org.springframework.vault.support.SslConfiguration Java Examples

@Test
void shouldConfigureSsl() {

	Map<String, Object> map = new HashMap<String, Object>();
	map.put("vault.ssl.key-store", "classpath:certificate.json");
	map.put("vault.ssl.trust-store", "classpath:certificate.json");

	MapPropertySource propertySource = new MapPropertySource("shouldConfigureSsl", map);
	this.configurableEnvironment.getPropertySources().addFirst(propertySource);

	SslConfiguration sslConfiguration = this.configuration.sslConfiguration();

	assertThat(sslConfiguration.getKeyStore()).isInstanceOf(ClassPathResource.class);
	assertThat(sslConfiguration.getKeyStorePassword()).isEqualTo("key store password");

	assertThat(sslConfiguration.getTrustStore()).isInstanceOf(ClassPathResource.class);
	assertThat(sslConfiguration.getTrustStorePassword()).isEqualTo("trust store password");

	this.configurableEnvironment.getPropertySources().remove(propertySource.getName());
}
 

@Override
public SslConfiguration sslConfiguration() {
	if (vaultProperties.isSkipSslValidation()) {
		log.warn("The '" + VAULT_PROPERTIES_PREFIX + "skipSslValidation' property "
				+ "is not supported by this Vault environment repository implementation. "
				+ "Use the '" + VAULT_PROPERTIES_PREFIX
				+ "ssl` properties to provide "
				+ "custom keyStore and trustStore material instead.");
	}

	VaultEnvironmentProperties.Ssl ssl = vaultProperties.getSsl();

	SslConfiguration.KeyStoreConfiguration keyStoreConfiguration = getKeyStoreConfiguration(
			ssl.getKeyStore(), ssl.getKeyStorePassword());

	SslConfiguration.KeyStoreConfiguration trustStoreConfiguration = getKeyStoreConfiguration(
			ssl.getTrustStore(), ssl.getTrustStorePassword());

	return new SslConfiguration(keyStoreConfiguration, trustStoreConfiguration);
}
 

private KeyStoreConfiguration getKeyStoreConfiguration(String resourceProperty, String passwordProperty,
		String keystoreTypeProperty) {

	Resource keyStore = getResource(resourceProperty);
	String keyStorePassword = getProperty(passwordProperty);
	String keystoreType = getProperty(keystoreTypeProperty, SslConfiguration.PEM_KEYSTORE_TYPE);

	if (keyStore == null) {
		return KeyStoreConfiguration.unconfigured();
	}

	if (StringUtils.hasText(keyStorePassword)) {
		return KeyStoreConfiguration.of(keyStore, keyStorePassword.toCharArray(), keystoreType);
	}

	return KeyStoreConfiguration.of(keyStore).withStoreType(keystoreType);
}
 

@Test
public void customSslConfiguration() {
	VaultEnvironmentProperties properties = new VaultEnvironmentProperties();
	properties.getSsl().setKeyStore(new ClassPathResource("ssl-test.jks"));
	properties.getSsl().setKeyStorePassword("password");
	properties.getSsl().setTrustStore(new ClassPathResource("ssl-test.jks"));
	properties.getSsl().setTrustStorePassword("password");

	SpringVaultClientConfiguration configuration = getConfiguration(properties);
	SslConfiguration sslConfiguration = configuration.sslConfiguration();

	KeyStoreConfiguration keyStoreConfiguration = sslConfiguration
			.getKeyStoreConfiguration();
	KeyStoreConfiguration trustStoreConfiguration = sslConfiguration
			.getTrustStoreConfiguration();
	assertThat(keyStoreConfiguration.isPresent()).isTrue();
	assertThat(new String(keyStoreConfiguration.getStorePassword()))
			.isEqualTo("password");
	assertThat(trustStoreConfiguration.isPresent()).isTrue();
	assertThat(new String(trustStoreConfiguration.getStorePassword()))
			.isEqualTo("password");
}
 

static ClientHttpConnector usingReactorNetty(ClientOptions options, SslConfiguration sslConfiguration) {
	HttpClient client = HttpClient.create();

	if (hasSslConfiguration(sslConfiguration)) {

		SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
		configureSsl(sslConfiguration, sslContextBuilder);

		client = client.secure(builder -> {
			builder.sslContext(sslContextBuilder);
		});
	}

	client = client.tcpConfiguration(it -> it.option(ChannelOption.CONNECT_TIMEOUT_MILLIS,
			Math.toIntExact(options.getConnectionTimeout().toMillis())));

	return new ReactorClientHttpConnector(client);
}
 

private static void configureSsl(SslConfiguration sslConfiguration, SslContextBuilder sslContextBuilder) {

		try {

			if (sslConfiguration.getTrustStoreConfiguration().isPresent()) {
				sslContextBuilder
						.trustManager(createTrustManagerFactory(sslConfiguration.getTrustStoreConfiguration()));
			}

			if (sslConfiguration.getKeyStoreConfiguration().isPresent()) {
				sslContextBuilder.keyManager(createKeyManagerFactory(sslConfiguration.getKeyStoreConfiguration(),
						sslConfiguration.getKeyConfiguration()));
			}
		}
		catch (GeneralSecurityException | IOException e) {
			throw new IllegalStateException(e);
		}
	}
 

/**
 * Create a {@link ClientHttpConnector} for the given {@link ClientOptions} and
 * {@link SslConfiguration}.
 * @param options must not be {@literal null}
 * @param sslConfiguration must not be {@literal null}
 * @return a new {@link ClientHttpConnector}.
 */
public static ClientHttpConnector create(ClientOptions options, SslConfiguration sslConfiguration) {

	Assert.notNull(options, "ClientOptions must not be null");
	Assert.notNull(sslConfiguration, "SslConfiguration must not be null");

	if (REACTOR_NETTY_PRESENT) {
		return ReactorNetty.usingReactorNetty(options, sslConfiguration);
	}

	if (JETTY_PRESENT) {
		return JettyClient.usingJetty(options, sslConfiguration);
	}

	throw new IllegalStateException("No supported Reactive Http Client library available (Reactor Netty, Jetty)");
}
 

@Test
void httpComponentsClientUsingPemShouldWork() throws Exception {

	File caCertificate = new File(Settings.findWorkDir(), "ca/certs/ca.cert.pem");
	SslConfiguration sslConfiguration = SslConfiguration.forTrustStore(SslConfiguration.KeyStoreConfiguration
			.of(new FileSystemResource(caCertificate)).withStoreType(SslConfiguration.PEM_KEYSTORE_TYPE));

	ClientHttpRequestFactory factory = HttpComponents.usingHttpComponents(new ClientOptions(), sslConfiguration);
	RestTemplate template = new RestTemplate(factory);

	String response = request(template);

	assertThat(factory).isInstanceOf(HttpComponentsClientHttpRequestFactory.class);
	assertThat(response).isNotNull().contains("initialized");

	((DisposableBean) factory).destroy();
}
 

/**
 * Create a new {@link VaultInitializer} with the given {@link SslConfiguration} and
 * {@link VaultEndpoint}.
 * @param sslConfiguration must not be {@literal null}.
 * @param vaultEndpoint must not be {@literal null}.
 */
public VaultInitializer(SslConfiguration sslConfiguration, VaultEndpoint vaultEndpoint) {

	Assert.notNull(sslConfiguration, "SslConfiguration must not be null");
	Assert.notNull(vaultEndpoint, "VaultEndpoint must not be null");

	RestTemplate restTemplate = TestRestTemplateFactory.create(sslConfiguration);
	WebClient webClient = TestWebClientFactory.create(sslConfiguration);

	VaultTemplate vaultTemplate = new VaultTemplate(TestRestTemplateFactory.TEST_VAULT_ENDPOINT,
			restTemplate.getRequestFactory(), new PreparingSessionManager());

	this.token = Settings.token();

	this.prepareVault = new PrepareVault(webClient, TestRestTemplateFactory.create(sslConfiguration),
			vaultTemplate);
	this.vaultEndpoint = vaultEndpoint;
}
 

/**
 * Create a new {@link VaultRule} with the given {@link SslConfiguration} and
 * {@link VaultEndpoint}.
 * @param sslConfiguration must not be {@literal null}.
 * @param vaultEndpoint must not be {@literal null}.
 */
public VaultRule(SslConfiguration sslConfiguration, VaultEndpoint vaultEndpoint) {

	Assert.notNull(sslConfiguration, "SslConfiguration must not be null");
	Assert.notNull(vaultEndpoint, "VaultEndpoint must not be null");

	ClientHttpRequestFactory requestFactory = TestRestTemplateFactory
			.create(sslConfiguration).getRequestFactory();

	VaultTemplate vaultTemplate = new VaultTemplate(vaultEndpoint, requestFactory,
			new PreparingSessionManager());

	this.token = Settings.token();
	this.prepareVault = new PrepareVault(vaultTemplate);
	this.vaultEndpoint = vaultEndpoint;
}
 

@Test
public void configureSslUsesKeyStoreAndTrustStoreIfBothProvided() throws Exception {
    KeyVaultConfig keyVaultConfig = mock(KeyVaultConfig.class);
    EnvironmentVariableProvider envProvider = mock(EnvironmentVariableProvider.class);

    Path path = Files.createTempFile(UUID.randomUUID().toString(), ".tmp");
    path.toFile().deleteOnExit();

    when(keyVaultConfig.hasProperty("tlsKeyStorePath","tlsTrustStorePath")).thenReturn(true);

    when(keyVaultConfig.getProperty("tlsKeyStorePath")).thenReturn(Optional.of(path.toString()));
    when(keyVaultConfig.getProperty("tlsTrustStorePath")).thenReturn(Optional.of(path.toString()));

    SslConfiguration result = util.configureSsl(keyVaultConfig, envProvider);

    assertThat(result.getKeyStoreConfiguration().isPresent()).isTrue();
    assertThat(result.getTrustStoreConfiguration().isPresent()).isTrue();
}
 

@Test
public void configureSslUsesTrustStoreOnlyIfProvided() throws Exception {
    KeyVaultConfig keyVaultConfig = mock(KeyVaultConfig.class);
    EnvironmentVariableProvider envProvider = mock(EnvironmentVariableProvider.class);

    Path path = Files.createTempFile(UUID.randomUUID().toString(), ".tmp");
    path.toFile().deleteOnExit();

    when(keyVaultConfig.hasProperty("tlsTrustStorePath")).thenReturn(true);
    when(keyVaultConfig.hasProperty("tlsKeyStorePath")).thenReturn(false);

    when(keyVaultConfig.getProperty("tlsKeyStorePath")).thenReturn(Optional.empty());
    when(keyVaultConfig.getProperty("tlsTrustStorePath")).thenReturn(Optional.of(path.toString()));

    SslConfiguration result = util.configureSsl(keyVaultConfig, envProvider);

    assertThat(result.getKeyStoreConfiguration().isPresent()).isFalse();
    assertThat(result.getTrustStoreConfiguration().isPresent()).isTrue();
}
 

/**
 * Create a {@link SslConfiguration} given {@link Ssl SSL properties}.
 * @param ssl the SSL properties.
 * @return the SSL configuration.
 */
static SslConfiguration createSslConfiguration(Ssl ssl) {

	if (ssl == null) {
		return SslConfiguration.unconfigured();
	}

	KeyStoreConfiguration keyStore = KeyStoreConfiguration.unconfigured();
	KeyStoreConfiguration trustStore = KeyStoreConfiguration.unconfigured();

	if (ssl.getKeyStore() != null) {
		if (StringUtils.hasText(ssl.getKeyStorePassword())) {
			keyStore = KeyStoreConfiguration.of(ssl.getKeyStore(),
					ssl.getKeyStorePassword().toCharArray());
		}
		else {
			keyStore = KeyStoreConfiguration.of(ssl.getKeyStore());
		}
	}

	if (ssl.getTrustStore() != null) {

		if (StringUtils.hasText(ssl.getTrustStorePassword())) {
			trustStore = KeyStoreConfiguration.of(ssl.getTrustStore(),
					ssl.getTrustStorePassword().toCharArray());
		}
		else {
			trustStore = KeyStoreConfiguration.of(ssl.getTrustStore());
		}
	}

	return new SslConfiguration(keyStore, trustStore);
}
 

/**
 * Creates a {@link ClientHttpConnector} configured with {@link ClientOptions} and
 * {@link SslConfiguration} which are not necessarily applicable for the whole
 * application.
 * @param vaultProperties the Vault properties.
 * @return the {@link ClientHttpConnector}.
 */
private static ClientHttpConnector createConnector(VaultProperties vaultProperties) {

	ClientOptions clientOptions = new ClientOptions(
			Duration.ofMillis(vaultProperties.getConnectionTimeout()),
			Duration.ofMillis(vaultProperties.getReadTimeout()));

	SslConfiguration sslConfiguration = VaultConfigurationUtil
			.createSslConfiguration(vaultProperties.getSsl());

	return ClientHttpConnectorFactory.create(clientOptions, sslConfiguration);
}
 

private RestOperations getRestOperations(Map<String, String> properties) throws Exception {
  String vaultAddress = properties.get(HashicorpVaultAliasService.VAULT_ADDRESS_KEY);
  VaultEndpoint vaultEndpoint = VaultEndpoint.from(new URI(vaultAddress));
  VaultEndpointProvider vaultEndpointProvider = SimpleVaultEndpointProvider.of(vaultEndpoint);
  ClientOptions clientOptions = new ClientOptions();
  SslConfiguration sslConfiguration = SslConfiguration.unconfigured();
  ClientHttpRequestFactory clientHttpRequestFactory = ClientHttpRequestFactoryFactory.create(
      clientOptions, sslConfiguration);
  return VaultClients.createRestTemplate(vaultEndpointProvider, clientHttpRequestFactory);
}
 

static SslConfiguration prepareCertAuthenticationMethod(SslConfiguration.KeyConfiguration keyConfiguration) {

		SslConfiguration original = createSslConfiguration();

		return new SslConfiguration(KeyStoreConfiguration
				.of(new FileSystemResource(new File(findWorkDir(), "client-cert.jks")), "changeit".toCharArray()),
				keyConfiguration, original.getTrustStoreConfiguration());
	}
 

@Test
void shouldSelectKey() {

	WebClient webClient = TestWebClientFactory.create(
			prepareCertAuthenticationMethod(SslConfiguration.KeyConfiguration.of("changeit".toCharArray(), "1")));

	AuthenticationStepsOperator operator = new AuthenticationStepsOperator(
			ClientCertificateAuthentication.createAuthenticationSteps(), webClient);

	operator.getVaultToken() //
			.as(StepVerifier::create) //
			.expectNextCount(1) //
			.verifyComplete();
}
 

/**
 * Creates a {@link ClientFactoryWrapper} containing a
 * {@link ClientHttpRequestFactory}. {@link ClientHttpRequestFactory} is not exposed
 * as root bean because {@link ClientHttpRequestFactory} is configured with
 * {@link ClientOptions} and {@link SslConfiguration} which are not necessarily
 * applicable for the whole application.
 * @return the {@link ClientFactoryWrapper} to wrap a {@link ClientHttpRequestFactory}
 * instance.
 */
@Bean
@ConditionalOnMissingBean
public ClientFactoryWrapper clientHttpRequestFactoryWrapper() {

	ClientOptions clientOptions = new ClientOptions(
			Duration.ofMillis(this.vaultProperties.getConnectionTimeout()),
			Duration.ofMillis(this.vaultProperties.getReadTimeout()));

	SslConfiguration sslConfiguration = VaultConfigurationUtil
			.createSslConfiguration(this.vaultProperties.getSsl());

	return new ClientFactoryWrapper(
			ClientHttpRequestFactoryFactory.create(clientOptions, sslConfiguration));
}
 

@Test
void shouldSelectInvalidKey() {

	WebClient webClient = TestWebClientFactory.create(
			prepareCertAuthenticationMethod(SslConfiguration.KeyConfiguration.of("changeit".toCharArray(), "2")));

	AuthenticationStepsOperator operator = new AuthenticationStepsOperator(
			ClientCertificateAuthentication.createAuthenticationSteps(), webClient);

	operator.getVaultToken() //
			.as(StepVerifier::create) //
			.verifyError(VaultLoginException.class);
}
 

private static void initializeClientHttpRequestFactory(
		SslConfiguration sslConfiguration) throws Exception {

	if (factoryCache.get() != null) {
		return;
	}

	final ClientHttpRequestFactory clientHttpRequestFactory = ClientHttpRequestFactoryFactory
			.create(new ClientOptions(), sslConfiguration);

	if (factoryCache.compareAndSet(null, clientHttpRequestFactory)) {

		if (clientHttpRequestFactory instanceof InitializingBean) {
			((InitializingBean) clientHttpRequestFactory).afterPropertiesSet();
		}

		if (clientHttpRequestFactory instanceof DisposableBean) {

			Runtime.getRuntime().addShutdownHook(
					new Thread("ClientHttpRequestFactory Shutdown Hook") {

						@Override
						public void run() {
							try {
								((DisposableBean) clientHttpRequestFactory).destroy();
							}
							catch (Exception e) {
								e.printStackTrace();
							}
						}
					});
		}
	}
}
 

private static void initializeClientHttpRequestFactory(SslConfiguration sslConfiguration) throws Exception {

		if (factoryCache.get() != null) {
			return;
		}

		final ClientHttpRequestFactory clientHttpRequestFactory = ClientHttpRequestFactoryFactory
				.create(new ClientOptions(), sslConfiguration);

		if (factoryCache.compareAndSet(null, clientHttpRequestFactory)) {

			if (clientHttpRequestFactory instanceof InitializingBean) {
				((InitializingBean) clientHttpRequestFactory).afterPropertiesSet();
			}

			if (clientHttpRequestFactory instanceof DisposableBean) {

				Runtime.getRuntime().addShutdownHook(new Thread("ClientHttpRequestFactory Shutdown Hook") {

					@Override
					public void run() {
						try {
							((DisposableBean) clientHttpRequestFactory).destroy();
						}
						catch (Exception e) {
							e.printStackTrace();
						}
					}
				});
			}
		}
	}
 

/**
 * Create a new {@link RestTemplate} using the {@link SslConfiguration}. The
 * underlying {@link ClientHttpRequestFactory} is cached. See
 * {@link #create(ClientHttpRequestFactory)} to create {@link RestTemplate} for a
 * given {@link ClientHttpRequestFactory}.
 * @param sslConfiguration must not be {@literal null}.
 * @return
 */
public static RestTemplate create(SslConfiguration sslConfiguration) {

	Assert.notNull(sslConfiguration, "SslConfiguration must not be null!");

	try {
		initializeClientHttpRequestFactory(sslConfiguration);
		return create(factoryCache.get());
	}
	catch (Exception e) {
		throw new IllegalStateException(e);
	}
}
 

@Test
public void defaultSslConfiguration() {
	VaultEnvironmentProperties properties = new VaultEnvironmentProperties();

	SpringVaultClientConfiguration configuration = getConfiguration(properties);
	SslConfiguration sslConfiguration = configuration.sslConfiguration();

	assertThat(sslConfiguration.getKeyStoreConfiguration())
			.isEqualTo(KeyStoreConfiguration.unconfigured());
	assertThat(sslConfiguration.getTrustStoreConfiguration())
			.isEqualTo(KeyStoreConfiguration.unconfigured());
}
 

/**
 * @return the vault properties.
 */
public static SslConfiguration createSslConfiguration() {

	File workDir = findWorkDir();

	return SslConfiguration.forTrustStore(
			new FileSystemResource(new File(workDir, "keystore.jks")),
			"changeit".toCharArray());
}
 

/**
 * Create a new {@link WebClient} using the {@link SslConfiguration}. See
 * {@link ReactiveVaultClients#createWebClient(VaultEndpoint, ClientHttpConnector)} to
 * create {@link WebClient} for a given {@link ClientHttpConnector}.
 * @param sslConfiguration must not be {@literal null}.
 * @return
 */
public static WebClient create(SslConfiguration sslConfiguration) {

	Assert.notNull(sslConfiguration, "SslConfiguration must not be null!");

	try {
		ClientHttpConnector connector = ClientHttpConnectorFactory.create(new ClientOptions(), sslConfiguration);
		return ReactiveVaultClients.createWebClient(TEST_VAULT_ENDPOINT, connector);
	}
	catch (Exception e) {
		throw new IllegalStateException(e);
	}
}
 

/**
 * @return the vault properties.
 */
public static SslConfiguration createSslConfiguration() {

	File workDir = findWorkDir();

	return SslConfiguration.forTrustStore(new FileSystemResource(new File(workDir, "keystore.jks")),
			"changeit".toCharArray());
}
 

/**
 * Create a new {@link RestTemplate} using the {@link SslConfiguration}. The
 * underlying {@link ClientHttpRequestFactory} is cached. See
 * {@link #create(ClientHttpRequestFactory)} to create {@link RestTemplate} for a
 * given {@link ClientHttpRequestFactory}.
 * @param sslConfiguration must not be {@literal null}.
 * @return
 */
public static RestTemplate create(SslConfiguration sslConfiguration) {

	Assert.notNull(sslConfiguration, "SslConfiguration must not be null!");

	try {
		initializeClientHttpRequestFactory(sslConfiguration);
		return create(factoryCache.get());
	}
	catch (Exception e) {
		throw new IllegalStateException(e);
	}
}
 

static ClientHttpRequestFactory usingHttpComponents(ClientOptions options, SslConfiguration sslConfiguration)
		throws GeneralSecurityException, IOException {

	HttpClientBuilder httpClientBuilder = HttpClients.custom();

	httpClientBuilder.setRoutePlanner(
			new SystemDefaultRoutePlanner(DefaultSchemePortResolver.INSTANCE, ProxySelector.getDefault()));

	if (hasSslConfiguration(sslConfiguration)) {

		SSLContext sslContext = getSSLContext(sslConfiguration, getTrustManagers(sslConfiguration));
		SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
		httpClientBuilder.setSSLSocketFactory(sslSocketFactory);
		httpClientBuilder.setSSLContext(sslContext);
	}

	RequestConfig requestConfig = RequestConfig.custom()
			//
			.setConnectTimeout(Math.toIntExact(options.getConnectionTimeout().toMillis())) //
			.setSocketTimeout(Math.toIntExact(options.getReadTimeout().toMillis())) //
			.setAuthenticationEnabled(true) //
			.build();

	httpClientBuilder.setDefaultRequestConfig(requestConfig);

	// Support redirects
	httpClientBuilder.setRedirectStrategy(new LaxRedirectStrategy());

	return new HttpComponentsClientHttpRequestFactory(httpClientBuilder.build());
}
 

@Test
public void configureSslUsesNoKeyStoresIfNoneProvided() {
    KeyVaultConfig keyVaultConfig = mock(KeyVaultConfig.class);
    EnvironmentVariableProvider envProvider = mock(EnvironmentVariableProvider.class);

    when(keyVaultConfig.getProperty("tlsKeyStorePath")).thenReturn(Optional.empty());
    when(keyVaultConfig.getProperty("tlsTrustStorePath")).thenReturn(Optional.empty());

    SslConfiguration result = util.configureSsl(keyVaultConfig, envProvider);

    assertThat(result.getKeyStoreConfiguration().isPresent()).isFalse();
    assertThat(result.getTrustStoreConfiguration().isPresent()).isFalse();
}
 

@Test
public void createClientHttpRequestFactory() {
    ClientOptions clientOptions = mock(ClientOptions.class);
    SslConfiguration sslConfiguration = mock(SslConfiguration.class);

    SslConfiguration.KeyStoreConfiguration keyStoreConfiguration = mock(SslConfiguration.KeyStoreConfiguration.class);
    when(sslConfiguration.getKeyStoreConfiguration()).thenReturn(keyStoreConfiguration);
    when(sslConfiguration.getTrustStoreConfiguration()).thenReturn(keyStoreConfiguration);

    when(clientOptions.getConnectionTimeout()).thenReturn(Duration.ZERO);
    when(clientOptions.getReadTimeout()).thenReturn(Duration.ZERO);

    ClientHttpRequestFactory result = util.createClientHttpRequestFactory(clientOptions, sslConfiguration);

    assertThat(result).isInstanceOf(OkHttp3ClientHttpRequestFactory.class);
}