Support retrieving token on HTTPS

Author: acogoluegnes

pom.xml

@@ -55,6 +55,7 @@
         <micrometer-docs-generator.version>1.0.4</micrometer-docs-generator.version>
         <jose4j.version>0.9.6</jose4j.version>
         <commons-lang3.version>3.17.0</commons-lang3.version>
+        <bouncycastle.version>1.79</bouncycastle.version>
         <maven.compiler.plugin.version>3.13.0</maven.compiler.plugin.version>
         <maven.dependency.plugin.version>3.8.1</maven.dependency.plugin.version>
         <maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>
@@ -255,6 +256,14 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
             <version>${commons-lang3.version}</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>${bouncycastle.version}</version>
+            <scope>test</scope>
         </dependency>
 
     </dependencies>

src/main/java/com/rabbitmq/client/amqp/OAuthSettings.java

@@ -17,6 +17,8 @@
 // [email protected].
 package com.rabbitmq.client.amqp;
 
+import javax.net.ssl.SSLContext;
+
 public interface OAuthSettings<T> {
 
   OAuthSettings<T> tokenEndpointUri(String uri);
@@ -31,5 +33,14 @@ public interface OAuthSettings<T> {
 
   OAuthSettings<T> shared(boolean shared);
 
+  TlsSettings<? extends T> tls();
+
   T connection();
+
+  interface TlsSettings<T> {
+
+    TlsSettings<T> sslContext(SSLContext sslContext);
+
+    OAuthSettings<T> oauth();
+  }
 }

src/main/java/com/rabbitmq/client/amqp/impl/CredentialsFactory.java

@@ -21,8 +21,10 @@
 import com.rabbitmq.client.amqp.UsernamePasswordCredentialsProvider;
 import com.rabbitmq.client.amqp.oauth.GsonTokenParser;
 import com.rabbitmq.client.amqp.oauth.HttpTokenRequester;
+import java.net.http.HttpClient;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
+import java.util.function.Consumer;
 
 final class CredentialsFactory {
 
@@ -74,18 +76,20 @@ private Credentials globalOAuthCredentials(DefaultConnectionSettings<?> connecti
 
   private Credentials createOAuthCredentials(DefaultConnectionSettings<?> connectionSettings) {
     DefaultConnectionSettings.DefaultOAuthSettings<?> settings = connectionSettings.oauth();
-    // TODO set TLS configuration on TLS requester
-    // TODO use pre-configured token requester if any
+    Consumer<HttpClient.Builder> clientBuilderConsumer;
+    if (settings.tlsEnabled()) {
+      clientBuilderConsumer = b -> b.sslContext(settings.tls().sslContext());
+    } else {
+      clientBuilderConsumer = ignored -> {};
+    }
     HttpTokenRequester tokenRequester =
         new HttpTokenRequester(
             settings.tokenEndpointUri(),
             settings.clientId(),
             settings.clientSecret(),
             settings.grantType(),
             settings.parameters(),
-            null,
-            null,
-            null,
+            clientBuilderConsumer,
             null,
             new GsonTokenParser());
     return new TokenCredentials(tokenRequester, environment.scheduledExecutorService());

src/main/java/com/rabbitmq/client/amqp/impl/DefaultConnectionSettings.java

@@ -224,7 +224,7 @@ void copyTo(DefaultConnectionSettings<?> copy) {
     this.affinity.copyTo(copy.affinity);
 
     if (this.oAuthSettings.enabled()) {
-      this.oAuthSettings.copyTo((DefaultOAuthSettings<?>) copy.oauth());
+      this.oAuthSettings.copyTo(copy.oauth());
     }
   }
 
@@ -502,6 +502,7 @@ void validate() {
   static class DefaultOAuthSettings<T> implements OAuthSettings<T> {
 
     private final DefaultConnectionSettings<T> connectionSettings;
+    private final DefaultOAuthTlsSettings<T> tls = new DefaultOAuthTlsSettings<>(this);
     private final Map<String, String> parameters = new HashMap<>();
     private String tokenEndpointUri;
     private String clientId;
@@ -554,6 +555,12 @@ public OAuthSettings<T> shared(boolean shared) {
       return this;
     }
 
+    @Override
+    public DefaultOAuthTlsSettings<? extends T> tls() {
+      this.tls.enable();
+      return this.tls;
+    }
+
     @Override
     public T connection() {
       return this.connectionSettings.toReturn();
@@ -566,6 +573,9 @@ void copyTo(DefaultOAuthSettings<?> copy) {
       copy.grantType(this.grantType);
       copy.shared(this.shared);
       this.parameters.forEach(copy::parameter);
+      if (this.tls.enabled()) {
+        this.tls.copyTo(copy.tls());
+      }
     }
 
     String tokenEndpointUri() {
@@ -595,5 +605,48 @@ boolean shared() {
     boolean enabled() {
       return this.tokenEndpointUri != null;
     }
+
+    boolean tlsEnabled() {
+      return this.tls.enabled();
+    }
+  }
+
+  static class DefaultOAuthTlsSettings<T> implements OAuthSettings.TlsSettings<T> {
+
+    private final OAuthSettings<T> oAuthSettings;
+    private SSLContext sslContext;
+    private boolean enabled = false;
+
+    DefaultOAuthTlsSettings(OAuthSettings<T> oAuthSettings) {
+      this.oAuthSettings = oAuthSettings;
+    }
+
+    @Override
+    public OAuthSettings.TlsSettings<T> sslContext(SSLContext sslContext) {
+      this.sslContext = sslContext;
+      return this;
+    }
+
+    @Override
+    public OAuthSettings<T> oauth() {
+      return this.oAuthSettings;
+    }
+
+    void enable() {
+      this.enabled = true;
+    }
+
+    boolean enabled() {
+      return this.enabled;
+    }
+
+    SSLContext sslContext() {
+      return this.sslContext;
+    }
+
+    void copyTo(DefaultOAuthTlsSettings<?> copy) {
+      copy.enabled = this.enabled;
+      copy.sslContext(this.sslContext);
+    }
   }
 }

src/main/java/com/rabbitmq/client/amqp/oauth/HttpTokenRequester.java

@@ -30,8 +30,6 @@
 import java.util.Base64;
 import java.util.Map;
 import java.util.function.Consumer;
-import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.SSLSocketFactory;
 
 public final class HttpTokenRequester implements TokenRequester {
 
@@ -45,9 +43,6 @@ public final class HttpTokenRequester implements TokenRequester {
 
   private final Map<String, String> parameters;
 
-  private final HostnameVerifier hostnameVerifier;
-  private final SSLSocketFactory sslSocketFactory;
-
   private final HttpClient client;
   private final Consumer<HttpRequest.Builder> requestBuilderConsumer;
 
@@ -59,8 +54,6 @@ public HttpTokenRequester(
       String clientSecret,
       String grantType,
       Map<String, String> parameters,
-      HostnameVerifier hostnameVerifier,
-      SSLSocketFactory sslSocketFactory,
       Consumer<HttpClient.Builder> clientBuilderConsumer,
       Consumer<HttpRequest.Builder> requestBuilderConsumer,
       TokenParser parser) {
@@ -73,8 +66,6 @@ public HttpTokenRequester(
     this.clientSecret = clientSecret;
     this.grantType = grantType;
     this.parameters = Map.copyOf(parameters);
-    this.hostnameVerifier = hostnameVerifier;
-    this.sslSocketFactory = sslSocketFactory;
     this.parser = parser;
     if (requestBuilderConsumer == null) {
       this.requestBuilderConsumer =

src/test/java/com/rabbitmq/client/amqp/impl/HttpTestUtils.java

@@ -19,18 +19,91 @@
 
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
+import java.math.BigInteger;
 import java.net.InetSocketAddress;
+import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.spec.ECGenParameterSpec;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import org.bouncycastle.asn1.x500.X500NameBuilder;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
 public final class HttpTestUtils {
 
+  private static final char[] KEY_STORE_PASSWORD = "password".toCharArray();
+
   private HttpTestUtils() {}
 
-  public static HttpServer startHttpServer(int port, String path, HttpHandler handler)
-      throws Exception {
-    com.sun.net.httpserver.HttpServer server =
-        com.sun.net.httpserver.HttpServer.create(new InetSocketAddress(port), 0);
-    server.createContext(path, handler);
-    server.start();
-    return server;
+  public static HttpServer startServer(int port, String path, HttpHandler handler) {
+    return startServer(port, path, null, handler);
+  }
+
+  public static HttpServer startServer(
+      int port, String path, KeyStore keyStore, HttpHandler handler) {
+    HttpServer server;
+    try {
+      if (keyStore != null) {
+        KeyManagerFactory keyManagerFactory =
+            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        keyManagerFactory.init(keyStore, KEY_STORE_PASSWORD);
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
+        server = HttpsServer.create(new InetSocketAddress(port), 0);
+        ((HttpsServer) server).setHttpsConfigurator(new HttpsConfigurator(sslContext));
+      } else {
+        server = HttpServer.create(new InetSocketAddress(port), 0);
+      }
+      server.createContext(path, handler);
+      server.start();
+      return server;
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
+  }
+
+  public static KeyStore generateKeyPair() {
+    try {
+      KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+      keyStore.load(null, KEY_STORE_PASSWORD);
+
+      KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
+      ECGenParameterSpec spec = new ECGenParameterSpec("secp521r1");
+      kpg.initialize(spec);
+
+      KeyPair kp = kpg.generateKeyPair();
+
+      JcaX509v3CertificateBuilder certificateBuilder =
+          new JcaX509v3CertificateBuilder(
+              new X500NameBuilder().addRDN(BCStyle.CN, "localhost").build(),
+              BigInteger.valueOf(new SecureRandom().nextInt()),
+              Date.from(Instant.now().minus(10, ChronoUnit.DAYS)),
+              Date.from(Instant.now().plus(10, ChronoUnit.DAYS)),
+              new X500NameBuilder().addRDN(BCStyle.CN, "localhost").build(),
+              kp.getPublic());
+
+      X509CertificateHolder certificateHolder =
+          certificateBuilder.build(
+              new JcaContentSignerBuilder("SHA512withECDSA").build(kp.getPrivate()));
+
+      X509Certificate certificate =
+          new JcaX509CertificateConverter().getCertificate(certificateHolder);
+
+      keyStore.setKeyEntry(
+          "default", kp.getPrivate(), KEY_STORE_PASSWORD, new Certificate[] {certificate});
+      return keyStore;
+    } catch (Exception e) {
+      throw new RuntimeException(e);
+    }
   }
 }