From 5a8d9d9056a86df7d21c31c20cc5cbeb9319b424 Mon Sep 17 00:00:00 2001 From: Max Lambrecht Date: Tue, 25 Aug 2020 13:08:52 -0300 Subject: [PATCH] Bump version to 0.6.2 Improve how the SpiffeTrustManager is configured to either validate SPIFFE IDs or acceptAny. Validate the SslContextOptions. Add visibility to some validation errors by logging warnings. Improve log of the X509Source update. Improve Spiffe Provider README. Signed-off-by: Max Lambrecht --- README.md | 37 ++++++++---- build.gradle | 2 +- .../svid/x509svid/X509SvidValidator.java | 11 +++- .../spiffe/workloadapi/DefaultX509Source.java | 7 ++- .../svid/x509svid/X509SvidValidatorTest.java | 15 ++++- java-spiffe-helper/README.md | 4 +- java-spiffe-provider/README.md | 52 ++++++++++------- .../provider/SpiffeSslContextFactory.java | 45 ++++++++++++++- .../spiffe/provider/SpiffeTrustManager.java | 8 +-- .../provider/SpiffeTrustManagerFactory.java | 7 +-- .../provider/SpiffeSslContextFactoryTest.java | 57 ++++++++++++++++--- .../provider/SpiffeSslSocketFactoryTest.java | 7 ++- .../provider/SpiffeTrustManagerTest.java | 6 +- 13 files changed, 193 insertions(+), 65 deletions(-) diff --git a/README.md b/README.md index 8c3db1c..fbed75e 100644 --- a/README.md +++ b/README.md 
@@ -26,26 +26,39 @@ X.509 and JWT SVIDs and bundles. Download -------- -The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.1). +The JARs can be downloaded from [Maven Central](https://search.maven.org/search?q=g:io.spiffe%20AND%20v:0.6.2). -The dependencies can be added to `pom.xml`: +The dependencies can be added to `pom.xml` + +To import the `java-spiffe-provider` component: +```xml + + io.spiffe + java-spiffe-provider + 0.6.2 + +``` +The `java-spiffe-provider` component imports the `java-spiffe-core` component. + +To just import the `java-spiffe-core` component: ```xml io.spiffe java-spiffe-core - 0.6.1 - - - io.spiffe - java-spiffe-provider - 0.6.1 + 0.6.2 ``` Using Gradle: + +Import `java-spiffe-provider`: ```gradle -implementation 'io.spiffe:java-spiffe-core:0.6.1' -implementation 'io.spiffe:java-spiffe-provider:0.6.1' +implementation group: 'io.spiffe', name: 'java-spiffe-provider', version: '0.6.2' +``` + +Import `java-spiffe-core`: +```gradle +implementation group: 'io.spiffe', name: 'java-spiffe-core', version: '0.6.2' ``` ### MacOS Support @@ -55,14 +68,14 @@ Add to your `pom.xml`: io.spiffe grpc-netty-macos - 0.6.1 + 0.6.2 runtime ``` Using Gradle: ```gradle -runtimeOnly 'io.spiffe:grpc-netty-macos:0.6.1' +runtimeOnly group: 'io.spiffe', name: 'grpc-netty-macos', version: '0.6.2' ``` ### Build the JARs diff --git a/build.gradle b/build.gradle index 6a64f44..2c9705a 100644 --- a/build.gradle +++ b/build.gradle @@ -12,7 +12,7 @@ allprojects { subprojects { group = 'io.spiffe' - version = '0.6.1' + version = '0.6.2' ext { grpcVersion = '1.31.1' diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java index 1d3499a..086fa7e 100644 --- a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java 
+++ b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509SvidValidator.java @@ -6,6 +6,7 @@ import io.spiffe.exception.BundleNotFoundException; import io.spiffe.internal.CertificateUtils; import io.spiffe.spiffeid.SpiffeId; import lombok.NonNull; +import lombok.extern.java.Log; import lombok.val; import java.security.cert.CertPathValidatorException; @@ -18,6 +19,7 @@ import java.util.function.Supplier; /** * Provides methods to validate a chain of X.509 certificates using an X.509 bundle source. */ +@Log public final class X509SvidValidator { private X509SvidValidator() { @@ -61,9 +63,16 @@ public final class X509SvidValidator { @NonNull final Supplier> acceptedSpiffeIdsSupplier) throws CertificateException { val spiffeIdSet = acceptedSpiffeIdsSupplier.get(); + if (spiffeIdSet.isEmpty()) { + String error = "The supplier of accepted SPIFFE IDs supplied an empty set"; + log.warning(error); + throw new CertificateException(error); + } + val spiffeId = CertificateUtils.getSpiffeId(x509Certificate); if (!spiffeIdSet.contains(spiffeId)) { - final String error = "SPIFFE ID %s in X.509 certificate is not accepted"; + val error = String.format("SPIFFE ID %s in X.509 certificate is not accepted", spiffeId); + log.warning(String.format("Client SPIFFE ID validation failed: %s", error)); throw new CertificateException(String.format(error, spiffeId)); } } diff --git a/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java b/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java index 4448925..e676839 100644 --- a/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java +++ b/java-spiffe-core/src/main/java/io/spiffe/workloadapi/DefaultX509Source.java 
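Review bot: `throw new CertificateException(String.format(error, spiffeId))` re-formats a message that the line above (`val error = String.format("SPIFFE ID %s in X.509 certificate is not accepted", spiffeId)`) has already rendered; running `String.format` a second time over text that now contains the SPIFFE ID throws an `IllegalFormatException` if that ID text contains a `%`, which escapes as an unchecked exception instead of the `CertificateException` the trust manager relies on — use `throw new CertificateException(error);`. The warning prefix `Client SPIFFE ID validation failed` is also misleading when the method runs on a server's certificate (the provider README in this commit wires a client-side `SpiffeTrustManager` with a set of accepted server IDs), so `"SPIFFE ID validation failed: %s"` is the safer wording. The new empty-set guard dereferences `spiffeIdSet` before checking it for `null`; if the supplier contract allows a `null` return, `if (spiffeIdSet == null || spiffeIdSet.isEmpty())` keeps that failure a `CertificateException` as well. The signature of the enclosing method (apparently `verifySpiffeId`, judging by the tests) is outside the hunk.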
@@ -25,6 +25,7 @@ import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeoutException; import java.util.function.Function; import java.util.logging.Level; +import java.util.stream.Collectors; import static io.spiffe.workloadapi.internal.ThreadUtils.await; @@ -139,9 +140,8 @@ public final class DefaultX509Source implements X509Source { * Returns the X.509 bundle for a given trust domain. * * @return an instance of a {@link X509Bundle} - * * @throws BundleNotFoundException is there is no bundle for the trust domain provided - * @throws IllegalStateException if the source is closed + * @throws IllegalStateException if the source is closed */ @Override public X509Bundle getBundleForTrustDomain(@NonNull final TrustDomain trustDomain) throws BundleNotFoundException { @@ -200,7 +200,8 @@ public final class DefaultX509Source implements X509Source { workloadApiClient.watchX509Context(new Watcher() { @Override public void onUpdate(final X509Context update) { - log.log(Level.INFO, "Received X509Context update"); + String spiffeIds = update.getX509Svids().stream().map(s -> s.getSpiffeId().toString()).collect(Collectors.joining(", ")); + log.log(Level.INFO, String.format("Received X509Context update: %s", spiffeIds)); setX509Context(update); done.countDown(); } diff --git a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java index ecbc5f6..85ad033 100644 --- a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java +++ b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidValidatorTest.java 
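Review bot: The new INFO line in `onUpdate` streams every SVID and calls `String.format` unconditionally, so the join runs on each rotation even when INFO logging is off; the parameterized form `log.log(Level.INFO, "Received X509Context update: {0}", spiffeIds)` with an `if (log.isLoggable(Level.INFO))` guard around the join avoids that. Logging only the SPIFFE IDs is reasonable from a disclosure standpoint since they are identifiers, not secrets; if `X509Context` also exposes the received bundles (not visible here), naming their trust domains on the same line would make bundle-rotation problems easier to diagnose. The method that registers this `Watcher` starts outside the hunk.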
@@ -81,7 +81,7 @@ public class X509SvidValidatorTest { } @Test - void checkSpiffeId_givenASpiffeIdInTheListOfAcceptedIds_doesntThrowException() throws IOException, CertificateException, URISyntaxException { + void verifySpiffeId_givenASpiffeIdInTheListOfAcceptedIds_doesntThrowException() throws IOException, CertificateException, URISyntaxException { val spiffeId1 = SpiffeId.parse("spiffe://example.org/test"); val spiffeId2 = SpiffeId.parse("spiffe://example.org/test2"); @@ -91,7 +91,7 @@ public class X509SvidValidatorTest { } @Test - void checkSpiffeId_givenASpiffeIdNotInTheListOfAcceptedIds_throwsCertificateException() throws IOException, CertificateException, URISyntaxException { + void verifySpiffeId_givenASpiffeIdNotInTheListOfAcceptedIds_throwsCertificateException() throws IOException, CertificateException, URISyntaxException { val spiffeId1 = SpiffeId.parse("spiffe://example.org/other1"); val spiffeId2 = SpiffeId.parse("spiffe://example.org/other2"); val spiffeIdSet = Sets.newHashSet(spiffeId1, spiffeId2); @@ -104,6 +104,17 @@ public class X509SvidValidatorTest { } } + @Test + void verifySpiffeId_givenAnEmptySupplier_throwsCertificateException() { + try { + X509SvidValidator.verifySpiffeId(leaf.getCertificate(), Collections::emptySet); + fail("Should have thrown CertificateException"); + } catch (CertificateException e) { + assertEquals("The supplier of accepted SPIFFE IDs supplied an empty set", e.getMessage()); + } + + } + @Test void checkSpiffeId_nullX509Certificate_throwsNullPointerException() throws CertificateException { try { diff --git a/java-spiffe-helper/README.md b/java-spiffe-helper/README.md index 0281275..da977b8 100644 --- a/java-spiffe-helper/README.md +++ b/java-spiffe-helper/README.md 
@@ -10,11 +10,11 @@ The Helper automatically gets the SVID updates and stores them in the KeyStore a On Linux: -`java -jar java-spiffe-helper-0.6.1-linux-x86_64.jar -c helper.conf` +`java -jar java-spiffe-helper-0.6.2-linux-x86_64.jar -c helper.conf` On Mac OS: -`java -jar java-spiffe-helper-0.6.1-osx-x86_64.jar -c helper.conf` +`java -jar java-spiffe-helper-0.6.2-osx-x86_64.jar -c helper.conf` (The jar can be found in `build/libs`, after running the gradle build) diff --git a/java-spiffe-provider/README.md b/java-spiffe-provider/README.md index 8bc949c..b2c0ad0 100644 --- a/java-spiffe-provider/README.md +++ b/java-spiffe-provider/README.md 
@@ -6,24 +6,23 @@ creating SSLContexts that are backed by the Workload API. ## Create an SSL Context backed by the Workload API To create an SSL Context that uses a `X509Source` backed by the Workload API, having the environment variable -` SPIFFE_ENDPOINT_SOCKET` defined with the Workload API endpoint address, and the `ssl.spiffe.accept` -Security property defined in the `java.security` file containing the list of SPIFFE IDs that the current workload +` SPIFFE_ENDPOINT_SOCKET` defined with the Workload API endpoint address. +The `SSLContext` is configured with a set of SPIFFE IDs that the current workload will trust for TLS connections: ``` X509Source source = DefaultX509Source.newSource(); + Supplier> acceptedSpiffeIds = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); SslContextOptions options = SslContextOptions .builder() .x509Source(source) + .acceptedSpiffeIdsSupplier(acceptedSpiffeIds) .build(); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(options); ``` - -See [HttpsServer example](src/test/java/io/spiffe/provider/examples/mtls/HttpsServer.java). - -Alternatively, a different Workload API address can be used by passing it to the X509Source creation method, and a -`Supplier` of a Set of accepted SPIFFE IDs can be provided as part of the `SslContextOptions`: + +Alternatively, a different Workload API address can be used by passing it to the X509Source creation method. ``` X509SourceOptions sourceOptions = X509SourceOptions 
@@ -32,12 +31,11 @@ Alternatively, a different Workload API address can be used by passing it to the .build(); X509Source x509Source = DefaultX509Source.newSource(sourceOptions); - - Supplier> spiffeIdSetSupplier = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); + Supplier> acceptedSpiffeIds = () -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test")); SslContextOptions sslContextOptions = SslContextOptions .builder() - .acceptedSpiffeIdsSupplier(spiffeIdSetSupplier) + .acceptedSpiffeIdsSupplier(acceptedSpiffeIds) .x509Source(x509Source) .build(); @@ -60,17 +58,19 @@ security.provider.= This declares a provider, and specifies its preference order `n`. -### Copy the JAR to the JVM extensions - +#### Java 8 For installing the JAR file containing the provider classes as a bundled extension in the java platform, copy `build/libs/java-spiffe-provider--all-linux-x86_64.jar` to `/jre/lib/ext`. In the case of testing the provider in Mac OS, the name of the jar will be `java-spiffe-provider--all-osx-x86_64.jar`. -#### Register the SPIFFE Provider +#### Java 9+ + +The `java-spiffe-provider` jar should be on the classpath. + +### Extend `java.security` properties file The master security properties file can be extended. Create a file `java.security` with the following content: - ``` # Add the spiffe provider, change the for the correct consecutive number security.provider.=io.spiffe.provider.SpiffeProvider @@ -120,7 +120,7 @@ in the `SslContextOptions`: SslContextOptions sslContextOptions = SslContextOptions .builder() .x509Source(x509Source) - .acceptAnySpiffeId(true) + .acceptAnySpiffeId() .build(); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(sslContextOptions); 
@@ -159,8 +159,8 @@ Prerequisite: Having the SPIFFE Provided configured through the `java.security`. A `GRPC Server` using an SSL context backed by the Workload API: ``` - KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM, SpiffeProviderConstants.PROVIDER_NAME); - TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM, SpiffeProviderConstants.PROVIDER_NAME); + KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM); + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM); SslContextBuilder sslContextBuilder = SslContextBuilder @@ -184,6 +184,8 @@ with a [X509Source instance](../java-spiffe-core/README.md#x509-source). ``` // create a new X.509 source using the default socket endpoint address X509Source x509Source = DefaultX509Source.newSource(); + + // KeyManager gets the X.509 cert and private key from the X.509 SVID source KeyManager keyManager = new SpiffeKeyManager(x509Source); // TrustManager gets the X509Source and the supplier of the Set of accepted SPIFFE IDs. @@ -207,8 +209,11 @@ the GRPC SSL context, analogous to the config for the Server: ``` X509Source x509Source = DefaultX509Source.newSource(); + KeyManager keyManager = new SpiffeKeyManager(x509Source); - TrustManager trustManager = new SpiffeTrustManager(x509Source, () -> SpiffeIdUtils.toSetOfSpiffeIds("spiffe://example.org/workload-server", ',')); + + Supplier> acceptedSpiffeIds = () -> SpiffeIdUtils.toSetOfSpiffeIds("spiffe://example.org/workload-server", ','); + TrustManager trustManager = new SpiffeTrustManager(x509Source, acceptedSpiffeIds); SslContextBuilder sslContextBuilder = SslContextBuilder .forClient() 
@@ -221,8 +226,13 @@ the GRPC SSL context, analogous to the config for the Server: .build(); ``` -## References +### Secure Socket Example: +See [HttpsServer example](src/test/java/io/spiffe/provider/examples/mtls/HttpsServer.java). -[How to Implement a Provider in the Java Cryptography Architecture](https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html) +## More information -[Java PKI Programmer's Guide](https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html) +[Java Platform Security Developer’s Guide](https://docs.oracle.com/en/java/javase/14/security/) + +[How to Implement a Provider in the Java Cryptography Architecture](https://docs.oracle.com/en/java/javase/14/security/howtoimplaprovider.html) + +[Java PKI Programmer's Guide](https://docs.oracle.com/en/java/javase/14/security/java-pki-programmers-guide.html) diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java index 91aadf6..3f4a835 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeSslContextFactory.java @@ -4,7 +4,6 @@ import io.spiffe.spiffeid.SpiffeId; import io.spiffe.workloadapi.DefaultX509Source; import io.spiffe.workloadapi.X509Source; import lombok.AccessLevel; -import lombok.Builder; import lombok.Data; import lombok.NonNull; import lombok.Setter; 
@@ -49,6 +48,11 @@ public final class SpiffeSslContextFactory { throw new IllegalArgumentException("x509Source option cannot be null, an X.509 Source must be provided"); } + if (!options.acceptAnySpiffeId && options.acceptedSpiffeIdsSupplier == null) { + throw new IllegalArgumentException("SSL context should be configured either with a Supplier " + + "of accepted SPIFFE IDs or with acceptAnySpiffeId=true"); + } + val sslContext = newSslContext(options); val trustManagers = newTrustManager(options); val keyManagers = new SpiffeKeyManagerFactory().engineGetKeyManagers(options.x509Source); @@ -109,7 +113,6 @@ public final class SpiffeSslContextFactory { @Setter(AccessLevel.NONE) private boolean acceptAnySpiffeId; - @Builder public SslContextOptions( final String sslProtocol, final X509Source x509Source, @@ -120,5 +123,43 @@ public final class SpiffeSslContextFactory { this.sslProtocol = sslProtocol; this.acceptAnySpiffeId = acceptAnySpiffeId; } + + public static SslContextOptionsBuilder builder() { + return new SslContextOptionsBuilder(); + } + + public static class SslContextOptionsBuilder { + private String sslProtocol; + private X509Source x509Source; + private Supplier> acceptedSpiffeIdsSupplier; + private boolean acceptAnySpiffeId; + + SslContextOptionsBuilder() { + } + + public SslContextOptionsBuilder sslProtocol(String sslProtocol) { + this.sslProtocol = sslProtocol; + return this; + } + + public SslContextOptionsBuilder x509Source(X509Source x509Source) { + this.x509Source = x509Source; + return this; + } + + public SslContextOptionsBuilder acceptedSpiffeIdsSupplier(Supplier> acceptedSpiffeIdsSupplier) { + this.acceptedSpiffeIdsSupplier = acceptedSpiffeIdsSupplier; + return this; + } + + public SslContextOptionsBuilder acceptAnySpiffeId() { + this.acceptAnySpiffeId = true; + return this; + } + + public SslContextOptions build() { + return new SslContextOptions(sslProtocol, x509Source, acceptedSpiffeIdsSupplier, acceptAnySpiffeId); + } + } } } 
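Review bot: The new check rejects the case where neither policy is set but says nothing about the case where both are: `acceptAnySpiffeId()` and `acceptedSpiffeIdsSupplier(...)` can be chained on the same builder, and which one wins is decided inside `SpiffeTrustManager`, which is not visible here. A contradictory configuration should fail fast rather than silently resolve to "accept any": `if (options.acceptAnySpiffeId && options.acceptedSpiffeIdsSupplier != null) { throw new IllegalArgumentException("acceptAnySpiffeId and acceptedSpiffeIdsSupplier are mutually exclusive"); }`. The `getSslContext` method holding these checks starts outside the hunk.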
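Review bot: The hand-written `SslContextOptionsBuilder` that replaces Lombok's `@Builder` carries no Javadoc, and `acceptAnySpiffeId()` is the one method whose consequence a caller most needs to see before using it. A doc comment such as `Accept any SPIFFE ID from the peer: only the certificate chain is validated against the bundle source and no peer identity authorization is performed; not meant to be combined with {@link #acceptedSpiffeIdsSupplier}.` would carry the security meaning to the call site, and `build()` could note that `SpiffeSslContextFactory.getSslContext` validates the resulting options. The `SslContextOptions` class containing this builder starts outside the hunk.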
diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java index 42a8245..cdb0611 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManager.java @@ -51,15 +51,15 @@ public final class SpiffeTrustManager extends X509ExtendedTrustManager { *

* Creates a {@link SpiffeTrustManager} with an X.509 bundle source used to provide the trusted bundles, * and a flag to indicate that any SPIFFE ID will be accepted. + *

+ * Any SPIFFE ID will be accepted during peer SVID validation. * * @param x509BundleSource an implementation of a {@link BundleSource} - * @param acceptAnySpiffeId a Supplier of a Set of accepted SPIFFE IDs. */ - public SpiffeTrustManager(@NonNull final BundleSource x509BundleSource, - final boolean acceptAnySpiffeId) { + public SpiffeTrustManager(@NonNull final BundleSource x509BundleSource) { this.x509BundleSource = x509BundleSource; this.acceptedSpiffeIdsSupplier = Collections::emptySet; - this.acceptAnySpiffeId = acceptAnySpiffeId; + this.acceptAnySpiffeId = true; } /** diff --git a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java index 87c1ac9..8925b4f 100644 --- a/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java +++ b/java-spiffe-provider/src/main/java/io/spiffe/provider/SpiffeTrustManagerFactory.java @@ -70,7 +70,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { final SpiffeTrustManager spiffeTrustManager; if (ACCEPT_ANY_SPIFFE_ID) { - spiffeTrustManager = new SpiffeTrustManager(x509Source, true); + spiffeTrustManager = new SpiffeTrustManager(x509Source); } else { spiffeTrustManager = new SpiffeTrustManager(x509Source, DEFAULT_SPIFFE_ID_SET_SUPPLIER); } @@ -92,8 +92,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { final SpiffeTrustManager spiffeTrustManager; if (ACCEPT_ANY_SPIFFE_ID) { - // make explicit that all SPIFFE IDs will be accepted - spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(x509BundleSource); } else { spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, DEFAULT_SPIFFE_ID_SET_SUPPLIER); } 
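Review bot: The Javadoc summary still says the constructor takes `a flag to indicate that any SPIFFE ID will be accepted`, but the flag parameter has been removed and the behaviour is now unconditional, so the first sentence is stale; replace it with `Creates a {@link SpiffeTrustManager} that validates the peer chain against the bundle source and accepts any SPIFFE ID.` Since the shortest constructor is now the one that disables peer identity authorization, add a line such as `Use {@link #SpiffeTrustManager(BundleSource, Supplier)} to restrict the SPIFFE IDs this trust manager accepts.` so callers see what they are opting out of; a named static factory (e.g. `acceptingAnySpiffeId(source)`) would make that explicit at call sites, but is a wider API change than this commit. The enclosing class starts outside the hunk.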
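Review bot: In the `@@ -92,8 +92,7 @@` hunk the comment `// make explicit that all SPIFFE IDs will be accepted` is dropped together with the `true` argument, so nothing at the call site now signals that this branch disables peer identity authorization — `new SpiffeTrustManager(x509BundleSource)` reads like the default case. Keeping a one-line comment, e.g. `// ACCEPT_ANY_SPIFFE_ID is set: peer chains are validated but no SPIFFE ID is authorized`, costs nothing, and the same applies to the `@@ -70` hunk above it. Both branches sit in methods whose signatures are outside the hunk.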
@@ -108,7 +107,7 @@ public class SpiffeTrustManagerFactory extends TrustManagerFactorySpi { * @return an instance of a {@link TrustManager} wrapped in an array. The actual type returned is {@link SpiffeTrustManager} */ public TrustManager[] engineGetTrustManagersAcceptAnySpiffeId(@NonNull final BundleSource x509BundleSource) { - val spiffeTrustManager = new SpiffeTrustManager(x509BundleSource, true); + val spiffeTrustManager = new SpiffeTrustManager(x509BundleSource); return new TrustManager[]{spiffeTrustManager}; } diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java index 741d309..1015ba8 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslContextFactoryTest.java @@ -23,8 +23,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withX509Source() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { 
@@ -34,8 +38,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withSupplierOfSpiffeIds() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).acceptedSpiffeIdsSupplier(Collections::emptySet).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptedSpiffeIdsSupplier(Collections::emptySet) + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { @@ -45,8 +53,12 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withAcceptAny() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).acceptAnySpiffeId(true).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { @@ -56,8 +68,13 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_withOtherSslProtocol() { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions - .builder().x509Source(x509Source).sslProtocol("TLSv1.1").build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .sslProtocol("TLSv1.1") + .build(); try { assertNotNull(SpiffeSslContextFactory.getSslContext(options)); } catch (NoSuchAlgorithmException | KeyManagementException e) { 
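Review bot: `getSslContext_withSupplierOfSpiffeIds` passes `Collections::emptySet` as the supplier, which after this commit's `X509SvidValidator` change is a configuration that rejects every peer at handshake time, so the test name promises more than the fixture delivers. A realistic supplier such as `() -> Collections.singleton(SpiffeId.parse("spiffe://example.org/test"))` would keep the test meaningful, and a separate test could then cover the empty-set case explicitly. The test class and its `x509Source` fixture start outside the hunk.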
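Review bot: `getSslContext_withOtherSslProtocol` pins `sslProtocol("TLSv1.1")`, a protocol version deprecated by RFC 8996 and, in later JDK updates, listed in `jdk.tls.disabledAlgorithms` by default, so the test endorses a configuration the factory should arguably not accept; `"TLSv1.3"` or `"TLSv1.2"` would exercise the "other protocol" path without that. Whether `newSslContext` validates the protocol string is not visible here; if it does not, rejecting or at least warning on pre-1.2 values would fit the option validation this commit adds to `getSslContext`. The test class and its `x509Source` fixture start outside the hunk.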
@@ -76,11 +93,33 @@ class SpiffeSslContextFactoryTest { @Test void getSslContext_nullX509Source() throws KeyManagementException, NoSuchAlgorithmException { - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions.builder().build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .acceptAnySpiffeId() + .build(); try { SpiffeSslContextFactory.getSslContext(options); } catch (IllegalArgumentException e) { assertEquals("x509Source option cannot be null, an X.509 Source must be provided", e.getMessage()); } } + + @Test + void getSslContext_noSupplierAndAcceptAnyNotSet() { + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .build(); + try { + SpiffeSslContextFactory.getSslContext(options); + fail(); + } catch (NoSuchAlgorithmException | KeyManagementException e) { + fail(e); + } catch (IllegalArgumentException e) { + assertEquals("SSL context should be configured either with a Supplier " + + "of accepted SPIFFE IDs or with acceptAnySpiffeId=true", e.getMessage()); + } + } } \ No newline at end of file diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java index 75d7da8..070d929 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeSslSocketFactoryTest.java 
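Review bot: `getSslContext_nullX509Source` still has no `fail()` after `SpiffeSslContextFactory.getSslContext(options);`, so the test passes silently if the factory ever stops throwing; add `fail();` as the new `getSslContext_noSupplierAndAcceptAnyNotSet` immediately below does. That new test asserts the full error text, which couples it to the message wording; asserting on the exception type, or a stable prefix, would survive copy edits to the message. The test class and its `x509Source` fixture start outside the hunk.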
@@ -28,7 +28,12 @@ class SpiffeSslSocketFactoryTest { @BeforeEach void setup() throws NoSuchAlgorithmException, KeyManagementException { X509SourceStub x509Source = new X509SourceStub(); - SpiffeSslContextFactory.SslContextOptions options = SpiffeSslContextFactory.SslContextOptions.builder().x509Source(x509Source).build(); + SpiffeSslContextFactory.SslContextOptions options = + SpiffeSslContextFactory.SslContextOptions + .builder() + .x509Source(x509Source) + .acceptAnySpiffeId() + .build(); spiffeSslSocketFactory = new SpiffeSslSocketFactory(options); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(options); socketFactory = sslContext.getSocketFactory(); diff --git a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java index 6968f8a..cebcf3d 100644 --- a/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java +++ b/java-spiffe-provider/src/test/java/io/spiffe/provider/SpiffeTrustManagerTest.java @@ -75,7 +75,7 @@ public class SpiffeTrustManagerTest { @Test void testCreateSpiffeTrustManager_nullSource() { try { - new SpiffeTrustManager(null, true); + new SpiffeTrustManager(null); fail(); } catch (Exception e) { assertEquals("x509BundleSource is marked non-null but is null", e.getMessage()); @@ -277,7 +277,7 @@ public class SpiffeTrustManagerTest { acceptedSpiffeIds = Collections.singleton(SpiffeId.parse("spiffe://example.org/other")); when(bundleSource.getBundleForTrustDomain(TrustDomain.of("example.org"))).thenReturn(bundleKnown); - spiffeTrustManager = new SpiffeTrustManager(bundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(bundleSource); try { spiffeTrustManager.checkClientTrusted(chain, ""); 
@@ -291,7 +291,7 @@ public class SpiffeTrustManagerTest { acceptedSpiffeIds = Collections.singleton(SpiffeId.parse("spiffe://example.org/other")); when(bundleSource.getBundleForTrustDomain(TrustDomain.of("example.org"))).thenReturn(bundleKnown); - spiffeTrustManager = new SpiffeTrustManager(bundleSource, true); + spiffeTrustManager = new SpiffeTrustManager(bundleSource); try { spiffeTrustManager.checkClientTrusted(chain, "");