author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-26 17:51:54 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-04-26 17:51:54 +0200 |
commit | 938881c148eadd9fca215fca675dd6abaedfb66e (patch) | |
tree | f86cbfe81680abc5529712cf7e7c277aff32c1c3 /vespa-athenz | |
parent | 014a59dc7444d874c0fa7765783ee84707f6ae40 (diff) |
Only create SSLContext once for each update
Diffstat (limited to 'vespa-athenz')
4 files changed, 50 insertions, 20 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
index e423139d776..ae66899978e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.client;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocument;
+import javax.net.ssl.SSLContext;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
@@ -15,15 +16,18 @@ class AthenzCredentials {
 private final X509Certificate certificate;
 private final KeyPair keyPair;
 private final SignedIdentityDocument identityDocument;
+ private final SSLContext identitySslContext;
 AthenzCredentials(String nToken,
 X509Certificate certificate,
 KeyPair keyPair,
- SignedIdentityDocument identityDocument) {
+ SignedIdentityDocument identityDocument,
+ SSLContext identitySslContext) {
 this.nToken = nToken;
 this.certificate = certificate;
 this.keyPair = keyPair;
 this.identityDocument = identityDocument;
+ this.identitySslContext = identitySslContext;
 }
 String getNToken() {
@@ -42,5 +46,7 @@ class AthenzCredentials {
 return identityDocument;
 }
-
+ SSLContext getIdentitySslContext() {
+ return identitySslContext;
+ }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index f355f96124b..26fe0b6e930 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
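Review bot: The `getIdentitySslContext()` getter added in the `@@ -42,5 +46,7 @@` hunk has no documentation, and nothing in AthenzCredentials states that the context is a per-update snapshot bound to the certificate and key pair stored alongside it (the only construction site in this diff builds it from `keyPair.getPrivate()` and `certificate` in AthenzCredentialsService). I would add a Javadoc on the getter: `/** SSLContext built from this object's private key and certificate when the credentials were created; it is not rebuilt when the certificate is refreshed, so take a fresh AthenzCredentials rather than caching this context. */`. The constructor in the `@@ -15,15 +16,18 @@` hunk also stores the new argument without a null check; `this.identitySslContext = Objects.requireNonNull(identitySslContext, "identitySslContext");` (with `java.util.Objects` added to the import hunk) would fail at construction instead of wherever the null is first dereferenced.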
@@ -10,16 +10,20 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
 import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
 import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SslContextBuilder;
 import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
+import javax.net.ssl.SSLContext;
 import javax.security.auth.x500.X500Principal;
+import java.io.File;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.security.KeyPair;
+import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.time.Clock;
 import java.util.Set;
+import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
 import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
 /**
@@ -32,16 +36,16 @@ class AthenzCredentialsService {
 private final IdentityConfig identityConfig;
 private final IdentityDocumentService identityDocumentService;
 private final AthenzService athenzService;
- private final Clock clock;
+ private final File trustStoreJks;
 AthenzCredentialsService(IdentityConfig identityConfig,
 IdentityDocumentService identityDocumentService,
 AthenzService athenzService,
- Clock clock) {
+ File trustStoreJks) {
 this.identityConfig = identityConfig;
 this.identityDocumentService = identityDocumentService;
 this.athenzService = athenzService;
- this.clock = clock;
+ this.trustStoreJks = trustStoreJks;
 }
 AthenzCredentials registerInstance() {
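Review bot: In the `@@ -32,16 +36,16 @@` hunk the constructor stores `trustStoreJks` unchecked and the file is only opened later in `createIdentitySslContext` (the `@@ -88,11 +92,19 @@` hunk), so a missing or unreadable CA bundle path is not reported until the first `registerInstance()` or refresh runs. A fail-fast check in the constructor, `this.trustStoreJks = Objects.requireNonNull(trustStoreJks, "trustStoreJks");` followed by `if (!trustStoreJks.isFile()) throw new IllegalArgumentException("Trust store not found: " + trustStoreJks);`, would make the misconfiguration visible at component construction; it needs `java.util.Objects` added to the import hunk above. The store is still re-read on every update, so this is an early hint and not a replacement for handling the builder's failure in `createIdentitySslContext`. The removed `Clock` field is not referenced in any visible hunk, so the drop looks safe; `registerInstance()` continues past this hunk.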
@@ -88,11 +92,19 @@ class AthenzCredentialsService {
 }
 private AthenzCredentials toAthenzCredentials(InstanceIdentity instanceIdentity,
- KeyPair keyPair,
- SignedIdentityDocument identityDocument) {
+ KeyPair keyPair,
+ SignedIdentityDocument identityDocument) {
 X509Certificate certificate = instanceIdentity.getX509Certificate();
 String serviceToken = instanceIdentity.getServiceToken();
- return new AthenzCredentials(serviceToken, certificate, keyPair, identityDocument);
+ SSLContext identitySslContext = createIdentitySslContext(keyPair.getPrivate(), certificate);
+ return new AthenzCredentials(serviceToken, certificate, keyPair, identityDocument, identitySslContext);
+ }
+
+ private SSLContext createIdentitySslContext(PrivateKey privateKey, X509Certificate certificate) {
+ return new SslContextBuilder()
+ .withKeyStore(privateKey, certificate)
+ .withTrustStore(trustStoreJks, JKS)
+ .build();
 }
 private static SignedIdentityDocument parseSignedIdentityDocument(String rawDocument) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index d90b8d480e2..594fa91e18f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -1,4 +1,4 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+// Copyright 2019 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
 import com.google.inject.Inject;
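Review bot: `createIdentitySslContext` reads and parses `trustStoreJks` from disk on every credential update, and any failure in `SslContextBuilder.build()` (file missing, not a valid JKS store) now propagates out of `toAthenzCredentials` and aborts the registration or refresh, where before this commit it only surfaced in `AthenzIdentityProviderImpl.getIdentitySslContext()`. That is the stricter and arguably better failure mode — no AthenzCredentials can exist without a usable context — but the diff does not say so; a comment on the method, `// Built once per credential update; a trust-store read failure here fails the update rather than a later getIdentitySslContext() call`, would record the intent. Whether `withTrustStore(File, JKS)` expects a store password cannot be seen here and should be confirmed against the builder. The first `}` of this hunk closes a method that starts before it; the copyright hunk sharing this line bumps the year to 2019 although the commit is dated 2018-04-26.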
@@ -9,7 +9,6 @@ import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
 import com.yahoo.vespa.defaults.Defaults;
 import javax.net.ssl.SSLContext;
@@ -22,8 +21,6 @@ import java.util.concurrent.ScheduledThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Logger;
-import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
-
 /**
 * @author mortent
 * @author bjorncs
@@ -53,7 +50,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 new AthenzCredentialsService(config,
 new IdentityDocumentService(config.loadBalancerAddress()),
 new AthenzService(),
- Clock.systemUTC()),
+ new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks"))),
 new ScheduledThreadPoolExecutor(1),
 Clock.systemUTC());
 }
@@ -99,10 +96,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
 @Override
 public SSLContext getIdentitySslContext() {
- return new SslContextBuilder()
- .withKeyStore(credentials.getKeyPair().getPrivate(), credentials.getCertificate())
- .withTrustStore(new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks")), JKS)
- .build();
+ return credentials.getIdentitySslContext();
 }
 @Override
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index 9a2d552f99b..a0ae6ca61db 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
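Review bot: `getIdentitySslContext()` in the `@@ -99,10 +96,7 @@` hunk returns the context cached inside the `credentials` field, which the refresh scheduled on `new ScheduledThreadPoolExecutor(1)` (see the `@@ -53,7 +50,7 @@` hunk) replaces while caller threads read it. The field's declaration is outside this diff; unless it is `volatile` or both sides are synchronized, a reader may keep seeing the pre-refresh context and its expiring certificate. The old code had the same cross-thread read of `credentials`, so this is not a regression, but it is worth confirming the declaration reads `private volatile AthenzCredentials credentials;` now that a whole cached object is handed out. A short comment on the return, `// One SSLContext per credential update; callers should re-fetch after a refresh rather than hold on to it`, would also tell callers not to cache the instance.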
@@ -5,10 +5,17 @@ import com.yahoo.container.core.identity.IdentityConfig;
 import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
 import com.yahoo.jdisc.Metric;
 import com.yahoo.test.ManualClock;
+import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
+import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.IOException;
+import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
@@ -16,6 +23,7 @@ import java.util.Date;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.function.Supplier;
+import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyString;
 import static org.mockito.Matchers.eq;
@@ -29,6 +37,9 @@ import static org.mockito.Mockito.when;
 */
 public class AthenzIdentityProviderImplTest {
+ @Rule
+ public TemporaryFolder tempDir = new TemporaryFolder();
+
 public static final Duration certificateValidity = Duration.ofDays(30);
 private static final IdentityConfig IDENTITY_CONFIG =
@@ -45,7 +56,7 @@ public class AthenzIdentityProviderImplTest {
 }
 @Test
- public void metrics_updated_on_refresh() {
+ public void metrics_updated_on_refresh() throws IOException {
 IdentityDocumentService identityDocumentService = mock(IdentityDocumentService.class);
 AthenzService athenzService = mock(AthenzService.class);
 ManualClock clock = new ManualClock(Instant.EPOCH);
@@ -66,7 +77,7 @@ public class AthenzIdentityProviderImplTest {
 .thenReturn(new InstanceIdentity(getCertificate(getExpirationSupplier(clock)), "TOKEN"));
 AthenzCredentialsService credentialService =
- new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, clock);
+ new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, createDummyTrustStore());
 AthenzIdentityProviderImpl identityProvider = new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, credentialService, mock(ScheduledExecutorService.class), clock);
@@ -104,6 +115,13 @@ public class AthenzIdentityProviderImplTest {
 return x509Certificate;
 }
+ private File createDummyTrustStore() throws IOException {
+ File file = tempDir.newFile();
+ KeyStore keyStore = KeyStoreBuilder.withType(JKS).build();
+ KeyStoreUtils.writeKeyStoreToFile(keyStore, file);
+ return file;
+ }
+
 private static String getIdentityDocument() {
 return "{\n" +
 " \"identity-document\": \"eyJwcm92aWRlci11bmlxdWUtaWQiOnsidGVuYW50IjoidGVuYW50IiwiYXBwbGljYXRpb24iOiJhcHBsaWNhdGlvbiIsImVudmlyb25tZW50IjoiZGV2IiwicmVnaW9uIjoidXMtbm9ydGgtMSIsImluc3RhbmNlIjoiZGVmYXVsdCIsImNsdXN0ZXItaWQiOiJkZWZhdWx0IiwiY2x1c3Rlci1pbmRleCI6MH0sImNvbmZpZ3NlcnZlci1ob3N0bmFtZSI6ImxvY2FsaG9zdCIsImluc3RhbmNlLWhvc3RuYW1lIjoieC55LmNvbSIsImNyZWF0ZWQtYXQiOjE1MDg3NDgyODUuNzQyMDAwMDAwfQ==\",\n" + |
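Review bot: `createDummyTrustStore()` writes an empty JKS store, so the test only shows that `AthenzCredentialsService` can load a store with no trusted CAs; it does not exercise trust evaluation and would not notice a builder that ignores the trust store. That is adequate for `metrics_updated_on_refresh`, but the helper should say so: `// Empty JKS store: enough for SslContextBuilder to load, contains no trusted certificates`. Nothing asserts the property this commit introduces, that a single update yields a single context; `assertSame(identityProvider.getIdentitySslContext(), identityProvider.getIdentitySslContext());` after the first refresh would pin it. The `when(...)` chain ending in `.thenReturn(...)` at the top of the `@@ -66,7 +77,7 @@` hunk begins before this hunk.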