Change from Apache Http Client to Reactor Netty.

Provide followRedirect to remove Authorization.

Fixes spring-attic#5989

Author: Corneil du Plessis

spring-cloud-dataflow-configuration-metadata/pom.xml

@@ -35,6 +35,10 @@
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>io.projectreactor.netty</groupId>
+			<artifactId>reactor-netty</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>

spring-cloud-dataflow-configuration-metadata/src/test/java/org/springframework/cloud/dataflow/container/registry/authorization/DropAuthorizationHeaderOnInsecureS3RequestRedirectStrategyTest.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2020-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.dataflow.container.registry.authorization;
+
+import java.util.Collections;
+import java.util.Map;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtensionContext;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.test.autoconfigure.web.client.AutoConfigureWebClient;
+import org.springframework.cloud.dataflow.configuration.metadata.ApplicationConfigurationMetadataResolverAutoConfiguration;
+import org.springframework.cloud.dataflow.configuration.metadata.container.DefaultContainerImageMetadataResolver;
+import org.springframework.cloud.dataflow.container.registry.ContainerRegistryAutoConfiguration;
+import org.springframework.cloud.dataflow.container.registry.ContainerRegistryConfiguration;
+import org.springframework.cloud.dataflow.container.registry.ContainerRegistryProperties;
+import org.springframework.cloud.dataflow.container.registry.authorization.support.S3SignedRedirectRequestServerApplication;
+import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.context.annotation.AnnotationConfigApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Primary;
+import org.springframework.test.util.TestSocketUtils;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.entry;
+
+/**
+ * @author Adam J. Weigold
+ * @author Corneil du Plessis
+ */
+//TODO: Boot3x followup
+@Disabled("TODO: Netty HttpClient configuration for both http and https required")
+public class DropAuthorizationHeaderOnInsecureS3RequestRedirectStrategyTest {
+	private final static Logger logger = LoggerFactory.getLogger(DropAuthorizationHeaderOnInsecureS3RequestRedirectStrategyTest.class);
+	private AnnotationConfigApplicationContext context;
+	private ConfigurableApplicationContext application;
+	private static int serverPort;
+	@BeforeEach
+	void setup() {
+			 serverPort = TestSocketUtils.findAvailableTcpPort();
+
+			logger.info("Setting S3 Signed Redirect Server port to " + serverPort);
+
+			this.application = new SpringApplicationBuilder(S3SignedRedirectRequestServerApplication.class).build()
+				.run("--server.port=" + serverPort);
+			logger.info("S3 Signed Redirect Server Server is UP! at " + serverPort);
+	}
+	@AfterEach
+	void clean() {
+		if (context != null) {
+			context.close();
+		}
+		context = null;
+	}
+
+	@Test
+	void redirect() {
+		context = new AnnotationConfigApplicationContext(TestApplication.class);
+
+		final DefaultContainerImageMetadataResolver imageMetadataResolver =
+			context.getBean(DefaultContainerImageMetadataResolver.class);
+
+		Map<String, String> imageLabels = imageMetadataResolver.getImageLabels("localhost:" +
+			serverPort + "/test/s3-redirect-image:1.0.0");
+
+		assertThat(imageLabels).containsOnly(entry("foo", "bar"));
+	}
+
+	@Import({ContainerRegistryAutoConfiguration.class, ApplicationConfigurationMetadataResolverAutoConfiguration.class})
+	@AutoConfigureWebClient
+	static class TestApplication {
+		@Bean
+		@Primary
+		ContainerRegistryProperties containerRegistryProperties() {
+			ContainerRegistryProperties properties = new ContainerRegistryProperties();
+			ContainerRegistryConfiguration registryConfiguration = new ContainerRegistryConfiguration();
+			registryConfiguration.setRegistryHost(String.format("localhost:%s", serverPort));
+			registryConfiguration.setAuthorizationType(ContainerRegistryConfiguration.AuthorizationType.dockeroauth2);
+			registryConfiguration.setUser("admin");
+			registryConfiguration.setSecret("Harbor12345");
+			registryConfiguration.setDisableSslVerification(true);
+			registryConfiguration.setExtra(Collections.singletonMap(
+				DockerOAuth2RegistryAuthorizer.DOCKER_REGISTRY_AUTH_URI_KEY,
+				"http://localhost:" + serverPort + "/service/token"));
+			properties.setRegistryConfigurations(Collections.singletonMap("goharbor", registryConfiguration));
+
+			return properties;
+		}
+	}
+}

spring-cloud-dataflow-configuration-metadata/src/test/java/org/springframework/cloud/dataflow/container/registry/authorization/DropAuthorizationHeaderOnSignedS3RequestRedirectStrategyTest.java

@@ -42,8 +42,6 @@
  * @author Adam J. Weigold
  * @author Corneil du Plessis
  */
-//TODO: Boot3x followup
-@Disabled("TODO: Boot3x `org.springframework.web.client.HttpClientErrorException$BadRequest: 400 : [no body]` is thrown by REST Template")
 public class DropAuthorizationHeaderOnSignedS3RequestRedirectStrategyTest {
 	@RegisterExtension
 	public final static S3SignedRedirectRequestServerResource s3SignedRedirectRequestServerResource =

spring-cloud-dataflow-container-registry/pom.xml

@@ -42,6 +42,10 @@
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>io.projectreactor.netty</groupId>
+			<artifactId>reactor-netty</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>

spring-cloud-dataflow-container-registry/src/main/java/org/springframework/cloud/dataflow/container/registry/ContainerImageRestTemplateFactory.java

@@ -16,36 +16,26 @@
 
 package org.springframework.cloud.dataflow.container.registry;
 
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.ConcurrentHashMap;
 
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
-
-import org.apache.hc.client5.http.config.RequestConfig;
-import org.apache.hc.client5.http.cookie.StandardCookieSpec;
-import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
-import org.apache.hc.client5.http.impl.classic.HttpClients;
-import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
-import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
-import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.core5.http.HttpHost;
-import org.apache.hc.core5.http.config.Lookup;
-import org.apache.hc.core5.http.config.RegistryBuilder;
+import javax.net.ssl.SSLException;
+
+import io.netty.handler.codec.http.HttpHeaders;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import reactor.netty.http.Http11SslContextSpec;
+import reactor.netty.http.client.HttpClient;
+import reactor.netty.transport.ProxyProvider;
 
 import org.springframework.boot.web.client.RestTemplateBuilder;
-import org.springframework.cloud.dataflow.container.registry.authorization.DropAuthorizationHeaderRequestRedirectStrategy;
 import org.springframework.http.MediaType;
-import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.http.client.ClientHttpRequestFactory;
+import org.springframework.http.client.ReactorNettyClientRequestFactory;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.web.client.RestTemplate;
 
@@ -153,67 +143,50 @@ public RestTemplate getContainerRestTemplate(boolean skipSslVerification, boolea
 		}
 	}
 
-	private RestTemplate createContainerRestTemplate(boolean skipSslVerification, boolean withHttpProxy, Map<String, String> extra)
-			throws NoSuchAlgorithmException, KeyManagementException {
+	private RestTemplate createContainerRestTemplate(boolean skipSslVerification, boolean withHttpProxy, Map<String, String> extra) {
+		HttpClient client = httpClientBuilder(skipSslVerification);
+		return initRestTemplate(client, withHttpProxy, extra);
+	}
 
-		if (!skipSslVerification) {
-			// Create a RestTemplate that uses custom request factory
-			return this.initRestTemplate(HttpClients.custom(), withHttpProxy, extra);
+	private static void removeAuthorization(HttpHeaders headers) {
+		for(Map.Entry<String,String> entry: headers.entries()) {
+			if(entry.getKey().equalsIgnoreCase(org.springframework.http.HttpHeaders.AUTHORIZATION)) {
+				headers.remove(entry.getKey());
+				break;
+			}
 		}
-
-		// Trust manager that blindly trusts all SSL certificates.
-		TrustManager[] trustAllCerts = new TrustManager[] {
-				new X509TrustManager() {
-					public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-						return new X509Certificate[0];
-					}
-
-					public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
-					}
-
-					public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
-					}
-				}
-		};
-		SSLContext sslContext = SSLContext.getInstance("SSL");
-		// Install trust manager to SSL Context.
-		sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
-
-		// Create a RestTemplate that uses custom request factory
-		return initRestTemplate(
-				httpClientBuilder(sslContext),
-				withHttpProxy,
-				extra);
-	}
-	private HttpClientBuilder httpClientBuilder(SSLContext sslContext) {
-		// Register http/s connection factories
-		Lookup<ConnectionSocketFactory> connSocketFactoryLookup = RegistryBuilder.<ConnectionSocketFactory> create()
-			.register("https", new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE))
-			.register("http", new PlainConnectionSocketFactory())
-			.build();
-		return HttpClients.custom()
-			.setConnectionManager(new BasicHttpClientConnectionManager(connSocketFactoryLookup));
 	}
-	private RestTemplate initRestTemplate(HttpClientBuilder clientBuilder, boolean withHttpProxy, Map<String, String> extra) {
 
-		clientBuilder.setDefaultRequestConfig(RequestConfig.custom().setCookieSpec(StandardCookieSpec.RELAXED).build());
+	private HttpClient httpClientBuilder(boolean skipSslVerification) {
+
+        try {
+			SslContextBuilder builder = skipSslVerification ? SslContextBuilder.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE) : SslContextBuilder.forClient();
+			SslContext sslContext = builder.build();
+			HttpClient client = HttpClient.create().secure(sslContextSpec -> sslContextSpec.sslContext(sslContext));
+
+			return client.followRedirect(true, (entries, httpClientRequest) -> {
+						HttpHeaders httpHeaders = httpClientRequest.requestHeaders();
+						removeAuthorization(httpHeaders);
+						removeAuthorization(entries);
+						httpClientRequest.headers(httpHeaders);
+					});
+        } catch (SSLException e) {
+            throw new RuntimeException(e);
+        }
+
+	}
+	private RestTemplate initRestTemplate(HttpClient client, boolean withHttpProxy, Map<String, String> extra) {
 
 		// Set the HTTP proxy if configured.
 		if (withHttpProxy) {
 			if (!properties.getHttpProxy().isEnabled()) {
 				throw new ContainerRegistryException("Registry Configuration uses a HttpProxy but non is configured!");
 			}
-			HttpHost proxy = new HttpHost(properties.getHttpProxy().getHost(), properties.getHttpProxy().getPort());
-			clientBuilder.setProxy(proxy);
+			ProxyProvider.Builder builder = ProxyProvider.builder().type(ProxyProvider.Proxy.HTTP).host(properties.getHttpProxy().getHost()).port(properties.getHttpProxy().getPort());
+			client.proxy(typeSpec -> builder.build());
 		}
-
-		HttpComponentsClientHttpRequestFactory customRequestFactory =
-				new HttpComponentsClientHttpRequestFactory(
-						clientBuilder
-								.setRedirectStrategy(new DropAuthorizationHeaderRequestRedirectStrategy(extra))
-								// Azure redirects may contain double slashes and on default those are normilised
-								.setDefaultRequestConfig(RequestConfig.custom().build())
-								.build());
+		// TODO what do we do with extra?
+		ClientHttpRequestFactory customRequestFactory = new ReactorNettyClientRequestFactory(client);
 
 		// DockerHub response's media-type is application/octet-stream although the content is in JSON.
 		// Similarly the Github CR response's media-type is always text/plain although the content is in JSON.