2 files changed, 34 insertions, 11 deletions

diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java b/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
index f3ad631f136..9ae7b599066 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/filter/util/FilterTestUtils.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.jdisc.http.filter.util;
 
+import com.yahoo.container.logging.AccessLogEntry;
 import com.yahoo.jdisc.Container;
 import com.yahoo.jdisc.References;
 import com.yahoo.jdisc.Request;
@@ -31,6 +32,7 @@ import java.util.Map;
 import java.util.TreeMap;
 
 import static com.yahoo.jdisc.http.HttpRequest.Version.HTTP_1_1;
+import static com.yahoo.jdisc.http.server.jetty.AccessLoggingRequestHandler.CONTEXT_KEY_ACCESS_LOG_ENTRY;
 
 /**
  * Test helper for {@link SecurityRequestFilter}/{@link SecurityResponseFilter}.
@@ -54,6 +56,7 @@ public class FilterTestUtils {
         private final Map<String, String> headers = new TreeMap<>();
         private Version version = HTTP_1_1;
         private SocketAddress remoteAddress;
+        private AccessLogEntry accessLogEntry;
         private final List<Cookie> cookies = new ArrayList<>();
 
         private RequestBuilder() {}
@@ -73,12 +76,14 @@ public class FilterTestUtils {
         public RequestBuilder withRemoteAddress(SocketAddress address) { this.remoteAddress = address; return this; }
         public RequestBuilder withCookie(String cookie) { cookies.addAll(Cookie.fromCookieHeader(cookie)); return this; }
         public RequestBuilder withCookie(Cookie cookie) { cookies.add(cookie); return this; }
+        public RequestBuilder withAccessLogEntry(AccessLogEntry entry) { this.accessLogEntry = entry; return this; }
 
         public DiscFilterRequest build() {
             var httpReq = HttpRequest.newServerRequest(
                     new DummyContainer(clock), uri, method, version, remoteAddress, clock.millis(), clock.millis());
             var filterReq = new DiscFilterRequest(httpReq);
             filterReq.setUserPrincipal(principal);
+            filterReq.setAttribute(CONTEXT_KEY_ACCESS_LOG_ENTRY, accessLogEntry != null ? accessLogEntry : new AccessLogEntry());
             attributes.forEach(filterReq::setAttribute);
             filterReq.setAttribute(RequestUtils.JDISC_REQUEST_X509CERT, certificates.toArray(X509Certificate[]::new));
             headers.forEach(filterReq::addHeader);
diff --git a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
index 46c840ad607..a30252b1626 100644
--- a/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
+++ b/container-core/src/main/java/com/yahoo/jdisc/http/server/jetty/DataplaneProxyCredentials.java
@@ -2,11 +2,11 @@
 package com.yahoo.jdisc.http.server.jetty;
 
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.component.annotation.Inject;
 import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.security.X509CertificateWithKey;
 import com.yahoo.vespa.defaults.Defaults;
-import com.yahoo.yolean.Exceptions;
 
 import java.io.IOException;
 import java.nio.file.Files;
@@ -15,6 +15,11 @@ import java.nio.file.Paths;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
+import java.util.Optional;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import static com.yahoo.yolean.Exceptions.uncheck;
 
 /**
  * Generates temporary credentials to be used by a proxy for accessing Jdisc.
@@ -24,33 +29,44 @@ import java.time.Duration;
  */
 public class DataplaneProxyCredentials extends AbstractComponent {
 
+    private static final Logger log = Logger.getLogger(DataplaneProxyCredentials.class.getName());
+
     private final Path certificateFile;
     private final Path keyFile;
+    private final X509Certificate certificate;
 
+    @Inject
     public DataplaneProxyCredentials() {
         certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem"));
         keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem"));
-        if (regenerateCredentials(certificateFile, keyFile)) {
+        var existing = regenerateCredentials(certificateFile, keyFile).orElse(null);
+        if (existing == null) {
             X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30));
-            Exceptions.uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
-            Exceptions.uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+            uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
+            uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
+            this.certificate = selfSigned.certificate();
+        } else {
+            this.certificate = existing;
         }
     }
 
-    /*
-     * Returns true if credentials should be regenerated.
+    /**
+     * @return old certificate if credentials should not be regenerated, empty otherwise.
      */
-    private boolean regenerateCredentials(Path certificateFile, Path keyFile) {
+    private Optional<X509Certificate> regenerateCredentials(Path certificateFile, Path keyFile) {
         if (!Files.exists(certificateFile) || !Files.exists(keyFile)) {
-            return true;
+            return Optional.empty();
         }
         try {
             X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));
             PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile));
-            return !X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey());
+            if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey())) return Optional.empty();
+            return Optional.of(x509Certificate);
         } catch (IOException e) {
-            // Some exception occured, assume credentials corrupted and requires a new pair.
-            return true;
+            // Some exception occurred, assume credentials corrupted and requires a new pair.
+            log.log(Level.WARNING, "Failed to load credentials: %s".formatted(e.getMessage()));
+            log.log(Level.FINE, e.toString(), e);
+            return Optional.empty();
         }
     }
 
@@ -62,6 +78,8 @@ public class DataplaneProxyCredentials extends AbstractComponent {
         return keyFile;
     }
 
+    public X509Certificate certificate() { return certificate; }
+
     @Override
     public void deconstruct() {
         super.deconstruct();