From 80648a9b1667cee923f56950930cc1bc1a28f29e Mon Sep 17 00:00:00 2001
From: Gabriel Roldan
Date: Mon, 12 Aug 2024 00:02:00 -0300
Subject: [PATCH] Configure an SSL capable ClientHttpRequestFactory for the AclClient RestTemplate
---
 compose/.env | 2 +-
 compose/compose.yml | 8 ++--
 pom.xml | 6 +++
 .../org/geoserver/acl/client/AclClient.java | 42 +++++++++++++++++--
 4 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/compose/.env b/compose/.env
index fd497ff..951972d 100644
--- a/compose/.env
+++ b/compose/.env
@@ -1,3 +1,3 @@
 COMPOSE_PROJECT_NAME=acldev
 TAG=2.3-SNAPSHOT
-GATEWAY_TAG=1.7.0
+GATEWAY_TAG=1.8.10
diff --git a/compose/compose.yml b/compose/compose.yml
index 26a8972..ee987b5 100644
--- a/compose/compose.yml
+++ b/compose/compose.yml
@@ -43,8 +43,8 @@ services:
 condition: service_healthy
 required: true
 ports:
- - 8080:8080
- - 8081:8081
+ - 8180:8080
+ - 8181:8081
 - 15005:15005
 deploy:
 resources:
@@ -57,9 +57,7 @@ services:
 user: 1000:1000
 environment:
 SPRING_PROFILES_ACTIVE: standalone
- GEOSERVER_BASE_PATH: /geoserver/cloud
- volumes:
- - ./gateway-service.yml:/etc/geoserver/gateway-service.yml
+ TARGETS_ACL: http://acl:8080
 ports:
 - 9090:8080
 deploy:
diff --git a/pom.xml b/pom.xml
index 7859117..afc41ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -213,6 +213,12 @@ gs-acl-plugin-accessmanager ${project.version} + + org.geoserver.acl.plugin + gs-acl-plugin-accessmanager + ${project.version} + test-jar + org.geoserver.acl.plugin gs-acl-plugin-client
diff --git a/src/integration/openapi/java-client/src/main/java/org/geoserver/acl/client/AclClient.java b/src/integration/openapi/java-client/src/main/java/org/geoserver/acl/client/AclClient.java
index 65e715d..39d4ebf 100644
--- a/src/integration/openapi/java-client/src/main/java/org/geoserver/acl/client/AclClient.java
+++ b/src/integration/openapi/java-client/src/main/java/org/geoserver/acl/client/AclClient.java
@@ -7,6 +7,11 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.ssl.TrustStrategy;
 import org.geoserver.acl.api.client.ApiClient;
 import org.geoserver.acl.api.client.AuthorizationApi;
 import org.geoserver.acl.api.client.DataRulesApi;
@@ -20,10 +25,16 @@
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.DefaultUriBuilderFactory;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.stream.Collectors;
+import javax.net.ssl.SSLContext;
+
 public class AclClient {
 private ApiClient apiClient;
@@ -93,11 +104,13 @@ public AuthorizationApi getAuthorizationApi() { static RestTemplate createRestTemplate() { - // Use Apache HttpComponents HttpClient, otherwise - // SimpleClientHttpRequestFactory fails on + // Use Apache HttpComponents HttpClient, otherwise SimpleClientHttpRequestFactory fails on // PATCH requests - ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); + // ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(); + + ClientHttpRequestFactory requestFactory = getClientHttpRequestFactoryForHttps(); RestTemplate restTemplate = new RestTemplate(requestFactory); + // This allows us to read the response more than once - Necessary for debugging restTemplate.setRequestFactory( new BufferingClientHttpRequestFactory(restTemplate.getRequestFactory()));
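Review bot: In `createRestTemplate()` the previous factory line is left behind as commented-out code (`// ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();`) directly under the PATCH comment, so the comment now appears to describe a dead line. Delete the commented line and reword the comment to cover the live call, for example `// HttpComponents-based factory: SimpleClientHttpRequestFactory fails on PATCH requests`. The swap is also unconditional: every RestTemplate built here now comes from `getClientHttpRequestFactoryForHttps()`, so whatever TLS policy that helper applies is the only one a caller can get. The method body continues past this hunk.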
@@ -109,7 +122,7 @@ static RestTemplate createRestTemplate() {
 List> messageConverters = restTemplate.getMessageConverters().stream()
- .filter(m -> !(MappingJackson2HttpMessageConverter.class.isInstance(m)))
+ .filter(m -> !(m instanceof MappingJackson2HttpMessageConverter))
 .collect(Collectors.toCollection(ArrayList::new));
 ObjectMapper objectMapper = new ObjectMapper();
@@ -120,4 +133,25 @@ static RestTemplate createRestTemplate() {
 return restTemplate;
 }
+
+ static ClientHttpRequestFactory getClientHttpRequestFactoryForHttps() {
+
+ TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
+ SSLContext sslContext;
+ try {
+ sslContext =
+ org.apache.http.ssl.SSLContexts.custom()
+ .loadTrustMaterial(null, acceptingTrustStrategy)
+ .build();
+ } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException e) {
+ throw new IllegalStateException(e);
+ }
+ SSLConnectionSocketFactory csf =
+ new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
+ CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(csf).build();
+ HttpComponentsClientHttpRequestFactory requestFactory =
+ new HttpComponentsClientHttpRequestFactory();
+ requestFactory.setHttpClient(httpClient);
+ return requestFactory;
+ }
 }
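Review bot: `getClientHttpRequestFactoryForHttps()` switches server authentication off rather than adding SSL capability: `acceptingTrustStrategy` returns `true` for every certificate chain and `NoopHostnameVerifier.INSTANCE` skips the host-name check, so any endpoint that can intercept the connection is accepted as the ACL service and the authorization answers it returns are trusted. The HttpComponents client already speaks HTTPS with the JDK's default validation, so the helper can shrink to `return new HttpComponentsClientHttpRequestFactory(HttpClients.createSystem());`, which keeps PATCH working and lets deployments with a private CA supply it through the standard `javax.net.ssl.trustStore` system properties. If accepting self-signed certificates is wanted for the compose dev stack, put it behind an explicit opt-in that defaults to off and log a warning when it is enabled. `throw new IllegalStateException(e)` would also be easier to diagnose with a message such as `"Unable to initialize SSLContext"`.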