feat: [Connectivity] Improve Certificate Rotation with ZTIS for OAuth2TokenService (#1142)

Author: MatKuhr

cloudplatform/connectivity-oauth/pom.xml

@@ -135,10 +135,6 @@
 			<groupId>org.apache.httpcomponents.core5</groupId>
 			<artifactId>httpcore5</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.apache.commons</groupId>
-			<artifactId>commons-lang3</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliers.java

@@ -267,6 +267,8 @@ private void attachClientKeyStore( @Nonnull final OAuth2Options.Builder optionsB
         {
             final KeyStore maybeClientStore = getClientKeyStore();
             if( maybeClientStore != null ) {
+                // note: in case the KS is loaded from ZTIS, the KS used for token retrieval and the KS registered here for mTLS to the target system may diverge
+                // Token retrieval supports certificate rotation in place, but mTLS to the target system requires re-loading the destination instead.
                 optionsBuilder.withClientKeyStore(maybeClientStore);
             }
         }
@@ -275,8 +277,8 @@ private void attachClientKeyStore( @Nonnull final OAuth2Options.Builder optionsB
         private KeyStore getClientKeyStore()
         {
             final ClientIdentity clientIdentity = getClientIdentity();
-            if( clientIdentity instanceof ZtisClientIdentity ) {
-                return ((ZtisClientIdentity) clientIdentity).getKeyStore();
+            if( clientIdentity instanceof ZtisClientIdentity ztisClientIdentity ) {
+                return ztisClientIdentity.getKeyStore();
             }
             if( !(clientIdentity instanceof ClientCertificate) ) {
                 return null;

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultOAuth2PropertySupplier.java

@@ -2,7 +2,6 @@
 
 import java.net.URI;
 import java.net.URISyntaxException;
-import java.security.KeyStore;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -173,14 +172,7 @@ private ZtisClientIdentity getZtisIdentity( @Nonnull final String clientid )
         }
         final ZeroTrustIdentityService ztis = ZeroTrustIdentityService.getInstance();
 
-        final KeyStore keyStore;
-        try {
-            keyStore = ztis.getOrCreateKeyStore();
-        }
-        catch( final Exception e ) {
-            throw new CloudPlatformException("Failed to load X509 certificate for credential type X509_ATTESTED.", e);
-        }
-        return new ZtisClientIdentity(clientid, keyStore);
+        return new ZtisClientIdentity(clientid, ztis::getOrCreateKeyStore);
     }
 
     @Nonnull

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java

@@ -97,6 +97,11 @@ class OAuth2Service
     OAuth2TokenService getTokenService( @Nullable final String tenantId )
     {
         final CacheKey key = CacheKey.fromIds(tenantId, null).append(identity);
+        // ZTIS certificates rotate at runtime, thus we explicitly add the current KeyStore as cache key
+        // once the certificate rotates, this produces a cache miss, ensuring we construct a new HTTP client with a new certificate
+        if( identity instanceof final ZtisClientIdentity ztisIdentity ) {
+            key.append(ztisIdentity.getKeyStore());
+        }
         return tokenServiceCache.get(key, this::createTokenService);
     }
 

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/SecurityLibWorkarounds.java

@@ -1,19 +1,16 @@
 package com.sap.cloud.sdk.cloudplatform.connectivity;
 
-import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveCertificatesOnly;
-import static com.sap.cloud.sdk.cloudplatform.connectivity.DestinationKeyStoreComparator.resolveKeyStoreHashCode;
-
 import java.security.KeyStore;
+import java.util.function.Supplier;
 
 import javax.annotation.Nonnull;
 
-import org.apache.commons.lang3.builder.EqualsBuilder;
-import org.apache.commons.lang3.builder.HashCodeBuilder;
-
+import com.sap.cloud.sdk.cloudplatform.exception.CloudPlatformException;
 import com.sap.cloud.security.config.ClientIdentity;
 
-import lombok.AllArgsConstructor;
-import lombok.Getter;
+import lombok.EqualsAndHashCode;
+import lombok.ToString;
+import lombok.Value;
 
 final class SecurityLibWorkarounds
 {
@@ -22,44 +19,36 @@ private SecurityLibWorkarounds()
         throw new IllegalStateException("This utility class should never be instantiated.");
     }
 
-    @Getter
-    @AllArgsConstructor
+    @Value
     static class ZtisClientIdentity implements ClientIdentity
     {
         @Nonnull
-        private final String id;
+        String id;
+
+        // Exclude certificates from equals & hash code since they rotate dynamically at runtime
+        // Instead, the OAuth2Service cache explicitly checks for outdated KeyStores
         @Nonnull
-        private final KeyStore keyStore;
+        @EqualsAndHashCode.Exclude
+        @ToString.Exclude
+        Supplier<KeyStore> keyStoreSource;
 
         @Override
         public boolean isCertificateBased()
         {
             return true;
         }
 
-        // The identity will be used as cache key, so it's important we correctly implement equals/hashCode
-        @Override
-        public boolean equals( final Object obj )
+        @Nonnull
+        KeyStore getKeyStore()
         {
-            if( this == obj ) {
-                return true;
+            try {
+                return keyStoreSource.get();
             }
-
-            if( obj == null || getClass() != obj.getClass() ) {
-                return false;
+            catch( final Exception e ) {
+                throw new CloudPlatformException(
+                    "Failed to load X509 certificate for credential type X509_ATTESTED.",
+                    e);
             }
-
-            final ZtisClientIdentity that = (ZtisClientIdentity) obj;
-            return new EqualsBuilder()
-                .append(id, that.id)
-                .append(resolveCertificatesOnly(keyStore), resolveCertificatesOnly(that.keyStore))
-                .isEquals();
-        }
-
-        @Override
-        public int hashCode()
-        {
-            return new HashCodeBuilder(41, 71).append(id).append(resolveKeyStoreHashCode(keyStore)).build();
         }
     }
 }

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/BtpServicePropertySuppliersTest.java

@@ -757,8 +757,12 @@ void testMutualTlsWithZeroTrustIdentityService()
 
             final OAuth2PropertySupplier sut = IDENTITY_AUTHENTICATION.resolve(options);
             assertThat(sut).isNotNull();
+            assertThat(sut.getClientIdentity()).isInstanceOf(SecurityLibWorkarounds.ZtisClientIdentity.class);
 
-            assertThatThrownBy(sut::getClientIdentity)
+            final var identity = (SecurityLibWorkarounds.ZtisClientIdentity) sut.getClientIdentity();
+            assertThat(identity.getId()).isEqualTo("ias-client-id");
+
+            assertThatThrownBy(identity::getKeyStore)
                 .isInstanceOf(CloudPlatformException.class)
                 .describedAs("We are not mocking the ZTIS service here so this should fail")
                 .hasRootCauseInstanceOf(ServiceBindingAccessException.class);

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultOAuth2PropertySupplierTest.java

@@ -206,9 +206,15 @@ void testCredentialTypeX509_ATTESTED()
         sut = new DefaultOAuth2PropertySupplier(options);
 
         assertThat(sut.getCredentialType()).isEqualTo(CredentialType.X509_ATTESTED);
-        assertThatThrownBy(sut::getClientIdentity)
+        assertThat(sut).isNotNull();
+        assertThat(sut.getClientIdentity()).isInstanceOf(SecurityLibWorkarounds.ZtisClientIdentity.class);
+
+        final var identity = (SecurityLibWorkarounds.ZtisClientIdentity) sut.getClientIdentity();
+        assertThat(identity.getId()).isEqualTo("id");
+
+        assertThatThrownBy(identity::getKeyStore)
             .isInstanceOf(CloudPlatformException.class)
-            .describedAs("We are not mocking the Zero Trust Identity Service here, so this should be a failure")
+            .describedAs("We are not mocking the ZTIS service here so this should fail")
             .hasRootCauseInstanceOf(ServiceBindingAccessException.class);
     }
 

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/HttpClient5OAuth2TokenServiceTest.java

@@ -159,7 +159,7 @@ void testCreateHttpClientWithCertificateBasedClientIdentity()
     void testCreateHttpClientWithZtisClientIdentity()
     {
         final KeyStore keyStore = createEmptyKeyStore();
-        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", keyStore);
+        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", () -> keyStore);
 
         // ZtisClientIdentity is certificate-based but doesn't implement certificate methods properly
         // This should fail with certificate validation error
@@ -175,7 +175,7 @@ void testCreateHttpClientWithZtisClientIdentityAndExplicitKeyStore()
     {
         final KeyStore embeddedKeyStore = createEmptyKeyStore();
         final KeyStore explicitKeyStore = createEmptyKeyStore();
-        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", embeddedKeyStore);
+        final ClientIdentity ztisIdentity = new ZtisClientIdentity("ztis-client-id", () -> embeddedKeyStore);
 
         final CloseableHttpClient result =
             HttpClient5OAuth2TokenService.createHttpClient(ztisIdentity, explicitKeyStore);

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2IntegrationTest.java

@@ -216,7 +216,7 @@ void testIasFlowWithZeroTrustAndSubscriberTenant()
     {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        final ClientIdentity identity = new SecurityLibWorkarounds.ZtisClientIdentity("myClientId", ks);
+        final ClientIdentity identity = new SecurityLibWorkarounds.ZtisClientIdentity("myClientId", () -> ks);
 
         stubFor(
             post("/oauth2/token")

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2ServiceTest.java

@@ -18,6 +18,7 @@
 import static org.mockito.Mockito.doReturn;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.when;
 
 import java.io.IOException;
 import java.net.URI;
@@ -28,6 +29,7 @@
 import java.time.Duration;
 import java.util.List;
 import java.util.Map;
+import java.util.function.Supplier;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -401,15 +403,47 @@ void testZeroTrustClientIdentity()
     {
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, null);
-        ClientIdentity identity = new ZtisClientIdentity("id", ks);
+        ClientIdentity identity = new ZtisClientIdentity("id", () -> ks);
         OAuth2Service service = OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
 
         final OAuth2TokenService result = service.getTokenService(null);
         assertThat(result).isSameAs(service.getTokenService(null));
 
-        identity = new ZtisClientIdentity("other-id", ks);
+        identity = new ZtisClientIdentity("other-id", () -> ks);
         service = OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
 
         assertThat(result).isNotSameAs(service.getTokenService(null));
     }
+
+    @Test
+    @SneakyThrows
+    void testZeroTrustCertificateRotationCausesCacheMiss()
+    {
+        // we need to use actual KeyStores here because the code will build an HTTP Client and mocks don't suffice
+        final KeyStore ks1 = KeyStore.getInstance("JKS");
+        final KeyStore ks2 = KeyStore.getInstance("JKS");
+        ks1.load(null, null);
+        ks2.load(null, null);
+
+        assertThat(ks1).describedAs("Sanity check: objects should be different").isNotSameAs(ks2).isNotEqualTo(ks2);
+
+        @SuppressWarnings( "unchecked" )
+        final Supplier<KeyStore> mockZtis = mock(Supplier.class);
+        when(mockZtis.get()).thenReturn(ks1);
+
+        final ZtisClientIdentity identity = new ZtisClientIdentity("id", mockZtis);
+
+        final OAuth2Service service =
+            OAuth2Service.builder().withTokenUri(SERVER_1.baseUrl()).withIdentity(identity).build();
+
+        // Before rotation: same KeyStore → cache hit
+        final OAuth2TokenService tokenService1 = service.getTokenService(null);
+        assertThat(tokenService1).isSameAs(service.getTokenService(null));
+
+        when(mockZtis.get()).thenReturn(ks2);
+
+        // After rotation: different KeyStore → cache miss → new token service with new certificate
+        final OAuth2TokenService tokenService2 = service.getTokenService(null);
+        assertThat(tokenService2).isNotSameAs(tokenService1);
+    }
 }