Introduce mTLS support

benchkit-backend/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <artifactId>neo4j-java-driver-parent</artifactId>
         <groupId>org.neo4j.driver</groupId>
-        <version>5.18-SNAPSHOT</version>
+        <version>5.19-SNAPSHOT</version>
     </parent>
 
     <artifactId>benchkit-backend</artifactId>

bundle/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>org.neo4j.driver</groupId>
     <artifactId>neo4j-java-driver-parent</artifactId>
-    <version>5.18-SNAPSHOT</version>
+    <version>5.19-SNAPSHOT</version>
     <relativePath>..</relativePath>
   </parent>
 

driver/pom.xml

@@ -6,7 +6,7 @@
   <parent>
     <groupId>org.neo4j.driver</groupId>
     <artifactId>neo4j-java-driver-parent</artifactId>
-    <version>5.18-SNAPSHOT</version>
+    <version>5.19-SNAPSHOT</version>
   </parent>
 
   <artifactId>neo4j-java-driver</artifactId>

driver/src/main/java/org/neo4j/driver/ClientCertificate.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [https://neo4j.com]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import org.neo4j.driver.internal.InternalClientCertificate;
+import org.neo4j.driver.util.Preview;
+
+/**
+ * An opaque container for client certificate used for mTLS.
+ * <p>
+ * Use {@link ClientCertificates} to create new instances.
+ * @since 5.19
+ */
+@Preview(name = "mTLS")
+public sealed interface ClientCertificate permits InternalClientCertificate {}

driver/src/main/java/org/neo4j/driver/ClientCertificateManager.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [https://neo4j.com]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import java.util.concurrent.CompletionStage;
+import org.neo4j.driver.util.Preview;
+
+/**
+ * A manager of {@link ClientCertificate} instances used by the driver for mTLS.
+ * <p>
+ * The driver uses the {@link ClientCertificate} supplied by the manager for setting up new connections. Therefore,
+ * a change of the certificate affects subsequent new connections only.
+ * <p>
+ * The manager must never return {@literal null}. Exceptions must be emitted via the {@link CompletionStage} only.
+ * <p>
+ * All implementations of this interface must be thread-safe and non-blocking for caller threads. For instance, IO
+ * operations must not done on the calling thread.
+ * @since 5.19
+ */
+@Preview(name = "mTLS")
+public interface ClientCertificateManager {
+    /**
+     * Returns a {@link CompletionStage} of a new {@link ClientCertificate}.
+     * <p>
+     * The first {@link CompletionStage} supplied to the driver must not complete with {@literal null} to ensure the
+     * driver has the initial {@link ClientCertificate}.
+     * <p>
+     * Afterwards, the {@link CompletionStage} may complete with {@literal null} to indicate no update. If the
+     * {@link CompletionStage} completes with {@link ClientCertificate}, the driver loads the supplied
+     * {@link ClientCertificate}.
+     * @return the certificate stage, must not be {@literal null}
+     */
+    CompletionStage<ClientCertificate> getClientCertificate();
+}

driver/src/main/java/org/neo4j/driver/ClientCertificateManagers.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [https://neo4j.com]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import org.neo4j.driver.internal.InternalRotatingClientCertificateManager;
+import org.neo4j.driver.util.Preview;
+
+/**
+ * Implementations of {@link ClientCertificateManager}.
+ *
+ * @since 5.19
+ */
+@Preview(name = "mTLS")
+public final class ClientCertificateManagers {
+    private ClientCertificateManagers() {}
+
+    /**
+     * Returns a {@link RotatingClientCertificateManager} that supports rotating its {@link ClientCertificate} using the
+     * {@link RotatingClientCertificateManager#rotate(ClientCertificate)} method.
+     *
+     * @param clientCertificate an initial certificate, must not be {@literal null}
+     * @return a new manager
+     */
+    public static RotatingClientCertificateManager rotating(ClientCertificate clientCertificate) {
+        return new InternalRotatingClientCertificateManager(clientCertificate);
+    }
+}

driver/src/main/java/org/neo4j/driver/ClientCertificates.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) "Neo4j"
+ * Neo4j Sweden AB [https://neo4j.com]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.neo4j.driver;
+
+import java.io.File;
+import java.util.Objects;
+import org.neo4j.driver.internal.InternalClientCertificate;
+import org.neo4j.driver.util.Preview;
+
+/**
+ * Creates new instances of {@link ClientCertificate}.
+ * @since 5.19
+ */
+@Preview(name = "mTLS")
+public final class ClientCertificates {
+    private ClientCertificates() {}
+
+    /**
+     * Creates a new instance of {@link ClientCertificate} with certificate {@link File} and private key {@link File}.
+     * @param certificate the certificate file, must not be {@literal null}
+     * @param privateKey the key file, must not be {@literal null}
+     * @return the client certificate
+     */
+    public static ClientCertificate of(File certificate, File privateKey) {
+        return of(certificate, privateKey, null);
+    }
+
+    /**
+     * Creates a new instance of {@link ClientCertificate} with certificate {@link File}, private key {@link File} and key password.
+     * @param certificate the certificate file, must not be {@literal null}
+     * @param privateKey the key file, must not be {@literal null}
+     * @param password the key password
+     * @return the client certificate
+     */
+    public static ClientCertificate of(File certificate, File privateKey, String password) {
+        Objects.requireNonNull(certificate);
+        Objects.requireNonNull(privateKey);
+        return new InternalClientCertificate(certificate, privateKey, password);
+    }
+}