Add 'http-utils' module with VespaHttpClientBuilder

- Move VespaHttpClientBuilder source code from 'security-utils' to 'http-utils'.
- Improve configuration of connection manager.
  - Add static factory for client builder with BasicHttpClientConnectionManager.
  - Simplify implementations of ConnectionManagerFactory by improving its interface.

5 files changed, 228 insertions, 0 deletions

diff --git a/http-utils/OWNERS b/http-utils/OWNERS
new file mode 100644
index 00000000000..569bf1cc3a1
--- /dev/null
+++ b/http-utils/OWNERS
@@ -0,0 +1 @@
+bjorncs
diff --git a/http-utils/README.md b/http-utils/README.md
new file mode 100644
index 00000000000..8bbe2cd7d05
--- /dev/null
+++ b/http-utils/README.md
@@ -0,0 +1 @@
+# Http utilities for Java
\ No newline at end of file
diff --git a/http-utils/pom.xml b/http-utils/pom.xml
new file mode 100644
index 00000000000..aea402aef87
--- /dev/null
+++ b/http-utils/pom.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0"?>
+<!-- Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.yahoo.vespa</groupId>
+    <artifactId>parent</artifactId>
+    <version>7-SNAPSHOT</version>
+    <relativePath>../parent/pom.xml</relativePath>
+  </parent>
+  <artifactId>http-utils</artifactId>
+  <packaging>jar</packaging>
+  <version>7-SNAPSHOT</version>
+  <dependencies>
+    <!-- provided -->
+    <dependency>
+      <groupId>com.yahoo.vespa</groupId>
+      <artifactId>security-utils</artifactId>
+      <version>${project.version}</version>
+      <scope>provided</scope>
+    </dependency>
+
+    <!-- compile scope -->
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <scope>compile</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpcore</artifactId>
+      <scope>compile</scope>
+    </dependency>
+
+    <!-- test scope -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.assertj</groupId>
+      <artifactId>assertj-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/http-utils/src/main/java/ai/vespa/util/http/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/VespaHttpClientBuilder.java
new file mode 100644
index 00000000000..5e7a9441fc8
--- /dev/null
+++ b/http-utils/src/main/java/ai/vespa/util/http/VespaHttpClientBuilder.java
@@ -0,0 +1,135 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package ai.vespa.util.http;
+
+import com.yahoo.security.tls.MixedMode;
+import com.yahoo.security.tls.TlsContext;
+import com.yahoo.security.tls.TransportSecurityUtils;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpRequestInterceptor;
+import org.apache.http.client.methods.HttpRequestBase;
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.HttpClientConnectionManager;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
+import org.apache.http.protocol.HttpContext;
+
+import javax.net.ssl.SSLParameters;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Http client builder for internal Vespa communications over http/https.
+ *
+ * Notes:
+ *  - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager.
+ *  - custom connection managers must be configured through {@link #createBuilder(ConnectionManagerFactory)}. Do not call {@link HttpClientBuilder#setConnectionManager(HttpClientConnectionManager)}.
+ *
+ * @author bjorncs
+ */
+public class VespaHttpClientBuilder {
+
+    private static final Logger log = Logger.getLogger(VespaHttpClientBuilder.class.getName());
+
+    public interface ConnectionManagerFactory {
+        HttpClientConnectionManager create(Registry<ConnectionSocketFactory> socketFactoryRegistry);
+    }
+
+    private VespaHttpClientBuilder() {}
+
+    /**
+     * Create a client builder with default connection manager.
+     */
+    public static HttpClientBuilder create() {
+        return createBuilder(null);
+    }
+
+    /**
+     * Create a client builder with a user specified connection manager.
+     */
+    public static HttpClientBuilder create(ConnectionManagerFactory connectionManagerFactory) {
+        return createBuilder(connectionManagerFactory);
+    }
+
+    /**
+     * Creates a client builder with a {@link BasicHttpClientConnectionManager} configured.
+     * This connection manager uses a single connection for all requests. See Javadoc for details.
+     */
+    public static HttpClientBuilder createWithBasicConnectionManager() {
+        return createBuilder(BasicHttpClientConnectionManager::new);
+    }
+
+    private static HttpClientBuilder createBuilder(ConnectionManagerFactory connectionManagerFactory) {
+        var builder = HttpClientBuilder.create();
+        addSslSocketFactory(builder, connectionManagerFactory);
+        addTlsAwareRequestInterceptor(builder);
+        return builder;
+    }
+
+    private static void addSslSocketFactory(HttpClientBuilder builder, ConnectionManagerFactory connectionManagerFactory)  {
+        TransportSecurityUtils.createTlsContext()
+                .ifPresent(tlsContext -> {
+                    log.log(Level.FINE, "Adding ssl socket factory to client");
+                    SSLConnectionSocketFactory socketFactory = createSslSocketFactory(tlsContext);
+                    if (connectionManagerFactory != null) {
+                        builder.setConnectionManager(connectionManagerFactory.create(createRegistry(socketFactory)));
+                    } else {
+                        builder.setSSLSocketFactory(socketFactory);
+                    }
+                });
+    }
+
+    private static void addTlsAwareRequestInterceptor(HttpClientBuilder builder) {
+        if (TransportSecurityUtils.isTransportSecurityEnabled()
+                && TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
+            log.log(Level.FINE, "Adding request interceptor to client");
+            builder.addInterceptorFirst(new HttpToHttpsRewritingRequestInterceptor());
+        }
+    }
+
+    private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext tlsContext) {
+        SSLParameters parameters = tlsContext.parameters();
+        return new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), new NoopHostnameVerifier());
+    }
+
+    private static Registry<ConnectionSocketFactory> createRegistry(SSLConnectionSocketFactory sslSocketFactory) {
+        return RegistryBuilder.<ConnectionSocketFactory>create()
+                .register("https", sslSocketFactory)
+                .register("http", PlainConnectionSocketFactory.getSocketFactory())
+                .build();
+    }
+
+    static class HttpToHttpsRewritingRequestInterceptor implements HttpRequestInterceptor {
+        @Override
+        public void process(HttpRequest request, HttpContext context) {
+            if (request instanceof HttpRequestBase) {
+                HttpRequestBase httpUriRequest = (HttpRequestBase) request;
+                httpUriRequest.setURI(rewriteUri(httpUriRequest.getURI()));
+            } else {
+                log.log(Level.FINE, () -> "Not a HttpRequestBase - skipping URI rewriting: " + request.getClass().getName());
+            }
+        }
+
+        private static URI rewriteUri(URI originalUri) {
+            if (!originalUri.getScheme().equals("http")) {
+                return originalUri;
+            }
+            int port = originalUri.getPort();
+            int rewrittenPort = port != -1 ? port : 80;
+            try {
+                URI rewrittenUri = new URIBuilder(originalUri).setScheme("https").setPort(rewrittenPort).build();
+                log.log(Level.FINE, () -> String.format("Uri rewritten from '%s' to '%s'", originalUri, rewrittenUri));
+                return rewrittenUri;
+            } catch (URISyntaxException e) {
+                throw new RuntimeException(e);
+            }
+        }
+    }
+}
diff --git a/http-utils/src/test/java/ai/vespa/util/http/VespaHttpClientBuilderTest.java b/http-utils/src/test/java/ai/vespa/util/http/VespaHttpClientBuilderTest.java
new file mode 100644
index 00000000000..7ffd0e459b0
--- /dev/null
+++ b/http-utils/src/test/java/ai/vespa/util/http/VespaHttpClientBuilderTest.java
@@ -0,0 +1,39 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package ai.vespa.util.http;
+
+import ai.vespa.util.http.VespaHttpClientBuilder.HttpToHttpsRewritingRequestInterceptor;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.protocol.BasicHttpContext;
+import org.junit.Test;
+
+import java.net.URI;
+
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
+
+/**
+ * @author bjorncs
+ */
+public class VespaHttpClientBuilderTest {
+
+    @Test
+    public void request_interceptor_modifies_scheme_of_requests() {
+        verifyProcessedUriMatchesExpectedOutput("http://dummyhostname:8080/a/path/to/resource?query=value",
+                                                "https://dummyhostname:8080/a/path/to/resource?query=value");
+    }
+
+    @Test
+    public void request_interceptor_add_handles_implicit_http_port() {
+        verifyProcessedUriMatchesExpectedOutput("http://dummyhostname/a/path/to/resource?query=value",
+                                                "https://dummyhostname:80/a/path/to/resource?query=value");
+    }
+
+    private static void verifyProcessedUriMatchesExpectedOutput(String inputUri, String expectedOutputUri) {
+        var interceptor = new HttpToHttpsRewritingRequestInterceptor();
+        HttpGet request = new HttpGet(inputUri);
+        interceptor.process(request, new BasicHttpContext());
+        URI modifiedUri = request.getURI();
+        URI expectedUri = URI.create(expectedOutputUri);
+        assertThat(modifiedUri).isEqualTo(expectedUri);
+    }
+
+}
\ No newline at end of file