Add ssl configuration to driver3

Inspired by https://github.com/scylladb/kafka-connect-scylladb

Closes #72.

Author: wyfo

scylla-cdc-base/pom.xml

@@ -20,5 +20,11 @@
             <artifactId>guava</artifactId>
             <version>${guava.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-handler</artifactId>
+            <version>4.1.75.Final</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 </project>

scylla-cdc-base/src/main/java/com/scylladb/cdc/cql/CQLConfiguration.java

@@ -63,10 +63,11 @@ public enum ConsistencyLevel {
     public final String password;
     private final ConsistencyLevel consistencyLevel;
     private final String localDCName;
+    public final SslConfig sslConfig;
 
     private CQLConfiguration(List<InetSocketAddress> contactPoints,
                             String user, String password, ConsistencyLevel consistencyLevel,
-                            String localDCName) {
+                            String localDCName, SslConfig sslConfig) {
         this.contactPoints = Preconditions.checkNotNull(contactPoints);
         Preconditions.checkArgument(!contactPoints.isEmpty());
 
@@ -79,6 +80,7 @@ private CQLConfiguration(List<InetSocketAddress> contactPoints,
 
         this.consistencyLevel = Preconditions.checkNotNull(consistencyLevel);
         this.localDCName = localDCName;
+        this.sslConfig = sslConfig;
     }
 
     /**
@@ -104,7 +106,7 @@ public ConsistencyLevel getConsistencyLevel() {
      * was not configured, this method returns <code>null</code>.
      *
      * @return the name of configured local datacenter or
-     *         <code>null</code> if it was not configured.
+     * <code>null</code> if it was not configured.
      */
     public String getLocalDCName() {
         return localDCName;
@@ -120,6 +122,7 @@ public static class Builder {
         private String password = null;
         private ConsistencyLevel consistencyLevel = DEFAULT_CONSISTENCY_LEVEL;
         private String localDCName = null;
+        private SslConfig sslConfig = null;
 
         public Builder addContactPoint(InetSocketAddress contactPoint) {
             Preconditions.checkNotNull(contactPoint);
@@ -181,8 +184,13 @@ public Builder withLocalDCName(String localDCName) {
             return this;
         }
 
+        public Builder withSslConfig(SslConfig sslConfig) {
+            this.sslConfig = sslConfig;
+            return this;
+        }
+
         public CQLConfiguration build() {
-            return new CQLConfiguration(contactPoints, user, password, consistencyLevel, localDCName);
+            return new CQLConfiguration(contactPoints, user, password, consistencyLevel, localDCName, sslConfig);
         }
     }
 }

scylla-cdc-base/src/main/java/com/scylladb/cdc/cql/SslConfig.java

@@ -0,0 +1,87 @@
+package com.scylladb.cdc.cql;
+
+import io.netty.handler.ssl.SslProvider;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class SslConfig {
+    public final SslProvider sslProvider;
+    public final String trustStorePath;
+    public final String trustStorePassword;
+    public final String keyStorePath;
+    public final String keyStorePassword;
+    public final List<String> cipherSuites;
+    public final String certPath;
+    public final String privateKeyPath;
+
+    public SslConfig(SslProvider sslProvider, String trustStorePath, String trustStorePassword, String keyStorePath, String keyStorePassword, List<String> cipherSuites, String certPath, String privateKeyPath) {
+        this.sslProvider = sslProvider;
+        this.trustStorePath = trustStorePath;
+        this.trustStorePassword = trustStorePassword;
+        this.keyStorePath = keyStorePath;
+        this.keyStorePassword = keyStorePassword;
+        this.cipherSuites = cipherSuites;
+        this.certPath = certPath;
+        this.privateKeyPath = privateKeyPath;
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+        private SslProvider sslProvider = null;
+        private String trustStorePath = null;
+        private String trustStorePassword = null;
+        private String keyStorePath = null;
+        private String keyStorePassword = null;
+        private final List<String> cipherSuites = new ArrayList<>();
+        private String certPath = null;
+        private String privateKeyPath = null;
+
+        public Builder withSslProvider(SslProvider sslProvider) {
+            this.sslProvider = sslProvider;
+            return this;
+        }
+
+        public Builder withTrustStorePath(String trustStorePath) {
+            this.trustStorePath = trustStorePath;
+            return this;
+        }
+
+        public Builder withTrustStorePassword(String trustStorePassword) {
+            this.trustStorePassword = trustStorePassword;
+            return this;
+        }
+
+        public Builder withKeyStorePath(String keyStorePath) {
+            this.keyStorePath = keyStorePath;
+            return this;
+        }
+
+        public Builder withKeyStorePassword(String keyStorePassword) {
+            this.keyStorePassword = keyStorePassword;
+            return this;
+        }
+
+        public Builder withCipher(String cipher) {
+            this.cipherSuites.add(cipher);
+            return this;
+        }
+
+        public Builder withCertPath(String certPath) {
+            this.certPath = certPath;
+            return this;
+        }
+
+        public Builder withPrivateKeyPath(String privateKeyPath) {
+            this.privateKeyPath = privateKeyPath;
+            return this;
+        }
+
+        public SslConfig build() {
+            return new SslConfig(sslProvider, trustStorePath, trustStorePassword, keyStorePath, keyStorePassword, cipherSuites, certPath, privateKeyPath);
+        }
+    }
+}

scylla-cdc-driver3/src/main/java/com/scylladb/cdc/cql/driver3/Driver3Session.java

@@ -1,11 +1,23 @@
 package com.scylladb.cdc.cql.driver3;
 
-import com.datastax.driver.core.Cluster;
-import com.datastax.driver.core.ConsistencyLevel;
-import com.datastax.driver.core.ProtocolVersion;
-import com.datastax.driver.core.Session;
+import com.datastax.driver.core.*;
 import com.datastax.driver.core.policies.DCAwareRoundRobinPolicy;
 import com.scylladb.cdc.cql.CQLConfiguration;
+import com.scylladb.cdc.cql.SslConfig;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.*;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
 
 public class Driver3Session implements AutoCloseable {
     private final Cluster driverCluster;
@@ -18,6 +30,71 @@ public Driver3Session(CQLConfiguration cqlConfiguration) {
 
         clusterBuilder = clusterBuilder.addContactPointsWithPorts(cqlConfiguration.contactPoints);
 
+        if (cqlConfiguration.sslConfig != null) {
+            SslConfig sslConfig = cqlConfiguration.sslConfig;
+            final SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+            System.out.println(sslConfig.getClass().getProtectionDomain().getCodeSource().getLocation());
+            sslContextBuilder.sslProvider(sslConfig.sslProvider);
+            if (sslConfig.trustStorePath != null) {
+                final KeyStore trustKeyStore = createKeyStore(sslConfig.trustStorePath, sslConfig.trustStorePassword);
+
+                final TrustManagerFactory trustManagerFactory;
+                try {
+                    trustManagerFactory =
+                            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                    trustManagerFactory.init(trustKeyStore);
+                } catch (NoSuchAlgorithmException e) {
+                    throw new RuntimeException("Exception while creating TrustManagerFactory", e);
+                } catch (KeyStoreException e) {
+                    throw new RuntimeException("Exception while calling TrustManagerFactory.init()", e);
+                }
+                sslContextBuilder.trustManager(trustManagerFactory);
+            }
+
+            if (sslConfig.keyStorePath != null) {
+                final KeyStore keyStore = createKeyStore(sslConfig.keyStorePath, sslConfig.keyStorePassword);
+
+                final KeyManagerFactory keyManagerFactory;
+                try {
+                    keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+                    keyManagerFactory.init(keyStore, sslConfig.keyStorePassword.toCharArray());
+                } catch (NoSuchAlgorithmException e) {
+                    throw new RuntimeException("Exception while creating KeyManagerFactory", e);
+                } catch (UnrecoverableKeyException | KeyStoreException e) {
+                    throw new RuntimeException("Exception while calling KeyManagerFactory.init()", e);
+                }
+                sslContextBuilder.keyManager(keyManagerFactory);
+            }
+
+            if (sslConfig.cipherSuites.size() > 0) {
+                sslContextBuilder.ciphers(sslConfig.cipherSuites);
+            }
+
+            if (sslConfig.certPath != null && sslConfig.privateKeyPath != null) {
+                try {
+                    sslContextBuilder.keyManager(new BufferedInputStream(new FileInputStream(sslConfig.certPath)),
+                            new BufferedInputStream(new FileInputStream(sslConfig.privateKeyPath)));
+                } catch (IllegalArgumentException e) {
+                    throw new RuntimeException(String.format("Invalid certificate or private key: %s", e.getMessage()));
+                } catch (FileNotFoundException e) {
+                    throw new RuntimeException("Invalid certificate or private key file path", e);
+                }
+            } else if ((sslConfig.certPath == null) != (sslConfig.privateKeyPath == null)) {
+                throw new RuntimeException(String.format("%s cannot be set without %s and vice-versa: %s is not set",
+                        "scylla.ssl.openssl.keyCertChain", "scylla.ssl.openssl.privateKey",
+                        (sslConfig.certPath == null) ? "scylla.ssl.openssl.keyCertChain" : "scylla.ssl.openssl.privateKey"));
+            }
+
+            final SslContext context;
+            try {
+                context = sslContextBuilder.build();
+            } catch (SSLException e) {
+                throw new RuntimeException(e);
+            }
+            final SSLOptions sslOptions = new RemoteEndpointAwareNettySSLOptions(context);
+            clusterBuilder.withSSL(sslOptions);
+        }
+
         // Deliberately set the protocol version to V4,
         // as V5 implements returning a metadata id (schema id)
         // per each page. Our implementation of Driver3WorkerCQL
@@ -87,4 +164,21 @@ public void close() {
             driverCluster.close();
         }
     }
+
+    private KeyStore createKeyStore(String path, String password) {
+        KeyStore keyStore;
+        try {
+            keyStore = KeyStore.getInstance("JKS");
+            try (InputStream inputStream = Files.newInputStream(Paths.get(path))) {
+                keyStore.load(inputStream, password.toCharArray());
+            } catch (IOException e) {
+                throw new RuntimeException("Exception while reading keystore", e);
+            } catch (CertificateException | NoSuchAlgorithmException e) {
+                throw new RuntimeException("Exception while loading keystore", e);
+            }
+        } catch (KeyStoreException e) {
+            throw new RuntimeException("Exception while creating keystore", e);
+        }
+        return keyStore;
+    }
 }