fix: Fix SSL Context switching (#3531)

pavel-jares-bcm · web-flow · commit e7575f6193e8 · 2024-05-06T13:50:32.000+02:00
diff --git a/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java b/integration-tests/src/test/java/org/zowe/apiml/util/config/ConfigReaderZaasClient.java
@@ -18,21 +18,19 @@
 public class ConfigReaderZaasClient {
 
         public static ConfigProperties getConfigProperties() {
-
-            ConfigProperties configProperties = new ConfigProperties();
-
-
-            configProperties.setApimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost());
-            configProperties.setApimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "");
-            configProperties.setApimlBaseUrl(ROUTED_AUTH);
-            configProperties.setKeyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore());
-            configProperties.setKeyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword());
-            configProperties.setKeyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType());
-            configProperties.setTrustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore());
-            configProperties.setTrustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword());
-            configProperties.setTrustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType());
-            configProperties.setNonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices());
-            return configProperties;
+            return ConfigProperties.builder()
+                .apimlHost(environmentConfiguration().getGatewayServiceConfiguration().getHost())
+                .apimlPort(environmentConfiguration().getGatewayServiceConfiguration().getPort() + "")
+                .apimlBaseUrl(ROUTED_AUTH)
+                .keyStorePath(environmentConfiguration().getTlsConfiguration().getKeyStore())
+                .keyStorePassword(environmentConfiguration().getTlsConfiguration().getKeyStorePassword())
+                .keyStoreType(environmentConfiguration().getTlsConfiguration().getKeyStoreType())
+                .trustStorePath(environmentConfiguration().getTlsConfiguration().getTrustStore())
+                .trustStorePassword(environmentConfiguration().getTlsConfiguration().getTrustStorePassword())
+                .trustStoreType(environmentConfiguration().getTlsConfiguration().getTrustStoreType())
+                .nonStrictVerifySslCertificatesOfServices(environmentConfiguration().getTlsConfiguration().isNonStrictVerifySslCertificatesOfServices())
+                .build();
         }
+
 }
 
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/config/ConfigProperties.java
@@ -29,6 +29,8 @@ public class ConfigProperties {
     private char[] trustStorePassword;
     private boolean httpOnly;
     private boolean nonStrictVerifySslCertificatesOfServices;
+    @Builder.Default
+    private String protocol = "TLS";
 
     @SuppressWarnings("squid:S1075")
     private static final String OLD_PATH_FORMAT = "/api/v1/gateway";
@@ -41,6 +43,7 @@ public class ConfigProperties {
     @Tolerate
     public ConfigProperties() {
         // lombok Builder.Default bug workaround
+        this.protocol = "TLS";
         this.tokenPrefix = "apimlAuthenticationToken";
     }
 
@@ -54,6 +57,7 @@ public ConfigProperties withoutKeyStore() {
             .trustStorePassword(trustStorePassword)
             .httpOnly(httpOnly)
             .nonStrictVerifySslCertificatesOfServices(nonStrictVerifySslCertificatesOfServices)
+            .protocol(protocol)
             .tokenPrefix(tokenPrefix)
             .build();
     }
diff --git a/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java b/zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java
@@ -19,29 +19,22 @@
 import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
-import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.client5.http.ssl.HttpsSupport;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.util.Timeout;
 import org.zowe.apiml.zaasclient.config.ConfigProperties;
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationErrorCodes;
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationException;
 
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
-import java.security.UnrecoverableKeyException;
+import java.security.*;
 import java.security.cert.CertificateException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -50,30 +43,29 @@
 class ZaasHttpsClientProvider implements CloseableClientProvider {
     private static final int REQUEST_TIMEOUT = 30 * 1000;
 
-
     private static final Pattern KEYRING_PATTERN = Pattern.compile("^(safkeyring[^:]*):/{2,4}([^/]+)/([^/]+)$");
 
+    private ConfigProperties configProperties;
+
     private TrustManagerFactory tmf;
     private KeyManagerFactory kmf;
 
     private final char[] keyStorePassword;
     private final String keyStoreType;
     private final String keyStorePath;
-    private final HostnameVerifier hostnameVerifier;
 
     private final CookieStore cookieStore = new BasicCookieStore();
 
     private CloseableHttpClient httpsClient;
 
     public ZaasHttpsClientProvider(ConfigProperties configProperties) throws ZaasConfigurationException {
-
-
         if (configProperties.getTrustStorePath() == null) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.TRUST_STORE_NOT_PROVIDED);
         }
 
+        this.configProperties = configProperties;
+
         initializeTrustManagerFactory(configProperties.getTrustStorePath(), configProperties.getTrustStoreType(), configProperties.getTrustStorePassword());
-        this.hostnameVerifier = configProperties.isNonStrictVerifySslCertificatesOfServices() ? new NoopHostnameVerifier() : new DefaultHostnameVerifier();
         this.keyStorePath = configProperties.getKeyStorePath();
         this.keyStorePassword = configProperties.getKeyStorePassword();
         this.keyStoreType = configProperties.getKeyStoreType();
@@ -104,7 +96,10 @@ public synchronized CloseableHttpClient getHttpClient() throws ZaasConfiguration
             if (kmf == null) {
                 initializeKeyStoreManagerFactory();
             }
-            var manager = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(new SSLConnectionSocketFactory(getSSLContext())).build();
+            var hostnameVerifier = configProperties.isNonStrictVerifySslCertificatesOfServices() ?
+                new NoopHostnameVerifier() : HttpsSupport.getDefaultHostnameVerifier();
+            var sslConnectionSocketFactory = new SSLConnectionSocketFactory(getSSLContext(), hostnameVerifier);
+            var manager = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(sslConnectionSocketFactory).build();
 
             httpsClient = createSecureHttpClient(manager).build();
         }
@@ -169,14 +164,12 @@ private InputStream getCorrectInputStream(String uri) throws IOException {
 
     private SSLContext getSSLContext() throws ZaasConfigurationException {
         try {
-            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+            SSLContext sslContext = SSLContext.getInstance(configProperties.getProtocol());
             sslContext.init(
                 kmf != null ? kmf.getKeyManagers() : null,
                 tmf.getTrustManagers(),
                 new SecureRandom()
             );
-            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
-            HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
             return sslContext;
         } catch (NoSuchAlgorithmException | KeyManagementException e) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
@@ -197,7 +190,6 @@ public HttpClientBuilder createSecureHttpClient(PoolingHttpClientConnectionManag
             .evictExpiredConnections()
             .evictIdleConnections(Timeout.ofSeconds(REQUEST_TIMEOUT))
             .disableAuthCaching();
-
     }
 
 }
