authorBjørn Christian Seime <bjorncs@oath.com>2018-04-27 09:55:55 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-27 09:55:55 +0200
commit88382f61461b9e6740380d395d5e0b0e7c5c53f8 (patch)
treed5a5e0a7111f53c013cde4c768ece1d31bce0296 /vespa-athenz/src
parentc45e7c1c83ed29a64780a242e5cbf1d37ea3b706 (diff)
Reuse SSLContext when communicating with ZTS
Diffstat (limited to 'vespa-athenz/src')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java6
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzService.java32
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java3
4 files changed, 7 insertions, 36 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 26fe0b6e930..e11445518ab 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -69,8 +69,7 @@ class AthenzCredentialsService {
return toAthenzCredentials(instanceIdentity, keyPair, document);
}
- AthenzCredentials updateCredentials(AthenzCredentials currentCredentials) {
- SignedIdentityDocument document = currentCredentials.getIdentityDocument();
+ AthenzCredentials updateCredentials(SignedIdentityDocument document, SSLContext sslContext) {
KeyPair newKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
Pkcs10Csr csr = createCSR(identityConfig.domain(),
identityConfig.service(),
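Review bot: The new `sslContext` parameter silently carries a contract the removed `getCertificate()`/`getKeyPair().getPrivate()` arguments made explicit: it must be the context holding the *current* identity's client key material, since ZTS authenticates the refresh with it, while the method generates `newKeyPair` for the certificate being requested. A Javadoc on `updateCredentials` should state that the identity document is the one issued at registration and that `sslContext` must present the current (not yet expired) identity certificate, otherwise the refresh is rejected by ZTS. If `document` or `sslContext` can be null from the caller, `Objects.requireNonNull` on both at the top of the method would fail fast with a clear message. The method body continues past this hunk.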
@@ -86,8 +85,7 @@ class AthenzCredentialsService {
document.providerUniqueId,
refreshInfo,
document.ztsEndpoint,
- currentCredentials.getCertificate(),
- currentCredentials.getKeyPair().getPrivate());
+ sslContext);
return toAthenzCredentials(instanceIdentity, newKeyPair, document);
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 594fa91e18f..0feaabd4d9d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -121,7 +121,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
try {
AthenzCredentials newCredentials = isExpired(credentials)
? athenzCredentialsService.registerInstance()
- : athenzCredentialsService.updateCredentials(credentials);
+ : athenzCredentialsService.updateCredentials(credentials.getIdentityDocument(), credentials.getIdentitySslContext());
credentials = newCredentials;
} catch (Throwable t) {
log.log(LogLevel.WARNING, "Failed to update credentials: " + t.getMessage(), t);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzService.java
index 98307a8a2d1..713e9c6c015 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzService.java
@@ -7,7 +7,6 @@ import org.apache.http.client.HttpRequestRetryHandler;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
-import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
@@ -20,15 +19,6 @@ import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
/**
* @author mortent
@@ -63,9 +53,8 @@ public class AthenzService {
String instanceId,
InstanceRefreshInformation instanceRefreshInformation,
URI ztsEndpoint,
- X509Certificate certicate,
- PrivateKey privateKey) {
- try (CloseableHttpClient client = createHttpClientWithTlsAuth(certicate, privateKey, retryHandler)) {
+ SSLContext sslContext) {
+ try (CloseableHttpClient client = createHttpClientWithTlsAuth(sslContext, retryHandler)) {
URI uri = ztsEndpoint
.resolve(INSTANCE_API_PATH + '/')
.resolve(providerService + '/')
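Review bot: The `sslContext` parameter now decides both halves of the TLS handshake, and that should be documented on `sendInstanceRefreshRequest`: the removed `SSLContextBuilder` only loaded key material, so server trust came from the JVM default truststore, whereas a caller-supplied context also supplies (or omits) the trust material used to verify the ZTS endpoint. I would add a Javadoc `@param sslContext` noting that it must carry the current identity's client certificate and private key for mutual TLS, and trust anchors that validate the ZTS server certificate. This method's body continues past the hunk.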
@@ -99,26 +88,11 @@ public class AthenzService {
return new StringEntity(objectMapper.writeValueAsString(value), ContentType.APPLICATION_JSON);
}
- private static CloseableHttpClient createHttpClientWithTlsAuth(X509Certificate certificate,
- PrivateKey privateKey,
+ private static CloseableHttpClient createHttpClientWithTlsAuth(SSLContext sslContext,
HttpRequestRetryHandler retryHandler) {
- try {
- String dummyPassword = "athenz";
- KeyStore keyStore = KeyStore.getInstance("JKS");
- keyStore.load(null);
- keyStore.setKeyEntry("athenz", privateKey, dummyPassword.toCharArray(), new Certificate[]{certificate});
- SSLContext sslContext = new SSLContextBuilder()
- .loadKeyMaterial(keyStore, dummyPassword.toCharArray())
- .build();
return HttpClientBuilder.create()
.setRetryHandler(retryHandler)
.setSslcontext(sslContext)
.build();
- } catch (KeyStoreException | UnrecoverableKeyException | NoSuchAlgorithmException |
- KeyManagementException | CertificateException e) {
- throw new RuntimeException(e);
- } catch (IOException e) {
- throw new UncheckedIOException(e);
- }
}
}
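Review bot: `createHttpClientWithTlsAuth` no longer validates its input, and a null `sslContext` would not fail here: as far as I recall, `HttpClientBuilder` substitutes a default SSL context when none is set, so a refresh would go out without a client certificate and fail at ZTS with a much less informative error than a local NPE. Adding `Objects.requireNonNull(sslContext, "sslContext");` as the first statement keeps the failure where the bug is (this needs `java.util.Objects` imported). Also worth a one-line comment that the method name promises TLS auth only if the supplied context holds client key material, since the builder no longer guarantees it.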
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index a0ae6ca61db..12e60326f97 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -70,8 +70,7 @@ public class AthenzIdentityProviderImplTest {
}
});
- when(athenzService.sendInstanceRefreshRequest(anyString(), anyString(), anyString(),
- anyString(), any(), any(), any(), any()))
+ when(athenzService.sendInstanceRefreshRequest(anyString(), anyString(), anyString(), anyString(), any(), any(), any()))
.thenThrow(new RuntimeException("#1"))
.thenThrow(new RuntimeException("#2"))
.thenReturn(new InstanceIdentity(getCertificate(getExpirationSupplier(clock)), "TOKEN"));