Skip to content

feat: Support Customer CAS Private CA for server certificates. #2095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 10, 2025
Merged

feat: Support Customer CAS Private CA for server certificates. #2095

merged 1 commit into from
Jan 10, 2025

Conversation

hessjcg
Copy link
Collaborator

@hessjcg hessjcg commented Dec 17, 2024
edited
Loading

Support instances configured with a Customer managed CAS private CA. This includes the integration test.

@hessjcg hessjcg requested a review from a team as a code owner December 17, 2024 20:00
@hessjcg hessjcg force-pushed the customer-ca-support branch 2 times, most recently from ff8e682 to 17c3bdf Compare January 9, 2025 00:13
@hessjcg hessjcg changed the title feat: Support Private CA for server certificates. feat: Support Customer CAS Private CA for server certificates. Jan 9, 2025
jackwotherspoon
jackwotherspoon requested changes Jan 9, 2025
View reviewed changes
core/src/main/java/com/google/cloud/sql/core/DefaultConnectionInfoRepository.java Outdated
@@ -312,7 +312,7 @@ private InstanceMetadata fetchMetadata(CloudSqlInstanceName instanceName, AuthTy
instanceName,
ipAddrs,
instanceCaCertificates,
"GOOGLE_MANAGED_CAS_CA".equals(instanceMetadata.getServerCaMode()),
isCasManagedCertificate(instanceMetadata),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it simplify things to have this function take in serverCaMode instead of instanceMetadata?

Would make adding a standalone unit test for isCasManagedCertificate easy and reduce having to call .getServerCaMode() twice in the function.

Suggested change
isCasManagedCertificate(instanceMetadata),
isCasManagedCertificate(instanceMetadata.getServerCaMode()),

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've inverted the logic here. Going forward, both GOOGLE_MANAGED_CAS_CA, CUSTOMER_MANAGED_CAS_CA, and future new kinds of CA we will do standard TLS domain name validation using the server certificate SAN records. The certificate validation logic for the original GOOGLE_MANAGED_INTERNAL_CA is now the exception. The code should reflect it:

We don't have a unit test for this method, but this change is covered by this test: com.google.cloud.sql.core.ConnectorTest#create_successfulPublicCasConnection

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think it would be simpler for the function to take in serverCaMode instead of instanceMetadata...

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@hessjcg hessjcg requested a review from a team January 9, 2025 15:54
@hessjcg hessjcg force-pushed the customer-ca-support branch from 17c3bdf to d19126a Compare January 9, 2025 17:05
@hessjcg hessjcg force-pushed the customer-ca-support branch from d19126a to 4f78dae Compare January 9, 2025 17:18
@hessjcg hessjcg mentioned this pull request Jan 9, 2025
Merged
@hessjcg hessjcg force-pushed the customer-ca-support branch 2 times, most recently from 9b87197 to 5b1fa42 Compare January 10, 2025 17:09
hessjcg added a commit to GoogleCloudPlatform/cloud-sql-go-connector that referenced this pull request Jan 10, 2025
@hessjcg
chore: Simplify server cert validation logic to distinguish legacy fr…
e88d82a 
…om CA validation (#910)

Going forward, both GOOGLE_MANAGED_CAS_CA, CUSTOMER_MANAGED_CAS_CA, and future new kinds
of CA will use standard TLS domain name validation using the server certificate SAN records. The certificate
validation logic for the original GOOGLE_MANAGED_INTERNAL_CA is now the exception.

See implementation in other connectors:

feat: Support Private CA for server certificates. GoogleCloudPlatform/cloud-sql-nodejs-connector#408
feat: Support Customer CAS Private CA for server certificates. GoogleCloudPlatform/cloud-sql-jdbc-socket-factory#2095
@release-please release-please bot mentioned this pull request Jan 8, 2025
Merged
jackwotherspoon
jackwotherspoon reviewed Jan 10, 2025
View reviewed changes
core/src/main/java/com/google/cloud/sql/core/DefaultConnectionInfoRepository.java Outdated
Comment on lines 343 to 349
private static boolean isCasManagedCertificate(String serverCaMode) {
return serverCaMode != null && !"GOOGLE_MANAGED_INTERNAL_CA".equals(serverCaMode);
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a case where serverCaMode could be the empty string?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Updated again for clarity.

@hessjcg
feat: Support Private CA for server certificates.
f0a1886 
This includes the integration test.
@hessjcg hessjcg force-pushed the customer-ca-support branch from 5b1fa42 to f0a1886 Compare January 10, 2025 18:06
@hessjcg hessjcg mentioned this pull request Jan 10, 2025
Closed
jackwotherspoon
jackwotherspoon approved these changes Jan 10, 2025
View reviewed changes
Copy link
Collaborator

@jackwotherspoon jackwotherspoon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✅

@hessjcg hessjcg merged commit d14b4e4 into main Jan 10, 2025
17 checks passed
@hessjcg hessjcg deleted the customer-ca-support branch January 10, 2025 21:22
@release-please release-please bot mentioned this pull request Jan 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jackwotherspoon jackwotherspoon jackwotherspoon approved these changes

Assignees

@jackwotherspoon jackwotherspoon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hessjcg @jackwotherspoon