From 84009f2ee421e2191f8cc32ce3a84e7fc09e305e Mon Sep 17 00:00:00 2001
From: Dimitar Popov
Date: Mon, 16 Dec 2024 20:18:33 +0100
Subject: [PATCH] Ssl bundles not working because of wrong condition (#3641)

* Add test for ssl bundle configuration
* Fix support of ssl bundles
---------
Co-authored-by: Dimitar Popov
---
 .../gateway/config/AbstractSslConfigurer.java | 5 +--
 .../ssl/ClientCertAuthSSLBundleTests.java | 33 ++++++++++++++
 .../application-client-auth-ssl-bundle.yml | 43 +++++++++++++++++++
 3 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100644 spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/test/ssl/ClientCertAuthSSLBundleTests.java
 create mode 100644 spring-cloud-gateway-server/src/test/resources/application-client-auth-ssl-bundle.yml

diff --git a/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/config/AbstractSslConfigurer.java b/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/config/AbstractSslConfigurer.java
index 3a32ecb1d3..1996abac50 100644
--- a/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/config/AbstractSslConfigurer.java
+++ b/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/config/AbstractSslConfigurer.java
@@ -67,10 +67,7 @@ protected HttpClientProperties.Ssl getSslProperties() {
 }
 
 protected SslBundle getBundle() {
- if (ssl.getSslBundle() == null || ssl.getSslBundle().length() > 0) {
- return null;
- }
- if (bundles.getBundleNames().contains(ssl.getSslBundle())) {
+ if (ssl.getSslBundle() != null && ssl.getSslBundle().length() > 0 && bundles.getBundleNames().contains(ssl.getSslBundle())) {
 return bundles.getBundle(ssl.getSslBundle());
 }
 return null;
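Review bot: The rewritten condition in getBundle still returns null when `ssl.getSslBundle()` names a bundle that is not registered, so a typo in `spring.cloud.gateway.httpclient.ssl.ssl-bundle` silently falls through to whatever the caller does on null instead of failing at startup; for a setting that selects the outbound client's key and trust material, a misconfiguration should be loud. Replacing the `getBundleNames().contains(...)` guard with a direct lookup, `String name = ssl.getSslBundle(); if (name == null || name.isEmpty()) { return null; } return bundles.getBundle(name);`, keeps the "no bundle configured" path and lets `SslBundles.getBundle` raise `NoSuchSslBundleException` for an unknown name — unless callers deliberately rely on the null fallback, which I cannot see from this hunk. The new single-line condition also runs well past the usual line width; splitting the three checks across lines would help. getBundle's closing brace is outside the hunk.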
diff --git a/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/test/ssl/ClientCertAuthSSLBundleTests.java b/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/test/ssl/ClientCertAuthSSLBundleTests.java
new file mode 100644
index 0000000000..7219d97aff
--- /dev/null
+++ b/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/test/ssl/ClientCertAuthSSLBundleTests.java
@@ -0,0 +1,33 @@
+package org.springframework.cloud.gateway.test.ssl;
+
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import org.junit.jupiter.api.BeforeEach;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.ssl.SslBundles;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.client.reactive.ReactorClientHttpConnector;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
+import reactor.netty.http.client.HttpClient;
+
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
+
+@SpringBootTest(webEnvironment = RANDOM_PORT)
+@DirtiesContext
+@ActiveProfiles("client-auth-ssl-bundle")
+public class ClientCertAuthSSLBundleTests extends SingleCertSSLTests {
+ @Autowired
+ private SslBundles sslBundles;
+
+ @BeforeEach
+ public void setup() throws Exception {
+ final var sslBundle = sslBundles.getBundle("scg-keystore-with-different-key-password");
+ final var sslContext = SslContextBuilder.forClient()
+ .trustManager(InsecureTrustManagerFactory.INSTANCE)
+ .keyManager(sslBundle.getManagers().getKeyManagerFactory())
+ .build();
+ HttpClient httpClient = HttpClient.create().secure(ssl -> ssl.sslContext(sslContext));
+ setup(new ReactorClientHttpConnector(httpClient), "https://localhost:" + port);
+ }
+}
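Review bot: The test client is built with `InsecureTrustManagerFactory.INSTANCE`, which switches off server-certificate validation, and nothing in the file says why that is acceptable here; a comment on that line such as `// test-only: the gateway serves a self-signed certificate, so server trust is disabled; client authentication is still exercised through the bundle's key manager` would keep the pattern from being copied into non-test code. The bundle name literal `"scg-keystore-with-different-key-password"` is repeated between this class and the profile YAML, so a `private static final String BUNDLE_NAME` constant would keep them in step. A class-level Javadoc stating that the test checks the outbound HttpClient picks up `spring.cloud.gateway.httpclient.ssl.ssl-bundle` (the condition corrected in AbstractSslConfigurer) would make the purpose of the dedicated profile clear; the inherited `port` field and the two-argument `setup` come from SingleCertSSLTests, which is outside this diff.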
diff --git a/spring-cloud-gateway-server/src/test/resources/application-client-auth-ssl-bundle.yml b/spring-cloud-gateway-server/src/test/resources/application-client-auth-ssl-bundle.yml
new file mode 100644
index 0000000000..2ca408d58e
--- /dev/null
+++ b/spring-cloud-gateway-server/src/test/resources/application-client-auth-ssl-bundle.yml
@@ -0,0 +1,43 @@
+test:
+ uri: lb:https://testservice
+
+server:
+ ssl:
+ enabled: true
+ key-alias: scg
+ key-store-password: scg1234
+ key-password: keyscg1234
+ key-store: classpath:scg-keystore-with-different-key-password.jks
+ trust-store: classpath:scg-truststore.jks
+ trust-store-password: scg1234
+ trust-store-type: JKS
+ key-store-type: JKS
+ client-auth: Need
+spring:
+ cloud:
+ gateway:
+ httpclient:
+ ssl:
+ ssl-bundle: scg-keystore-with-different-key-password
+ trustedX509Certificates:
+ - src/test/resources/single-cert-for-different-key-password.pem
+ default-filters:
+ - PrefixPath=/httpbin
+ routes:
+ - id: default_path_to_httpbin
+ uri: ${test.uri}
+ order: 10000
+ predicates:
+ - name: Path
+ args:
+ pattern: /**
+ ssl:
+ bundle:
+ jks:
+ scg-keystore-with-different-key-password:
+ key:
+ password: keyscg1234
+ keystore:
+ type: JKS
+ location: classpath:scg-keystore-with-different-key-password.jks
+ password: scg1234
\ No newline at end of file
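Review bot: The keystore location, key password and store password are written twice, once under `server.ssl` and once under `spring.ssl.bundle.jks`, so the two halves of this fixture can drift apart when one is edited. Since the bundle is already defined, the server side can reference it with `server.ssl.bundle: scg-keystore-with-different-key-password` and drop the duplicated `key-store`, `key-store-password`, `key-password` and `key-store-type` entries, keeping only the trust-store lines and `client-auth: Need`. Under `httpclient.ssl` both `ssl-bundle` and `trustedX509Certificates` are set; a short comment stating which one the outbound client is expected to use for trust would help, as the precedence is not visible from this file. The file also ends without a trailing newline.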