Revert "Revert "Bjorncs/config convergence checker preps""

12 files changed, 126 insertions, 16 deletions

diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/application/ConfigConvergenceChecker.java b/configserver/src/main/java/com/yahoo/vespa/config/server/application/ConfigConvergenceChecker.java
index 6b316c06b54..bad82180702 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/application/ConfigConvergenceChecker.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/application/ConfigConvergenceChecker.java
@@ -8,7 +8,6 @@ import com.yahoo.component.AbstractComponent;
 import com.yahoo.config.model.api.HostInfo;
 import com.yahoo.config.model.api.PortInfo;
 import com.yahoo.config.model.api.ServiceInfo;
-import java.util.logging.Level;
 import com.yahoo.slime.Cursor;
 import com.yahoo.vespa.config.server.http.JSONResponse;
 import org.glassfish.jersey.client.ClientProperties;
@@ -43,6 +42,7 @@ import static com.yahoo.config.model.api.container.ContainerServiceType.QRSERVER
  * @author Ulf Lilleengen
  * @author hmusum
  */
+@SuppressWarnings("removal")
 public class ConfigConvergenceChecker extends AbstractComponent {
 
     private static final Logger log = Logger.getLogger(ConfigConvergenceChecker.class.getName());
@@ -82,7 +82,7 @@ public class ConfigConvergenceChecker extends AbstractComponent {
     }
 
     /** Check all services in given application. Returns the minimum current generation of all services */
-    public ServiceListResponse getServiceConfigGenerationsResponse(Application application, URI requestUrl, Duration timeoutPerService) {
+    public JSONResponse getServiceConfigGenerationsResponse(Application application, URI requestUrl, Duration timeoutPerService) {
         Map<ServiceInfo, Long> currentGenerations = getServiceConfigGenerations(application, timeoutPerService);
         long currentGeneration = currentGenerations.values().stream().mapToLong(Long::longValue).min().orElse(-1);
         return new ServiceListResponse(200, currentGenerations, requestUrl, application.getApplicationGeneration(),
@@ -90,7 +90,7 @@ public class ConfigConvergenceChecker extends AbstractComponent {
     }
 
     /** Check service identified by host and port in given application */
-    public ServiceResponse getServiceConfigGenerationResponse(Application application, String hostAndPortToCheck, URI requestUrl, Duration timeout) {
+    public JSONResponse getServiceConfigGenerationResponse(Application application, String hostAndPortToCheck, URI requestUrl, Duration timeout) {
         Long wantedGeneration = application.getApplicationGeneration();
         try {
             if ( ! hostInApplication(application, hostAndPortToCheck))
diff --git a/configserver/src/main/java/com/yahoo/vespa/serviceview/ConfigServerLocation.java b/configserver/src/main/java/com/yahoo/vespa/serviceview/ConfigServerLocation.java
index cc452421d2d..05d1119aa4f 100644
--- a/configserver/src/main/java/com/yahoo/vespa/serviceview/ConfigServerLocation.java
+++ b/configserver/src/main/java/com/yahoo/vespa/serviceview/ConfigServerLocation.java
@@ -15,6 +15,7 @@ public class ConfigServerLocation extends AbstractComponent {
 
     final int restApiPort;
     // The client factory must be owned by a component as StateResource is instantiated per request
+    @SuppressWarnings("removal")
     final VespaClientBuilderFactory clientBuilderFactory = new VespaClientBuilderFactory();
 
     @Inject
diff --git a/configserver/src/main/java/com/yahoo/vespa/serviceview/StateResource.java b/configserver/src/main/java/com/yahoo/vespa/serviceview/StateResource.java
index 76e600d2ad8..138e6c8798c 100644
--- a/configserver/src/main/java/com/yahoo/vespa/serviceview/StateResource.java
+++ b/configserver/src/main/java/com/yahoo/vespa/serviceview/StateResource.java
@@ -40,6 +40,7 @@ public class StateResource implements StateClient {
     private static final String USER_AGENT = "service-view-config-server-client";
     private static final String SINGLE_API_LINK = "url";
 
+    @SuppressWarnings("removal")
     private final VespaClientBuilderFactory clientBuilderFactory;
     private final int restApiPort;
     private final String host;
diff --git a/configserver/src/test/java/com/yahoo/vespa/config/server/application/ConfigConvergenceCheckerTest.java b/configserver/src/test/java/com/yahoo/vespa/config/server/application/ConfigConvergenceCheckerTest.java
index 6aeb774d2b0..4b25c36a9d7 100644
--- a/configserver/src/test/java/com/yahoo/vespa/config/server/application/ConfigConvergenceCheckerTest.java
+++ b/configserver/src/test/java/com/yahoo/vespa/config/server/application/ConfigConvergenceCheckerTest.java
@@ -2,15 +2,13 @@
 package com.yahoo.vespa.config.server.application;
 
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
+import com.yahoo.component.Version;
 import com.yahoo.config.model.api.Model;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.InstanceName;
 import com.yahoo.config.provision.TenantName;
-import com.yahoo.component.Version;
 import com.yahoo.container.jdisc.HttpResponse;
-import com.yahoo.slime.Slime;
-import com.yahoo.slime.SlimeUtils;
 import com.yahoo.vespa.config.server.ServerCache;
 import com.yahoo.vespa.config.server.monitoring.MetricUpdater;
 import org.junit.Before;
@@ -31,6 +29,7 @@ import static com.github.tomakehurst.wiremock.client.WireMock.get;
 import static com.github.tomakehurst.wiremock.client.WireMock.okJson;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
+import static com.yahoo.test.json.JsonTestHelper.assertJsonEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
@@ -202,16 +201,8 @@ public class ConfigConvergenceCheckerTest {
         return uri.getHost() + ":" + uri.getPort();
     }
 
-    private static void assertResponse(String json, int status, HttpResponse response) {
-        assertResponse((responseBody) -> {
-            Slime expected = SlimeUtils.jsonToSlime(json.getBytes());
-            Slime actual = SlimeUtils.jsonToSlime(responseBody.getBytes());
-            try {
-                assertEquals(new String((SlimeUtils.toJsonBytes(expected))), new String(SlimeUtils.toJsonBytes(actual)));
-            } catch (IOException e) {
-                throw new UncheckedIOException(e);
-            }
-        }, status, response);
+    private static void assertResponse(String expectedJson, int status, HttpResponse response) {
+        assertResponse((responseBody) -> assertJsonEquals(new String(responseBody.getBytes()), expectedJson), status, response);
     }
 
     private static void assertResponse(Consumer<String> assertFunc, int status, HttpResponse response) {
diff --git a/container/pom.xml b/container/pom.xml
index cf3aa21513b..4f045aac90e 100644
--- a/container/pom.xml
+++ b/container/pom.xml
@@ -45,6 +45,10 @@
           <groupId>io.airlift</groupId>
           <artifactId>airline</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.apache.httpcomponents.client5</groupId>
+          <artifactId>httpclient5</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>
diff --git a/http-utils/pom.xml b/http-utils/pom.xml
index 6d2e009cf8c..aa261574285 100644
--- a/http-utils/pom.xml
+++ b/http-utils/pom.xml
@@ -38,6 +38,11 @@
       <artifactId>httpcore</artifactId>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents.client5</groupId>
+      <artifactId>httpclient5</artifactId>
+      <scope>compile</scope>
+    </dependency>
 
     <!-- test scope -->
     <dependency>
diff --git a/http-utils/src/main/java/ai/vespa/util/http/VespaAsyncHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/VespaAsyncHttpClientBuilder.java
new file mode 100644
index 00000000000..51e83bd870a
--- /dev/null
+++ b/http-utils/src/main/java/ai/vespa/util/http/VespaAsyncHttpClientBuilder.java
@@ -0,0 +1,95 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package ai.vespa.util.http;
+
+import com.yahoo.security.tls.MixedMode;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+import org.apache.hc.client5.http.HttpRoute;
+import org.apache.hc.client5.http.impl.DefaultSchemePortResolver;
+import org.apache.hc.client5.http.impl.async.HttpAsyncClientBuilder;
+import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.impl.routing.DefaultRoutePlanner;
+import org.apache.hc.client5.http.nio.AsyncClientConnectionManager;
+import org.apache.hc.client5.http.routing.HttpRoutePlanner;
+import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
+import org.apache.hc.core5.http.protocol.HttpContext;
+
+import javax.net.ssl.SSLParameters;
+
+/**
+ * Async http client builder for internal Vespa communications over http/https.
+ * Configures Vespa mTLS and handles TLS mixed mode automatically.
+ * Client should only be used for requests to Vespa services.
+ *
+ * Caveats:
+ * - custom connection manager must be configured through {@link #create(AsyncConnectionManagerFactory)}.
+ *
+ * @author bjorncs
+ */
+public class VespaAsyncHttpClientBuilder {
+
+    public interface AsyncConnectionManagerFactory {
+        AsyncClientConnectionManager create(TlsStrategy tlsStrategy);
+    }
+
+    public static HttpAsyncClientBuilder create() {
+        return create(
+                tlsStrategy -> PoolingAsyncClientConnectionManagerBuilder.create()
+                        .setTlsStrategy(tlsStrategy)
+                        .build());
+    }
+
+    public static HttpAsyncClientBuilder create(AsyncConnectionManagerFactory factory) {
+        HttpAsyncClientBuilder clientBuilder = HttpAsyncClientBuilder.create();
+        TlsContext vespaTlsContext = TransportSecurityUtils.createTlsContext().orElse(null);
+        TlsStrategy tlsStrategy;
+        if (vespaTlsContext != null) {
+            SSLParameters vespaTlsParameters = vespaTlsContext.parameters();
+            tlsStrategy = ClientTlsStrategyBuilder.create()
+                    .setHostnameVerifier(new NoopHostnameVerifier())
+                    .setSslContext(vespaTlsContext.context())
+                    .setTlsVersions(vespaTlsParameters.getProtocols())
+                    .setCiphers(vespaTlsParameters.getCipherSuites())
+                    .build();
+            if (TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
+                clientBuilder.setRoutePlanner(new HttpToHttpsRoutePlanner());
+            }
+        } else {
+            tlsStrategy = ClientTlsStrategyBuilder.create().build();
+        }
+        clientBuilder.disableConnectionState(); // Share connections between subsequent requests
+        clientBuilder.disableCookieManagement();
+        clientBuilder.disableAuthCaching();
+        clientBuilder.disableRedirectHandling();
+        clientBuilder.setConnectionManager(factory.create(tlsStrategy));
+        return clientBuilder;
+    }
+
+    private static class HttpToHttpsRoutePlanner implements HttpRoutePlanner {
+
+        private final DefaultRoutePlanner defaultPlanner = new DefaultRoutePlanner(new DefaultSchemePortResolver());
+
+        @Override
+        public HttpRoute determineRoute(HttpHost target, HttpContext context) throws HttpException {
+            HttpRoute originalRoute = defaultPlanner.determineRoute(target, context);
+            HttpHost originalHost = originalRoute.getTargetHost();
+            String originalScheme = originalHost.getSchemeName();
+            String rewrittenScheme = originalScheme.equalsIgnoreCase("http") ? "https" : originalScheme;
+            boolean rewrittenSecure = target.getSchemeName().equalsIgnoreCase("https");
+            HttpHost rewrittenHost = new HttpHost(
+                    rewrittenScheme, originalHost.getAddress(), originalHost.getHostName(), originalHost.getPort());
+            return new HttpRoute(
+                    rewrittenHost,
+                    originalRoute.getLocalAddress(),
+                    originalRoute.getProxyHost(),
+                    rewrittenSecure,
+                    originalRoute.getTunnelType(),
+                    originalRoute.getLayerType());
+        }
+    }
+
+}
diff --git a/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java
index 2bac7f66799..c6afa889041 100644
--- a/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java
+++ b/jaxrs_client_utils/src/main/java/ai/vespa/util/http/VespaClientBuilderFactory.java
@@ -27,8 +27,10 @@ import static java.util.logging.Level.CONFIG;
  *  - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager.
  *  - ssl context or hostname verifier must not be overridden by the caller
  *
+ * @deprecated Use Apache httpclient based client factory instead (VespaHttpClientBuilder).
  * @author bjorncs
  */
+@Deprecated(forRemoval = true)
 public class VespaClientBuilderFactory implements AutoCloseable {
 
     private static final Logger log = Logger.getLogger(VespaClientBuilderFactory.class.getName());
diff --git a/jaxrs_client_utils/src/main/java/com/yahoo/vespa/jaxrs/client/VespaJerseyJaxRsClientFactory.java b/jaxrs_client_utils/src/main/java/com/yahoo/vespa/jaxrs/client/VespaJerseyJaxRsClientFactory.java
index bdc89d737d4..6d1c1c71f21 100644
--- a/jaxrs_client_utils/src/main/java/com/yahoo/vespa/jaxrs/client/VespaJerseyJaxRsClientFactory.java
+++ b/jaxrs_client_utils/src/main/java/com/yahoo/vespa/jaxrs/client/VespaJerseyJaxRsClientFactory.java
@@ -17,10 +17,13 @@ import java.util.List;
 /**
  * Factory for creating Jersey based Vespa clients from a JAX-RS resource interface.
  *
+ * @deprecated Use Apache httpclient based client factory instead (VespaHttpClientBuilder).
  * @author bjorncs
  */
+@Deprecated(forRemoval = true)
 public class VespaJerseyJaxRsClientFactory implements JaxRsClientFactory, AutoCloseable {
 
+    @SuppressWarnings("removal")
     private final VespaClientBuilderFactory clientBuilder = new VespaClientBuilderFactory();
     // Client is a heavy-weight object with a finalizer so we create only one and re-use it
     private final Client client;
diff --git a/orchestrator/src/main/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactory.java b/orchestrator/src/main/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactory.java
index 4b82f278f23..e2e769f8556 100644
--- a/orchestrator/src/main/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactory.java
+++ b/orchestrator/src/main/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactory.java
@@ -14,6 +14,7 @@ import java.util.List;
 /**
  * @author bakksjo
  */
+@SuppressWarnings("removal") // VespaJerseyJaxRsClientFactory
 public class RetryingClusterControllerClientFactory extends AbstractComponent implements ClusterControllerClientFactory {
 
     // TODO: Figure this port out dynamically.
diff --git a/orchestrator/src/test/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactoryTest.java b/orchestrator/src/test/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactoryTest.java
index 95fdd61563b..309d6a756f6 100644
--- a/orchestrator/src/test/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactoryTest.java
+++ b/orchestrator/src/test/java/com/yahoo/vespa/orchestrator/controller/RetryingClusterControllerClientFactoryTest.java
@@ -27,6 +27,7 @@ public class RetryingClusterControllerClientFactoryTest {
     private final Clock clock = new ManualClock();
 
     @Test
+    @SuppressWarnings("removal") // VespaJerseyJaxRsClientFactory
     public void verifyJerseyCallForSetNodeState() throws IOException {
         VespaJerseyJaxRsClientFactory clientFactory = mock(VespaJerseyJaxRsClientFactory.class);
         ClusterControllerJaxRsApi api = mock(ClusterControllerJaxRsApi.class);
diff --git a/parent/pom.xml b/parent/pom.xml
index cac59966332..72aa330fe13 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -575,6 +575,11 @@
                 <version>${apache.httpcore.version}</version>
             </dependency>
             <dependency>
+                <groupId>org.apache.httpcomponents.client5</groupId>
+                <artifactId>httpclient5</artifactId>
+                <version>${apache.httpclient5.version}</version>
+            </dependency>
+            <dependency>
                 <groupId>org.apache.httpcomponents</groupId>
                 <artifactId>httpmime</artifactId>
                 <version>4.3.6</version>
@@ -749,6 +754,7 @@
         <antlr4.version>4.5</antlr4.version>
         <apache.httpclient.version>4.5.12</apache.httpclient.version>
         <apache.httpcore.version>4.4.13</apache.httpcore.version>
+        <apache.httpclient5.version>5.0.3</apache.httpclient5.version>
         <asm.version>7.0</asm.version>
         <!-- Athenz dependencies. Make sure these dependencies match those in Vespa's internal repositories -->
         <athenz.version>1.8.49</athenz.version>