redo changes

madhav-db · madhav-db · commit b28d0fb409d7 · 2025-04-21T20:25:43.000+05:30
diff --git a/src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java b/src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java
@@ -51,6 +51,14 @@ public static PoolingHttpClientConnectionManager getBaseConnectionManager(
           SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
     }
 
+    // If self-signed certificates are allowed, use a trust-all socket factory
+    if (connectionContext.allowSelfSignedCerts()) {
+      LOGGER.warn(
+          "Self-signed certificates are allowed. Please only use this parameter (AllowSelfSignedCerts) when you're sure of what you're doing. This is not recommended for production use.");
+      return new PoolingHttpClientConnectionManager(
+          SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
+    }
+
     // For standard SSL configuration, create a custom socket factory registry
     Registry<ConnectionSocketFactory> socketFactoryRegistry =
         createConnectionSocketFactoryRegistry(connectionContext);
@@ -67,7 +75,59 @@ public static PoolingHttpClientConnectionManager getBaseConnectionManager(
   public static Registry<ConnectionSocketFactory> createConnectionSocketFactoryRegistry(
       IDatabricksConnectionContext connectionContext) throws DatabricksHttpException {
 
-    return createRegistryWithSystemOrDefaultTrustStore(connectionContext);
+    // First check if a custom trust store is specified
+    if (connectionContext.getSSLTrustStore() != null) {
+      return createRegistryWithCustomTrustStore(connectionContext);
+    } else {
+      return createRegistryWithSystemOrDefaultTrustStore(connectionContext);
+    }
+  }
+
+  /**
+   * Creates a socket factory registry using a custom trust store.
+   *
+   * @param connectionContext The connection context containing the trust store information.
+   * @return A registry of connection socket factories.
+   * @throws DatabricksHttpException If there is an error setting up the trust store.
+   */
+  private static Registry<ConnectionSocketFactory> createRegistryWithCustomTrustStore(
+      IDatabricksConnectionContext connectionContext) throws DatabricksHttpException {
+
+    try {
+      KeyStore trustStore = loadTruststoreOrNull(connectionContext);
+      if (trustStore == null) {
+        String errorMessage =
+            "Specified trust store could not be loaded: " + connectionContext.getSSLTrustStore();
+        handleError(errorMessage, new IOException(errorMessage));
+      }
+
+      // Get trust anchors from custom store
+      Set<TrustAnchor> trustAnchors = getTrustAnchorsFromTrustStore(trustStore);
+      if (trustAnchors.isEmpty()) {
+        String errorMessage =
+            "Custom trust store contains no trust anchors. Certificate validation will fail.";
+        handleError(errorMessage, new KeyStoreException(errorMessage));
+      }
+
+      LOGGER.info("Using custom trust store: " + connectionContext.getSSLTrustStore());
+
+      // Create trust managers from trust store
+      TrustManager[] trustManagers =
+          createTrustManagers(
+              trustAnchors,
+              connectionContext.checkCertificateRevocation(),
+              connectionContext.acceptUndeterminedCertificateRevocation());
+
+      // Create socket factory registry
+      return createSocketFactoryRegistry(trustManagers);
+    } catch (DatabricksHttpException
+        | NoSuchAlgorithmException
+        | InvalidAlgorithmParameterException
+        | KeyManagementException e) {
+      handleError(
+          "Error while setting up custom trust store: " + connectionContext.getSSLTrustStore(), e);
+    }
+    return null; // This will never be reached, but is required for method signature.
   }
 
   /**
@@ -297,6 +357,57 @@ private static X509TrustManager findX509TrustManager(TrustManager[] trustManager
     return null;
   }
 
+  /**
+   * Loads a trust store from the path specified in the connection context.
+   *
+   * @param connectionContext The connection context containing trust store configuration.
+   * @return The loaded KeyStore or null if it could not be loaded.
+   * @throws DatabricksHttpException If there is an error during loading.
+   */
+  public static KeyStore loadTruststoreOrNull(IDatabricksConnectionContext connectionContext)
+      throws DatabricksHttpException {
+    String trustStorePath = connectionContext.getSSLTrustStore();
+    if (trustStorePath == null) {
+      return null;
+    }
+
+    // If the specified file doesn't exist, throw a specific error
+    File trustStoreFile = new File(trustStorePath);
+    if (!trustStoreFile.exists()) {
+      String errorMessage = "Specified trust store file does not exist: " + trustStorePath;
+      handleError(errorMessage, new IOException(errorMessage));
+    }
+
+    char[] password = null;
+    if (connectionContext.getSSLTrustStorePassword() != null) {
+      password = connectionContext.getSSLTrustStorePassword().toCharArray();
+    }
+
+    // Get the specified type, defaulting to JKS if not specified
+    String trustStoreType = connectionContext.getSSLTrustStoreType();
+    if (trustStoreType == null || trustStoreType.isEmpty()) {
+      trustStoreType = "JKS"; // Default to JKS if not specified
+    }
+
+    try (FileInputStream trustStoreStream = new FileInputStream(trustStorePath)) {
+      LOGGER.info("Loading trust store as type: " + trustStoreType);
+      KeyStore trustStore = KeyStore.getInstance(trustStoreType);
+      trustStore.load(trustStoreStream, password);
+      LOGGER.info("Successfully loaded trust store: " + trustStorePath);
+      return trustStore;
+    } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
+      String errorMessage =
+          "Failed to load trust store: "
+              + trustStorePath
+              + " with type "
+              + trustStoreType
+              + ": "
+              + e.getMessage();
+      handleError(errorMessage, e);
+    }
+    return null; // This will never be reached, but is required for method signature.
+  }
+
   /**
    * Extracts trust anchors from a KeyStore.
    *
diff --git a/src/test/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtilsTest.java b/src/test/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtilsTest.java
@@ -64,20 +64,24 @@ static void setup() throws Exception {
 
   private static void createEmptyTrustStore()
       throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
+    String password = TRUST_STORE_PASSWORD;
     // Create an empty JKS keystore
     KeyStore keyStore = KeyStore.getInstance(TRUST_STORE_TYPE);
-    keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
+    keyStore.load(null, password.toCharArray());
 
     // Save the empty keystore to a file
     try (FileOutputStream fos = new FileOutputStream(EMPTY_TRUST_STORE_PATH)) {
-      keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
+      keyStore.store(fos, password.toCharArray());
     }
   }
 
   private static void createDummyTrustStore() throws Exception {
+    String trustStorePassword = TRUST_STORE_PASSWORD; // Password for the trust store
+    String alias = "dummy-cert"; // Alias for the dummy certificate
+
     // Create an empty JKS keystore
     KeyStore keyStore = KeyStore.getInstance(TRUST_STORE_TYPE);
-    keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
+    keyStore.load(null, trustStorePassword.toCharArray());
 
     // Generate a key pair (public and private keys)
     KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
@@ -86,9 +90,13 @@ private static void createDummyTrustStore() throws Exception {
 
     // Create a self-signed certificate
     X509Certificate certificate = generateBarebonesCertificate(keyPair);
-    keyStore.setCertificateEntry("dummy-cert", certificate);
+
+    // Add the certificate to the keystore
+    keyStore.setCertificateEntry(alias, certificate);
+
+    // Save the keystore to a file
     try (FileOutputStream fos = new FileOutputStream(DUMMY_TRUST_STORE_PATH)) {
-      keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
+      keyStore.store(fos, trustStorePassword.toCharArray());
     }
   }
 
@@ -129,13 +137,46 @@ static void cleanup() {
     }
   }
 
+  @Test
+  void testGetConnectionSocketFactoryRegistry() throws DatabricksHttpException {
+    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
+    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
+    when(mockContext.getSSLTrustStore()).thenReturn(EMPTY_TRUST_STORE_PATH);
+    assertThrows(
+        DatabricksHttpException.class,
+        () -> ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext),
+        "the trustAnchors parameter must be non-empty");
+
+    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
+    Registry<ConnectionSocketFactory> registry =
+        ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
+    assertInstanceOf(
+        SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
+    assertInstanceOf(
+        PlainConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTP));
+  }
+
+  @Test
+  void testGetTrustAnchorsFromTrustStore() throws DatabricksHttpException {
+    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
+    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
+    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
+    KeyStore trustStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
+    Set<TrustAnchor> trustAnchors = ConfiguratorUtils.getTrustAnchorsFromTrustStore(trustStore);
+    assertTrue(
+        trustAnchors.stream()
+            .anyMatch(ta -> ta.getTrustedCert().getIssuerDN().toString().contains(CERTIFICATE_CN)));
+  }
+
   @Test
   void testGetBaseConnectionManager_NoSSLTrustStoreAndRevocationCheckEnabled()
       throws DatabricksHttpException {
     // Define behavior for mock context
+    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(false);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
+    when(mockContext.allowSelfSignedCerts()).thenReturn(false);
 
     try (MockedStatic<ConfiguratorUtils> configuratorUtils =
         mockStatic(ConfiguratorUtils.class, withSettings().defaultAnswer(CALLS_REAL_METHODS))) {
@@ -179,20 +220,43 @@ void testUseSystemTrustStoreFalse_NoCustomTrustStore() throws DatabricksHttpExce
     // Scenario: useSystemTrustStore=false and no custom trust store provided
     // Should use JDK default trust store and ignore system property
 
+    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
     when(mockContext.checkCertificateRevocation()).thenReturn(false);
 
-    Registry<ConnectionSocketFactory> registry =
-        ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
-    assertNotNull(registry);
-    assertInstanceOf(
-        SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
+    try {
+      Registry<ConnectionSocketFactory> registry =
+          ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
+      assertNotNull(registry);
+      assertInstanceOf(
+          SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
+    } catch (Exception e) {
+      fail(
+          "Should not throw exception when useSystemTrustStore=false and no custom trust store: "
+              + e.getMessage());
+    }
+  }
+
+  @Test
+  void testAllowSelfSignedCerts() throws DatabricksHttpException {
+    // Scenario: allowSelfSignedCerts=true
+    // Should use trust-all socket factory
+
+    when(mockContext.allowSelfSignedCerts()).thenReturn(true);
+
+    PoolingHttpClientConnectionManager connManager =
+        ConfiguratorUtils.getBaseConnectionManager(mockContext);
+
+    assertNotNull(connManager);
   }
 
   @Test
   void testCustomTrustStore_WithRevocationChecking() throws DatabricksHttpException {
     // Scenario: Custom trust store with certificate revocation checking
 
+    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
+    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
+    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(true);
 
@@ -204,6 +268,41 @@ void testCustomTrustStore_WithRevocationChecking() throws DatabricksHttpExceptio
         SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
   }
 
+  @Test
+  void testLoadTruststoreWithAutoDetection()
+      throws DatabricksHttpException,
+          IOException,
+          KeyStoreException,
+          CertificateException,
+          NoSuchAlgorithmException {
+    // Scenario: Trust store type auto-detection
+    // Create a trust store with default type but try to load with different types
+
+    String tempTrustStorePath = BASE_TRUST_STORE_PATH + "auto-detect-truststore.jks";
+
+    try {
+      // Create a trust store with password but without specifying type
+      KeyStore keyStore = KeyStore.getInstance("JKS");
+      keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
+      try (FileOutputStream fos = new FileOutputStream(tempTrustStorePath)) {
+        keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
+      }
+
+      when(mockContext.getSSLTrustStore()).thenReturn(tempTrustStorePath);
+      when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
+      when(mockContext.getSSLTrustStoreType()).thenReturn(null); // No type specified
+
+      KeyStore loadedStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
+      assertNotNull(loadedStore, "Trust store should be auto-detected and loaded");
+    } finally {
+      try {
+        Files.delete(Path.of(tempTrustStorePath));
+      } catch (IOException e) {
+        LOGGER.info("Failed to delete temp trust store file: " + e.getMessage());
+      }
+    }
+  }
+
   @Test
   void testCreateRegistryWithSystemPropertyTrustStore() throws DatabricksHttpException {
     // Save original system properties to restore later
@@ -216,6 +315,8 @@ void testCreateRegistryWithSystemPropertyTrustStore() throws DatabricksHttpExcep
       System.setProperty("javax.net.ssl.trustStore", DUMMY_TRUST_STORE_PATH);
       System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
       System.setProperty("javax.net.ssl.trustStoreType", TRUST_STORE_TYPE);
+
+      when(mockContext.getSSLTrustStore()).thenReturn(null);
       when(mockContext.useSystemTrustStore()).thenReturn(true);
       when(mockContext.checkCertificateRevocation()).thenReturn(false);
 
@@ -261,6 +362,7 @@ void testCreateRegistryWithSystemPropertyTrustStore_WithRevocationChecking()
       System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
       System.setProperty("javax.net.ssl.trustStoreType", TRUST_STORE_TYPE);
 
+      when(mockContext.getSSLTrustStore()).thenReturn(null);
       when(mockContext.useSystemTrustStore()).thenReturn(true);
       when(mockContext.checkCertificateRevocation()).thenReturn(true);
       when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(true);
@@ -293,9 +395,35 @@ void testCreateRegistryWithSystemPropertyTrustStore_WithRevocationChecking()
     }
   }
 
+  @Test
+  void testNonExistentTrustStore() {
+    // Create a mock with lenient verification since this test only expects an exception
+    IDatabricksConnectionContext mockContextLocal = mock(IDatabricksConnectionContext.class);
+
+    String nonExistentPath = "/path/to/nonexistent/truststore.jks";
+    when(mockContextLocal.getSSLTrustStore()).thenReturn(nonExistentPath);
+
+    DatabricksHttpException exception =
+        assertThrows(
+            DatabricksHttpException.class,
+            () -> ConfiguratorUtils.loadTruststoreOrNull(mockContextLocal));
+
+    assertTrue(
+        exception.getMessage().contains("does not exist"),
+        "Exception should mention that the trust store does not exist");
+  }
+
   @Test
   void testCreateTrustManagers_WithAndWithoutRevocationChecking() throws Exception {
     // Load a real trust store to test with
+    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
+    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
+    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
+
+    KeyStore trustStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
+    Set<TrustAnchor> trustAnchors = ConfiguratorUtils.getTrustAnchorsFromTrustStore(trustStore);
+
+    // We're testing a private method, so we'll verify the public method behavior that uses it
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(false);
     Registry<ConnectionSocketFactory> revocationCheckingRegistry =
@@ -311,6 +439,8 @@ void testCreateTrustManagers_WithAndWithoutRevocationChecking() throws Exception
 
   @Test
   void testFindX509TrustManager() throws Exception {
+    // Test instance method rather than using reflection on the private static method
+    // First test that we can create a trust manager factory
     TrustManagerFactory tmf =
         TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     tmf.init((KeyStore) null);
@@ -354,6 +484,7 @@ void testCreateSocketFactoryRegistry() throws Exception {
     tmf.init((KeyStore) null);
 
     // Create a registry with the system default trust managers
+    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.checkCertificateRevocation()).thenReturn(false);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
 
