[ISSUE#3315]Nacos client support https

client/src/main/java/com/alibaba/nacos/client/naming/net/HttpClient.java

@@ -18,6 +18,7 @@
 
 import com.alibaba.nacos.api.common.Constants;
 import com.alibaba.nacos.common.http.client.NacosRestTemplate;
+import com.alibaba.nacos.common.tls.TlsSystemConfig;
 import com.alibaba.nacos.common.utils.HttpMethod;
 import com.alibaba.nacos.common.utils.IoUtils;
 import com.alibaba.nacos.common.utils.StringUtils;
@@ -53,7 +54,7 @@ public class HttpClient {
 
     public static final int CON_TIME_OUT_MILLIS = Integer.getInteger("com.alibaba.nacos.client.naming.ctimeout", 3000);
 
-    private static final boolean ENABLE_HTTPS = Boolean.getBoolean("com.alibaba.nacos.client.naming.tls.enable");
+    private static final boolean ENABLE_HTTPS = Boolean.getBoolean(TlsSystemConfig.TLS_ENABLE);
 
     static {
         // limit max redirection

client/src/main/java/com/alibaba/nacos/client/naming/net/NamingHttpClientManager.java

@@ -23,6 +23,7 @@
 import com.alibaba.nacos.common.http.HttpClientFactory;
 import com.alibaba.nacos.common.http.client.NacosRestTemplate;
 import com.alibaba.nacos.common.lifecycle.Closeable;
+import com.alibaba.nacos.common.tls.TlsSystemConfig;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import org.slf4j.Logger;
 
@@ -40,7 +41,7 @@ public class NamingHttpClientManager implements Closeable {
 
     private static final int CON_TIME_OUT_MILLIS = Integer.getInteger("com.alibaba.nacos.client.naming.ctimeout", 3000);
 
-    private static final boolean ENABLE_HTTPS = Boolean.getBoolean("com.alibaba.nacos.client.naming.tls.enable");
+    private static final boolean ENABLE_HTTPS = Boolean.getBoolean(TlsSystemConfig.TLS_ENABLE);
 
     private static final int MAX_REDIRECTS = 5;
 
@@ -85,7 +86,7 @@ protected HttpClientConfig buildHttpClientConfig() {
             return HttpClientConfig.builder().setConTimeOutMillis(CON_TIME_OUT_MILLIS)
                     .setReadTimeOutMillis(READ_TIME_OUT_MILLIS).setMaxRedirects(MAX_REDIRECTS).build();
         }
-
+        
         @Override
         protected Logger assignLogger() {
             return NAMING_LOGGER;

common/src/main/java/com/alibaba/nacos/common/http/AbstractHttpClientFactory.java

@@ -20,10 +20,22 @@
 import com.alibaba.nacos.common.http.client.NacosRestTemplate;
 import com.alibaba.nacos.common.http.client.request.DefaultAsyncHttpClientRequest;
 import com.alibaba.nacos.common.http.client.request.JdkHttpClientRequest;
+import com.alibaba.nacos.common.tls.SelfHostnameVerifier;
+import com.alibaba.nacos.common.tls.TlsFileWatcher;
+import com.alibaba.nacos.common.tls.TlsHelper;
+import com.alibaba.nacos.common.tls.TlsSystemConfig;
+import com.alibaba.nacos.common.utils.BiConsumer;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.impl.nio.client.HttpAsyncClients;
 import org.slf4j.Logger;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+
 /**
  * AbstractHttpClientFactory Let the creator only specify the http client config.
  *
@@ -34,7 +46,23 @@ public abstract class AbstractHttpClientFactory implements HttpClientFactory {
     @Override
     public final NacosRestTemplate createNacosRestTemplate() {
         HttpClientConfig httpClientConfig = buildHttpClientConfig();
-        return new NacosRestTemplate(assignLogger(), new JdkHttpClientRequest(httpClientConfig));
+        final JdkHttpClientRequest clientRequest = new JdkHttpClientRequest(httpClientConfig);
+
+        // enable ssl
+        initTls(new BiConsumer<SSLContext, HostnameVerifier>() {
+            @Override
+            public void accept(SSLContext sslContext, HostnameVerifier hostnameVerifier) {
+                clientRequest.setSSLContext(loadSSLContext());
+                clientRequest.replaceSSLHostnameVerifier(hostnameVerifier);
+            }
+        }, new TlsFileWatcher.FileChangeListener() {
+            @Override
+            public void onChanged(String filePath) {
+                clientRequest.setSSLContext(loadSSLContext());
+            }
+        });
+
+        return new NacosRestTemplate(assignLogger(), clientRequest);
     }
 
     @Override
@@ -51,6 +79,43 @@ private RequestConfig getRequestConfig() {
                 .setMaxRedirects(httpClientConfig.getMaxRedirects()).build();
     }
 
+    protected void initTls(BiConsumer<SSLContext, HostnameVerifier> initTlsBiFunc,
+            TlsFileWatcher.FileChangeListener tlsChangeListener) {
+        if (!TlsSystemConfig.tlsEnable) {
+            return;
+        }
+
+        final HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
+        final SelfHostnameVerifier selfHostnameVerifier = new SelfHostnameVerifier(hv);
+
+        initTlsBiFunc.accept(loadSSLContext(), selfHostnameVerifier);
+
+        if (tlsChangeListener != null) {
+            try {
+                TlsFileWatcher.getInstance()
+                        .addFileChangeListener(tlsChangeListener, TlsSystemConfig.tlsClientTrustCertPath,
+                                TlsSystemConfig.tlsClientKeyPath);
+            } catch (IOException e) {
+                assignLogger().error("add tls file listener fail", e);
+            }
+        }
+    }
+
+    @SuppressWarnings("checkstyle:abbreviationaswordinname")
+    protected synchronized SSLContext loadSSLContext() {
+        if (!TlsSystemConfig.tlsEnable) {
+            return null;
+        }
+        try {
+            return TlsHelper.buildSslContext(true);
+        } catch (NoSuchAlgorithmException e) {
+            assignLogger().error("Failed to create SSLContext", e);
+        } catch (KeyManagementException e) {
+            assignLogger().error("Failed to create SSLContext", e);
+        }
+        return null;
+    }
+
     /**
      * build http client config.
      *

common/src/main/java/com/alibaba/nacos/common/http/client/request/JdkHttpClientRequest.java

@@ -26,6 +26,9 @@
 import com.alibaba.nacos.common.model.RequestHttpEntity;
 import com.alibaba.nacos.common.utils.JacksonUtils;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URI;
@@ -45,6 +48,30 @@ public JdkHttpClientRequest(HttpClientConfig httpClientConfig) {
         this.httpClientConfig = httpClientConfig;
     }
 
+    /**
+     * Use specified {@link SSLContext}.
+     *
+     * @param sslContext ssl context
+     */
+    @SuppressWarnings("checkstyle:abbreviationaswordinname")
+    public void setSSLContext(SSLContext sslContext) {
+        if (sslContext != null) {
+            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
+        }
+    }
+
+    /**
+     * Replace the default HostnameVerifier.
+     *
+     * @param hostnameVerifier custom hostnameVerifier
+     */
+    @SuppressWarnings("checkstyle:abbreviationaswordinname")
+    public void replaceSSLHostnameVerifier(HostnameVerifier hostnameVerifier) {
+        if (hostnameVerifier != null) {
+            HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
+        }
+    }
+
     @Override
     public HttpClientResponse execute(URI uri, String httpMethod, RequestHttpEntity requestHttpEntity)
             throws Exception {

common/src/main/java/com/alibaba/nacos/common/tls/SelfHostnameVerifier.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.common.tls;
+
+import com.alibaba.nacos.common.utils.IpUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSession;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * A HostnameVerifier verify ipv4 and localhost.
+ *
+ * @author wangwei
+ */
+
+public final class SelfHostnameVerifier implements HostnameVerifier {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SelfHostnameVerifier.class);
+
+    private final HostnameVerifier hv;
+
+    private static ConcurrentHashMap<String, Boolean> hosts = new ConcurrentHashMap<String, Boolean>();
+
+    private static final String[] LOCALHOST_HOSTNAME = new String[] {"localhost", "127.0.0.1"};
+
+    public SelfHostnameVerifier(HostnameVerifier hv) {
+        this.hv = hv;
+    }
+
+    @Override
+    public boolean verify(String hostname, SSLSession session) {
+        if (LOCALHOST_HOSTNAME[0].equalsIgnoreCase(hostname) || LOCALHOST_HOSTNAME[1].equals(hostname)) {
+            return true;
+        }
+        if (isIpv4(hostname)) {
+            return true;
+        }
+        return hv.verify(hostname, session);
+    }
+
+    private static boolean isIpv4(String host) {
+        if (host == null || host.isEmpty()) {
+            LOGGER.warn("host is empty, isIPv4 = false");
+            return false;
+        }
+        Boolean cacheHostVerify = hosts.get(host);
+        if (cacheHostVerify != null) {
+            return cacheHostVerify;
+        }
+        boolean isIp = IpUtils.isIpv4(host);
+        hosts.putIfAbsent(host, isIp);
+        return isIp;
+    }
+}

common/src/main/java/com/alibaba/nacos/common/tls/SelfTrustManager.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.common.tls;
+
+import com.alibaba.nacos.common.utils.IoUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.net.ssl.SSLException;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+
+/**
+ * A TrustManager tool returns the specified TrustManager.
+ *
+ * @author wangwei
+ */
+public final class SelfTrustManager {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(SelfTrustManager.class);
+
+    @SuppressWarnings("checkstyle:WhitespaceAround")
+    static TrustManager[] trustAll = new TrustManager[] {new X509TrustManager() {
+
+        @Override
+        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+            return null;
+        }
+    }};
+
+    /**
+     * Returns the result of calling {@link #buildSecureTrustManager} if {@code needAuth} is enable and {@code
+     * trustCertPath} exists. Returns the {@link trustAll} otherwise.
+     *
+     * @param needAuth      whether need client auth
+     * @param trustCertPath trust certificate path
+     * @return Array of {@link TrustManager }
+     */
+    public static TrustManager[] trustManager(boolean needAuth, String trustCertPath) {
+        if (needAuth) {
+            try {
+                return trustCertPath == null ? null : buildSecureTrustManager(trustCertPath);
+            } catch (SSLException e) {
+                LOGGER.warn("degrade trust manager as build failed, " + "will trust all certs.");
+                return trustAll;
+            }
+        } else {
+            return trustAll;
+        }
+    }
+
+    private static TrustManager[] buildSecureTrustManager(String trustCertPath) throws SSLException {
+        TrustManagerFactory selfTmf;
+        InputStream in = null;
+
+        try {
+            String algorithm = TrustManagerFactory.getDefaultAlgorithm();
+            selfTmf = TrustManagerFactory.getInstance(algorithm);
+
+            KeyStore trustKeyStore = KeyStore.getInstance("JKS");
+            trustKeyStore.load(null, null);
+
+            in = new FileInputStream(trustCertPath);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+
+            Collection<X509Certificate> certs = (Collection<X509Certificate>) cf.generateCertificates(in);
+            int count = 0;
+            for (Certificate cert : certs) {
+                trustKeyStore.setCertificateEntry("cert-" + (count++), cert);
+            }
+
+            selfTmf.init(trustKeyStore);
+            return selfTmf.getTrustManagers();
+        } catch (Exception e) {
+            LOGGER.error("build client trustManagerFactory failed", e);
+            throw new SSLException(e);
+        } finally {
+            IoUtils.closeQuietly(in);
+        }
+    }
+}