chore: migrate to subscribeToCertificateUpdates API (#71)

jbutler · web-flow · commit a0336fe5116e · 2022-06-20T22:59:36.000-06:00
diff --git a/pom.xml b/pom.xml
@@ -43,27 +43,27 @@
         <dependency>
             <groupId>com.aws.greengrass</groupId>
             <artifactId>client-devices-auth</artifactId>
-            <version>2.0.0-SNAPSHOT</version>
+            <version>2.2.0-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>com.aws.greengrass</groupId>
             <artifactId>nucleus</artifactId>
-            <version>2.2.0-SNAPSHOT</version>
+            <version>2.6.0-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.paho</groupId>
-            <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
-            <version>[1.2.5,)</version>
-        </dependency>
         <dependency>
             <groupId>com.aws.greengrass</groupId>
             <artifactId>nucleus</artifactId>
-            <version>2.2.0-SNAPSHOT</version>
+            <version>2.6.0-SNAPSHOT</version>
             <type>test-jar</type>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.eclipse.paho</groupId>
+            <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
+            <version>[1.2.5,)</version>
+        </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
             <artifactId>lombok</artifactId>
@@ -76,21 +76,6 @@
             <version>0.12.1</version>
             <scope>test</scope>
         </dependency>
-        <!-- This dependency is also shadowed in Nucleus because I import moquette for testing.
-        Have to import it explicitly here-->
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>1.7.30</version>
-            <scope>test</scope>
-        </dependency>
-        <!-- This dependency is also shadowed in Nucleus because I import moquette for testing.
-        Have to import it explicitly here-->
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-annotations</artifactId>
-            <version>2.11.2</version>
-        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-api</artifactId>
diff --git a/recipe.json b/recipe.json
@@ -7,7 +7,7 @@
   "ComponentPublisher": "{COMPONENT_PUBLISHER}",
   "ComponentDependencies": {
     "aws.greengrass.clientdevices.Auth": {
-      "VersionRequirement": ">=2.0.0 <2.2.0",
+      "VersionRequirement": ">=2.2.0 <2.3.0",
       "DependencyType": "HARD"
     }
   },
diff --git a/src/main/java/com/aws/greengrass/mqttbridge/MQTTBridge.java b/src/main/java/com/aws/greengrass/mqttbridge/MQTTBridge.java
@@ -6,18 +6,17 @@
 package com.aws.greengrass.mqttbridge;
 
 import com.aws.greengrass.builtin.services.pubsub.PubSubIPCEventStreamAgent;
-import com.aws.greengrass.certificatemanager.certificate.CsrProcessingException;
 import com.aws.greengrass.componentmanager.KernelConfigResolver;
 import com.aws.greengrass.config.Node;
 import com.aws.greengrass.config.Topics;
 import com.aws.greengrass.config.WhatHappened;
 import com.aws.greengrass.dependency.ImplementsService;
 import com.aws.greengrass.dependency.State;
 import com.aws.greengrass.device.ClientDevicesAuthService;
+import com.aws.greengrass.device.exception.CertificateGenerationException;
 import com.aws.greengrass.lifecyclemanager.Kernel;
 import com.aws.greengrass.lifecyclemanager.PluginService;
 import com.aws.greengrass.lifecyclemanager.exceptions.ServiceLoadException;
-import com.aws.greengrass.mqttbridge.auth.CsrGeneratingException;
 import com.aws.greengrass.mqttbridge.auth.MQTTClientKeyStore;
 import com.aws.greengrass.mqttbridge.clients.IoTCoreClient;
 import com.aws.greengrass.mqttbridge.clients.MQTTClient;
@@ -116,7 +115,7 @@ public void install() {
     public void startup() {
         try {
             mqttClientKeyStore.init();
-        } catch (CsrProcessingException | KeyStoreException | CsrGeneratingException e) {
+        } catch (KeyStoreException | CertificateGenerationException e) {
             serviceErrored(e);
             return;
         }
@@ -163,6 +162,8 @@ public void startup() {
 
     @Override
     public void shutdown() {
+        mqttClientKeyStore.shutdown();
+
         messageBridge.removeMessageClient(TopicMapping.TopicType.LocalMqtt);
         if (mqttClient != null) {
             mqttClient.stop();
diff --git a/src/main/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStore.java b/src/main/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStore.java
@@ -5,32 +5,34 @@
 
 package com.aws.greengrass.mqttbridge.auth;
 
-import com.aws.greengrass.certificatemanager.CertificateManager;
-import com.aws.greengrass.certificatemanager.certificate.CertificateRequestGenerator;
-import com.aws.greengrass.certificatemanager.certificate.CsrProcessingException;
+import com.aws.greengrass.device.ClientDevicesAuthServiceApi;
+import com.aws.greengrass.device.api.CertificateUpdateEvent;
+import com.aws.greengrass.device.api.GetCertificateRequest;
+import com.aws.greengrass.device.api.GetCertificateRequestOptions;
+import com.aws.greengrass.device.exception.CertificateGenerationException;
 import com.aws.greengrass.logging.api.Logger;
 import com.aws.greengrass.logging.impl.LogManager;
+import com.aws.greengrass.mqttbridge.MQTTBridge;
 import lombok.AccessLevel;
 import lombok.Getter;
-import org.bouncycastle.operator.OperatorCreationException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyManagementException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.concurrent.CopyOnWriteArrayList;
+import java.util.stream.Stream;
 import javax.inject.Inject;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -40,19 +42,13 @@
 public class MQTTClientKeyStore {
     private static final Logger LOGGER = LogManager.getLogger(MQTTClientKeyStore.class);
     static final char[] DEFAULT_KEYSTORE_PASSWORD = "".toCharArray();
-    private static final String DEFAULT_CN = "aws-greengrass-mqttbridge";
     static final String KEY_ALIAS = "aws-greengrass-mqttbridge";
-    private static final String RSA_KEY_INSTANCE = "RSA";
-    private static final int RSA_KEY_LENGTH = 2048;
 
     @Getter(AccessLevel.PACKAGE)
     private KeyStore keyStore;
-
-    private KeyPair keyPair;
-
-    private final CertificateManager certificateManager;
-
+    private final ClientDevicesAuthServiceApi clientDevicesAuthServiceApi;
     private final List<UpdateListener> updateListeners = new CopyOnWriteArrayList<>();
+    private final GetCertificateRequest clientCertificateRequest;
 
     @FunctionalInterface
     public interface UpdateListener {
@@ -62,56 +58,51 @@ public interface UpdateListener {
     /**
      * Constructor for MQTTClient KeyStore.
      *
-     * @param certificateManager certificate manager for subscribing to cert updates
+     * @param clientDevicesAuthServiceApi client devices auth api for subscribing to cert updates
      */
     @Inject
-    public MQTTClientKeyStore(CertificateManager certificateManager) {
-        this.certificateManager = certificateManager;
+    public MQTTClientKeyStore(ClientDevicesAuthServiceApi clientDevicesAuthServiceApi) {
+        GetCertificateRequestOptions options = new GetCertificateRequestOptions();
+        options.setCertificateType(GetCertificateRequestOptions.CertificateType.CLIENT);
+        this.clientCertificateRequest = new GetCertificateRequest(MQTTBridge.SERVICE_NAME, options, this::updateCert);
+        this.clientDevicesAuthServiceApi = clientDevicesAuthServiceApi;
     }
 
     /**
      * Initialize keypair and keystore and subscribe to cert updates.
      *
-     * @throws CsrProcessingException if unable to subscribe with csr
-     * @throws KeyStoreException      if unable to generate keypair or load keystore
-     * @throws CsrGeneratingException if unable to generate csr
+     * @throws KeyStoreException              if unable to generate keypair or load keystore
+     * @throws CertificateGenerationException if unable to request a client certificate
      */
-    public void init() throws CsrProcessingException, KeyStoreException, CsrGeneratingException {
-        try {
-            keyPair = newRSAKeyPair();
-        } catch (NoSuchAlgorithmException e) {
-            throw new KeyStoreException("unable to generate keypair for key store", e);
-        }
-
+    public void init() throws KeyStoreException, CertificateGenerationException {
         keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
         try {
             keyStore.load(null, DEFAULT_KEYSTORE_PASSWORD);
         } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
             throw new KeyStoreException("Unable to load keystore", e);
         }
 
-        String csr;
-        try {
-            //client cert doesn't require SANs
-            csr = CertificateRequestGenerator.createCSR(keyPair, DEFAULT_CN, null,  null);
-        } catch (IOException | OperatorCreationException e) {
-            throw new CsrGeneratingException("Unable to generate CSR from keypair", e);
-        }
-        certificateManager.subscribeToClientCertificateUpdates(csr, this::updateCert);
+        clientDevicesAuthServiceApi.subscribeToCertificateUpdates(clientCertificateRequest);
     }
 
-    private KeyPair newRSAKeyPair() throws NoSuchAlgorithmException {
-        KeyPairGenerator kpg = KeyPairGenerator.getInstance(RSA_KEY_INSTANCE);
-        kpg.initialize(RSA_KEY_LENGTH);
-        return kpg.generateKeyPair();
+    /**
+     * Shutdown client key store.
+     */
+    public void shutdown() {
+        clientDevicesAuthServiceApi.unsubscribeFromCertificateUpdates(clientCertificateRequest);
     }
 
-    private void updateCert(X509Certificate... certChain) {
+    private void updateCert(CertificateUpdateEvent certificateUpdate) {
         try {
             LOGGER.atDebug().log("Storing new client certificate to be used on next connect attempt");
-            keyStore.setKeyEntry(KEY_ALIAS, keyPair.getPrivate(), DEFAULT_KEYSTORE_PASSWORD, certChain);
+            X509Certificate[] certChain = Stream.concat(
+                            Stream.of(certificateUpdate.getCertificate()),
+                            Arrays.stream(certificateUpdate.getCaCertificates()))
+                    .toArray(X509Certificate[]::new);
+            keyStore.setKeyEntry(
+                    KEY_ALIAS, certificateUpdate.getKeyPair().getPrivate(), DEFAULT_KEYSTORE_PASSWORD, certChain);
         } catch (KeyStoreException e) {
-            LOGGER.atError("Unable to store generated cert", e);
+            LOGGER.atError().log("Unable to store generated cert", e);
         }
     }
 
diff --git a/src/test/java/com/aws/greengrass/mqttbridge/MQTTBridgeTest.java b/src/test/java/com/aws/greengrass/mqttbridge/MQTTBridgeTest.java
@@ -86,6 +86,9 @@ public class MQTTBridgeTest extends GGServiceTestUtil {
 
     @BeforeEach
     void setup() throws IOException {
+        // Set this property for kernel to scan its own classpath to find plugins
+        System.setProperty("aws.greengrass.scanSelfClasspath", "true");
+
         kernel = new Kernel();
         kernel.getContext().put(CertificateManager.class, mockCertificateManager);
         IConfig defaultConfig = new MemoryConfig(new Properties());
diff --git a/src/test/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStoreTest.java b/src/test/java/com/aws/greengrass/mqttbridge/auth/MQTTClientKeyStoreTest.java
@@ -5,39 +5,43 @@
 
 package com.aws.greengrass.mqttbridge.auth;
 
-import com.aws.greengrass.certificatemanager.CertificateManager;
+import com.aws.greengrass.device.ClientDevicesAuthServiceApi;
+import com.aws.greengrass.device.api.CertificateUpdateEvent;
+import com.aws.greengrass.device.api.GetCertificateRequest;
 import com.aws.greengrass.testcommons.testutilities.GGExtension;
-import java.security.cert.CertificateEncodingException;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocketFactory;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
+import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
-import java.util.function.Consumer;
-import javax.net.SocketFactory;
-import javax.net.ssl.SSLSocketFactory;
 
 import static com.aws.greengrass.mqttbridge.auth.MQTTClientKeyStore.DEFAULT_KEYSTORE_PASSWORD;
 import static com.aws.greengrass.mqttbridge.auth.MQTTClientKeyStore.KEY_ALIAS;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
-import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 
@@ -64,24 +68,33 @@ public class MQTTClientKeyStoreTest {
     private static final byte[] END_CERT = "\r\n-----END CERTIFICATE-----\r\n".getBytes(StandardCharsets.UTF_8);
 
     @Mock
-    private CertificateManager mockCertificateManager;
+    private ClientDevicesAuthServiceApi mockServiceApi;
+    private KeyPair keyPair;
+
+    @BeforeEach
+    void beforeEach() throws NoSuchAlgorithmException {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
+        kpg.initialize(2048);
+        keyPair = kpg.generateKeyPair();
+    }
 
     @Test
     void GIVEN_MQTTClientKeyStore_WHEN_initialized_THEN_keyAndCertGenerated() throws Exception {
-        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
+        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockServiceApi);
         mqttClientKeyStore.init();
 
-        ArgumentCaptor<Consumer<X509Certificate[]>> cbArgumentCaptor = ArgumentCaptor.forClass(Consumer.class);
-        verify(mockCertificateManager, times(1))
-                .subscribeToClientCertificateUpdates(any(String.class), cbArgumentCaptor.capture());
-        Consumer<X509Certificate[]> certCallback = cbArgumentCaptor.getValue();
+        ArgumentCaptor<GetCertificateRequest> cbArgumentCaptor = ArgumentCaptor.forClass(GetCertificateRequest.class);
+        verify(mockServiceApi, times(1))
+                .subscribeToCertificateUpdates(cbArgumentCaptor.capture());
+        GetCertificateRequest getCertificateRequest = cbArgumentCaptor.getValue();
 
         KeyStore keyStore = mqttClientKeyStore.getKeyStore();
         assertThat(keyStore.size(), is(0));
 
         X509Certificate certificate = pemToX509Certificate(CERTIFICATE);
-        X509Certificate[] chain = {certificate, certificate};
-        certCallback.accept(chain);
+        CertificateUpdateEvent certificateUpdate =
+                new CertificateUpdateEvent(keyPair, certificate, new X509Certificate[]{certificate});
+        getCertificateRequest.getCertificateUpdateConsumer().accept(certificateUpdate);
         assertThat(keyStore.size(), is(1));
 
         PrivateKey privateKey = (PrivateKey) keyStore.getKey(KEY_ALIAS, DEFAULT_KEYSTORE_PASSWORD);
@@ -100,7 +113,7 @@ private void verifyStoredCertificate(X509Certificate cert) throws CertificateEnc
 
     @Test
     void GIVEN_MQTTClientKeyStore_WHEN_called_updateCA_THEN_CA_stored() throws Exception {
-        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
+        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockServiceApi);
         mqttClientKeyStore.init();
         CountDownLatch updateLatch = new CountDownLatch(1);
         mqttClientKeyStore.listenToCAUpdates(updateLatch::countDown);
@@ -120,22 +133,23 @@ void GIVEN_MQTTClientKeyStore_WHEN_called_updateCA_THEN_CA_stored() throws Excep
 
     @Test
     void GIVEN_MQTTClientKeyStore_WHEN_getSSLSocketFactory_THEN_returns_SSLSocketFactory() throws Exception {
-        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockCertificateManager);
+        MQTTClientKeyStore mqttClientKeyStore = new MQTTClientKeyStore(mockServiceApi);
         mqttClientKeyStore.init();
         CountDownLatch updateLatch = new CountDownLatch(1);
         mqttClientKeyStore.listenToCAUpdates(updateLatch::countDown);
 
-        ArgumentCaptor<Consumer<X509Certificate[]>> cbArgumentCaptor = ArgumentCaptor.forClass(Consumer.class);
-        verify(mockCertificateManager, times(1))
-                .subscribeToClientCertificateUpdates(any(String.class), cbArgumentCaptor.capture());
-        Consumer<X509Certificate[]> certCallback = cbArgumentCaptor.getValue();
+        ArgumentCaptor<GetCertificateRequest> cbArgumentCaptor = ArgumentCaptor.forClass(GetCertificateRequest.class);
+        verify(mockServiceApi, times(1))
+                .subscribeToCertificateUpdates(cbArgumentCaptor.capture());
+        GetCertificateRequest certificateRequest = cbArgumentCaptor.getValue();
 
         KeyStore keyStore = mqttClientKeyStore.getKeyStore();
         assertThat(keyStore.size(), is(0));
 
         X509Certificate certificate = pemToX509Certificate(CERTIFICATE);
-        X509Certificate[] chain = {certificate, certificate};
-        certCallback.accept(chain);
+        CertificateUpdateEvent certificateUpdate =
+                new CertificateUpdateEvent(keyPair, certificate, new X509Certificate[]{certificate});
+        certificateRequest.getCertificateUpdateConsumer().accept(certificateUpdate);
         mqttClientKeyStore.updateCA(Collections.singletonList(CERTIFICATE));
         assertThat(updateLatch.await(100, TimeUnit.MILLISECONDS), is(true));
         assertThat(keyStore.size(), is(2));

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@`
`7`	`7`	`"ComponentPublisher": "{COMPONENT_PUBLISHER}",`
`8`	`8`	`"ComponentDependencies": {`
`9`	`9`	`"aws.greengrass.clientdevices.Auth": {`
`10`		`- "VersionRequirement": ">=2.0.0 <2.2.0",`
	`10`	`+ "VersionRequirement": ">=2.2.0 <2.3.0",`
`11`	`11`	`"DependencyType": "HARD"`
`12`	`12`	`}`
`13`	`13`	`},`