diff --git a/README.md b/README.md index 8c3db1c..fbed75e 100644 --- a/README.md +++ b/README.md @@ -26,26 +26,39 @@ X.509 and JWT SVIDs and bundles. Download -------- -The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.1). +The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.2). -The dependencies can be added to `pom.xml`: +The dependencies can be added to `pom.xml` + +To import the `java-spiffe-provider` component: +```xml + + io.spiffe + java-spiffe-provider + 0.6.2 + +``` +The `java-spiffe-provider` component imports the `java-spiffe-core` component. + +To just import the `java-spiffe-core` component: ```xml io.spiffe java-spiffe-core - 0.6.1 - - - io.spiffe - java-spiffe-provider - 0.6.1 + 0.6.2 ``` Using Gradle: + +Import `java-spiffe-provider`: ```gradle -implementation 'io.spiffe:java-spiffe-core:0.6.1' -implementation 'io.spiffe:java-spiffe-provider:0.6.1' +implementation group: 'io.spiffe', name: 'java-spiffe-provider', version: '0.6.2' +``` + +Import `java-spiffe-core`: +```gradle +implementation group: 'io.spiffe', name: 'java-spiffe-core', version: '0.6.2' ``` ### MacOS Support @@ -55,14 +68,14 @@ Add to your `pom.xml`: io.spiffe grpc-netty-macos - 0.6.1 + 0.6.2 runtime ``` Using Gradle: ```gradle -runtimeOnly 'io.spiffe:grpc-netty-macos:0.6.1' +runtimeOnly group: 'io.spiffe', name: 'grpc-netty-macos', version: '0.6.2' ``` ### Build the JARs diff --git a/build.gradle b/build.gradle index 6a64f44..2c9705a 100644 --- a/build.gradle +++ b/build.gradle @@ -12,7 +12,7 @@ allprojects { subprojects { group = 'io.spiffe' - version = '0.6.1' + version = '0.6.2' ext { grpcVersion = '1.31.1' diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java index 1d3499a..086fa7e 100644 
--- a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java +++ b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java @@ -6,6 +6,7 @@ import io.spiffe.exception.BundleNotFoundException; import io.spiffe.internal.CertificateUtils; import io.spiffe.spiffeid.SpiffeId; import lombok.NonNull; +import lombok.extern.java.Log; import lombok.val; import java.security.cert.CertPathValidatorException; @@ -18,6 +19,7 @@ import java.util.function.Supplier; /** * Provides methods to validate a chain of X.509 certificates using an X.509 bundle source. */ +@Log public final class X509SvidValidator { private X509SvidValidator() { @@ -61,9 +63,16 @@ public final class X509SvidValidator { @NonNull final Supplier> acceptedSpiffeIdsSupplier) throws CertificateException { val spiffeIdSet = acceptedSpiffeIdsSupplier.get(); + if (spiffeIdSet.isEmpty()) { + String error = "The supplier of accepted SPIFFE IDs supplied an empty set"; + log.warning(error); + throw new CertificateException(error); + } + val spiffeId = CertificateUtils.getSpiffeId(x509Certificate); if (!spiffeIdSet.contains(spiffeId)) { - final String error = "SPIFFE ID %s in X.509 certificate is not accepted"; + val error = String.format("SPIFFE ID %s in X.509 certificate is not accepted", spiffeId); + log.warning(String.format("Client SPIFFE ID validation failed: %s", error)); throw new CertificateException(String.format(error, spiffeId)); } } diff --git a/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java b/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java index 4448925..e676839 100644 --- a/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java +++ b/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java 
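Review bot: The rethrow at the end of the hunk still calls `String.format(error, spiffeId)` on a message that the new `val error = String.format(...)` line has already formatted, so the SPIFFE ID read from the peer certificate is pushed through `String.format` a second time as the format string, and a `%` sequence in that value would surface as a `java.util.IllegalFormatException` instead of the `CertificateException` callers handle; throw the already-built message: `throw new CertificateException(error);`. The new guard reads `spiffeIdSet.isEmpty()` without a null check, so a supplier that returns null fails with a NullPointerException rather than the CertificateException the branch produces — either document that contract or fold `spiffeIdSet == null ||` into the condition. The added warning says "Client SPIFFE ID validation failed", but nothing in the hunk restricts this method to client certificates, so the wording may mislead when it is used on the server side of a handshake. verifySpiffeId's signature and Javadoc start outside the hunk.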
@@ -25,6 +25,7 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeoutException; import java.util.function.Function; import java.util.logging.Level; +import java.util.stream.Collectors; import static io.spiffe.workloadapi.internal.ThreadUtils.await; @@ -139,9 +140,8 @@ public final class DefaultX509Source implements X509Source { * Returns the X.509 bundle for a given trust domain. * * @return an instance of a {@link X509Bundle} - * * @throws BundleNotFoundException is there is no bundle for the trust domain provided - * @throws IllegalStateException if the source is closed + * @throws IllegalStateException if the source is closed */ @Override public X509Bundle getBundleForTrustDomain(@NonNull final TrustDomain trustDomain) throws BundleNotFoundException { @@ -200,7 +200,8 @@ public final class DefaultX509Source implements X509Source { workloadApiClient.watchX509Context(new Watcher() { @Override public void onUpdate(final X509Context update) { - log.log(Level.INFO, "Received X509Context update"); + String spiffeIds = update.getX509Svids().stream().map(s -> s.getSpiffeId().toString()).collect(Collectors.joining(", ")); + log.log(Level.INFO, String.format("Received X509Context update: %s", spiffeIds)); setX509Context(update); done.countDown(); } diff --git a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java index ecbc5f6..85ad033 100644 --- a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java +++ b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java 
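Review bot: The new INFO line in onUpdate joins every SVID's SPIFFE ID and runs `String.format` on each update even when INFO is disabled; java.util.logging's supplier overload defers that work: `log.log(Level.INFO, () -> "Received X509Context update: " + spiffeIdsOf(update));`. Moving the stream expression into a small private helper such as `spiffeIdsOf(X509Context)` would also keep the anonymous Watcher readable instead of holding a one-line pipeline. I cannot tell from the hunk whether `getX509Svids()` may return null; if it can, the stream call needs a guard. The enclosing watchX509Context call starts outside the hunk.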
@@ -81,7 +81,7 @@ public class X509SvidValidatorTest { } @Test - void checkSpiffeId_givenASpiffeIdInTheListOfAcceptedIds_doesntThrowException() throws IOException, CertificateException, URISyntaxException { + void verifySpiffeId_givenASpiffeIdInTheListOfAcceptedIds_doesntThrowException() throws IOException, CertificateException, URISyntaxException { val spiffeId1 = SpiffeId.parse("spiffe://example.org/test"); val spiffeId2 = SpiffeId.parse("spiffe://example.org/test2"); @@ -91,7 +91,7 @@ public class X509SvidValidatorTest { } @Test - void checkSpiffeId_givenASpiffeIdNotInTheListOfAcceptedIds_throwsCertificateException() throws IOException, CertificateException, URISyntaxException { + void verifySpiffeId_givenASpiffeIdNotInTheListOfAcceptedIds_throwsCertificateException() throws IOException, CertificateException, URISyntaxException { val spiffeId1 = SpiffeId.parse("spiffe://example.org/other1"); val spiffeId2 = SpiffeId.parse("spiffe://example.org/other2"); val spiffeIdSet = Sets.newHashSet(spiffeId1, spiffeId2); @@ -104,6 +104,17 @@ public class X509SvidValidatorTest { } } + @Test + void verifySpiffeId_givenAnEmptySupplier_throwsCertificateException() { + try { + X509SvidValidator.verifySpiffeId(leaf.getCertificate(), Collections::emptySet); + fail("Should have thrown CertificateException"); + } catch (CertificateException e) { + assertEquals("The supplier of accepted SPIFFE IDs supplied an empty set", e.getMessage()); + } + + } + @Test void checkSpiffeId_nullX509Certificate_throwsNullPointerException() throws CertificateException { try { diff --git a/java-spiffe-helper/README.md b/java-spiffe-helper/README.md index 0281275..da977b8 100644 --- a/java-spiffe-helper/README.md +++ b/java-spiffe-helper/README.md 
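Review bot: The rename from `checkSpiffeId_` to `verifySpiffeId_` is applied to the first two test names, but the context line at the bottom of the third hunk still reads `checkSpiffeId_nullX509Certificate_throwsNullPointerException`, so tests of the same method end up with mixed prefixes. The new empty-supplier test uses the try/`fail`/catch pattern; `CertificateException e = assertThrows(CertificateException.class, () -> X509SvidValidator.verifySpiffeId(leaf.getCertificate(), Collections::emptySet));` followed by the existing `assertEquals` on `e.getMessage()` expresses the same check without the manual `fail`. Whether `assertThrows` is available depends on the JUnit version in use, which the hunk does not show.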
@@ -10,11 +10,11 @@ The Helper automatically gets the SVID updates and stores them in the KeyStore a On Linux: -`java -jar java-spiffe-helper-0.6.1-linux-x86_64.jar -c helper.conf` +`java -jar java-spiffe-helper-0.6.2-linux-x86_64.jar -c helper.conf` On Mac OS: -`java -jar java-spiffe-helper-0.6.1-osx-x86_64.jar -c helper.conf` +`java -jar java-spiffe-helper-0.6.2-osx-x86_64.jar -c helper.conf` (The jar can be found in `build/libs`, after running the gradle build) diff --git a/java-spiffe-provider/README.md b/java-spiffe-provider/README.md index 8bc949c..b2c0ad0 100644 --- a/java-spiffe-provider/README.md +++ b/java-spiffe-provider/README.md 
@@ -6,24 +6,23 @@ creating SSLContexts that are backed by the Workload API. ## Create an SSL Context backed by the Workload API To create an SSL Context that uses a `X509Source` backed by the Workload API, having the environment variable -` SPIFFE_ENDPOINT_SOCKET` defined with the Workload API endpoint address, and the `ssl.spiffe.accept` -Security property defined in the `java.security` file containing the list of SPIFFE IDs that the current workload +` SPIFFE_ENDPOINT_SOCKET` defined with the Workload API endpoint address. +The `SSLContext` is configured with a set of SPIFFE IDs that the current workload will trust for TLS connections: ``` X509Source source = DefaultX509Source.newSource(); + Supplier> acceptedSpiffeIds = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); SslContextOptions options = SslContextOptions .builder() .x509Source(source) + .acceptedSpiffeIdsSupplier(acceptedSpiffeIds) .build(); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(options); ``` - -See [HttpsServer example](src/test/java/io/spiffe/provider/examples/mtls/HttpsServer.java). - -Alternatively, a different Workload API address can be used by passing it to the X509Source creation method, and a -`Supplier` of a Set of accepted SPIFFE IDs can be provided as part of the `SslContextOptions`: + +Alternatively, a different Workload API address can be used by passing it to the X509Source creation method. ``` X509SourceOptions sourceOptions = X509SourceOptions 
@@ -32,12 +31,11 @@ Alternatively, a different Workload API address can be used by passing it to the .build(); X509Source x509Source = DefaultX509Source.newSource(sourceOptions); - - Supplier> spiffeIdSetSupplier = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); + Supplier> acceptedSpiffeIds = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); SslContextOptions sslContextOptions = SslContextOptions .builder() - .acceptedSpiffeIdsSupplier(spiffeIdSetSupplier) + .acceptedSpiffeIdsSupplier(acceptedSpiffeIds) .x509Source(x509Source) .build(); @@ -60,17 +58,19 @@ security.provider.= This declares a provider, and specifies its preference order `n`. -### Copy the JAR to the JVM extensions - +#### Java 8 For installing the JAR file containing the provider classes as a bundled extension in the java platform, copy `build/libs/java-spiffe-provider--all-linux-x86_64.jar` to `/jre/lib/ext`. In the case of testing the provider in Mac OS, the name of the jar will be `java-spiffe-provider--all-osx-x86_64.jar`. -#### Register the SPIFFE Provider +#### Java 9+ + +The `java-spiffe-provider` jar should be on the classpath. + +### Extend `java.security` properties file The master security properties file can be extended. Create a file `java.security` with the following content: - ``` # Add the spiffe provider, change the for the correct consecutive number security.provider.=io.spiffe.provider.SpiffeProvider @@ -120,7 +120,7 @@ in the `SslContextOptions`: SslContextOptions sslContextOptions = SslContextOptions .builder() .x509Source(x509Source) - .acceptAnySpiffeId(true) + .acceptAnySpiffeId() .build(); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(sslContextOptions); 
@@ -159,8 +159,8 @@ Prerequisite: Having the SPIFFE Provided configured through the `java.security`. A `GRPC Server` using an SSL context backed by the Workload API: ``` - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM, SpiffeProviderConstants.PROVIDER_NAME); - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM, SpiffeProviderConstants.PROVIDER_NAME); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM); SslContextBuilder sslContextBuilder = SslContextBuilder @@ -184,6 +184,8 @@ with a [X509Source instance](../java-spiffe-core/README.md#x509-source). ``` // create a new X.509 source using the default socket endpoint address X509Source x509Source = DefaultX509Source.newSource(); + + // KeyManager gets the X.509 cert and private key from the X.509 SVID source KeyManager keyManager = new SpiffeKeyManager(x509Source); // TrustManager gets the X509Source and the supplier of the Set of accepted SPIFFE IDs. @@ -207,8 +209,11 @@ the GRPC SSL context, analogous to the config for the Server: ``` X509Source x509Source = DefaultX509Source.newSource(); + KeyManager keyManager = new SpiffeKeyManager(x509Source); - TrustManager trustManager = new SpiffeTrustManager(x509Source, () -> SpiffeIdUtils.toSetOfSpiffeIds("spiffe://example.org/workload-server", ',')); + + Supplier> acceptedSpiffeIds = () -> SpiffeIdUtils.toSetOfSpiffeIds("spiffe://example.org/workload-server", ','); + TrustManager trustManager = new SpiffeTrustManager(x509Source, acceptedSpiffeIds); SslContextBuilder sslContextBuilder = SslContextBuilder .forClient() 
@@ -221,8 +226,13 @@ the GRPC SSL context, analogous to the config for the Server: .build(); ``` -## References +### Secure Socket Example: +See [HttpsServer example](src/test/java/io/spiffe/provider/examples/mtls/HttpsServer.java). -[How to Implement a Provider in the Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html) +## More information -[Java PKI Programmer's Guide](https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html) +[Java Platform Security Developer’s Guide](https://docs.oracle.com/en/java/javase/14/security/) + +[How to Implement a Provider in the Java Cryptography Architecture](https://docs.oracle.com/en/java/javase/14/security/howtoimplaprovider.html) + +[Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/14/security/java-pki-programmers-guide.html) diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java index 91aadf6..3f4a835 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java @@ -4,7 +4,6 @@ import io.spiffe.spiffeid.SpiffeId; import io.spiffe.workloadapi.DefaultX509Source; import io.spiffe.workloadapi.X509Source; import lombok.AccessLevel; -import lombok.Builder; import lombok.Data; import lombok.NonNull; import lombok.Setter; 
@@ -49,6 +48,11 @@ public final class SpiffeSslContextFactory { throw new IllegalArgumentException("x509Source option cannot be null, an X.509 Source must be provided"); } + if (!options.acceptAnySpiffeId && options.acceptedSpiffeIdsSupplier == null) { + throw new IllegalArgumentException("SSL context should be configured either with a Supplier " + + "of accepted SPIFFE IDs or with acceptAnySpiffeId=true"); + } + val sslContext = newSslContext(options); val trustManagers = newTrustManager(options); val keyManagers = new SpiffeKeyManagerFactory().engineGetKeyManagers(options.x509Source); @@ -109,7 +113,6 @@ public final class SpiffeSslContextFactory { @Setter(AccessLevel.NONE) private boolean acceptAnySpiffeId; - @Builder public SslContextOptions( final String sslProtocol, final X509Source x509Source, @@ -120,5 +123,43 @@ public final class SpiffeSslContextFactory { this.sslProtocol = sslProtocol; this.acceptAnySpiffeId = acceptAnySpiffeId; } + + public static SslContextOptionsBuilder builder() { + return new SslContextOptionsBuilder(); + } + + public static class SslContextOptionsBuilder { + private String sslProtocol; + private X509Source x509Source; + private Supplier> acceptedSpiffeIdsSupplier; + private boolean acceptAnySpiffeId; + + SslContextOptionsBuilder() { + } + + public SslContextOptionsBuilder sslProtocol(String sslProtocol) { + this.sslProtocol = sslProtocol; + return this; + } + + public SslContextOptionsBuilder x509Source(X509Source x509Source) { + this.x509Source = x509Source; + return this; + } + + public SslContextOptionsBuilder acceptedSpiffeIdsSupplier(Supplier> acceptedSpiffeIdsSupplier) { + this.acceptedSpiffeIdsSupplier = acceptedSpiffeIdsSupplier; + return this; + } + + public SslContextOptionsBuilder acceptAnySpiffeId() { + this.acceptAnySpiffeId = true; + return this; + } + + public SslContextOptions build() { + return new SslContextOptions(sslProtocol, x509Source, acceptedSpiffeIdsSupplier, acceptAnySpiffeId); + } + } } } 
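Review bot: The new guard's message tells the caller to use `acceptAnySpiffeId=true`, but with `@Builder` removed in the same commit the builder method is the argument-less `acceptAnySpiffeId()`, so the message points at a call shape that no longer exists; suggest `"of accepted SPIFFE IDs or with acceptAnySpiffeId()"` (the new test `getSslContext_noSupplierAndAcceptAnyNotSet` asserts the exact text and must change with it). Since getSslContext now rejects this configuration, its Javadoc should carry `@throws IllegalArgumentException if neither an accepted SPIFFE ID supplier nor acceptAnySpiffeId is configured`; the signature and Javadoc start outside the hunk, so I cannot see whether it already does. The hunk does not show which setting wins when both a supplier and acceptAnySpiffeId are configured; that precedence belongs in the same Javadoc.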
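Review bot: The hand-written `SslContextOptionsBuilder` carries no Javadoc on `acceptAnySpiffeId()`, which is the one builder method with a security consequence: per the SpiffeTrustManager change in this commit it switches off SPIFFE ID authorization, leaving only bundle-based validation of the peer chain. Suggest a Javadoc on it along the lines of `/** Accept any peer SPIFFE ID. The peer SVID is still validated against the trust bundle, but no SPIFFE ID authorization is performed; use only when authorization is enforced elsewhere. */`. The builder fields and `build()` are undocumented too; a class-level sentence stating that `build()` performs no validation and that `getSslContext` rejects an options object configured with neither a supplier nor acceptAnySpiffeId would spare readers a trip to the factory method.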
diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java index 42a8245..cdb0611 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java @@ -51,15 +51,15 @@ public final class SpiffeTrustManager extends X509ExtendedTrustManager { *

* Creates a {@link SpiffeTrustManager} with an X.509 bundle source used to provide the trusted bundles, * and a flag to indicate that any SPIFFE ID will be accepted. + *

+ * Any SPIFFE ID will be accepted during peer SVID validation. * * @param x509BundleSource an implementation of a {@link BundleSource} - * @param acceptAnySpiffeId a Supplier of a Set of accepted SPIFFE IDs. */ - public SpiffeTrustManager(@NonNull final BundleSource x509BundleSource, - final boolean acceptAnySpiffeId) { + public SpiffeTrustManager(@NonNull final BundleSource x509BundleSource) { this.x509BundleSource = x509BundleSource; this.acceptedSpiffeIdsSupplier = Collections::emptySet; - this.acceptAnySpiffeId = acceptAnySpiffeId; + this.acceptAnySpiffeId = true; } /** diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java index 87c1ac9..8925b4f 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java @@ -70,7 +70,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { final SpiffeTrustManager spiffeTrustManager; if (ACCEPT_ANY_SPIFFE_ID) { - spiffeTrustManager = new SpiffeTrustManager(x509Source, true); + spiffeTrustManager = new SpiffeTrustManager(x509Source); } else { spiffeTrustManager = new SpiffeTrustManager(x509Source, DEFAULT_SPIFFE_ID_SET_SUPPLIER); } @@ -92,8 +92,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { final SpiffeTrustManager spiffeTrustManager; if (ACCEPT_ANY_SPIFFE_ID) { - // make explicit that all SPIFFE IDs will be accepted - spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(x509BundleSource); } else { spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, DEFAULT_SPIFFE_ID_SET_SUPPLIER); } 
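Review bot: The constructor's Javadoc summary, still reading `* and a flag to indicate that any SPIFFE ID will be accepted.`, describes the boolean parameter this hunk removes, so the first sentence now contradicts the signature beneath it; change it to `* that accepts any SPIFFE ID during peer SVID validation.` and drop the added paragraph that repeats the same statement. With `this.acceptAnySpiffeId = true` now hard-wired, this Javadoc is the only place that tells a reader the one-argument constructor disables SPIFFE ID authorization, so its wording matters more than it did when the flag was an explicit argument. The surrounding class continues outside the hunk.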
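Review bot: The explanatory comment `// make explicit that all SPIFFE IDs will be accepted` is dropped in the @@ -92 hunk together with the boolean argument, which leaves the `ACCEPT_ANY_SPIFFE_ID` branch with no indication that it bypasses SPIFFE ID authorization; the one-argument constructor makes this less visible at the call site, not more, so I would keep the comment, and add the same one-liner to the matching branch in the @@ -70 hunk, which never had it. Both enclosing methods start outside their hunks.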
@@ -108,7 +107,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { * @return an instance of a {@link TrustManager} wrapped in an array. The actual type returned is {@link SpiffeTrustManager} */ public TrustManager[] engineGetTrustManagersAcceptAnySpiffeId(@NonNull final BundleSource x509BundleSource) { - val spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, true); + val spiffeTrustManager = new SpiffeTrustManager(x509BundleSource); return new TrustManager[]{spiffeTrustManager}; } diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java index 741d309..1015ba8 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java @@ -23,8 +23,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withX509Source() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { 
@@ -34,8 +38,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withSupplierOfSpiffeIds() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).acceptedSpiffeIdsSupplier(Collections::emptySet).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptedSpiffeIdsSupplier(Collections::emptySet) + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { @@ -45,8 +53,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withAcceptAny() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).acceptAnySpiffeId(true).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { @@ -56,8 +68,13 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withOtherSslProtocol() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).sslProtocol("TLSv1.1").build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .sslProtocol("TLSv1.1") + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { 
@@ -76,11 +93,33 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_nullX509Source() throws KeyManagementException, NoSuchAlgorithmException { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions.builder().build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .acceptAnySpiffeId() + .build(); try { SpiffeSslContextFactory.getSslContext(options); } catch (IllegalArgumentException e) { assertEquals("x509Source option cannot be null, an X.509 Source must be provided", e.getMessage()); } } + + @Test + void getSslContext_noSupplierAndAcceptAnyNotSet() { + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .build(); + try { + SpiffeSslContextFactory.getSslContext(options); + fail(); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + fail(e); + } catch (IllegalArgumentException e) { + assertEquals("SSL context should be configured either with a Supplier " + + "of accepted SPIFFE IDs or with acceptAnySpiffeId=true", e.getMessage()); + } + } } \ No newline at end of file diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java index 75d7da8..070d929 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java 
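Review bot: `getSslContext_nullX509Source` still passes when no exception is thrown, because its try block has no `fail()` after `SpiffeSslContextFactory.getSslContext(options);` — unlike the new `getSslContext_noSupplierAndAcceptAnyNotSet` directly below it, which does. Add `fail("Should have thrown IllegalArgumentException");` after the call so both negative-path tests are guarded the same way. The file also ends without a trailing newline (`\ No newline at end of file`), which most formatters will flag.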
@@ -28,7 +28,12 @@ class SpiffeSslSocketFactoryTest { @BeforeEach void setup() throws NoSuchAlgorithmException, KeyManagementException { X509SourceStub x509Source = new X509SourceStub(); - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions.builder().x509Source(x509Source).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); spiffeSslSocketFactory = new SpiffeSslSocketFactory(options); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(options); socketFactory = sslContext.getSocketFactory(); diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java index 6968f8a..cebcf3d 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java @@ -75,7 +75,7 @@ public class SpiffeTrustManagerTest { @Test void testCreateSpiffeTrustManager_nullSource() { try { - new SpiffeTrustManager(null, true); + new SpiffeTrustManager(null); fail(); } catch (Exception e) { assertEquals("x509BundleSource is marked non-null but is null", e.getMessage()); @@ -277,7 +277,7 @@ public class SpiffeTrustManagerTest { acceptedSpiffeIds = Collections.singleton(SpiffeId.parse("spiffe://example.org/other")); when(bundleSource.getBundleForTrustDomain(TrustDomain.of("example.org"))).thenReturn(bundleKnown); - spiffeTrustManager = new SpiffeTrustManager(bundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(bundleSource); try { spiffeTrustManager.checkClientTrusted(chain, ""); 
@@ -291,7 +291,7 @@ public class SpiffeTrustManagerTest { acceptedSpiffeIds = Collections.singleton(SpiffeId.parse("spiffe://example.org/other")); when(bundleSource.getBundleForTrustDomain(TrustDomain.of("example.org"))).thenReturn(bundleKnown); - spiffeTrustManager = new SpiffeTrustManager(bundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(bundleSource); try { spiffeTrustManager.checkClientTrusted(chain, "");