authorValerij Fredriksen <freva@users.noreply.github.com>2019-07-05 11:56:02 +0200
committerGitHub <noreply@github.com>2019-07-05 11:56:02 +0200
commitb9ad2dff907329cb8683d68517e3f8d063305b77 (patch)
tree5866108d046729f1aadfccdc0d3f9ff76d8f9898
parent99c794f11d90b9d928be05196d244c500298a495 (diff)
parent1d3e059ec8303bb2a7fb2f5d52e8552c4a6a4da2 (diff)
Merge pull request #9970 from vespa-engine/bjorncs/reapply-new-cfgserver-tls-setup
Bjorncs/reapply new cfgserver tls setup
-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java84
1 files changed, 34 insertions, 50 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
index 0eeeae457b6..a117d283146 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.java
@@ -2,13 +2,16 @@
package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
import com.google.inject.Inject;
-import com.yahoo.component.AbstractComponent;
-import com.yahoo.config.provision.Zone;
-import com.yahoo.jdisc.http.ssl.SslContextFactoryProvider;
+import com.yahoo.jdisc.http.ssl.impl.TlsContextBasedProvider;
import com.yahoo.log.LogLevel;
import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SslContextBuilder;
+import com.yahoo.security.tls.DefaultTlsContext;
+import com.yahoo.security.tls.MutableX509KeyManager;
+import com.yahoo.security.tls.PeerAuthentication;
+import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.Identity;
@@ -17,12 +20,11 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
-import org.eclipse.jetty.util.ssl.SslContextFactory;
+import javax.net.ssl.SSLContext;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
-import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
@@ -42,14 +44,15 @@ import java.util.logging.Logger;
*
* @author bjorncs
*/
-public class ConfigserverSslContextFactoryProvider extends AbstractComponent implements SslContextFactoryProvider {
+public class ConfigserverSslContextFactoryProvider extends TlsContextBasedProvider {
private static final String CERTIFICATE_ALIAS = "athenz";
private static final Duration EXPIRATION_MARGIN = Duration.ofHours(6);
private static final Path VESPA_SIA_DIRECTORY = Paths.get(Defaults.getDefaults().underVespaHome("var/vespa/sia"));
private static final Logger log = Logger.getLogger(ConfigserverSslContextFactoryProvider.class.getName());
- private final SslContextFactory sslContextFactory;
+ private final TlsContext tlsContext;
+ private final MutableX509KeyManager keyManager = new MutableX509KeyManager();
private final ScheduledExecutorService scheduler =
Executors.newSingleThreadScheduledExecutor(runnable -> new Thread(runnable, "configserver-ssl-context-factory-provider"));
private final ZtsClient ztsClient;
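Review bot: The new `keyManager` field is handed both to the TLS context built in the constructor and to the `KeystoreUpdater` task that runs on `scheduler`, so it is the one object written from the updater thread while handshake threads read it, and nothing on the field says so. Assuming `MutableX509KeyManager` swaps its delegate atomically (the name suggests it; the class is not visible here), I would state that reliance on the field: `// Shared between the TLS context and the scheduled KeystoreUpdater; swapped in place so the SSLContext is never rebuilt — relies on MutableX509KeyManager being safe for concurrent readers`. The class body continues past this hunk.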
@@ -60,8 +63,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
@Inject
public ConfigserverSslContextFactoryProvider(ServiceIdentityProvider bootstrapIdentity,
KeyProvider keyProvider,
- AthenzProviderServiceConfig config,
- Zone zone) {
+ AthenzProviderServiceConfig config) {
this.athenzProviderServiceConfig = config;
this.ztsClient = new DefaultZtsClient(URI.create(athenzProviderServiceConfig.ztsUrl()), bootstrapIdentity);
this.keyProvider = keyProvider;
@@ -69,25 +71,20 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
Duration updatePeriod = Duration.ofDays(config.updatePeriodDays());
Path trustStoreFile = Paths.get(config.athenzCaTrustStore());
- this.sslContextFactory = initializeSslContextFactory(keyProvider, trustStoreFile, updatePeriod, configserverIdentity, ztsClient, athenzProviderServiceConfig);
- scheduler.scheduleAtFixedRate(new KeystoreUpdater(sslContextFactory),
+ this.tlsContext = createTlsContext(keyProvider, keyManager, trustStoreFile, updatePeriod, configserverIdentity, ztsClient, athenzProviderServiceConfig);
+ scheduler.scheduleAtFixedRate(new KeystoreUpdater(keyManager),
updatePeriod.toDays()/*initial delay*/,
updatePeriod.toDays(),
TimeUnit.DAYS);
}
@Override
- public SslContextFactory getInstance(String containerId, int port) {
- return sslContextFactory;
+ protected TlsContext getTlsContext(String containerId, int port) {
+ return tlsContext;
}
Instant getCertificateNotAfter() {
- try {
- X509Certificate certificate = (X509Certificate) sslContextFactory.getKeyStore().getCertificate(CERTIFICATE_ALIAS);
- return certificate.getNotAfter().toInstant();
- } catch (GeneralSecurityException e) {
- throw new IllegalStateException("Unable to find configserver certificate from keystore: " + e.getMessage(), e);
- }
+ return keyManager.currentManager().getCertificateChain(CERTIFICATE_ALIAS)[0].getNotAfter().toInstant();
}
@Override
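Review bot: `getCertificateNotAfter()` now dereferences the result of `getCertificateChain(CERTIFICATE_ALIAS)` without a check, but `X509KeyManager.getCertificateChain` returns null for an unknown alias, so a missing entry surfaces as a NullPointerException (or an ArrayIndexOutOfBoundsException on an empty chain) instead of the descriptive IllegalStateException the removed code threw. I would keep the explicit failure: `X509Certificate[] chain = keyManager.currentManager().getCertificateChain(CERTIFICATE_ALIAS);` / `if (chain == null || chain.length == 0) throw new IllegalStateException("No certificate chain for alias '" + CERTIFICATE_ALIAS + "' in key manager");` / `return chain[0].getNotAfter().toInstant();`. Whether `currentManager()` itself can be null before the first `updateKeystore` is not visible here; the constructor populates the key manager before building the context, so that ordering should be preserved.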
@@ -96,38 +93,28 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
scheduler.shutdownNow();
scheduler.awaitTermination(30, TimeUnit.SECONDS);
ztsClient.close();
+ super.deconstruct();
} catch (InterruptedException e) {
throw new RuntimeException("Failed to shutdown Athenz certificate updater on time", e);
}
}
- private static SslContextFactory initializeSslContextFactory(KeyProvider keyProvider,
- Path trustStoreFile,
- Duration updatePeriod,
- AthenzService configserverIdentity,
- ZtsClient ztsClient,
- AthenzProviderServiceConfig zoneConfig) {
-
- // TODO Use DefaultTlsContext to configure SslContextFactory (ensure that cipher/protocol configuration is same across all TLS endpoints)
-
- SslContextFactory.Server factory = new SslContextFactory.Server();
-
- factory.setWantClientAuth(true);
-
- KeyStore trustStore =
- KeyStoreBuilder.withType(KeyStoreType.JKS)
- .fromFile(trustStoreFile)
- .build();
- factory.setTrustStore(trustStore);
-
+ private static TlsContext createTlsContext(KeyProvider keyProvider,
+ MutableX509KeyManager keyManager,
+ Path trustStoreFile,
+ Duration updatePeriod,
+ AthenzService configserverIdentity,
+ ZtsClient ztsClient,
+ AthenzProviderServiceConfig zoneConfig) {
KeyStore keyStore =
tryReadKeystoreFile(configserverIdentity, updatePeriod)
.orElseGet(() -> updateKeystore(configserverIdentity, generateKeystorePassword(), keyProvider, ztsClient, zoneConfig));
- factory.setKeyStore(keyStore);
- factory.setKeyStorePassword("");
- factory.setExcludeProtocols("TLSv1.3"); // TLSv1.3 is broken is multiple OpenJDK 11 versions
- factory.setEndpointIdentificationAlgorithm(null); // disable https hostname verification of clients (must be disabled when using Athenz x509 certificates)
- return factory;
+ keyManager.updateKeystore(keyStore, new char[0]);
+ SSLContext sslContext = new SslContextBuilder()
+ .withTrustStore(trustStoreFile, KeyStoreType.JKS)
+ .withKeyManager(keyManager)
+ .build();
+ return new DefaultTlsContext(sslContext, PeerAuthentication.WANT);
}
private static Optional<KeyStore> tryReadKeystoreFile(AthenzService configserverIdentity, Duration updatePeriod) {
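Review bot: The added `super.deconstruct()` sits inside the try block after `scheduler.awaitTermination(...)`, so when awaitTermination throws InterruptedException both the new line and `ztsClient.close()` are skipped and the base provider is never deconstructed; moving it to `} finally { super.deconstruct(); }` keeps teardown unconditional (the method's signature is above this hunk). Separately, in `createTlsContext` the fallback path builds the keystore with `generateKeystorePassword()` but the result is handed to `keyManager.updateKeystore(keyStore, new char[0])`, whereas `KeystoreUpdater.run` passes the generated password through; if `updateKeystore` protects the key entry with that password (not visible here) the initial key manager cannot unlock the private key — the same mismatch existed with `setKeyStorePassword("")`, but it is worth confirming, or capturing the password in a local and passing it to both calls. Finally, the explicit `setExcludeProtocols("TLSv1.3")` and `setEndpointIdentificationAlgorithm(null)` are gone and now depend on `DefaultTlsContext`/`TlsContextBasedProvider`; a comment on the `new DefaultTlsContext(sslContext, PeerAuthentication.WANT)` line such as `// Protocol/cipher policy and the disabled client hostname verification now come from DefaultTlsContext` would tell the next reader where those settings moved.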
@@ -171,10 +158,10 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
}
private class KeystoreUpdater implements Runnable {
- final SslContextFactory sslContextFactory;
+ final MutableX509KeyManager keyManager;
- KeystoreUpdater(SslContextFactory sslContextFactory) {
- this.sslContextFactory = sslContextFactory;
+ KeystoreUpdater(MutableX509KeyManager keyManager) {
+ this.keyManager = keyManager;
}
@Override
@@ -183,10 +170,7 @@ public class ConfigserverSslContextFactoryProvider extends AbstractComponent imp
log.log(LogLevel.INFO, "Updating configserver provider certificate from ZTS");
char[] keystorePwd = generateKeystorePassword();
KeyStore keyStore = updateKeystore(configserverIdentity, keystorePwd, keyProvider, ztsClient, athenzProviderServiceConfig);
- sslContextFactory.reload(scf -> {
- scf.setKeyStore(keyStore);
- scf.setKeyStorePassword(new String(keystorePwd));
- });
+ keyManager.updateKeystore(keyStore, keystorePwd);
log.log(LogLevel.INFO, "Certificate successfully updated");
} catch (Throwable t) {
log.log(LogLevel.ERROR, "Failed to update certificate from ZTS: " + t.getMessage(), t);