Refactor: extract sslContext logic to a separate class

Author: zoewangg

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/AwaitCloseChannelPoolMap.java

@@ -31,6 +31,7 @@
 import java.net.URISyntaxException;
 import java.time.Duration;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ConcurrentHashMap;
@@ -90,6 +91,7 @@ public void channelCreated(Channel ch) throws Exception {
     private final SslProvider sslProvider;
     private final ProxyConfiguration proxyConfiguration;
     private final BootstrapProvider bootstrapProvider;
+    private final SslContextProvider sslContextProvider;
 
     private AwaitCloseChannelPoolMap(Builder builder, Function<Builder, BootstrapProvider> createBootStrapProvider) {
         this.configuration = builder.configuration;
@@ -100,6 +102,7 @@ private AwaitCloseChannelPoolMap(Builder builder, Function<Builder, BootstrapPro
         this.sslProvider = builder.sslProvider;
         this.proxyConfiguration = builder.proxyConfiguration;
         this.bootstrapProvider = createBootStrapProvider.apply(builder);
+        this.sslContextProvider = new SslContextProvider(configuration, protocol, sslProvider);
     }
 
     private AwaitCloseChannelPoolMap(Builder builder) {
@@ -123,8 +126,11 @@ public static Builder builder() {
 
     @Override
     protected SimpleChannelPoolAwareChannelPool newPool(URI key) {
-        SslContext sslContext = sslContext(key);
-        
+        SslContext sslContext = null;
+        if (needSslContext(key)) {
+            sslContext = sslContextProvider.sslContext();
+        }
+
         Bootstrap bootstrap = createBootstrap(key);
 
         AtomicReference<ChannelPool> channelPoolRef = new AtomicReference<>();
@@ -259,53 +265,12 @@ private SdkChannelPool wrapBaseChannelPool(Bootstrap bootstrap, ChannelPool chan
         return sdkChannelPool;
     }
 
-    private SslContext sslContext(URI targetAddress) {
+    private boolean needSslContext(URI targetAddress) {
         URI proxyAddress = proxyAddress(targetAddress);
-
         boolean needContext = targetAddress.getScheme().equalsIgnoreCase("https")
-                || proxyAddress != null && proxyAddress.getScheme().equalsIgnoreCase("https");
-
-        if (!needContext) {
-            return null;
-        }
+                              || proxyAddress != null && proxyAddress.getScheme().equalsIgnoreCase("https");
 
-        try {
-            return SslContextBuilder.forClient()
-                                    .sslProvider(sslProvider)
-                                    .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
-                                    .trustManager(getTrustManager())
-                                    .keyManager(getKeyManager())
-                                    .build();
-        } catch (SSLException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private TrustManagerFactory getTrustManager() {
-        Validate.isTrue(configuration.tlsTrustManagersProvider() == null || !configuration.trustAllCertificates(),
-                        "A TlsTrustManagerProvider can't be provided if TrustAllCertificates is also set");
-
-        if (configuration.tlsTrustManagersProvider() != null) {
-            return StaticTrustManagerFactory.create(configuration.tlsTrustManagersProvider().trustManagers());
-        }
-
-        if (configuration.trustAllCertificates()) {
-            log.warn(() -> "SSL Certificate verification is disabled. This is not a safe setting and should only be "
-                           + "used for testing.");
-            return InsecureTrustManagerFactory.INSTANCE;
-        }
-
-        return null;
-    }
-
-    private KeyManagerFactory getKeyManager() {
-        if (configuration.tlsKeyManagersProvider() != null) {
-            KeyManager[] keyManagers = configuration.tlsKeyManagersProvider().keyManagers();
-            if (keyManagers != null) {
-                return StaticKeyManagerFactory.create(keyManagers);
-            }
-        }
-        return null;
+        return needContext;
     }
 
     public static class Builder {

http-clients/netty-nio-client/src/main/java/software/amazon/awssdk/http/nio/netty/internal/SslContextProvider.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package software.amazon.awssdk.http.nio.netty.internal;
+
+import io.netty.handler.codec.http2.Http2SecurityUtil;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.SslProvider;
+import io.netty.handler.ssl.SupportedCipherSuiteFilter;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManagerFactory;
+import software.amazon.awssdk.annotations.SdkInternalApi;
+import software.amazon.awssdk.http.Protocol;
+import software.amazon.awssdk.utils.Logger;
+import software.amazon.awssdk.utils.Validate;
+
+@SdkInternalApi
+public final class SslContextProvider {
+    private static final Logger log = Logger.loggerFor(SslContextProvider.class);
+    private final Protocol protocol;
+    private final SslProvider sslProvider;
+    private final TrustManagerFactory trustManagerFactory;
+    private final KeyManagerFactory keyManagerFactory;
+
+    public SslContextProvider(NettyConfiguration configuration, Protocol protocol, SslProvider sslProvider) {
+        this.protocol = protocol;
+        this.sslProvider = sslProvider;
+        this.trustManagerFactory = getTrustManager(configuration);
+        this.keyManagerFactory = getKeyManager(configuration);
+    }
+
+    public SslContext sslContext() {
+        try {
+            return SslContextBuilder.forClient()
+                                    .sslProvider(sslProvider)
+                                    .ciphers(Http2SecurityUtil.CIPHERS, SupportedCipherSuiteFilter.INSTANCE)
+                                    .trustManager(trustManagerFactory)
+                                    .keyManager(keyManagerFactory)
+                                    .build();
+        } catch (SSLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private TrustManagerFactory getTrustManager(NettyConfiguration configuration) {
+        Validate.isTrue(configuration.tlsTrustManagersProvider() == null || !configuration.trustAllCertificates(),
+                        "A TlsTrustManagerProvider can't be provided if TrustAllCertificates is also set");
+
+        if (configuration.tlsTrustManagersProvider() != null) {
+            return StaticTrustManagerFactory.create(configuration.tlsTrustManagersProvider().trustManagers());
+        }
+
+        if (configuration.trustAllCertificates()) {
+            log.warn(() -> "SSL Certificate verification is disabled. This is not a safe setting and should only be "
+                           + "used for testing.");
+            return InsecureTrustManagerFactory.INSTANCE;
+        }
+
+        return null;
+    }
+
+    private KeyManagerFactory getKeyManager(NettyConfiguration configuration) {
+        if (configuration.tlsKeyManagersProvider() != null) {
+            KeyManager[] keyManagers = configuration.tlsKeyManagersProvider().keyManagers();
+            if (keyManagers != null) {
+                return StaticKeyManagerFactory.create(keyManagers);
+            }
+        }
+        return null;
+    }
+}