blob: 204288a52b71ffdc1f3b8724575cbd44573db193 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.server.jetty;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.X509CertificateWithKey;
import com.yahoo.vespa.defaults.Defaults;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import static com.yahoo.yolean.Exceptions.uncheck;
/**
* Generates temporary credentials to be used by a proxy for accessing Jdisc.
* Credentials are written to vespa_home/tmp/.
*
* @author mortent
*/
public class DataplaneProxyCredentials extends AbstractComponent {
private static final Logger log = Logger.getLogger(DataplaneProxyCredentials.class.getName());
private final Path certificateFile;
private final Path keyFile;
private final X509Certificate certificate;
@Inject
public DataplaneProxyCredentials() {
certificateFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_cert.pem"));
keyFile = Paths.get(Defaults.getDefaults().underVespaHome("tmp/proxy_key.pem"));
var existing = regenerateCredentials(certificateFile, keyFile).orElse(null);
if (existing == null) {
X509CertificateWithKey selfSigned = X509CertificateUtils.createSelfSigned("cn=vespa dataplane proxy", Duration.ofDays(30));
uncheck(() -> Files.writeString(certificateFile, X509CertificateUtils.toPem(selfSigned.certificate())));
uncheck(() -> Files.writeString(keyFile, KeyUtils.toPem(selfSigned.privateKey())));
this.certificate = selfSigned.certificate();
} else {
this.certificate = existing;
}
}
/*
* Returns true if credentials should be regenerated.
*
* @return old certificate if credentials should not be regenerated, empty otherwise.
*/
private Optional<X509Certificate> regenerateCredentials(Path certificateFile, Path keyFile) {
if (!Files.exists(certificateFile) || !Files.exists(keyFile)) {
return Optional.empty();
}
try {
X509Certificate x509Certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));
PrivateKey privateKey = KeyUtils.fromPemEncodedPrivateKey(Files.readString(keyFile));
if (!X509CertificateUtils.privateKeyMatchesPublicKey(privateKey, x509Certificate.getPublicKey())) return Optional.empty();
return Optional.of(x509Certificate);
} catch (IOException e) {
// Some exception occured, assume credentials corrupted and requires a new pair.
log.log(Level.WARNING, "Failed to load credentials: %s".formatted(e.getMessage()));
log.log(Level.FINE, e.toString(), e);
return Optional.empty();
}
}
public Path certificateFile() {
return certificateFile;
}
public Path keyFile() {
return keyFile;
}
public X509Certificate certificate() { return certificate; }
@Override
public void deconstruct() {
super.deconstruct();
}
}
|