cleanup JsonBimServerClientFactory creation with custom SSL certificate

opensourceBIM · Feb 4, 2022 · e808e03 · e808e03
1 parent 2e59595
commit e808e03
Show file tree

Hide file tree

Showing 4 changed files with 83 additions and 176 deletions.
diff --git a/BimServerClientLib/src/org/bimserver/client/AbstractBimServerClientFactory.java b/BimServerClientLib/src/org/bimserver/client/AbstractBimServerClientFactory.java
@@ -18,11 +18,27 @@
  *****************************************************************************/
 
 import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
 import java.nio.file.Files;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.apache.http.ssl.SSLContextBuilder;
+import org.apache.http.ssl.SSLContexts;
 import org.bimserver.emf.MetaDataManager;
 import org.bimserver.interfaces.SServiceInterfaceService;
 import org.bimserver.plugins.services.BimServerClientInterface;
@@ -45,6 +61,8 @@
 import org.bimserver.shared.meta.SService;
 import org.bimserver.shared.meta.SServicesMap;
 
+import javax.net.ssl.SSLContext;
+
 public abstract class AbstractBimServerClientFactory implements BimServerClientFactory {
 
 	private final SServicesMap servicesMap;
@@ -57,10 +75,10 @@ public AbstractBimServerClientFactory(SServicesMap servicesMap, MetaDataManager
 			throw new IllegalArgumentException("MetaDataManager cannot be null");
 		}
 		this.metaDataManager = metaDataManager;
-		initHttpClient();
+		initHttpClient(null);
 	}
 
-	public AbstractBimServerClientFactory(MetaDataManager metaDataManager) throws BimServerClientException {
+	public AbstractBimServerClientFactory(MetaDataManager metaDataManager, URL trustedCertificate) throws BimServerClientException {
 		if (metaDataManager == null) {
 			try {
 				this.metaDataManager = new MetaDataManager(Files.createTempDirectory("bimserver-tmp"));
@@ -87,22 +105,35 @@ public AbstractBimServerClientFactory(MetaDataManager metaDataManager) throws Bi
 		addService(new SService(servicesMap, null, NotificationRegistryInterface.class));
 		addService(new SService(servicesMap, null, OAuthInterface.class));
 		servicesMap.initialize();
-		initHttpClient();
+		initHttpClient(sslContext(trustedCertificate));
+	}
+
+	public AbstractBimServerClientFactory(MetaDataManager metaDataManager) throws BimServerClientException {
+		this(metaDataManager, null);
 	}
 
 	public CloseableHttpClient getHttpClient() {
 		return httpClient;
 	}
 
-	public void initHttpClient() {
+	private void initHttpClient(SSLContext sslContext) {
 		HttpClientBuilder builder = HttpClientBuilder.create();
-
-		PoolingHttpClientConnectionManager connManager = new PoolingHttpClientConnectionManager();
+		SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
+			sslContext == null ? SSLContexts.createSystemDefault() :  sslContext,
+			new String[] { "TLSv1.2" },
+			null,
+			SSLConnectionSocketFactory.getDefaultHostnameVerifier()
+		);
+		Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
+				.register("http", PlainConnectionSocketFactory.getSocketFactory())
+				.register("https", sslsf)
+				.build();
+		PoolingHttpClientConnectionManager connManager = new PoolingHttpClientConnectionManager(registry);
 		connManager.setMaxTotal(100);
 		connManager.setDefaultMaxPerRoute(100);
 		builder.setConnectionManager(connManager);
 		builder.disableAutomaticRetries();
-
+		// TODO set timeouts? https://hc.apache.org/httpcomponents-client-5.1.x/migration-guide/preparation.html
 //		builder.addInterceptorFirst(new HttpRequestInterceptor() {
 //			public void process(final HttpRequest request, final HttpContext context) throws HttpException, IOException {
 //				if (!request.containsHeader("Accept-Encoding")) {
@@ -131,7 +162,29 @@ public void initHttpClient() {
 
 		httpClient = builder.build();
 	}
-
+
+	private SSLContext sslContext(URL trustedCertificate) throws BimServerClientException {
+		if(trustedCertificate != null) {
+			SSLContextBuilder sslContextBuilder = SSLContexts.custom();
+			try {
+				KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+				keystore.load(null);  // initializes keystore
+				CertificateFactory cf = CertificateFactory.getInstance("X.509");
+				Certificate cert = null;
+				try (InputStream trustedCertStream = trustedCertificate.openStream()) {
+					cert = cf.generateCertificate(trustedCertStream);
+				}
+				if (cert!=null) keystore.setCertificateEntry("onlyentry", cert);
+				sslContextBuilder.loadTrustMaterial(keystore, null);
+				return sslContextBuilder.build();
+			} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException | KeyManagementException  e) {
+				throw new BimServerClientException("Unable to use provided certificate.");
+			}
+		} else {
+			return SSLContexts.createSystemDefault();
+		}
+	}
+
 	public MetaDataManager getMetaDataManager() {
 		return metaDataManager;
 	}

diff --git a/BimServerClientLib/src/org/bimserver/client/json/JsonBimServerClientFactory.java b/BimServerClientLib/src/org/bimserver/client/json/JsonBimServerClientFactory.java
@@ -27,9 +27,10 @@
 import org.bimserver.shared.meta.SServicesMap;
 import org.bimserver.shared.reflector.RealtimeReflectorFactoryBuilder;
 import org.bimserver.shared.reflector.ReflectorFactory;
-
-public class JsonBimServerClientFactory extends AbstractBimServerClientFactory {
-
+import java.net.URL;
+
+public class JsonBimServerClientFactory extends AbstractBimServerClientFactory {
+
 	private String address;
 	private JsonSocketReflectorFactory jsonSocketReflectorFactory;
 	private ReflectorFactory reflectorFactory;
@@ -40,34 +41,43 @@ public JsonBimServerClientFactory(String address, SServicesMap servicesMap, Json
 		this.jsonSocketReflectorFactory = jsonSocketReflectorFactory;
 		this.reflectorFactory = reflectorFactory;
 	}
-
+
 	/**
 	 * Create a new JsonBimServerClientFactory
 	 * 
 	 * @param metaDataManager A MetaDataManager that can be shared over multiple factories
 	 * @param address Address of the remote server, must have the format "protocol://address:port[/contextpath]", for example "http://localhost:8080"
 	 * @throws BimServerClientException 
 	 */
-	public JsonBimServerClientFactory(MetaDataManager metaDataManager, String address) throws BimServerClientException {
-		super(metaDataManager);
-		this.address = address;
+
+	public JsonBimServerClientFactory(MetaDataManager metaDataManager, String address, URL trustedCertificate) throws BimServerClientException {
+		super(metaDataManager);
+		this.address = address;
 		this.jsonSocketReflectorFactory = new JsonSocketReflectorFactory(getServicesMap(), getHttpClient());
 		RealtimeReflectorFactoryBuilder factoryBuilder = new RealtimeReflectorFactoryBuilder(getServicesMap());
 		reflectorFactory = factoryBuilder.newReflectorFactory();
 		getServicesMap().setReflectorFactory(reflectorFactory);
 	}
 
 	public JsonBimServerClientFactory(String address) throws BimServerClientException {
-		this(null, address);
+		this(null, address);
+	}
+
+	public JsonBimServerClientFactory(String address, URL trustedCertificate) throws BimServerClientException {
+		this(null, address, trustedCertificate);
+	}
+
+	public JsonBimServerClientFactory(MetaDataManager metaDataManager, String address) throws BimServerClientException {
+		this(metaDataManager, address, null);
 	}
 
-	@Override
+	@Override
 	public BimServerClient create(AuthenticationInfo authenticationInfo) throws ServiceException, ChannelConnectionException {
 		JsonChannel jsonChannel = new JsonChannel(getHttpClient(), reflectorFactory, jsonSocketReflectorFactory, address + "/json", getServicesMap());
 		BimServerClient bimServerClient = new BimServerClient(this.getMetaDataManager(), address, getServicesMap(), jsonChannel);
-		jsonChannel.connect(bimServerClient);
+		jsonChannel.connect(bimServerClient);
 		bimServerClient.setAuthentication(authenticationInfo);
-		bimServerClient.connect();
-		return bimServerClient;
+		bimServerClient.connect();
+		return bimServerClient;
 	}
 }
diff --git a/BimServerClientLib/src/org/bimserver/client/json/JsonBimServerSSLClientFactory.java b/BimServerClientLib/src/org/bimserver/client/json/JsonBimServerSSLClientFactory.java
diff --git a/BimServerClientLib/src/org/bimserver/client/json/JsonSSLSocketReflectorFactory.java b/BimServerClientLib/src/org/bimserver/client/json/JsonSSLSocketReflectorFactory.java