RHCLOUD-30039 Use TLS CA from Clowder with recipients-resolver

RedHatInsights · Jan 11, 2024 · aa6fdb5 · aa6fdb5
1 parent ba140d0
commit aa6fdb5
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 8 deletions.
diff --git a/...email/src/main/java/com/redhat/cloud/notifications/connector/email/EmailRouteBuilder.java b/...email/src/main/java/com/redhat/cloud/notifications/connector/email/EmailRouteBuilder.java
@@ -11,7 +11,9 @@
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
 import org.apache.camel.Predicate;
-import org.apache.camel.builder.endpoint.dsl.HttpEndpointBuilderFactory;
+import org.apache.camel.support.jsse.KeyStoreParameters;
+import org.apache.camel.support.jsse.SSLContextParameters;
+import org.apache.camel.support.jsse.TrustManagersParameters;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 
 import java.util.Set;
@@ -22,6 +24,7 @@
 import static com.redhat.cloud.notifications.connector.email.constants.ExchangeProperty.FILTERED_USERS;
 import static com.redhat.cloud.notifications.connector.http.SslTrustAllManager.getSslContextParameters;
 import static org.apache.camel.LoggingLevel.INFO;
+import static org.apache.camel.builder.endpoint.dsl.HttpEndpointBuilderFactory.HttpEndpointBuilder;
 
 @ApplicationScoped
 public class EmailRouteBuilder extends EngineToConnectorRouteBuilder {
@@ -58,7 +61,7 @@ public void configureRoutes() {
          * Prepares the payload accepted by BOP and sends the request to
          * the service.
          */
-        final HttpEndpointBuilderFactory.HttpEndpointBuilder bopEndpoint = this.setUpBOPEndpoint();
+        final HttpEndpointBuilder bopEndpoint = this.setUpBOPEndpoint();
 
         from(seda(ENGINE_TO_CONNECTOR))
             .routeId(emailConnectorConfig.getConnectorName())
@@ -97,7 +100,7 @@ private Predicate shouldSkipEmail() {
      * BOP service's certificate.
      * @return the created endpoint.
      */
-    protected HttpEndpointBuilderFactory.HttpEndpointBuilder setUpBOPEndpoint() {
+    protected HttpEndpointBuilder setUpBOPEndpoint() {
         // Remove the schema from the url to avoid the
         // "ResolveEndpointFailedException", which complaints about specifying
         // the schema twice.
@@ -111,12 +114,27 @@ protected HttpEndpointBuilderFactory.HttpEndpointBuilder setUpBOPEndpoint() {
         }
     }
 
-    private HttpEndpointBuilderFactory.HttpEndpointBuilder setupRecipientResolverEndpoint() {
+    private HttpEndpointBuilder setupRecipientResolverEndpoint() {
         final String fullURL = emailConnectorConfig.getRecipientsResolverServiceURL() + "/internal/recipients-resolver";
+
         if (fullURL.startsWith("https")) {
-            return https(fullURL.replace("https://", ""))
-                    .sslContextParameters(getSslContextParameters())
-                    .x509HostnameVerifier(NoopHostnameVerifier.INSTANCE);
+            HttpEndpointBuilder endpointBuilder = https(fullURL.replace("https://", ""));
+            if (emailConnectorConfig.getRecipientsResolverTrustStorePath().isPresent() && emailConnectorConfig.getRecipientsResolverTrustStorePassword().isPresent() && emailConnectorConfig.getRecipientsResolverTrustStoreType().isPresent()) {
+
+                KeyStoreParameters keyStoreParameters = new KeyStoreParameters();
+                keyStoreParameters.setResource(emailConnectorConfig.getRecipientsResolverTrustStorePath().get());
+                keyStoreParameters.setPassword(emailConnectorConfig.getRecipientsResolverTrustStorePassword().get());
+                keyStoreParameters.setType(emailConnectorConfig.getRecipientsResolverTrustStoreType().get());
+
+                TrustManagersParameters trustManagersParameters = new TrustManagersParameters();
+                trustManagersParameters.setKeyStore(keyStoreParameters);
+
+                SSLContextParameters sslContextParameters = new SSLContextParameters();
+                sslContextParameters.setTrustManagers(trustManagersParameters);
+
+                endpointBuilder.sslContextParameters(sslContextParameters);
+            }
+            return endpointBuilder;
         } else {
             return http(fullURL.replace("http://", ""));
         }

diff --git a/...main/java/com/redhat/cloud/notifications/connector/email/config/EmailConnectorConfig.java b/...main/java/com/redhat/cloud/notifications/connector/email/config/EmailConnectorConfig.java
@@ -8,6 +8,7 @@
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import java.util.Map;
+import java.util.Optional;
 
 import static io.quarkus.runtime.LaunchMode.TEST;
 
@@ -19,14 +20,17 @@
 @Alternative
 @Priority(0) // The value doesn't matter.
 public class EmailConnectorConfig extends HttpConnectorConfig {
+
     private static final String BOP_API_TOKEN = "notifications.connector.user-provider.bop.api_token";
     private static final String BOP_CLIENT_ID = "notifications.connector.user-provider.bop.client_id";
     private static final String BOP_ENV = "notifications.connector.user-provider.bop.env";
     private static final String BOP_URL = "notifications.connector.user-provider.bop.url";
     private static final String MAX_RECIPIENTS_PER_EMAIL = "notifications.connector.max-recipients-per-email";
     private static final String RECIPIENTS_RESOLVER_USER_SERVICE_URL = "notifications.connector.recipients-resolver.url";
-
     private static final String NOTIFICATIONS_EMAILS_INTERNAL_ONLY_ENABLED = "notifications.emails-internal-only.enabled";
+    private static final String RECIPIENTS_RESOLVER_TRUST_STORE_PATH = "clowder.endpoints.notifications-recipients-resolver-service.trust-store-path";
+    private static final String RECIPIENTS_RESOLVER_TRUST_STORE_PASSWORD = "clowder.endpoints.notifications-recipients-resolver-service.trust-store-password";
+    private static final String RECIPIENTS_RESOLVER_TRUST_STORE_TYPE = "clowder.endpoints.notifications-recipients-resolver-service.trust-store-type";
 
     @ConfigProperty(name = BOP_API_TOKEN)
     String bopApiToken;
@@ -49,6 +53,15 @@ public class EmailConnectorConfig extends HttpConnectorConfig {
     @ConfigProperty(name = NOTIFICATIONS_EMAILS_INTERNAL_ONLY_ENABLED, defaultValue = "false")
     boolean emailsInternalOnlyEnabled;
 
+    @ConfigProperty(name = RECIPIENTS_RESOLVER_TRUST_STORE_PATH)
+    Optional<String> recipientsResolverTrustStorePath;
+
+    @ConfigProperty(name = RECIPIENTS_RESOLVER_TRUST_STORE_PASSWORD)
+    Optional<String> recipientsResolverTrustStorePassword;
+
+    @ConfigProperty(name = RECIPIENTS_RESOLVER_TRUST_STORE_TYPE)
+    Optional<String> recipientsResolverTrustStoreType;
+
     @Override
     protected Map<String, Object> getLoggedConfiguration() {
         Map<String, Object> config = super.getLoggedConfiguration();
@@ -63,6 +76,8 @@ protected Map<String, Object> getLoggedConfiguration() {
         config.put(RECIPIENTS_RESOLVER_USER_SERVICE_URL, recipientsResolverServiceURL);
         config.put(MAX_RECIPIENTS_PER_EMAIL, maxRecipientsPerEmail);
         config.put(NOTIFICATIONS_EMAILS_INTERNAL_ONLY_ENABLED, emailsInternalOnlyEnabled);
+        config.put(RECIPIENTS_RESOLVER_TRUST_STORE_PATH, recipientsResolverTrustStorePath);
+        config.put(RECIPIENTS_RESOLVER_TRUST_STORE_TYPE, recipientsResolverTrustStoreType);
 
         /*
          * /!\ WARNING /!\
@@ -105,6 +120,18 @@ public void setEmailsInternalOnlyEnabled(boolean emailsInternalOnlyEnabled) {
         this.emailsInternalOnlyEnabled = emailsInternalOnlyEnabled;
     }
 
+    public Optional<String> getRecipientsResolverTrustStorePath() {
+        return recipientsResolverTrustStorePath;
+    }
+
+    public Optional<String> getRecipientsResolverTrustStorePassword() {
+        return recipientsResolverTrustStorePassword;
+    }
+
+    public Optional<String> getRecipientsResolverTrustStoreType() {
+        return recipientsResolverTrustStoreType;
+    }
+
     /**
      * This method throws an {@link IllegalStateException} if it is invoked with a launch mode different from
      * {@link io.quarkus.runtime.LaunchMode#TEST TEST}. It should be added to methods that allow overriding a