From 46d6fc0ade44165d70537dbfe6d6928f37062e8d Mon Sep 17 00:00:00 2001
From: Max Lambrecht
Date: Fri, 12 Jun 2020 08:06:07 -0300
Subject: [PATCH] Fix code issues. Improve README.

Signed-off-by: Max Lambrecht
---
 .../java/spiffe/workloadapi/X509Source.java | 2 -
 java-spiffe-provider/README.md | 47 ++++++++++---------
 .../spiffe/provider/SpiffeTrustManager.java | 5 +-
 3 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/java-spiffe-core/src/main/java/spiffe/workloadapi/X509Source.java b/java-spiffe-core/src/main/java/spiffe/workloadapi/X509Source.java
index 57f28ca..fb9e69e 100644
--- a/java-spiffe-core/src/main/java/spiffe/workloadapi/X509Source.java
+++ b/java-spiffe-core/src/main/java/spiffe/workloadapi/X509Source.java
@@ -125,8 +125,6 @@ public class X509Source implements X509SvidSource, BundleSource, Clo
  * @throws X509SourceException if the source could not be initialized
  */
 public static X509Source newSource(@NonNull X509SourceOptions options, @NonNull Duration timeout) throws SocketEndpointAddressException, X509SourceException {
-
- System.out.println("TIMEOUT: ***** " + timeout);
 if (options.workloadApiClient == null) {
 options.workloadApiClient = createClient(options);
 }
diff --git a/java-spiffe-provider/README.md b/java-spiffe-provider/README.md
index cc647bb..984a1a5 100644
--- a/java-spiffe-provider/README.md
+++ b/java-spiffe-provider/README.md
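Review bot: With the debug print gone, `newSource` still writes into the caller's argument — `options.workloadApiClient = createClient(options);` on the line after the removed println mutates the `X509SourceOptions` the caller passed in, which the Javadoc directly above the hunk does not mention and which makes a shared options object unsafe to reuse from concurrent callers. Either document it, e.g. `@param options source options; if {@code workloadApiClient} is null a client is created and stored back into this object`, or keep the created client in a local and leave the options untouched. The removed line was the only visible use of `timeout`; whether it is consumed further down cannot be seen here, as the body of `newSource` continues past the hunk.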
@@ -5,15 +5,16 @@ creating SSLContexts that are backed by the Workload API. ## Create an SSL Context backed by the Workload API -To create an SSL Context that uses a X509Source backed by the WorkloadAPI, having the environment variable -` SPIFFE_ENDPOINT_SOCKET` defined with the WorkloadAPI endpoint address, and the `ssl.spiffe.accept` -Security property defined in the `java.security` containing the list of SPIFFE IDs that the current workload -will trust for TLS connections. +To create an SSL Context that uses a `X509Source` backed by the Workload API, having the environment variable +` SPIFFE_ENDPOINT_SOCKET` defined with the Workload API endpoint address, and the `ssl.spiffe.accept` +Security property defined in the `java.security` file containing the list of SPIFFE IDs that the current workload +will trust for TLS connections: ``` + X509Source source = X509Source.newSource(); SslContextOptions options = SslContextOptions .builder() - .x509Source(x509Source.newSource()) + .x509Source(source) .build(); SSLContext sslContext = SpiffeSslContextFactory.getSslContext(options); 
@@ -21,19 +22,22 @@ will trust for TLS connections. See [HttpsServer example](src/main/java/spiffe/provider/examples/HttpsServer.java). -Alternatively, a different Workload API address can be used by passing it to the X509Source creation method, and the -Supplier of accepted SPIFFE IDs list can be provided as part of the `SslContextOptions`: +Alternatively, a different Workload API address can be used by passing it to the X509Source creation method, and a +`Supplier` of a list of accepted SPIFFE IDs can be provided as part of the `SslContextOptions`: ``` X509SourceOptions sourceOptions = X509SourceOptions .builder() - .spiffeSocketPath(spiffeSocket) + .spiffeSocketPath("unix:/tmp/agent.sock") .build(); + X509Source x509Source = X509Source.newSource(sourceOptions); + Supplier> spiffeIdListSupplier = () -> Collections.singletonList(SpiffeId.parse("spiffe://example.org/test")); + SslContextOptions sslContextOptions = SslContextOptions .builder() - .acceptedSpiffeIdsSupplier(acceptedSpiffeIdsListSupplier) + .acceptedSpiffeIdsSupplier(spiffeIdListSupplier ) .x509Source(x509Source) .build(); 
@@ -47,24 +51,23 @@ the list of SPIFFE IDs from a file. Java Security Providers are configured in the master security properties file `/jre/lib/security/java.security`. -The way to register a provider is to specify the Provider subclass name and priority in the format +The way to register a java security provider is by specifying the custom `Provider` subclass name and the priority in the +following format: ``` security.provider.= ``` -This declares a provider, and specifies its preference order n. +This declares a provider, and specifies its preference order `n`. ### Copy the JAR to the JVM extensions For installing the JAR file containing the provider classes as a bundled extension in the java platform, -copy build/libs/spiffe-provider--all.jar to /jre/lib/ext +copy `build/libs/java-spiffe-provider--all.jar` to `/jre/lib/ext`. #### Register the SPIFFE Provider -You can extend and override the master security properties file. - -Create a file `java.security` with the following content: +The master security properties file can be extended. Create a file `java.security` with the following content: ``` # Add the spiffe provider, change the for the correct consecutive number 
@@ -78,12 +81,12 @@ ssl.TrustManagerFactory.algorithm=Spiffe ssl.spiffe.accept=spiffe://example.org/workload, spiffe://example.org/workload2, spiffe://example2.org/workload ``` -In your `java.security` file: +In this `java.security` file: * replace `` following the order of the `# List of Providers` in the master file. -* replace the value of the custom property `ssl.spiffe.accept` with the Spiffe IDs of the workloads that are allowed to connect. -If the property is not present or if it's empty, any spiffe id will be authorized. +* replace the value of the custom property `ssl.spiffe.accept` with the SPIFFE IDs of the workloads that are allowed to connect. +***If the property is not present or if it's empty, no SPIFFE ID will be authorized.*** To pass your custom security properties file through the command line via system property when starting the JVM: @@ -105,7 +108,7 @@ export SPIFFE_ENDPOINT_SOCKET=/tmp/agent.sock ### Configure a Tomcat connector -Prerequisite: Having the SPIFFE Provided configured through the `java.security`. +***Prerequisite***: Having the SPIFFE Provider configured through the `java.security`. A Tomcat TLS connector that uses the `Spiffe` KeyStore can be configured as follows: @@ -123,7 +126,7 @@ A Tomcat TLS connector that uses the `Spiffe` KeyStore can be configured as foll Prerequisite: Having the SPIFFE Provided configured through the `java.security`. -A GRPC Server using a SSL context backed by the Workload API: +A `GRPC Server` using a SSL context backed by the Workload API: ``` KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SpiffeProviderConstants.ALGORITHM, SpiffeProviderConstants.PROVIDER_NAME); 
@@ -143,7 +146,7 @@ A GRPC Server using a SSL context backed by the Workload API: server.start(); ``` -The following alternative does not need the configuration through the `java.security`. +#### Configuration programmatically: The `SpiffeKeyManager` and `SpiffeTrustManager` can be created without resorting to factories, providing the constructors with a [X509Source instance](../java-spiffe-core/README.md#x509source). @@ -169,7 +172,7 @@ with a [X509Source instance](../java-spiffe-core/README.md#x509source). .build(); ``` -For the client, a ManagedChannel would be created using the `SpiffeKeyManager` and `SpiffeTrustManager` for configuring +For the client, a `ManagedChannel` would be created using the `SpiffeKeyManager` and `SpiffeTrustManager` for configuring the GRPC SSL context, analogous to the config for the Server: ``` diff --git a/java-spiffe-provider/src/main/java/spiffe/provider/SpiffeTrustManager.java b/java-spiffe-provider/src/main/java/spiffe/provider/SpiffeTrustManager.java index 22081fa..1f04b96 100644 --- a/java-spiffe-provider/src/main/java/spiffe/provider/SpiffeTrustManager.java +++ b/java-spiffe-provider/src/main/java/spiffe/provider/SpiffeTrustManager.java @@ -1,6 +1,7 @@ package spiffe.provider; import spiffe.bundle.BundleSource; +import spiffe.bundle.x509bundle.X509Bundle; import spiffe.exception.BundleNotFoundException; import spiffe.spiffeid.SpiffeId; import spiffe.svid.x509svid.X509SvidValidator; @@ -22,7 +23,7 @@ import java.util.function.Supplier; */ public final class SpiffeTrustManager extends X509ExtendedTrustManager { - private final BundleSource x509BundleSource; + private final BundleSource x509BundleSource; private final Supplier> acceptedSpiffeIdsSupplier; /** 
@@ -32,7 +33,7 @@ public final class SpiffeTrustManager extends X509ExtendedTrustManager {
  * @param x509BundleSource an implementation of a {@link BundleSource}
  * @param acceptedSpiffeIdsSupplier a Supplier of a list of accepted SPIFFE IDs.
  */
- public SpiffeTrustManager(BundleSource x509BundleSource,
+ public SpiffeTrustManager(BundleSource x509BundleSource,
 Supplier> acceptedSpiffeIdsSupplier) {
 this.x509BundleSource = x509BundleSource;
 this.acceptedSpiffeIdsSupplier = acceptedSpiffeIdsSupplier;
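Review bot: The constructor stores `x509BundleSource` and `acceptedSpiffeIdsSupplier` without a null check, so a null passed by a caller surfaces only as a NullPointerException in the middle of a TLS handshake instead of at construction time. Suggest `this.x509BundleSource = Objects.requireNonNull(x509BundleSource, "x509BundleSource");` and `this.acceptedSpiffeIdsSupplier = Objects.requireNonNull(acceptedSpiffeIdsSupplier, "acceptedSpiffeIdsSupplier");` (the `java.util.Objects` import lives outside this hunk). The `@param acceptedSpiffeIdsSupplier` Javadoc could also state what an empty list means for peer verification; the README change in this same commit says an empty `ssl.spiffe.accept` authorizes no SPIFFE ID, and the constructor contract should say the same if the supplier path behaves alike. The constructor's closing brace is outside the hunk.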