Initial

Author: MatKuhr

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java

@@ -275,8 +275,9 @@ private void attachClientKeyStore( @Nonnull final OAuth2Options.Builder optionsB
         private KeyStore getClientKeyStore()
         {
             final ClientIdentity clientIdentity = getClientIdentity();
-            if( clientIdentity instanceof ZtisClientIdentity ) {
-                return ((ZtisClientIdentity) clientIdentity).getKeyStore();
+            //TODO: this doesn't work well with a dynamic keystore, check use cases
+            if( clientIdentity instanceof ZtisClientIdentity ztisClientIdentity ) {
+                return ztisClientIdentity.getKeyStore();
             }
             if( !(clientIdentity instanceof ClientCertificate) ) {
                 return null;

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultOAuth2PropertySupplier.java

@@ -173,14 +173,7 @@ private ZtisClientIdentity getZtisIdentity( @Nonnull final String clientid )
         }
         final ZeroTrustIdentityService ztis = ZeroTrustIdentityService.getInstance();
 
-        final KeyStore keyStore;
-        try {
-            keyStore = ztis.getOrCreateKeyStore();
-        }
-        catch( final Exception e ) {
-            throw new CloudPlatformException("Failed to load X509 certificate for credential type X509_ATTESTED.", e);
-        }
-        return new ZtisClientIdentity(clientid, keyStore);
+        return new ZtisClientIdentity(clientid, ztis::getOrCreateKeyStore);
     }
 
     @Nonnull

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java

@@ -97,6 +97,11 @@ class OAuth2Service
     OAuth2TokenService getTokenService( @Nullable final String tenantId )
     {
         final CacheKey key = CacheKey.fromIds(tenantId, null).append(identity);
+        // ZTIS certificates rotate at runtime, thus we explicitly add the current KeyStore as cache key
+        // once the certificate rotates, this produces a cache miss, ensuring we construct a new HTTP client with a new certificate
+        if (identity instanceof final ZtisClientIdentity ztisIdentity) {
+            key.append(ztisIdentity.getKeyStore());
+        }
         return tokenServiceCache.get(key, this::createTokenService);
     }
 

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/SecurityLibWorkarounds.java

@@ -1,19 +1,17 @@
 package com.sap.cloud.sdk.cloudplatform.connectivity;
 
-import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveCertificatesOnly;
-import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveKeyStoreHashCode;
-
 import java.security.KeyStore;
+import java.util.function.Supplier;
 
 import javax.annotation.Nonnull;
 
-import org.apache.commons.lang3.builder.EqualsBuilder;
-import org.apache.commons.lang3.builder.HashCodeBuilder;
+import com.sap.cloud.sdk.cloudplatform.exception.CloudPlatformException;
+import lombok.EqualsAndHashCode;
 
 import com.sap.cloud.security.config.ClientIdentity;
 
-import lombok.AllArgsConstructor;
-import lombok.Getter;
+import lombok.ToString;
+import lombok.Value;
 
 final class SecurityLibWorkarounds
 {
@@ -22,44 +20,34 @@ private SecurityLibWorkarounds()
         throw new IllegalStateException("This utility class should never be instantiated.");
     }
 
-    @Getter
-    @AllArgsConstructor
+    @Value
     static class ZtisClientIdentity implements ClientIdentity
     {
         @Nonnull
-        private final String id;
+        String id;
+
+        // Exclude certificates from equals & hash code since they rotate dynamically at runtime
+        // Instead, the OAuth2Service cache explicitly checks for outdated KeyStores
         @Nonnull
-        private final KeyStore keyStore;
+        @EqualsAndHashCode.Exclude
+        @ToString.Exclude
+        Supplier<KeyStore> keyStoreSource;
 
         @Override
         public boolean isCertificateBased()
         {
             return true;
         }
 
-        // The identity will be used as cache key, so it's important we correctly implement equals/hashCode
-        @Override
-        public boolean equals( final Object obj )
+        @Nonnull
+        KeyStore getKeyStore()
         {
-            if( this == obj ) {
-                return true;
+            try {
+                return keyStoreSource.get();
             }
-
-            if( obj == null || getClass() != obj.getClass() ) {
-                return false;
+            catch( final Exception e ) {
+                throw new CloudPlatformException("Failed to load X509 certificate for credential type X509_ATTESTED.", e);
             }
-
-            final ZtisClientIdentity that = (ZtisClientIdentity) obj;
-            return new EqualsBuilder()
-                .append(id, that.id)
-                .append(resolveCertificatesOnly(keyStore), resolveCertificatesOnly(that.keyStore))
-                .isEquals();
-        }
-
-        @Override
-        public int hashCode()
-        {
-            return new HashCodeBuilder(41, 71).append(id).append(resolveKeyStoreHashCode(keyStore)).build();
         }
     }
 }

release_notes.md

@@ -17,7 +17,7 @@
 
 ### 📈 Improvements
 
-- 
+- Improved the support for the credential type `X509_ATTESTED`. `HttpDestination` objects created via `ServiceBindingDestinationLoader` no longer need to be re-created for the rotation of certificates to take effect.
 
 ### 🐛 Fixed Issues