Support custom trust stores for https#295
Conversation
src/main/java/io/aiven/kafka/connect/http/sender/SslContextBuilder.java
Outdated
Show resolved
Hide resolved
|
@muralibasani Just a follow-up to see if you have any other feedback on the pull request. |
@madhavvishnubhatta ok from me, but pinged other team members for a 2nd review. |
Claudenw
left a comment
Claudenw
left a comment
There was a problem hiding this comment.
Please try with NO_DEFAULT values. It should work as expected. Otherwise I will approve this as it stands.
| return null; | ||
| } | ||
| try { | ||
| final KeyStore trustStore = KeyStore.getInstance("JKS"); |
There was a problem hiding this comment.
Would it be a good idea to also add a config for the keystore type?
There was a problem hiding this comment.
Yes, but jks meets my need. I can think of adding other types later if I have the time, but it would be good to not hold this off until other support is available. Let me know what you think. if you agree, I can update teh documentation to make it clear that only JKS is supported for now.
There was a problem hiding this comment.
I think it's probably fine to not add the keystore type immediately -- IIUC, adding the truststore here is just a mechanism to create an allow list of acceptable HTTPS servers (not to verify that the client is acceptable). This is by far the most frequent usage (e.g., when my browser contacts https://github.com, the server never checks who I am).
There was a problem hiding this comment.
Correct. This is only for the client to validate the server. This is not a mechanism for the server to check who is connecting. But makes me think if mTLS might be a future feature request. Anyway, that is out of scope for this PR.
RyanSkraba
changed the title
|
Hello! I'm going through this and it looks pretty good so far! Thanks. I'm assuming the use case is that you have a self-signed HTTPS server, or with a private certificate authority, and you want to avoid I guess technically trusting all certs is dubious 🤔 but since the end user is the only one telling the connector where to connect, it's already a pretty explicit "allow list". Is there another use for adding the trust store? It might be worthwhile documenting in the PR! |
RyanSkraba
left a comment
RyanSkraba
left a comment
There was a problem hiding this comment.
Hey, this looks good -- do you think it would be possible to generate the truststore.jks programmatically instead of checking in the binary?
If it's possible, it's probably more future proof.
| import org.slf4j.Logger; | ||
| import org.slf4j.LoggerFactory; | ||
|
|
||
| final class TruststoreLoader { |
There was a problem hiding this comment.
| final class TruststoreLoader { | |
| final class TrustStoreLoader { |
Haha, the canonical spelling of TrustStore has an internal capital S. It's definitely NOT that important but it's definitely worth getting it right at the start (as someone who has fussed with APIs and documentation around Elasticsearch and OpenSearch).
| return getBoolean(HTTP_SSL_TRUST_ALL_CERTIFICATES); | ||
| } | ||
|
|
||
| public final String sslTruststoreLocation() { |
There was a problem hiding this comment.
| public final String sslTruststoreLocation() { | |
| public final String sslTrustStoreLocation() { |
Haha, the Java spelling of TrustStore has an internal capital S.
It's a nit-pick, but I've spent too much time chasing down Elasticsearch vs. OpenSearch inconsistencies 😆 I only care about the public methods and classnames though!
There was a problem hiding this comment.
Absolutely. As a pedant myself 😄 , I shouldn't have missed it. And will definitely fix it.
There was a problem hiding this comment.
Fixed this in the latest commit.
|
|
||
| final var config = new HttpSinkConfig(properties); | ||
| assertThat(config.sslTruststoreLocation()).isEqualTo("/path/to/truststore.jks"); | ||
| assertThat(config.sslTruststorePassword()).isEqualTo("password123"); |
There was a problem hiding this comment.
If I understand correctly (especially for TrustStores), the password is only used to check integrity.
There was a problem hiding this comment.
Correct. Password for the trust stores is only for integrity.
Your assumption about the usecase is correct. To your question about whether telling the connector where to connect is already an explicit allow list, and why there is a need for more security, I dont think that is valid. The trust store ensures that the https endpoint being reached is not compromised by some bad actors (or due to some DNS trickery). This is especially true when the https endpoint is managed/controlled by someone external to the org that is running the connector. Let me know if that makes sense. |
… done. Also changed 'Truststore' to 'TrustStore' (note the 'S' in caps)
|
I have answered all questions asked so far and also made the suggested changes. Please take a look and let me know if you have more feedback. |
|
Oh my, this is amazing -- I was just going to log in and say not to bother doing the generated truststore exercise, because it was too difficult 😆 Really nice work, I appreciate you taking the time to educate us on your use cases. I'll merge this as soon as the CI passes! |
|
Ooops, looks like it's missing a dependency for the trust store generation! I still think it's a good idea (to not check in a truststore binary), but if you just want to revert that chunk of code, we can make an issue to future-proof that part later! Up to you -- I'm happy with the tests, and the non-test code looks just right! |
madhavvishnubhatta
dismissed stale reviews from RyanSkraba and Claudenw
via
0d21144
I have pushed in another commit with the dependencies. Let me check if the CI passes now. |
Just to be transparent, I used Amazon Q Developer to help 🙂 |
|
Can someone approve this workflow so that I can debug failures (if any)? |
|
LGTM, thanks again! |
|
@RyanSkraba What is the release policy? Any idea when the next release will be, of which this will be a part? |
5 participants
Added custom trust store support. Can you please review this?
This will fix the issue #293
I tested this with both http and https (with custom trust store) endpoints.