Issue #13 - add option to bypass SSL restrictions in scenarios like development where untrusted certs are the norm

Author: gondor

src/main/java/org/openstack4j/api/EndpointTokenProvider.java

@@ -23,5 +23,13 @@ public interface EndpointTokenProvider {
 	 * @return the auth token identifier
 	 */
 	String getTokenId();
+
+	/**
+	 * Determines if the client should ignore self-signed cerificates and hostnames typically found in private or
+	 * DEV based environments.
+	 * 
+	 * @return true to use non strict SSL client
+	 */
+	boolean useNonStrictSSLClient();
 
 }

src/main/java/org/openstack4j/core/transport/HttpExecutorService.java

@@ -16,4 +16,14 @@ public interface HttpExecutorService {
 	 */
 	<R> HttpResponse execute(HttpRequest<R> request);
 
+	/**
+	 * Executes the given request and returns the {@code HttpResponse} result from the server
+	 *
+	 * @param <R> the underlying return entity type
+	 * @param request the request to execute
+	 * @param useNonStrictSSL set this to true if the endpoint is using a self-signed certificate.  False to use trusted only client
+	 * @return HttpResponse from the server
+	 */
+	<R> HttpResponse execute(HttpRequest<R> request, boolean useNonStrictSSL);
+	
 }

src/main/java/org/openstack4j/core/transport/HttpRequest.java

@@ -33,8 +33,7 @@ public class HttpRequest<R> {
 	private Map<String, List<Object>> queryParams;
 	private Map<String, Object> headers = new HashMap<String, Object>();
 	private Function<String, String> endpointFunc;
-	
-	
+	private boolean useNonStrictSSLClient;
 	public HttpRequest() { }
 
 	/**
@@ -96,6 +95,10 @@ public String getEndpoint() {
 		return endpoint;
 	}
 
+	public boolean useNonStrictSSLClient() {
+			return useNonStrictSSLClient;
+	}
+	
 	/**
 	 * @return the http path
 	 */
@@ -358,6 +361,7 @@ public HttpRequest<R> build() {
 			if (provider != null)
 			{
 				request.endpoint = provider.getEndpoint(service);
+				request.useNonStrictSSLClient = provider.useNonStrictSSLClient();
 				request.getHeaders().put(ClientConstants.HEADER_X_AUTH_TOKEN, provider.getTokenId());
 			}
 			return request;

src/main/java/org/openstack4j/core/transport/internal/ClientFactory.java

@@ -1,7 +1,15 @@
 package org.openstack4j.core.transport.internal;
 
 import java.io.IOException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import javax.ws.rs.client.Client;
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.client.ClientRequestContext;
@@ -24,24 +32,29 @@
 class ClientFactory {
 
 	private static final CustomContextResolver RESOLVER = new CustomContextResolver();
+	private static Client clientStrict;
 	private static Client client;
+
 
 	/**
 	 * Creates or Returns a Client
 	 *
 	 * @return the client
 	 */
-	static Client create() {
+	static Client create(boolean useNonStrictSSL) {
+		
+		if (useNonStrictSSL)
+			return getNonStrictSSLClient();
 
-		if (client == null) {
-			client = ClientBuilder.newBuilder()
+		if (clientStrict == null) {
+			clientStrict = ClientBuilder.newBuilder()
 					 									.register(JacksonFeature.class)
 					 									.register(RESOLVER)
 					 									.register(new RequestFilter())
 					 									.build();
 		}
 
-		return client;
+		return clientStrict;
 	}
 
 	private static final class RequestFilter implements ClientRequestFilter {
@@ -54,7 +67,44 @@ public void filter(ClientRequestContext requestContext) throws IOException {
 			requestContext.getHeaders().remove(ClientConstants.HEADER_CONTENT_LANGUAGE);
 			requestContext.getHeaders().remove(ClientConstants.HEADER_CONTENT_ENCODING);			
 		}
+	}
+	
+	private static Client getNonStrictSSLClient() {
+		if (client == null) 
+		{
+			ClientBuilder cb = ClientBuilder.newBuilder()
+					.register(JacksonFeature.class)
+					.register(RESOLVER)
+					.register(new RequestFilter());
+			
+			try
+			{
+				TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
+					public X509Certificate[] getAcceptedIssuers() {
+						return null;
+					}
+					public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+					public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+				} };
+				SSLContext context = SSLContext.getInstance("TLS");
+				context.init(null, trustAllCerts, new SecureRandom());
+				HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
+				
+				cb.sslContext(context);
+				cb.hostnameVerifier(new HostnameVerifier() {
+					@Override
+					public boolean verify(String s, SSLSession session) {
+						return true;
+					} });
+			}
+			catch (Throwable t) {
+				t.printStackTrace();
+			}
+			
+			client = cb.build();
+		}
 
+		return client;
 	}
 
 	private static final class CustomContextResolver implements ContextResolver<ObjectMapper> {

src/main/java/org/openstack4j/core/transport/internal/HttpExecutor.java

@@ -40,8 +40,16 @@ public static HttpExecutor create() {
 	 */
 	@Override
 	public <R> HttpResponse execute(HttpRequest<R> request) {
+		return execute(request, request.useNonStrictSSLClient());
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public <R> HttpResponse execute(HttpRequest<R> request, boolean useNonStrictSSL) {
 		try {
-			return invoke(request);
+			return invoke(request, useNonStrictSSL);
 		}
 		catch (ResponseException re) {
 			throw re;
@@ -51,7 +59,7 @@ public <R> HttpResponse execute(HttpRequest<R> request) {
 			return null;
 		}
 	}
-
+	
 	/**
 	 * Invokes the given request
 	 *
@@ -60,8 +68,8 @@ public <R> HttpResponse execute(HttpRequest<R> request) {
 	 * @return the response
 	 * @throws Exception the exception
 	 */
-	private <R> HttpResponse invoke(HttpRequest<R> request) throws Exception {
-		Client client = ClientFactory.create();
+	private <R> HttpResponse invoke(HttpRequest<R> request, boolean useNonStrictSSL) throws Exception {
+		Client client = ClientFactory.create(useNonStrictSSL);
 		WebTarget target = client.target(request.getEndpoint()).path(request.getPath());
 
 		if (Boolean.getBoolean(HttpLoggingFilter.class.getName()))

src/main/java/org/openstack4j/openstack/OSFactory.java

@@ -22,7 +22,8 @@ public class OSFactory {
 		String user;
 		String tenantName;
 		String password;
-
+		boolean useNonStrictSSL;
+		
 		private OSFactory() { }
 
 		/**
@@ -40,22 +41,51 @@ public static OSFactory builder() {
 			return new OSFactory();
 		}
 
+		/**
+		 * The identity endpoint to connect to
+		 * @param endpoint the endpoint URL of the identity service
+		 * @return self for method chaining
+		 */
 		public OSFactory endpoint(String endpoint) {
 			this.endpoint = endpoint;
 			return this;
 		}
 
+		/**
+		 * The authentication credentials
+		 * 
+		 * @param user the user to authenticate with
+		 * @param password the password to authenticate with
+		 * @return self for method chaining
+		 */
 		public OSFactory credentials(String user, String password) {
 		  this.user = user;
 			this.password = password;
 			return this;
 		}
 
+		/**
+		 * The tenant/project to authenticate as
+		 * @param tenantName the tenant/project name
+		 * @return self for method chaining
+		 */
 		public OSFactory tenantName(String tenantName) {
 			this.tenantName = tenantName;
 			return this;
 		}
 
+		/**
+		 * In some private environments self signed certificates are used.  If you are using HTTPS and using
+		 * self-signed cerificates then set this to true.  Otherwise the default strict hostname and properly
+		 * signed validation based client will be used.
+		 * 
+		 * @param useNonStrictSSL true if an HTTPS self-signed environment
+		 * @return self for method chaining
+		 */
+		public OSFactory useNonStrictSSLClient(boolean useNonStrictSSL) {
+			this.useNonStrictSSL = useNonStrictSSL;
+			return this;
+		}
 		/**
 		 * Attempts to connect, authenticated and obtain an authorization access entity which contains a token, service catalog and endpoints
 		 * from the controller. As a result a client will be returned encapsulating the authorized access and corresponding API access
@@ -66,8 +96,8 @@ public OSFactory tenantName(String tenantName) {
 		public OSClient authenticate() throws AuthenticationException {
 			Credentials credentials = new Credentials(user, password, tenantName);
 			HttpRequest<KeystoneAccess> request = HttpRequest.builder(KeystoneAccess.class).endpoint(endpoint).method(HttpMethod.POST).path("/tokens").entity(credentials).build();
-			KeystoneAccess access = HttpExecutor.create().execute(request).getEntity(KeystoneAccess.class);
-			return OSClientSession.createSession(access.applyContext(endpoint, credentials));
+			KeystoneAccess access = HttpExecutor.create().execute(request, useNonStrictSSL).getEntity(KeystoneAccess.class);
+			return OSClientSession.createSession(access.applyContext(endpoint, credentials), useNonStrictSSL);
 		}
 
 }

src/main/java/org/openstack4j/openstack/identity/domain/KeystoneAccess.java

@@ -27,7 +27,7 @@ public class KeystoneAccess implements Access {
 	private AccessUser user;
 	private String endpoint;
 	private Credentials credentials;
-
+	
 	/**
 	 * @return the token
 	 */

src/main/java/org/openstack4j/openstack/internal/OSClientSession.java

@@ -40,15 +40,21 @@ public class OSClientSession implements OSClient, EndpointTokenProvider {
 	KeystoneAccess access;
 	Set<ServiceType> supports;
 	String publicHostIP;
+	boolean useNonStrictSSL;
 
-	private OSClientSession(KeystoneAccess access, String endpoint)
+	private OSClientSession(KeystoneAccess access, String endpoint, boolean useNonStrictSSL)
 	{
 		this.access = access;
+		this.useNonStrictSSL = useNonStrictSSL;
 		sessions.set(this);
 	}
 
 	public static OSClientSession createSession(KeystoneAccess access) {
-		return new OSClientSession(access, access.getEndpoint());
+		return new OSClientSession(access, access.getEndpoint(), Boolean.FALSE);
+	}
+	
+	public static OSClientSession createSession(KeystoneAccess access, boolean useNonStrictSSL) {
+		return new OSClientSession(access, access.getEndpoint(), useNonStrictSSL);
 	}
 
 	public static OSClientSession getCurrent() {
@@ -65,6 +71,14 @@ public Set<ServiceType> getSupportedServices() {
 		return supports;
 	}
 
+	/**
+	 * @return true if we should ignore self-signed cerificates
+	 */
+	@Override
+	public boolean useNonStrictSSLClient() {
+		return this.useNonStrictSSL;
+	}
+	
 	/**
 	 * {@inheritDoc}
 	 */