Merge pull request #1571 from marklogic/feature/508-certificate-bug

rjrudin · web-flow · commit 5975ce893053 · 2023-07-18T13:57:41.000-07:00
DEVEXP-508 Certificate auth no longer requires a file path
diff --git a/marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientBuilder.java b/marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientBuilder.java
@@ -158,6 +158,12 @@ public DatabaseClientBuilder withCertificateAuth(String file, String password) {
 			.withCertificatePassword(password);
 	}
 
+	public DatabaseClientBuilder withCertificateAuth(SSLContext sslContext, X509TrustManager trustManager) {
+		return withAuthType(AUTH_TYPE_CERTIFICATE)
+			.withSSLContext(sslContext)
+			.withTrustManager(trustManager);
+	}
+
 	public DatabaseClientBuilder withSAMLAuth(String token) {
 		return withAuthType(AUTH_TYPE_SAML)
 			.withSAMLToken(token);
diff --git a/marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientFactory.java b/marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientFactory.java
@@ -1238,8 +1238,8 @@ public String getCertificatePassword() {
 	 *     "kerberos", "certificate", or "saml"</li>
 	 *     <li>marklogic.client.username = must be a String; required for basic and digest authentication</li>
 	 *     <li>marklogic.client.password = must be a String; required for basic and digest authentication</li>
-	 *     <li>marklogic.client.certificate.file = must be a String; required for certificate authentication</li>
-	 *     <li>marklogic.client.certificate.password = must be a String; required for certificate authentication</li>
+	 *     <li>marklogic.client.certificate.file = must be a String; optional for certificate authentication</li>
+	 *     <li>marklogic.client.certificate.password = must be a String; optional for certificate authentication</li>
 	 *     <li>marklogic.client.cloud.apiKey = must be a String; required for cloud authentication</li>
 	 *     <li>marklogic.client.kerberos.principal = must be a String; required for Kerberos authentication</li>
 	 *     <li>marklogic.client.saml.token = must be a String; required for SAML authentication</li>
diff --git a/marklogic-client-api/src/main/java/com/marklogic/client/impl/DatabaseClientPropertySource.java b/marklogic-client-api/src/main/java/com/marklogic/client/impl/DatabaseClientPropertySource.java
@@ -210,15 +210,19 @@ private DatabaseClientFactory.SecurityContext newCloudAuthContext() {
 	}
 
 	private DatabaseClientFactory.SecurityContext newCertificateAuthContext(SSLInputs sslInputs) {
-		try {
-			return new DatabaseClientFactory.CertificateAuthContext(
-				getRequiredStringValue("certificate.file"),
-				getRequiredStringValue("certificate.password"),
-				sslInputs.getTrustManager()
-			);
-		} catch (Exception e) {
-			throw new RuntimeException("Unable to create CertificateAuthContext; cause " + e.getMessage(), e);
+		String file = getNullableStringValue("certificate.file");
+		String password = getNullableStringValue("certificate.password");
+		if (file != null && file.trim().length() > 0) {
+			try {
+				if (password != null && password.trim().length() > 0) {
+					return new DatabaseClientFactory.CertificateAuthContext(file, password, sslInputs.getTrustManager());
+				}
+				return new DatabaseClientFactory.CertificateAuthContext(file, sslInputs.getTrustManager());
+			} catch (Exception e) {
+				throw new RuntimeException("Unable to create CertificateAuthContext; cause " + e.getMessage(), e);
+			}
 		}
+		return new DatabaseClientFactory.CertificateAuthContext(sslInputs.getSslContext(), sslInputs.getTrustManager());
 	}
 
 	private DatabaseClientFactory.SecurityContext newKerberosAuthContext() {
diff --git a/marklogic-client-api/src/test/java/com/marklogic/client/test/DatabaseClientBuilderTest.java b/marklogic-client-api/src/test/java/com/marklogic/client/test/DatabaseClientBuilderTest.java
@@ -3,13 +3,18 @@
 import com.marklogic.client.DatabaseClient;
 import com.marklogic.client.DatabaseClientBuilder;
 import com.marklogic.client.DatabaseClientFactory;
+import com.marklogic.client.ext.modulesloader.ssl.SimpleX509TrustManager;
 import org.junit.jupiter.api.Test;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
+import java.security.NoSuchAlgorithmException;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -138,14 +143,45 @@ void kerberos() {
 	}
 
 	@Test
-	void certificate() {
+	void certificateValidFile() {
+		DatabaseClient client = Common.newClientBuilder()
+			.withCertificateAuth("src/test/resources/test_certificate.p12", "abc")
+			.build();
+
+		assertNotNull(client);
+		assertNotNull(client.getSecurityContext().getSSLContext(), "An SSLContext should have been created based " +
+			"on the test keystore.");
+	}
+
+	@Test
+	void certificateInvalidFile() {
 		DatabaseClientBuilder builder = Common.newClientBuilder()
 			.withCertificateAuth("not.found", "passwd");
 
 		Exception ex = assertThrows(Exception.class, () -> builder.buildBean());
-		assertTrue(ex.getMessage().contains("Unable to create CertificateAuthContext"),
-			"We don't yet have a real test for certificate authentication, so there's not yet a certificate store " +
-				"to test against; just making sure that an attempt is made to create a CertificateAuthContext");
+		assertEquals("Unable to create CertificateAuthContext; cause not.found (No such file or directory)",
+			ex.getMessage(), "Should fail because the certificate file path is not valid, and thus a keystore " +
+				"cannot be created from it.");
+	}
+
+	@Test
+	void certificateWithNoFile() throws NoSuchAlgorithmException {
+		SSLContext defaultContext = SSLContext.getDefault();
+		X509TrustManager trustManager = new SimpleX509TrustManager();
+		DatabaseClientBuilder builder = Common.newClientBuilder()
+			.withCertificateAuth(defaultContext, trustManager)
+			.withSSLHostnameVerifier(DatabaseClientFactory.SSLHostnameVerifier.STRICT);
+
+		// Verify the SSL-related objects are the same ones passed in above.
+		DatabaseClientFactory.Bean bean = builder.buildBean();
+		assertSame(defaultContext, bean.getSecurityContext().getSSLContext());
+		assertSame(trustManager, bean.getSecurityContext().getTrustManager());
+		assertSame(DatabaseClientFactory.SSLHostnameVerifier.STRICT, bean.getSecurityContext().getSSLHostnameVerifier());
+
+		DatabaseClient client = bean.newClient();
+		assertNotNull(client, "The client can be instantiated because a certificate file and password aren't " +
+			"required. In this scenario, it's expected that a user will provide their own SSLContext to use for " +
+			"certificate authentication.");
 	}
 
 	@Test
diff --git a/marklogic-client-api/src/test/resources/test_certificate.p12 b/marklogic-client-api/src/test/resources/test_certificate.p12
