fix: Fix SSL Context switching (backport of #3531) (#3532)

pavel-jares-bcm · web-flow · commit cefeae333f41 · 2024-05-06T16:38:20.000+02:00
Signed-off-by: Pavel Jares &lt;Pavel.Jares@broadcom.com&gt;
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
@@ -18,21 +18,19 @@
 public class ConfigReaderZaasClient {
 
         public static ConfigProperties getConfigProperties() {
-
-            ConfigProperties configProperties = new ConfigProperties();
-
-
-            configProperties.setApimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost());
-            configProperties.setApimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "");
-            configProperties.setApimlBaseUrl(ROUTED_AUTH);
-            configProperties.setKeyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore());
-            configProperties.setKeyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword());
-            configProperties.setKeyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType());
-            configProperties.setTrustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore());
-            configProperties.setTrustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword());
-            configProperties.setTrustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType());
-            configProperties.setNonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices());
-            return configProperties;
+            return ConfigProperties.builder()
+                .apimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost())
+                .apimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "")
+                .apimlBaseUrl(ROUTED_AUTH)
+                .keyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore())
+                .keyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword())
+                .keyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType())
+                .trustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore())
+                .trustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword())
+                .trustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType())
+                .nonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices())
+                .build();
         }
+
 }
 
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
@@ -29,6 +29,8 @@ public class ConfigProperties {
     private char[] trustStorePassword;
     private boolean httpOnly;
     private boolean nonStrictVerifySslCertificatesOfServices;
+    @Builder.Default
+    private String protocol = "TLS";
 
     @SuppressWarnings("squid:S1075")
     private static final String OLD_PATH_FORMAT = "/api/v1/gateway";
@@ -41,6 +43,7 @@ public class ConfigProperties {
     @Tolerate
     public ConfigProperties() {
         // lombok Builder.Default bug workaround
+        this.protocol = "TLS";
         this.tokenPrefix = "apimlAuthenticationToken";
     }
 
@@ -54,6 +57,7 @@ public ConfigProperties withoutKeyStore() {
             .trustStorePassword(trustStorePassword)
             .httpOnly(httpOnly)
             .nonStrictVerifySslCertificatesOfServices(nonStrictVerifySslCertificatesOfServices)
+            .protocol(protocol)
             .tokenPrefix(tokenPrefix)
             .build();
     }
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
@@ -23,7 +23,10 @@
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationErrorCodes;
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationException;
 
-import javax.net.ssl.*;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -35,36 +38,33 @@
 
 @AllArgsConstructor
 class ZaasHttpsClientProvider implements CloseableClientProvider {
+
     private static final int REQUEST_TIMEOUT = 30 * 1000;
 
     private final RequestConfig requestConfig;
 
     private static final Pattern KEYRING_PATTERN = Pattern.compile("^(safkeyring[^:]*):/{2,4}([^/]+)/([^/]+)$");
 
+    private ConfigProperties configProperties;
+
     private TrustManagerFactory tmf;
     private KeyManagerFactory kmf;
 
-    private final char[] keyStorePassword;
-    private final String keyStoreType;
-    private final String keyStorePath;
     private final HostnameVerifier hostnameVerifier;
 
     private final CookieStore cookieStore = new BasicCookieStore();
 
     private CloseableHttpClient httpsClient;
 
     public ZaasHttpsClientProvider(ConfigProperties configProperties) throws ZaasConfigurationException {
-        this.requestConfig = this.buildCustomRequestConfig();
-
         if (configProperties.getTrustStorePath() == null) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.TRUST_STORE_NOT_PROVIDED);
         }
+        this.configProperties = configProperties;
 
+        this.requestConfig = this.buildCustomRequestConfig();
         initializeTrustManagerFactory(configProperties.getTrustStorePath(), configProperties.getTrustStoreType(), configProperties.getTrustStorePassword());
         this.hostnameVerifier = configProperties.isNonStrictVerifySslCertificatesOfServices() ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
-        this.keyStorePath = configProperties.getKeyStorePath();
-        this.keyStorePassword = configProperties.getKeyStorePassword();
-        this.keyStoreType = configProperties.getKeyStoreType();
     }
 
     static boolean isKeyring(String input) {
@@ -114,14 +114,14 @@ private void initializeTrustManagerFactory(String trustStorePath, String trustSt
     private void initializeKeyStoreManagerFactory() throws ZaasConfigurationException {
         try {
             KeyStore keyStore;
-            if (keyStorePath != null) {
-                keyStore = getKeystore(keyStorePath, keyStoreType, keyStorePassword);
+            if (configProperties.getKeyStorePath() != null) {
+                keyStore = getKeystore(configProperties.getKeyStorePath(), configProperties.getKeyStoreType(), configProperties.getKeyStorePassword());
             } else {
                 keyStore = getEmptyKeystore();
             }
 
             kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(keyStore, keyStorePassword);
+            kmf.init(keyStore, configProperties.getKeyStorePassword());
         } catch (NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyStoreException e) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
         } catch (IOException e) {
@@ -155,14 +155,12 @@ private InputStream getCorrectInputStream(String uri) throws IOException {
 
     private SSLContext getSSLContext() throws ZaasConfigurationException {
         try {
-            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            SSLContext sslContext = SSLContext.getInstance(configProperties.getProtocol());
             sslContext.init(
                 kmf != null ? kmf.getKeyManagers() : null,
                 tmf.getTrustManagers(),
                 new SecureRandom()
             );
-            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
-            HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
             return sslContext;
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
@@ -192,4 +190,5 @@ private RequestConfig buildCustomRequestConfig() {
         builder.setConnectTimeout(REQUEST_TIMEOUT);
         return builder.build();
     }
+
 }
