feat: support PEM certificate string from VAULT_CACERT env var (#93)
All checks were successful
CI / build-with-it (11, 1.2.0) (push) Successful in 53s
CI / build-with-it (11, 1.19.0) (push) Successful in 1m0s
CI / build-with-it (17, 1.19.0) (push) Successful in 57s
CI / build-with-it (17, 1.2.0) (push) Successful in 52s
CI / build-with-it (21, 1.2.0) (push) Successful in 48s
CI / build-with-it (true, 21, 1.19.0) (push) Successful in 54s
All checks were successful
CI / build-with-it (11, 1.2.0) (push) Successful in 53s
CI / build-with-it (11, 1.19.0) (push) Successful in 1m0s
CI / build-with-it (17, 1.19.0) (push) Successful in 57s
CI / build-with-it (17, 1.2.0) (push) Successful in 52s
CI / build-with-it (21, 1.2.0) (push) Successful in 48s
CI / build-with-it (true, 21, 1.19.0) (push) Successful in 54s
Vault CLI and the connector up to 1.4 support providing a path to a CA certificate file. Introduce support for providing PEM encoded content directly which might be convenient in container environments to provide a certificate e.g. from secrets without mounting it to some path.
This commit is contained in:
@@ -20,11 +20,13 @@ import de.stklcode.jvault.connector.exception.ConnectionException;
|
||||
import de.stklcode.jvault.connector.exception.TlsException;
|
||||
import de.stklcode.jvault.connector.exception.VaultConnectorException;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.IOException;
|
||||
import java.net.MalformedURLException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.net.URL;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
@@ -326,7 +328,11 @@ public final class HTTPVaultConnectorBuilder {
|
||||
|
||||
/* Parse certificate, if set */
|
||||
if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).isBlank()) {
|
||||
return withTrustedCA(Paths.get(System.getenv(ENV_VAULT_CACERT)));
|
||||
X509Certificate cert = certificateFromString(System.getenv(ENV_VAULT_CACERT));
|
||||
if (cert == null) {
|
||||
cert = certificateFromFile(Paths.get(System.getenv(ENV_VAULT_CACERT)));
|
||||
}
|
||||
return withTrustedCA(cert);
|
||||
}
|
||||
return this;
|
||||
}
|
||||
@@ -398,6 +404,28 @@ public final class HTTPVaultConnectorBuilder {
|
||||
return con;
|
||||
}
|
||||
|
||||
/**
|
||||
* Read given certificate file to X.509 certificate.
|
||||
*
|
||||
* @param cert Certificate string (optionally PEM)
|
||||
* @return X.509 Certificate object if parseable, else {@code null}
|
||||
* @throws TlsException on error
|
||||
* @since 1.5.0
|
||||
*/
|
||||
private X509Certificate certificateFromString(final String cert) throws TlsException {
|
||||
// Check if PEM header is present in given string
|
||||
if (cert.contains("-BEGIN ") && cert.contains("-END")) {
|
||||
try (var is = new ByteArrayInputStream(cert.getBytes(StandardCharsets.UTF_8))) {
|
||||
return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
|
||||
} catch (IOException | CertificateException e) {
|
||||
throw new TlsException("Unable to read certificate.", e);
|
||||
}
|
||||
}
|
||||
|
||||
// Not am PEM string, skip
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Read given certificate file to X.509 certificate.
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user