author | Martin Polden <mpolden@mpolden.no> | 2019-10-21 11:03:34 +0200 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2019-10-21 11:19:09 +0200 |
commit | 7d0599b84f109b77038abcd6a170c689b6e60d27 (patch) | |
tree | 8c6783096ada5784c6db3ce0bc3a81cca6e7537a /vespa-athenz | |
parent | 1e9da543a5f9388efd9e4a43ee1fb661d0f76ce6 (diff) |
Make SiaIdentityProvider trust store type configurable
Diffstat (limited to 'vespa-athenz')
3 files changed, 53 insertions, 11 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 06f3246ee44..4981b80998f 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -32,7 +32,8 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 this(new AthenzService(config.athenzDomain(), config.athenzService()),
 SiaUtils.getPrivateKeyFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())).toFile(),
 SiaUtils.getCertificateFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())).toFile(),
-             new File(config.trustStorePath()));
+             new File(config.trustStorePath()),
+             config.trustStoreType());
 }
 
 public SiaIdentityProvider(AthenzIdentity service,
@@ -41,16 +42,18 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 this(service,
 SiaUtils.getPrivateKeyFile(siaPath, service).toFile(),
 SiaUtils.getCertificateFile(siaPath, service).toFile(),
-             trustStoreFile);
+             trustStoreFile,
+             SiaProviderConfig.TrustStoreType.Enum.jks);
 }
 
 public SiaIdentityProvider(AthenzIdentity service,
 File privateKeyFile,
 File certificateFile,
-                               File trustStoreFile) {
+                               File trustStoreFile,
+                               SiaProviderConfig.TrustStoreType.Enum trustStoreType) {
 this.service = service;
 this.keyManager = AutoReloadingX509KeyManager.fromPemFiles(privateKeyFile.toPath(), certificateFile.toPath());
-        this.sslContext = createIdentitySslContext(keyManager, trustStoreFile.toPath());
+        this.sslContext = createIdentitySslContext(keyManager, trustStoreFile.toPath(), trustStoreType);
 }
 
 @Override
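Review bot: In the second hunk the four-argument constructor hard-codes `SiaProviderConfig.TrustStoreType.Enum.jks`, duplicating the `default=jks` that the config definition now declares, so the two defaults can drift silently if one is changed later. That constructor also gets no Javadoc for the assumption it now makes; a one-liner such as `/** Loads {@code trustStoreFile} as a JKS keystore; use the five-argument constructor for a PEM bundle. */` would make it visible to callers. The new five-argument constructor could reject a null type up front with `Objects.requireNonNull(trustStoreType, "trustStoreType")` (if java.util.Objects is in scope) instead of letting it surface later as an "Unsupported trust store type: null" IllegalArgumentException from the helper. The class body continues outside the hunk.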
@@ -63,15 +66,22 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
 return sslContext;
 }
 
-    private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile) {
-        return new SslContextBuilder()
-            .withTrustStore(trustStoreFile, KeyStoreType.JKS)
-            .withKeyManager(keyManager)
-            .build();
+    private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile,
+                                                       SiaProviderConfig.TrustStoreType.Enum trustStoreType) {
+        var builder = new SslContextBuilder();
+        if (trustStoreType == SiaProviderConfig.TrustStoreType.Enum.pem) {
+            builder = builder.withTrustStore(trustStoreFile);
+        } else if (trustStoreType == SiaProviderConfig.TrustStoreType.Enum.jks) {
+            builder = builder.withTrustStore(trustStoreFile, KeyStoreType.JKS);
+        } else {
+            throw new IllegalArgumentException("Unsupported trust store type: " + trustStoreType);
+        }
+        return builder.withKeyManager(keyManager).build();
     }
 
     @Override
     public void deconstruct() {
         keyManager.close();
     }
+
 }
diff --git a/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
index 14fe0741a60..b1145a9a4fc 100644
--- a/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
+++ b/vespa-athenz/src/main/resources/configdefinitions/sia-provider.def
@@ -4,4 +4,5 @@ namespace=vespa.athenz.identity
 athenzDomain string
 athenzService string
 keyPathPrefix string
-trustStorePath string
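Review bot: The new `createIdentitySslContext` dispatches on a two-valued enum with an if/else-if chain plus a trailing else, which reads less clearly than a switch with a throwing default and repeats the `SiaProviderConfig.TrustStoreType.Enum.` qualifier on every branch. A switch over `trustStoreType` keeps the IllegalArgumentException for anything unexpected and makes the per-format handling scannable. What the single-argument `withTrustStore(trustStoreFile)` overload accepts is not visible in this diff; a short comment on the pem branch naming the expected file content (presumably PEM-encoded CA certificate(s), as the test writes) would spare the next reader a trip into SslContextBuilder. The blank line added just before the class's closing brace at the end of the hunk is unrelated whitespace noise.
```java
    private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile,
                                                       SiaProviderConfig.TrustStoreType.Enum trustStoreType) {
        var builder = new SslContextBuilder();
        switch (trustStoreType) {
            case pem: // file holds PEM-encoded certificate(s) to trust — confirm against SslContextBuilder.withTrustStore(Path)
                builder = builder.withTrustStore(trustStoreFile);
                break;
            case jks:
                builder = builder.withTrustStore(trustStoreFile, KeyStoreType.JKS);
                break;
            default:
                throw new IllegalArgumentException("Unsupported trust store type: " + trustStoreType);
        }
        return builder.withKeyManager(keyManager).build();
    }
```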
\ No newline at end of file
+trustStorePath string
+trustStoreType enum {pem, jks} default=jks
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
index 31152a4602f..ce02860cc78 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
@@ -10,6 +10,7 @@ import com.yahoo.security.SignatureAlgorithm;
 import com.yahoo.security.X509CertificateBuilder;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.yolean.Exceptions;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -53,7 +54,32 @@ public class SiaIdentityProviderTest {
 new AthenzService("domain", "service-name"),
 keyFile,
 certificateFile,
-                        trustStoreFile);
+                        trustStoreFile,
+                        SiaProviderConfig.TrustStoreType.Enum.jks);
+
+        assertNotNull(provider.getIdentitySslContext());
+    }
+
+    @Test
+    public void constructs_ssl_context_with_pem_trust_store() throws IOException {
+        File keyFile = tempDirectory.newFile();
+        KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
+        createPrivateKeyFile(keyFile, keypair);
+
+        X509Certificate certificate = createCertificate(keypair);
+        File certificateFile = tempDirectory.newFile();
+        createCertificateFile(certificate, certificateFile);
+
+        File trustStoreFile = tempDirectory.newFile();
+        createPemTrustStoreFile(certificate, trustStoreFile);
+
+        SiaIdentityProvider provider =
+                new SiaIdentityProvider(
+                        new AthenzService("domain", "service-name"),
+                        keyFile,
+                        certificateFile,
+                        trustStoreFile,
+                        SiaProviderConfig.TrustStoreType.Enum.pem);
 
 assertNotNull(provider.getIdentitySslContext());
 }
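Review bot: The new `trustStoreType` field in sia-provider.def carries no comment, so what `pem` versus `jks` means for the file at `trustStorePath` is only discoverable by reading SiaIdentityProvider. A comment above the two lines, e.g. `# Format of the file at trustStorePath: a JKS keystore (default) or a PEM file holding the CA certificate(s) to trust`, would document it where operators actually configure it. The exact PEM content the builder accepts is not visible in this diff, so confirm the wording against SslContextBuilder before committing to it.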
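Review bot: The new `constructs_ssl_context_with_pem_trust_store` test never calls `provider.deconstruct()`, so the `AutoReloadingX509KeyManager` the constructor creates (the main class closes it in `deconstruct()`) is left open after the assertion; `try { assertNotNull(provider.getIdentitySslContext()); } finally { provider.deconstruct(); }` keeps the test self-cleaning. The test also repeats the key and certificate setup of the JKS test line for line; a private helper returning the key and certificate files would reduce both to their trust-store-specific lines. Finally, both tests only assert that the context is non-null, which would also pass if the pem branch produced a context that trusts nothing; exercising the context against `certificate` (for example a loopback handshake) would pin the behaviour the commit introduces. The enclosing test class continues outside the hunk.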
@@ -81,6 +107,11 @@ public class SiaIdentityProviderTest {
 .build();
 }
 
+    private void createPemTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
+        var pemEncoded = X509CertificateUtils.toPem(certificate);
+        Exceptions.uncheck(() -> Files.writeString(trustStoreFile.toPath(), pemEncoded));
+    }
+
 private void createTrustStoreFile(X509Certificate certificate, File trustStoreFile) {
 KeyStore keystore = KeyStoreBuilder.withType(KeyStoreType.JKS)
 .withCertificateEntry("dummy-cert", certificate) |
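Review bot: `createPemTrustStoreFile` wraps `Files.writeString` in `Exceptions.uncheck`, pulling in the new `com.yahoo.yolean.Exceptions` import, although its only caller already declares `throws IOException`; declaring the helper `throws IOException` and dropping the wrapper is simpler and surfaces the original IOException rather than a wrapped one: `private void createPemTrustStoreFile(X509Certificate certificate, File trustStoreFile) throws IOException {` followed by `Files.writeString(trustStoreFile.toPath(), X509CertificateUtils.toPem(certificate));`. Whether the sibling `createTrustStoreFile` declares a checked exception is not visible here, so match whatever convention it uses. The test class continues outside the hunk.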