Add automatic internal communications HTTPS configuration

core/trino-main/src/main/java/io/trino/server/InternalCommunicationModule.java

@@ -16,6 +16,7 @@
 import com.google.inject.Binder;
 import io.airlift.configuration.AbstractConfigurationAwareModule;
 import io.airlift.http.client.HttpClientConfig;
+import io.airlift.http.server.HttpServerConfig;
 
 import static io.airlift.configuration.ConfigBinder.configBinder;
 import static io.airlift.http.client.HttpClientBinder.httpClientBinder;
@@ -26,20 +27,32 @@ public class InternalCommunicationModule
     @Override
     protected void setup(Binder binder)
     {
+        // Set defaults for all HttpClients in the same guice context
+        // so in case of any additions or alternations here an update in:
+        //   io.trino.server.security.jwt.JwtAuthenticatorSupportModule.JwkModule.configure
+        // and
+        //   io.trino.server.security.oauth2.OAuth2ServiceModule.setup
+        // may also be required.
         InternalCommunicationConfig internalCommunicationConfig = buildConfigObject(InternalCommunicationConfig.class);
-        configBinder(binder).bindConfigGlobalDefaults(HttpClientConfig.class, config -> {
-            // Set defaults for all HttpClients in the same guice context
-            // so in case of any additions or alternations here an update in:
-            //   io.trino.server.security.jwt.JwtAuthenticatorSupportModule.JwkModule.configure
-            // and
-            //   io.trino.server.security.oauth2.OAuth2ServiceModule.setup
-            // may also be required.
-            config.setHttp2Enabled(internalCommunicationConfig.isHttp2Enabled());
-            config.setKeyStorePath(internalCommunicationConfig.getKeyStorePath());
-            config.setKeyStorePassword(internalCommunicationConfig.getKeyStorePassword());
-            config.setTrustStorePath(internalCommunicationConfig.getTrustStorePath());
-            config.setTrustStorePassword(internalCommunicationConfig.getTrustStorePassword());
-        });
+        if (internalCommunicationConfig.isHttpsRequired() && internalCommunicationConfig.getKeyStorePath() == null && internalCommunicationConfig.getTrustStorePath() == null) {
+            String sharedSecret = internalCommunicationConfig.getSharedSecret()
+                    .orElseThrow(() -> new IllegalArgumentException("Internal shared secret must be set when internal HTTPS is enabled"));
+            configBinder(binder).bindConfigDefaults(HttpServerConfig.class, config -> config.setAutomaticHttpsSharedSecret(sharedSecret));
+            configBinder(binder).bindConfigGlobalDefaults(HttpClientConfig.class, config -> {
+                config.setHttp2Enabled(internalCommunicationConfig.isHttp2Enabled());
+                config.setAutomaticHttpsSharedSecret(sharedSecret);
+            });
+        }
+        else {
+            configBinder(binder).bindConfigGlobalDefaults(HttpClientConfig.class, config -> {
+                config.setHttp2Enabled(internalCommunicationConfig.isHttp2Enabled());
+                config.setKeyStorePath(internalCommunicationConfig.getKeyStorePath());
+                config.setKeyStorePassword(internalCommunicationConfig.getKeyStorePassword());
+                config.setTrustStorePath(internalCommunicationConfig.getTrustStorePath());
+                config.setTrustStorePassword(internalCommunicationConfig.getTrustStorePassword());
+                config.setAutomaticHttpsSharedSecret(null);
+            });
+        }
 
         binder.bind(InternalAuthenticationManager.class);
         httpClientBinder(binder).bindGlobalFilter(InternalAuthenticationManager.class);

core/trino-main/src/main/java/io/trino/server/security/jwt/JwtAuthenticatorSupportModule.java

@@ -61,7 +61,8 @@ public void configure(Binder binder)
                             .setKeyStorePath(null)
                             .setKeyStorePassword(null)
                             .setTrustStorePath(null)
-                            .setTrustStorePassword(null));
+                            .setTrustStorePassword(null)
+                            .setAutomaticHttpsSharedSecret(null));
         }
 
         // this module can be added multiple times, and this prevents multiple processing by Guice

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2ServiceModule.java

@@ -59,7 +59,8 @@ protected void setup(Binder binder)
                         .setKeyStorePath(null)
                         .setKeyStorePassword(null)
                         .setTrustStorePath(null)
-                        .setTrustStorePassword(null));
+                        .setTrustStorePassword(null)
+                        .setAutomaticHttpsSharedSecret(null));
     }
 
     @Provides

pom.xml

@@ -49,7 +49,7 @@
         <dep.accumulo.version>1.7.4</dep.accumulo.version>
         <dep.accumulo-hadoop.version>2.7.7-1</dep.accumulo-hadoop.version>
         <dep.antlr.version>4.9</dep.antlr.version>
-        <dep.airlift.version>206</dep.airlift.version>
+        <dep.airlift.version>207</dep.airlift.version>
         <dep.packaging.version>${dep.airlift.version}</dep.packaging.version>
         <dep.aws-sdk.version>1.11.946</dep.aws-sdk.version>
         <dep.okhttp.version>3.14.9</dep.okhttp.version>