From 6d18886f7359996b6f6be171ff4bb6feded46c56 Mon Sep 17 00:00:00 2001
From: Guillaume Le Floch
Date: Thu, 28 May 2020 14:34:15 +0200
Subject: [PATCH] Add global quarkus.tls.trust-all configuration property

---
 .../java/io/quarkus/runtime/TlsConfig.java | 19 +++++++++++++
 .../runtime/KubernetesClientBuildConfig.java | 4 ++-
 .../io/quarkus/mailer/runtime/MailConfig.java | 4 ++-
 .../io/quarkus/oidc/OidcTenantConfig.java | 27 ++++---------------
 .../io/quarkus/oidc/runtime/OidcRecorder.java | 3 +--
 .../java/io/quarkus/vault/VaultProcessor.java | 6 +++--
 .../quarkus/vault/runtime/VaultManager.java | 18 +++++++++----
 .../quarkus/vault/runtime/VaultRecorder.java | 6 +++--
 .../vault/runtime/VaultServiceProducer.java | 5 ++--
 .../runtime/client/OkHttpClientFactory.java | 7 ++---
 .../runtime/client/OkHttpVaultClient.java | 5 ++--
 .../runtime/config/VaultConfigSource.java | 21 +++++++++++++--
 .../vault/runtime/config/VaultTlsConfig.java | 5 ++--
 .../vault/runtime/VaultAuthManagerTest.java | 3 ++-
 .../vault/runtime/VaultDbManagerTest.java | 3 ++-
 .../runtime/config/EventBusConfiguration.java | 4 ++-
 .../src/main/resources/application.properties | 3 ++-
 .../application-vault-multi-path.properties | 3 ++-
 .../application-vault-totp.properties | 3 ++-
 ...cation-vault-userpass-kvv2-wrap.properties | 1 -
 .../vault/test/VaultTestExtension.java | 5 +++-
 .../vault/test/client/TestVaultClient.java | 7 ++---
 22 files changed, 105 insertions(+), 57 deletions(-)
 create mode 100644 core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java

diff --git a/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java b/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
new file mode 100644
index 00000000000000..967fd6cb4c14b0
--- /dev/null
+++ b/core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java
@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+ * Configuration class allowing to globally set TLS properties.
+ */
+@ConfigRoot(phase = ConfigPhase.RUN_TIME)
+public class TlsConfig {
+
+ /**
+ * Enable trusting all certificates. Disable by default.
+ */
+ @ConfigItem(defaultValue = "false")
+ public boolean trustAll;
+
+}
diff --git a/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java b/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java
index a5512d5d1f28c6..f40855f6fd142a 100644
--- a/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java
+++ b/extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java
@@ -12,8 +12,10 @@ public class KubernetesClientBuildConfig {
 
 /**
 * Whether or not the client should trust a self signed certificate if so presented by the API server
+ *
+ * @deprecated use quarkus.tls.trust-all instead
 */
- @ConfigItem
+ @ConfigItem(defaultValue = "${quarkus.tls.trust-all}")
 public boolean trustCerts;
 
 /**
diff --git a/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java b/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java
index 6a12c598d04d3a..5166197eb165b8 100644
--- a/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java
+++ b/extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java
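Review bot: The Javadoc on `trustAll` undersells its blast radius: the other hunks wire `${quarkus.tls.trust-all}` into the per-client flags of the Kubernetes client, the mailer, the Vert.x event bus and OIDC, and OkHttpClientFactory ORs it into the Vault client's skip-verify, so one property disables certificate validation (and, in OidcRecorder, hostname verification) for every outbound TLS connection the application makes. I would say that on the field rather than leaving it to each extension, e.g. `/** Trust every TLS certificate, skipping validation for all extensions that honour this flag (Kubernetes client, mailer, event bus, OIDC, Vault). Meant for development against self-signed endpoints; keep it false in production. Disabled by default. */`. "Disable by default" should also read "Disabled by default".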
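Review bot: `trustCerts` gains a `@deprecated` Javadoc tag without a matching `@Deprecated` annotation, so javac's dep-ann lint flags it and nothing warns users at compile time; the same applies to `trustAll` in MailConfig and EventBusConfiguration and to `skipVerify` in VaultTlsConfig. I would add `@Deprecated` beside `@ConfigItem` on each and spell out the precedence in the Javadoc, e.g. `* Defaults to the value of quarkus.tls.trust-all; an explicit value for this property still overrides the global one.` Note that the Vault client does not follow that rule — OkHttpClientFactory ORs `skipVerify` with `tlsConfig.trustAll`, so there the per-extension property cannot re-enable verification once the global flag is set — and the docs should reflect whichever behaviour is intended. If KubernetesClientBuildConfig is a build-time root, it is also worth confirming that `${quarkus.tls.trust-all}` resolves when the user has not set it, since its `false` default lives on a RUN_TIME root.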
@@ -66,8 +66,10 @@ public class MailConfig { /** * Set whether to trust all certificates on ssl connect the option is also * applied to {@code STARTTLS} operation. {@code false} by default. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem + @ConfigItem(defaultValue = "${quarkus.tls.trust-all}") public boolean trustAll; /** diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java index bff3ce5fe8ee81..fd1aca4389b04e 100644 --- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java @@ -166,31 +166,14 @@ public class OidcTenantConfig { @ConfigGroup public static class Tls { - public enum Verification { - /** - * Certificates are validated and hostname verification is enabled. This is the default value. - */ - REQUIRED, - /** - * All certificated are trusted and hostname verification is disabled. - */ - NONE - } /** - * Certificate validation and hostname verification, which can be one of the following values from enum - * {@link Verification}. Default is required. + * Enable or disable certificate validation and hostname verification. Enable by default. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem(defaultValue = "REQUIRED") - public Verification verification; - - public Verification getVerification() { - return verification; - } - - public void setVerification(Verification verification) { - this.verification = verification; - } + @ConfigItem(defaultValue = "${quarkus.tls.trust-all}") + public boolean verification; } diff --git a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java index bf5cca5ef6fea3..8b7895631454c6 100644 
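Review bot: The new `boolean verification` reads backwards: OidcRecorder (next hunk) does `if (oidcConfig.tls.verification) { options.setTrustAll(true); options.setVerifyHost(false); }`, so `quarkus.oidc.tls.verification=true` disables certificate validation and hostname verification while the Javadoc says it enables them, and a user who sets it to harden the client gets the opposite. I would name the field after what it does, `@ConfigItem(defaultValue = "${quarkus.tls.trust-all}") public boolean trustAll;`, change the recorder to `if (oidcConfig.tls.trustAll)`, and document it as `Trust all certificates and skip hostname verification; defaults to quarkus.tls.trust-all.` Removing the public `Verification` enum and its accessors is also a breaking change for this config group: an existing `quarkus.oidc.tls.verification=none` (the OIDC integration test drops exactly that line) is now fed to a boolean converter, and it is worth confirming that it fails at startup rather than silently mapping to false.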
--- a/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java +++ b/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java @@ -16,7 +16,6 @@ import io.quarkus.oidc.OidcTenantConfig.Credentials; import io.quarkus.oidc.OidcTenantConfig.Credentials.Secret; import io.quarkus.oidc.OidcTenantConfig.Roles.Source; -import io.quarkus.oidc.OidcTenantConfig.Tls.Verification; import io.quarkus.runtime.annotations.Recorder; import io.quarkus.runtime.configuration.ConfigurationException; import io.smallrye.mutiny.Uni; @@ -192,7 +191,7 @@ private TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oi options.setProxyOptions(proxyOpt.get()); } - if (oidcConfig.tls.verification == Verification.NONE) { + if (oidcConfig.tls.verification) { options.setTrustAll(true); options.setVerifyHost(false); } diff --git a/extensions/vault/deployment/src/main/java/io/quarkus/vault/VaultProcessor.java b/extensions/vault/deployment/src/main/java/io/quarkus/vault/VaultProcessor.java index cf21623dd2f5be..28d88c86b16aa5 100644 --- a/extensions/vault/deployment/src/main/java/io/quarkus/vault/VaultProcessor.java +++ b/extensions/vault/deployment/src/main/java/io/quarkus/vault/VaultProcessor.java @@ -17,6 +17,7 @@ import io.quarkus.deployment.builditem.RunTimeConfigurationSourceBuildItem; import io.quarkus.deployment.builditem.SslNativeConfigBuildItem; import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem; +import io.quarkus.runtime.TlsConfig; import io.quarkus.smallrye.health.deployment.spi.HealthBuildItem; import io.quarkus.vault.runtime.Base64StringDeserializer; import io.quarkus.vault.runtime.Base64StringSerializer; 
@@ -73,8 +74,9 @@ AdditionalBeanBuildItem registerAdditionalBeans() { @Record(ExecutionTime.RUNTIME_INIT) @BuildStep - void configure(VaultRecorder recorder, VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) { - recorder.configureRuntimeProperties(buildTimeConfig, serverConfig); + void configure(VaultRecorder recorder, VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig, + TlsConfig tlsConfig) { + recorder.configureRuntimeProperties(buildTimeConfig, serverConfig, tlsConfig); } @BuildStep diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultManager.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultManager.java index 1e16877d988bd5..c45100fc838e92 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultManager.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultManager.java @@ -1,5 +1,6 @@ package io.quarkus.vault.runtime; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.runtime.client.OkHttpVaultClient; import io.quarkus.vault.runtime.client.VaultClient; import io.quarkus.vault.runtime.config.VaultBuildTimeConfig; @@ -11,6 +12,7 @@ public class VaultManager { private VaultRuntimeConfig serverConfig; private VaultBuildTimeConfig buildTimeConfig; + private TlsConfig tlsConfig; private VaultClient vaultClient; private VaultAuthManager vaultAuthManager; @@ -26,9 +28,9 @@ public static VaultManager getInstance() { return instance; } - public static void init(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) { + public static void init(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { if (instance == null) { - instance = new VaultManager(buildTimeConfig, serverConfig); + instance = new VaultManager(buildTimeConfig, serverConfig, tlsConfig); } } 
@@ -36,13 +38,15 @@ public static void reset() { instance = null; } - public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig) { - this(vaultBuildTimeConfig, serverConfig, new OkHttpVaultClient(serverConfig)); + public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { + this(vaultBuildTimeConfig, serverConfig, new OkHttpVaultClient(serverConfig, tlsConfig), tlsConfig); } - public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, VaultClient vaultClient) { + public VaultManager(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig serverConfig, VaultClient vaultClient, + TlsConfig tlsConfig) { this.serverConfig = serverConfig; this.vaultClient = vaultClient; + this.tlsConfig = tlsConfig; this.buildTimeConfig = vaultBuildTimeConfig; this.vaultAuthManager = new VaultAuthManager(this.vaultClient, serverConfig); this.vaultKvManager = new VaultKvManager(this.vaultAuthManager, this.vaultClient, serverConfig); @@ -87,6 +91,10 @@ public VaultRuntimeConfig getServerConfig() { return serverConfig; } + public TlsConfig getTlsConfig() { + return tlsConfig; + } + public VaultBuildTimeConfig getBuildTimeConfig() { return buildTimeConfig; } diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultRecorder.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultRecorder.java index 1578de99956f7a..bc25e869776a22 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultRecorder.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultRecorder.java @@ -3,6 +3,7 @@ import org.jboss.logging.Logger; import io.quarkus.arc.Arc; +import io.quarkus.runtime.TlsConfig; import io.quarkus.runtime.annotations.Recorder; import io.quarkus.vault.runtime.config.VaultBuildTimeConfig; import io.quarkus.vault.runtime.config.VaultRuntimeConfig; 
@@ -12,11 +13,12 @@ public class VaultRecorder { private static final Logger log = Logger.getLogger(VaultRecorder.class); - public void configureRuntimeProperties(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig vaultRuntimeConfig) { + public void configureRuntimeProperties(VaultBuildTimeConfig vaultBuildTimeConfig, VaultRuntimeConfig vaultRuntimeConfig, + TlsConfig tlsConfig) { if (vaultRuntimeConfig.url.isPresent()) { VaultServiceProducer producer = Arc.container().instance(VaultServiceProducer.class).get(); - producer.setVaultConfigs(vaultBuildTimeConfig, vaultRuntimeConfig); + producer.setVaultConfigs(vaultBuildTimeConfig, vaultRuntimeConfig, tlsConfig); } } diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultServiceProducer.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultServiceProducer.java index 06e4c5a40ed1a2..0c98c37bd6718a 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultServiceProducer.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultServiceProducer.java @@ -6,6 +6,7 @@ import javax.inject.Named; import io.quarkus.credentials.CredentialsProvider; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.VaultKVSecretEngine; import io.quarkus.vault.VaultSystemBackendEngine; import io.quarkus.vault.VaultTOTPSecretEngine; @@ -58,7 +59,7 @@ public void close() { VaultManager.reset(); } - public void setVaultConfigs(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig) { - VaultManager.init(buildTimeConfig, serverConfig); + public void setVaultConfigs(VaultBuildTimeConfig buildTimeConfig, VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { + VaultManager.init(buildTimeConfig, serverConfig, tlsConfig); } } 
diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java index b1f9a896ffb6c9..30b856a984b80f 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpClientFactory.java @@ -3,7 +3,7 @@ import static io.quarkus.vault.runtime.client.CertificateHelper.createSslContext; import static io.quarkus.vault.runtime.client.CertificateHelper.createTrustManagers; import static io.quarkus.vault.runtime.config.VaultAuthenticationType.KUBERNETES; -import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.KUBERNETES_CACERT; +import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.*; import java.io.IOException; import java.security.GeneralSecurityException; @@ -17,6 +17,7 @@ import org.jboss.logging.Logger; +import io.quarkus.runtime.TlsConfig; import io.quarkus.runtime.util.JavaVersionUtil; import io.quarkus.vault.VaultException; import io.quarkus.vault.runtime.config.VaultRuntimeConfig; @@ -27,7 +28,7 @@ public class OkHttpClientFactory { private static final Logger log = Logger.getLogger(OkHttpClientFactory.class.getName()); - public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig) { + public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { OkHttpClient.Builder builder = new OkHttpClient.Builder() .connectTimeout(serverConfig.connectTimeout) @@ -40,7 +41,7 @@ public static OkHttpClient createHttpClient(VaultRuntimeConfig serverConfig) { } try { - if (serverConfig.tls.skipVerify) { + if (serverConfig.tls.skipVerify || tlsConfig.trustAll) { skipVerify(builder); } else if (serverConfig.tls.caCert.isPresent()) { cacert(builder, serverConfig.tls.caCert.get()); 
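Review bot: The explicit `import static ...VaultRuntimeConfig.KUBERNETES_CACERT` was widened to `VaultRuntimeConfig.*`, but no other member of that class is used in the visible hunks, so the explicit import should stay (wildcard imports are otherwise avoided here). The new condition `serverConfig.tls.skipVerify || tlsConfig.trustAll` is the one place where certificate checking is switched off for the Vault client, and it happens silently; I would log it through the existing `log`, e.g. `log.warn("TLS certificate verification is disabled for the Vault client (quarkus.vault.tls.skip-verify or quarkus.tls.trust-all)");` right before `skipVerify(builder);`. createHttpClient continues outside the hunk.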
diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpVaultClient.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpVaultClient.java index 24f8682e9f4590..74fcc4757b40bb 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpVaultClient.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/client/OkHttpVaultClient.java @@ -16,6 +16,7 @@ import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.VaultException; import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleAuth; import io.quarkus.vault.runtime.client.dto.auth.VaultAppRoleAuthBody; @@ -83,8 +84,8 @@ public class OkHttpVaultClient implements VaultClient { private String kubernetesAuthMountPath; private ObjectMapper mapper = new ObjectMapper(); - public OkHttpVaultClient(VaultRuntimeConfig serverConfig) { - this.client = createHttpClient(serverConfig); + public OkHttpVaultClient(VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { + this.client = createHttpClient(serverConfig, tlsConfig); this.url = serverConfig.url.get(); this.mapper.configure(FAIL_ON_UNKNOWN_PROPERTIES, false); this.mapper.setSerializationInclusion(JsonInclude.Include.NON_NULL); diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultConfigSource.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultConfigSource.java index a7caf48362787f..bfd58bc159db4d 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultConfigSource.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultConfigSource.java 
@@ -43,6 +43,7 @@ import org.eclipse.microprofile.config.spi.ConfigSource; import org.jboss.logging.Logger; +import io.quarkus.runtime.TlsConfig; import io.quarkus.runtime.configuration.DurationConverter; import io.quarkus.vault.VaultException; import io.quarkus.vault.runtime.LogConfidentialityLevel; @@ -61,6 +62,7 @@ public class VaultConfigSource implements ConfigSource { private AtomicReference>> cache = new AtomicReference<>(null); private AtomicReference serverConfig = new AtomicReference<>(null); private AtomicReference buildServerConfig = new AtomicReference<>(null); + private AtomicReference tlsConfig = new AtomicReference<>(null); private AtomicBoolean init = new AtomicBoolean(false); private int ordinal; @@ -154,10 +156,11 @@ private VaultManager getVaultManager() { VaultBuildTimeConfig buildTimeConfig = getBuildtimeConfig(); VaultRuntimeConfig serverConfig = getRuntimeConfig(); + TlsConfig tlsConfig = getTlsConfig(); // init at most once if (init.compareAndSet(false, true)) { - VaultManager.init(buildTimeConfig, serverConfig); + VaultManager.init(buildTimeConfig, serverConfig, tlsConfig); } return VaultManager.getInstance(); @@ -167,6 +170,10 @@ private VaultRuntimeConfig getRuntimeConfig() { return getConfig(this.serverConfig, () -> loadRuntimeConfig(), "runtime"); } + private TlsConfig getTlsConfig() { + return getConfig(this.tlsConfig, () -> loadTlsConfig(), "tls"); + } + private VaultBuildTimeConfig getBuildtimeConfig() { return getConfig(this.buildServerConfig, () -> loadBuildtimeConfig(), "buildtime"); } 
@@ -204,6 +211,7 @@ private VaultRuntimeConfig loadRuntimeConfig() { VaultRuntimeConfig serverConfig = new VaultRuntimeConfig(); serverConfig.tls = new VaultTlsConfig(); + serverConfig.tls.skipVerify = Boolean.parseBoolean(getProperty("quarkus.tls.trust-all", "false")); serverConfig.transit = new VaultTransitConfig(); serverConfig.authentication = new VaultAuthenticationConfig(); serverConfig.authentication.userpass = new VaultUserpassAuthenticationConfig(); @@ -250,6 +258,12 @@ private VaultRuntimeConfig loadRuntimeConfig() { return serverConfig; } + private TlsConfig loadTlsConfig() { + TlsConfig tlsConfig = new TlsConfig(); + tlsConfig.trustAll = Boolean.parseBoolean(getProperty("quarkus.tls.trust-all", "false")); + return tlsConfig; + } + private VaultMapConfigParser createCredentialProviderConfigParser() { return new VaultMapConfigParser<>(CREDENTIALS_PATTERN, this::getCredentialsProviderConfig, getConfigSourceStream()); } @@ -312,9 +326,12 @@ private Duration getVaultDuration(String key, String defaultValue) { private String getVaultProperty(String key, String defaultValue) { String propertyName = PROPERTY_PREFIX + key; + return getProperty(propertyName, defaultValue); + } + private String getProperty(String key, String defaultValue) { return getConfigSourceStream() - .map(configSource -> configSource.getValue(propertyName)) + .map(configSource -> configSource.getValue(key)) .filter(value -> value != null && value.length() != 0) .map(String::trim) .findFirst() diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java index ae253f46d85a87..3d30df02f5300e 100644 --- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java +++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/config/VaultTlsConfig.java 
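Review bot: `quarkus.tls.trust-all` is now read in two places in this file: `loadRuntimeConfig` copies it into `serverConfig.tls.skipVerify` and `loadTlsConfig` into `tlsConfig.trustAll`, and OkHttpClientFactory already ORs both flags, so the first assignment adds nothing and, if `loadRuntimeConfig` later sets `skipVerify` from `quarkus.vault.tls.skip-verify` (the rest of that method is outside the hunk), it is overwritten anyway. I would drop `serverConfig.tls.skipVerify = Boolean.parseBoolean(getProperty("quarkus.tls.trust-all", "false"));` and leave the global flag to `loadTlsConfig`. Separately, `Boolean.parseBoolean` only recognises `true`, whereas the converter behind `@ConfigItem` fields may accept other spellings, so the same property could evaluate differently in this config source and in the injected TlsConfig — worth confirming against the converter in use. The body of `getProperty` continues past the end of the hunk.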
@@ -1,6 +1,5 @@ package io.quarkus.vault.runtime.config; -import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY; import static io.quarkus.vault.runtime.config.VaultRuntimeConfig.DEFAULT_TLS_USE_KUBERNETES_CACERT; import java.util.Optional; @@ -17,8 +16,10 @@ public class VaultTlsConfig { * If true this will allow TLS communications with Vault, without checking the validity of the * certificate presented by Vault. This is discouraged in production because it allows man in the middle * type of attacks. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem(defaultValue = DEFAULT_TLS_SKIP_VERIFY) + @ConfigItem(defaultValue = VaultRuntimeConfig.DEFAULT_TLS_SKIP_VERIFY) public boolean skipVerify; /** diff --git a/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultAuthManagerTest.java b/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultAuthManagerTest.java index 6dea66650bcf09..feecc8c46fe629 100644 --- a/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultAuthManagerTest.java +++ b/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultAuthManagerTest.java @@ -11,6 +11,7 @@ import org.junit.jupiter.api.Test; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.runtime.client.OkHttpVaultClient; import io.quarkus.vault.runtime.client.VaultClientException; import io.quarkus.vault.runtime.client.dto.auth.VaultLookupSelf; @@ -117,7 +118,7 @@ private VaultRuntimeConfig createConfig() { } private OkHttpVaultClient createVaultClient() { - return new OkHttpVaultClient(config) { + return new OkHttpVaultClient(config, new TlsConfig()) { @Override public VaultUserPassAuth loginUserPass(String user, String password) { return vaultUserPassAuth; 
diff --git a/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultDbManagerTest.java b/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultDbManagerTest.java index 2487eac9d33c87..a1903246339593 100644 --- a/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultDbManagerTest.java +++ b/extensions/vault/runtime/src/test/java/io/quarkus/vault/runtime/VaultDbManagerTest.java @@ -14,6 +14,7 @@ import org.junit.jupiter.api.Test; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.runtime.client.OkHttpVaultClient; import io.quarkus.vault.runtime.client.VaultClientException; import io.quarkus.vault.runtime.client.dto.database.VaultDatabaseCredentials; @@ -123,7 +124,7 @@ private VaultRuntimeConfig createConfig() { } private OkHttpVaultClient createVaultClient() { - return new OkHttpVaultClient(config) { + return new OkHttpVaultClient(config, new TlsConfig()) { @Override public VaultDatabaseCredentials generateDatabaseCredentials(String token, String databaseCredentialsRole) { return credentials; diff --git a/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java b/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java index fa759505f1e4b4..b0b5c7f1f3797e 100644 --- a/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java +++ b/extensions/vertx-core/runtime/src/main/java/io/quarkus/vertx/core/runtime/config/EventBusConfiguration.java @@ -138,8 +138,10 @@ public class EventBusConfiguration { /** * Enables or disables the trust all parameter. + * + * @deprecated use quarkus.tls.trust-all instead */ - @ConfigItem + @ConfigItem(defaultValue = "${quarkus.tls.trust-all}") public boolean trustAll; } 
diff --git a/integration-tests/oidc/src/main/resources/application.properties b/integration-tests/oidc/src/main/resources/application.properties index 2a425123ef58e6..434679a2104664 100644 --- a/integration-tests/oidc/src/main/resources/application.properties +++ b/integration-tests/oidc/src/main/resources/application.properties @@ -3,7 +3,6 @@ quarkus.oidc.auth-server-url=${keycloak.ssl.url}/realms/quarkus/ quarkus.oidc.client-id=quarkus-app quarkus.oidc.credentials.secret=secret quarkus.oidc.token.principal-claim=email -quarkus.oidc.tls.verification=none quarkus.http.cors=true quarkus.http.auth.basic=true @@ -11,3 +10,5 @@ quarkus.security.users.embedded.enabled=true quarkus.security.users.embedded.plain-text=true quarkus.security.users.embedded.users.alice=password quarkus.security.users.embedded.roles.alice=user + +quarkus.tls.trust-all=true diff --git a/integration-tests/vault/src/test/resources/application-vault-multi-path.properties b/integration-tests/vault/src/test/resources/application-vault-multi-path.properties index 8a2452d1fc34f2..21cfc6b7dcaf87 100644 --- a/integration-tests/vault/src/test/resources/application-vault-multi-path.properties +++ b/integration-tests/vault/src/test/resources/application-vault-multi-path.properties @@ -4,7 +4,8 @@ quarkus.vault.authentication.userpass.password=sinclair quarkus.vault.secret-config-kv-path=multi/default1,multi/default2 quarkus.vault.secret-config-kv-path.singer=multi/singer1,multi/singer2 -quarkus.vault.tls.skip-verify=true +#quarkus.vault.tls.skip-verify=true +quarkus.tls.trust-all=true # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default quarkus.vault.read-timeout=5S diff --git a/integration-tests/vault/src/test/resources/application-vault-totp.properties b/integration-tests/vault/src/test/resources/application-vault-totp.properties index cb5c9c4037cccc..2530a624b9e14e 100644 
--- a/integration-tests/vault/src/test/resources/application-vault-totp.properties +++ b/integration-tests/vault/src/test/resources/application-vault-totp.properties @@ -2,7 +2,8 @@ quarkus.vault.url=https://localhost:8200 quarkus.vault.authentication.userpass.username=bob quarkus.vault.authentication.userpass.password=sinclair -quarkus.vault.tls.skip-verify=true +#quarkus.vault.tls.skip-verify=true +quarkus.tls.trust-all=true # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default quarkus.vault.read-timeout=5S diff --git a/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties b/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties index 99d5b2d0881c46..59ea870ceaf790 100644 --- a/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties +++ b/integration-tests/vault/src/test/resources/application-vault-userpass-kvv2-wrap.properties @@ -9,7 +9,6 @@ quarkus.vault.tls.ca-cert=src/test/resources/vault-tls.crt quarkus.vault.log-confidentiality-level=low quarkus.vault.renew-grace-period=10 - quarkus.log.category."io.quarkus.vault".level=DEBUG # CI can sometimes be slow, there is no need to fail a test if Vault doesn't respond in 1 second which is the default diff --git a/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java b/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java index e184e8705970a3..abd2c36d3523d1 100644 --- a/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java +++ b/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java 
@@ -47,6 +47,7 @@ import org.testcontainers.containers.PostgreSQLContainer; import org.testcontainers.containers.output.OutputFrame; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.VaultException; import io.quarkus.vault.VaultKVSecretEngine; import io.quarkus.vault.runtime.VaultManager; @@ -179,7 +180,9 @@ private static VaultManager createVaultManager() { VaultBuildTimeConfig buildTimeConfig = new VaultBuildTimeConfig(); buildTimeConfig.health = new HealthConfig(); - return new VaultManager(buildTimeConfig, serverConfig, new TestVaultClient(serverConfig)); + TlsConfig tlsConfig = new TlsConfig(); + + return new VaultManager(buildTimeConfig, serverConfig, new TestVaultClient(serverConfig, tlsConfig), tlsConfig); } private static Optional getVaultUrl() { diff --git a/test-framework/vault/src/main/java/io/quarkus/vault/test/client/TestVaultClient.java b/test-framework/vault/src/main/java/io/quarkus/vault/test/client/TestVaultClient.java index 89ba776c051305..bfd3fd71adf488 100644 --- a/test-framework/vault/src/main/java/io/quarkus/vault/test/client/TestVaultClient.java +++ b/test-framework/vault/src/main/java/io/quarkus/vault/test/client/TestVaultClient.java @@ -1,5 +1,6 @@ package io.quarkus.vault.test.client; +import io.quarkus.runtime.TlsConfig; import io.quarkus.vault.runtime.VaultManager; import io.quarkus.vault.runtime.client.OkHttpVaultClient; import io.quarkus.vault.runtime.client.dto.transit.VaultTransitRandomBody; 
@@ -13,11 +14,11 @@ public class TestVaultClient extends OkHttpVaultClient { public TestVaultClient() { - this(VaultManager.getInstance().getServerConfig()); + this(VaultManager.getInstance().getServerConfig(), VaultManager.getInstance().getTlsConfig()); } - public TestVaultClient(VaultRuntimeConfig serverConfig) { - super(serverConfig); + public TestVaultClient(VaultRuntimeConfig serverConfig, TlsConfig tlsConfig) { + super(serverConfig, tlsConfig); } public VaultAppRoleSecretId generateAppRoleSecretId(String token, String roleName) {