslContextFactory.setKeyStorePassword(password);
-            }
-        });
-    }
-
-    @Override
-    public void updateKeyStore(String keyStorePath, String keyStoreType, String keyStorePassword) {
-        updateKeyStore(sslContextFactory -> {
-            sslContextFactory.setKeyStorePath(keyStorePath);
-            sslContextFactory.setKeyStoreType(keyStoreType);
-            sslContextFactory.setKeyStorePassword(keyStorePassword);
-        });
-    }
-
-    private void updateKeyStore(Consumer<SslContextFactory> reloader) {
-        try {
-            sslContextFactory.reload(reloader);
-        } catch (Exception e) {
-            throw new RuntimeException("Could not update keystore: " + e.getMessage(), e);
-        }
-    }
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java
deleted file mode 100644
index 5a8c399e6ba..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreConfigurator.java
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import com.google.inject.Inject;
-import com.yahoo.jdisc.http.ConnectorConfig;
-
-/**
- * @author bjorncs
- */
-public class DefaultSslTrustStoreConfigurator implements SslTrustStoreConfigurator {
-
-    @SuppressWarnings("deprecation")
-    private final com.yahoo.jdisc.http.SecretStore secretStore;
-    private final ConnectorConfig.Ssl config;
-
-    @Inject
-    @SuppressWarnings("deprecation")
-    public DefaultSslTrustStoreConfigurator(ConnectorConfig config, com.yahoo.jdisc.http.SecretStore secretStore) {
-        validateConfig(config.ssl());
-        this.secretStore = secretStore;
-        this.config = config.ssl();
-    }
-
-    @Override
-    public void configure(SslTrustStoreContext context) {
-        if (!config.enabled()) return;
-        String keyDbPassword = config.keyDbKey();
-        if (!config.trustStorePath().isEmpty()) {
-            String password = config.useTrustStorePassword() ? secretStore.getSecret(keyDbPassword) : null;
-            context.updateTrustStore(config.trustStorePath(), config.trustStoreType().toString(), password);
-        }
-    }
-
-    private static void validateConfig(ConnectorConfig.Ssl config) {
-        if (!config.enabled()) return;
-        if (!config.trustStorePath().isEmpty() && config.useTrustStorePassword() && config.keyDbKey().isEmpty()) {
-            throw new IllegalArgumentException("Missing password for JKS truststore");
-        }
-    }
-
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java
deleted file mode 100644
index c2d91cca3ea..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/DefaultSslTrustStoreContext.java
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import org.eclipse.jetty.util.ssl.SslContextFactory;
-
-import java.security.KeyStore;
-import java.util.function.Consumer;
-
-/**
- * @author bjorncs
- */
-public class DefaultSslTrustStoreContext implements SslTrustStoreContext {
-
-    private final SslContextFactory sslContextFactory;
-
-    public DefaultSslTrustStoreContext(SslContextFactory sslContextFactory) {
-        this.sslContextFactory = sslContextFactory;
-    }
-
-    @Override
-    public void updateTrustStore(KeyStore trustStore) {
-        updateTrustStore(trustStore, null);
-    }
-
-    @Override
-    public void updateTrustStore(KeyStore trustStore, String password) {
-        updateTrustStore(sslContextFactory -> {
-            sslContextFactory.setTrustStore(trustStore);
-            if (password != null) {
-                sslContextFactory.setTrustStorePassword(password);
-            }
-        });
-    }
-
-    @Override
-    public void updateTrustStore(String trustStorePath, String trustStoreType, String trustStorePassword) {
-        updateTrustStore(sslContextFactory -> {
-            sslContextFactory.setTrustStorePath(trustStorePath);
-            sslContextFactory.setTrustStoreType(trustStoreType);
-            if (trustStorePassword != null) {
-                sslContextFactory.setTrustStorePassword(trustStorePassword);
-            }
-        });
-    }
-
-    private void updateTrustStore(Consumer<SslContextFactory> reloader) {
-        try {
-            sslContextFactory.reload(reloader);
-        } catch (Exception e) {
-            throw new RuntimeException("Could not update truststore: " + e.getMessage(), e);
-        }
-    }
-
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java
deleted file mode 100644
index 619f4a636ed..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreConfigurator.java
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-/**
- * An interface for an component that can configure an {@link SslKeyStoreContext}. The implementor can assume that
- * the {@link SslKeyStoreContext} instance is thread-safe and be updated at any time
- * during and after the call to{@link #configure(SslKeyStoreContext)}.
- * Modifying the {@link SslKeyStoreContext} instance will trigger a hot reload of the keystore in JDisc.
- *
- * @author bjorncs
- */
-public interface SslKeyStoreConfigurator {
-    void configure(SslKeyStoreContext context);
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java
deleted file mode 100644
index 2a25f6d78b5..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslKeyStoreContext.java
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import java.security.KeyStore;
-
-/**
- * An interface to update the keystore in JDisc. Any update will trigger a hot reload and new connections will
- * immediately see the new certificate chain.
- *
- * @author bjorncs
- */
-public interface SslKeyStoreContext {
-    void updateKeyStore(KeyStore keyStore);
-    void updateKeyStore(KeyStore keyStore, String password);
-    void updateKeyStore(String keyStorePath, String keyStoreType, String keyStorePassword);
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java
deleted file mode 100644
index de1119a5275..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreConfigurator.java
+++ /dev/null
@@ -1,14 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-/**
- * An interface for an component that can configure an {@link SslTrustStoreContext}. The implementor can assume that
- * the {@link SslTrustStoreContext} instance is thread-safe and be updated at any time
- * during and after the call to{@link #configure(SslTrustStoreContext)}.
- * Modifying the {@link SslKeyStoreContext} instance will trigger a hot reload of the truststore in JDisc.
- *
- * @author bjorncs
- */
-public interface SslTrustStoreConfigurator {
-    void configure(SslTrustStoreContext context);
-}
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java
deleted file mode 100644
index fc8cf397b24..00000000000
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/SslTrustStoreContext.java
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.jdisc.http.ssl;
-
-import java.security.KeyStore;
-
-/**
- * An interface to update the truststore in JDisc. Any update will trigger a hot reload and new connections will
- * authenticated using the update truststore.
- *
- * @author bjorncs
- */
-public interface SslTrustStoreContext {
-    void updateTrustStore(KeyStore trustStore);
-    void updateTrustStore(KeyStore trustStore, String password);
-    void updateTrustStore(String trustStorePath, String trustStoreType, String trustStorePassword);
-}
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
index 5e586f5e59e..cb7d30af952 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/guiceModules/ConnectorFactoryRegistryModule.java
@@ -12,8 +12,6 @@ import com.yahoo.jdisc.http.ConnectorConfig.Builder;
 import com.yahoo.jdisc.http.server.jetty.ConnectorFactory;
 import com.yahoo.jdisc.http.server.jetty.TestDrivers;
 import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider;
-import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
 
 /**
  * Guice module for test ConnectorFactories
@@ -49,11 +47,7 @@ public class ConnectorFactoryRegistryModule implements Module {
     private static class StaticKeyDbConnectorFactory extends ConnectorFactory {
 
         public StaticKeyDbConnectorFactory(ConnectorConfig connectorConfig) {
-            super(connectorConfig,
-                  new DefaultSslContextFactoryProvider(
-                          connectorConfig,
-                          new DefaultSslKeyStoreConfigurator(connectorConfig, new MockSecretStore()),
-                          new DefaultSslTrustStoreConfigurator(connectorConfig, new MockSecretStore())));
+            super(connectorConfig, new DefaultSslContextFactoryProvider(connectorConfig, new MockSecretStore()));
         }
 
     }
diff --git a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
index d504e8be288..b328e151f51 100644
--- a/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
+++ b/jdisc_http_service/src/test/java/com/yahoo/jdisc/http/server/jetty/ConnectorFactoryTest.java
@@ -4,8 +4,6 @@ package com.yahoo.jdisc.http.server.jetty;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.jdisc.http.ConnectorConfig;
 import com.yahoo.jdisc.http.ssl.DefaultSslContextFactoryProvider;
-import com.yahoo.jdisc.http.ssl.DefaultSslKeyStoreConfigurator;
-import com.yahoo.jdisc.http.ssl.DefaultSslTrustStoreConfigurator;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.handler.AbstractHandler;
@@ -107,12 +105,7 @@ public class ConnectorFactoryTest {
     }
 
     private static ConnectorFactory createConnectorFactory(ConnectorConfig config) {
-        ThrowingSecretStore secretStore = new ThrowingSecretStore();
-        return new ConnectorFactory(config,
-                                    new DefaultSslContextFactoryProvider(
-                                            config,
-                                            new DefaultSslKeyStoreConfigurator(config, secretStore),
-                                            new DefaultSslTrustStoreConfigurator(config, secretStore)));
+        return new ConnectorFactory(config, new DefaultSslContextFactoryProvider(config, new ThrowingSecretStore()));
     }
 
     private static class HelloWorldHandler extends AbstractHandler {
author	Bjørn Christian Seime <bjorn.christian@seime.no>	2018-09-12 12:15:25 +0200
committer	GitHub <noreply@github.com>	2018-09-12 12:15:25 +0200
commit	c65822c82b71dfbcd49fc403d3a503914e044de3 (patch)
tree	d5693fd58bca2367ae053293e6e05717c209945d
parent	9f404a93ef9a986c1ef8afb2f05630d97f3dccf5 (diff)
parent	3ac0420f32e9841bd53705603ab7f9a67a8c8700 (diff)