-
Notifications
You must be signed in to change notification settings - Fork 2.2k
KeyVault JCA: lazy-load certificate material and add alias regex filtering #49774
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
6c8ec90
86621f2
f4371a4
5507d46
cc494aa
b3cd9d5
7875700
a343059
a6fbf69
9d74fac
162a828
d588c4d
b4aae28
c553796
c73eb95
72887a0
ce99b3e
7ec6baf
f34921f
9506d26
35885e3
e67607c
8cddbf0
f1ce384
470b184
524655e
7662126
60907c2
d75b0e2
b3120a8
91a495c
a407a55
31c94e2
fb84762
e450841
7c23284
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,7 +29,9 @@ | |
| import java.util.Map; | ||
| import java.util.Objects; | ||
| import java.util.Optional; | ||
| import java.util.Set; | ||
| import java.util.logging.Logger; | ||
| import java.util.stream.Collectors; | ||
| import java.util.stream.Stream; | ||
|
|
||
| import static java.util.logging.Level.FINE; | ||
|
|
@@ -56,6 +58,9 @@ public final class KeyVaultKeyStore extends KeyStoreSpi { | |
| */ | ||
| private static final Logger LOGGER = Logger.getLogger(KeyVaultKeyStore.class.getName()); | ||
|
|
||
| static final String CERTIFICATE_ALIAS_FILTER_PATTERNS_PROPERTY | ||
| = "azure.keyvault.jca.certificate-alias-filter-patterns"; | ||
|
|
||
| /** | ||
| * Stores the Jre key store certificates. | ||
| */ | ||
|
|
@@ -146,9 +151,10 @@ public KeyVaultKeyStore() { | |
| customCertificates = SpecificPathCertificates.getSpecificPathCertificates(customPath); | ||
| LOGGER.log(FINE, String.format("Loaded custom certificates: %s.", customCertificates.getAliases())); | ||
|
|
||
| keyVaultCertificates = new KeyVaultCertificates(refreshInterval, keyVaultUri, tenantId, clientId, clientSecret, | ||
| managedIdentity, accessToken, disableChallengeResourceVerification); | ||
| LOGGER.log(FINE, String.format("Loaded Key Vault certificates: %s.", keyVaultCertificates.getAliases())); | ||
| keyVaultCertificates | ||
| = new KeyVaultCertificates(refreshInterval, keyVaultUri, tenantId, clientId, clientSecret, managedIdentity, | ||
| accessToken, disableChallengeResourceVerification, getKeyVaultCertificateAliasFilterPatterns()); | ||
| LOGGER.log(FINE, () -> String.format("Loaded Key Vault certificates: %s.", keyVaultCertificates.getAliases())); | ||
|
|
||
| classpathCertificates = new ClasspathCertificates(); | ||
| LOGGER.log(FINE, String.format("Loaded classpath certificates: %s.", classpathCertificates.getAliases())); | ||
|
|
@@ -168,6 +174,15 @@ Long getRefreshInterval() { | |
| .orElse(0L); | ||
| } | ||
|
|
||
| Set<String> getKeyVaultCertificateAliasFilterPatterns() { | ||
| return Optional.ofNullable(System.getProperty(CERTIFICATE_ALIAS_FILTER_PATTERNS_PROPERTY)) | ||
| .map(value -> Stream.of(value.split(",")) | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. another way: Use the number keys: -Dazure.keyvault.jca.certificate-alias-filter-pattern.1=abc.*
-Dazure.keyvault.jca.certificate-alias-filter-pattern.2=test.*
-Dazure.keyvault.jca.certificate-alias-filter-pattern.3=\d{1,5}Properties props = System.getProperties();
List<String> patterns =
props.stringPropertyNames()
.stream()
.filter(k -> k.startsWith("azure.keyvault.jca.certificate-alias-filter-patterns."))
.sorted()
.map(props::getProperty)
.toList();
|
||
| .map(String::trim) | ||
| .filter(pattern -> !pattern.isEmpty()) | ||
| .collect(Collectors.toSet())) | ||
| .orElse(Collections.emptySet()); | ||
| } | ||
|
|
||
| /** | ||
| * get key vault key store by system property | ||
| * | ||
|
|
@@ -254,16 +269,22 @@ public boolean engineEntryInstanceOf(String alias, Class<? extends KeyStore.Entr | |
| */ | ||
| @Override | ||
| public Certificate engineGetCertificate(String alias) { | ||
| Certificate certificate = allCertificates.stream() | ||
| .map(AzureCertificates::getCertificates) | ||
| .filter(a -> a.containsKey(alias)) | ||
| .findFirst() | ||
| .map(certificates -> certificates.get(alias)) | ||
| .orElse(null); | ||
| Certificate certificate = null; | ||
| for (AzureCertificates certificatesSource : allCertificates) { | ||
| if (certificatesSource instanceof KeyVaultCertificates) { | ||
| certificate = ((KeyVaultCertificates) certificatesSource).getCertificate(alias); | ||
| } else { | ||
| certificate = certificatesSource.getCertificates().get(alias); | ||
| } | ||
|
|
||
| if (certificate != null) { | ||
| break; | ||
| } | ||
| } | ||
|
|
||
| if (refreshCertificatesWhenHaveUnTrustCertificate && certificate == null) { | ||
| keyVaultCertificates.refreshCertificates(); | ||
| certificate = keyVaultCertificates.getCertificates().get(alias); | ||
| certificate = keyVaultCertificates.getCertificate(alias); | ||
| } | ||
|
rujche marked this conversation as resolved.
|
||
|
|
||
| return certificate; | ||
|
|
@@ -283,7 +304,7 @@ public String engineGetCertificateAlias(Certificate cert) { | |
| List<String> aliasList = getAllAliases(); | ||
| for (String candidateAlias : aliasList) { | ||
| Certificate certificate = engineGetCertificate(candidateAlias); | ||
| if (certificate.equals(cert)) { | ||
| if (certificate != null && certificate.equals(cert)) { | ||
| alias = candidateAlias; | ||
| break; | ||
| } | ||
|
|
@@ -307,16 +328,23 @@ public String engineGetCertificateAlias(Certificate cert) { | |
| */ | ||
| @Override | ||
| public Certificate[] engineGetCertificateChain(String alias) { | ||
| Certificate[] certificates = allCertificates.stream() | ||
| .map(AzureCertificates::getCertificateChains) | ||
| .filter(Objects::nonNull) | ||
| .filter(a -> a.containsKey(alias)) | ||
| .findFirst() | ||
| .map(m -> m.get(alias)) | ||
| .orElse(null); | ||
| Certificate[] certificates = null; | ||
| for (AzureCertificates certificatesSource : allCertificates) { | ||
| if (certificatesSource instanceof KeyVaultCertificates) { | ||
| certificates = ((KeyVaultCertificates) certificatesSource).getCertificateChain(alias); | ||
| } else { | ||
| Certificate[] certificateChain = certificatesSource.getCertificateChains().get(alias); | ||
| certificates = certificateChain == null ? null : certificateChain.clone(); | ||
| } | ||
|
|
||
| if (certificates != null) { | ||
| break; | ||
| } | ||
| } | ||
|
|
||
| if (refreshCertificatesWhenHaveUnTrustCertificate && certificates == null) { | ||
| keyVaultCertificates.refreshCertificates(); | ||
| return keyVaultCertificates.getCertificateChains().get(alias); | ||
| return keyVaultCertificates.getCertificateChain(alias); | ||
| } | ||
| return certificates; | ||
| } | ||
|
rujche marked this conversation as resolved.
|
||
|
|
@@ -358,12 +386,20 @@ public KeyStore.Entry engineGetEntry(String alias, KeyStore.ProtectionParameter | |
| */ | ||
| @Override | ||
| public Key engineGetKey(String alias, char[] password) { | ||
| return allCertificates.stream() | ||
| .map(AzureCertificates::getCertificateKeys) | ||
| .filter(a -> a.containsKey(alias)) | ||
| .findFirst() | ||
| .map(certificateKeys -> certificateKeys.get(alias)) | ||
| .orElse(null); | ||
| Key key = null; | ||
| for (AzureCertificates certificatesSource : allCertificates) { | ||
| if (certificatesSource instanceof KeyVaultCertificates) { | ||
| key = ((KeyVaultCertificates) certificatesSource).getCertificateKey(alias); | ||
| } else { | ||
| key = certificatesSource.getCertificateKeys().get(alias); | ||
| } | ||
|
|
||
| if (key != null) { | ||
| break; | ||
| } | ||
| } | ||
|
|
||
| return key; | ||
| } | ||
|
|
||
| /** | ||
|
|
||

Uh oh!
There was an error while loading. Please reload this page.