Enable mTLS for downstream clients (kroxylicious#1631)

Signed-off-by: Alan Robinson <[email protected]>
Co-authored-by: Sam Barker <[email protected]>
Co-authored-by: kwall <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -7,6 +7,7 @@ Format `<github issue/pr number>: <short description>`.
 
 ## SNAPSHOT
 
+* [#1561](https://github.com/kroxylicious/kroxylicious/pull/1631) Allow Trust and ClientAuth to be set for Downstream TLS
 * [#1550](https://github.com/kroxylicious/kroxylicious/pull/1550) Upgrade Apache Kafka from 3.8.0 to 3.9.0 #1550
 * [#1557](https://github.com/kroxylicious/kroxylicious/pull/1557) Bump io.micrometer:micrometer-bom from 1.13.5 to 1.13.6
 * [#1554](https://github.com/kroxylicious/kroxylicious/pull/1554) Bump apicurio-registry.version from 2.6.4.Final to 2.6.5.Final

kroxylicious-api/pom.xml

@@ -72,6 +72,10 @@
             <artifactId>junit-jupiter-params</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-annotations</artifactId>
+        </dependency>
     </dependencies>
 
     <build>

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/ServerOptions.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.proxy.config.tls;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+
+/**
+ * Options that control TLS negotiation when in server mode.
+ */
+public record ServerOptions(@Nullable TlsClientAuth clientAuth) implements TrustOptions {
+    @Override
+    public boolean forClient() {
+        return false;
+    }
+}

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/Tls.java

@@ -12,10 +12,8 @@
 /**
  * Provides TLS configuration for this peer.  This class is designed to be used for both TLS server and client roles.
  *
- * @param key   specifies a key provider that provides the certificate/key used to identify this peer.
+ * @param key specifies a key provider that provides the certificate/key used to identify this peer.
  * @param trust specifies a trust provider used by this peer to determine whether to trust the peer. If omitted platform trust is used instead.
- *
- * TODO ability to restrict by TLS protocol and cipher suite.
  */
 public record Tls(KeyProvider key,
                   TrustProvider trust) {
@@ -29,4 +27,5 @@ public static String getStoreTypeOrPlatformDefault(String storeType) {
     public boolean definesKey() {
         return key != null;
     }
+
 }

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/TlsClientAuth.java

@@ -0,0 +1,15 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.proxy.config.tls;
+
+public enum TlsClientAuth {
+
+    REQUIRED,
+    REQUESTED,
+    NONE;
+
+}

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/TrustOptions.java

@@ -0,0 +1,16 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.proxy.config.tls;
+
+import com.fasterxml.jackson.annotation.JsonSubTypes;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+
+@JsonTypeInfo(use = JsonTypeInfo.Id.DEDUCTION)
+@JsonSubTypes({ @JsonSubTypes.Type(ServerOptions.class) })
+public interface TrustOptions {
+    boolean forClient();
+}

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/TrustProvider.java

@@ -9,6 +9,8 @@
 import com.fasterxml.jackson.annotation.JsonSubTypes;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 
+import edu.umd.cs.findbugs.annotations.Nullable;
+
 /**
  * A TrustProvider is a source of trust anchors used to determine whether a certificate present by a peer is trusted.
  * <ul>
@@ -27,4 +29,13 @@ public interface TrustProvider {
      * @param visitor visitor.
      */
     <T> T accept(TrustProviderVisitor<T> visitor);
+
+    /**
+     * Trust options that apply to this TLS peer..
+     *
+     * @return trust options
+     */
+    default @Nullable TrustOptions trustOptions() {
+        return null;
+    }
 }

kroxylicious-api/src/main/java/io/kroxylicious/proxy/config/tls/TrustStore.java

@@ -13,26 +13,41 @@
 
 import io.kroxylicious.proxy.config.secret.PasswordProvider;
 
+import edu.umd.cs.findbugs.annotations.Nullable;
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 
 /**
  * A {@link TrustProvider} backed by a Java Truststore.
  *
- * @param storeFile             location of a key store, or reference to a PEM file containing both private-key/certificate/intermediates.
+ * @param storeFile location of a key store, or reference to a PEM file containing both private-key/certificate/intermediates.
  * @param storePasswordProvider provider for the store password or null if store does not require a password.
- * @param storeType             specifies the server key type. Legal values are those types supported by the platform {@link KeyStore},
- *                              and PEM (for X-509 certificates express in PEM format).
+ * @param storeType specifies the server key type. Legal values are those types supported by the platform {@link KeyStore},
+ *         and PEM (for X-509 certificates express in PEM format).
+ * @param trustOptions the trust options that will be applied to this peer.
  */
 @SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "The paths provide the location for key material which may exist anywhere on the file-system. Paths are provided by the user in the administrator role via Kroxylicious configuration. ")
 public record TrustStore(@JsonProperty(required = true) String storeFile,
                          @JsonProperty(value = "storePassword") PasswordProvider storePasswordProvider,
-                         String storeType)
+                         String storeType,
+                         @Nullable @JsonProperty(value = "trustOptions") TrustOptions trustOptions)
         implements TrustProvider {
 
     public TrustStore {
         Objects.requireNonNull(storeFile);
     }
 
+    /**
+     * A {@link TrustProvider} backed by a Java Truststore.
+     *
+     * @param storeFile location of a key store, or reference to a PEM file containing both private-key/certificate/intermediates.
+     * @param storePasswordProvider provider for the store password or null if store does not require a password.
+     * @param storeType specifies the server key type. Legal values are those types supported by the platform {@link KeyStore},
+     *         and PEM (for X-509 certificates express in PEM format).
+     */
+    public TrustStore(String storeFile, PasswordProvider storePasswordProvider, String storeType) {
+        this(storeFile, storePasswordProvider, storeType, null);
+    }
+
     public String getType() {
         return Tls.getStoreTypeOrPlatformDefault(storeType);
     }

kroxylicious-api/src/test/java/io/kroxylicious/proxy/config/tls/InsecureTlsTest.java

@@ -34,4 +34,10 @@ public InsecureTls visit(PlatformTrustProvider platformTrustProviderTls) {
         });
         assertThat(result).isSameAs(trustProvider);
     }
+
+    @Test
+    void testNoTrustOptions() {
+        TrustProvider trustProvider = new InsecureTls(true);
+        assertThat(trustProvider.trustOptions()).isNull();
+    }
 }

kroxylicious-api/src/test/java/io/kroxylicious/proxy/config/tls/TlsParseTest.java

@@ -205,6 +205,25 @@ void testTrustStoreStoreFilePathPassword() throws IOException {
         assertThat(tls).isEqualTo(new Tls(null, new TrustStore("/tmp/file", new FilePassword("/tmp/pass"), null)));
     }
 
+    @Test
+    void testTrustStoreStoreWithClientAuth() throws IOException {
+        String json = """
+                {
+                    "trust": {
+                        "storeFile": "/tmp/file",
+                        "storePassword": {
+                            "filePath": "/tmp/pass"
+                        },
+                        "trustOptions": {
+                            "clientAuth": "REQUIRED"
+                        }
+                    }
+                }
+                """;
+        Tls tls = readTls(json);
+        assertThat(tls).isEqualTo(new Tls(null, new TrustStore("/tmp/file", new FilePassword("/tmp/pass"), null, new ServerOptions(TlsClientAuth.REQUIRED))));
+    }
+
     @Test
     void testTrustStoreStoreFileType() throws IOException {
         String json = """