feat(webhook): Single-identity mTLS webhook configuration #4790
Conversation
jcavanagh
force-pushed
the
mtls-webhook
branch
3 times, most recently
from
24baa3d to
bae7fe6
Compare
Allows configuring a single X509 identity to use as the client identity for all outgoing webhooks. Also enhances existing trust functionality to accept PEM CA certificates. When using keystores, an encrypted private key entry is required - passwordless unencrypted private keys in keystores are not supported. Use PEM instead. Similarly, keystores without passwords are also not supported. When using PEM, assumes no key encryption.
jcavanagh
force-pushed
the
mtls-webhook
branch
from
bae7fe6 to
aa23f0f
Compare
| }); | ||
|
|
||
| if (webhookProperties.isInsecureSkipHostnameVerification()) { | ||
| builder.hostnameVerifier((hostname, session) -> true); |
There was a problem hiding this comment.
Hostname verification needs to be disabled for testing, as OkHttp does validate certificate hosts by default
| @@ -73,9 +76,9 @@ public WebhookConfiguration(WebhookProperties webhookProperties) { | |||
| @Bean | |||
| @ConditionalOnMissingBean(RestTemplate.class) | |||
| public RestTemplate restTemplate(ClientHttpRequestFactory webhookRequestFactory) { | |||
| RestTemplate restTemplate = new RestTemplate(webhookRequestFactory); | |||
| var restTemplate = new RestTemplate(webhookRequestFactory); | |||
There was a problem hiding this comment.
Converted a bunch of types to var for legibility
| getCustomTrustStore().ifPresent(keyStore -> trustManagers.add(getTrustManager(keyStore))); | ||
|
|
||
| if (webhookProperties.isInsecureTrustSelfSigned()) { | ||
| trustManagers.add( |
There was a problem hiding this comment.
Another testing-only option to disable trust checks for situations that cannot or do not provide custom CA files.
| throw new RuntimeException(e); | ||
| if (StringUtils.isNotEmpty(identitySettings.getIdentityStore())) { | ||
| var identity = | ||
| X509IdentitySource.fromKeyStore( |
There was a problem hiding this comment.
Constructs a client identity from a keystore. The keystore must be password protected, and the private key entry in the store also must be password protected. For unencrypted keys, use PEM config instead.
| return Optional.of(identity.load()); | ||
| } else if (StringUtils.isNotEmpty(identitySettings.getIdentityKeyPem())) { | ||
| return Optional.of( | ||
| X509IdentitySource.fromPEM( |
There was a problem hiding this comment.
Constructs a client identity from PEM key and PEM cert. No encryption or password-protection supported.
|
|
||
| // Use keystore first if set, then try PEM | ||
| if (StringUtils.isNotEmpty(trustSettings.getTrustStore())) { | ||
| KeyStore keyStore; |
There was a problem hiding this comment.
Loads CA trust material from a keystore (preexisting code)
| return Optional.of(keyStore); | ||
| } else if (StringUtils.isNotEmpty(trustSettings.getTrustPem())) { | ||
| try { | ||
| return Optional.of(TrustStores.loadPEM(Path.of(trustSettings.getTrustPem()))); |
There was a problem hiding this comment.
Loads CA trust material from a PEM certificate list (new code)
| @Data | ||
| @NoArgsConstructor | ||
| public static class TrustSettings { | ||
| private boolean enabled; | ||
| private String trustStore; | ||
| private String trustStorePassword; | ||
| // Default as JKS instead of PKCS12 for backward compatibility | ||
| private String trustStoreType = "JKS"; | ||
| private String trustPem; |
There was a problem hiding this comment.
For the record, a curl command like
$ curl --cert identityCertPem --key identityKeyPem --cacert trustPem https://somewhere
corresponds to these pem properties.
Allows configuring a single X509 identity to use as the client identity for all outgoing webhooks.
Also enhances existing trust functionality to accept PEM CA certificates.
When using keystores, an encrypted private key entry is required - passwordless unencrypted private keys in keystores are not supported. Use PEM instead.
Similarly, keystores without passwords are also not supported.
When using PEM, assumes no key encryption.