fix: Zaas client to not send a certificate during authentication (#1763)

* Fix usage of empty keystore in https client

Signed-off-by: JirkaAichler <jiri.aichler@broadcom.com>

* Add unit test

Signed-off-by: JirkaAichler <jiri.aichler@broadcom.com>

* Comment code

Signed-off-by: JirkaAichler <jiri.aichler@broadcom.com>

Author: JirkaAichler

zaas-client/src/main/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProvider.java

@@ -23,7 +23,6 @@
 import org.zowe.apiml.zaasclient.exception.ZaasConfigurationException;
 
 import javax.net.ssl.*;
-import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -49,7 +48,7 @@ class ZaasHttpsClientProvider implements CloseableClientProvider {
 
     private final CookieStore cookieStore = new BasicCookieStore();
 
-    private CloseableHttpClient httpsClientWithKeyStoreAndTrustStore;
+    private CloseableHttpClient httpsClient;
 
     public ZaasHttpsClientProvider(ConfigProperties configProperties) throws ZaasConfigurationException {
         this.requestConfig = this.buildCustomRequestConfig();
@@ -71,14 +70,13 @@ public void clearCookieStore() {
 
     @Override
     public synchronized CloseableHttpClient getHttpClient() throws ZaasConfigurationException {
-        if (httpsClientWithKeyStoreAndTrustStore == null) {
-            if ((kmf == null) && (keyStorePath != null)) {
+        if (httpsClient == null) {
+            if (kmf == null) {
                 initializeKeyStoreManagerFactory();
             }
-            httpsClientWithKeyStoreAndTrustStore = sharedHttpClientConfiguration(getSSLContext())
-                .build();
+            httpsClient = sharedHttpClientConfiguration(getSSLContext()).build();
         }
-        return httpsClientWithKeyStoreAndTrustStore;
+        return httpsClient;
     }
 
     private void initializeTrustManagerFactory(String trustStorePath, String trustStoreType, char[] trustStorePassword)
@@ -97,8 +95,14 @@ private void initializeTrustManagerFactory(String trustStorePath, String trustSt
 
     private void initializeKeyStoreManagerFactory() throws ZaasConfigurationException {
         try {
+            KeyStore keyStore;
+            if (keyStorePath != null) {
+                keyStore = getKeystore(keyStorePath, keyStoreType, keyStorePassword);
+            } else {
+                keyStore = getEmptyKeystore();
+            }
+
             kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            KeyStore keyStore = getKeystore(keyStorePath, keyStoreType, keyStorePassword);
             kmf.init(keyStore, keyStorePassword);
         } catch (NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyStoreException e) {
             throw new ZaasConfigurationException(ZaasConfigurationErrorCodes.WRONG_CRYPTO_CONFIGURATION, e);
@@ -115,12 +119,20 @@ private KeyStore getKeystore(String uri, String keyStoreType, char[] storePasswo
         }
     }
 
+    // Necessary because IBM JDK will automatically add keyStore based on system variables when there is no keyStore
+    private KeyStore getEmptyKeystore() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
+        KeyStore emptyKeystore = KeyStore.getInstance(KeyStore.getDefaultType());
+        emptyKeystore.load(null, null);
+
+        return emptyKeystore;
+    }
+
     private InputStream getCorrectInputStream(String uri) throws IOException {
         if (uri.startsWith(SAFKEYRING + ":////")) {
             URL url = new URL(replaceFourSlashes(uri));
             return url.openStream();
         }
-        return new FileInputStream(new File(uri));
+        return new FileInputStream(uri);
     }
 
     public static String replaceFourSlashes(String storeUri) {

zaas-client/src/test/java/org/zowe/apiml/zaasclient/service/internal/ZaasHttpsClientProviderTests.java

@@ -72,6 +72,15 @@ void testGetHttpsClientWithKeyStoreAndTrustStore() throws ZaasConfigurationExcep
         assertNotNull(zaasHttpsClientProvider.getHttpClient());
     }
 
+    @Test
+    void giveNoKeyStorePath_whenTheClientIsConstructed_thenEmptyKeyStoreIsUsed() throws ZaasConfigurationException, IOException {
+        ConfigProperties config = getConfigProperties();
+        config.setKeyStorePath(null);
+        ZaasHttpsClientProvider provider = new ZaasHttpsClientProvider(config);
+
+        assertNotNull(provider.getHttpClient());
+    }
+
     @Test
     void whenGetHttpsClientWithKeyStoreAndTrustStore_thenIdenticalClientReturned() throws ZaasConfigurationException {
         CloseableHttpClient client1 = zaasHttpsClientProvider.getHttpClient();