From 8783afef1d012e3eb026d952fc7949fa5285fe80 Mon Sep 17 00:00:00 2001
From: Jon Marius Venstad
Date: Fri, 9 Apr 2021 17:06:10 +0200
Subject: Make VespaHttpClitBuilders more customizable

---
.../util/http/hc5/VespaAsyncHttpClientBuilder.java | 7 ++++++-
.../util/http/hc5/VespaHttpClientBuilder.java | 22 ++++++++++++++++++----
2 files changed, 24 insertions(+), 5 deletions(-)
(limited to 'http-utils/src/main')

diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaAsyncHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaAsyncHttpClientBuilder.java
index 219f1707589..50af29f92aa 100644
--- a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaAsyncHttpClientBuilder.java
+++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaAsyncHttpClientBuilder.java
@@ -11,6 +11,7 @@ import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.http.nio.ssl.TlsStrategy;
 
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLParameters;
 
 /**
@@ -37,13 +38,17 @@ public class VespaAsyncHttpClientBuilder {
 }
 
 public static HttpAsyncClientBuilder create(AsyncConnectionManagerFactory factory) {
+return create(factory, new NoopHostnameVerifier());
+}
+
+public static HttpAsyncClientBuilder create(AsyncConnectionManagerFactory factory, HostnameVerifier hostnameVerifier) {
 HttpAsyncClientBuilder clientBuilder = HttpAsyncClientBuilder.create();
 TlsContext vespaTlsContext = TransportSecurityUtils.getSystemTlsContext().orElse(null);
 TlsStrategy tlsStrategy;
 if (vespaTlsContext != null) {
 SSLParameters vespaTlsParameters = vespaTlsContext.parameters();
 tlsStrategy = ClientTlsStrategyBuilder.create()
-.setHostnameVerifier(new NoopHostnameVerifier())
+.setHostnameVerifier(hostnameVerifier)
 .setSslContext(vespaTlsContext.context())
 .setTlsVersions(vespaTlsParameters.getProtocols())
 .setCiphers(vespaTlsParameters.getCipherSuites())
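Review bot: The new public overload `create(AsyncConnectionManagerFactory, HostnameVerifier)` has no Javadoc, and the signature alone does not tell a caller that the verifier only takes effect inside the `if (vespaTlsContext != null)` branch, i.e. when a system TLS context is configured. I would add Javadoc saying that, plus a sentence on the one-arg overload that it keeps the previous `NoopHostnameVerifier` behaviour, which performs no hostname verification, so callers who want verification should pass something like `new DefaultHostnameVerifier()`. The parameter is also forwarded to `setHostnameVerifier` unchecked; whether a null verifier falls back to a default or fails later depends on the HttpClient version, so a guard at the public entry point, `Objects.requireNonNull(hostnameVerifier, "hostnameVerifier");`, would make the contract explicit. The body of the new `create` continues past the end of the hunk.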
diff --git a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
index 40cb0796cbf..e01d278ff38 100644
--- a/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
+++ b/http-utils/src/main/java/ai/vespa/util/http/hc5/VespaHttpClientBuilder.java
@@ -11,6 +11,7 @@ import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
 import org.apache.hc.core5.http.config.Registry;
 import org.apache.hc.core5.http.config.RegistryBuilder;
 
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLParameters;
 
 import static com.yahoo.security.tls.MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER;
@@ -37,9 +38,21 @@ public class VespaHttpClientBuilder {
 }
 
 public static HttpClientBuilder create(HttpClientConnectionManagerFactory connectionManagerFactory) {
+return create(connectionManagerFactory, new NoopHostnameVerifier());
+}
+
+public static HttpClientBuilder create(HttpClientConnectionManagerFactory connectionManagerFactory,
+HostnameVerifier hostnameVerifier) {
+return create(connectionManagerFactory, hostnameVerifier, true);
+}
+
+public static HttpClientBuilder create(HttpClientConnectionManagerFactory connectionManagerFactory,
+HostnameVerifier hostnameVerifier,
+boolean rewriteHttpToHttps) {
 HttpClientBuilder builder = HttpClientBuilder.create();
-addSslSocketFactory(builder, connectionManagerFactory);
-addHttpsRewritingRoutePlanner(builder);
+addSslSocketFactory(builder, connectionManagerFactory, hostnameVerifier);
+if (rewriteHttpToHttps)
+addHttpsRewritingRoutePlanner(builder);
 
 builder.disableConnectionState(); // Share connections between subsequent requests.
 builder.disableCookieManagement();
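Review bot: The new `if (rewriteHttpToHttps)` is an unbraced single-statement `if`, which nothing else in this method does; bracing it, `if (rewriteHttpToHttps) { addHttpsRewritingRoutePlanner(builder); }`, keeps the style uniform and avoids the dangling-statement trap when a second line is added later. The three new public overloads also lack Javadoc; the three-arg one should state that `rewriteHttpToHttps = false` leaves `http` URIs unrewritten and therefore on plaintext even when a system TLS context is present (as the route planner's name implies — confirm against `addHttpsRewritingRoutePlanner`), and the one-arg one should say it keeps `NoopHostnameVerifier`, i.e. no hostname verification. As in the async builder, `hostnameVerifier` is passed through unchecked; the three-arg overload is the natural place for `Objects.requireNonNull(hostnameVerifier, "hostnameVerifier");`, since `addSslSocketFactory` in the next hunk hands it straight to the `SSLConnectionSocketFactory` constructor. The method body continues outside the hunk.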
@@ -49,13 +62,14 @@ public class VespaHttpClientBuilder {
 return builder;
 }
 
-private static void addSslSocketFactory(HttpClientBuilder builder, HttpClientConnectionManagerFactory connectionManagerFactory) {
+private static void addSslSocketFactory(HttpClientBuilder builder, HttpClientConnectionManagerFactory connectionManagerFactory,
+HostnameVerifier hostnameVerifier) {
 getSystemTlsContext().ifPresent(tlsContext -> {
 SSLParameters parameters = tlsContext.parameters();
 SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(tlsContext.context(),
 parameters.getProtocols(),
 parameters.getCipherSuites(),
-new NoopHostnameVerifier());
+hostnameVerifier);
 builder.setConnectionManager(connectionManagerFactory.create(createRegistry(socketFactory)));
 // Workaround that allows re-using https connections, see https://stackoverflow.com/a/42112034/1615280 for details.
 // Proper solution would be to add a request interceptor that adds a x500 principal as user token,
-- 
cgit v1.2.3