Diffstat (limited to 'container-core')
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java | 5 | ||||
-rw-r--r-- | container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java | 40 |
2 files changed, 34 insertions, 11 deletions
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java b/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
index f3ad631f136..9ae7b599066 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jdisc.http.filter.util;
 
+import com.yahoo.container.logging.AccessLogEntry;
 import com.yahoo.jdisc.Container;
 import com.yahoo.jdisc.References;
 import com.yahoo.jdisc.Request;
@@ -31,6 +32,7 @@ import java.util.Map;
 import java.util.TreeMap;
 
 import static com.yahoo.jdisc.http.HttpRequest.Version.HTTP_1_1;
+import static com.yahoo.jdisc.http.server.jetty.AccessLoggingRequestHandler.CONTEXT_KEY_ACCESS_LOG_ENTRY;
 
 /**
  * Test helper for {@link SecurityRequestFilter}/{@link SecurityResponseFilter}.
@@ -54,6 +56,7 @@ public class FilterTestUtils {
 private final Map<String, String> headers = new TreeMap<>();
 private Version version = HTTP_1_1;
 private SocketAddress remoteAddress;
+ private AccessLogEntry accessLogEntry;
 private final List<Cookie> cookies = new ArrayList<>();
 
 private RequestBuilder() {}
@@ -73,12 +76,14 @@ public class FilterTestUtils {
 public RequestBuilder withRemoteAddress(SocketAddress address) { this.remoteAddress = address; return this; }
 public RequestBuilder withCookie(String cookie) { cookies.addAll(Cookie.fromCookieHeader(cookie)); return this; }
 public RequestBuilder withCookie(Cookie cookie) { cookies.add(cookie); return this; }
+ public RequestBuilder withAccessLogEntry(AccessLogEntry entry) { this.accessLogEntry = entry; return this; }
 
 public DiscFilterRequest build() {
 var httpReq = HttpRequest.newServerRequest(
 new DummyContainer(clock), uri, method, version, remoteAddress, clock.millis(), clock.millis());
 var filterReq = new DiscFilterRequest(httpReq);
 filterReq.setUserPrincipal(principal);
+ filterReq.setAttribute(CONTEXT_KEY_ACCESS_LOG_ENTRY, accessLogEntry != null ? accessLogEntry : new AccessLogEntry());
 attributes.forEach(filterReq::setAttribute);
 filterReq.setAttribute(RequestUtils.JDISC_REQUEST_X509CERT, certificates.toArray(X509Certificate[]::new));
 headers.forEach(filterReq::addHeader);
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
index 46c840ad607..a30252b1626 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
@@ -2,11 +2,11 @@
 package com.yahoo.jdisc.http.server.jetty;
 
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.component.annotation.Inject;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.X509CertificateWithKey;
 import com.yahoo.vespa.defaults.Defaults;
-import com.yahoo.yolean.Exceptions;
 
 import java.io.IOException;
 import java.nio.file.Files;
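Review bot: In `build()` the new `filterReq.setAttribute(CONTEXT_KEY_ACCESS_LOG_ENTRY, ...)` call runs before `attributes.forEach(filterReq::setAttribute)`, so a caller-supplied attribute stored under the same key silently replaces whatever was passed to `withAccessLogEntry`. If that precedence is intended, say so with `// explicit attributes win over withAccessLogEntry(...)` above the line; otherwise move the call after the `attributes.forEach` line. The `attributes` map is presumably filled by a builder method outside this hunk, and `build()` continues past the end of the hunk.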
@@ -15,6 +15,11 @@ import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import static com.yahoo.yolean.Exceptions.uncheck;
 
 /**
  * Generates temporary credentials to be used by a proxy for accessing Jdisc.
@@ -24,33 +29,44 @@ import java.time.Duration;
 */
 public class DataplaneProxyCredentials extends AbstractComponent {
 
+ private static final Logger log = Logger.getLogger(DataplaneProxyCredentials.class.getName());
+
 private final Path certificateFile;
 private final Path keyFile;
+ private final X509Certificate certificate;
 
+ @Inject
 public DataplaneProxyCredentials() {
 certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem"));
 keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem"));
- if (regenerateCredentials(certificateFile, keyFile)) {
+ var existing = regenerateCredentials(certificateFile, keyFile).orElse(null);
+ if (existing == null) {
 X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30));
- Exceptions.uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
- Exceptions.uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+ uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
+ uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+ this.certificate = selfSigned.certificate();
+ } else {
+ this.certificate = existing;
 }
 }
 
- /*
- * Returns true if credentials should be regenerated.
+ /**
+ * @return old certificate if credentials should not be regenerated, empty otherwise.
 */
- private boolean regenerateCredentials(Path certificateFile, Path keyFile) {
+ private Optional<X509Certificate> regenerateCredentials(Path certificateFile, Path keyFile) {
 if (!Files.exists(certificateFile) || !Files.exists(keyFile)) {
- return true;
+ return Optional.empty();
 }
 try {
 X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));
 PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile));
- return !X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey());
+ if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey())) return Optional.empty();
+ return Optional.of(x509Certificate);
 } catch (IOException e) {
- // Some exception occured, assume credentials corrupted and requires a new pair.
- return true;
+ // Some exception occurred, assume credentials corrupted and requires a new pair.
+ log.log(Level.WARNING, "Failed to load credentials: %s".formatted(e.getMessage()));
+ log.log(Level.FINE, e.toString(), e);
+ return Optional.empty();
 }
 }
 
@@ -62,6 +78,8 @@ public class DataplaneProxyCredentials extends AbstractComponent {
 return keyFile;
 }
 
+ public X509Certificate certificate() { return certificate; }
+
 @Override
 public void deconstruct() {
 super.deconstruct();
|
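Review bot: `regenerateCredentials` reuses the on-disk pair whenever the private key matches the certificate but never checks the certificate's validity period, even though the constructor only issues 30-day self-signed certificates (`Duration.ofDays(30)`); once that window passes, `certificate()` keeps handing out an expired certificate and the pair is never rotated. Add `x509Certificate.checkValidity();` before `return Optional.of(x509Certificate);` and widen the handler to `} catch (IOException | CertificateException e) {` (importing `java.security.cert.CertificateException`) so an expired or not-yet-valid pair is treated like a corrupted one. The method name now reads backwards — it returns the existing certificate precisely when credentials should not be regenerated — so a name such as `loadExistingCredentials` would match the new Javadoc. Separately, `Files.writeString(keyFile, ...)` creates the private-key file with default, umask-dependent permissions; on platforms with POSIX permissions, restricting it to the owner (e.g. `Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"))` right after the write, or creating it with those attributes up front) would keep the key from being world-readable.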