Tests

Author: MatKuhr

cloudplatform/connectivity-oauth/pom.xml

@@ -135,10 +135,6 @@
 			<groupId>org.apache.httpcomponents.core5</groupId>
 			<artifactId>httpcore5</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.commons</groupId>
-			<artifactId>commons-lang3</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java

@@ -267,6 +267,8 @@ private void attachClientKeyStore( @Nonnull final OAuth2Options.Builder optionsB
         {
             final KeyStore maybeClientStore = getClientKeyStore();
             if( maybeClientStore != null ) {
+                // note: in case the KS is loaded from ZTIS, the KS used for token retrieval and the KS registered here for mTLS to the target system may diverge
+                // Token retrieval supports certificate rotation in place, but mTLS to the target system requires re-loading the destination instead.
                 optionsBuilder.withClientKeyStore(maybeClientStore);
             }
         }
@@ -275,7 +277,6 @@ private void attachClientKeyStore( @Nonnull final OAuth2Options.Builder optionsB
         private KeyStore getClientKeyStore()
         {
             final ClientIdentity clientIdentity = getClientIdentity();
-            //TODO: this doesn't work well with a dynamic keystore, check use cases
             if( clientIdentity instanceof ZtisClientIdentity ztisClientIdentity ) {
                 return ztisClientIdentity.getKeyStore();
             }

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultOAuth2PropertySupplier.java

@@ -2,7 +2,6 @@
 
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java

@@ -99,7 +99,7 @@ OAuth2TokenService getTokenService( @Nullable final String tenantId )
         final CacheKey key = CacheKey.fromIds(tenantId, null).append(identity);
         // ZTIS certificates rotate at runtime, thus we explicitly add the current KeyStore as cache key
         // once the certificate rotates, this produces a cache miss, ensuring we construct a new HTTP client with a new certificate
-        if (identity instanceof final ZtisClientIdentity ztisIdentity) {
+        if( identity instanceof final ZtisClientIdentity ztisIdentity ) {
             key.append(ztisIdentity.getKeyStore());
         }
         return tokenServiceCache.get(key, this::createTokenService);

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/SecurityLibWorkarounds.java

@@ -6,10 +6,9 @@
 import javax.annotation.Nonnull;
 
 import com.sap.cloud.sdk.cloudplatform.exception.CloudPlatformException;
-import lombok.EqualsAndHashCode;
-
 import com.sap.cloud.security.config.ClientIdentity;
 
+import lombok.EqualsAndHashCode;
 import lombok.ToString;
 import lombok.Value;
 
@@ -46,7 +45,9 @@ KeyStore getKeyStore()
                 return keyStoreSource.get();
             }
             catch( final Exception e ) {
-                throw new CloudPlatformException("Failed to load X509 certificate for credential type X509_ATTESTED.", e);
+                throw new CloudPlatformException(
+                    "Failed to load X509 certificate for credential type X509_ATTESTED.",
+                    e);
             }
         }
     }

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliersTest.java

@@ -757,8 +757,12 @@ void testMutualTlsWithZeroTrustIdentityService()
 
             final OAuth2PropertySupplier sut = IDENTITY_AUTHENTICATION.resolve(options);
             assertThat(sut).isNotNull();
+            assertThat(sut.getClientIdentity()).isInstanceOf(SecurityLibWorkarounds.ZtisClientIdentity.class);
 
-            assertThatThrownBy(sut::getClientIdentity)
+            final var identity = (SecurityLibWorkarounds.ZtisClientIdentity) sut.getClientIdentity();
+            assertThat(identity.getId()).isEqualTo("ias-client-id");
+
+            assertThatThrownBy(identity::getKeyStore)
                 .isInstanceOf(CloudPlatformException.class)
                 .describedAs("We are not mocking the ZTIS service here so this should fail")
                 .hasRootCauseInstanceOf(ServiceBindingAccessException.class);

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultOAuth2PropertySupplierTest.java

@@ -206,9 +206,15 @@ void testCredentialTypeX509_ATTESTED()
         sut = new DefaultOAuth2PropertySupplier(options);
 
         assertThat(sut.getCredentialType()).isEqualTo(CredentialType.X509_ATTESTED);
-        assertThatThrownBy(sut::getClientIdentity)
+        assertThat(sut).isNotNull();
+        assertThat(sut.getClientIdentity()).isInstanceOf(SecurityLibWorkarounds.ZtisClientIdentity.class);
+
+        final var identity = (SecurityLibWorkarounds.ZtisClientIdentity) sut.getClientIdentity();
+        assertThat(identity.getId()).isEqualTo("id");
+
+        assertThatThrownBy(identity::getKeyStore)
             .isInstanceOf(CloudPlatformException.class)
-            .describedAs("We are not mocking the Zero Trust Identity Service here, so this should be a failure")
+            .describedAs("We are not mocking the ZTIS service here so this should fail")
             .hasRootCauseInstanceOf(ServiceBindingAccessException.class);
     }
 

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/HttpClient5OAuth2TokenServiceTest.java

@@ -159,7 +159,7 @@ void testCreateHttpClientWithCertificateBasedClientIdentity()
     void testCreateHttpClientWithZtisClientIdentity()
     {
         final KeyStore keyStore = createEmptyKeyStore();
-        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", keyStore);
+        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", () -> keyStore);
 
         // ZtisClientIdentity is certificate-based but doesn't implement certificate methods properly
         // This should fail with certificate validation error
@@ -175,7 +175,7 @@ void testCreateHttpClientWithZtisClientIdentityAndExplicitKeyStore()
     {
         final KeyStore embeddedKeyStore = createEmptyKeyStore();
         final KeyStore explicitKeyStore = createEmptyKeyStore();
-        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", embeddedKeyStore);
+        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", () -> embeddedKeyStore);
 
         final CloseableHttpClient result =
             HttpClient5OAuth2TokenService.createHttpClient(ztisIdentity, explicitKeyStore);

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2IntegrationTest.java

@@ -216,7 +216,7 @@ void testIasFlowWithZeroTrustAndSubscriberTenant()
     {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        final ClientIdentity identity = new SecurityLibWorkarounds.ZtisClientIdentity("myClientId", ks);
+        final ClientIdentity identity = new SecurityLibWorkarounds.ZtisClientIdentity("myClientId", () -> ks);
 
         stubFor(
             post("/oauth2/token")

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2ServiceTest.java

@@ -18,6 +18,7 @@
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
 
 import java.io.IOException;
 import java.net.URI;
@@ -28,6 +29,7 @@
 import java.time.Duration;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Supplier;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -401,15 +403,47 @@ void testZeroTrustClientIdentity()
     {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        ClientIdentity identity = new ZtisClientIdentity("id", ks);
+        ClientIdentity identity = new ZtisClientIdentity("id", () -> ks);
         OAuth2Service service = OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
 
         final OAuth2TokenService result = service.getTokenService(null);
         assertThat(result).isSameAs(service.getTokenService(null));
 
-        identity = new ZtisClientIdentity("other-id", ks);
+        identity = new ZtisClientIdentity("other-id", () -> ks);
         service = OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
 
         assertThat(result).isNotSameAs(service.getTokenService(null));
     }
+
+    @Test
+    @SneakyThrows
+    void testZeroTrustCertificateRotationCausesCacheMiss()
+    {
+        // we need to use actual KeyStores here because the code will build an HTTP Client and mocks don't suffice
+        final KeyStore ks1 = KeyStore.getInstance("JKS");
+        final KeyStore ks2 = KeyStore.getInstance("JKS");
+        ks1.load(null, null);
+        ks2.load(null, null);
+
+        assertThat(ks1).describedAs("Sanity check: objects should be different").isNotSameAs(ks2).isNotEqualTo(ks2);
+
+        @SuppressWarnings( "unchecked" )
+        final Supplier<KeyStore> mockZtis = mock(Supplier.class);
+        when(mockZtis.get()).thenReturn(ks1);
+
+        final ZtisClientIdentity identity = new ZtisClientIdentity("id", mockZtis);
+
+        final OAuth2Service service =
+            OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
+
+        // Before rotation: same KeyStore → cache hit
+        final OAuth2TokenService tokenService1 = service.getTokenService(null);
+        assertThat(tokenService1).isSameAs(service.getTokenService(null));
+
+        when(mockZtis.get()).thenReturn(ks2);
+
+        // After rotation: different KeyStore → cache miss → new token service with new certificate
+        final OAuth2TokenService tokenService2 = service.getTokenService(null);
+        assertThat(tokenService2).isNotSameAs(tokenService1);
+    }
 }