access to default client config trust store via new config provider

Adds new FhirClientConfigProvider to the API with access to client
configs (moved from FhirClientProvider), the default client config trust
store and a method to create a SSLContext based on the default trust
store.
New integration test for config provider.

Author: hhund

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/ProcessPluginApiImpl.java

@@ -12,6 +12,7 @@
 import dev.dsf.bpe.v2.service.DataLogger;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.EndpointProvider;
+import dev.dsf.bpe.v2.service.FhirClientConfigProvider;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
 import dev.dsf.bpe.v2.service.MailService;
 import dev.dsf.bpe.v2.service.MimeTypeService;
@@ -30,6 +31,7 @@ public class ProcessPluginApiImpl implements ProcessPluginApi, InitializingBean
 	private final FhirContext fhirContext;
 	private final DsfClientProvider dsfClientProvider;
 	private final FhirClientProvider fhirClientProvider;
+	private final FhirClientConfigProvider fhirClientConfigProvider;
 	private final OidcClientProvider oidcClientProvider;
 	private final MailService mailService;
 	private final MimeTypeService mimeTypeService;
@@ -45,9 +47,9 @@ public class ProcessPluginApiImpl implements ProcessPluginApi, InitializingBean
 
 	public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointProvider, FhirContext fhirContext,
 			DsfClientProvider dsfClientProvider, FhirClientProvider fhirClientProvider,
-			OidcClientProvider oidcClientProvider, MailService mailService, MimeTypeService mimeTypeService,
-			ObjectMapper objectMapper, OrganizationProvider organizationProvider,
-			ProcessAuthorizationHelper processAuthorizationHelper,
+			FhirClientConfigProvider fhirClientConfigProvider, OidcClientProvider oidcClientProvider,
+			MailService mailService, MimeTypeService mimeTypeService, ObjectMapper objectMapper,
+			OrganizationProvider organizationProvider, ProcessAuthorizationHelper processAuthorizationHelper,
 			QuestionnaireResponseHelper questionnaireResponseHelper, ReadAccessHelper readAccessHelper,
 			TaskHelper taskHelper, CryptoService cryptoService, TargetProvider targetProvider, DataLogger dataLogger)
 	{
@@ -56,6 +58,7 @@ public ProcessPluginApiImpl(ProxyConfig proxyConfig, EndpointProvider endpointPr
 		this.fhirContext = fhirContext;
 		this.dsfClientProvider = dsfClientProvider;
 		this.fhirClientProvider = fhirClientProvider;
+		this.fhirClientConfigProvider = fhirClientConfigProvider;
 		this.oidcClientProvider = oidcClientProvider;
 		this.mailService = mailService;
 		this.mimeTypeService = mimeTypeService;
@@ -78,6 +81,7 @@ public void afterPropertiesSet() throws Exception
 		Objects.requireNonNull(fhirContext, "fhirContext");
 		Objects.requireNonNull(dsfClientProvider, "dsfClientProvider");
 		Objects.requireNonNull(fhirClientProvider, "fhirClientProvider");
+		Objects.requireNonNull(fhirClientConfigProvider, "fhirClientConfigProvider");
 		Objects.requireNonNull(oidcClientProvider, "oidcClientProvider");
 		Objects.requireNonNull(mailService, "mailService");
 		Objects.requireNonNull(mimeTypeService, "mimeTypeService");
@@ -122,6 +126,12 @@ public FhirClientProvider getFhirClientProvider()
 		return fhirClientProvider;
 	}
 
+	@Override
+	public FhirClientConfigProvider getFhirClientConfigProvider()
+	{
+		return fhirClientConfigProvider;
+	}
+
 	@Override
 	public OidcClientProvider getOidcClientProvider()
 	{

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientConfigProviderImpl.java

@@ -0,0 +1,89 @@
+package dev.dsf.bpe.v2.service;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
+import javax.net.ssl.SSLContext;
+
+import org.springframework.beans.factory.InitializingBean;
+
+import de.hsheilbronn.mi.utils.crypto.context.SSLContextFactory;
+import dev.dsf.bpe.v2.client.fhir.ClientConfig;
+import dev.dsf.bpe.v2.client.fhir.ClientConfigs;
+
+public class FhirClientConfigProviderImpl implements FhirClientConfigProvider, InitializingBean
+{
+	private final Map<String, ClientConfig> clientConfigsByFhirServerId = new HashMap<>();
+	private final KeyStore defaultTrustStore;
+
+	public FhirClientConfigProviderImpl(KeyStore defaultTrustStore, ClientConfigs clientConfigs)
+	{
+		this.defaultTrustStore = defaultTrustStore;
+
+		if (clientConfigs != null)
+			clientConfigsByFhirServerId.putAll(clientConfigs.getConfigs().stream()
+					.collect(Collectors.toMap(ClientConfig::getFhirServerId, Function.identity())));
+	}
+
+	@Override
+	public void afterPropertiesSet() throws Exception
+	{
+		Objects.requireNonNull(defaultTrustStore, "defaultTrustStore");
+	}
+
+	@Override
+	public SSLContext createDefaultSslContext()
+	{
+		try
+		{
+			return SSLContextFactory.createSSLContext(defaultTrustStore);
+		}
+		catch (UnrecoverableKeyException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	@Override
+	public KeyStore createDefaultTrustStore()
+	{
+		try
+		{
+			char[] password = UUID.randomUUID().toString().toCharArray();
+			ByteArrayOutputStream out = new ByteArrayOutputStream();
+			defaultTrustStore.store(out, password);
+
+			KeyStore store = KeyStore.getInstance(defaultTrustStore.getType(), defaultTrustStore.getProvider());
+			store.load(new ByteArrayInputStream(out.toByteArray()), password);
+
+			return store;
+		}
+		catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e)
+		{
+			throw new RuntimeException(e);
+		}
+	}
+
+	@Override
+	public Optional<ClientConfig> getClientConfig(String fhirServerId)
+	{
+		if (fhirServerId == null || fhirServerId.isBlank())
+			return Optional.empty();
+
+		return Optional.ofNullable(clientConfigsByFhirServerId.get(fhirServerId));
+	}
+}

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientProviderWithEndpointSupport.java renamed to dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientConfigProviderWithEndpointSupport.java

@@ -2,43 +2,36 @@
 
 import java.security.KeyStore;
 import java.time.Duration;
-import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Function;
 
-import org.springframework.beans.factory.InitializingBean;
+import javax.net.ssl.SSLContext;
 
-import ca.uhn.fhir.rest.client.api.IGenericClient;
 import dev.dsf.bpe.api.config.FhirClientConfig;
 import dev.dsf.bpe.v2.client.fhir.ClientConfig;
 
-public class FhirClientProviderWithEndpointSupport implements FhirClientProvider, InitializingBean
+public class FhirClientConfigProviderWithEndpointSupport implements FhirClientConfigProvider
 {
 	private final EndpointProvider endpointProvider;
-	private final FhirClientProviderImpl delegate;
+	private final FhirClientConfigProvider delegate;
 
-	public FhirClientProviderWithEndpointSupport(EndpointProvider endpointProvider, FhirClientProviderImpl delegate)
+	public FhirClientConfigProviderWithEndpointSupport(EndpointProvider endpointProvider,
+			FhirClientConfigProvider delegate)
 	{
 		this.endpointProvider = endpointProvider;
 		this.delegate = delegate;
 	}
 
 	@Override
-	public void afterPropertiesSet() throws Exception
+	public SSLContext createDefaultSslContext()
 	{
-		Objects.requireNonNull(endpointProvider, "endpointProvider");
-		Objects.requireNonNull(delegate, "delegate");
+		return delegate.createDefaultSslContext();
 	}
 
 	@Override
-	public Optional<IGenericClient> getClient(String fhirServerId)
+	public KeyStore createDefaultTrustStore()
 	{
-		if (fhirServerId == null || fhirServerId.isBlank())
-			return Optional.empty();
-		else if (fhirServerId.startsWith("#"))
-			return getClientConfig(fhirServerId).flatMap(delegate::getClient);
-		else
-			return delegate.getClient(fhirServerId);
+		return delegate.createDefaultTrustStore();
 	}
 
 	@Override

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/service/FhirClientProviderImpl.java

@@ -4,15 +4,12 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
-import java.util.function.Function;
-import java.util.stream.Collectors;
 
 import org.springframework.beans.factory.InitializingBean;
 
 import ca.uhn.fhir.context.FhirContext;
 import ca.uhn.fhir.rest.client.api.IGenericClient;
 import dev.dsf.bpe.v2.client.fhir.ClientConfig;
-import dev.dsf.bpe.v2.client.fhir.ClientConfigs;
 import dev.dsf.bpe.v2.client.fhir.FhirClientFactory;
 import dev.dsf.bpe.v2.config.ProxyConfig;
 
@@ -22,8 +19,8 @@ public class FhirClientProviderImpl implements FhirClientProvider, InitializingB
 	private final ProxyConfig proxyConfig;
 	private final OidcClientProvider oidcClientProvider;
 	private final String userAgent;
+	private final FhirClientConfigProvider configProvider;
 
-	private final Map<String, ClientConfig> clientConfigsByFhirServerId = new HashMap<>();
 	private final Map<String, FhirClientFactory> clientFactoriesByFhirServerId = new HashMap<>();
 
 	/**
@@ -35,20 +32,17 @@ public class FhirClientProviderImpl implements FhirClientProvider, InitializingB
 	 *            not <code>null</code>
 	 * @param userAgent
 	 *            not <code>null</code>
-	 * @param clientConfigs
-	 *            may be <code>null</code>
+	 * @param configProvider
+	 *            not <code>null</code>
 	 */
 	public FhirClientProviderImpl(FhirContext fhirContext, ProxyConfig proxyConfig,
-			OidcClientProvider oidcClientProvider, String userAgent, ClientConfigs clientConfigs)
+			OidcClientProvider oidcClientProvider, String userAgent, FhirClientConfigProvider configProvider)
 	{
 		this.fhirContext = fhirContext;
 		this.proxyConfig = proxyConfig;
 		this.oidcClientProvider = oidcClientProvider;
 		this.userAgent = userAgent;
-
-		if (clientConfigs != null)
-			clientConfigsByFhirServerId.putAll(clientConfigs.getConfigs().stream()
-					.collect(Collectors.toMap(ClientConfig::getFhirServerId, Function.identity())));
+		this.configProvider = configProvider;
 	}
 
 	@Override
@@ -58,6 +52,7 @@ public void afterPropertiesSet() throws Exception
 		Objects.requireNonNull(proxyConfig, "proxyConfig");
 		Objects.requireNonNull(oidcClientProvider, "oidcClientProvider");
 		Objects.requireNonNull(userAgent, "userAgent");
+		Objects.requireNonNull(configProvider, "configProvider");
 	}
 
 	protected Optional<IGenericClient> getClient(ClientConfig clientConfig)
@@ -82,16 +77,7 @@ protected Optional<IGenericClient> getClient(ClientConfig clientConfig)
 	@Override
 	public Optional<IGenericClient> getClient(String fhirServerId)
 	{
-		return getClientConfig(fhirServerId).flatMap(this::getClient);
-	}
-
-	@Override
-	public Optional<ClientConfig> getClientConfig(String fhirServerId)
-	{
-		if (fhirServerId == null || fhirServerId.isBlank())
-			return Optional.empty();
-
-		return Optional.ofNullable(clientConfigsByFhirServerId.get(fhirServerId));
+		return configProvider.getClientConfig(fhirServerId).flatMap(this::getClient);
 	}
 
 	protected FhirClientFactory createClientFactory(ClientConfig config)

dsf-bpe/dsf-bpe-process-api-v2-impl/src/main/java/dev/dsf/bpe/v2/spring/ApiServiceConfig.java

@@ -45,9 +45,11 @@
 import dev.dsf.bpe.v2.service.DsfClientProviderImpl;
 import dev.dsf.bpe.v2.service.EndpointProvider;
 import dev.dsf.bpe.v2.service.EndpointProviderImpl;
+import dev.dsf.bpe.v2.service.FhirClientConfigProvider;
+import dev.dsf.bpe.v2.service.FhirClientConfigProviderImpl;
+import dev.dsf.bpe.v2.service.FhirClientConfigProviderWithEndpointSupport;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
 import dev.dsf.bpe.v2.service.FhirClientProviderImpl;
-import dev.dsf.bpe.v2.service.FhirClientProviderWithEndpointSupport;
 import dev.dsf.bpe.v2.service.MailService;
 import dev.dsf.bpe.v2.service.MailServiceDelegate;
 import dev.dsf.bpe.v2.service.MimeTypeService;
@@ -101,9 +103,10 @@ public class ApiServiceConfig
 	public ProcessPluginApi processPluginApiV2()
 	{
 		return new ProcessPluginApiImpl(proxyConfigDelegate(), endpointProvider(), fhirContext(), dsfClientProvider(),
-				fhirClientProvider(), oidcClientProvider(), mailService(), mimeTypeService(), objectMapper(),
-				organizationProvider(), processAuthorizationHelper(), questionnaireResponseHelper(), readAccessHelper(),
-				taskHelper(), cryptoService(), targetProvider(), dataLogger());
+				fhirClientProvider(), fhirClientConfigProvider(), oidcClientProvider(), mailService(),
+				mimeTypeService(), objectMapper(), organizationProvider(), processAuthorizationHelper(),
+				questionnaireResponseHelper(), readAccessHelper(), taskHelper(), cryptoService(), targetProvider(),
+				dataLogger());
 	}
 
 	@Bean
@@ -144,9 +147,15 @@ public DsfClientProvider dsfClientProvider()
 	@Bean
 	public FhirClientProvider fhirClientProvider()
 	{
-		return new FhirClientProviderWithEndpointSupport(endpointProvider(),
-				new FhirClientProviderImpl(fhirContext(), proxyConfigDelegate(), oidcClientProvider(),
-						buildInfoProvider.getUserAgentValue(), clientConfigsDelegate()));
+		return new FhirClientProviderImpl(fhirContext(), proxyConfigDelegate(), oidcClientProvider(),
+				buildInfoProvider.getUserAgentValue(), fhirClientConfigProvider());
+	}
+
+	@Bean
+	public FhirClientConfigProvider fhirClientConfigProvider()
+	{
+		return new FhirClientConfigProviderWithEndpointSupport(endpointProvider(),
+				new FhirClientConfigProviderImpl(fhirClientConfigs.defaultTrustStore(), clientConfigsDelegate()));
 	}
 
 	@Bean

dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/ProcessPluginApi.java

@@ -11,6 +11,7 @@
 import dev.dsf.bpe.v2.service.DataLogger;
 import dev.dsf.bpe.v2.service.DsfClientProvider;
 import dev.dsf.bpe.v2.service.EndpointProvider;
+import dev.dsf.bpe.v2.service.FhirClientConfigProvider;
 import dev.dsf.bpe.v2.service.FhirClientProvider;
 import dev.dsf.bpe.v2.service.MailService;
 import dev.dsf.bpe.v2.service.MimeTypeService;
@@ -41,6 +42,8 @@ public interface ProcessPluginApi
 
 	FhirClientProvider getFhirClientProvider();
 
+	FhirClientConfigProvider getFhirClientConfigProvider();
+
 	OidcClientProvider getOidcClientProvider();
 
 	MailService getMailService();

dsf-bpe/dsf-bpe-process-api-v2/src/main/java/dev/dsf/bpe/v2/service/FhirClientConfigProvider.java

@@ -0,0 +1,50 @@
+package dev.dsf.bpe.v2.service;
+
+import java.security.KeyStore;
+import java.util.Optional;
+
+import javax.net.ssl.SSLContext;
+
+import org.hl7.fhir.r4.model.Endpoint;
+
+import dev.dsf.bpe.v2.client.fhir.ClientConfig;
+import dev.dsf.bpe.v2.constants.NamingSystems;
+
+/**
+ * Provides connection configurations for YAML configured (non DSF) FHIR servers and DSF FHIR servers, as well as access
+ * to the default certificate trust store for FHIR connections configured via the DSF BPE property
+ * `dev.dsf.bpe.fhir.client.connections.config.default.trust.server.certificate.cas` as default for the YAML properties
+ * `trusted-root-certificates-file` and `oidc-auth.trusted-root-certificates-file`
+ */
+public interface FhirClientConfigProvider
+{
+	/**
+	 * @return new {@link SSLContext} configured with {@link #createDefaultTrustStore()}
+	 * @implNote Every call to this method creates a new {@link SSLContext} object
+	 */
+	SSLContext createDefaultSslContext();
+
+	/**
+	 * @return copy of default certificate trust store configured via the DSF BPE config property
+	 *         `dev.dsf.bpe.fhir.client.connections.config.default.trust.server.certificate.cas`
+	 * @implNote Every call to this method creates a new {@link KeyStore} object
+	 */
+	KeyStore createDefaultTrustStore();
+
+	/**
+	 * FHIR client config for a FHIR server configured via YAML with the given <b>fhirServerId</b>.<br>
+	 * <br>
+	 * Use <code>#local</code> as the <b>fhirServerId</b> for a connection configuration to the local DSF FHIR
+	 * server.<br>
+	 * Use <code>#&lt;value></code> as the <b>fhirServerId</b> for a connection configuration to a DSF FHIR server with
+	 * an active {@link Endpoint} resource and the given <b>fhirServerId</b> as the
+	 * {@value NamingSystems.EndpointIdentifier#SID} value (ignoring the {@literal #} character).
+	 *
+	 * @param fhirServerId
+	 *            may be <code>null</code>
+	 * @return never <code>null</code>, {@link Optional#empty()} if no client is configured for the given
+	 *         <b>fhirServerId</b>
+	 * @see DsfClientProvider
+	 */
+	Optional<ClientConfig> getClientConfig(String fhirServerId);
+}