From cefeae333f4116da7174165133f48229075a9a29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Jare=C5=A1?= <58428711+pj892031@users.noreply.github.com>
Date: Mon, 6 May 2024 16:38:20 +0200
Subject: [PATCH] fix: Fix SSL Context switching (backport of #3531) (#3532)
Signed-off-by: Pavel Jares
---
 .../util/config/ConfigReaderZaasClient.java | 28 +++++++++---------
 .../zaasclient/config/ConfigProperties.java | 4 +++
 .../internal/ZaasHttpsClientProvider.java | 29 +++++++++----------
 3 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
index 81eec2add6..8368aef062 100644
--- a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
+++ b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
@@ -18,21 +18,19 @@ public class ConfigReaderZaasClient {
 public static ConfigProperties getConfigProperties() {
-
- ConfigProperties configProperties = new ConfigProperties();
-
-
- configProperties.setApimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost());
- configProperties.setApimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "");
- configProperties.setApimlBaseUrl(ROUTED_AUTH);
- configProperties.setKeyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore());
- configProperties.setKeyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword());
- configProperties.setKeyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType());
- configProperties.setTrustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore());
- configProperties.setTrustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword());
- configProperties.setTrustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType());
- configProperties.setNonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices());
- return configProperties;
+ return ConfigProperties.builder()
+ .apimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost())
+ .apimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "")
+ .apimlBaseUrl(ROUTED_AUTH)
+ .keyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore())
+ .keyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword())
+ .keyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType())
+ .trustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore())
+ .trustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword())
+ .trustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType())
+ .nonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices())
+ .build();
 }
+
 }
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
index 372d5c5c80..75f1edfa14 100644
--- a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
+++ b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
@@ -29,6 +29,8 @@ public class ConfigProperties {
 private char[] trustStorePassword;
 private boolean httpOnly;
 private boolean nonStrictVerifySslCertificatesOfServices;
+ @Builder.Default
+ private String protocol = "TLS";
 @SuppressWarnings("squid:S1075")
 private static final String OLD_PATH_FORMAT = "/api/v1/gateway";
@@ -41,6 +43,7 @@ public class ConfigProperties {
 @Tolerate
 public ConfigProperties() {
 // lombok Builder.Default bug workaround
+ this.protocol = "TLS";
 this.tokenPrefix = "apimlAuthenticationToken";
 }
@@ -54,6 +57,7 @@ public ConfigProperties withoutKeyStore() {
 .trustStorePassword(trustStorePassword)
 .httpOnly(httpOnly)
 .nonStrictVerifySslCertificatesOfServices(nonStrictVerifySslCertificatesOfServices)
+ .protocol(protocol)
 .tokenPrefix(tokenPrefix)
 .build();
 }
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
index 3533d5ea3b..771f632b1b 100644
--- a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
+++ b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
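Review bot: The new `protocol` default of `"TLS"` is looser than the `SSLContext.getInstance("TLSv1.2")` it replaces in ZaasHttpsClientProvider.getSSLContext (last hunk of this patch): a context created for `"TLS"` negotiates every protocol version the running JDK leaves enabled, so deployments that never set `protocol` move from a TLS 1.2 pin to runtime-dependent negotiation (TLSv1.3 where available, and older versions on JDKs that still enable them). If that widening is intended it belongs in the field's Javadoc; otherwise `"TLSv1.2"` as the default preserves the previous behaviour. The literal also appears twice, in the `@Builder.Default` initializer here and again in the `@Tolerate` constructor workaround in the next hunk, so a single `private static final String DEFAULT_PROTOCOL = "TLS";` referenced from both (`private String protocol = DEFAULT_PROTOCOL;` and `this.protocol = DEFAULT_PROTOCOL;`) keeps the two defaults from drifting. The value is handed verbatim to `SSLContext.getInstance`, which the field comment should say, e.g. `/** Protocol name passed to {@link javax.net.ssl.SSLContext#getInstance(String)}; defaults to "TLS". */`.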
@@ -23,7 +23,10 @@
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationErrorCodes;
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationException;
-import javax.net.ssl.*;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -35,18 +38,18 @@
 @AllArgsConstructor
 class ZaasHttpsClientProvider implements CloseableClientProvider {
+ private static final int REQUEST_TIMEOUT = 30 * 1000;
 private final RequestConfig requestConfig;
 private static final Pattern KEYRING_PATTERN = Pattern.compile("^(safkeyring[^:]*):/{2,4}([^/]+)/([^/]+)$");
+ private ConfigProperties configProperties;
+
 private TrustManagerFactory tmf;
 private KeyManagerFactory kmf;
- private final char[] keyStorePassword;
- private final String keyStoreType;
- private final String keyStorePath;
 private final HostnameVerifier hostnameVerifier;
 private final CookieStore cookieStore = new BasicCookieStore();
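Review bot: `private ConfigProperties configProperties;` replaces three `final` fields (`keyStorePassword`, `keyStoreType`, `keyStorePath`) with a non-final reference to a mutable settings object, and the later hunks read it lazily in `initializeKeyStoreManagerFactory` and `getSSLContext` instead of snapshotting values at construction. A caller that keeps its `ConfigProperties` instance and calls a setter afterwards (the removed test code shows the class exposes them) therefore changes the key store and TLS protocol used by a provider that has already been built, which the old copied fields made impossible. Declaring it `private final ConfigProperties configProperties;` at least guarantees a single assignment (the constructor hunk does so), and a field comment should state that the object is held by reference and must not be modified after the provider is constructed. The `@AllArgsConstructor` on the class also changes signature with this field set, so it is worth confirming that nothing outside this file relies on the generated constructor.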
@@ -54,17 +57,14 @@ class ZaasHttpsClientProvider implements CloseableClientProvider {
 private CloseableHttpClient httpsClient;
 public ZaasHttpsClientProvider(ConfigProperties configProperties) throws ZaasConfigurationException {
- this.requestConfig = this.buildCustomRequestConfig();
-
 if (configProperties.getTrustStorePath() == null) {
 throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.TRUST_STORE_NOT_PROVIDED);
 }
+ this.configProperties = configProperties;
+ this.requestConfig = this.buildCustomRequestConfig();
 initializeTrustManagerFactory(configProperties.getTrustStorePath(), configProperties.getTrustStoreType(), configProperties.getTrustStorePassword());
 this.hostnameVerifier = configProperties.isNonStrictVerifySslCertificatesOfServices() ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
- this.keyStorePath = configProperties.getKeyStorePath();
- this.keyStorePassword = configProperties.getKeyStorePassword();
- this.keyStoreType = configProperties.getKeyStoreType();
 }
 static boolean isKeyring(String input) {
@@ -114,14 +114,14 @@ private void initializeTrustManagerFactory(String trustStorePath, String trustSt
 private void initializeKeyStoreManagerFactory() throws ZaasConfigurationException {
 try {
 KeyStore keyStore;
- if (keyStorePath != null) {
- keyStore = getKeystore(keyStorePath, keyStoreType, keyStorePassword);
+ if (configProperties.getKeyStorePath() != null) {
+ keyStore = getKeystore(configProperties.getKeyStorePath(), configProperties.getKeyStoreType(), configProperties.getKeyStorePassword());
 } else {
 keyStore = getEmptyKeystore();
 }
 kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
- kmf.init(keyStore, keyStorePassword);
+ kmf.init(keyStore, configProperties.getKeyStorePassword());
 } catch (NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyStoreException e) {
 throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
 } catch (IOException e) {
@@ -155,14 +155,12 @@ private InputStream getCorrectInputStream(String uri) throws IOException {
 private SSLContext getSSLContext() throws ZaasConfigurationException {
 try {
- SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ SSLContext sslContext = SSLContext.getInstance(configProperties.getProtocol());
 sslContext.init(
 kmf != null ? kmf.getKeyManagers() : null,
 tmf.getTrustManagers(),
 new SecureRandom()
 );
- HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
- HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
 return sslContext;
 } catch (NoSuchAlgorithmException | KeyManagementException e) {
 throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
@@ -192,4 +190,5 @@ private RequestConfig buildCustomRequestConfig() {
 builder.setConnectTimeout(REQUEST_TIMEOUT);
 return builder.build();
 }
+
 }
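Review bot: In the getSSLContext hunk, `SSLContext.getInstance(configProperties.getProtocol())` is covered only by `catch (NoSuchAlgorithmException | KeyManagementException e)`: an unknown protocol name is correctly mapped to WRONG_CRYPTO_CONFIGURATION, but a `null` protocol — reachable because `protocol` is a plain settable String on ConfigProperties — is rejected by `getInstance` with a NullPointerException on current JDKs and escapes as an unchecked exception instead of the documented ZaasConfigurationException. A guard before the call keeps the error contract: `if (configProperties.getProtocol() == null) { throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION); }`. With the two `HttpsURLConnection.setDefault*` calls gone, `hostnameVerifier` is no longer applied anywhere in this method, so the socket factory that consumes the returned context (built outside the hunk) is presumably where it is passed — a comment such as `// Context is scoped to this client's socket factory; do not install it as the JVM-wide HttpsURLConnection default` would record why the defaults are intentionally not set and protect the fix from being reverted. The method's catch block continues outside the hunk.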