fix: WebSocket (#4519)

Signed-off-by: Pablo Carle <pablo.carle@broadcom.com>
Co-authored-by: Pablo Carle <pablo.carle@broadcom.com>

Author: pablocarle

apiml/src/test/resources/application.yml

@@ -2,13 +2,12 @@ logging:
     level:
         ROOT: DEBUG
         org.springframework: DEBUG
+        org.springframework.boot.autoconfigure.web: DEBUG
+        org.springframework.cloud.gateway: DEBUG
+        org.springframework.http.server.reactive: DEBUG
+        org.springframework.web.reactive: DEBUG
         org.zowe.apiml: DEBUG
-        org.springframework.cloud.gateway: TRACE
-        org.springframework.http.server.reactive: TRACE
-        org.springframework.web.reactive: TRACE
-        org.springframework.boot.autoconfigure.web: TRACE
-        reactor.netty: TRACE
-        redisratelimiter: TRACE
+        redisratelimiter: DEBUG
 
 eureka:
     dashboard:

common-service-core/src/main/java/org/zowe/apiml/security/HostnameIgnoringSSLContextBuilder.java

@@ -0,0 +1,54 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collection;
+
+/**
+ * Builder meant to be used only for non-strict configuration
+ */
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public class HostnameIgnoringSSLContextBuilder extends org.apache.hc.core5.ssl.SSLContextBuilder {
+
+    @Override
+    protected void initSSLContext(SSLContext sslContext, Collection<KeyManager> keyManagers,
+            Collection<TrustManager> trustManagers, SecureRandom secureRandom) throws KeyManagementException {
+
+        Collection<TrustManager> laxTrustManager = new ArrayList<>();
+        if (trustManagers != null) {
+            trustManagers.forEach(tm -> {
+                if (tm instanceof X509TrustManager x509tm) {
+                    laxTrustManager.add(new HostnameIgnoringTrustManager(x509tm));
+                } else {
+                    laxTrustManager.add(tm);
+                }
+            });
+        }
+
+        super.initSSLContext(sslContext, keyManagers, laxTrustManager, secureRandom);
+    }
+
+    public static HostnameIgnoringSSLContextBuilder create() {
+        return new HostnameIgnoringSSLContextBuilder();
+    }
+
+}

common-service-core/src/main/java/org/zowe/apiml/security/HostnameIgnoringTrustManager.java

@@ -0,0 +1,58 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security;
+
+import lombok.AccessLevel;
+import lombok.RequiredArgsConstructor;
+import lombok.experimental.Delegate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * To use for WebSocket scenarios that require non-strict hostname validation
+ */
+@RequiredArgsConstructor(access = AccessLevel.PACKAGE)
+public class HostnameIgnoringTrustManager extends X509ExtendedTrustManager {
+
+    @Delegate
+    private final X509TrustManager delegate;
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
+            throws CertificateException {
+        delegate.checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
+            throws CertificateException {
+        delegate.checkServerTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+            throws CertificateException {
+        delegate.checkClientTrusted(chain, authType);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+            throws CertificateException {
+        delegate.checkServerTrusted(chain, authType);
+    }
+
+}

common-service-core/src/main/java/org/zowe/apiml/security/HttpsFactory.java

@@ -33,10 +33,15 @@
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+
 import java.io.File;
 import java.io.IOException;
 import java.net.URL;
-import java.security.*;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 
 
@@ -190,8 +195,11 @@ private synchronized SSLContext createSecureSslContext() {
         log.debug("Protocol: {}", config.getProtocol());
         SSLContextBuilder sslContextBuilder = SSLContexts.custom();
         try {
-            loadTrustMaterial(sslContextBuilder);
+            if (config.isNonStrictVerifySslCertificatesOfServices()) {
+                sslContextBuilder = HostnameIgnoringSSLContextBuilder.create();
+            }
             loadKeyMaterial(sslContextBuilder);
+            loadTrustMaterial(sslContextBuilder);
             this.secureSslContext = sslContextBuilder.build();
             validateSslConfig();
             return secureSslContext;

common-service-core/src/test/java/org/zowe/apiml/security/HostnameIgnoringSSLContextBuilderTest.java

@@ -0,0 +1,92 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.mock;
+
+@ExtendWith(MockitoExtension.class)
+class HostnameIgnoringSSLContextBuilderTest {
+
+    private HostnameIgnoringSSLContextBuilder builder;
+
+    @BeforeEach
+    void setUp() {
+        this.builder = HostnameIgnoringSSLContextBuilder.create();
+    }
+
+    @Test
+    void testInitSSLContext_withX509Trust() throws KeyManagementException {
+        var sslContext = mock(SSLContext.class);
+        var secureRandom = mock(SecureRandom.class);
+        Collection<KeyManager> km = new ArrayList<>();
+        Collection<TrustManager> tm = new ArrayList<>();
+
+        var x509tm = mock(X509TrustManager.class);
+        km.add(mock(KeyManager.class));
+        tm.add(x509tm);
+
+        doNothing().when(sslContext).init((KeyManager[]) eq(km.toArray()), argThat(t -> {
+            TrustManager[] trustManagers = t;
+            assertNotNull(trustManagers);
+            assertEquals(1, trustManagers.length);
+            assertTrue(trustManagers[0] instanceof HostnameIgnoringTrustManager);
+            return true;
+        }), any());
+
+        builder.initSSLContext(sslContext, km, tm, secureRandom);
+    }
+
+    @Test
+    void testInitSSLContext_withoutX509Trust() throws KeyManagementException {
+        var sslContext = mock(SSLContext.class);
+        var secureRandom = mock(SecureRandom.class);
+        Collection<KeyManager> km = new ArrayList<>();
+        Collection<TrustManager> tm = new ArrayList<>();
+
+        var nonX509tm = mock(TrustManager.class);
+        km.add(mock(KeyManager.class));
+        tm.add(nonX509tm);
+
+        doNothing().when(sslContext).init((KeyManager[]) eq(km.toArray()), argThat(t -> {
+            TrustManager[] trustManagers = t;
+            assertNotNull(trustManagers);
+            assertEquals(1, trustManagers.length);
+            assertSame(nonX509tm, trustManagers[0]);
+            return true;
+        }), any());
+
+        builder.initSSLContext(sslContext, km, tm, secureRandom);
+    }
+
+}

common-service-core/src/test/java/org/zowe/apiml/security/HostnameIgnoringTrustManagerTest.java

@@ -0,0 +1,103 @@
+/*
+ * This program and the accompanying materials are made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-v20.html
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Copyright Contributors to the Zowe Project.
+ */
+
+package org.zowe.apiml.security;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509TrustManager;
+
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+import static org.mockito.Mockito.doNothing;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class HostnameIgnoringTrustManagerTest {
+
+    private HostnameIgnoringTrustManager trustManager;
+
+    @Mock
+    private X509TrustManager delegate;
+
+    @BeforeEach
+    void setUp() {
+        this.trustManager = new HostnameIgnoringTrustManager(delegate);
+    }
+
+    @Test
+    void testCheckClientTrusted() throws CertificateException {
+        X509Certificate[] certs = new X509Certificate[]{};
+        var authType = "test";
+        Socket s = mock(Socket.class);
+
+        doNothing().when(delegate).checkClientTrusted(certs, authType);
+
+        trustManager.checkClientTrusted(certs, authType, s);
+
+        verify(delegate, times(1)).checkClientTrusted(certs, authType);
+    }
+
+    @Test
+    void testCheckClientTrusted2() throws CertificateException {
+        X509Certificate[] certs = new X509Certificate[]{};
+        var authType = "test";
+        SSLEngine e = mock(SSLEngine.class);
+
+        doNothing().when(delegate).checkClientTrusted(certs, authType);
+
+        trustManager.checkClientTrusted(certs, authType, e);
+
+        verify(delegate, times(1)).checkClientTrusted(certs, authType);
+    }
+
+    @Test
+    void testCheckServerTrusted() throws CertificateException {
+        X509Certificate[] certs = new X509Certificate[]{};
+        var authType = "test";
+        Socket s = mock(Socket.class);
+
+        doNothing().when(delegate).checkServerTrusted(certs, authType);
+
+        trustManager.checkServerTrusted(certs, authType, s);
+
+        verify(delegate, times(1)).checkServerTrusted(certs, authType);
+    }
+
+    @Test
+    void testCheckServerTrusted2() throws CertificateException {
+        X509Certificate[] certs = new X509Certificate[]{};
+        var authType = "test";
+        SSLEngine e = mock(SSLEngine.class);
+
+        doNothing().when(delegate).checkServerTrusted(certs, authType);
+
+        trustManager.checkServerTrusted(certs, authType, e);
+
+        verify(delegate, times(1)).checkServerTrusted(certs, authType);
+    }
+
+    @Test
+    void testGetAcceptedIssuers() {
+        when(delegate.getAcceptedIssuers()).thenReturn(null);
+        trustManager.getAcceptedIssuers();
+        verify(delegate, times(1)).getAcceptedIssuers();
+    }
+}

discoverable-client/src/main/java/org/zowe/apiml/client/ws/WebSocketServerHandler.java

@@ -16,6 +16,7 @@
 import org.springframework.web.socket.handler.AbstractWebSocketHandler;
 
 public class WebSocketServerHandler extends AbstractWebSocketHandler {
+
     @Override
     public void handleMessage(WebSocketSession webSocketSession, WebSocketMessage<?> webSocketMessage)
             throws Exception {
@@ -25,4 +26,5 @@ public void handleMessage(WebSocketSession webSocketSession, WebSocketMessage<?>
             webSocketSession.close();
         }
     }
+
 }

discoverable-client/src/test/java/org/zowe/apiml/client/ws/WebSocketServerHandlerTest.java

@@ -49,4 +49,5 @@ void handleByeMessage() throws Exception {
         assertEquals("BYE", messageCaptor.getValue().getPayload().toString());
         verify(session, times(1)).close();
     }
+
 }