feat: add mTLS client certificate support

phillipleblanc · phillipleblanc · commit 283b42da7fa5 · 2026-05-12T18:06:50.000+09:00
diff --git a/src/main/java/ai/spice/SpiceClient.java b/src/main/java/ai/spice/SpiceClient.java
@@ -156,6 +156,9 @@ public class SpiceClient implements AutoCloseable {
     private URI flightAddress;
     private URI httpAddress;
     private int maxRetries;
+    private String tlsClientCertFile;
+    private String tlsClientKeyFile;
+    private String tlsRootCertFile;
     private FlightSqlClient flightClient;
     private CredentialCallOption authCallOptions = null;
     private BufferAllocator allocator;
@@ -200,11 +203,24 @@ public static SpiceClientBuilder builder() throws URISyntaxException {
      */
     public SpiceClient(String appId, String apiKey, URI flightAddress, URI httpAddress, int maxRetries,
             String userAgent, long memoryLimitMB) {
+        this(appId, apiKey, flightAddress, httpAddress, maxRetries, userAgent, memoryLimitMB, null, null);
+    }
+
+    public SpiceClient(String appId, String apiKey, URI flightAddress, URI httpAddress, int maxRetries,
+            String userAgent, long memoryLimitMB, String tlsClientCertFile, String tlsClientKeyFile) {
+        this(appId, apiKey, flightAddress, httpAddress, maxRetries, userAgent, memoryLimitMB, tlsClientCertFile, tlsClientKeyFile, null);
+    }
+
+    public SpiceClient(String appId, String apiKey, URI flightAddress, URI httpAddress, int maxRetries,
+            String userAgent, long memoryLimitMB, String tlsClientCertFile, String tlsClientKeyFile, String tlsRootCertFile) {
         this.appId = appId;
         this.apiKey = apiKey;
         this.maxRetries = maxRetries;
         this.httpAddress = httpAddress;
         this.userAgent = userAgent;
+        this.tlsClientCertFile = tlsClientCertFile;
+        this.tlsClientKeyFile = tlsClientKeyFile;
+        this.tlsRootCertFile = tlsRootCertFile;
 
         // Arrow Flight requires URI to be grpc protocol, convert http/https for
         // convinience
@@ -274,8 +290,17 @@ private synchronized void buildFlightClient() {
         NettyChannelBuilder channelBuilder = NettyChannelBuilder.forTarget(target);
         if (useTls) {
             try {
+                var sslContextBuilder = GrpcSslContexts.forClient();
+                if (this.tlsClientCertFile != null && this.tlsClientKeyFile != null) {
+                    sslContextBuilder.keyManager(
+                            new java.io.File(this.tlsClientCertFile),
+                            new java.io.File(this.tlsClientKeyFile));
+                }
+                if (this.tlsRootCertFile != null) {
+                    sslContextBuilder.trustManager(new java.io.File(this.tlsRootCertFile));
+                }
                 channelBuilder.useTransportSecurity()
-                        .sslContext(GrpcSslContexts.forClient().build());
+                        .sslContext(sslContextBuilder.build());
             } catch (Exception e) {
                 throw new RuntimeException("Failed to configure TLS for Flight client", e);
             }
diff --git a/src/main/java/ai/spice/SpiceClientBuilder.java b/src/main/java/ai/spice/SpiceClientBuilder.java
@@ -39,6 +39,9 @@ public class SpiceClientBuilder {
     private URI httpAddress;
     private int maxRetries = 3;
     private long memoryLimitMB = Long.MAX_VALUE; // Default is all available memory.
+    private String tlsClientCertFile;
+    private String tlsClientKeyFile;
+    private String tlsRootCertFile;
 
     /**
      * Constructs a new SpiceClientBuilder instance
@@ -167,12 +170,48 @@ public SpiceClientBuilder withArrowMemoryLimitMB(long memoryLimitMB) {
         return this;
     }
 
+    /**
+     * Sets the path to a PEM-encoded client certificate file for mTLS.
+     * Must be used together with {@link #withTlsClientKeyFile(String)}.
+     *
+     * @param certFile Path to the client certificate PEM file
+     * @return The current instance of SpiceClientBuilder for method chaining.
+     */
+    public SpiceClientBuilder withTlsClientCertFile(String certFile) {
+        this.tlsClientCertFile = certFile;
+        return this;
+    }
+
+    /**
+     * Sets the path to a PEM-encoded client private key file for mTLS.
+     * Must be used together with {@link #withTlsClientCertFile(String)}.
+     *
+     * @param keyFile Path to the client private key PEM file
+     * @return The current instance of SpiceClientBuilder for method chaining.
+     */
+    public SpiceClientBuilder withTlsClientKeyFile(String keyFile) {
+        this.tlsClientKeyFile = keyFile;
+        return this;
+    }
+
+    /**
+     * Sets the path to a PEM-encoded CA certificate file for server verification.
+     * When set, this CA is used instead of the system trust store.
+     *
+     * @param caFile Path to the CA certificate PEM file
+     * @return The current instance of SpiceClientBuilder for method chaining.
+     */
+    public SpiceClientBuilder withTlsRootCertFile(String caFile) {
+        this.tlsRootCertFile = caFile;
+        return this;
+    }
+
     /**
      * Creates SpiceClient with provided parameters.
      *
      * @return The SpiceClient instance
      */
     public SpiceClient build() {
-        return new SpiceClient(appId, apiKey, flightAddress, httpAddress, maxRetries, userAgent, memoryLimitMB);
+        return new SpiceClient(appId, apiKey, flightAddress, httpAddress, maxRetries, userAgent, memoryLimitMB, tlsClientCertFile, tlsClientKeyFile, tlsRootCertFile);
     }
 }
