Merge pull request #76 from Altinity/74-add---insecure-flag-to-skip-ssl-certificate-verification

Added support for insecure mode, where certs are trusted and host name verification is disabled.

Author: shyiko

ice/src/main/java/com/altinity/ice/cli/Main.java

@@ -81,6 +81,13 @@ public String configFile() {
       scope = CommandLine.ScopeType.INHERIT)
   private String logLevel;
 
+  @CommandLine.Option(
+      names = {"--insecure", "--ssl-no-verify"},
+      description =
+          "Skip SSL certificate verification (WARNING: insecure, use only for development)",
+      scope = CommandLine.ScopeType.INHERIT)
+  private boolean insecure;
+
   private Main() {}
 
   @CommandLine.Command(name = "check", description = "Check configuration.")
@@ -595,7 +602,19 @@ private RESTCatalog loadCatalog(String configFile) throws IOException {
       }
     }
 
-    RESTCatalog catalog = RESTCatalogFactory.create(caCrt);
+    // Command-line flag takes precedence over config file
+    // Default to true (verify SSL) unless explicitly disabled
+    boolean sslVerify = !insecure;
+    if (config.sslVerify() != null) {
+      sslVerify = config.sslVerify() && !insecure;
+    }
+
+    if (!sslVerify) {
+      logger.warn(
+          "SSL certificate verification is DISABLED. This is insecure and should only be used for development.");
+    }
+
+    RESTCatalog catalog = RESTCatalogFactory.create(caCrt, sslVerify);
     var icebergConfig = config.toIcebergConfig();
     logger.debug(
         "Iceberg configuration: {}",

ice/src/main/java/com/altinity/ice/cli/internal/config/Config.java

@@ -28,6 +28,9 @@ public record Config(
             "PEM-encoded CA bundle (use base64: prefix to pass base64-encoded value)")
         String caCrt,
     @JsonPropertyDescription("Bearer token to authorizer requests with") String bearerToken,
+    @JsonPropertyDescription(
+            "Skip SSL certificate verification (WARNING: insecure, use only for development)")
+        Boolean sslVerify,
     @JsonPropertyDescription(
             "/path/to/dir where to store downloaded files when `ice insert`ing from http:// & https://")
         String httpCacheDir,

ice/src/main/java/com/altinity/ice/cli/internal/iceberg/rest/RESTCatalogFactory.java

@@ -19,36 +19,45 @@
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.util.Collection;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
-import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
 import org.apache.hc.client5.http.ssl.HttpsSupport;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.iceberg.CatalogProperties;
 import org.apache.iceberg.catalog.SessionCatalog;
 import org.apache.iceberg.rest.HTTPClient;
 import org.apache.iceberg.rest.RESTCatalog;
 
 public class RESTCatalogFactory {
 
-  public static RESTCatalog create(byte[] caCrt) {
-    if (caCrt == null) {
+  public static RESTCatalog create(byte[] caCrt, boolean sslVerify) {
+    if (caCrt == null && sslVerify) {
       return new RESTCatalog();
     }
     SSLContext sslContext;
     try {
-      sslContext = loadCABundle(caCrt);
+      if (!sslVerify) {
+        sslContext = createInsecureSSLContext();
+      } else {
+        sslContext = loadCABundle(caCrt);
+      }
     } catch (CertificateException
         | KeyStoreException
         | IOException
         | NoSuchAlgorithmException
         | KeyManagementException e) {
       throw new RuntimeException(e);
     }
-    var tlsSocketStrategy =
-        new DefaultClientTlsStrategy(
-            sslContext, HostnameVerificationPolicy.BOTH, HttpsSupport.getDefaultHostnameVerifier());
+    HostnameVerifier hostnameVerifier =
+        sslVerify ? HttpsSupport.getDefaultHostnameVerifier() : (hostname, session) -> true;
+    TlsSocketStrategy tlsSocketStrategy =
+        new DefaultClientTlsStrategy(sslContext, hostnameVerifier);
     return new RESTCatalog(
         SessionCatalog.SessionContext.createEmpty(),
         x ->
@@ -80,4 +89,23 @@ private static SSLContext loadCABundle(byte[] caCrt)
     sslContext.init(null, tmf.getTrustManagers(), new SecureRandom());
     return sslContext;
   }
+
+  private static SSLContext createInsecureSSLContext()
+      throws NoSuchAlgorithmException, KeyManagementException {
+    TrustManager[] trustAllCerts =
+        new TrustManager[] {
+          new X509TrustManager() {
+            public X509Certificate[] getAcceptedIssuers() {
+              return new X509Certificate[0];
+            }
+
+            public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+
+            public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+          }
+        };
+    SSLContext sslContext = SSLContext.getInstance("TLS");
+    sslContext.init(null, trustAllCerts, new SecureRandom());
+    return sslContext;
+  }
 }