// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package ai.vespa.util.http.hc4; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TlsContext; import com.yahoo.security.tls.TransportSecurityUtils; import org.apache.http.HttpException; import org.apache.http.HttpHost; import org.apache.http.HttpRequest; import org.apache.http.client.config.RequestConfig; import org.apache.http.client.protocol.HttpClientContext; import org.apache.http.config.Registry; import org.apache.http.config.RegistryBuilder; import org.apache.http.conn.HttpClientConnectionManager; import org.apache.http.conn.UnsupportedSchemeException; import org.apache.http.conn.routing.HttpRoute; import org.apache.http.conn.routing.HttpRoutePlanner; import org.apache.http.conn.socket.ConnectionSocketFactory; import org.apache.http.conn.socket.PlainConnectionSocketFactory; import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.conn.ssl.SSLConnectionSocketFactory; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.conn.BasicHttpClientConnectionManager; import org.apache.http.impl.conn.DefaultSchemePortResolver; import org.apache.http.protocol.HttpContext; import javax.net.ssl.SSLParameters; import java.net.InetAddress; import java.util.logging.Level; import java.util.logging.Logger; import static ai.vespa.util.http.hc4.SslConnectionSocketFactory.noopVerifier; /** * Http client builder for internal Vespa communications over http/https. * * Notes: * - hostname verification is not enabled - CN/SAN verification is assumed to be handled by the underlying x509 trust manager. * - custom connection managers must be configured through {@link #createBuilder(ConnectionManagerFactory)}. Do not call {@link HttpClientBuilder#setConnectionManager(HttpClientConnectionManager)}. * * @author bjorncs */ public class VespaHttpClientBuilder { private static final Logger log = Logger.getLogger(VespaHttpClientBuilder.class.getName()); public interface ConnectionManagerFactory { HttpClientConnectionManager create(Registry socketFactoryRegistry); } private VespaHttpClientBuilder() {} /** * Create a client builder with default connection manager. */ public static HttpClientBuilder create() { return createBuilder(null); } /** * Create a client builder with a user specified connection manager. */ public static HttpClientBuilder create(ConnectionManagerFactory connectionManagerFactory) { return createBuilder(connectionManagerFactory); } /** * Creates a client builder with a {@link BasicHttpClientConnectionManager} configured. * This connection manager uses a single connection for all requests. See Javadoc for details. */ public static HttpClientBuilder createWithBasicConnectionManager() { return createBuilder(BasicHttpClientConnectionManager::new); } private static HttpClientBuilder createBuilder(ConnectionManagerFactory connectionManagerFactory) { HttpClientBuilder builder = HttpClientBuilder.create(); addSslSocketFactory(builder, connectionManagerFactory); addHttpsRewritingRoutePlanner(builder); return builder; } private static void addSslSocketFactory(HttpClientBuilder builder, ConnectionManagerFactory connectionManagerFactory) { TransportSecurityUtils.getSystemTlsContext() .ifPresent(tlsContext -> { log.log(Level.FINE, "Adding ssl socket factory to client"); SSLConnectionSocketFactory socketFactory = createSslSocketFactory(tlsContext); if (connectionManagerFactory != null) { builder.setConnectionManager(connectionManagerFactory.create(createRegistry(socketFactory))); } else { builder.setSSLSocketFactory(socketFactory); } // Workaround that allows re-using https connections, see https://stackoverflow.com/a/42112034/1615280 for details. // Proper solution would be to add a request interceptor that adds a x500 principal as user token, // but certificate subject CN is not accessible through the TlsContext currently. builder.setUserTokenHandler(context -> null); }); } private static void addHttpsRewritingRoutePlanner(HttpClientBuilder builder) { if (TransportSecurityUtils.isTransportSecurityEnabled() && TransportSecurityUtils.getInsecureMixedMode() != MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) { builder.setRoutePlanner(new HttpToHttpsRoutePlanner()); } } private static SSLConnectionSocketFactory createSslSocketFactory(TlsContext ctx) { return SslConnectionSocketFactory.of(ctx, noopVerifier()); } private static Registry createRegistry(SSLConnectionSocketFactory sslSocketFactory) { return RegistryBuilder.create() .register("https", sslSocketFactory) .register("http", PlainConnectionSocketFactory.getSocketFactory()) .build(); } /** * Reroutes requests using 'http' to 'https'. * Implementation inspired by {@link org.apache.http.impl.conn.DefaultRoutePlanner}, but without proxy support. */ static class HttpToHttpsRoutePlanner implements HttpRoutePlanner { @Override public HttpRoute determineRoute(HttpHost host, HttpRequest request, HttpContext context) throws HttpException { HttpClientContext clientContext = HttpClientContext.adapt(context); RequestConfig config = clientContext.getRequestConfig(); InetAddress local = config.getLocalAddress(); HttpHost target = resolveTarget(host); boolean secure = target.getSchemeName().equalsIgnoreCase("https"); return new HttpRoute(target, local, secure); } private HttpHost resolveTarget(HttpHost host) throws HttpException { try { String originalScheme = host.getSchemeName(); String scheme = originalScheme.equalsIgnoreCase("http") ? "https" : originalScheme; int port = DefaultSchemePortResolver.INSTANCE.resolve(host); return new HttpHost(host.getHostName(), port, scheme); } catch (UnsupportedSchemeException e) { throw new HttpException(e.getMessage(), e); } } } }