feat(webhook): Single-identity mTLS webhook configuration

Allows configuring a single X509 identity to use as the client identity for all outgoing webhooks.
Also enhances existing trust functionality to accept PEM CA certificates.

When using keystores, an encrypted private key entry is required - passwordless unencrypted private keys in keystores are not supported.  Use PEM instead.
Similarly, keystores without passwords are also not supported.

When using PEM, assumes no key encryption.

orca-webhook/orca-webhook.gradle

@@ -24,11 +24,20 @@ dependencies {
   implementation("io.spinnaker.kork:kork-web")
   implementation("org.springframework.boot:spring-boot-autoconfigure")
   compileOnly("org.projectlombok:lombok")
+  testCompileOnly("org.projectlombok:lombok")
   annotationProcessor("org.projectlombok:lombok")
+  testAnnotationProcessor("org.projectlombok:lombok")
   implementation("com.jayway.jsonpath:json-path")
   implementation("com.squareup.okhttp3:okhttp")
   implementation("com.jakewharton.retrofit:retrofit1-okhttp3-client:1.1.0")
+
+  testImplementation("com.squareup.okhttp3:mockwebserver")
+  testImplementation("io.spinnaker.kork:kork-test")
+  testImplementation("org.bouncycastle:bcpkix-jdk18on")
+  testImplementation("org.junit.jupiter:junit-jupiter-api")
+  testImplementation("org.mockito:mockito-core")
   testImplementation("org.springframework:spring-test")
+  testImplementation("org.springframework.boot:spring-boot-test")
   testImplementation("org.apache.groovy:groovy-json")
   testRuntimeOnly("net.bytebuddy:byte-buddy")
 

orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/config/WebhookConfiguration.java

@@ -17,6 +17,9 @@
 
 package com.netflix.spinnaker.orca.webhook.config;
 
+import com.netflix.spinnaker.kork.crypto.TrustStores;
+import com.netflix.spinnaker.kork.crypto.X509Identity;
+import com.netflix.spinnaker.kork.crypto.X509IdentitySource;
 import com.netflix.spinnaker.okhttp.OkHttpClientConfigurationProperties;
 import com.netflix.spinnaker.orca.config.UserConfiguredUrlRestrictions;
 import com.netflix.spinnaker.orca.webhook.util.UnionX509TrustManager;
@@ -25,13 +28,14 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.nio.charset.Charset;
+import java.nio.file.Path;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import javax.net.ssl.*;
@@ -51,7 +55,6 @@
 import org.springframework.http.client.ClientHttpRequestFactory;
 import org.springframework.http.client.OkHttp3ClientHttpRequestFactory;
 import org.springframework.http.converter.AbstractHttpMessageConverter;
-import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.http.converter.StringHttpMessageConverter;
@@ -73,9 +76,9 @@ public WebhookConfiguration(WebhookProperties webhookProperties) {
   @Bean
   @ConditionalOnMissingBean(RestTemplate.class)
   public RestTemplate restTemplate(ClientHttpRequestFactory webhookRequestFactory) {
-    RestTemplate restTemplate = new RestTemplate(webhookRequestFactory);
+    var restTemplate = new RestTemplate(webhookRequestFactory);
 
-    List<HttpMessageConverter<?>> converters = restTemplate.getMessageConverters();
+    var converters = restTemplate.getMessageConverters();
     converters.add(new ObjectStringHttpMessageConverter());
     converters.add(new MapToStringHttpMessageConverter());
     restTemplate.setMessageConverters(converters);
@@ -86,10 +89,11 @@ public RestTemplate restTemplate(ClientHttpRequestFactory webhookRequestFactory)
   @Bean
   public ClientHttpRequestFactory webhookRequestFactory(
       OkHttpClientConfigurationProperties okHttpClientConfigurationProperties,
-      UserConfiguredUrlRestrictions userConfiguredUrlRestrictions) {
-    X509TrustManager trustManager = webhookX509TrustManager();
-    SSLSocketFactory sslSocketFactory = getSSLSocketFactory(trustManager);
-    OkHttpClient client =
+      UserConfiguredUrlRestrictions userConfiguredUrlRestrictions)
+      throws IOException {
+    var trustManager = webhookX509TrustManager();
+    var sslSocketFactory = getSSLSocketFactory(trustManager);
+    var builder =
         new OkHttpClient.Builder()
             .sslSocketFactory(sslSocketFactory, trustManager)
             .addNetworkInterceptor(
@@ -105,9 +109,14 @@ public ClientHttpRequestFactory webhookRequestFactory(
                   }
 
                   return response;
-                })
-            .build();
-    OkHttp3ClientHttpRequestFactory requestFactory = new OkHttp3ClientHttpRequestFactory(client);
+                });
+
+    if (webhookProperties.isInsecureSkipHostnameVerification()) {
+      builder.hostnameVerifier((hostname, session) -> true);
+    }
+
+    var client = builder.build();
+    var requestFactory = new OkHttp3ClientHttpRequestFactory(client);
     requestFactory.setReadTimeout(
         Math.toIntExact(okHttpClientConfigurationProperties.getReadTimeoutMs()));
     requestFactory.setConnectTimeout(
@@ -116,58 +125,123 @@ public ClientHttpRequestFactory webhookRequestFactory(
   }
 
   private X509TrustManager webhookX509TrustManager() {
-    List<X509TrustManager> trustManagers = new ArrayList<>();
+    var trustManagers = new ArrayList<X509TrustManager>();
 
     trustManagers.add(getTrustManager(null));
-    getCustomKeyStore().ifPresent(keyStore -> trustManagers.add(getTrustManager(keyStore)));
+    getCustomTrustStore().ifPresent(keyStore -> trustManagers.add(getTrustManager(keyStore)));
+
+    if (webhookProperties.isInsecureTrustSelfSigned()) {
+      trustManagers.add(
+          new X509TrustManager() {
+            @Override
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+
+            @Override
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+
+            @Override
+            public X509Certificate[] getAcceptedIssuers() {
+              return new X509Certificate[0];
+            }
+          });
+    }
 
     return new UnionX509TrustManager(trustManagers);
   }
 
-  private SSLSocketFactory getSSLSocketFactory(X509TrustManager trustManager) {
+  private SSLSocketFactory getSSLSocketFactory(X509TrustManager trustManager) throws IOException {
     try {
-      SSLContext sslContext = SSLContext.getInstance("TLS");
-      sslContext.init(null, new X509TrustManager[] {trustManager}, null);
-      return sslContext.getSocketFactory();
+      var identityOpt = getCustomIdentity();
+      if (identityOpt.isPresent()) {
+        var identity = identityOpt.get();
+        return identity.createSSLContext(trustManager).getSocketFactory();
+      } else {
+        var sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, new X509TrustManager[] {trustManager}, null);
+        return sslContext.getSocketFactory();
+      }
     } catch (KeyManagementException | NoSuchAlgorithmException e) {
       throw new RuntimeException(e);
     }
   }
 
   private X509TrustManager getTrustManager(KeyStore keyStore) {
     try {
-      TrustManagerFactory trustManagerFactory =
+      var trustManagerFactory =
           TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
       trustManagerFactory.init(keyStore);
-      TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+      var trustManagers = trustManagerFactory.getTrustManagers();
       return (X509TrustManager) trustManagers[0];
     } catch (KeyStoreException | NoSuchAlgorithmException e) {
       throw new RuntimeException(e);
     }
   }
 
-  private Optional<KeyStore> getCustomKeyStore() {
-    WebhookProperties.TrustSettings trustSettings = webhookProperties.getTrust();
-    if (trustSettings == null
-        || !trustSettings.isEnabled()
-        || StringUtils.isEmpty(trustSettings.getTrustStore())) {
+  private Optional<X509Identity> getCustomIdentity() throws IOException {
+    var identitySettings = webhookProperties.getIdentity();
+    if (identitySettings == null || !identitySettings.isEnabled()) {
       return Optional.empty();
     }
 
-    KeyStore keyStore;
-    try {
-      keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-    } catch (KeyStoreException e) {
-      throw new RuntimeException(e);
+    if (StringUtils.isNotEmpty(identitySettings.getIdentityStore())) {
+      var identity =
+          X509IdentitySource.fromKeyStore(
+              Path.of(identitySettings.getIdentityStore()),
+              identitySettings.getIdentityStoreType(),
+              () -> {
+                var password = identitySettings.getIdentityStorePassword();
+                return password == null ? new char[0] : password.toCharArray();
+              },
+              () -> {
+                var password = identitySettings.getIdentityStoreKeyPassword();
+                return password == null ? new char[0] : password.toCharArray();
+              });
+      return Optional.of(identity.load());
+    } else if (StringUtils.isNotEmpty(identitySettings.getIdentityKeyPem())) {
+      return Optional.of(
+          X509IdentitySource.fromPEM(
+                  Path.of(identitySettings.getIdentityKeyPem()),
+                  Path.of(identitySettings.getIdentityCertPem()))
+              .load());
     }
 
-    try (FileInputStream file = new FileInputStream(trustSettings.getTrustStore())) {
-      keyStore.load(file, trustSettings.getTrustStorePassword().toCharArray());
-    } catch (CertificateException | IOException | NoSuchAlgorithmException e) {
-      throw new RuntimeException(e);
+    return Optional.empty();
+  }
+
+  private Optional<KeyStore> getCustomTrustStore() {
+    var trustSettings = webhookProperties.getTrust();
+    if (trustSettings == null || !trustSettings.isEnabled()) {
+      return Optional.empty();
+    }
+
+    // Use keystore first if set, then try PEM
+    if (StringUtils.isNotEmpty(trustSettings.getTrustStore())) {
+      KeyStore keyStore;
+      try {
+        keyStore = KeyStore.getInstance(trustSettings.getTrustStoreType());
+      } catch (KeyStoreException e) {
+        throw new RuntimeException(e);
+      }
+
+      try (FileInputStream file = new FileInputStream(trustSettings.getTrustStore())) {
+        keyStore.load(file, trustSettings.getTrustStorePassword().toCharArray());
+      } catch (CertificateException | IOException | NoSuchAlgorithmException e) {
+        throw new RuntimeException(e);
+      }
+
+      return Optional.of(keyStore);
+    } else if (StringUtils.isNotEmpty(trustSettings.getTrustPem())) {
+      try {
+        return Optional.of(TrustStores.loadPEM(Path.of(trustSettings.getTrustPem())));
+      } catch (CertificateException
+          | IOException
+          | NoSuchAlgorithmException
+          | KeyStoreException e) {
+        throw new RuntimeException(e);
+      }
     }
 
-    return Optional.of(keyStore);
+    return Optional.empty();
   }
 
   public class ObjectStringHttpMessageConverter extends StringHttpMessageConverter {

orca-webhook/src/main/java/com/netflix/spinnaker/orca/webhook/config/WebhookProperties.java

@@ -53,18 +53,39 @@ public class WebhookProperties {
           .collect(Collectors.toList());
 
   private List<PreconfiguredWebhook> preconfigured = new ArrayList<>();
-  private TrustSettings trust;
+  private TrustSettings trust = new TrustSettings();
+  private IdentitySettings identity = new IdentitySettings();
 
   private boolean verifyRedirects = true;
 
   private List<Integer> defaultRetryStatusCodes = List.of(429);
 
+  // For testing *only*
+  private boolean insecureSkipHostnameVerification = false;
+  private boolean insecureTrustSelfSigned = false;
+
   @Data
   @NoArgsConstructor
   public static class TrustSettings {
     private boolean enabled;
     private String trustStore;
     private String trustStorePassword;
+    // Default as JKS instead of PKCS12 for backward compatibility
+    private String trustStoreType = "JKS";
+    private String trustPem;
+  }
+
+  @Data
+  @NoArgsConstructor
+  public static class IdentitySettings {
+    private boolean enabled;
+    private String identityStore;
+    private String identityStorePassword;
+    private String identityStoreKeyPassword;
+    private String identityStoreType = "PKCS12";
+
+    private String identityKeyPem;
+    private String identityCertPem;
   }
 
   @Data

orca-webhook/src/test/java/com/netflix/spinnaker/orca/webhook/config/MtlsConfigurationKeystoreTest.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2024 Apple, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ *
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.netflix.spinnaker.orca.webhook.config;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import com.netflix.spinnaker.config.OkHttp3ClientConfiguration;
+import com.netflix.spinnaker.config.OkHttpClientComponents;
+import com.netflix.spinnaker.orca.pipeline.model.StageExecutionImpl;
+import com.netflix.spinnaker.orca.webhook.service.WebhookService;
+import java.util.HashMap;
+import java.util.Map;
+import lombok.SneakyThrows;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Primary;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+
+@SpringBootTest(
+    classes = {
+      MtlsConfigurationKeystoreTest.KeyStoreTestConfiguration.class,
+      MtlsConfigurationTestBase.TestConfigurationBase.class,
+      OkHttp3ClientConfiguration.class,
+      OkHttpClientComponents.class,
+      WebhookConfiguration.class,
+      WebhookService.class
+    })
+public class MtlsConfigurationKeystoreTest extends MtlsConfigurationTestBase {
+  static class KeyStoreTestConfiguration {
+    @Bean
+    @Primary
+    WebhookProperties webhookProperties() {
+      // Set up identity and trust properties
+      var props = new WebhookProperties();
+
+      var identity = new WebhookProperties.IdentitySettings();
+      identity.setEnabled(true);
+      identity.setIdentityStore(clientIdentityStoreFile.getAbsolutePath());
+      identity.setIdentityStorePassword(password);
+      identity.setIdentityStoreKeyPassword(password);
+      props.setIdentity(identity);
+
+      var trust = new WebhookProperties.TrustSettings();
+      trust.setEnabled(true);
+      trust.setTrustStore(caStoreFile.getAbsolutePath());
+      trust.setTrustStorePassword(password);
+      props.setTrust(trust);
+
+      // Tell okhttp to skip hostname verification, since all this is made up
+      props.setInsecureSkipHostnameVerification(true);
+
+      return props;
+    }
+  }
+
+  @Autowired WebhookService service;
+
+  @Test
+  @SneakyThrows
+  public void mTLSConnectivityTest() {
+    var context =
+        new HashMap<String, Object>() {
+          {
+            put("url", mockWebServer.url("/").toString());
+            put("method", HttpMethod.POST);
+            put("payload", "{ \"foo\": \"bar\" }");
+          }
+        };
+
+    var stageExecution = new StageExecutionImpl(null, null, null, context);
+    var response = service.callWebhook(stageExecution);
+
+    assertEquals(HttpStatus.OK, response.getStatusCode());
+    var body = mapper.readValue(response.getBody().toString(), Map.class);
+    assertEquals("yep", body.get("mtls"));
+  }
+}