From ce808d7a45768aa8f237a5a174e3f8511d261826 Mon Sep 17 00:00:00 2001
From: detmerl <laura.detmer@gmail.com>
Date: Wed, 14 Aug 2024 09:06:34 -0400
Subject: [PATCH] provide HttpTransport support for google certificates with
 apache HTTP client v5

---
 google-api-client-apache-v5/pom.xml           | 201 ++++++++++++++++++
 .../apache/v5/GoogleApache5HttpTransport.java | 149 +++++++++++++
 .../googleapis/apache/v5/package-info.java    |  20 ++
 .../v5/GoogleApache5HttpTransportTest.java    |  43 ++++
 .../v5/ITGoogleApache5HttpTransportTest.java  |  50 +++++
 google-api-client/pom.xml                     |  12 ++
 .../mtls/MtlsTransportBaseTest.java           |  10 +-
 pom.xml                                       |   1 +
 8 files changed, 481 insertions(+), 5 deletions(-)
 create mode 100644 google-api-client-apache-v5/pom.xml
 create mode 100644 google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java
 create mode 100644 google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/package-info.java
 create mode 100644 google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransportTest.java
 create mode 100644 google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java

diff --git a/google-api-client-apache-v5/pom.xml b/google-api-client-apache-v5/pom.xml
new file mode 100644
index 000000000..c92bf1feb
--- /dev/null
+++ b/google-api-client-apache-v5/pom.xml
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.google.api-client</groupId>
+        <artifactId>google-api-client-parent</artifactId>
+        <version>2.6.1-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>google-api-client-apache-v5</artifactId>
+
+        <name>Apache extensions to the Google APIs Client Library for Java</name>
+        <build>
+            <extensions>
+                <extension>
+                    <groupId>kr.motd.maven</groupId>
+                    <artifactId>os-maven-plugin</artifactId>
+                    <version>1.7.1</version>
+                </extension>
+            </extensions>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-resources-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <goals>
+                                <goal>resources</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-javadoc-plugin</artifactId>
+                    <configuration>
+                        <links>
+                            <link>https://docs.oracle.com/javase/7/docs/api/</link>
+                            <link>https://cloud.google.com/appengine/docs/standard/java/javadoc/</link>
+                            <link>https://googleapis.dev/java/google-http-client/${project.http.version}/</link>
+                            <link>https://googleapis.dev/java/google-oauth-client/${project.oauth.version}/</link>
+                        </links>
+                        <doctitle>${project.name} ${project.version}</doctitle>
+                        <windowtitle>${project.artifactId} ${project.version}</windowtitle>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <configuration>
+                        <archive>
+                            <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
+                            <manifest>
+                                <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                            </manifest>
+                            <manifestEntries>
+                                <Automatic-Module-Name>google.api.client</Automatic-Module-Name>
+                            </manifestEntries>
+                            <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
+                        </archive>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.felix</groupId>
+                    <artifactId>maven-bundle-plugin</artifactId>
+                    <version>5.1.9</version>
+                    <executions>
+                        <execution>
+                            <id>bundle-manifest</id>
+                            <phase>process-classes</phase>
+                            <goals>
+                                <goal>manifest</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                    <configuration>
+                        <instructions>
+                            <Bundle-DocURL>https://developers.google.com/api-client-library/java/</Bundle-DocURL>
+                            <Bundle-Description>Google HTTP transport wrapper for the Apache Http Client.</Bundle-Description>
+                            <Bundle-SymbolicName>com.google.api.client.googleapis.apache</Bundle-SymbolicName>
+                        </instructions>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <artifactId>maven-source-plugin</artifactId>
+                    <executions>
+                        <execution>
+                            <id>source-jar</id>
+                            <goals>
+                                <goal>jar</goal>
+                            </goals>
+                        </execution>
+                    </executions>
+                </plugin>
+
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-dependency-plugin</artifactId>
+                    <configuration>
+                        <usedDependencies>commons-codec:commons-codec</usedDependencies>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <configuration>
+                        <!-- These tests require an Env Var to be set. Use -PenvVarTest to ONLY run these tests -->
+                        <test>!AbstractGoogleClientTest#testGoogleClientBuilder_noCustomUniverseDomain_universeDomainEnvVar+testGoogleClientBuilder_customUniverseDomain_universeDomainEnvVar</test>
+                    </configuration>
+                </plugin>
+            </plugins>
+
+            <resources>
+                <resource>
+                    <directory>src/main/resources</directory>
+                </resource>
+                <resource>
+                    <directory>src/main/properties</directory>
+                    <filtering>true</filtering>
+                </resource>
+            </resources>
+        </build>
+        <dependencies>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <!-- google-api-client itself does not touch commons-codec. Its
+                  httpclient's dependency. For security advisories in commons-codec, it
+                  declares a newer commons-codec than the one declared by httpclient. -->
+                <groupId>commons-codec</groupId>
+                <artifactId>commons-codec</artifactId>
+            </dependency>
+
+            <dependency>
+                <groupId>com.google.api-client</groupId>
+                <artifactId>google-api-client</artifactId>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.httpcomponents</groupId>
+                        <artifactId>httpcore</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.httpcomponents</groupId>
+                        <artifactId>httpclient</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>com.google.http-client</groupId>
+                <artifactId>google-http-client-apache-v5</artifactId>
+                <version>1.44.3-SNAPSHOT</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents.client5</groupId>
+                <artifactId>httpclient5</artifactId>
+                <version>5.3.1</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.httpcomponents.core5</groupId>
+                <artifactId>httpcore5-h2</artifactId>
+                <version>5.2.4</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.http-client</groupId>
+                <artifactId>google-http-client</artifactId>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.apache.httpcomponents</groupId>
+                        <artifactId>httpcore</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.apache.httpcomponents</groupId>
+                        <artifactId>httpclient</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-core</artifactId>
+                <scope>test</scope>
+            </dependency>
+            <dependency>
+                <groupId>com.google.api-client</groupId>
+                <artifactId>google-api-client</artifactId>
+                <type>test-jar</type>
+                <scope>test</scope>
+                <version>2.6.1-SNAPSHOT</version>
+            </dependency>
+
+        </dependencies>
+
+
+    </project>
diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java
new file mode 100644
index 000000000..b18fd4a8e
--- /dev/null
+++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.api.client.googleapis.apache.v5;
+
+import com.google.api.client.googleapis.GoogleUtils;
+import com.google.api.client.googleapis.mtls.MtlsProvider;
+import com.google.api.client.googleapis.mtls.MtlsUtils;
+import com.google.api.client.googleapis.util.Utils;
+import com.google.api.client.http.apache.v5.Apache5HttpTransport;
+import com.google.common.annotations.Beta;
+import com.google.api.client.util.SslUtils;
+import com.google.common.annotations.VisibleForTesting;
+import org.apache.hc.client5.http.config.ConnectionConfig;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory;
+import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
+import org.apache.hc.client5.http.impl.routing.SystemDefaultRoutePlanner;
+import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
+import org.apache.hc.core5.http.config.Registry;
+import org.apache.hc.core5.http.config.RegistryBuilder;
+
+import javax.net.ssl.SSLContext;
+import java.io.IOException;
+import java.net.ProxySelector;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Utilities for Google APIs based on {@link ApacheHttpTransport}.
+ *
+ * @since 1.31
+ */
+public final class GoogleApache5HttpTransport {
+
+  /**
+   * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
+   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If
+   * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
+   * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
+   * transport uses the default client certificate and is mutual TLS.
+   */
+  public static Apache5HttpTransport newTrustedTransport()
+      throws GeneralSecurityException, IOException {
+    return newTrustedTransport(MtlsUtils.getDefaultMtlsProvider());
+  }
+
+  /**
+   * {@link Beta} <br>
+   * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
+   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used
+   * to configure mutual TLS for the transport.
+   *
+   * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport
+   */
+  @Beta
+  public static Apache5HttpTransport newTrustedTransport(MtlsProvider mtlsProvider)
+      throws GeneralSecurityException, IOException {
+
+    SocketFactoryRegistryHandler handler = new SocketFactoryRegistryHandler(mtlsProvider);
+
+    PoolingHttpClientConnectionManager connectionManager =
+        new PoolingHttpClientConnectionManager(handler.getSocketFactoryRegistry());
+    connectionManager.setMaxTotal(200);
+    connectionManager.setDefaultMaxPerRoute(20);
+    connectionManager.setDefaultConnectionConfig(
+        ConnectionConfig.custom()
+            .setTimeToLive(-1, TimeUnit.MILLISECONDS)
+            .setValidateAfterInactivity(-1L, TimeUnit.MILLISECONDS)
+            .build());
+
+    CloseableHttpClient client =
+        HttpClients.custom()
+            .useSystemProperties()
+            .setConnectionManager(connectionManager)
+            .setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()))
+            .disableRedirectHandling()
+            .disableAutomaticRetries()
+            .build();
+
+    return new Apache5HttpTransport(client, handler.isMtls());
+  }
+
+  @VisibleForTesting
+  static class SocketFactoryRegistryHandler {
+    private final Registry<ConnectionSocketFactory> socketFactoryRegistry;
+    private final boolean isMtls;
+
+    public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider)
+        throws GeneralSecurityException, IOException {
+      KeyStore mtlsKeyStore = null;
+      String mtlsKeyStorePassword = null;
+      if (mtlsProvider.useMtlsClientCertificate()) {
+        mtlsKeyStore = mtlsProvider.getKeyStore();
+        mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
+      }
+
+      // Use the included trust store
+      KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
+      SSLContext sslContext = SslUtils.getTlsSslContext();
+
+      if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
+        this.isMtls = true;
+        SslUtils.initSslContext(
+            sslContext,
+            trustStore,
+            SslUtils.getPkixTrustManagerFactory(),
+            mtlsKeyStore,
+            mtlsKeyStorePassword,
+            SslUtils.getDefaultKeyManagerFactory());
+      } else {
+        this.isMtls = false;
+        SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+      }
+      LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
+
+      this.socketFactoryRegistry =
+          RegistryBuilder.<ConnectionSocketFactory>create()
+              .register("http", PlainConnectionSocketFactory.getSocketFactory())
+              .register("https", socketFactory)
+              .build();
+    }
+
+    public Registry<ConnectionSocketFactory> getSocketFactoryRegistry() {
+      return this.socketFactoryRegistry;
+    }
+
+    public boolean isMtls() {
+      return this.isMtls;
+    }
+  }
+
+  private GoogleApache5HttpTransport() {}
+}
diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/package-info.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/package-info.java
new file mode 100644
index 000000000..25faf0191
--- /dev/null
+++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+/**
+ * Google APIs support based on the Apache HTTP Client v5.
+ *
+ * @since 1.31
+ */
+package com.google.api.client.googleapis.apache.v5;
diff --git a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransportTest.java b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransportTest.java
new file mode 100644
index 000000000..a7d59c51e
--- /dev/null
+++ b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransportTest.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.api.client.googleapis.apache.v5;
+
+import com.google.api.client.googleapis.mtls.MtlsProvider;
+import com.google.api.client.googleapis.mtls.MtlsTransportBaseTest;
+import com.google.api.client.http.HttpTransport;
+import org.junit.Test;
+
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.junit.Assert.*;
+
+public class GoogleApache5HttpTransportTest extends MtlsTransportBaseTest {
+  @Override
+  protected HttpTransport buildTrustedTransport(MtlsProvider mtlsProvider)
+      throws GeneralSecurityException, IOException {
+    return GoogleApache5HttpTransport.newTrustedTransport(mtlsProvider);
+  }
+
+  @Test
+  public void socketFactoryRegistryHandlerTest() throws GeneralSecurityException, IOException {
+    MtlsProvider mtlsProvider = new TestMtlsProvider(true, createTestMtlsKeyStore(), "", false);
+    GoogleApache5HttpTransport.SocketFactoryRegistryHandler handler = new GoogleApache5HttpTransport.SocketFactoryRegistryHandler(mtlsProvider);
+    assertNotNull(handler.getSocketFactoryRegistry().lookup("http"));
+    assertNotNull(handler.getSocketFactoryRegistry().lookup("https"));
+    assertTrue(handler.isMtls());
+  }
+}
diff --git a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java
new file mode 100644
index 000000000..e45c55e47
--- /dev/null
+++ b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java
@@ -0,0 +1,50 @@
+package com.google.api.client.googleapis.apache.v5;
+
+import com.google.api.client.http.apache.v5.Apache5HttpTransport;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.junit.Test;
+import javax.net.ssl.SSLHandshakeException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.fail;
+
+public class ITGoogleApache5HttpTransportTest {
+
+  @Test
+  public void testHttpRequestFailsWhenMakingRequestToNonGoogleSite()
+      throws GeneralSecurityException, IOException {
+    Apache5HttpTransport apache5HttpTransport = GoogleApache5HttpTransport.newTrustedTransport();
+    HttpGet httpGet = new HttpGet("https://www.bing.com/");
+
+    assertThrows(
+        SSLHandshakeException.class,
+        () ->
+            apache5HttpTransport
+                .getHttpClient()
+                .execute(
+                    httpGet,
+                    response -> {
+                      fail(
+                          "Should not have been able to complete SSL request to site without google certificates.");
+                      return null;
+                    }));
+  }
+
+  @Test
+  public void testHttpRequestPassesWhenMakingRequestToGoogleSite() throws Exception {
+    Apache5HttpTransport apache5HttpTransport = GoogleApache5HttpTransport.newTrustedTransport();
+    HttpGet httpGet = new HttpGet("https://www.google.com/");
+
+    apache5HttpTransport
+        .getHttpClient()
+        .execute(
+            httpGet,
+            response -> {
+              assertEquals(200, response.getCode());
+              return null;
+            });
+  }
+}
diff --git a/google-api-client/pom.xml b/google-api-client/pom.xml
index 8d73dbad4..d42452c6d 100644
--- a/google-api-client/pom.xml
+++ b/google-api-client/pom.xml
@@ -87,6 +87,18 @@
               <goal>jar</goal>
             </goals>
           </execution>
+          <execution>
+            <id>Jar Tests Package</id>
+            <phase>package</phase>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+            <configuration>
+              <includes>
+                <include>**/Mtls/**</include>
+              </includes>
+            </configuration>
+          </execution>
         </executions>
       </plugin>
       <plugin>
diff --git a/google-api-client/src/test/java/com/google/api/client/googleapis/mtls/MtlsTransportBaseTest.java b/google-api-client/src/test/java/com/google/api/client/googleapis/mtls/MtlsTransportBaseTest.java
index 096ff4abf..86b1a77a2 100644
--- a/google-api-client/src/test/java/com/google/api/client/googleapis/mtls/MtlsTransportBaseTest.java
+++ b/google-api-client/src/test/java/com/google/api/client/googleapis/mtls/MtlsTransportBaseTest.java
@@ -35,11 +35,11 @@ protected KeyStore createTestMtlsKeyStore() throws IOException, GeneralSecurityE
     return SecurityUtils.createMtlsKeyStore(certAndKey);
   }
 
-  protected static class TestMtlsProvider implements MtlsProvider {
-    private boolean useClientCertificate;
-    private KeyStore keyStore;
-    private String keyStorePassword;
-    private boolean throwExceptionForGetKeyStore;
+    public static class TestMtlsProvider implements MtlsProvider {
+    private final boolean useClientCertificate;
+    private final KeyStore keyStore;
+    private final String keyStorePassword;
+    private final boolean throwExceptionForGetKeyStore;
 
     public TestMtlsProvider(
         boolean useClientCertificate,
diff --git a/pom.xml b/pom.xml
index 1d332f0f5..a7d286989 100644
--- a/pom.xml
+++ b/pom.xml
@@ -80,6 +80,7 @@
     <module>google-api-client-jackson2</module>
     <module>google-api-client-protobuf</module>
     <module>google-api-client-xml</module>
+    <module>google-api-client-apache-v5</module>
   </modules>
 
   <pluginRepositories>