[PR requested change] Add SSL

Author: onobc

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/pulsar/ClientBuilderSslConfigurer.java

@@ -0,0 +1,167 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.pulsar;
+
+import java.io.FileNotFoundException;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import org.springframework.boot.autoconfigure.ssl.JksSslBundleProperties;
+import org.springframework.boot.autoconfigure.ssl.JksSslBundleProperties.Store;
+import org.springframework.boot.autoconfigure.ssl.PemSslBundleProperties;
+import org.springframework.boot.autoconfigure.ssl.SslProperties;
+import org.springframework.boot.context.properties.PropertyMapper;
+import org.springframework.boot.ssl.SslBundle;
+import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.ssl.SslOptions;
+import org.springframework.boot.ssl.SslStoreBundle;
+import org.springframework.boot.ssl.jks.JksSslStoreBundle;
+import org.springframework.boot.ssl.pem.PemSslStoreBundle;
+import org.springframework.util.Assert;
+import org.springframework.util.ResourceUtils;
+
+/**
+ * Configures the SSL settings on {@link ClientBuilderSslSettings}.
+ *
+ * @author Chris Bono
+ * @since 3.2.0
+ */
+public class ClientBuilderSslConfigurer {
+
+	private final SslBundles sslBundles;
+
+	private final SslProperties sslProperties;
+
+	/**
+	 * Construct a configurer using the specified SSL bundle and properties.
+	 * @param sslBundles optional ssl bundles configured for the application
+	 * @param sslProperties optional ssl properties for the application
+	 */
+	public ClientBuilderSslConfigurer(SslBundles sslBundles, SslProperties sslProperties) {
+		this.sslBundles = sslBundles;
+		this.sslProperties = sslProperties;
+	}
+
+	/**
+	 * Applies the specified SSL properties to the specified client SSL builder.
+	 * @param clientBuilderSslSettings the ssl builder
+	 * @param clientSslProperties the ssl properties
+	 */
+	public void applySsl(ClientBuilderSslSettings<?> clientBuilderSslSettings,
+			SslConfigProperties clientSslProperties) {
+		if (!clientSslProperties.isEnabled()) {
+			return;
+		}
+		clientBuilderSslSettings.enableTls(true);
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		map.from(clientSslProperties::isVerifyHostname).to(clientBuilderSslSettings::enableTlsHostnameVerification);
+		map.from(clientSslProperties::getAllowInsecureConnection)
+			.to(clientBuilderSslSettings::allowTlsInsecureConnection);
+		if (clientSslProperties.getBundle() == null) {
+			return;
+		}
+		Assert.state(this.sslBundles != null, "SSL enabled but no SSL bundles configured");
+		Assert.state(this.sslProperties != null, "SSL enabled but no SSL properties configured");
+		String bundleName = clientSslProperties.getBundle();
+		SslBundle sslBundle = this.sslBundles.getBundle(bundleName);
+		SslOptions sslOptions = sslBundle.getOptions();
+		if (sslOptions.getCiphers() != null) {
+			Set<String> tlsCiphers = Arrays.stream(sslOptions.getCiphers()).collect(Collectors.toSet());
+			clientBuilderSslSettings.tlsCiphers(tlsCiphers);
+		}
+		if (sslOptions.getEnabledProtocols() != null) {
+			Set<String> tlsProtocols = Arrays.stream(sslOptions.getEnabledProtocols()).collect(Collectors.toSet());
+			clientBuilderSslSettings.tlsProtocols(tlsProtocols);
+		}
+		SslType sslBundleType = SslType.forSslStoreBundle(sslBundle.getStores());
+		switch (sslBundleType) {
+			case JKS -> applyJksSslProperties(clientBuilderSslSettings, map, bundleName);
+			case PEM -> applyPemSslProperties(clientBuilderSslSettings, map, bundleName);
+			case UNSUPPORTED -> throw new IllegalArgumentException(
+					"Unsupported store bundle type %s".formatted(sslBundle.getStores().getClass().getName()));
+		}
+	}
+
+	private void applyJksSslProperties(ClientBuilderSslSettings<?> clientBuilderSslSettings, PropertyMapper map,
+			String bundleName) {
+		clientBuilderSslSettings.useKeyStoreTls(true);
+		// Dip down into the ssl props for the info we need to set on the client builder
+		JksSslBundleProperties jksProperties = this.sslProperties.getBundle().getJks().get(bundleName);
+		Assert.state(jksProperties != null,
+				() -> "SslStoreBundle is JKS but unable to find 'spring.ssl.bundle.jks.%s.*' properties"
+					.formatted(bundleName));
+		Store trustStore = jksProperties.getTruststore();
+		map.from(trustStore::getType).to(clientBuilderSslSettings::tlsTrustStoreType);
+		map.from(trustStore::getLocation).as(this::resolvePath).to(clientBuilderSslSettings::tlsTrustStorePath);
+		map.from(trustStore::getPassword).to(clientBuilderSslSettings::tlsTrustStorePassword);
+		map.from(trustStore::getProvider).to(clientBuilderSslSettings::sslProvider);
+		Store keyStore = jksProperties.getKeystore();
+		map.from(keyStore::getType).to(clientBuilderSslSettings::tlsKeyStoreType);
+		map.from(keyStore::getLocation).as(this::resolvePath).to(clientBuilderSslSettings::tlsKeyStorePath);
+		map.from(keyStore::getPassword).to(clientBuilderSslSettings::tlsKeyStorePassword);
+		// Key store provider overrides trust store provider
+		map.from(keyStore::getProvider).to(clientBuilderSslSettings::sslProvider);
+	}
+
+	private void applyPemSslProperties(ClientBuilderSslSettings<?> clientBuilderSslSettings, PropertyMapper map,
+			String bundleName) {
+		// Dip down into the properties for the info we need to set on the client builder
+		PemSslBundleProperties pemProperties = this.sslProperties.getBundle().getPem().get(bundleName);
+		Assert.state(pemProperties != null,
+				() -> "SslStoreBundle is PEM but unable to find 'spring.ssl.bundle.pem.%s.*' properties"
+					.formatted(bundleName));
+		PemSslBundleProperties.Store trustStore = pemProperties.getTruststore();
+		map.from(trustStore::getCertificate).as(this::resolvePath).to(clientBuilderSslSettings::tlsTrustCertsFilePath);
+		PemSslBundleProperties.Store keyStore = pemProperties.getKeystore();
+		map.from(keyStore::getPrivateKey).as(this::resolvePath).to(clientBuilderSslSettings::tlsKeyFilePath);
+		map.from(keyStore::getCertificate).as(this::resolvePath).to(clientBuilderSslSettings::tlsCertificateFilePath);
+	}
+
+	/**
+	 * Resolves a location into an actual path. The Pulsar client builders TLS related
+	 * methods all expect the locations passed in to be file paths. Adding this resolve
+	 * allows us to use 'classpath:' locations.
+	 * @param resourceLocation the location of the resource
+	 * @return path to the resource
+	 */
+	private String resolvePath(String resourceLocation) {
+		try {
+			return ResourceUtils.getURL(resourceLocation).getPath();
+		}
+		catch (FileNotFoundException ex) {
+			throw new RuntimeException(ex);
+		}
+	}
+
+	enum SslType {
+
+		JKS, PEM, UNSUPPORTED;
+
+		static SslType forSslStoreBundle(SslStoreBundle sslStoreBundle) {
+			if (sslStoreBundle instanceof JksSslStoreBundle) {
+				return SslType.JKS;
+			}
+			if (sslStoreBundle instanceof PemSslStoreBundle) {
+				return SslType.PEM;
+			}
+			return UNSUPPORTED;
+		}
+
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/pulsar/ClientBuilderSslSettings.java

@@ -0,0 +1,167 @@
+/*
+ * Copyright 2012-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.pulsar;
+
+import java.util.Set;
+
+import org.apache.pulsar.client.admin.PulsarAdminBuilder;
+import org.apache.pulsar.client.api.ClientBuilder;
+
+/**
+ * Adapts a client builder's SSL settings. The Pulsar {@link ClientBuilder} and
+ * {@link PulsarAdminBuilder} do not share a common interface for SSL settings eventhough
+ * they have the same exact properties. This allows them to be treated the same and
+ * therefore the SSL logic can be in a single place.
+ *
+ * @param <T> the client builder
+ * @author Chris Bono
+ * @since 3.2.0
+ */
+public interface ClientBuilderSslSettings<T> {
+
+	/**
+	 * Returns the adapted client builder.
+	 * @return the adapted client builder
+	 */
+	T adaptedClientBuilder();
+
+	/**
+	 * Configure whether to use TLS encryption on the connection <i>(default: true if
+	 * serviceUrl starts with "pulsar+ssl://", false otherwise)</i>.
+	 * @param enableTls whether to enable tls
+	 * @return the client builder instance
+	 */
+	T enableTls(boolean enableTls);
+
+	/**
+	 * Set the path to the TLS key file.
+	 * @param tlsKeyFilePath the path to the tls key file
+	 * @return the client builder instance
+	 */
+	T tlsKeyFilePath(String tlsKeyFilePath);
+
+	/**
+	 * Set the path to the TLS certificate file.
+	 * @param tlsCertificateFilePath the path to the tls cert file
+	 * @return the client builder instance
+	 */
+	T tlsCertificateFilePath(String tlsCertificateFilePath);
+
+	/**
+	 * Set the path to the trusted TLS certificate file.
+	 * @param tlsTrustCertsFilePath the path to the tls trust certs file
+	 * @return the client builder instance
+	 */
+	T tlsTrustCertsFilePath(String tlsTrustCertsFilePath);
+
+	/**
+	 * Configure whether the Pulsar client accept untrusted TLS certificate from broker
+	 * <i>(default: false)</i>.
+	 * @param allowTlsInsecureConnection whether to accept a untrusted TLS certificate
+	 * @return the client builder instance
+	 */
+	T allowTlsInsecureConnection(boolean allowTlsInsecureConnection);
+
+	/**
+	 * It allows to validate hostname verification when client connects to broker over
+	 * tls. It validates incoming x509 certificate and matches provided hostname(CN/SAN)
+	 * with expected broker's host name. It follows RFC 2818, 3.1. Server Identity
+	 * hostname verification.
+	 * @param enableTlsHostnameVerification whether to enable TLS hostname verification
+	 * @return the client builder instance
+	 * @see <a href="https://tools.ietf.org/html/rfc2818">RFC 818</a>
+	 */
+	T enableTlsHostnameVerification(boolean enableTlsHostnameVerification);
+
+	/**
+	 * If Tls is enabled, whether to use KeyStore type as tls configuration parameter.
+	 * False means use default pem type configuration.
+	 * @param useKeyStoreTls whether to use key store for tls
+	 * @return the client builder instance
+	 */
+	T useKeyStoreTls(boolean useKeyStoreTls);
+
+	/**
+	 * The name of the security provider used for SSL connections. Default value is the
+	 * default security provider of the JVM.
+	 * @param sslProvider the ssl provider
+	 * @return the client builder instance
+	 */
+	T sslProvider(String sslProvider);
+
+	/**
+	 * The file format of the key store file.
+	 * @param tlsKeyStoreType the tls key store file format
+	 * @return the client builder instance
+	 */
+	T tlsKeyStoreType(String tlsKeyStoreType);
+
+	/**
+	 * The location of the key store file.
+	 * @param tlsKeyStorePath the path to the tls key store
+	 * @return the client builder instance
+	 */
+	T tlsKeyStorePath(String tlsKeyStorePath);
+
+	/**
+	 * The store password for the key store file.
+	 * @param tlsKeyStorePassword the password for the tls key store
+	 * @return the client builder instance
+	 */
+	T tlsKeyStorePassword(String tlsKeyStorePassword);
+
+	/**
+	 * The file format of the trust store file.
+	 * @param tlsTrustStoreType the tls trust store file format
+	 * @return the client builder instance
+	 */
+	T tlsTrustStoreType(String tlsTrustStoreType);
+
+	/**
+	 * The location of the trust store file.
+	 * @param tlsTrustStorePath the path to the tls trust store
+	 * @return the client builder instance
+	 */
+	T tlsTrustStorePath(String tlsTrustStorePath);
+
+	/**
+	 * The store password for the trust store file.
+	 * @param tlsTrustStorePassword the password for the tls trust store
+	 * @return the client builder instance
+	 */
+	T tlsTrustStorePassword(String tlsTrustStorePassword);
+
+	/**
+	 * A list of cipher suites. This is a named combination of authentication, encryption,
+	 * MAC and key exchange algorithm used to negotiate the security settings for a
+	 * network connection using TLS or SSL network protocol. By default, all the available
+	 * cipher suites are supported.
+	 * @param tlsCiphers the tls ciphers
+	 * @return the client builder instance
+	 */
+	T tlsCiphers(Set<String> tlsCiphers);
+
+	/**
+	 * The SSL protocol used to generate the SSLContext. Default setting is TLS, which is
+	 * fine for most cases. Allowed values in recent JVMs are TLS, TLSv1.3, TLSv1.2 and
+	 * TLSv1.1.
+	 * @param tlsProtocols the enabled protocols
+	 * @return the client builder instance
+	 */
+	T tlsProtocols(Set<String> tlsProtocols);
+
+}