Merge pull request #18 from SourceLabOrg/sp/clientCert

Add ability to send a client certificate with requests by defining a keystore

Author: Crim

CHANGELOG.md

@@ -2,6 +2,11 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## 1.3.0 (UNRELEASED)
+
+### New Features
+- Added ability to configure sending a client certificate in order to authenicate Kafka-Connect REST endpoints.
+
 ## 1.2.0 (02/02/2019)
 
 ### New Features

README.md

@@ -73,7 +73,7 @@ final Configuration configuration = new Configuration("https://hostname.for.kafk
  * with.
  */
 configuration.useTrustStore(
-    new File("/path/to/truststore.jks"), "TrustStorePasswordHere or NULL"
+    new File("/path/to/truststore.jks"), "Optional Password Here or NULL"
 );
 
 /*
@@ -83,6 +83,14 @@ configuration.useTrustStore(
  */
 //configuration.useInsecureSslCertificates();
 
+/*
+ * If your Kafka-Connect instance is configured to validate client certificates, you can configure a KeyStore for
+ * the client to send with each request:
+ */
+configuration.useKeyStore(
+    new File("/path/to/keystore.jks"), "Optional Password Here or NULL"    
+);
+
 /*
  * Create an instance of KafkaConnectClient, passing your configuration.
  */

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>org.sourcelab</groupId>
     <artifactId>kafka-connect-client</artifactId>
-    <version>1.2.0</version>
+    <version>1.3.0</version>
     <packaging>jar</packaging>
 
     <!-- Require Maven 3.3.9 -->
@@ -161,6 +161,14 @@
             <version>2.6</version>
             <scope>test</scope>
         </dependency>
+
+        <!-- Test Http/Https Client -->
+        <dependency>
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-server</artifactId>
+            <version>9.4.14.v20181114</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

src/main/java/org/sourcelab/kafka/connect/apiclient/Configuration.java

@@ -36,11 +36,15 @@ public final class Configuration {
     private String basicAuthUsername = null;
     private String basicAuthPassword = null;
 
-    // Optional SSL options
+    // Optional settings to validate Kafka-Connect's SSL certificate.
     private boolean ignoreInvalidSslCertificates = false;
     private File trustStoreFile = null;
     private String trustStorePassword = null;
 
+    // Optional settings to send a client certificate with request.
+    private File keyStoreFile = null;
+    private String keyStorePassword = null;
+
     // Optional Proxy Configuration
     private String proxyHost = null;
     private int proxyPort = 0;
@@ -59,7 +63,7 @@ public Configuration(final String kafkaConnectHost) {
             throw new NullPointerException("Kafka Connect Host parameter cannot be null!");
         }
 
-        // Normalize into "http://<hostname>"
+        // Normalize into "http://<hostname>" if not specified.
         if (kafkaConnectHost.startsWith("http://") || kafkaConnectHost.startsWith("https://")) {
             this.apiHost = kafkaConnectHost;
         } else {
@@ -120,21 +124,36 @@ public Configuration useInsecureSslCertificates() {
     }
 
     /**
-     * You can supply a path to a JKS trust store to be used to validate SSL certificates with.
+     * (Optional) Supply a path to a JKS trust store to be used to validate SSL certificates with.  You'll need this
+     * if you're using Self Signed certificates.
      *
      * Alternatively you can can explicitly add your certificate to the JVM's truststore using a command like:
      * keytool -importcert -keystore truststore.jks -file servercert.pem
      *
-     * @param trustStorePath file path to truststore.
-     * @param password (optional) Password for truststore.
+     * @param trustStoreFile file path to truststore.
+     * @param password (optional) Password for truststore. Pass null if no password.
      * @return Configuration instance.
      */
-    public Configuration useTrustStore(final File trustStorePath, final String password) {
-        this.trustStoreFile = Objects.requireNonNull(trustStorePath);
+    public Configuration useTrustStore(final File trustStoreFile, final String password) {
+        this.trustStoreFile = Objects.requireNonNull(trustStoreFile);
         this.trustStorePassword = password;
         return this;
     }
 
+    /**
+     * (Optional) Supply a path to a JKS key store to be used for client validation.  You'll need this if your
+     * Kafka-Connect instance is configured to only accept requests from clients with a valid certificate.
+     *
+     * @param keyStoreFile file path to keystore.
+     * @param password (optional) Password for keystore. Pass null if no password.
+     * @return Configuration instance.
+     */
+    public Configuration useKeyStore(final File keyStoreFile, final String password) {
+        this.keyStoreFile = Objects.requireNonNull(keyStoreFile);
+        this.keyStorePassword = password;
+        return this;
+    }
+
     /**
      * Set the request timeout value, in seconds.
      * @param requestTimeoutInSeconds How long before a request times out, in seconds.
@@ -185,6 +204,14 @@ public int getRequestTimeoutInSeconds() {
         return requestTimeoutInSeconds;
     }
 
+    public File getKeyStoreFile() {
+        return keyStoreFile;
+    }
+
+    public String getKeyStorePassword() {
+        return keyStorePassword;
+    }
+
     public String getBasicAuthUsername() {
         return basicAuthUsername;
     }

src/main/java/org/sourcelab/kafka/connect/apiclient/rest/HttpClientRestClient.java

@@ -48,6 +48,7 @@
 import org.sourcelab.kafka.connect.apiclient.rest.exceptions.ResultParsingException;
 import org.sourcelab.kafka.connect.apiclient.rest.handlers.RestResponseHandler;
 
+import javax.net.ssl.SSLHandshakeException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.SocketException;
@@ -261,8 +262,8 @@ private <T> T submitGetRequest(final String url, final Map<String, String> getPa
 
             // Execute and return
             return httpClient.execute(get, responseHandler, httpClientContext);
-        } catch (final ClientProtocolException | SocketException | URISyntaxException connectionException) {
-            // Typically this is a connection issue.
+        } catch (final ClientProtocolException | SocketException | URISyntaxException | SSLHandshakeException connectionException) {
+            // Typically this is a connection or certificate issue.
             throw new ConnectionException(connectionException.getMessage(), connectionException);
         } catch (final IOException ioException) {
             // Typically this is a parse error.
@@ -294,7 +295,7 @@ private <T> T submitPostRequest(final String url, final Object requestBody, fina
 
             // Execute and return
             return httpClient.execute(post, responseHandler, httpClientContext);
-        } catch (final ClientProtocolException | SocketException connectionException) {
+        } catch (final ClientProtocolException | SocketException | SSLHandshakeException connectionException) {
             // Typically this is a connection issue.
             throw new ConnectionException(connectionException.getMessage(), connectionException);
         } catch (final IOException ioException) {
@@ -326,7 +327,7 @@ private <T> T submitPutRequest(final String url, final Object requestBody, final
 
             // Execute and return
             return httpClient.execute(put, responseHandler, httpClientContext);
-        } catch (final ClientProtocolException | SocketException connectionException) {
+        } catch (final ClientProtocolException | SocketException | SSLHandshakeException connectionException) {
             // Typically this is a connection issue.
             throw new ConnectionException(connectionException.getMessage(), connectionException);
         } catch (final IOException ioException) {
@@ -357,7 +358,7 @@ private <T> T submitDeleteRequest(final String url, final Object requestBody, fi
 
             // Execute and return
             return httpClient.execute(delete, responseHandler, httpClientContext);
-        } catch (final ClientProtocolException | SocketException connectionException) {
+        } catch (final ClientProtocolException | SocketException | SSLHandshakeException connectionException) {
             // Typically this is a connection issue.
             throw new ConnectionException(connectionException.getMessage(), connectionException);
         } catch (final IOException ioException) {

src/main/java/org/sourcelab/kafka/connect/apiclient/rest/HttpsContextBuilder.java

@@ -27,16 +27,19 @@
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.util.Objects;
 
@@ -60,10 +63,28 @@ class HttpsContextBuilder {
      * Constructor.
      * @param configuration client configuration instance.
      */
-    HttpsContextBuilder(final Configuration configuration) {
+    public HttpsContextBuilder(final Configuration configuration) {
         this.configuration = Objects.requireNonNull(configuration);
     }
 
+    /**
+     * Properly configured SslSocketFactory based on client configuration.
+     * @return SslSocketFactory instance.
+     */
+    public LayeredConnectionSocketFactory createSslSocketFactory() {
+        // Emit an warning letting everyone know we're using an insecure configuration.
+        if (configuration.getIgnoreInvalidSslCertificates()) {
+            logger.warn("Using insecure configuration, skipping server-side certificate validation checks.");
+        }
+
+        return new SSLConnectionSocketFactory(
+            getSslContext(),
+            getSslProtocols(),
+            null,
+            getHostnameVerifier()
+        );
+    }
+
     /**
      * Get HostnameVerifier instance based on client configuration.
      * @return HostnameVerifier instance.
@@ -83,28 +104,78 @@ HostnameVerifier getHostnameVerifier() {
      * @return SSLContext instance.
      */
     SSLContext getSslContext() {
-        // Create default SSLContext
-        final SSLContext sslcontext = SSLContexts.createDefault();
+        try {
+            // Create default SSLContext
+            final SSLContext sslcontext = SSLContexts.createDefault();
+
+            // Initialize ssl context with configured key and trust managers.
+            sslcontext.init(getKeyManagers(), getTrustManagers(), new SecureRandom());
+
+            return sslcontext;
+        } catch (final KeyManagementException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
+    /**
+     * Based on client configuration, construct KeyManager instances to use.
+     * @return Array of 0 or more KeyManagers.
+     */
+    KeyManager[] getKeyManagers() {
+        // If not configured to use a KeyStore
+        if (configuration.getKeyStoreFile() == null) {
+            // Return null array.
+            return new KeyManager[0];
+        }
+
+        // If configured to use a key store
+        try {
+            final KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+
+            // New JKS Keystore.
+            final KeyStore keyStore = KeyStore.getInstance("JKS");
+            final char[] password;
+            if (configuration.getKeyStorePassword() == null) {
+                password = new char[0];
+            } else {
+                password = configuration.getKeyStorePassword().toCharArray();
+            }
+
+            try (final FileInputStream keyStoreFileInput = new FileInputStream(configuration.getKeyStoreFile())) {
+                keyStore.load(keyStoreFileInput, password);
+            }
+            keyFactory.init(keyStore, password);
+            return keyFactory.getKeyManagers();
+        } catch (final FileNotFoundException exception) {
+            throw new RuntimeException(
+                "Unable to find configured KeyStore file \"" + configuration.getKeyStoreFile() + "\"",
+                exception
+            );
+        } catch (final KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
 
+    /**
+     * Based on Client Configuration, construct TrustManager instances to use.
+     * @return Array of 0 or more TrustManager instances.
+     */
+    TrustManager[] getTrustManagers() {
         try {
+            final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+
             // If client configuration is set to ignore invalid certificates
             if (configuration.getIgnoreInvalidSslCertificates()) {
                 // Initialize ssl context with a TrustManager instance that just accepts everything blindly.
                 // HIGHLY INSECURE / NOT RECOMMENDED!
-                sslcontext.init(new KeyManager[0], new TrustManager[]{new NoopTrustManager()}, new SecureRandom());
+                return new TrustManager[]{ new NoopTrustManager() };
 
             // If client configuration has a trust store defined.
             } else if (configuration.getTrustStoreFile() != null) {
-
-                final TrustManagerFactory trustManagerFactory = TrustManagerFactory
-                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
-
-
-                // New JKS Keystore.
-                final KeyStore keyStore = KeyStore.getInstance("JKS");
-
                 // Attempt to read the trust store from disk.
                 try (final FileInputStream trustStoreFileInput = new FileInputStream(configuration.getTrustStoreFile())) {
+                    // New JKS Keystore.
+                    final KeyStore keyStore = KeyStore.getInstance("JKS");
 
                     // If no trust store password is set.
                     if (configuration.getTrustStorePassword() == null) {
@@ -114,15 +185,20 @@ SSLContext getSslContext() {
                     }
                     trustManagerFactory.init(keyStore);
                 }
-
-                // Initialize ssl context with our custom loaded trust store.
-                sslcontext.init(new KeyManager[0], trustManagerFactory.getTrustManagers(), new SecureRandom());
+                return trustManagerFactory.getTrustManagers();
+            } else {
+                // use default TrustManager instances
+                trustManagerFactory.init((KeyStore) null);
+                return trustManagerFactory.getTrustManagers();
             }
-        } catch (final KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException e) {
-            throw new RuntimeException(e.getMessage(), e);
+        } catch (final FileNotFoundException exception) {
+            throw new RuntimeException(
+                "Unable to find configured TrustStore file \"" + configuration.getTrustStoreFile() + "\"",
+                exception
+            );
+        } catch (final KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException exception) {
+            throw new RuntimeException(exception.getMessage(), exception);
         }
-
-        return sslcontext;
     }
 
     /**
@@ -132,22 +208,4 @@ SSLContext getSslContext() {
     private String[] getSslProtocols() {
         return sslProtocols;
     }
-
-    /**
-     * Properly configured SslSocketFactory based on client configuration.
-     * @return SslSocketFactory instance.
-     */
-    LayeredConnectionSocketFactory createSslSocketFactory() {
-        // Emit an warning letting everyone know we're using an insecure configuration.
-        if (configuration.getIgnoreInvalidSslCertificates()) {
-            logger.warn("Using insecure configuration, skipping server-side certificate validation checks.");
-        }
-
-        return new SSLConnectionSocketFactory(
-            getSslContext(),
-            getSslProtocols(),
-            null,
-            getHostnameVerifier()
-        );
-    }
 }