authorMartin Polden <mpolden@mpolden.no>2019-10-21 11:03:34 +0200
committerMartin Polden <mpolden@mpolden.no>2019-10-21 11:19:09 +0200
commit7d0599b84f109b77038abcd6a170c689b6e60d27 (patch)
tree8c6783096ada5784c6db3ce0bc3a81cca6e7537a /vespa-athenz
parent1e9da543a5f9388efd9e4a43ee1fb661d0f76ce6 (diff)
Make SiaIdentityProvider trust store type configurable
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java28
-rw-r--r--vespa-athenz/src/main/resources/configdefinitions/sia-provider.def3
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java33
3 files changed, 53 insertions, 11 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 06f3246ee44..4981b80998f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -32,7 +32,8 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
this(new AthenzService(config.athenzDomain(), config.athenzService()),
SiaUtils.getPrivateKeyFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())).toFile(),
SiaUtils.getCertificateFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())).toFile(),
- new File(config.trustStorePath()));
+ new File(config.trustStorePath()),
+ config.trustStoreType());
}
public SiaIdentityProvider(AthenzIdentity service,
@@ -41,16 +42,18 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
this(service,
SiaUtils.getPrivateKeyFile(siaPath, service).toFile(),
SiaUtils.getCertificateFile(siaPath, service).toFile(),
- trustStoreFile);
+ trustStoreFile,
+ SiaProviderConfig.TrustStoreType.Enum.jks);
}
public SiaIdentityProvider(AthenzIdentity service,
File privateKeyFile,
File certificateFile,
- File trustStoreFile) {
+ File trustStoreFile,
+ SiaProviderConfig.TrustStoreType.Enum trustStoreType) {
this.service = service;
this.keyManager = AutoReloadingX509KeyManager.fromPemFiles(privateKeyFile.toPath(), certificateFile.toPath());
- this.sslContext = createIdentitySslContext(keyManager, trustStoreFile.toPath());
+ this.sslContext = createIdentitySslContext(keyManager, trustStoreFile.toPath(), trustStoreType);
}
@Override
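Review bot: The `Path`-based constructor now pins the trust store type to `SiaProviderConfig.TrustStoreType.Enum.jks` without saying so, so a caller that hands it a PEM bundle gets a construction-time failure with no hint from the signature; a Javadoc line on the constructor, `/** Builds the provider from a SIA directory; {@code trustStoreFile} must be a JKS keystore — use the five-argument constructor for a PEM bundle. */`, would make that visible. The hard-coded value duplicates the `default=jks` in sia-provider.def, so the two have to be kept in step by hand if the default ever changes. The constructor's signature begins in the lines above the hunk.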
@@ -63,15 +66,22 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
return sslContext;
}
- private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile) {
- return new SslContextBuilder()
- .withTrustStore(trustStoreFile, KeyStoreType.JKS)
- .withKeyManager(keyManager)
- .build();
+ private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile,
+ SiaProviderConfig.TrustStoreType.Enum trustStoreType) {
+ var builder = new SslContextBuilder();
+ if (trustStoreType == SiaProviderConfig.TrustStoreType.Enum.pem) {
+ builder = builder.withTrustStore(trustStoreFile);
+ } else if (trustStoreType == SiaProviderConfig.TrustStoreType.Enum.jks) {
+ builder = builder.withTrustStore(trustStoreFile, KeyStoreType.JKS);
+ } else {
+ throw new IllegalArgumentException("Unsupported trust store type: " + trustStoreType);
+ }
+ return builder.withKeyManager(keyManager).build();
}
@Override
public void deconstruct() {
keyManager.close();
}
+
}
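Review bot: The trust anchors in `createIdentitySslContext` are read once when the SSLContext is built, while the key material comes from `AutoReloadingX509KeyManager`, so a rotated CA bundle at `trustStoreFile` is not picked up until the component is reconstructed; this predates the change, but the new PEM option makes pointing at an externally distributed CA bundle more likely, so the method deserves a comment such as `// Trust anchors are loaded once; unlike the key manager they are not reloaded when the file changes`. Whether `SslContextBuilder.withTrustStore(Path)` itself reloads cannot be seen from this hunk. The if/else chain on the enum reads more idiomatically as a `switch (trustStoreType)` with `case pem`, `case jks` and a `default` that throws, which also keeps the handling of any future enum value in one place. Rejecting unknown values instead of falling back to JKS is the right fail-closed choice and should stay.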
diff --git a/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
index 14fe0741a60..b1145a9a4fc 100644
--- a/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
+++ b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
@@ -4,4 +4,5 @@ namespace=vespa.athenz.identity
athenzDomain string
athenzService string
keyPathPrefix string
-trustStorePath string \ No newline at end of file
+trustStorePath string
+trustStoreType enum {pem, jks} default=jks
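Review bot: The new `trustStoreType` enum in sia-provider.def has no comment saying what each value means, so an operator has to read SiaIdentityProvider to learn that `pem` expects a file of PEM-encoded CA certificates and `jks` a Java keystore; a line above it such as `# Format of the file at trustStorePath: a JKS keystore or a PEM bundle of CA certificates` would help, assuming the def format accepts `#` comments as other Vespa definitions do. Defaulting to `jks` keeps existing deployments on their previous behaviour.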
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
index 31152a4602f..ce02860cc78 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
@@ -10,6 +10,7 @@ import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.yolean.Exceptions;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
@@ -53,7 +54,32 @@ public class SiaIdentityProviderTest {
new AthenzService("domain", "service-name"),
keyFile,
certificateFile,
- trustStoreFile);
+ trustStoreFile,
+ SiaProviderConfig.TrustStoreType.Enum.jks);
+
+ assertNotNull(provider.getIdentitySslContext());
+ }
+
+ @Test
+ public void constructs_ssl_context_with_pem_trust_store() throws IOException {
+ File keyFile = tempDirectory.newFile();
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+ createPrivateKeyFile(keyFile, keypair);
+
+ X509Certificate certificate = createCertificate(keypair);
+ File certificateFile = tempDirectory.newFile();
+ createCertificateFile(certificate, certificateFile);
+
+ File trustStoreFile = tempDirectory.newFile();
+ createPemTrustStoreFile(certificate, trustStoreFile);
+
+ SiaIdentityProvider provider =
+ new SiaIdentityProvider(
+ new AthenzService("domain", "service-name"),
+ keyFile,
+ certificateFile,
+ trustStoreFile,
+ SiaProviderConfig.TrustStoreType.Enum.pem);
assertNotNull(provider.getIdentitySslContext());
}
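Review bot: `constructs_ssl_context_with_pem_trust_store` only asserts that the returned SSLContext is non-null, which would also pass if the PEM file were parsed into an empty set of trust anchors; nothing in the test shows that `certificate` became a trusted issuer. A negative case that passes the PEM file with `SiaProviderConfig.TrustStoreType.Enum.jks` and expects construction to throw would at least pin the fail-closed behaviour, assuming SslContextBuilder rejects a non-JKS file rather than silently accepting it. A positive check would need the trust manager, which the SSLContext does not expose directly, so a handshake against a server using `certificate` may be the only way to assert it.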
@@ -81,6 +107,11 @@ public class SiaIdentityProviderTest {
.build();
}
+ private void createPemTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
+ var pemEncoded = X509CertificateUtils.toPem(certificate);
+ Exceptions.uncheck(() -> Files.writeString(trustStoreFile.toPath(), pemEncoded));
+ }
+
private void createTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.JKS)
.withCertificateEntry("dummy-cert", certificate)