GH-970: Add AmqpAppender.verifyHostname option (#971)

* GH-970: Add `AmqpAppender.verifyHostname` option

Fixes #970

* Some code polishing and internal refactoring for `AmqpAppender`

**Cherry-pick to 2.1.x**

* * Fix Checkstyle violations
* Add `verifyHostname` to the Log4J `AmqpAppender`
* Document `verifyHostname` option

Author: artembilan

spring-rabbit/src/main/java/org/springframework/amqp/rabbit/log4j2/AmqpAppender.java

@@ -20,6 +20,7 @@
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
 import java.util.Calendar;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -67,6 +68,7 @@
 import org.springframework.amqp.rabbit.core.DeclareExchangeConnectionListener;
 import org.springframework.amqp.rabbit.core.RabbitAdmin;
 import org.springframework.amqp.rabbit.core.RabbitTemplate;
+import org.springframework.amqp.utils.JavaUtils;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
 import org.springframework.retry.RetryPolicy;
@@ -154,6 +156,7 @@ public static AmqpAppender createAppender(// NOSONAR NCSS line count
 			@PluginAttribute("password") String password,
 			@PluginAttribute("virtualHost") String virtualHost,
 			@PluginAttribute("useSsl") boolean useSsl,
+			@PluginAttribute("verifyHostname") boolean verifyHostname,
 			@PluginAttribute("sslAlgorithm") String sslAlgorithm,
 			@PluginAttribute("sslPropertiesLocation") String sslPropertiesLocation,
 			@PluginAttribute("keyStore") String keyStore,
@@ -197,6 +200,7 @@ public static AmqpAppender createAppender(// NOSONAR NCSS line count
 		manager.password = password;
 		manager.virtualHost = virtualHost;
 		manager.useSsl = useSsl;
+		manager.verifyHostname = verifyHostname;
 		manager.sslAlgorithm = sslAlgorithm;
 		manager.sslPropertiesLocation = sslPropertiesLocation;
 		manager.keyStore = keyStore;
@@ -327,9 +331,8 @@ private void doSend(Event event, LogEvent logEvent, MessageProperties amqpProps)
 		String routingKey;
 		try {
 			synchronized (this.layoutMutex) {
-				msgBody = new StringBuilder(new String(getLayout().toByteArray(logEvent), "UTF-8"));
-				routingKey = new String(this.manager.routingKeyLayout.toByteArray(logEvent),
-						"UTF-8");
+				msgBody = new StringBuilder(new String(getLayout().toByteArray(logEvent), StandardCharsets.UTF_8));
+				routingKey = new String(this.manager.routingKeyLayout.toByteArray(logEvent), StandardCharsets.UTF_8);
 			}
 			Message message = null;
 			if (this.manager.charset != null) {
@@ -400,6 +403,7 @@ public void run() {
 				Thread.currentThread().interrupt();
 			}
 		}
+
 	}
 
 	/**
@@ -524,6 +528,8 @@ protected static class AmqpManager extends AbstractManager {
 		 */
 		private boolean useSsl;
 
+		private boolean verifyHostname = true;
+
 		/**
 		 * The SSL algorithm to use.
 		 */
@@ -626,7 +632,7 @@ private boolean activateOptions() {
 			ConnectionFactory rabbitConnectionFactory = createRabbitConnectionFactory();
 			if (rabbitConnectionFactory != null) {
 				this.routingKeyLayout = PatternLayout.newBuilder()
-						.withPattern(this.routingKeyPattern.replaceAll("%X\\{applicationId\\}", this.applicationId))
+						.withPattern(this.routingKeyPattern.replaceAll("%X\\{applicationId}", this.applicationId))
 						.withCharset(Charset.forName(this.charset))
 						.withAlwaysWriteExceptions(false)
 						.withNoConsoleNoAnsi(true)
@@ -675,17 +681,18 @@ protected ConnectionFactory createRabbitConnectionFactory() {
 		 * @param factoryBean the {@link RabbitConnectionFactoryBean}.
 		 */
 		protected void configureRabbitConnectionFactory(RabbitConnectionFactoryBean factoryBean) {
-
-			Optional.ofNullable(this.host).ifPresent(factoryBean::setHost);
-			Optional.ofNullable(this.port).ifPresent(factoryBean::setPort);
-			Optional.ofNullable(this.username).ifPresent(factoryBean::setUsername);
-			Optional.ofNullable(this.password).ifPresent(factoryBean::setPassword);
-			Optional.ofNullable(this.virtualHost).ifPresent(factoryBean::setVirtualHost);
-			// overrides all preceding items when set
-			Optional.ofNullable(this.uri).ifPresent(factoryBean::setUri);
+			JavaUtils.INSTANCE
+					.acceptIfNotNull(this.host, factoryBean::setHost)
+					.acceptIfNotNull(this.port, factoryBean::setPort)
+					.acceptIfNotNull(this.username, factoryBean::setUsername)
+					.acceptIfNotNull(this.password, factoryBean::setPassword)
+					.acceptIfNotNull(this.virtualHost, factoryBean::setVirtualHost)
+					// overrides all preceding items when set
+					.acceptIfNotNull(this.uri, factoryBean::setUri);
 
 			if (this.useSsl) {
 				factoryBean.setUseSSL(true);
+				factoryBean.setEnableHostnameVerification(this.verifyHostname);
 				if (this.sslAlgorithm != null) {
 					factoryBean.setSslAlgorithm(this.sslAlgorithm);
 				}

spring-rabbit/src/main/java/org/springframework/amqp/rabbit/logback/AmqpAppender.java

@@ -21,7 +21,6 @@
 import java.util.Calendar;
 import java.util.Map;
 import java.util.Map.Entry;
-import java.util.Optional;
 import java.util.Set;
 import java.util.Timer;
 import java.util.TimerTask;
@@ -49,6 +48,7 @@
 import org.springframework.amqp.rabbit.core.DeclareExchangeConnectionListener;
 import org.springframework.amqp.rabbit.core.RabbitAdmin;
 import org.springframework.amqp.rabbit.core.RabbitTemplate;
+import org.springframework.amqp.utils.JavaUtils;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
 import org.springframework.util.StringUtils;
@@ -64,7 +64,7 @@
 import com.rabbitmq.client.ConnectionFactory;
 
 /**
- * A Lockback appender that publishes logging events to an AMQP Exchange.
+ * A Logback appender that publishes logging events to an AMQP Exchange.
  * <p>
  * A fully-configured AmqpAppender, with every option set to their defaults, would look like this:
  *
@@ -272,6 +272,8 @@ public class AmqpAppender extends AppenderBase<ILoggingEvent> {
 	 */
 	private String trustStoreType = "JKS";
 
+	private boolean verifyHostname = true;
+
 	/**
 	 * Default content-type of log messages.
 	 */
@@ -381,6 +383,25 @@ public void setUseSsl(boolean ssl) {
 		this.useSsl = ssl;
 	}
 
+	/**
+	 * Enable server hostname verification for TLS connections.
+	 * @param enable false to disable.
+	 * @since 2.1.6
+	 * @see RabbitConnectionFactoryBean#setEnableHostnameVerification(boolean)
+	 */
+	public void setVerifyHostname(boolean enable) {
+		this.verifyHostname = enable;
+	}
+
+	/**
+	 * Return true (default) if TLS hostname verification is enabled.
+	 * @return true (default) if TLS hostname verification is enabled.
+	 * @since 2.1.6
+	 */
+	public boolean isVerifyHostname() {
+		return this.verifyHostname;
+	}
+
 	public String getSslAlgorithm() {
 		return this.sslAlgorithm;
 	}
@@ -589,7 +610,6 @@ public void setConnectionName(String connectionName) {
 	/**
 	 * Set additional client connection properties to be added to the rabbit connection,
 	 * with the form {@code key:value[,key:value]...}.
-	 *
 	 * @param clientConnectionProperties the properties.
 	 * @since 1.5.6
 	 */
@@ -620,7 +640,7 @@ public void start() {
 		if (rabbitConnectionFactory != null) {
 			super.start();
 			this.routingKeyLayout.setPattern(this.routingKeyLayout.getPattern()
-					.replaceAll("%property\\{applicationId\\}", this.applicationId));
+					.replaceAll("%property\\{applicationId}", this.applicationId));
 			this.routingKeyLayout.setContext(getContext());
 			this.routingKeyLayout.start();
 			this.locationLayout.setContext(getContext());
@@ -645,7 +665,6 @@ public void start() {
 
 	/**
 	 * Create the {@link ConnectionFactory}.
-	 *
 	 * @return a {@link ConnectionFactory}.
 	 */
 	protected ConnectionFactory createRabbitConnectionFactory() {
@@ -664,21 +683,21 @@ protected ConnectionFactory createRabbitConnectionFactory() {
 	/**
 	 * Configure the {@link RabbitConnectionFactoryBean}. Sub-classes may override to
 	 * customize the configuration of the bean.
-	 *
 	 * @param factoryBean the {@link RabbitConnectionFactoryBean}.
 	 */
 	protected void configureRabbitConnectionFactory(RabbitConnectionFactoryBean factoryBean) {
-
-		Optional.ofNullable(this.host).ifPresent(factoryBean::setHost);
-		Optional.ofNullable(this.port).ifPresent(factoryBean::setPort);
-		Optional.ofNullable(this.username).ifPresent(factoryBean::setUsername);
-		Optional.ofNullable(this.password).ifPresent(factoryBean::setPassword);
-		Optional.ofNullable(this.virtualHost).ifPresent(factoryBean::setVirtualHost);
-		// overrides all preceding items when set
-		Optional.ofNullable(this.uri).ifPresent(factoryBean::setUri);
+		JavaUtils.INSTANCE
+				.acceptIfNotNull(this.host, factoryBean::setHost)
+				.acceptIfNotNull(this.port, factoryBean::setPort)
+				.acceptIfNotNull(this.username, factoryBean::setUsername)
+				.acceptIfNotNull(this.password, factoryBean::setPassword)
+				.acceptIfNotNull(this.virtualHost, factoryBean::setVirtualHost)
+				// overrides all preceding items when set
+				.acceptIfNotNull(this.uri, factoryBean::setUri);
 
 		if (this.useSsl) {
 			factoryBean.setUseSSL(true);
+			factoryBean.setEnableHostnameVerification(this.verifyHostname);
 			if (this.sslAlgorithm != null) {
 				factoryBean.setSslAlgorithm(this.sslAlgorithm);
 			}
@@ -708,7 +727,6 @@ protected void configureRabbitConnectionFactory(RabbitConnectionFactoryBean fact
 	/**
 	 * Subclasses can override this method to add properties to the connection client
 	 * properties.
-	 *
 	 * @param clientProperties the client properties.
 	 * @since 1.5.6
 	 */
@@ -717,7 +735,6 @@ protected void updateConnectionClientProperties(Map<String, Object> clientProper
 
 	/**
 	 * Subclasses can override this method to inject a custom queue implementation.
-	 *
 	 * @return the queue to use for queueing logging events before processing them.
 	 * @since 2.0.1
 	 */
@@ -773,7 +790,6 @@ else if ("headers".equals(this.exchangeType)) {
 
 	/**
 	 * Subclasses may modify the final message before sending.
-	 *
 	 * @param message The message.
 	 * @param event The event.
 	 * @return The modified message.
@@ -920,6 +936,7 @@ private byte[] encodeMessage(ILoggingEvent logEvent) {
 				return msgBody.getBytes(); //NOSONAR (default charset)
 			}
 		}
+
 	}
 
 	/**

spring-rabbit/src/test/java/org/springframework/amqp/rabbit/logback/AmqpAppenderTests.java

@@ -37,6 +37,7 @@
 /**
  *
  * @author Stephen Oakey
+ * @author Artem Bilan
  *
  * @since 2.0
  */
@@ -99,15 +100,17 @@ public void testDefaultSslConfiguration() {
 	public void testSslConfigurationWithAlgorithm() {
 		AmqpAppender appender = new AmqpAppender();
 		appender.setUseSsl(true);
+		appender.setVerifyHostname(false);
 		String sslAlgorithm = "TLSv2";
 		appender.setSslAlgorithm(sslAlgorithm);
 
 		RabbitConnectionFactoryBean bean = mock(RabbitConnectionFactoryBean.class);
 		appender.configureRabbitConnectionFactory(bean);
 
 		verifyDefaultHostProperties(bean);
-		verify(bean).setUseSSL(eq(true));
-		verify(bean).setSslAlgorithm(eq(sslAlgorithm));
+		verify(bean).setUseSSL(true);
+		verify(bean).setSslAlgorithm(sslAlgorithm);
+		verify(bean).setEnableHostnameVerification(false);
 	}
 
 	@Test

src/reference/asciidoc/logging.adoc

@@ -75,6 +75,11 @@ Retries are delayed as follows: `N ^ log(N)`, where `N` is the retry number.
 | Whether to use SSL for the RabbitMQ connection.
 See <<_rabbitconnectionfactorybean_and_configuring_ssl>>
 
+| verifyHostname
+| true
+| Enable server hostname verification for TLS connections.
+See <<_rabbitconnectionfactorybean_and_configuring_ssl>>
+
 | sslAlgorithm
 | null
 | The SSL algorithm to use.

src/reference/asciidoc/whats-new.adoc

@@ -112,3 +112,8 @@ A new `ImmediateRequeueAmqpException` is introduced to notify a listener contain
 To use this feature, a new `ImmediateRequeueMessageRecoverer` implementation is added.
 
 See <<async-listeners>> for more information.
+
+===== AMQP Logging Appenders Changes
+
+The Log4J and Logback `AmqpAppender` s now support a `verifyHostname` SSL option.
+See <<logging>> for more information.