Allowing file watcher empty identity certs

Zgoda91 · Zgoda91 · commit 1735ee5aa572 · 2025-09-10T14:07:10.000Z
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProvider.java
@@ -73,10 +73,12 @@ final class FileWatcherCertificateProvider extends CertificateProvider implement
     this.scheduledExecutorService =
         checkNotNull(scheduledExecutorService, "scheduledExecutorService");
     this.timeProvider = checkNotNull(timeProvider, "timeProvider");
-    this.certFile = Paths.get(checkNotNull(certFile, "certFile"));
-    this.keyFile = Paths.get(checkNotNull(keyFile, "keyFile"));
-    checkArgument((trustFile != null || spiffeTrustMapFile != null),
-        "either trustFile or spiffeTrustMapFile must be present");
+    checkArgument(((certFile != null) == (keyFile != null)),
+        "certFile and keyFile must be both set or both unset");
+    this.certFile = certFile == null ? null : Paths.get(certFile);
+    this.keyFile = keyFile == null ? null : Paths.get(keyFile);
+    checkArgument((trustFile != null || spiffeTrustMapFile != null || keyFile != null),
+        "must be watching either root or identity certificates");
     if (spiffeTrustMapFile != null) {
       this.spiffeTrustMapFile = Paths.get(spiffeTrustMapFile);
       this.trustFile = null;
@@ -113,23 +115,26 @@ private synchronized void scheduleNextRefreshCertificate(long delayInSeconds) {
   void checkAndReloadCertificates() {
     try {
       try {
-        FileTime currentCertTime = Files.getLastModifiedTime(certFile);
-        FileTime currentKeyTime = Files.getLastModifiedTime(keyFile);
-        if (!currentCertTime.equals(lastModifiedTimeCert)
-            && !currentKeyTime.equals(lastModifiedTimeKey)) {
-          byte[] certFileContents = Files.readAllBytes(certFile);
-          byte[] keyFileContents = Files.readAllBytes(keyFile);
-          FileTime currentCertTime2 = Files.getLastModifiedTime(certFile);
-          FileTime currentKeyTime2 = Files.getLastModifiedTime(keyFile);
-          if (currentCertTime2.equals(currentCertTime) && currentKeyTime2.equals(currentKeyTime)) {
-            try (ByteArrayInputStream certStream = new ByteArrayInputStream(certFileContents);
-                ByteArrayInputStream keyStream = new ByteArrayInputStream(keyFileContents)) {
-              PrivateKey privateKey = CertificateUtils.getPrivateKey(keyStream);
-              X509Certificate[] certs = CertificateUtils.toX509Certificates(certStream);
-              getWatcher().updateCertificate(privateKey, Arrays.asList(certs));
+        if (certFile != null && keyFile != null) {
+          FileTime currentCertTime = Files.getLastModifiedTime(certFile);
+          FileTime currentKeyTime = Files.getLastModifiedTime(keyFile);
+          if (!currentCertTime.equals(lastModifiedTimeCert)
+              && !currentKeyTime.equals(lastModifiedTimeKey)) {
+            byte[] certFileContents = Files.readAllBytes(certFile);
+            byte[] keyFileContents = Files.readAllBytes(keyFile);
+            FileTime currentCertTime2 = Files.getLastModifiedTime(certFile);
+            FileTime currentKeyTime2 = Files.getLastModifiedTime(keyFile);
+            if (currentCertTime2.equals(currentCertTime)
+                && currentKeyTime2.equals(currentKeyTime)) {
+              try (ByteArrayInputStream certStream = new ByteArrayInputStream(certFileContents);
+                  ByteArrayInputStream keyStream = new ByteArrayInputStream(keyFileContents)) {
+                PrivateKey privateKey = CertificateUtils.getPrivateKey(keyStream);
+                X509Certificate[] certs = CertificateUtils.toX509Certificates(certStream);
+                getWatcher().updateCertificate(privateKey, Arrays.asList(certs));
+              }
+              lastModifiedTimeCert = currentCertTime;
+              lastModifiedTimeKey = currentKeyTime;
             }
-            lastModifiedTimeCert = currentCertTime;
-            lastModifiedTimeKey = currentKeyTime;
           }
         }
       } catch (Throwable t) {
diff --git a/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProvider.java b/xds/src/main/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProvider.java
@@ -17,7 +17,6 @@
 package io.grpc.xds.internal.security.certprovider;
 
 import static com.google.common.base.Preconditions.checkArgument;
-import static com.google.common.base.Preconditions.checkNotNull;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
@@ -94,30 +93,27 @@ public CertificateProvider createCertificateProvider(
         timeProvider);
   }
 
-  private static String checkForNullAndGet(Map<String, ?> map, String key) {
-    return checkNotNull(JsonUtil.getString(map, key), "'" + key + "' is required in the config");
-  }
-
   private static Config validateAndTranslateConfig(Object config) {
     checkArgument(config instanceof Map, "Only Map supported for config");
     @SuppressWarnings("unchecked") Map<String, ?> map = (Map<String, ?>)config;
 
     Config configObj = new Config();
-    configObj.certFile = checkForNullAndGet(map, CERT_FILE_KEY);
-    configObj.keyFile = checkForNullAndGet(map, KEY_FILE_KEY);
-    if (enableSpiffe) {
-      if (!map.containsKey(ROOT_FILE_KEY) && !map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
-        throw new NullPointerException(
-            String.format("either '%s' or '%s' is required in the config",
-                ROOT_FILE_KEY, SPIFFE_TRUST_MAP_FILE_KEY));
-      }
-      if (map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
-        configObj.spiffeTrustMapFile = JsonUtil.getString(map, SPIFFE_TRUST_MAP_FILE_KEY);
-      } else {
-        configObj.rootFile = JsonUtil.getString(map, ROOT_FILE_KEY);
-      }
+    configObj.certFile = JsonUtil.getString(map, CERT_FILE_KEY);
+    configObj.keyFile = JsonUtil.getString(map, KEY_FILE_KEY);
+    if ((configObj.certFile != null) != (configObj.keyFile != null)) {
+      throw new NullPointerException(
+          String.format("'%s' and '%s' must be both set or both unset",
+              CERT_FILE_KEY, KEY_FILE_KEY));
+    }
+    if (!map.containsKey(ROOT_FILE_KEY)
+        && !map.containsKey(CERT_FILE_KEY)
+        && (!enableSpiffe || !map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY))) {
+      throw new NullPointerException("must be watching either root or identity certificates");
+    }
+    if (enableSpiffe && map.containsKey(SPIFFE_TRUST_MAP_FILE_KEY)) {
+      configObj.spiffeTrustMapFile = JsonUtil.getString(map, SPIFFE_TRUST_MAP_FILE_KEY);
     } else {
-      configObj.rootFile = checkForNullAndGet(map, ROOT_FILE_KEY);
+      configObj.rootFile = JsonUtil.getString(map, ROOT_FILE_KEY);
     }
     String refreshIntervalString = JsonUtil.getString(map, REFRESH_INTERVAL_KEY);
     if (refreshIntervalString != null) {
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderProviderTest.java
@@ -206,7 +206,9 @@ public void createProvider_missingCert_expectException() throws IOException {
       provider.createCertificateProvider(map, distWatcher, true);
       fail("exception expected");
     } catch (NullPointerException npe) {
-      assertThat(npe).hasMessageThat().isEqualTo("'certificate_file' is required in the config");
+      assertThat(npe)
+          .hasMessageThat()
+          .isEqualTo("'certificate_file' and 'private_key_file' must be both set or both unset");
     }
   }
 
@@ -220,24 +222,69 @@ public void createProvider_missingKey_expectException() throws IOException {
       provider.createCertificateProvider(map, distWatcher, true);
       fail("exception expected");
     } catch (NullPointerException npe) {
-      assertThat(npe).hasMessageThat().isEqualTo("'private_key_file' is required in the config");
+      assertThat(npe)
+          .hasMessageThat()
+          .isEqualTo("'certificate_file' and 'private_key_file' must be both set or both unset");
     }
   }
 
   @Test
-  public void createProvider_missingRoot_expectException() throws IOException {
-    String expectedMessage = enableSpiffe ? "either 'ca_certificate_file' or "
-        + "'spiffe_trust_bundle_map_file' is required in the config"
-        : "'ca_certificate_file' is required in the config";
+  public void createProvider_missingRootAndSpiffeConfig() throws IOException {
     CertificateProvider.DistributorWatcher distWatcher =
         new CertificateProvider.DistributorWatcher();
     @SuppressWarnings("unchecked")
     Map<String, ?> map = (Map<String, ?>) JsonParser.parse(MISSING_ROOT_AND_SPIFFE_CONFIG);
+    ScheduledExecutorService mockService = mock(ScheduledExecutorService.class);
+    when(scheduledExecutorServiceFactory.create()).thenReturn(mockService);
+    provider.createCertificateProvider(map, distWatcher, true);
+    verify(fileWatcherCertificateProviderFactory, times(1))
+        .create(
+            eq(distWatcher),
+            eq(true),
+            eq("/var/run/gke-spiffe/certs/certificates.pem"),
+            eq("/var/run/gke-spiffe/certs/private_key.pem"),
+            eq(null),
+            eq(null),
+            eq(600L),
+            eq(mockService),
+            eq(timeProvider));
+  }
+
+  @Test
+  public void createProvider_missingCertAndKeyConfig() throws IOException {
+    CertificateProvider.DistributorWatcher distWatcher =
+        new CertificateProvider.DistributorWatcher();
+    @SuppressWarnings("unchecked")
+    Map<String, ?> map = (Map<String, ?>) JsonParser.parse(MISSING_CERT_AND_KEY_CONFIG);
+    ScheduledExecutorService mockService = mock(ScheduledExecutorService.class);
+    when(scheduledExecutorServiceFactory.create()).thenReturn(mockService);
+    provider.createCertificateProvider(map, distWatcher, true);
+    verify(fileWatcherCertificateProviderFactory, times(1))
+        .create(
+            eq(distWatcher),
+            eq(true),
+            eq(null),
+            eq(null),
+            eq("/var/run/gke-spiffe/certs/ca_certificates.pem"),
+            eq(null),
+            eq(600L),
+            eq(mockService),
+            eq(timeProvider));
+  }
+
+  @Test
+  public void createProvider_emptyConfig_expectException() throws IOException {
+    CertificateProvider.DistributorWatcher distWatcher =
+        new CertificateProvider.DistributorWatcher();
+    @SuppressWarnings("unchecked")
+    Map<String, ?> map = (Map<String, ?>) JsonParser.parse(EMPTY_CONFIG);
     try {
       provider.createCertificateProvider(map, distWatcher, true);
       fail("exception expected");
     } catch (NullPointerException npe) {
-      assertThat(npe).hasMessageThat().isEqualTo(expectedMessage);
+      assertThat(npe)
+          .hasMessageThat()
+          .isEqualTo("must be watching either root or identity certificates");
     }
   }
 
@@ -292,6 +339,13 @@ public void createProvider_missingRoot_expectException() throws IOException {
           + "        \"private_key_file\": \"/var/run/gke-spiffe/certs/private_key.pem\""
           + "      }";
 
+  private static final String MISSING_CERT_AND_KEY_CONFIG =
+      "{\n"
+          + "        \"ca_certificate_file\": \"/var/run/gke-spiffe/certs/ca_certificates.pem\""
+          + "      }";
+
+  private static final String EMPTY_CONFIG = "{\n}";
+
   private static final String ZERO_REFRESH_INTERVAL =
       "{\n"
           + "        \"certificate_file\": \"/var/run/gke-spiffe/certs/certificates2.pem\","
diff --git a/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderTest.java b/xds/src/test/java/io/grpc/xds/internal/security/certprovider/FileWatcherCertificateProviderTest.java
@@ -25,6 +25,8 @@
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SERVER_1_PEM_FILE;
 import static io.grpc.xds.internal.security.CommonTlsContextTestsUtil.SPIFFE_TRUST_MAP_1_FILE;
 import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doReturn;
@@ -357,6 +359,33 @@ public void getCertificate_missingRootFile() throws IOException, InterruptedExce
     verifyWatcherErrorUpdates(Status.Code.UNKNOWN, NoSuchFileException.class, 1, 0, "root.pem");
   }
 
+  @Test
+  public void illegalConstructorArguments_MissingPrivateKeyWhileCertChainPresent()
+      throws IllegalArgumentException {
+    Exception ex = assertThrows(
+        IllegalArgumentException.class,
+        () -> new FileWatcherCertificateProvider(
+            watcher, true, null, keyFile, rootFile, null, 600L, timeService, timeProvider));
+
+    String expectedMsg = "certFile and keyFile must be both set or both unset";
+    String actualMsg = ex.getMessage();
+
+    assertEquals(expectedMsg, actualMsg);
+  }
+
+  @Test
+  public void illegalConstructorArguments_NoFilesToWatch() throws IllegalArgumentException {
+    Exception ex = assertThrows(
+        IllegalArgumentException.class,
+        () -> new FileWatcherCertificateProvider(
+            watcher, true, null, null, null, null, 600L, timeService, timeProvider));
+
+    String expectedMsg = "must be watching either root or identity certificates";
+    String actualMsg = ex.getMessage();
+
+    assertEquals(expectedMsg, actualMsg);
+  }
+
   private void commonErrorTest(
       String certFile,
       String keyFile,
