Skip to content

Commit

Permalink
fix: Fix SSL Context switching (backport of #3531)
Browse files Browse the repository at this point in the history 
Signed-off-by: Pavel Jares <Pavel.Jares@broadcom.com>
  • Loading branch information
@pj892031
pj892031 committed May 6, 2024
1 parent 4c81a7c commit 6acdfbf
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 30 deletions.
28 changes: 13 additions & 15 deletions integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,21 +18,19 @@
public class ConfigReaderZaasClient {

public static ConfigProperties getConfigProperties() {

ConfigProperties configProperties = new ConfigProperties();


configProperties.setApimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost());
configProperties.setApimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "");
configProperties.setApimlBaseUrl(ROUTED_AUTH);
configProperties.setKeyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore());
configProperties.setKeyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword());
configProperties.setKeyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType());
configProperties.setTrustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore());
configProperties.setTrustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword());
configProperties.setTrustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType());
configProperties.setNonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices());
return configProperties;
return ConfigProperties.builder()
.apimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost())
.apimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "")
.apimlBaseUrl(ROUTED_AUTH)
.keyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore())
.keyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword())
.keyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType())
.trustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore())
.trustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword())
.trustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType())
.nonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices())
.build();
}

}

4 changes: 4 additions & 0 deletions zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ public class ConfigProperties {
private char[] trustStorePassword;
private boolean httpOnly;
private boolean nonStrictVerifySslCertificatesOfServices;
@Builder.Default
private String protocol = "TLS";

@SuppressWarnings("squid:S1075")
private static final String OLD_PATH_FORMAT = "/api/v1/gateway";
Expand All @@ -41,6 +43,7 @@ public class ConfigProperties {
@Tolerate
public ConfigProperties() {
// lombok Builder.Default bug workaround
this.protocol = "TLS";
this.tokenPrefix = "apimlAuthenticationToken";
}

Expand All @@ -54,6 +57,7 @@ public ConfigProperties withoutKeyStore() {
.trustStorePassword(trustStorePassword)
.httpOnly(httpOnly)
.nonStrictVerifySslCertificatesOfServices(nonStrictVerifySslCertificatesOfServices)
.protocol(protocol)
.tokenPrefix(tokenPrefix)
.build();
}
Expand Down
29 changes: 14 additions & 15 deletions ...ent/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,10 @@
import org.zowe.apiml.zaasclient.exception.ZaasConfigurationErrorCodes;
import org.zowe.apiml.zaasclient.exception.ZaasConfigurationException;

import javax.net.ssl.*;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
Expand All @@ -35,36 +38,33 @@

@AllArgsConstructor
class ZaasHttpsClientProvider implements CloseableClientProvider {

private static final int REQUEST_TIMEOUT = 30 * 1000;

private final RequestConfig requestConfig;

private static final Pattern KEYRING_PATTERN = Pattern.compile("^(safkeyring[^:]*):/{2,4}([^/]+)/([^/]+)$");

private ConfigProperties configProperties;

private TrustManagerFactory tmf;
private KeyManagerFactory kmf;

private final char[] keyStorePassword;
private final String keyStoreType;
private final String keyStorePath;
private final HostnameVerifier hostnameVerifier;

private final CookieStore cookieStore = new BasicCookieStore();

private CloseableHttpClient httpsClient;

public ZaasHttpsClientProvider(ConfigProperties configProperties) throws ZaasConfigurationException {
this.requestConfig = this.buildCustomRequestConfig();

if (configProperties.getTrustStorePath() == null) {
throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.TRUST_STORE_NOT_PROVIDED);
}
this.configProperties = configProperties;

this.requestConfig = this.buildCustomRequestConfig();
initializeTrustManagerFactory(configProperties.getTrustStorePath(), configProperties.getTrustStoreType(), configProperties.getTrustStorePassword());
this.hostnameVerifier = configProperties.isNonStrictVerifySslCertificatesOfServices() ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
this.keyStorePath = configProperties.getKeyStorePath();
this.keyStorePassword = configProperties.getKeyStorePassword();
this.keyStoreType = configProperties.getKeyStoreType();
}

static boolean isKeyring(String input) {
Expand Down Expand Up @@ -114,14 +114,14 @@ private void initializeTrustManagerFactory(String trustStorePath, String trustSt
private void initializeKeyStoreManagerFactory() throws ZaasConfigurationException {
try {
KeyStore keyStore;
if (keyStorePath != null) {
keyStore = getKeystore(keyStorePath, keyStoreType, keyStorePassword);
if (configProperties.getKeyStorePath() != null) {
keyStore = getKeystore(configProperties.getKeyStorePath(), configProperties.getKeyStoreType(), configProperties.getKeyStorePassword());
} else {
keyStore = getEmptyKeystore();
}

kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, keyStorePassword);
kmf.init(keyStore, configProperties.getKeyStorePassword());
} catch (NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyStoreException e) {
throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
} catch (IOException e) {
Expand Down Expand Up @@ -155,14 +155,12 @@ private InputStream getCorrectInputStream(String uri) throws IOException {

private SSLContext getSSLContext() throws ZaasConfigurationException {
try {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
SSLContext sslContext = SSLContext.getInstance(configProperties.getProtocol());
sslContext.init(
kmf != null ? kmf.getKeyManagers() : null,
tmf.getTrustManagers(),
new SecureRandom()
);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
return sslContext;
} catch (NoSuchAlgorithmException | KeyManagementException e) {
throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
Expand Down Expand Up @@ -192,4 +190,5 @@ private RequestConfig buildCustomRequestConfig() {
builder.setConnectTimeout(REQUEST_TIMEOUT);
return builder.build();
}

}

0 comments on commit 6acdfbf

Please sign in to comment.