Add provider for SSLContext configured with Athenz certs

The provided SSLContext is configured with a keystore containing the Athenz service certificate and a trust store containing the Athenz CA certificates.
author: Bjørn Christian Seime <bjorncs@oath.com> 2017-12-11 14:17:03 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2017-12-12 12:42:09 +0100
commit: 10a0ec68ff2977bcd0a8cfe87fd5a46bac9f1c93 (patch)
tree: 31e0c8cf23bc51230c6b4100c43eab324a7eaaef /controller-server
parent: 7e35c730c7b63ad5e2a4d5d82f0da7687a441e71 (diff)
2 files changed, 89 insertions, 0 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
new file mode 100644
index 00000000000..ab653f48388
--- /dev/null
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzSslContextProviderImpl.java
@@ -0,0 +1,86 @@
+// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.hosted.controller.athenz.impl;
+
+import com.google.inject.Inject;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzIdentityCertificate;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzSslContextProvider;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
+import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+
+/**
+ * @author bjorncs
+ */
+public class AthenzSslContextProviderImpl implements AthenzSslContextProvider {
+
+    private final AthenzClientFactory clientFactory;
+    private final AthenzConfig config;
+
+    @Inject
+    public AthenzSslContextProviderImpl(AthenzClientFactory clientFactory, AthenzConfig config) {
+        this.clientFactory = clientFactory;
+        this.config = config;
+    }
+
+    @Override
+    public SSLContext get() {
+        return createSslContext();
+    }
+
+    private SSLContext createSslContext() {
+        try {
+            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            sslContext.init(createKeyManagersWithServiceCertificate(clientFactory.createZtsClientWithServicePrincipal()),
+                            createTrustManagersWithAthenzCa(config),
+                            null);
+            return sslContext;
+        } catch (NoSuchAlgorithmException | KeyManagementException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static KeyManager[] createKeyManagersWithServiceCertificate(ZtsClient ztsClient) {
+        try {
+            AthenzIdentityCertificate identityCertificate = ztsClient.getIdentityCertificate();
+            KeyStore keyStore = KeyStore.getInstance("JKS");
+            keyStore.setKeyEntry("athenz-controller-key",
+                                 identityCertificate.getPrivateKey(),
+                                 new char[0],
+                                 new Certificate[]{identityCertificate.getCertificate()});
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
+            keyManagerFactory.init(keyStore, new char[0]);
+            return keyManagerFactory.getKeyManagers();
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static TrustManager[] createTrustManagersWithAthenzCa(AthenzConfig config) {
+        try {
+            KeyStore trustStore = KeyStore.getInstance("JKS");
+            try (FileInputStream in = new FileInputStream(config.athenzCaTrustStore())) {
+                trustStore.load(in, "changeit".toCharArray());
+            }
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
+            trustManagerFactory.init(trustStore);
+            return trustManagerFactory.getTrustManagers();
+        } catch (CertificateException | IOException | KeyStoreException | NoSuchAlgorithmException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}
diff --git a/controller-server/src/main/resources/configdefinitions/athenz.def b/controller-server/src/main/resources/configdefinitions/athenz.def
index 1d95ebd7860..068b1d353ba 100644
--- a/controller-server/src/main/resources/configdefinitions/athenz.def
+++ b/controller-server/src/main/resources/configdefinitions/athenz.def
@@ -17,6 +17,9 @@ domain                          string
 userAuthenticationPassThruAttribute  string
 # TODO Remove once migrated to Okta
 
+# Path to Athenz CA JKS trust store
+athenzCaTrustStore              string
+
 # Certificate DNS domain
 certDnsDomain                   string
author	Bjørn Christian Seime <bjorncs@oath.com>	2017-12-11 14:17:03 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2017-12-12 12:42:09 +0100
commit	10a0ec68ff2977bcd0a8cfe87fd5a46bac9f1c93 (patch)
tree	31e0c8cf23bc51230c6b4100c43eab324a7eaaef /controller-server
parent	7e35c730c7b63ad5e2a4d5d82f0da7687a441e71 (diff)