Merge remote-tracking branch 'origin/ssl-tests-and-ci' into ssl-tests-and-ci

madhav-db · madhav-db · commit c7cbb3a13f46 · 2025-04-21T20:23:52.000+05:30
diff --git a/src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java b/src/main/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.java
@@ -51,14 +51,6 @@ public static PoolingHttpClientConnectionManager getBaseConnectionManager(
           SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
     }
 
-    // If self-signed certificates are allowed, use a trust-all socket factory
-    if (connectionContext.allowSelfSignedCerts()) {
-      LOGGER.warn(
-          "Self-signed certificates are allowed. Please only use this parameter (AllowSelfSignedCerts) when you're sure of what you're doing. This is not recommended for production use.");
-      return new PoolingHttpClientConnectionManager(
-          SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
-    }
-
     // For standard SSL configuration, create a custom socket factory registry
     Registry<ConnectionSocketFactory> socketFactoryRegistry =
         createConnectionSocketFactoryRegistry(connectionContext);
@@ -75,59 +67,7 @@ public static PoolingHttpClientConnectionManager getBaseConnectionManager(
   public static Registry<ConnectionSocketFactory> createConnectionSocketFactoryRegistry(
       IDatabricksConnectionContext connectionContext) throws DatabricksHttpException {
 
-    // First check if a custom trust store is specified
-    if (connectionContext.getSSLTrustStore() != null) {
-      return createRegistryWithCustomTrustStore(connectionContext);
-    } else {
-      return createRegistryWithSystemOrDefaultTrustStore(connectionContext);
-    }
-  }
-
-  /**
-   * Creates a socket factory registry using a custom trust store.
-   *
-   * @param connectionContext The connection context containing the trust store information.
-   * @return A registry of connection socket factories.
-   * @throws DatabricksHttpException If there is an error setting up the trust store.
-   */
-  private static Registry<ConnectionSocketFactory> createRegistryWithCustomTrustStore(
-      IDatabricksConnectionContext connectionContext) throws DatabricksHttpException {
-
-    try {
-      KeyStore trustStore = loadTruststoreOrNull(connectionContext);
-      if (trustStore == null) {
-        String errorMessage =
-            "Specified trust store could not be loaded: " + connectionContext.getSSLTrustStore();
-        handleError(errorMessage, new IOException(errorMessage));
-      }
-
-      // Get trust anchors from custom store
-      Set<TrustAnchor> trustAnchors = getTrustAnchorsFromTrustStore(trustStore);
-      if (trustAnchors.isEmpty()) {
-        String errorMessage =
-            "Custom trust store contains no trust anchors. Certificate validation will fail.";
-        handleError(errorMessage, new KeyStoreException(errorMessage));
-      }
-
-      LOGGER.info("Using custom trust store: " + connectionContext.getSSLTrustStore());
-
-      // Create trust managers from trust store
-      TrustManager[] trustManagers =
-          createTrustManagers(
-              trustAnchors,
-              connectionContext.checkCertificateRevocation(),
-              connectionContext.acceptUndeterminedCertificateRevocation());
-
-      // Create socket factory registry
-      return createSocketFactoryRegistry(trustManagers);
-    } catch (DatabricksHttpException
-        | NoSuchAlgorithmException
-        | InvalidAlgorithmParameterException
-        | KeyManagementException e) {
-      handleError(
-          "Error while setting up custom trust store: " + connectionContext.getSSLTrustStore(), e);
-    }
-    return null; // This will never be reached, but is required for method signature.
+    return createRegistryWithSystemOrDefaultTrustStore(connectionContext);
   }
 
   /**
@@ -357,57 +297,6 @@ private static X509TrustManager findX509TrustManager(TrustManager[] trustManager
     return null;
   }
 
-  /**
-   * Loads a trust store from the path specified in the connection context.
-   *
-   * @param connectionContext The connection context containing trust store configuration.
-   * @return The loaded KeyStore or null if it could not be loaded.
-   * @throws DatabricksHttpException If there is an error during loading.
-   */
-  public static KeyStore loadTruststoreOrNull(IDatabricksConnectionContext connectionContext)
-      throws DatabricksHttpException {
-    String trustStorePath = connectionContext.getSSLTrustStore();
-    if (trustStorePath == null) {
-      return null;
-    }
-
-    // If the specified file doesn't exist, throw a specific error
-    File trustStoreFile = new File(trustStorePath);
-    if (!trustStoreFile.exists()) {
-      String errorMessage = "Specified trust store file does not exist: " + trustStorePath;
-      handleError(errorMessage, new IOException(errorMessage));
-    }
-
-    char[] password = null;
-    if (connectionContext.getSSLTrustStorePassword() != null) {
-      password = connectionContext.getSSLTrustStorePassword().toCharArray();
-    }
-
-    // Get the specified type, defaulting to JKS if not specified
-    String trustStoreType = connectionContext.getSSLTrustStoreType();
-    if (trustStoreType == null || trustStoreType.isEmpty()) {
-      trustStoreType = "JKS"; // Default to JKS if not specified
-    }
-
-    try (FileInputStream trustStoreStream = new FileInputStream(trustStorePath)) {
-      LOGGER.info("Loading trust store as type: " + trustStoreType);
-      KeyStore trustStore = KeyStore.getInstance(trustStoreType);
-      trustStore.load(trustStoreStream, password);
-      LOGGER.info("Successfully loaded trust store: " + trustStorePath);
-      return trustStore;
-    } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
-      String errorMessage =
-          "Failed to load trust store: "
-              + trustStorePath
-              + " with type "
-              + trustStoreType
-              + ": "
-              + e.getMessage();
-      handleError(errorMessage, e);
-    }
-    return null; // This will never be reached, but is required for method signature.
-  }
-
   /**
    * Extracts trust anchors from a KeyStore.
    *
diff --git a/src/test/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtilsTest.java b/src/test/java/com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtilsTest.java
@@ -64,24 +64,20 @@ static void setup() throws Exception {
 
   private static void createEmptyTrustStore()
       throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
-    String password = TRUST_STORE_PASSWORD;
     // Create an empty JKS keystore
     KeyStore keyStore = KeyStore.getInstance(TRUST_STORE_TYPE);
-    keyStore.load(null, password.toCharArray());
+    keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
 
     // Save the empty keystore to a file
     try (FileOutputStream fos = new FileOutputStream(EMPTY_TRUST_STORE_PATH)) {
-      keyStore.store(fos, password.toCharArray());
+      keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
     }
   }
 
   private static void createDummyTrustStore() throws Exception {
-    String trustStorePassword = TRUST_STORE_PASSWORD; // Password for the trust store
-    String alias = "dummy-cert"; // Alias for the dummy certificate
-
     // Create an empty JKS keystore
     KeyStore keyStore = KeyStore.getInstance(TRUST_STORE_TYPE);
-    keyStore.load(null, trustStorePassword.toCharArray());
+    keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
 
     // Generate a key pair (public and private keys)
     KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
@@ -90,13 +86,9 @@ private static void createDummyTrustStore() throws Exception {
 
     // Create a self-signed certificate
     X509Certificate certificate = generateBarebonesCertificate(keyPair);
-
-    // Add the certificate to the keystore
-    keyStore.setCertificateEntry(alias, certificate);
-
-    // Save the keystore to a file
+    keyStore.setCertificateEntry("dummy-cert", certificate);
     try (FileOutputStream fos = new FileOutputStream(DUMMY_TRUST_STORE_PATH)) {
-      keyStore.store(fos, trustStorePassword.toCharArray());
+      keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
     }
   }
 
@@ -137,46 +129,13 @@ static void cleanup() {
     }
   }
 
-  @Test
-  void testGetConnectionSocketFactoryRegistry() throws DatabricksHttpException {
-    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
-    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
-    when(mockContext.getSSLTrustStore()).thenReturn(EMPTY_TRUST_STORE_PATH);
-    assertThrows(
-        DatabricksHttpException.class,
-        () -> ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext),
-        "the trustAnchors parameter must be non-empty");
-
-    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
-    Registry<ConnectionSocketFactory> registry =
-        ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
-    assertInstanceOf(
-        SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
-    assertInstanceOf(
-        PlainConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTP));
-  }
-
-  @Test
-  void testGetTrustAnchorsFromTrustStore() throws DatabricksHttpException {
-    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
-    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
-    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
-    KeyStore trustStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
-    Set<TrustAnchor> trustAnchors = ConfiguratorUtils.getTrustAnchorsFromTrustStore(trustStore);
-    assertTrue(
-        trustAnchors.stream()
-            .anyMatch(ta -> ta.getTrustedCert().getIssuerDN().toString().contains(CERTIFICATE_CN)));
-  }
-
   @Test
   void testGetBaseConnectionManager_NoSSLTrustStoreAndRevocationCheckEnabled()
       throws DatabricksHttpException {
     // Define behavior for mock context
-    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(false);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
-    when(mockContext.allowSelfSignedCerts()).thenReturn(false);
 
     try (MockedStatic<ConfiguratorUtils> configuratorUtils =
         mockStatic(ConfiguratorUtils.class, withSettings().defaultAnswer(CALLS_REAL_METHODS))) {
@@ -220,43 +179,20 @@ void testUseSystemTrustStoreFalse_NoCustomTrustStore() throws DatabricksHttpExce
     // Scenario: useSystemTrustStore=false and no custom trust store provided
     // Should use JDK default trust store and ignore system property
 
-    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
     when(mockContext.checkCertificateRevocation()).thenReturn(false);
 
-    try {
-      Registry<ConnectionSocketFactory> registry =
-          ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
-      assertNotNull(registry);
-      assertInstanceOf(
-          SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
-    } catch (Exception e) {
-      fail(
-          "Should not throw exception when useSystemTrustStore=false and no custom trust store: "
-              + e.getMessage());
-    }
-  }
-
-  @Test
-  void testAllowSelfSignedCerts() throws DatabricksHttpException {
-    // Scenario: allowSelfSignedCerts=true
-    // Should use trust-all socket factory
-
-    when(mockContext.allowSelfSignedCerts()).thenReturn(true);
-
-    PoolingHttpClientConnectionManager connManager =
-        ConfiguratorUtils.getBaseConnectionManager(mockContext);
-
-    assertNotNull(connManager);
+    Registry<ConnectionSocketFactory> registry =
+        ConfiguratorUtils.createConnectionSocketFactoryRegistry(mockContext);
+    assertNotNull(registry);
+    assertInstanceOf(
+        SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
   }
 
   @Test
   void testCustomTrustStore_WithRevocationChecking() throws DatabricksHttpException {
     // Scenario: Custom trust store with certificate revocation checking
 
-    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
-    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
-    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(true);
 
@@ -268,41 +204,6 @@ void testCustomTrustStore_WithRevocationChecking() throws DatabricksHttpExceptio
         SSLConnectionSocketFactory.class, registry.lookup(DatabricksJdbcConstants.HTTPS));
   }
 
-  @Test
-  void testLoadTruststoreWithAutoDetection()
-      throws DatabricksHttpException,
-          IOException,
-          KeyStoreException,
-          CertificateException,
-          NoSuchAlgorithmException {
-    // Scenario: Trust store type auto-detection
-    // Create a trust store with default type but try to load with different types
-
-    String tempTrustStorePath = BASE_TRUST_STORE_PATH + "auto-detect-truststore.jks";
-
-    try {
-      // Create a trust store with password but without specifying type
-      KeyStore keyStore = KeyStore.getInstance("JKS");
-      keyStore.load(null, TRUST_STORE_PASSWORD.toCharArray());
-      try (FileOutputStream fos = new FileOutputStream(tempTrustStorePath)) {
-        keyStore.store(fos, TRUST_STORE_PASSWORD.toCharArray());
-      }
-
-      when(mockContext.getSSLTrustStore()).thenReturn(tempTrustStorePath);
-      when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
-      when(mockContext.getSSLTrustStoreType()).thenReturn(null); // No type specified
-
-      KeyStore loadedStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
-      assertNotNull(loadedStore, "Trust store should be auto-detected and loaded");
-    } finally {
-      try {
-        Files.delete(Path.of(tempTrustStorePath));
-      } catch (IOException e) {
-        LOGGER.info("Failed to delete temp trust store file: " + e.getMessage());
-      }
-    }
-  }
-
   @Test
   void testCreateRegistryWithSystemPropertyTrustStore() throws DatabricksHttpException {
     // Save original system properties to restore later
@@ -315,8 +216,6 @@ void testCreateRegistryWithSystemPropertyTrustStore() throws DatabricksHttpExcep
       System.setProperty("javax.net.ssl.trustStore", DUMMY_TRUST_STORE_PATH);
       System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
       System.setProperty("javax.net.ssl.trustStoreType", TRUST_STORE_TYPE);
-
-      when(mockContext.getSSLTrustStore()).thenReturn(null);
       when(mockContext.useSystemTrustStore()).thenReturn(true);
       when(mockContext.checkCertificateRevocation()).thenReturn(false);
 
@@ -362,7 +261,6 @@ void testCreateRegistryWithSystemPropertyTrustStore_WithRevocationChecking()
       System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
       System.setProperty("javax.net.ssl.trustStoreType", TRUST_STORE_TYPE);
 
-      when(mockContext.getSSLTrustStore()).thenReturn(null);
       when(mockContext.useSystemTrustStore()).thenReturn(true);
       when(mockContext.checkCertificateRevocation()).thenReturn(true);
       when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(true);
@@ -395,35 +293,9 @@ void testCreateRegistryWithSystemPropertyTrustStore_WithRevocationChecking()
     }
   }
 
-  @Test
-  void testNonExistentTrustStore() {
-    // Create a mock with lenient verification since this test only expects an exception
-    IDatabricksConnectionContext mockContextLocal = mock(IDatabricksConnectionContext.class);
-
-    String nonExistentPath = "/path/to/nonexistent/truststore.jks";
-    when(mockContextLocal.getSSLTrustStore()).thenReturn(nonExistentPath);
-
-    DatabricksHttpException exception =
-        assertThrows(
-            DatabricksHttpException.class,
-            () -> ConfiguratorUtils.loadTruststoreOrNull(mockContextLocal));
-
-    assertTrue(
-        exception.getMessage().contains("does not exist"),
-        "Exception should mention that the trust store does not exist");
-  }
-
   @Test
   void testCreateTrustManagers_WithAndWithoutRevocationChecking() throws Exception {
     // Load a real trust store to test with
-    when(mockContext.getSSLTrustStore()).thenReturn(DUMMY_TRUST_STORE_PATH);
-    when(mockContext.getSSLTrustStorePassword()).thenReturn(TRUST_STORE_PASSWORD);
-    when(mockContext.getSSLTrustStoreType()).thenReturn(TRUST_STORE_TYPE);
-
-    KeyStore trustStore = ConfiguratorUtils.loadTruststoreOrNull(mockContext);
-    Set<TrustAnchor> trustAnchors = ConfiguratorUtils.getTrustAnchorsFromTrustStore(trustStore);
-
-    // We're testing a private method, so we'll verify the public method behavior that uses it
     when(mockContext.checkCertificateRevocation()).thenReturn(true);
     when(mockContext.acceptUndeterminedCertificateRevocation()).thenReturn(false);
     Registry<ConnectionSocketFactory> revocationCheckingRegistry =
@@ -439,8 +311,6 @@ void testCreateTrustManagers_WithAndWithoutRevocationChecking() throws Exception
 
   @Test
   void testFindX509TrustManager() throws Exception {
-    // Test instance method rather than using reflection on the private static method
-    // First test that we can create a trust manager factory
     TrustManagerFactory tmf =
         TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
     tmf.init((KeyStore) null);
@@ -484,7 +354,6 @@ void testCreateSocketFactoryRegistry() throws Exception {
     tmf.init((KeyStore) null);
 
     // Create a registry with the system default trust managers
-    when(mockContext.getSSLTrustStore()).thenReturn(null);
     when(mockContext.checkCertificateRevocation()).thenReturn(false);
     when(mockContext.useSystemTrustStore()).thenReturn(false);
 
