Merge pull request #2469 from NationalSecurityAgency/t#2462/pki_fail

T#2462/pki fail

.github/workflows/build-and-test-ssl.yml

@@ -18,6 +18,12 @@ on:
   schedule:
     - cron: '0 7 * * *'
   workflow_dispatch:
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - '.github/workflows/build-and-test-postgres.yml'
+      - '.github/workflows/publish-image-snapshot.yml'
+      - '.gitlab-ci.yml'
 
 jobs:
 

service/src/main/java/skills/auth/pki/HttpClientRestTemplateConfig.groovy

@@ -67,6 +67,10 @@ class HttpClientRestTemplateConfig {
 
     @Bean
     PoolingHttpClientConnectionManager poolingHttpClientConnectionManager() {
+        return createPoolingHttpClientConnectionManager();
+    }
+
+    PoolingHttpClientConnectionManager createPoolingHttpClientConnectionManager() {
         SSLContext sslContext = SSLContexts.createSystemDefault()
         HostnameVerifier allowAllHosts = new NoopHostnameVerifier();
         SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(

service/src/main/java/skills/auth/pki/PkiUserLookup.groovy

@@ -48,7 +48,7 @@ class PkiUserLookup {
 
 //    use @Autowired if you want to utilize apache HttpClient (see HttpClientRestTemplateConfig)
     @Autowired
-    RestTemplate restTemplate // = new RestTemplate()
+    RestTemplate restTemplate
 
     @Value('${skills.authorization.userInfoUri}')
     String userInfoUri

service/src/test/java/skills/intTests/RankingAndProgressViewsDisabledIT.groovy

@@ -26,7 +26,7 @@ import skills.intTests.utils.SkillsFactory
 @SpringBootTest(properties = ['skills.h2.port=9091', 'skills.config.ui.rankingAndProgressViewsEnabled=false', 'skills.config.ui.defaultLandingPage=progress',
         'skills.authorization.userInfoUri=https://localhost:8182/userInfo?dn={dn}',
         'skills.authorization.userQueryUri=https://localhost:8182/userQuery?query={query}',
-        'skills.authorization.userInfoHealthCheckUri=https://localhost:8182/actuator/health'], webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)
+        'skills.authorization.userInfoHealthCheckUri=https://localhost:8182/status'], webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)
 class RankingAndProgressViewsDisabledIT extends DefaultIntSpec {
 
     def "landingPage page is always admin when rankingAndProgressViewsDisabled=true"() {

service/src/test/java/skills/intTests/ServerTimingApiIT.groovy

@@ -23,7 +23,7 @@ import skills.intTests.utils.DefaultIntSpec
 @SpringBootTest(properties = ['skills.prof.serverTimingAPI.enabled=false',
         'skills.authorization.userInfoUri=https://localhost:8183/userInfo?dn={dn}',
         'skills.authorization.userQueryUri=https://localhost:8183/userQuery?query={query}',
-        'skills.authorization.userInfoHealthCheckUri=https://localhost:8183/actuator/health'],
+        'skills.authorization.userInfoHealthCheckUri=https://localhost:8183/status'],
         webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)
 class ServerTimingApiIT extends DefaultIntSpec {
 

service/src/test/java/skills/intTests/UpdtedDefaultHomePageIT.groovy

@@ -27,7 +27,7 @@ import skills.intTests.utils.DefaultIntSpec
         'skills.config.ui.defaultLandingPage=progress',
         'skills.authorization.userInfoUri=https://localhost:8184/userInfo?dn={dn}',
         'skills.authorization.userQueryUri=https://localhost:8184/userQuery?query={query}',
-        'skills.authorization.userInfoHealthCheckUri=https://localhost:8184/actuator/health'], webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)
+        'skills.authorization.userInfoHealthCheckUri=https://localhost:8184/status'], webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)
 class UpdtedDefaultHomePageIT extends DefaultIntSpec {
 
     def "landingPage page is always admin when rankingAndProgressViewsDisabled=true"() {

service/src/test/java/skills/intTests/UpgradeInProgressIT.groovy

@@ -47,7 +47,7 @@ import skills.storage.repos.UserRepo
         'skills.config.ui.rankingAndProgressViewsEnabled=false',
         'skills.config.ui.defaultLandingPage=progress',
         'skills.config.db-upgrade-in-progress=true',
-        'skills.authorization.userInfoHealthCheckUri=https://localhost:8189/actuator/health',
+        'skills.authorization.userInfoHealthCheckUri=https://localhost:8189/status',
         'skills.authorization.userInfoUri=https://localhost:8189/userInfo?dn={dn}',
         'skills.authorization.userQueryUri=https://localhost:8189/userQuery?query={query}',
         ], webEnvironment=SpringBootTest.WebEnvironment.RANDOM_PORT, classes = SpringBootApp)

service/src/test/java/skills/intTests/utils/MockUserInfoService.groovy

@@ -70,7 +70,7 @@ public class MockUserInfoService {
 
     @PostConstruct
     void start() {
-        def matcher = userInfoHealthCheckUri =~ /https:\/\/localhost:(\d\d\d\d)\/actuator\/health/
+        def matcher = userInfoHealthCheckUri =~ /https:\/\/localhost:(\d\d\d\d)\/status/
         int port = Integer.parseInt(matcher[0][1]);
 
         log.info("starting mock user-info-service on port ${port}")
@@ -88,10 +88,10 @@ public class MockUserInfoService {
                 .needClientAuth(true)
                 .extensions(new UserInfoResponseTransformer(userAttrsRepo)));
 
-        mockServer.stubFor(any(urlPathEqualTo("/actuator/health")).willReturn(
+        mockServer.stubFor(any(urlPathEqualTo("/status")).willReturn(
                 ok()
                 .withHeader(CONTENT_TYPE, "application/json")
-                .withBody("""{ "status": "UP" }""")
+                .withBody("""{ "status": "OK" }""")
         ));
         mockServer.stubFor(any(urlPathEqualTo("/userQuery")).willReturn(
                 ok()

service/src/test/java/skills/intTests/utils/SystemSSLConfiguration.groovy

@@ -16,13 +16,24 @@
 package skills.intTests.utils
 
 import groovy.util.logging.Slf4j
+import jakarta.annotation.PostConstruct
+import org.apache.hc.client5.http.classic.HttpClient
+import org.apache.hc.client5.http.impl.classic.HttpClients
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.context.annotation.Conditional
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory
 import org.springframework.stereotype.Component
 import org.springframework.util.ResourceUtils
+import org.springframework.web.client.RestTemplate
 import skills.auth.SecurityMode
+import skills.auth.pki.HttpClientRestTemplateConfig
 
-import jakarta.annotation.PostConstruct
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
+import java.security.KeyStore
 
 @Slf4j
 @Conditional(SecurityMode.PkiAuth)
@@ -42,8 +53,14 @@ class SystemSSLConfiguration {
     @Value('#{"${server.ssl.trustStoreType}"}')
     String trustStoreType
 
+    @Autowired
+    HttpClientRestTemplateConfig rtc
+
+    @Autowired
+    RestTemplate restTemplate
+
     @PostConstruct
-    public void init() {
+    void init() {
         if (keyStore) {
             log.info("Setting system ssl properties for integration tests")
             File ksFile = ResourceUtils.getFile(keyStore)
@@ -54,6 +71,35 @@ class SystemSSLConfiguration {
             System.setProperty("javax.net.ssl.trustStore", trustFile.getPath())
             System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword)
             System.setProperty("javax.net.ssl.trustStoreType", trustStoreType)
+
+            // override any existing default SSLContext
+            KeyStore keyStoreObj = KeyStore.getInstance("JKS");
+            keyStoreObj.load(new FileInputStream(ksFile), keyStorePassword.toCharArray());
+
+            // Set up key manager factory to use our key store
+            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            keyManagerFactory.init(keyStoreObj, keyStorePassword.toCharArray());
+
+            // truststore
+            KeyStore trustStoreObj = KeyStore.getInstance("JKS");
+            trustStoreObj.load(new FileInputStream(trustFile), trustStorePassword.toCharArray());
+
+            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init(trustStoreObj);
+
+            SSLContext ctx = SSLContext.getInstance("TLS");
+            ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+            SSLContext.setDefault(ctx);
+
+            HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
+            HttpClient httpClient = HttpClients.custom()
+                    .useSystemProperties()
+                    .setConnectionManager(rtc.createPoolingHttpClientConnectionManager())
+                    .setDefaultRequestConfig(rtc.requestConfig())
+                    .build()
+            HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory()
+            requestFactory.setHttpClient(httpClient)
+            restTemplate.setRequestFactory(requestFactory)
         }
     }
 }

service/src/test/resources/application-pki.properties

@@ -51,7 +51,7 @@ server.ssl.enabled-protocols=TLSv1.2
 skills.disableHostnameVerifier=true
 skills.authorization.userInfoUri=https://localhost:8181/userInfo?dn={dn}
 skills.authorization.userQueryUri=https://localhost:8181/userQuery?query={query}
-skills.authorization.userInfoHealthCheckUri=https://localhost:8181/actuator/health
+skills.authorization.userInfoHealthCheckUri=https://localhost:8181/status
 skills.authorization.authMode=PKI
 
 skills.config.notifications.dispatchSchedule=*/5 * * * * *