Add equals/hashcode for Destination #341
Conversation
| } | ||
| } | ||
| catch( final Exception e ) { | ||
| log.debug("Error while resolving certificates from KeyStore", e); |
There was a problem hiding this comment.
It will only throw when a keyStore is not initialized. The first thing in resolveCertificatesOnly should be filtering for un-initialized keystores. Or maybe in the destination itself.
There was a problem hiding this comment.
- There is no method on
KeyStoreto check for "is-loaded" unfortunately. - The existing API and behavior assumes the
KeyStoreinkeyStoreandtrustStorefields are already loaded. There is no "lazy loading" or sth like that in already initializedDestination/HttpClientobjects. - I want to avoid additional logic within
DefaultHttpDestinationclass or its super classes as far as reasonably possible, this is why I put all potential logic into this helper comparator util class.
...rc/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DestinationKeyStoreComparator.java
Show resolved
Hide resolved
| if( !ks.isCertificateEntry(alias) ) { | ||
| return new Certificate[0]; | ||
| } | ||
| out.add(ks.getCertificate(alias)); |
There was a problem hiding this comment.
What happens if a certificate is followed by "not a certificate"? Should "not a certificate" rather be ignored instead?
There was a problem hiding this comment.
I didn't want to mix behavior:
As soon as a non-certificate based entry occurs, the logic falls back to current main behavior, i.e. ignore everything.
…code' into destination-keystore-equals-hashcode
newtork
added
please merge
There was a problem hiding this comment.
I hope those destinations are supposed to be equal:
final KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null);
keyStore.setCertificateEntry("a", cert);
Destination dest = DefaultHttpDestination.builder("https://example.com").keyStore(keyStore).build();
final KeyStore keyStore2 = KeyStore.getInstance("JKS");
keyStore2.load(null);
keyStore2.setCertificateEntry("b", cert);
Destination dest2 = DefaultHttpDestination.builder("https://example.com").keyStore(keyStore2).build();
assertThat(dest).isEqualTo(dest2);Otherwise LGTM
I think this is fine, currently the aliases don't matter AFAIK. I think it wouldn't hurt to also compare the aliases, they should always be equal as well in our usage, but not super required I guess.. |
|
Good find, @CharlesDuboisSAP. I haven't noticed that I removed the alias comparison :/ @MatKuhr is right, the aliases are not important at runtime. However not comparing them might be add to the confusion 🤔 On the other hand adding new logic now to compare Therefore I'll leave it as is. |
Backlog item: https://github.com/SAP/cloud-sdk-java-backlog/issues/403
Context
keyStoreandtrustStoreproperties; both of Java typeKeyStore. Useful in mTLS scenarios or when having a custom root certificate for TLS/SSL.KeyStoreAPI does not offer a custom implementation forequalsandhashCode. This is why we exclude it from evaluation in theDefaultHttpDestinationclass.hashCodeto isolate destination-related cache entries, e.g. for resolving storedHttpClientinstances.Currently on
main.Destinations are evaluated as equal with same hash-code:
KeyStoreorTrustStoreKeyStoremixedTrustStoreWith this PR
Destinations are evaluated as equal with same hash-code:
AssignedKeyStoreorTrustStoreDestination1(name=foo, staticHeaders={sap-client:100}, keyStore={fizz})Destination2(name=foo, staticHeaders={sap-client:100})AssignedKeyStoremixedTrustStoreDestination1(name=foo, staticHeaders={sap-client:100}, keyStore={fizz})Destination2(name=foo, staticHeaders={sap-client:100}, trustStore={buzz})Limitation
This behavior change only applies to
KeyStoreinstances that have certificate based entries only.E.g. if a
KeyStorewith only a secret-key would be added - it will be ignored from equals/hashCode, i.e. the previous behavior ofmainapplies again.