Add customizeSslContext(Consumer<SslContextBuilder>)

SslProvider is now created lazily on connect and we allow customization
of the used SslContextBuilder.

[resolves #191]

Author: mp911de

src/main/java/io/r2dbc/postgresql/PostgresqlConnectionConfiguration.java

@@ -36,6 +36,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.ServiceLoader;
+import java.util.function.Function;
+import java.util.function.Supplier;
 
 import static reactor.netty.tcp.SslProvider.DefaultConfigurationType.TCP;
 
@@ -277,6 +279,8 @@ public static final class Builder {
         @Nullable
         private String sslRootCert = null;
 
+        private Function<SslContextBuilder, SslContextBuilder> sslContextBuilderCustomizer = Function.identity();
+
         @Nullable
         private String username;
 
@@ -473,6 +477,20 @@ public Builder socket(String socket) {
             return this;
         }
 
+        /**
+         * Configure a {@link SslContextBuilder} customizer. The customizer gets applied on each SSL connection attempt to allow for just-in-time configuration updates. The {@link Function} gets
+         * called with the prepared {@link SslContextBuilder} that has all configuration options applied. The customizer may return the same builder or return a new builder instance to be used to
+         * build the SSL context.
+         *
+         * @param sslContextBuilderCustomizer customizer function
+         * @return this {@link Builder}
+         * @throws IllegalArgumentException if {@code sslContextBuilderCustomizer} is {@code null}
+         */
+        public Builder sslContextBuilderCustomizer(Function<SslContextBuilder, SslContextBuilder> sslContextBuilderCustomizer) {
+            this.sslContextBuilderCustomizer = Assert.requireNonNull(sslContextBuilderCustomizer, "sslContextBuilderCustomizer must not be null");
+            return this;
+        }
+
         /**
          * Configure ssl cert for client certificate authentication.
          *
@@ -544,6 +562,7 @@ public String toString() {
                 ", schema='" + this.schema + '\'' +
                 ", username='" + this.username + '\'' +
                 ", socket='" + this.socket + '\'' +
+                ", sslContextBuilderCustomizer='" + this.sslContextBuilderCustomizer + '\'' +
                 ", sslMode='" + this.sslMode + '\'' +
                 ", sslRootCert='" + this.sslRootCert + '\'' +
                 ", sslCert='" + this.sslCert + '\'' +
@@ -577,14 +596,14 @@ public Builder username(String username) {
 
         private SSLConfig createSslConfig() {
             if (this.socket != null || this.sslMode == SSLMode.DISABLE) {
-                return new SSLConfig(SSLMode.DISABLE, null, (hostname, session) -> true);
+                return SSLConfig.disabled();
             }
+
             HostnameVerifier hostnameVerifier = this.sslHostnameVerifier;
-            SslProvider sslProvider = createSslProvider();
-            return new SSLConfig(this.sslMode, sslProvider, hostnameVerifier);
+            return new SSLConfig(this.sslMode, createSslProvider(), hostnameVerifier);
         }
 
-        private SslProvider createSslProvider() {
+        private Supplier<SslProvider> createSslProvider() {
             SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
             if (this.sslMode.verifyCertificate()) {
                 if (this.sslRootCert != null) {
@@ -625,8 +644,10 @@ private SslProvider createSslProvider() {
                 String sslPassword = this.sslPassword == null ? null : this.sslPassword.toString();
                 sslContextBuilder.keyManager(new File(sslCert), new File(sslKey), sslPassword);
             }
-            return SslProvider.builder()
-                .sslContext(sslContextBuilder)
+
+
+            return () -> SslProvider.builder()
+                .sslContext(this.sslContextBuilderCustomizer.apply(sslContextBuilder))
                 .defaultConfiguration(TCP)
                 .build();
         }

src/main/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProvider.java

@@ -16,6 +16,7 @@
 
 package io.r2dbc.postgresql;
 
+import io.netty.handler.ssl.SslContextBuilder;
 import io.r2dbc.postgresql.client.SSLMode;
 import io.r2dbc.postgresql.util.Assert;
 import io.r2dbc.spi.ConnectionFactoryOptions;
@@ -24,6 +25,7 @@
 
 import javax.net.ssl.HostnameVerifier;
 import java.util.Map;
+import java.util.function.Function;
 
 import static io.r2dbc.spi.ConnectionFactoryOptions.CONNECT_TIMEOUT;
 import static io.r2dbc.spi.ConnectionFactoryOptions.DATABASE;
@@ -74,6 +76,11 @@ public final class PostgresqlConnectionFactoryProvider implements ConnectionFact
      */
     public static final Option<String> SOCKET = Option.valueOf("socket");
 
+    /**
+     * Customizer {@link Function} for {@link SslContextBuilder}.
+     */
+    public static final Option<Function<SslContextBuilder, SslContextBuilder>> SSL_CONTEXT_BUILDER_CUSTOMIZER = Option.valueOf("sslContextBuilderCustomizer");
+
     /**
      * Full path for the certificate file.
      */
@@ -216,6 +223,10 @@ static PostgresqlConnectionConfiguration createConfiguration(ConnectionFactoryOp
                     builder.sslHostnameVerifier((HostnameVerifier) sslHostnameVerifier);
                 }
             }
+
+            if (connectionFactoryOptions.hasOption(SSL_CONTEXT_BUILDER_CUSTOMIZER)) {
+                builder.sslContextBuilderCustomizer(connectionFactoryOptions.getRequiredValue(SSL_CONTEXT_BUILDER_CUSTOMIZER));
+            }
         }
 
         return builder.build();

src/main/java/io/r2dbc/postgresql/client/SSLConfig.java

@@ -22,16 +22,19 @@
 import reactor.util.annotation.Nullable;
 
 import javax.net.ssl.HostnameVerifier;
+import java.util.function.Supplier;
 
 public final class SSLConfig {
 
+    @Nullable
     private final HostnameVerifier hostnameVerifier;
 
     private final SSLMode sslMode;
 
-    private final SslProvider sslProvider;
+    @Nullable
+    private final Supplier<SslProvider> sslProvider;
 
-    public SSLConfig(SSLMode sslMode, @Nullable SslProvider sslProvider, @Nullable HostnameVerifier hostnameVerifier) {
+    public SSLConfig(SSLMode sslMode, @Nullable Supplier<SslProvider> sslProvider, @Nullable HostnameVerifier hostnameVerifier) {
         if (sslMode != SSLMode.DISABLE) {
             Assert.requireNonNull(sslProvider, "Ssl provider is required for ssl mode " + sslMode);
         }
@@ -43,16 +46,23 @@ public SSLConfig(SSLMode sslMode, @Nullable SslProvider sslProvider, @Nullable H
         this.hostnameVerifier = hostnameVerifier;
     }
 
-    public HostnameVerifier getHostnameVerifier() {
-        return hostnameVerifier;
+    public static SSLConfig disabled() {
+        return new SSLConfig(SSLMode.DISABLE, null, (hostname, session) -> true);
+    }
+
+    HostnameVerifier getHostnameVerifier() {
+        return this.hostnameVerifier;
     }
 
     public SSLMode getSslMode() {
-        return sslMode;
+        return this.sslMode;
     }
 
-    public SslProvider getSslProvider() {
-        return sslProvider;
+    public Supplier<SslProvider> getSslProvider() {
+        if (this.sslProvider == null) {
+            throw new IllegalStateException("SSL Mode disabled. SslProvider not available");
+        }
+        return this.sslProvider;
     }
 
     public SSLConfig mutateMode(SSLMode newMode) {

src/main/java/io/r2dbc/postgresql/client/SSLSessionHandlerAdapter.java

@@ -48,7 +48,7 @@ final class SSLSessionHandlerAdapter extends ChannelInboundHandlerAdapter implem
     SSLSessionHandlerAdapter(ByteBufAllocator alloc, SSLConfig sslConfig) {
         this.alloc = alloc;
         this.sslConfig = sslConfig;
-        this.sslEngine = sslConfig.getSslProvider()
+        this.sslEngine = sslConfig.getSslProvider().get()
             .getSslContext()
             .newEngine(alloc);
         this.handshakeFuture = new CompletableFuture<>();

src/test/java/io/r2dbc/postgresql/PostgresqlConnectionConfigurationTest.java

@@ -148,4 +148,12 @@ void constructorInvalidOptions() {
             .withMessage("option values must not be null");
     }
 
+    @Test
+    void constructorNoSslCustomizer() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .sslContextBuilderCustomizer(null)
+            .build())
+            .withMessage("sslContextBuilderCustomizer must not be null");
+    }
+
 }

src/test/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProviderTest.java

@@ -30,13 +30,16 @@
 import static io.r2dbc.postgresql.PostgresqlConnectionFactoryProvider.OPTIONS;
 import static io.r2dbc.postgresql.PostgresqlConnectionFactoryProvider.POSTGRESQL_DRIVER;
 import static io.r2dbc.postgresql.PostgresqlConnectionFactoryProvider.SOCKET;
+import static io.r2dbc.postgresql.PostgresqlConnectionFactoryProvider.SSL_CONTEXT_BUILDER_CUSTOMIZER;
+import static io.r2dbc.postgresql.PostgresqlConnectionFactoryProvider.SSL_MODE;
 import static io.r2dbc.spi.ConnectionFactoryOptions.DRIVER;
 import static io.r2dbc.spi.ConnectionFactoryOptions.HOST;
 import static io.r2dbc.spi.ConnectionFactoryOptions.PASSWORD;
 import static io.r2dbc.spi.ConnectionFactoryOptions.SSL;
 import static io.r2dbc.spi.ConnectionFactoryOptions.USER;
 import static io.r2dbc.spi.ConnectionFactoryOptions.builder;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 final class PostgresqlConnectionFactoryProviderTest {
@@ -202,6 +205,23 @@ void shouldConfigureAutodetectExtensions() {
         assertThat(factory.getConfiguration().isAutodetectExtensions()).isFalse();
     }
 
+    @Test
+    void shouldApplySslContextBuilderCustomizer() {
+
+        PostgresqlConnectionFactory factory = this.provider.create(builder()
+            .option(DRIVER, POSTGRESQL_DRIVER)
+            .option(HOST, "test-host")
+            .option(PASSWORD, "test-password")
+            .option(USER, "test-user")
+            .option(SSL_MODE, SSLMode.ALLOW)
+            .option(SSL_CONTEXT_BUILDER_CUSTOMIZER, sslContextBuilder -> {
+                throw new IllegalStateException("Works!");
+            })
+            .build());
+
+        assertThatIllegalStateException().isThrownBy(() -> factory.getConfiguration().getSslConfig().getSslProvider().get()).withMessageContaining("Works!");
+    }
+
     @Test
     void shouldConnectUsingUnixDomainSocket() {
 

src/test/java/io/r2dbc/postgresql/client/ReactorNettyClientIntegrationTests.java

@@ -645,6 +645,20 @@ void verifyCa() {
                         .verifyComplete());
             }
 
+            @Test
+            void verifyCaWithCustomizer() {
+                client(
+                    c -> c.sslContextBuilderCustomizer(sslContextBuilder -> {
+                        return sslContextBuilder.trustManager(new File(SERVER.getServerCrt()))
+                            .keyManager(new File(SERVER.getClientCrt()), new File(SERVER.getClientKey()));
+                    })
+                        .sslMode(SSLMode.VERIFY_CA),
+                    c -> c
+                        .as(StepVerifier::create)
+                        .expectNextCount(1)
+                        .verifyComplete());
+            }
+
             @Test
             void verifyCaFailedWithWrongRootCert() {
                 client(