Skip to content

feat: [Connectivity] Dynamic Keystore in HttpDestination#1202

Open
MatKuhr wants to merge 10 commits into
mainfrom
feat/dynamic-destination-keystore
Open

feat: [Connectivity] Dynamic Keystore in HttpDestination#1202
MatKuhr wants to merge 10 commits into
mainfrom
feat/dynamic-destination-keystore

Conversation

@MatKuhr

@MatKuhr MatKuhr commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown
Member

Context

Follow-up for #1142

Allows in-place rotation for destination keystore to fully support #1134

Feature scope:

  • Extend DefaultHttpDestination to support Supplier<Keystore>
  • Extend OAuth2ServiceBindingDestinationLoader and related classes to use this capability
  • Ensure no new public API is introduced

Definition of Done

  • Functionality scope stated & covered
  • Tests cover the scope above
  • Error handling created / updated & covered by the tests above
  • Documentation updated
  • Release notes updated

MatKuhr added 3 commits April 16, 2026 19:15
@MatKuhr
PoC dynamic keystore on httpdestination
c9fd388
@MatKuhr
Merge remote-tracking branch 'origin/main' into feat/dynamic-destinat…
41e2fd4 
…ion-keystore

# Conflicts:
#	cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Options.java
@MatKuhr
Add OAuth2Options implementation
82edf08
@MatKuhr MatKuhr added the please review Request to review a pull request label Jun 11, 2026
MatKuhr
MatKuhr commented Jun 12, 2026
View reviewed changes
Comment thread ...ivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java
* The {@link KeyStore} to be used when communicating over HTTP.
*/
@Nonnull
public Builder keyStore( @Nullable final KeyStore keyStore )

@MatKuhr MatKuhr Jun 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no new public API, just replaces the previous public @Setter

MatKuhr
MatKuhr commented Jun 12, 2026
View reviewed changes
Comment thread ...ivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java Outdated
@Nullable
private final KeyStore keyStore;
@Nonnull
private final Supplier<Option<KeyStore>> keyStore;

@MatKuhr MatKuhr Jun 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Supplier<Option<KeyStore>> looks a bit strange, but this is because allowing a supplier to return null is often dangerous (especially, because our current annotations don't allow declaring Supplier<@Nullable KeyStore>). This solution was the least un-intuitive variant I could find that allows for the KeyStore to be null but still using a supplier.

@MatKuhr MatKuhr marked this pull request as ready for review June 12, 2026 10:14
@MatKuhr MatKuhr added the please merge Request to merge a pull request label Jun 12, 2026
Jonas-Isr
Jonas-Isr reviewed Jun 17, 2026
View reviewed changes

@Jonas-Isr Jonas-Isr left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only minor issues/questions :)

Comment thread ...ivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java Outdated
Comment thread ...ivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java
Comment thread ...ivity/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java
Comment on lines -552 to +555
.append(resolveKeyStoreHashCode(keyStore))
.append(resolveKeyStoreHashCode(keyStoreSupplier.get().getOrNull()))

@Jonas-Isr Jonas-Isr Jun 17, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Question)

How often do we expect the certificate to rotate (and thus the keyStore to differ)? Could this become a problem with hashCode() returning a different value then, resulting in cache misses or similar?

@MatKuhr MatKuhr Jun 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, this should only apply for ZTIS, since the new API is internal and only used there. Certs are expected to change rotate between 12hrs or 3.5 days, so not often.

Indeed, a rotated certificate would cause a cache miss if it were cached, but currently we don't have this for the ZTIS use case. But even if we did, I think that would be okay, this would have been the old behavior / expectation anyway 🙂

MatKuhr and others added 4 commits June 17, 2026 16:41
@MatKuhr @Jonas-Isr
Update cloudplatform/cloudplatform-connectivity/src/main/java/com/sap…
7bc3502 
…/cloud/sdk/cloudplatform/connectivity/DefaultHttpDestination.java

Co-authored-by: Jonas-Isr <jonas.israel@sap.com>
@MatKuhr
CamelCase
58143b7
@MatKuhr
Formatting
9ad8498
@MatKuhr
Merge branch 'main' into feat/dynamic-destination-keystore
0ba1faa
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jonas-Isr Jonas-Isr Jonas-Isr approved these changes

Assignees

@MatKuhr MatKuhr

Labels

please merge Request to merge a pull request please review Request to review a pull request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MatKuhr @Jonas-Isr @CharlesDuboisSAP