authorBjørn Christian Seime <bjorncs@oath.com>2018-04-26 17:51:54 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-26 17:51:54 +0200
commit938881c148eadd9fca215fca675dd6abaedfb66e (patch)
treef86cbfe81680abc5529712cf7e7c277aff32c1c3 /vespa-athenz
parent014a59dc7444d874c0fa7765783ee84707f6ae40 (diff)
Only create SSLContext once for each update
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java10
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java26
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java12
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java22
4 files changed, 50 insertions, 20 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
index e423139d776..ae66899978e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentials.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.client;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocument;
+import javax.net.ssl.SSLContext;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
@@ -15,15 +16,18 @@ class AthenzCredentials {
private final X509Certificate certificate;
private final KeyPair keyPair;
private final SignedIdentityDocument identityDocument;
+ private final SSLContext identitySslContext;
AthenzCredentials(String nToken,
X509Certificate certificate,
KeyPair keyPair,
- SignedIdentityDocument identityDocument) {
+ SignedIdentityDocument identityDocument,
+ SSLContext identitySslContext) {
this.nToken = nToken;
this.certificate = certificate;
this.keyPair = keyPair;
this.identityDocument = identityDocument;
+ this.identitySslContext = identitySslContext;
}
String getNToken() {
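Review bot: The new identitySslContext argument is stored without a null check, so a null passed through this package-private constructor only surfaces as a NullPointerException later, at whichever caller first uses getIdentitySslContext(), far from the construction site. The pre-existing fields have the same gap, but the new one is the place to start: `this.identitySslContext = Objects.requireNonNull(identitySslContext, "identitySslContext");` with `import java.util.Objects;` added to the import block in the hunk above.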
@@ -42,5 +46,7 @@ class AthenzCredentials {
return identityDocument;
}
-
+ SSLContext getIdentitySslContext() {
+ return identitySslContext;
+ }
}
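Review bot: The new getIdentitySslContext() accessor has no documentation, and nothing states that the same SSLContext object is handed to every caller; SSLContext is mutable (a consumer calling init(...) on it would silently affect all other consumers), so the sharing deserves to be spelled out. Suggest a Javadoc such as `/** Returns the SSLContext supplied at construction (built by AthenzCredentialsService from this identity's key pair and certificate plus the configured trust store). The instance is shared by all callers and must not be re-initialized. */`.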
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index f355f96124b..26fe0b6e930 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -10,16 +10,20 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SslContextBuilder;
import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
+import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;
+import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.KeyPair;
+import java.security.PrivateKey;
import java.security.cert.X509Certificate;
-import java.time.Clock;
import java.util.Set;
+import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
/**
@@ -32,16 +36,16 @@ class AthenzCredentialsService {
private final IdentityConfig identityConfig;
private final IdentityDocumentService identityDocumentService;
private final AthenzService athenzService;
- private final Clock clock;
+ private final File trustStoreJks;
AthenzCredentialsService(IdentityConfig identityConfig,
IdentityDocumentService identityDocumentService,
AthenzService athenzService,
- Clock clock) {
+ File trustStoreJks) {
this.identityConfig = identityConfig;
this.identityDocumentService = identityDocumentService;
this.athenzService = athenzService;
- this.clock = clock;
+ this.trustStoreJks = trustStoreJks;
}
AthenzCredentials registerInstance() {
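Review bot: trustStoreJks replaces the Clock but the constructor neither null-checks it nor verifies the file exists, so a wrong or missing trust-store path is only discovered when createIdentitySslContext runs, presumably from registerInstance() or a later refresh, and the failure then looks like a credential-provisioning error rather than a configuration error. A fail-fast check gives a clearer failure: `this.trustStoreJks = Objects.requireNonNull(trustStoreJks, "trustStoreJks");` followed by `if (!trustStoreJks.isFile()) throw new IllegalArgumentException("Trust store not found: " + trustStoreJks);` (needs `import java.util.Objects;` in the import hunk above). The test in this commit writes a real file via createDummyTrustStore(), so it would still pass; if the bundle can legitimately appear after construction, keep only the null check. Whether SslContextBuilder validates the file itself is not visible in this diff.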
@@ -88,11 +92,19 @@ class AthenzCredentialsService {
}
private AthenzCredentials toAthenzCredentials(InstanceIdentity instanceIdentity,
- KeyPair keyPair,
- SignedIdentityDocument identityDocument) {
+ KeyPair keyPair,
+ SignedIdentityDocument identityDocument) {
X509Certificate certificate = instanceIdentity.getX509Certificate();
String serviceToken = instanceIdentity.getServiceToken();
- return new AthenzCredentials(serviceToken, certificate, keyPair, identityDocument);
+ SSLContext identitySslContext = createIdentitySslContext(keyPair.getPrivate(), certificate);
+ return new AthenzCredentials(serviceToken, certificate, keyPair, identityDocument, identitySslContext);
+ }
+
+ private SSLContext createIdentitySslContext(PrivateKey privateKey, X509Certificate certificate) {
+ return new SslContextBuilder()
+ .withKeyStore(privateKey, certificate)
+ .withTrustStore(trustStoreJks, JKS)
+ .build();
}
private static SignedIdentityDocument parseSignedIdentityDocument(String rawDocument) {
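Review bot: createIdentitySslContext carries no documentation, and the reason the context is now built here, eagerly, rather than on demand (the commit title) is not visible from the code itself. Suggest `/** Builds the TLS context for this identity once per credential update: client key and certificate from the newly issued identity, trust anchors from the JKS bundle at trustStoreJks. The trust store is read from disk on every call, so a failure here fails the whole credential update. */` on the new method. The re-indentation of the two parameter lines of toAthenzCredentials in this hunk is pure whitespace churn that makes the real change harder to see.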
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index d90b8d480e2..594fa91e18f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -1,4 +1,4 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+// Copyright 2019 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.client;
import com.google.inject.Inject;
@@ -9,7 +9,6 @@ import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
import com.yahoo.jdisc.Metric;
import com.yahoo.log.LogLevel;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
-import com.yahoo.vespa.athenz.tls.SslContextBuilder;
import com.yahoo.vespa.defaults.Defaults;
import javax.net.ssl.SSLContext;
@@ -22,8 +21,6 @@ import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.logging.Logger;
-import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
-
/**
* @author mortent
* @author bjorncs
@@ -53,7 +50,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
new AthenzCredentialsService(config,
new IdentityDocumentService(config.loadBalancerAddress()),
new AthenzService(),
- Clock.systemUTC()),
+ new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks"))),
new ScheduledThreadPoolExecutor(1),
Clock.systemUTC());
}
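Review bot: The trust-store location `share/ssl/certs/yahoo_certificate_bundle.jks` is now an inline string literal buried in a multi-argument constructor call, where it is easy to overlook; a named constant documents its role and keeps the call site readable: `private static final String TRUST_STORE_PATH = "share/ssl/certs/yahoo_certificate_bundle.jks";` and `new File(Defaults.getDefaults().underVespaHome(TRUST_STORE_PATH))`. The enclosing constructor starts before this hunk.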
@@ -99,10 +96,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
@Override
public SSLContext getIdentitySslContext() {
- return new SslContextBuilder()
- .withKeyStore(credentials.getKeyPair().getPrivate(), credentials.getCertificate())
- .withTrustStore(new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks")), JKS)
- .build();
+ return credentials.getIdentitySslContext();
}
@Override
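Review bot: getIdentitySslContext() now hands every caller the same SSLContext instance held by the current credentials, where the removed code built a fresh one per call; a caller that keeps the returned object will presumably keep the key and certificate of that credential generation after a refresh has replaced `credentials`. The method is an @Override, so the contract belongs on the interface, but at minimum a comment here such as `// Shared instance built once per credential update; re-fetch after refresh rather than caching it.` makes the change in lifetime visible. Whether the `credentials` field is volatile is not visible in this hunk; the read pattern itself is unchanged from before.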
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index 9a2d552f99b..a0ae6ca61db 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -5,10 +5,17 @@ import com.yahoo.container.core.identity.IdentityConfig;
import com.yahoo.container.jdisc.athenz.AthenzIdentityProviderException;
import com.yahoo.jdisc.Metric;
import com.yahoo.test.ManualClock;
+import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
+import com.yahoo.vespa.athenz.tls.KeyStoreUtils;
+import org.junit.Rule;
import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.IOException;
+import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
@@ -16,6 +23,7 @@ import java.util.Date;
import java.util.concurrent.ScheduledExecutorService;
import java.util.function.Supplier;
+import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
@@ -29,6 +37,9 @@ import static org.mockito.Mockito.when;
*/
public class AthenzIdentityProviderImplTest {
+ @Rule
+ public TemporaryFolder tempDir = new TemporaryFolder();
+
public static final Duration certificateValidity = Duration.ofDays(30);
private static final IdentityConfig IDENTITY_CONFIG =
@@ -45,7 +56,7 @@ public class AthenzIdentityProviderImplTest {
}
@Test
- public void metrics_updated_on_refresh() {
+ public void metrics_updated_on_refresh() throws IOException {
IdentityDocumentService identityDocumentService = mock(IdentityDocumentService.class);
AthenzService athenzService = mock(AthenzService.class);
ManualClock clock = new ManualClock(Instant.EPOCH);
@@ -66,7 +77,7 @@ public class AthenzIdentityProviderImplTest {
.thenReturn(new InstanceIdentity(getCertificate(getExpirationSupplier(clock)), "TOKEN"));
AthenzCredentialsService credentialService =
- new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, clock);
+ new AthenzCredentialsService(IDENTITY_CONFIG, identityDocumentService, athenzService, createDummyTrustStore());
AthenzIdentityProviderImpl identityProvider =
new AthenzIdentityProviderImpl(IDENTITY_CONFIG, metric, credentialService, mock(ScheduledExecutorService.class), clock);
@@ -104,6 +115,13 @@ public class AthenzIdentityProviderImplTest {
return x509Certificate;
}
+ private File createDummyTrustStore() throws IOException {
+ File file = tempDir.newFile();
+ KeyStore keyStore = KeyStoreBuilder.withType(JKS).build();
+ KeyStoreUtils.writeKeyStoreToFile(keyStore, file);
+ return file;
+ }
+
private static String getIdentityDocument() {
return "{\n" +
" \"identity-document\": \"eyJwcm92aWRlci11bmlxdWUtaWQiOnsidGVuYW50IjoidGVuYW50IiwiYXBwbGljYXRpb24iOiJhcHBsaWNhdGlvbiIsImVudmlyb25tZW50IjoiZGV2IiwicmVnaW9uIjoidXMtbm9ydGgtMSIsImluc3RhbmNlIjoiZGVmYXVsdCIsImNsdXN0ZXItaWQiOiJkZWZhdWx0IiwiY2x1c3Rlci1pbmRleCI6MH0sImNvbmZpZ3NlcnZlci1ob3N0bmFtZSI6ImxvY2FsaG9zdCIsImluc3RhbmNlLWhvc3RuYW1lIjoieC55LmNvbSIsImNyZWF0ZWQtYXQiOjE1MDg3NDgyODUuNzQyMDAwMDAwfQ==\",\n" +