adutra commented on code in PR #15500:
URL: https://github.com/apache/iceberg/pull/15500#discussion_r2965496866
##########
core/src/test/java/org/apache/iceberg/rest/TestHTTPClient.java:
##########
@@ -395,6 +407,99 @@ public void
testLoadTLSConfigurerNotImplementTLSConfigurer() {
.hasMessageContaining("does not implement TLSConfigurer");
}
+ public static class LaxTLSConfigurer implements TLSConfigurer {
+
+ private static HostnameVerificationPolicy policy =
HostnameVerificationPolicy.BUILTIN;
+
+ static void setPolicy(HostnameVerificationPolicy policy) {
+ LaxTLSConfigurer.policy = policy;
+ }
+
+ @Override
+ public SSLContext sslContext() {
+ // Create an SSLContext that trusts MockServer's CA certificate but
still performs hostname
+ // verification during SSL handshake
+ try {
+ KeyStore keyStore =
+ new KeyStoreFactory(Configuration.configuration(), new
MockServerLogger())
+ .loadOrCreateKeyStore();
+ TrustManagerFactory tmf =
+
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ tmf.init(keyStore);
+ SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+ sslContext.init(null, tmf.getTrustManagers(), null);
+ return sslContext;
+ } catch (Exception e) {
+ throw new RuntimeException("Failed to create SSLContext", e);
+ }
+ }
+
+ @Override
+ public HostnameVerificationPolicy hostnameVerificationPolicy() {
+ return policy;
+ }
+
+ @Override
+ public HostnameVerifier hostnameVerifier() {
+ // Disable hostname verification at HttpClient level (post SSL handshake)
+ return NoopHostnameVerifier.INSTANCE;
+ }
+ }
+
+ @ParameterizedTest
+ @EnumSource(HostnameVerificationPolicy.class)
+ public void testTLSConfigurerHostnameVerificationPolicy(
+ HostnameVerificationPolicy policy, @TempDir Path temp) throws
IOException {
+
+ // Start a dedicated MockServer with a certificate that does NOT include
127.0.0.1 or localhost
+ // in its SANs. Hostname verification must be disabled for this test to
pass.
+ Configuration tlsConfig = Configuration.configuration();
+ tlsConfig.proactivelyInitialiseTLS(true);
+ tlsConfig.preventCertificateDynamicUpdate(true);
+ tlsConfig.sslCertificateDomainName("example.com");
+ tlsConfig.sslSubjectAlternativeNameIps(Sets.newHashSet("1.2.3.4"));
+ tlsConfig.sslSubjectAlternativeNameDomains(Sets.newHashSet("example.com"));
+
tlsConfig.directoryToSaveDynamicSSLCertificate(temp.toFile().getAbsolutePath());
+
+ int tlsPort = PORT + 1;
+ try (ClientAndServer server = startClientAndServer(tlsConfig, tlsPort)) {
+
+ String path = "tls/path";
+ HttpRequest mockRequest =
+ request()
+ .withPath("/" + path)
+ .withMethod(HttpMethod.HEAD.name().toUpperCase(Locale.ROOT));
+ HttpResponse mockResponse = response().withStatusCode(200).withBody("TLS
response");
+ server.when(mockRequest).respond(mockResponse);
+
+ LaxTLSConfigurer.setPolicy(policy);
Review Comment:
Good idea, added.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
