Add SSL support to auto-configuration for Rabbit Streams

Closes gh-43932

Signed-off-by: Jay Choi <jayyoungchoi22@gmail.com>

Author: jayychoi

module/spring-boot-amqp/src/main/java/org/springframework/boot/amqp/autoconfigure/RabbitProperties.java

@@ -52,6 +52,7 @@
  * @author Scott Frederick
  * @author Lasse Wulff
  * @author Yanming Zhou
+ * @author Jay Choi
  * @since 4.0.0
  */
 @ConfigurationProperties("spring.rabbitmq")
@@ -1311,6 +1312,8 @@ public static final class Stream {
 		 */
 		private @Nullable String name;
 
+		private final StreamSsl ssl = new StreamSsl();
+
 		public String getHost() {
 			return this.host;
 		}
@@ -1359,6 +1362,41 @@ public void setName(@Nullable String name) {
 			this.name = name;
 		}
 
+		public StreamSsl getSsl() {
+			return this.ssl;
+		}
+
+		public static class StreamSsl {
+
+			/**
+			 * Whether to enable SSL support. Enabled automatically if "bundle" is
+			 * provided.
+			 */
+			private @Nullable Boolean enabled;
+
+			/**
+			 * SSL bundle name.
+			 */
+			private @Nullable String bundle;
+
+			public boolean isEnabled() {
+				return (this.enabled != null) ? this.enabled : this.bundle != null;
+			}
+
+			public void setEnabled(@Nullable Boolean enabled) {
+				this.enabled = enabled;
+			}
+
+			public @Nullable String getBundle() {
+				return this.bundle;
+			}
+
+			public void setBundle(@Nullable String bundle) {
+				this.bundle = bundle;
+			}
+
+		}
+
 	}
 
 }

module/spring-boot-amqp/src/main/java/org/springframework/boot/amqp/autoconfigure/RabbitStreamConfiguration.java

@@ -16,8 +16,13 @@
 
 package org.springframework.boot.amqp.autoconfigure;
 
+import javax.net.ssl.SSLException;
+
 import com.rabbitmq.stream.Environment;
 import com.rabbitmq.stream.EnvironmentBuilder;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.amqp.rabbit.config.ContainerCustomizer;
 import org.springframework.amqp.support.converter.MessageConverter;
@@ -27,6 +32,10 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.ssl.SslManagerBundle;
+import org.springframework.boot.ssl.SslOptions;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.rabbit.stream.config.StreamRabbitListenerContainerFactory;
@@ -39,12 +48,14 @@
 import org.springframework.rabbit.stream.producer.RabbitStreamTemplate;
 import org.springframework.rabbit.stream.support.converter.StreamMessageConverter;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Configuration for Spring RabbitMQ Stream plugin support.
  *
  * @author Gary Russell
  * @author Eddú Meléndez
+ * @author Jay Choi
  */
 @Configuration(proxyBeanMethods = false)
 @ConditionalOnClass(StreamRabbitListenerContainerFactory.class)
@@ -71,8 +82,8 @@ StreamRabbitListenerContainerFactory streamRabbitListenerContainerFactory(Enviro
 	@Bean(name = "rabbitStreamEnvironment")
 	@ConditionalOnMissingBean(name = "rabbitStreamEnvironment")
 	Environment rabbitStreamEnvironment(RabbitProperties properties, RabbitConnectionDetails connectionDetails,
-			ObjectProvider<EnvironmentBuilderCustomizer> customizers) {
-		EnvironmentBuilder builder = configure(Environment.builder(), properties, connectionDetails);
+			ObjectProvider<EnvironmentBuilderCustomizer> customizers, @Nullable SslBundles sslBundles) {
+		EnvironmentBuilder builder = configure(Environment.builder(), properties, connectionDetails, sslBundles);
 		customizers.orderedStream().forEach((customizer) -> customizer.customize(builder));
 		return builder.build();
 	}
@@ -105,20 +116,46 @@ RabbitStreamTemplate rabbitStreamTemplate(Environment rabbitStreamEnvironment, R
 	}
 
 	static EnvironmentBuilder configure(EnvironmentBuilder builder, RabbitProperties properties,
-			RabbitConnectionDetails connectionDetails) {
-		return configure(builder, properties.getStream(), connectionDetails);
+			RabbitConnectionDetails connectionDetails, @Nullable SslBundles sslBundles) {
+		return configure(builder, properties.getStream(), connectionDetails, sslBundles);
 	}
 
 	private static EnvironmentBuilder configure(EnvironmentBuilder builder, RabbitProperties.Stream stream,
-			RabbitConnectionDetails connectionDetails) {
+			RabbitConnectionDetails connectionDetails, @Nullable SslBundles sslBundles) {
 		builder.lazyInitialization(true);
 		PropertyMapper map = PropertyMapper.get();
 		map.from(stream.getHost()).to(builder::host);
 		map.from(stream.getPort()).to(builder::port);
 		map.from(stream.getVirtualHost()).orFrom(connectionDetails::getVirtualHost).to(builder::virtualHost);
 		map.from(stream.getUsername()).orFrom(connectionDetails::getUsername).to(builder::username);
 		map.from(stream.getPassword()).orFrom(connectionDetails::getPassword).to(builder::password);
+		RabbitProperties.Stream.StreamSsl ssl = stream.getSsl();
+		if (ssl.isEnabled()) {
+			if (StringUtils.hasLength(ssl.getBundle())) {
+				Assert.notNull(sslBundles, "SSL bundle name has been set but no SSL bundles found in context");
+				builder.tls().sslContext(createSslContext(sslBundles.getBundle(ssl.getBundle())));
+			}
+			else {
+				builder.tls();
+			}
+		}
 		return builder;
 	}
 
+	private static SslContext createSslContext(SslBundle sslBundle) {
+		SslOptions options = sslBundle.getOptions();
+		SslManagerBundle managers = sslBundle.getManagers();
+		try {
+			return SslContextBuilder.forClient()
+				.keyManager(managers.getKeyManagerFactory())
+				.trustManager(managers.getTrustManagerFactory())
+				.ciphers(SslOptions.asSet(options.getCiphers()))
+				.protocols(options.getEnabledProtocols())
+				.build();
+		}
+		catch (SSLException ex) {
+			throw new IllegalStateException("Failed to create SSL context for RabbitMQ Stream", ex);
+		}
+	}
+
 }

module/spring-boot-amqp/src/test/java/org/springframework/boot/amqp/autoconfigure/RabbitPropertiesTests.java

@@ -38,6 +38,7 @@
  * @author Stephane Nicoll
  * @author Rafael Carvalho
  * @author Scott Frederick
+ * @author Jay Choi
  */
 class RabbitPropertiesTests {
 
@@ -381,4 +382,34 @@ void hostPropertyMustBeSingleHost() {
 			.withMessageContaining("spring.rabbitmq.host");
 	}
 
+	@Test
+	void streamSslIsDisabledByDefault() {
+		assertThat(this.properties.getStream().getSsl().isEnabled()).isFalse();
+	}
+
+	@Test
+	void streamSslIsEnabledWhenEnabledIsTrue() {
+		this.properties.getStream().getSsl().setEnabled(true);
+		assertThat(this.properties.getStream().getSsl().isEnabled()).isTrue();
+	}
+
+	@Test
+	void streamSslIsDisabledWhenEnabledIsFalse() {
+		this.properties.getStream().getSsl().setEnabled(false);
+		assertThat(this.properties.getStream().getSsl().isEnabled()).isFalse();
+	}
+
+	@Test
+	void streamSslIsEnabledWhenBundleIsSet() {
+		this.properties.getStream().getSsl().setBundle("test-bundle");
+		assertThat(this.properties.getStream().getSsl().isEnabled()).isTrue();
+	}
+
+	@Test
+	void streamSslIsDisabledWhenBundleIsSetButEnabledIsFalse() {
+		this.properties.getStream().getSsl().setBundle("test-bundle");
+		this.properties.getStream().getSsl().setEnabled(false);
+		assertThat(this.properties.getStream().getSsl().isEnabled()).isFalse();
+	}
+
 }

module/spring-boot-amqp/src/test/java/org/springframework/boot/amqp/autoconfigure/RabbitStreamConfigurationTests.java

@@ -33,6 +33,9 @@
 import org.springframework.amqp.rabbit.listener.RabbitListenerEndpointRegistry;
 import org.springframework.amqp.support.converter.MessageConverter;
 import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.ssl.SslAutoConfiguration;
+import org.springframework.boot.ssl.NoSuchSslBundleException;
+import org.springframework.boot.ssl.SslBundles;
 import org.springframework.boot.test.context.runner.ApplicationContextRunner;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -50,8 +53,11 @@
 import org.springframework.rabbit.stream.support.converter.StreamMessageConverter;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.then;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 
 /**
  * Tests for {@link RabbitStreamConfiguration}.
@@ -60,11 +66,12 @@
  * @author Andy Wilkinson
  * @author Eddú Meléndez
  * @author Moritz Halbritter
+ * @author Jay Choi
  */
 class RabbitStreamConfigurationTests {
 
 	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner()
-		.withConfiguration(AutoConfigurations.of(RabbitAutoConfiguration.class));
+		.withConfiguration(AutoConfigurations.of(RabbitAutoConfiguration.class, SslAutoConfiguration.class));
 
 	@Test
 	@SuppressWarnings("unchecked")
@@ -146,7 +153,7 @@ void environmentUsesConnectionDetailsByDefault() {
 		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
 		RabbitProperties properties = new RabbitProperties();
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("guest", "guest", "vhost"));
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
 		then(builder).should().port(5552);
 		then(builder).should().host("localhost");
 		then(builder).should().virtualHost("vhost");
@@ -162,7 +169,7 @@ void whenStreamPortIsSetThenEnvironmentUsesCustomPort() {
 		RabbitProperties properties = new RabbitProperties();
 		properties.getStream().setPort(5553);
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("guest", "guest", "vhost"));
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
 		then(builder).should().port(5553);
 	}
 
@@ -172,7 +179,7 @@ void whenStreamHostIsSetThenEnvironmentUsesCustomHost() {
 		RabbitProperties properties = new RabbitProperties();
 		properties.getStream().setHost("stream.rabbit.example.com");
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("guest", "guest", "vhost"));
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
 		then(builder).should().host("stream.rabbit.example.com");
 	}
 
@@ -182,7 +189,7 @@ void whenStreamVirtualHostIsSetThenEnvironmentUsesCustomVirtualHost() {
 		RabbitProperties properties = new RabbitProperties();
 		properties.getStream().setVirtualHost("stream-virtual-host");
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("guest", "guest", "vhost"));
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
 		then(builder).should().virtualHost("stream-virtual-host");
 	}
 
@@ -192,7 +199,7 @@ void whenStreamVirtualHostIsNotSetButDefaultVirtualHostIsSetThenEnvironmentUsesD
 		RabbitProperties properties = new RabbitProperties();
 		properties.setVirtualHost("properties-virtual-host");
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("guest", "guest", "default-virtual-host"));
+				new TestRabbitConnectionDetails("guest", "guest", "default-virtual-host"), null);
 		then(builder).should().virtualHost("default-virtual-host");
 	}
 
@@ -203,7 +210,7 @@ void whenStreamCredentialsAreNotSetThenEnvironmentUsesConnectionDetailsCredentia
 		properties.setUsername("alice");
 		properties.setPassword("secret");
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("bob", "password", "vhost"));
+				new TestRabbitConnectionDetails("bob", "password", "vhost"), null);
 		then(builder).should().username("bob");
 		then(builder).should().password("password");
 	}
@@ -217,7 +224,7 @@ void whenStreamCredentialsAreSetThenEnvironmentUsesStreamCredentials() {
 		properties.getStream().setUsername("bob");
 		properties.getStream().setPassword("confidential");
 		RabbitStreamConfiguration.configure(builder, properties,
-				new TestRabbitConnectionDetails("charlotte", "hidden", "vhost"));
+				new TestRabbitConnectionDetails("charlotte", "hidden", "vhost"), null);
 		then(builder).should().username("bob");
 		then(builder).should().password("confidential");
 	}
@@ -297,6 +304,71 @@ void environmentCreatedByBuilderCanBeCustomized() {
 		});
 	}
 
+	@Test
+	void whenStreamSslIsNotConfiguredThenTlsIsNotUsed() {
+		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
+		RabbitProperties properties = new RabbitProperties();
+		RabbitStreamConfiguration.configure(builder, properties,
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
+		then(builder).should(never()).tls();
+	}
+
+	@Test
+	void whenStreamSslIsEnabledThenTlsIsUsed() {
+		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
+		RabbitProperties properties = new RabbitProperties();
+		properties.getStream().getSsl().setEnabled(true);
+		RabbitStreamConfiguration.configure(builder, properties,
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
+		then(builder).should().tls();
+	}
+
+	@Test
+	void whenStreamSslBundleIsConfiguredThenTlsIsUsed() {
+		this.contextRunner.withPropertyValues("spring.rabbitmq.stream.ssl.bundle=test-bundle",
+				"spring.ssl.bundle.jks.test-bundle.keystore.location=classpath:org/springframework/boot/amqp/autoconfigure/test.jks",
+				"spring.ssl.bundle.jks.test-bundle.keystore.password=secret")
+			.run((context) -> {
+				assertThat(context).hasNotFailed();
+				assertThat(context).hasSingleBean(Environment.class);
+			});
+	}
+
+	@Test
+	void whenStreamSslIsDisabledThenTlsIsNotUsed() {
+		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
+		RabbitProperties properties = new RabbitProperties();
+		properties.getStream().getSsl().setEnabled(false);
+		RabbitStreamConfiguration.configure(builder, properties,
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
+		then(builder).should(never()).tls();
+	}
+
+	@Test
+	void whenStreamSslIsDisabledWithBundleThenTlsIsNotUsed() {
+		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
+		RabbitProperties properties = new RabbitProperties();
+		properties.getStream().getSsl().setEnabled(false);
+		properties.getStream().getSsl().setBundle("some-bundle");
+		RabbitStreamConfiguration.configure(builder, properties,
+				new TestRabbitConnectionDetails("guest", "guest", "vhost"), null);
+		then(builder).should(never()).tls();
+	}
+
+	@Test
+	void whenStreamSslBundleIsInvalidThenFails() {
+		EnvironmentBuilder builder = mock(EnvironmentBuilder.class);
+		SslBundles sslBundles = mock(SslBundles.class);
+		given(sslBundles.getBundle("invalid-bundle")).willThrow(
+				new NoSuchSslBundleException("invalid-bundle", "SSL bundle name 'invalid-bundle' cannot be found"));
+		RabbitProperties properties = new RabbitProperties();
+		properties.getStream().getSsl().setBundle("invalid-bundle");
+		assertThatExceptionOfType(NoSuchSslBundleException.class)
+			.isThrownBy(() -> RabbitStreamConfiguration.configure(builder, properties,
+					new TestRabbitConnectionDetails("guest", "guest", "vhost"), sslBundles))
+			.withMessageContaining("invalid-bundle");
+	}
+
 	@Configuration(proxyBeanMethods = false)
 	static class TestConfiguration {