Accept SSL certificates by providing a resource path.

isabek · mp911de · commit b8b7f19c22bb · 2021-02-18T11:30:00.000+01:00
We now try to resolve SSL certificates first from the class path and then fall back to files when providing a path as string. [resolves #313][closes #318] Signed-off-by: Mark Paluch <mpaluch@vmware.com>
diff --git a/README.md b/README.md
@@ -82,17 +82,18 @@ Mono<Connection> connectionMono = Mono.from(connectionFactory.create());
 | `compatibilityMode` | Enable compatibility mode for cursored fetching. Required when using newer pgpool versions. Defaults to `false`. _(Optional)_
 | `errorResponseLogLevel` | Log level for error responses. Any of `OFF`, `DEBUG`, `INFO`, `WARN` or `ERROR`  Defaults to `DEBUG`. _(Optional)_
 | `fetchSize`       | The default number of rows to return when fetching results. Defaults to `0` for unlimited. _(Optional)_
-| `forceBinary`     | Whether to force binary transfer.  Defaults to `false`. _(Optional)_
+| `forceBinary`     | Whether to force binary transfer. Defaults to `false`. _(Optional)_
 | `loopResources`   | TCP/Socket LoopResources (depends on the endpoint connection type). _(Optional)_
 | `noticeLogLevel`  | Log level for error responses. Any of `OFF`, `DEBUG`, `INFO`, `WARN` or `ERROR`  Defaults to `DEBUG`. _(Optional)_
 | `preferAttachedBuffers` |Configure whether codecs should prefer attached data buffers. The default is `false`, meaning that codecs will copy data from the input buffer into a byte array. Enabling attached buffers requires consumption of values such as `Json`  to avoid memory leaks.
 | `preparedStatementCacheQueries` | Determine the number of queries that are cached in each connection. The default is `-1`, meaning there's no limit. The value of `0` disables the cache. Any other value specifies the cache size.
-| `options`         | A `Map<String, String>` of connection parameters. These are applied to each database connection created by the `ConnectionFactory`. Useful for setting generic [PostgreSQL connection parameters][psql-runtime-config]. _(Optional)_
+| `options`         | A `Map<String, String>` of connection parameters. These are applied to each database connection created by the `ConnectionFactory`. Useful for setting generic [PostgreSQL connection parameters][psql-runtime-config]. _(
+Optional)_
 | `schema`          | The search path to set. _(Optional)_
 | `sslMode`         | SSL mode to use, see `SSLMode` enum. Supported values: `DISABLE`, `ALLOW`, `PREFER`, `REQUIRE`, `VERIFY_CA`, `VERIFY_FULL`, `TUNNEL`. _(Optional)_
-| `sslRootCert`     | Path to SSL CA certificate in PEM format. _(Optional)_
-| `sslKey`          | Path to SSL key for TLS authentication in PEM format. _(Optional)_
-| `sslCert`         | Path to SSL certificate for TLS authentication in PEM format. _(Optional)_
+| `sslRootCert`     | Path to SSL CA certificate in PEM format. Can be also a resource path. _(Optional)_
+| `sslKey`          | Path to SSL key for TLS authentication in PEM format. Can be also a resource path. _(Optional)_
+| `sslCert`         | Path to SSL certificate for TLS authentication in PEM format. Can be also a resource path. _(Optional)_
 | `sslPassword`     | Key password to decrypt SSL key. _(Optional)_
 | `sslHostnameVerifier` | `javax.net.ssl.HostnameVerifier` implementation. _(Optional)_
 | `tcpNoDelay`      | Enable/disable TCP NoDelay. Enabled by default. _(Optional)_
diff --git a/src/main/java/io/r2dbc/postgresql/PostgresqlConnectionConfiguration.java b/src/main/java/io/r2dbc/postgresql/PostgresqlConnectionConfiguration.java
@@ -37,7 +37,11 @@
 
 import javax.net.ssl.HostnameVerifier;
 import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
 import java.net.Socket;
+import java.net.URL;
 import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -360,20 +364,20 @@ public static final class Builder {
         private String socket;
 
         @Nullable
-        private String sslCert = null;
+        private URL sslCert = null;
 
         private HostnameVerifier sslHostnameVerifier = DefaultHostnameVerifier.INSTANCE;
 
         @Nullable
-        private String sslKey = null;
+        private URL sslKey = null;
 
         private SSLMode sslMode = SSLMode.DISABLE;
 
         @Nullable
         private CharSequence sslPassword = null;
 
         @Nullable
-        private String sslRootCert = null;
+        private URL sslRootCert = null;
 
         private Function<SslContextBuilder, SslContextBuilder> sslContextBuilderCustomizer = Function.identity();
 
@@ -702,13 +706,24 @@ public Builder sslContextBuilderCustomizer(Function<SslContextBuilder, SslContex
         }
 
         /**
-         * Configure ssl cert for client certificate authentication.
+         * Configure ssl cert for client certificate authentication. Can point to either a resource within the classpath or a file.
          *
          * @param sslCert an X.509 certificate chain file in PEM format
          * @return this {@link Builder}
          */
         public Builder sslCert(String sslCert) {
-            this.sslCert = Assert.requireFileExistsOrNull(sslCert, "sslCert must not be null and must exist");
+            return sslCert(requireExistingFilePath(sslCert, "sslCert must not be null and must exist"));
+        }
+
+        /**
+         * Configure ssl cert for client certificate authentication.
+         *
+         * @param sslCert an X.509 certificate chain file in PEM format
+         * @return this {@link Builder}
+         * @since 0.8.7
+         */
+        public Builder sslCert(URL sslCert) {
+            this.sslCert = Assert.requireNonNull(sslCert, "sslCert must not be null");
             return this;
         }
 
@@ -724,13 +739,24 @@ public Builder sslHostnameVerifier(HostnameVerifier sslHostnameVerifier) {
         }
 
         /**
-         * Configure ssl key for client certificate authentication.
+         * Configure ssl key for client certificate authentication.  Can point to either a resource within the classpath or a file.
          *
          * @param sslKey a PKCS#8 private key file in PEM format
          * @return this {@link Builder}
          */
         public Builder sslKey(String sslKey) {
-            this.sslKey = Assert.requireFileExistsOrNull(sslKey, "sslKey must not be null and must exist");
+            return sslKey(requireExistingFilePath(sslKey, "sslKey must not be null and must exist"));
+        }
+
+        /**
+         * Configure ssl key for client certificate authentication.
+         *
+         * @param sslKey a PKCS#8 private key file in PEM format
+         * @return this {@link Builder}
+         * @since 0.8.7
+         */
+        public Builder sslKey(URL sslKey) {
+            this.sslKey = Assert.requireNonNull(sslKey, "sslKey must not be null");
             return this;
         }
 
@@ -757,13 +783,24 @@ public Builder sslPassword(@Nullable CharSequence sslPassword) {
         }
 
         /**
-         * Configure ssl root cert for server certificate validation.
+         * Configure ssl root cert for server certificate validation. Can point to either a resource within the classpath or a file.
          *
          * @param sslRootCert an X.509 certificate chain file in PEM format
          * @return this {@link Builder}
          */
         public Builder sslRootCert(String sslRootCert) {
-            this.sslRootCert = Assert.requireFileExistsOrNull(sslRootCert, "sslRootCert must not be null and must exist");
+            return sslRootCert(requireExistingFilePath(sslRootCert, "sslRootCert must not be null and must exist"));
+        }
+
+        /**
+         * Configure ssl root cert for server certificate validation.
+         *
+         * @param sslRootCert an X.509 certificate chain file in PEM format
+         * @return this {@link Builder}
+         * @since 0.8.7
+         */
+        public Builder sslRootCert(URL sslRootCert) {
+            this.sslRootCert = Assert.requireNonNull(sslRootCert, "sslRootCert must not be null and must exist");
             return this;
         }
 
@@ -851,14 +888,14 @@ private Supplier<SslProvider> createSslProvider() {
             SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
             if (this.sslMode.verifyCertificate()) {
                 if (this.sslRootCert != null) {
-                    sslContextBuilder.trustManager(new File(this.sslRootCert));
+                    doWithStream(this.sslRootCert, sslContextBuilder::trustManager);
                 }
             } else {
                 sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
             }
 
-            String sslKey = this.sslKey;
-            String sslCert = this.sslCert;
+            URL sslKey = this.sslKey;
+            URL sslCert = this.sslCert;
 
             // Emulate Libpq behavior
             // Determining the default file location
@@ -872,21 +909,24 @@ private Supplier<SslProvider> createSslProvider() {
 
             if (sslCert == null) {
                 String pathname = defaultDir + "postgresql.crt";
-                if (new File(pathname).exists()) {
-                    sslCert = pathname;
-                }
+                sslCert = resolveUrlFromFile(pathname);
             }
 
             if (sslKey == null) {
                 String pathname = defaultDir + "postgresql.pk8";
-                if (new File(pathname).exists()) {
-                    sslKey = pathname;
-                }
+                sslKey = resolveUrlFromFile(pathname);
             }
 
+            URL sslKeyToUse = sslKey;
+
             if (sslKey != null && sslCert != null) {
                 String sslPassword = this.sslPassword == null ? null : this.sslPassword.toString();
-                sslContextBuilder.keyManager(new File(sslCert), new File(sslKey), sslPassword);
+
+                doWithStream(sslCert, certStream -> {
+                    doWithStream(sslKeyToUse, keyStream -> {
+                        sslContextBuilder.keyManager(certStream, keyStream, sslPassword);
+                    });
+                });
             }
 
             return () -> SslProvider.builder()
@@ -895,6 +935,54 @@ private Supplier<SslProvider> createSslProvider() {
                 .build();
         }
 
+        interface StreamConsumer {
+
+            void doWithStream(InputStream is) throws IOException;
+
+        }
+
+        private void doWithStream(URL url, StreamConsumer consumer) {
+
+            try (InputStream is = url.openStream()) {
+
+                consumer.doWithStream(is);
+            } catch (IOException e) {
+                throw new IllegalStateException("Error while reading " + url, e);
+            }
+        }
+
+        private URL requireExistingFilePath(String path, String message) {
+
+            Assert.requireNonNull(path, message);
+
+            URL resource = getClass().getClassLoader().getResource(path);
+
+            if (resource != null) {
+                return resource;
+            }
+
+            if (!new File(path).exists()) {
+                throw new IllegalArgumentException(message);
+            }
+
+            return resolveUrlFromFile(path);
+        }
+
+        private URL resolveUrlFromFile(String pathname) {
+
+            File file = new File(pathname);
+
+            if (file.exists()) {
+                try {
+                    return file.toURI().toURL();
+                } catch (MalformedURLException e) {
+                    throw new IllegalArgumentException(String.format("Malformed error occurred during creating URL from %s", pathname));
+                }
+            }
+
+            return null;
+        }
+
     }
 
     static class FixedFetchSize implements ToIntFunction<String> {
diff --git a/src/main/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProvider.java b/src/main/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProvider.java
@@ -144,7 +144,7 @@ public final class PostgresqlConnectionFactoryProvider implements ConnectionFact
     public static final Option<Function<SslContextBuilder, SslContextBuilder>> SSL_CONTEXT_BUILDER_CUSTOMIZER = Option.valueOf("sslContextBuilderCustomizer");
 
     /**
-     * Full path for the certificate file.
+     * Path for the certificate file. Can point to either a resource within the classpath or a file.
      */
     public static final Option<String> SSL_CERT = Option.valueOf("sslCert");
 
@@ -154,7 +154,7 @@ public final class PostgresqlConnectionFactoryProvider implements ConnectionFact
     public static final Option<HostnameVerifier> SSL_HOSTNAME_VERIFIER = Option.valueOf("sslHostnameVerifier");
 
     /**
-     * Full path for the key file.
+     * File path for the key file. Can point to either a resource within the classpath or a file.
      */
     public static final Option<String> SSL_KEY = Option.valueOf("sslKey");
 
@@ -169,7 +169,7 @@ public final class PostgresqlConnectionFactoryProvider implements ConnectionFact
     public static final Option<String> SSL_PASSWORD = Option.valueOf("sslPassword");
 
     /**
-     * File name of the SSL root certificate.
+     * File path of the SSL root certificate. Can point to either a resource within the classpath or a file.
      */
     public static final Option<String> SSL_ROOT_CERT = Option.valueOf("sslRootCert");
 
diff --git a/src/test/java/io/r2dbc/postgresql/PostgresqlConnectionConfigurationUnitTests.java b/src/test/java/io/r2dbc/postgresql/PostgresqlConnectionConfigurationUnitTests.java
@@ -190,4 +190,96 @@ void constructorNoSslCustomizer() {
             .withMessage("sslContextBuilderCustomizer must not be null");
     }
 
+    @Test
+    void constructorNoSslCert() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .password("test-password")
+            .sslCert((String) null)
+            .build())
+            .withMessage("sslCert must not be null and must exist");
+    }
+
+    @Test
+    void constructorNotExistSslCert() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .username("test-username")
+            .password("test-password")
+            .sslCert("no-client.crt")
+            .build())
+            .withMessage("sslCert must not be null and must exist");
+    }
+
+    @Test
+    void constructorSslCert() {
+        PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .username("test-username")
+            .password("test-password")
+            .sslCert("client.crt")
+            .build();
+    }
+
+    @Test
+    void constructorNoSslKey() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .password("test-password")
+            .sslKey((String) null)
+            .build())
+            .withMessage("sslKey must not be null and must exist");
+    }
+
+    @Test
+    void constructorNotExistSslKey() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .username("test-username")
+            .password("test-password")
+            .sslKey("no-client.key")
+            .build())
+            .withMessage("sslKey must not be null and must exist");
+    }
+
+    @Test
+    void constructorSslKey() {
+        PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .username("test-username")
+            .password("test-password")
+            .sslKey("client.key")
+            .build();
+    }
+
+    @Test
+    void constructorNullSslRootCert() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .password("test-password")
+            .sslRootCert((String) null)
+            .build())
+            .withMessage("sslRootCert must not be null and must exist");
+    }
+
+    @Test
+    void constructorNotExistSslRootCert() {
+        assertThatIllegalArgumentException().isThrownBy(() -> PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .password("test-password")
+            .sslRootCert("no-server.crt")
+            .build())
+            .withMessage("sslRootCert must not be null and must exist");
+    }
+
+    @Test
+    void constructorSslRootCert() {
+        PostgresqlConnectionConfiguration.builder()
+            .host("test-host")
+            .username("test-username")
+            .password("test-password")
+            .sslRootCert("client.crt")
+            .build();
+    }
+
 }
diff --git a/src/test/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProviderUnitTests.java b/src/test/java/io/r2dbc/postgresql/PostgresqlConnectionFactoryProviderUnitTests.java
