authorMorten Tokle <mortent@yahooinc.com>2023-06-07 11:29:07 +0200
committerMorten Tokle <mortent@yahooinc.com>2023-06-07 11:29:07 +0200
commite8e31b8f7ff1a77a47a8e9cf1bb884123ca2469a (patch)
tree55ae69cceca99e955f455348dd18c46f97d8b4fb /config-model/src/main/java/com/yahoo/vespa/model
parent17680e5bd51252b282e011e4f9929653f78be016 (diff)
Generate proxy certificate and inject in trust store
Diffstat (limited to 'config-model/src/main/java/com/yahoo/vespa/model')
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java (renamed from config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java)14
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java21
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java12
3 files changed, 31 insertions, 16 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java
index adc1458ce85..5fa893e9599 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/ConfiguredDirectSslProvider.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/CloudSslProvider.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.model.container.http.ssl;
import com.yahoo.jdisc.http.ConnectorConfig;
+import com.yahoo.jdisc.http.ssl.impl.CloudSslContextProvider;
import com.yahoo.jdisc.http.ssl.impl.ConfiguredSslContextFactoryProvider;
import java.util.Optional;
@@ -14,9 +15,10 @@ import static com.yahoo.jdisc.http.ConnectorConfig.Ssl.ClientAuth;
* @author mortent
* @author andreer
*/
-public class ConfiguredDirectSslProvider extends SslProvider {
+public class CloudSslProvider extends SslProvider {
public static final String COMPONENT_ID_PREFIX = "configured-ssl-provider@";
- public static final String COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
+ public static final String MTLSONLY_COMPONENT_CLASS = ConfiguredSslContextFactoryProvider.class.getName();
+ public static final String TOKEN_COMPONENT_CLASS = CloudSslContextProvider.class.getName();
private final String privateKey;
private final String certificate;
@@ -24,8 +26,8 @@ public class ConfiguredDirectSslProvider extends SslProvider {
private final String caCertificate;
private final ClientAuth.Enum clientAuthentication;
- public ConfiguredDirectSslProvider(String servername, String privateKey, String certificate, String caCertificatePath, String caCertificate, ClientAuth.Enum clientAuthentication) {
- super(COMPONENT_ID_PREFIX, servername, COMPONENT_CLASS, null);
+ public CloudSslProvider(String servername, String privateKey, String certificate, String caCertificatePath, String caCertificate, ClientAuth.Enum clientAuthentication, boolean enableTokenSupport) {
+ super(COMPONENT_ID_PREFIX, servername, componentClass(enableTokenSupport), null);
this.privateKey = privateKey;
this.certificate = certificate;
this.caCertificatePath = caCertificatePath;
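Review bot: The new `enableTokenSupport` constructor parameter is undocumented even though it decides, via `componentClass(enableTokenSupport)` on the `super(...)` call, which SSL context provider component the container is wired with, and therefore how peer certificates end up being trusted. A Javadoc line on the constructor such as `@param enableTokenSupport when true the token-capable {@code CloudSslContextProvider} is configured instead of the mTLS-only {@code ConfiguredSslContextFactoryProvider}` would make that choice visible to callers. The class Javadoc in the previous hunk (only its author tags are visible) presumably still describes a single-provider class and should mention both modes. The constructor body continues past the end of this hunk.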
@@ -33,6 +35,10 @@ public class ConfiguredDirectSslProvider extends SslProvider {
this.clientAuthentication = clientAuthentication;
}
+ private static String componentClass(boolean enableTokenSupport) {
+ return enableTokenSupport ? TOKEN_COMPONENT_CLASS : MTLSONLY_COMPONENT_CLASS;
+ }
+
@Override
public void amendConnectorConfig(ConnectorConfig.Builder builder) {
builder.ssl.enabled(true);
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
index 72d2927f910..5bf348e5bb5 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.java
@@ -33,9 +33,9 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
public static HostedSslConnectorFactory withProvidedCertificate(
String serverName, EndpointCertificateSecrets endpointCertificateSecrets, boolean enforceHandshakeClientAuth,
Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
- Duration endpointConnectionTtl) {
- ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
- serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth);
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, /*tlsCaCertificates*/null, enforceHandshakeClientAuth, enableTokenSupport);
return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride,
enableProxyProtocolMixedMode, port, endpointConnectionTtl);
}
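Review bot: `withProvidedCertificate` now takes `enableTokenSupport` as a trailing boolean after `enforceHandshakeClientAuth` and `enableProxyProtocolMixedMode`, and nothing documents what the flag changes; the same applies to `withProvidedCertificateAndTruststore` in the next hunk. Three positional booleans in one public signature are easy to transpose at a call site, and a swap here would silently change which SSL context provider is configured rather than fail to compile. At minimum add `@param enableTokenSupport selects the token-capable SSL context provider instead of the mTLS-only one` to both factory methods; if the signature keeps growing, an options record or builder would remove the positional-boolean risk altogether. Both factories start before the hunk (their Javadoc, if any, is not visible here).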
@@ -46,9 +46,9 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(
String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificates,
Collection<String> tlsCiphersOverride, boolean enableProxyProtocolMixedMode, int port,
- Duration endpointConnectionTtl) {
- ConfiguredDirectSslProvider sslProvider = createConfiguredDirectSslProvider(
- serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false);
+ Duration endpointConnectionTtl, boolean enableTokenSupport) {
+ CloudSslProvider sslProvider = createConfiguredDirectSslProvider(
+ serverName, endpointCertificateSecrets, /*tlsCaCertificatesPath*/null, tlsCaCertificates, false, enableTokenSupport);
return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride, enableProxyProtocolMixedMode,
port, endpointConnectionTtl);
}
@@ -74,16 +74,17 @@ public class HostedSslConnectorFactory extends ConnectorFactory {
this.endpointConnectionTtl = endpointConnectionTtl;
}
- private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(
- String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth) {
+ private static CloudSslProvider createConfiguredDirectSslProvider(
+ String serverName, EndpointCertificateSecrets endpointCertificateSecrets, String tlsCaCertificatesPath, String tlsCaCertificates, boolean enforceHandshakeClientAuth, boolean enableTokenSupport) {
var clientAuthentication = enforceHandshakeClientAuth ? ClientAuth.Enum.NEED_AUTH : ClientAuth.Enum.WANT_AUTH;
- return new ConfiguredDirectSslProvider(
+ return new CloudSslProvider(
serverName,
endpointCertificateSecrets.key(),
endpointCertificateSecrets.certificate(),
tlsCaCertificatesPath,
tlsCaCertificates,
- clientAuthentication);
+ clientAuthentication,
+ enableTokenSupport);
}
@Override
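Review bot: `createConfiguredDirectSslProvider` now constructs and returns a `CloudSslProvider`, so the helper is named after a class that no longer exists; renaming it to `createCloudSslProvider` at its declaration here and at its two call sites in the earlier hunks keeps the names aligned. Within this helper `clientAuthentication` is still derived only from `enforceHandshakeClientAuth`, so `enableTokenSupport` is passed through without touching the client-auth mode, which is worth stating so a reader does not assume token support relaxes handshake client authentication, e.g. `// enableTokenSupport only selects the SslContext provider; the ClientAuth mode is derived solely from enforceHandshakeClientAuth`. Whether the token-capable provider itself treats that mode differently is not visible in this diff.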
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index c8bd661a00b..3305e596a87 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -39,6 +39,7 @@ import com.yahoo.container.bundle.BundleInstantiationSpecification;
import com.yahoo.container.logging.AccessLog;
import com.yahoo.container.logging.FileConnectionLog;
import com.yahoo.io.IOUtils;
+import com.yahoo.jdisc.http.server.jetty.DataplaneProxyCredentials;
import com.yahoo.jdisc.http.server.jetty.VoidRequestLog;
import com.yahoo.osgi.provider.model.ComponentModel;
import com.yahoo.path.Path;
@@ -606,13 +607,20 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
.map(clientAuth -> clientAuth == AccessControl.ClientAuthentication.need)
.orElse(false);
+ // TODO (mortent): Implement token support in model
+ boolean enableTokenSupport = false;
+
+ // Set up component to generate proxy cert if token support is enabled
+ if (enableTokenSupport) {
+ cluster.addSimpleComponent(DataplaneProxyCredentials.class);
+ }
connectorFactory = authorizeClient
? HostedSslConnectorFactory.withProvidedCertificateAndTruststore(
serverName, endpointCertificateSecrets, X509CertificateUtils.toPem(clientCertificates),
- tlsCiphersOverride, proxyProtocolMixedMode, port, endpointConnectionTtl)
+ tlsCiphersOverride, proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport)
: HostedSslConnectorFactory.withProvidedCertificate(
serverName, endpointCertificateSecrets, enforceHandshakeClientAuth, tlsCiphersOverride,
- proxyProtocolMixedMode, port, endpointConnectionTtl);
+ proxyProtocolMixedMode, port, endpointConnectionTtl, enableTokenSupport);
} else {
connectorFactory = HostedSslConnectorFactory.withDefaultCertificateAndTruststore(
serverName, tlsCiphersOverride, proxyProtocolMixedMode, port,
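Review bot: `enableTokenSupport` is a hard-coded `false` local at the top of the hunk, so the `if` block that registers `DataplaneProxyCredentials` is unreachable and both `HostedSslConnectorFactory` calls below always select the mTLS-only provider; the TODO acknowledges this, but a dead branch that will later change the container's trust configuration deserves a clearer marker than a bare literal. If the intent is to land the plumbing first, a comment next to the literal such as `// Not yet wired to configuration: the proxy-credentials component and the token-capable SSL provider are never selected until this literal is replaced by a real setting` tells the next reader exactly what is and is not in effect. When it is wired up, the value should presumably come from the application's deployment configuration rather than a code constant, so that enabling token support is an explicit, reviewable change per application. The enclosing method starts and ends outside this hunk.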