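/**
 * Builds the TLS settings for the Hashicorp Vault connection.
 *
 * <p>Store passwords are never read from the config file: they are taken from the
 * environment variables named by {@code keyStorePwdEnvVar} and {@code trustStorePwdEnvVar}
 * via {@code envProvider.getEnvAsCharArray} (what that returns for an unset variable is
 * not visible here; presumably {@code null}, which the Vault API tolerates — confirm).
 *
 * <p>Resulting configuration by what is present in {@code keyVaultConfig}:
 * <ul>
 *   <li>key store and trust store: client certificate plus explicit trust store</li>
 *   <li>trust store only: {@code SslConfiguration.forTrustStore}</li>
 *   <li>neither: {@code SslConfiguration.unconfigured()}</li>
 *   <li>key store only: rejected (see below)</li>
 * </ul>
 *
 * @param keyVaultConfig Hashicorp vault settings carrying the optional store paths
 * @param envProvider    source of the store passwords
 * @return the TLS configuration to hand to the Vault client
 * @throws IllegalArgumentException if a key store path is configured without a trust
 *         store path. Previously this combination fell through to the unconfigured case,
 *         so a deliberately configured client key store was silently never used.
 */
SslConfiguration configureSsl(HashicorpKeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider) {
    final boolean hasKeyStore = keyVaultConfig.getTlsKeyStorePath() != null;
    final boolean hasTrustStore = keyVaultConfig.getTlsTrustStorePath() != null;

    if (hasKeyStore && !hasTrustStore) {
        // Fail closed: a configured client key store must not be dropped silently.
        throw new IllegalArgumentException(
            "tlsKeyStorePath is set but tlsTrustStorePath is not; "
                + "a trust store is required when a client key store is configured for the Hashicorp vault");
    }

    if (!hasTrustStore) {
        return SslConfiguration.unconfigured();
    }

    final Resource trustStore = new FileSystemResource(keyVaultConfig.getTlsTrustStorePath().toFile());
    final char[] trustStorePassword = envProvider.getEnvAsCharArray(trustStorePwdEnvVar);

    if (!hasKeyStore) {
        return SslConfiguration.forTrustStore(trustStore, trustStorePassword);
    }

    final Resource keyStore = new FileSystemResource(keyVaultConfig.getTlsKeyStorePath().toFile());
    final char[] keyStorePassword = envProvider.getEnvAsCharArray(keyStorePwdEnvVar);

    return new SslConfiguration(
        SslConfiguration.KeyStoreConfiguration.of(keyStore, keyStorePassword),
        SslConfiguration.KeyStoreConfiguration.of(trustStore, trustStorePassword));
}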
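/**
 * Creates the enclave this node uses for key operations.
 *
 * <p>If {@code config} declares a server of type {@link AppType#ENCLAVE}, the enclave is
 * remote and an {@link EnclaveClient} pointed at that server's URI is returned. Otherwise
 * the node's own key pairs are converted (vault and environment lookups go through a
 * fresh {@link EnvironmentVariableProvider}) and an in-process {@link EnclaveImpl} is built.
 *
 * @param config node configuration; must not be null
 * @return a remote or local enclave
 * @throws NullPointerException if {@code config} is null, or if no enclave server is
 *         configured and {@code config.getKeys()} is null (previously an anonymous NPE
 *         from {@code getKeyData()}; now carries a message naming the missing section)
 */
@Override
public Enclave create(Config config) {
    java.util.Objects.requireNonNull(config, "config must not be null");
    LOGGER.info("Creating enclave");

    // findAny(): if several ENCLAVE servers are configured, an arbitrary one is used.
    return config.getServerConfigs().stream()
        .filter(sc -> sc.getApp() == AppType.ENCLAVE)
        .findAny()
        .<Enclave>map(this::createRemoteEnclave)
        .orElseGet(() -> createLocalEnclave(config));
}

/** Builds a client that forwards enclave calls to the configured enclave server. */
private Enclave createRemoteEnclave(ServerConfig serverConfig) {
    final ClientFactory clientFactory = new ClientFactory();
    final Client client = clientFactory.buildFrom(serverConfig);
    LOGGER.info("Creating remoted enclave for {}", serverConfig.getServerUri());
    return new EnclaveClient(client, serverConfig.getServerUri());
}

/** Converts this node's key data and "always send to" keys and builds an in-process enclave. */
private Enclave createLocalEnclave(Config config) {
    final KeyPairConverter keyPairConverter = new KeyPairConverter(config, new EnvironmentVariableProvider());
    final Collection<KeyPair> keys = keyPairConverter.convert(
        java.util.Objects.requireNonNull(config.getKeys(), "keys section is required to create a local enclave").getKeyData());
    final Collection<PublicKey> forwardKeys = com.quorum.tessera.encryption.KeyFactory.convert(config.getAlwaysSendTo());
    LOGGER.info("Creating local enclave instance");
    return new EnclaveImpl(NaclFacadeFactory.newFactory().create(), new KeyManagerImpl(keys, forwardKeys));
}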
// Vault-backed key source. The factory pulls the vault credentials from the process
// environment through EnvironmentVariableProvider (see the factories' create() methods),
// so they never live in the config file.
// NOTE(review): the declaration appears twice on this listing line; a second declaration of
// the same local in one scope would not compile, so this looks like a listing artifact — confirm.
final KeyVaultService keyVaultService = keyVaultServiceFactory.create(config, new EnvironmentVariableProvider());
final KeyVaultService keyVaultService = keyVaultServiceFactory.create(config, new EnvironmentVariableProvider());
/**
 * Builds an Azure Key Vault backed {@link KeyVaultService}.
 *
 * <p>The service principal credentials are read from the environment variables named by
 * {@code clientIdEnvVar} and {@code clientSecretEnvVar}, never from the config file; the
 * vault location comes from {@code config.getKeys().getAzureKeyVaultConfig()}. Only the
 * presence of the credentials is checked — an empty string is passed through as-is.
 *
 * @param config      node configuration; must not be null
 * @param envProvider environment accessor; must not be null
 * @return a service wrapping an authenticated Azure Key Vault client
 * @throws NullPointerException           if {@code config} or {@code envProvider} is null
 * @throws AzureCredentialNotSetException if either credential variable is unset
 * @throws ConfigException                if there is no keys section or no Azure section
 */
@Override
public KeyVaultService create(Config config, EnvironmentVariableProvider envProvider) {
    Objects.requireNonNull(config);
    Objects.requireNonNull(envProvider);

    final String clientId = envProvider.getEnv(clientIdEnvVar);
    final String clientSecret = envProvider.getEnv(clientSecretEnvVar);

    final boolean credentialsPresent = clientId != null && clientSecret != null;
    if (!credentialsPresent) {
        throw new AzureCredentialNotSetException(clientIdEnvVar + " and " + clientSecretEnvVar + " environment variables must be set");
    }

    // Optional.map yields empty for a null Azure section too, so both cases end up here.
    final AzureKeyVaultConfig keyVaultConfig = Optional.ofNullable(config.getKeys())
        .map(KeyConfiguration::getAzureKeyVaultConfig)
        .orElseThrow(() -> new ConfigException(new RuntimeException("Trying to create Azure key vault connection but no Azure configuration provided")));

    // NOTE(review): this single-thread executor is handed to the credentials object and is
    // never shut down here; confirm AzureKeyVaultClientCredentials owns its lifecycle.
    final AzureKeyVaultClientCredentials credentials =
        new AzureKeyVaultClientCredentials(clientId, clientSecret, Executors.newFixedThreadPool(1));
    final AzureKeyVaultClientFactory clientFactory = new AzureKeyVaultClientFactory(credentials);
    final AzureKeyVaultClientDelegate delegate = new AzureKeyVaultClientDelegate(clientFactory.getAuthenticatedClient());

    return new AzureKeyVaultService(keyVaultConfig, delegate);
}
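/**
 * Builds the TLS settings for the Hashicorp Vault connection.
 *
 * <p>Store passwords come only from the environment ({@code keyStorePwdEnvVar},
 * {@code trustStorePwdEnvVar}) through {@code envProvider.getEnvAsCharArray}; the value
 * returned for an unset variable is not visible here (presumably {@code null} — confirm).
 *
 * <p>Both stores present: client certificate plus explicit trust store. Trust store only:
 * {@code forTrustStore}. Neither: {@code unconfigured()}. Key store only: rejected.
 *
 * @param keyVaultConfig Hashicorp vault settings carrying the optional store paths
 * @param envProvider    source of the store passwords
 * @return the TLS configuration to hand to the Vault client
 * @throws IllegalArgumentException if a key store path is configured but no trust store
 *         path is. The original fell through to {@code unconfigured()} for this case, so
 *         the configured client key store was silently ignored.
 */
SslConfiguration configureSsl(HashicorpKeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider) {
    final boolean keyStoreConfigured = keyVaultConfig.getTlsKeyStorePath() != null;
    final boolean trustStoreConfigured = keyVaultConfig.getTlsTrustStorePath() != null;

    if (keyStoreConfigured && !trustStoreConfigured) {
        // Fail closed rather than silently dropping a configured client key store.
        throw new IllegalArgumentException(
            "tlsKeyStorePath is set but tlsTrustStorePath is not; "
                + "a trust store is required when a client key store is configured for the Hashicorp vault");
    }

    if (!trustStoreConfigured) {
        return SslConfiguration.unconfigured();
    }

    final Resource clientTrustStore = new FileSystemResource(keyVaultConfig.getTlsTrustStorePath().toFile());
    final char[] trustStorePassword = envProvider.getEnvAsCharArray(trustStorePwdEnvVar);

    if (!keyStoreConfigured) {
        return SslConfiguration.forTrustStore(clientTrustStore, trustStorePassword);
    }

    final Resource clientKeyStore = new FileSystemResource(keyVaultConfig.getTlsKeyStorePath().toFile());
    final SslConfiguration.KeyStoreConfiguration keyStoreConfiguration =
        SslConfiguration.KeyStoreConfiguration.of(clientKeyStore, envProvider.getEnvAsCharArray(keyStorePwdEnvVar));
    final SslConfiguration.KeyStoreConfiguration trustStoreConfiguration =
        SslConfiguration.KeyStoreConfiguration.of(clientTrustStore, trustStorePassword);

    return new SslConfiguration(keyStoreConfiguration, trustStoreConfiguration);
}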
/**
 * Chooses how this node authenticates to the Hashicorp vault.
 *
 * <p>Credentials are read from the environment only. AppRole ({@code roleIdEnvVar} and
 * {@code secretIdEnvVar}) takes precedence over a static token ({@code authTokenEnvVar})
 * when both are present. Setting exactly one of the two AppRole variables is rejected
 * rather than silently falling back to the token. Only presence is checked; empty strings
 * are passed through as-is.
 *
 * @param keyVaultConfig           supplies the AppRole mount path
 * @param envProvider              source of the credentials
 * @param clientHttpRequestFactory HTTP transport used for the AppRole login call
 * @param vaultEndpoint            vault address used for the AppRole login call
 * @return an AppRole or Token {@link ClientAuthentication}
 * @throws HashicorpCredentialNotSetException if the AppRole variables are only partially
 *         set, or if neither AppRole nor token credentials are available
 */
ClientAuthentication configureClientAuthentication(HashicorpKeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider, ClientHttpRequestFactory clientHttpRequestFactory, VaultEndpoint vaultEndpoint) {
    final String roleId = envProvider.getEnv(roleIdEnvVar);
    final String secretId = envProvider.getEnv(secretIdEnvVar);
    final String authToken = envProvider.getEnv(authTokenEnvVar);

    final boolean hasRoleId = roleId != null;
    final boolean hasSecretId = secretId != null;

    if (hasRoleId && hasSecretId) {
        return appRoleAuthentication(keyVaultConfig, roleId, secretId, clientHttpRequestFactory, vaultEndpoint);
    }

    // Exactly one of the AppRole variables is set: a misconfiguration, not a token login.
    if (hasRoleId != hasSecretId) {
        throw new HashicorpCredentialNotSetException("Both " + roleIdEnvVar + " and " + secretIdEnvVar + " environment variables must be set to use the AppRole authentication method");
    }

    if (authToken == null) {
        throw new HashicorpCredentialNotSetException("Both " + roleIdEnvVar + " and " + secretIdEnvVar + " environment variables must be set to use the AppRole authentication method. Alternatively set " + authTokenEnvVar + " to authenticate using the Token method");
    }

    return new TokenAuthentication(authToken);
}

/** Builds the AppRole login against the configured mount path using the given transport. */
private ClientAuthentication appRoleAuthentication(HashicorpKeyVaultConfig keyVaultConfig, String roleId, String secretId, ClientHttpRequestFactory clientHttpRequestFactory, VaultEndpoint vaultEndpoint) {
    final AppRoleAuthenticationOptions options = AppRoleAuthenticationOptions.builder()
        .path(keyVaultConfig.getApprolePath())
        .roleId(AppRoleAuthenticationOptions.RoleId.provided(roleId))
        .secretId(AppRoleAuthenticationOptions.SecretId.provided(secretId))
        .build();
    final RestOperations restOperations = VaultClients.createRestTemplate(vaultEndpoint, clientHttpRequestFactory);
    return new AppRoleAuthentication(options, restOperations);
}
}
/**
 * Selects the Vault authentication method from environment-supplied credentials.
 *
 * <p>Order of evaluation: both AppRole variables ({@code roleIdEnvVar}, {@code secretIdEnvVar})
 * set → AppRole login, even if a token is also set; only one of them set → rejected;
 * neither set → the token in {@code authTokenEnvVar}, which must then be present.
 * Presence is the only check; empty values are not special-cased.
 *
 * @param keyVaultConfig           supplies the AppRole mount path
 * @param envProvider              source of the credentials
 * @param clientHttpRequestFactory HTTP transport for the AppRole login
 * @param vaultEndpoint            vault address for the AppRole login
 * @return an AppRole or Token {@link ClientAuthentication}
 * @throws HashicorpCredentialNotSetException on a partial AppRole configuration, or when
 *         no AppRole pair and no token is available
 */
ClientAuthentication configureClientAuthentication(HashicorpKeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider, ClientHttpRequestFactory clientHttpRequestFactory, VaultEndpoint vaultEndpoint) {
    final String roleId = envProvider.getEnv(roleIdEnvVar);
    final String secretId = envProvider.getEnv(secretIdEnvVar);
    final String authToken = envProvider.getEnv(authTokenEnvVar);

    final boolean appRoleComplete = roleId != null && secretId != null;
    final boolean appRolePartial = (roleId == null) != (secretId == null);

    if (appRolePartial) {
        throw new HashicorpCredentialNotSetException("Both " + roleIdEnvVar + " and " + secretIdEnvVar + " environment variables must be set to use the AppRole authentication method");
    }

    if (!appRoleComplete) {
        if (authToken == null) {
            throw new HashicorpCredentialNotSetException("Both " + roleIdEnvVar + " and " + secretIdEnvVar + " environment variables must be set to use the AppRole authentication method. Alternatively set " + authTokenEnvVar + " to authenticate using the Token method");
        }
        return new TokenAuthentication(authToken);
    }

    // AppRole: role id and secret id are both provided up front; login goes over the supplied transport.
    final AppRoleAuthenticationOptions appRoleOptions = AppRoleAuthenticationOptions.builder()
        .path(keyVaultConfig.getApprolePath())
        .roleId(AppRoleAuthenticationOptions.RoleId.provided(roleId))
        .secretId(AppRoleAuthenticationOptions.SecretId.provided(secretId))
        .build();
    final RestOperations vaultRest = VaultClients.createRestTemplate(vaultEndpoint, clientHttpRequestFactory);
    return new AppRoleAuthentication(appRoleOptions, vaultRest);
}
}
/**
 * Creates the Azure Key Vault backed {@link KeyVaultService}.
 *
 * <p>Client id and client secret are sourced exclusively from the environment variables
 * named by {@code clientIdEnvVar} and {@code clientSecretEnvVar}; the vault itself is
 * described by the Azure section of {@code config.getKeys()}. Presence of the credentials
 * is checked, not their content.
 *
 * @param config      node configuration; must not be null
 * @param envProvider environment accessor; must not be null
 * @return a service wrapping an authenticated Azure Key Vault client
 * @throws NullPointerException           if {@code config} or {@code envProvider} is null
 * @throws AzureCredentialNotSetException if the client id or client secret variable is unset
 * @throws ConfigException                if the keys section or its Azure section is missing
 */
@Override
public KeyVaultService create(Config config, EnvironmentVariableProvider envProvider) {
    Objects.requireNonNull(config);
    Objects.requireNonNull(envProvider);

    final String clientId = envProvider.getEnv(clientIdEnvVar);
    final String clientSecret = envProvider.getEnv(clientSecretEnvVar);
    if (clientId == null || clientSecret == null) {
        throw new AzureCredentialNotSetException(clientIdEnvVar + " and " + clientSecretEnvVar + " environment variables must be set");
    }

    final AzureKeyVaultConfig azureConfig = requireAzureConfig(config);

    // NOTE(review): the single-thread executor created here is never shut down by this
    // method; confirm AzureKeyVaultClientCredentials takes ownership of it.
    final AzureKeyVaultClientCredentials credentials =
        new AzureKeyVaultClientCredentials(clientId, clientSecret, Executors.newFixedThreadPool(1));
    final AzureKeyVaultClientDelegate delegate =
        new AzureKeyVaultClientDelegate(new AzureKeyVaultClientFactory(credentials).getAuthenticatedClient());

    return new AzureKeyVaultService(azureConfig, delegate);
}

/** Extracts the Azure section of the keys config, failing if either level is absent. */
private AzureKeyVaultConfig requireAzureConfig(Config config) {
    return Optional.ofNullable(config.getKeys())
        .map(KeyConfiguration::getAzureKeyVaultConfig)
        .orElseThrow(() -> new ConfigException(new RuntimeException("Trying to create Azure key vault connection but no Azure configuration provided")));
}