enable passing certificate directly in config

author: andreer <andreer@verizonmedia.com> 2019-06-14 16:32:46 +0200
committer: andreer <andreer@verizonmedia.com> 2019-06-19 12:45:27 +0200
commit: f20a195545545fe954479c99c3fda56a20bbe5e0 (patch)
tree: 1eaa6a7c068abcad5b02bfb88cab5411dca9abdf /jdisc_http_service
parent: f1f58f0d0661da7542ef8cc793ddc5deb8d0cbd6 (diff)
3 files changed, 38 insertions, 10 deletions
diff --git a/jdisc_http_service/abi-spec.json b/jdisc_http_service/abi-spec.json
index 04e6d22a445..a326b5792be 100644
--- a/jdisc_http_service/abi-spec.json
+++ b/jdisc_http_service/abi-spec.json
@@ -78,7 +78,9 @@
       "public void <init>(com.yahoo.jdisc.http.ConnectorConfig$Ssl)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder enabled(boolean)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder privateKeyFile(java.lang.String)",
+      "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder privateKey(java.lang.String)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder certificateFile(java.lang.String)",
+      "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder certificate(java.lang.String)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder caCertificateFile(java.lang.String)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder clientAuth(com.yahoo.jdisc.http.ConnectorConfig$Ssl$ClientAuth$Enum)",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl build()"
@@ -131,7 +133,9 @@
       "public void <init>(com.yahoo.jdisc.http.ConnectorConfig$Ssl$Builder)",
       "public boolean enabled()",
       "public java.lang.String privateKeyFile()",
+      "public java.lang.String privateKey()",
       "public java.lang.String certificateFile()",
+      "public java.lang.String certificate()",
       "public java.lang.String caCertificateFile()",
       "public com.yahoo.jdisc.http.ConnectorConfig$Ssl$ClientAuth$Enum clientAuth()"
     ],
diff --git a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
index facb54bc37a..2021105fc52 100644
--- a/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
+++ b/jdisc_http_service/src/main/java/com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.java
@@ -60,15 +60,23 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
 
     private static void validateConfig(ConnectorConfig.Ssl config) {
         if (!config.enabled()) return;
-        if (config.certificateFile().isEmpty()) {
-            throw new IllegalArgumentException("Missing certificate file.");
-        }
-        if (config.privateKeyFile().isEmpty()) {
-            throw new IllegalArgumentException("Missing private key file.");
-        }
 
+        if(hasBoth(config.certificate(), config.certificateFile()))
+            throw new IllegalArgumentException("Specified both certificate and certificate file.");
+
+        if(hasBoth(config.privateKey(), config.privateKeyFile()))
+            throw new IllegalArgumentException("Specified both private key and private key file.");
+
+        if(hasNeither(config.certificate(), config.certificateFile()))
+            throw new IllegalArgumentException("Specified neither certificate or certificate file.");
+
+        if(hasNeither(config.privateKey(), config.privateKeyFile()))
+            throw new IllegalArgumentException("Specified neither private key or private key file.");
     }
 
+    private static boolean hasBoth(String a, String b) { return !a.isBlank() && !b.isBlank(); }
+    private static boolean hasNeither(String a, String b) { return a.isBlank() && b.isBlank(); }
+
     private static KeyStore createTruststore(ConnectorConfig.Ssl sslConfig) {
         List<X509Certificate> caCertificates = X509CertificateUtils.certificateListFromPem(readToString(sslConfig.caCertificateFile()));
         return KeyStoreBuilder.withType(KeyStoreType.JKS)
@@ -77,11 +85,21 @@ public class ConfiguredSslContextFactoryProvider implements SslContextFactoryPro
     }
 
     private static KeyStore createKeystore(ConnectorConfig.Ssl sslConfig) {
-        PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(readToString(sslConfig.privateKeyFile()));
-        List<X509Certificate> certificates = X509CertificateUtils.certificateListFromPem(readToString(sslConfig.certificateFile()));
+        PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(getPrivateKey(sslConfig));
+        List<X509Certificate> certificates = X509CertificateUtils.certificateListFromPem(getCertificate(sslConfig));
         return KeyStoreBuilder.withType(KeyStoreType.JKS).withKeyEntry("default", privateKey, certificates).build();
     }
 
+    private static String getPrivateKey(ConnectorConfig.Ssl config) {
+        if(!config.privateKey().isBlank()) return config.privateKey();
+        return readToString(config.privateKeyFile());
+    }
+
+    private static String getCertificate(ConnectorConfig.Ssl config) {
+        if(!config.certificate().isBlank()) return config.certificate();
+        return readToString(config.certificateFile());
+    }
+
     private static String readToString(String filename) {
         try {
             return Files.readString(Paths.get(filename), StandardCharsets.UTF_8);
diff --git a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
index 7735420d803..c6c6fad345b 100644
--- a/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
+++ b/jdisc_http_service/src/main/resources/configdefinitions/jdisc.http.connector.def
@@ -56,12 +56,18 @@ throttling.idleTimeout              double   default=-1.0
 # Whether to enable SSL for this connector.
 ssl.enabled                         bool     default=false
 
-# File with private key in PEM format
+# File with private key in PEM format. Specify either this or privateKey, but not both
 ssl.privateKeyFile                  string   default=""
 
-# File with certificate in PEM format
+# Private key in PEM format. Specify either this or privateKeyFile, but not both
+ssl.privateKey                      string   default=""
+
+# File with certificate in PEM format. Specify either this or certificate, but not both
 ssl.certificateFile                 string   default=""
 
+# Certificate in PEM format. Specify either this or certificateFile, but not both
+ssl.certificate                     string   default=""
+
 # with trusted CA certificates in PEM format. Used to verify clients
 ssl.caCertificateFile               string default=""
author	andreer <andreer@verizonmedia.com>	2019-06-14 16:32:46 +0200
committer	andreer <andreer@verizonmedia.com>	2019-06-19 12:45:27 +0200
commit	f20a195545545fe954479c99c3fda56a20bbe5e0 (patch)
tree	1eaa6a7c068abcad5b02bfb88cab5411dca9abdf /jdisc_http_service
parent	f1f58f0d0661da7542ef8cc793ddc5deb8d0cbd6 (diff)