diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
index a144f6a..b0a4179 100644
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionService.java
@@ -11,6 +11,7 @@ import lombok.Getter;
 import lombok.Setter;
+import com.bettercloud.vault.SslConfig;
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
@@ -134,21 +135,42 @@ public final void rotateKeys() {
 */
 final Vault buildVaultDriver(@Nullable String authToken) {
 try {
- VaultConfig vaultConfig = new VaultConfig()
- .token(authToken)
- .engineVersion(configuration.getEngineVersion())
- .address(configuration.getUri())
- .build();
-
- Vault newDriver = new Vault(vaultConfig);
-
- if (configuration.getMaxRetries() > 0) {
- newDriver.withRetries(
- configuration.getMaxRetries(),
- Math.toIntExact(configuration.getRetryInterval().toMillis()));
- }
+ if (configuration.isSsl()) { // If SSL is enabled, set up the SSL configuration
+ SslConfig sslConfig = new SslConfig();
+ sslConfig.verify(false);
+ VaultConfig vaultConfig = new VaultConfig()
+ .sslConfig(sslConfig)
+ .token(authToken)
+ .engineVersion(configuration.getEngineVersion())
+ .address(configuration.getUri())
+ .build();
+
+ Vault newDriver = new Vault(vaultConfig);
+
+ if (configuration.getMaxRetries() > 0) {
+ newDriver.withRetries(
+ configuration.getMaxRetries(),
+ Math.toIntExact(configuration.getRetryInterval().toMillis()));
+ }
+
+ return newDriver;
+ } else {
+ VaultConfig vaultConfig = new VaultConfig()
+ .token(authToken)
+ .engineVersion(getConfiguration().getEngineVersion())
+ .address(getConfiguration().getUri())
+ .build();
+
+ Vault newDriver = new Vault(vaultConfig);
+
+ if (getConfiguration().getMaxRetries() > 0) {
+ newDriver.withRetries(
+ getConfiguration().getMaxRetries(),
+ Math.toIntExact(getConfiguration().getRetryInterval().toMillis()));
+ }
 
- return newDriver;
+ return newDriver;
+ }
 } catch (VaultException e) {
 throw new VaultEncryptionConfigurationException("Unable to build Vault Encryption Configuration", e);
 }
diff --git a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionServiceConfiguration.java b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionServiceConfiguration.java
index 3a9d6c2..16fa65c 100644
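Review bot: `sslConfig.verify(false)` in the new `isSsl()` branch switches off certificate and hostname verification of the Vault endpoint, so the connection that carries the auth token and the key material this service fetches can be answered by anyone able to stand in for the configured address, and the `ssl-enabled` name promises the opposite of what the branch does. The driver's default `SslConfig` already verifies, so this branch is only meaningful as a verification bypass; if the real need is a private CA, hand the driver a trust anchor (`SslConfig.pemFile(...)` / `trustStore(...)`) loaded from configuration and leave verification on, and note the `SslConfig` is passed without its `build()`, which the driver's own builder chain expects — worth confirming which defaults that skips. The same block with the same `verify(false)` is added to VaultStore.buildVaultDriver in store-vault below, and both branches duplicate the builder, `new Vault(...)` and the retry block while mixing `configuration` with `getConfiguration()`; one chain with a conditional `sslConfig(...)` is enough. buildVaultDriver's closing brace lies past the hunk.
```java
final Vault buildVaultDriver(@Nullable String authToken) {
  try {
    VaultConfig vaultConfig = new VaultConfig()
        .token(authToken)
        .engineVersion(configuration.getEngineVersion())
        .address(configuration.getUri());
    if (configuration.isSsl()) {
      // Verification stays on. A private CA for the Vault endpoint belongs in a
      // trust anchor (SslConfig.pemFile / trustStore) loaded from configuration,
      // never in verify(false).
      vaultConfig.sslConfig(new SslConfig().verify(true).build());
    }
    vaultConfig = vaultConfig.build();
    // … unchanged: new Vault(vaultConfig), withRetries(...), return newDriver …
```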
--- a/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionServiceConfiguration.java
+++ b/encryption-service-vault/src/main/java/com/mx/path/service/facility/security/vault/VaultEncryptionServiceConfiguration.java
@@ -22,6 +22,7 @@ public enum AuthenticationType {
 private static final AuthenticationType DEFAULT_AUTHENTICATION = AuthenticationType.APPROLE;
 private static final String DEFAULT_KEY_NAME = "vault_session";
 private static final int DEFAULT_NUM_KEYS_TO_KEEP_COUNT = 1;
+ private static final boolean DEFAULT_SSL_ENABLED = false;
 
 @ConfigurationField
 private boolean enabled = true;
@@ -59,6 +60,9 @@ public enum AuthenticationType {
 @ConfigurationField(secret = true)
 private String token;
 
+ @ConfigurationField(value = "ssl-enabled")
+ private boolean ssl = DEFAULT_SSL_ENABLED;
+
 @ConfigurationField
 private AuthenticationType authentication = DEFAULT_AUTHENTICATION;
 }
diff --git a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
index 0d49450..c4724a3 100644
--- a/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
+++ b/encryption-service-vault/src/test/groovy/com/mx/path/service/facility/security/vault/VaultEncryptionServiceTest.groovy
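Review bot: The new `ssl-enabled` field does not turn TLS on — nothing in the patch changes the scheme of `uri`, and the tests pair `setSsl(true)` with a plain `http://` address — it only selects the branch in VaultEncryptionService that disables certificate verification, so the name invites operators to set it on exactly the deployments where verification matters most. Name the field for what it controls, or better keep verification on and let it carry what a private-CA deployment actually needs (a trust-anchor path), and document it either way, e.g. `// Selects the TLS verification mode of the Vault connection; whether TLS is used at all follows from the scheme of uri.` The same field and default are added to VaultStoreConfiguration in store-vault below.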
@@ -72,6 +72,20 @@ class VaultEncryptionServiceTest extends Specification {
 }
 }
 
+ def configWithAppRoleSSL() {
+ return new VaultEncryptionServiceConfiguration().tap {
+ setUri("http://localhost:8200")
+ setEnabled(true)
+ setAuthentication(VaultEncryptionServiceConfiguration.AuthenticationType.APPROLE)
+ setAppRole("role-k8s")
+ setSecretId("secretId")
+ setKeyName("test-key")
+ setMaxRetries(2)
+ setNumKeysToKeep(3)
+ setSsl(true)
+ }
+ }
+
 def "on first use, creates and authenticates driver once"() {
 given:
 def config = configWithAppId()
@@ -113,10 +127,11 @@ class VaultEncryptionServiceTest extends Specification {
 driver.getClass() == Vault
 
 where:
- config | _
- configWithAppId() | _
- configWithToken() | _
- configWithAppRole() | _
+ config | _
+ configWithAppId() | _
+ configWithToken() | _
+ configWithAppRole() | _
+ configWithAppRoleSSL() | _
 }
 
 @Unroll
diff --git a/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStore.java b/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStore.java
index 5fc79cd..0510ef2 100644
--- a/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStore.java
+++ b/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStore.java
@@ -11,6 +11,7 @@ import lombok.Getter;
 import lombok.Setter;
+import com.bettercloud.vault.SslConfig;
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
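Review bot: `configWithAppRoleSSL()` sets `setSsl(true)` but keeps `setUri("http://localhost:8200")`, and the only assertion the new table row reaches is `driver.getClass() == Vault`, so the test shows the SSL branch constructs a driver and nothing about TLS or certificate verification — a change that silently drops verification passes it unchanged. Give the fixture an `https://` URI and, if the built driver or its `VaultConfig` exposes the `SslConfig`, assert the verification setting the service is meant to use, so the branch is pinned by behaviour rather than by construction succeeding. VaultStoreTest.groovy below adds the same fixture and table row with the same gap.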
@@ -46,21 +47,42 @@ public VaultStore(@Configuration VaultStoreConfiguration configuration) {
 */
 Vault buildVaultDriver(@Nullable String authToken) {
 try {
- VaultConfig vaultConfig = new VaultConfig()
- .token(authToken)
- .engineVersion(getConfiguration().getEngineVersion())
- .address(getConfiguration().getUri())
- .build();
-
- Vault newDriver = new Vault(vaultConfig);
-
- if (getConfiguration().getMaxRetries() > 0) {
- newDriver.withRetries(
- getConfiguration().getMaxRetries(),
- Math.toIntExact(getConfiguration().getRetryInterval().toMillis()));
- }
+ if (configuration.isSsl()) { // If SSL is enabled, set up the SSL configuration
+ SslConfig sslConfig = new SslConfig();
+ sslConfig.verify(false);
+ VaultConfig vaultConfig = new VaultConfig()
+ .sslConfig(sslConfig)
+ .token(authToken)
+ .engineVersion(configuration.getEngineVersion())
+ .address(configuration.getUri())
+ .build();
+
+ Vault newDriver = new Vault(vaultConfig);
+
+ if (configuration.getMaxRetries() > 0) {
+ newDriver.withRetries(
+ configuration.getMaxRetries(),
+ Math.toIntExact(configuration.getRetryInterval().toMillis()));
+ }
+
+ return newDriver;
+ } else {
+ VaultConfig vaultConfig = new VaultConfig()
+ .token(authToken)
+ .engineVersion(getConfiguration().getEngineVersion())
+ .address(getConfiguration().getUri())
+ .build();
+
+ Vault newDriver = new Vault(vaultConfig);
 
- return newDriver;
+ if (getConfiguration().getMaxRetries() > 0) {
+ newDriver.withRetries(
+ getConfiguration().getMaxRetries(),
+ Math.toIntExact(getConfiguration().getRetryInterval().toMillis()));
+ }
+
+ return newDriver;
+ }
 } catch (Exception e) {
 throw new VaultStoreConfigurationException("Unable to build Vault Configuration", e);
 }
diff --git a/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStoreConfiguration.java b/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStoreConfiguration.java
index 970c41f..66d5c9f 100644
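Review bot: The SSL branch reads the `configuration` field directly while the `else` branch keeps this class's existing `getConfiguration()` accessor, and the two branches repeat the builder chain, `new Vault(vaultConfig)` and the retry block verbatim, so every later change to one must be mirrored by hand in the other. Build a single chain and attach the `SslConfig` (with whatever verification policy is settled on for it) conditionally: `VaultConfig vaultConfig = new VaultConfig().token(authToken).engineVersion(getConfiguration().getEngineVersion()).address(getConfiguration().getUri());` then `if (getConfiguration().isSsl()) { vaultConfig.sslConfig(sslConfig); }` and `vaultConfig = vaultConfig.build();` before the unchanged `new Vault(...)` and retry lines. buildVaultDriver's closing brace lies past the hunk.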
--- a/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStoreConfiguration.java
+++ b/store-vault/src/main/java/com/mx/path/service/facility/store/vault/VaultStoreConfiguration.java
@@ -26,6 +26,7 @@ enum AuthenticationType {
 private static final Duration DEFAULT_RETRY_INTERVAL = Duration.ofMillis(200);
 private static final int KEY_NOT_FOUND = 404;
 private static final int MAXIMUM_REAUTHENTICATION_RETRIES = 3;
+ private static final boolean DEFAULT_SSL_ENABLED = false;
 
 @ConfigurationField(value = "app-id")
 private String appId;
@@ -48,6 +49,9 @@ enum AuthenticationType {
 @ConfigurationField(secret = true)
 private String secretId;
 
+ @ConfigurationField(value = "ssl-enabled")
+ private boolean ssl = DEFAULT_SSL_ENABLED;
+
 @ConfigurationField(secret = true)
 private String token;
 
diff --git a/store-vault/src/test/groovy/com/mx/path/service/facility/store/vault/VaultStoreTest.groovy b/store-vault/src/test/groovy/com/mx/path/service/facility/store/vault/VaultStoreTest.groovy
index 070fa10..cff7830 100644
--- a/store-vault/src/test/groovy/com/mx/path/service/facility/store/vault/VaultStoreTest.groovy
+++ b/store-vault/src/test/groovy/com/mx/path/service/facility/store/vault/VaultStoreTest.groovy
@@ -62,6 +62,17 @@ class VaultStoreTest extends Specification {
 }
 }
 
+ def configWithAppRoleSSL() {
+ return new VaultStoreConfiguration().tap {
+ setUri("http://localhost:8200")
+ setAuthentication(VaultStoreConfiguration.AuthenticationType.APPROLE)
+ setAppRole("role-k8s")
+ setSecretId("secretId")
+ setMaxRetries(2)
+ setSsl(true)
+ }
+ }
+
 def "on first use, creates and authenticates driver once"() {
 given:
 def config = configWithAppId()
@@ -103,10 +114,11 @@ class VaultStoreTest extends Specification {
 driver.getClass() == Vault
 
 where:
- config | _
- configWithAppId() | _
- configWithToken() | _
- configWithAppRole() | _
+ config | _
+ configWithAppId() | _
+ configWithToken() | _
+ configWithAppRole() | _
+ configWithAppRoleSSL() | _
 }
 
 def "buildVaultDriver with invalid configuration"() {