use IDEA certificate manager when connecting to the cluster (#600)

Signed-off-by: Andre Dietisheim <[email protected]>

Author: adietish

build.gradle

@@ -60,7 +60,8 @@ dependencies {
             "io.fabric8:kubernetes-model-common:${kubernetesClientVersion}",
             "io.fabric8:openshift-client:${kubernetesClientVersion}",
             "io.fabric8:kubernetes-httpclient-okhttp:${kubernetesClientVersion}",
-            "org.apache.commons:commons-lang3:3.12.0"
+            "org.apache.commons:commons-lang3:3.12.0",
+            "io.github.hakky54:sslcontext-kickstart:8.0.0"
     )
     testImplementation(
             "org.assertj:assertj-core:3.22.0",

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/client/ClientAdapter.kt

@@ -10,20 +10,29 @@
  ******************************************************************************/
 package com.redhat.devtools.intellij.kubernetes.model.client
 
+import com.intellij.openapi.diagnostic.logger
 import com.intellij.util.net.ssl.CertificateManager
+import com.intellij.util.net.ssl.ConfirmingTrustManager
 import com.redhat.devtools.intellij.kubernetes.model.util.isUnauthorized
 import io.fabric8.kubernetes.client.Client
 import io.fabric8.kubernetes.client.Config
 import io.fabric8.kubernetes.client.KubernetesClient
 import io.fabric8.kubernetes.client.KubernetesClientBuilder
 import io.fabric8.kubernetes.client.KubernetesClientException
+import io.fabric8.kubernetes.client.http.HttpClient
 import io.fabric8.kubernetes.client.impl.AppsAPIGroupClient
 import io.fabric8.kubernetes.client.impl.BatchAPIGroupClient
 import io.fabric8.kubernetes.client.impl.NetworkAPIGroupClient
 import io.fabric8.kubernetes.client.impl.StorageAPIGroupClient
+import io.fabric8.kubernetes.client.internal.SSLUtils
 import io.fabric8.openshift.client.NamespacedOpenShiftClient
 import io.fabric8.openshift.client.OpenShiftClient
 import java.util.concurrent.ConcurrentHashMap
+import javax.net.ssl.X509ExtendedTrustManager
+import javax.net.ssl.X509TrustManager
+import nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager
+import nl.altindag.ssl.util.TrustManagerUtils
+import org.apache.commons.lang3.reflect.FieldUtils
 
 open class OSClientAdapter(client: OpenShiftClient, private val kubeClient: KubernetesClient) :
     ClientAdapter<OpenShiftClient>(client) {
@@ -55,14 +64,16 @@ abstract class ClientAdapter<C: KubernetesClient>(private val fabric8Client: C)
     companion object Factory {
         fun create(namespace: String? = null, context: String? = null): ClientAdapter<out KubernetesClient> {
             val config = Config.autoConfigure(context)
-            setAcceptCertificates(config)
             return create(namespace, config)
         }
 
         fun create(namespace: String? = null, config: Config): ClientAdapter<out KubernetesClient> {
             setNamespace(namespace, config)
             val kubeClient = KubernetesClientBuilder()
                 .withConfig(config)
+                .withHttpClientBuilderConsumer { builder ->
+                    setSslContext(builder, config)
+                }
                 .build()
             val osClient = kubeClient.adapt(NamespacedOpenShiftClient::class.java)
             val isOpenShift = isOpenShift(osClient)
@@ -73,10 +84,74 @@ abstract class ClientAdapter<C: KubernetesClient>(private val fabric8Client: C)
             }
         }
 
-        private fun setAcceptCertificates(config: Config) {
-            val manager = CertificateManager.getInstance().state;
-            config.isTrustCerts = manager.ACCEPT_AUTOMATICALLY
-            config.isDisableHostnameVerification = manager.ACCEPT_AUTOMATICALLY
+        private fun setSslContext(builder: HttpClient.Builder, config: Config) {
+            val clientTrustManagers = SSLUtils.trustManagers(config)
+                .filterIsInstance<X509ExtendedTrustManager>()
+                .toTypedArray()
+            val ideTrustManager = configureIdeTrustManager(clientTrustManagers)
+            builder.sslContext(SSLUtils.keyManagers(config), arrayOf(ideTrustManager))
+        }
+
+        private fun configureIdeTrustManager(clientTrustManagers: Array<X509ExtendedTrustManager>): ConfirmingTrustManager {
+            val ideTrustManager = CertificateManager.getInstance().trustManager
+            try {
+                // < IC-2022.2
+                if (!setCompositeManager(clientTrustManagers, ideTrustManager)) {
+                    // >= IC-2022.2
+                    addCompositeManager(clientTrustManagers, ideTrustManager)
+                }
+            } catch (e: RuntimeException) {
+                logger<ClientAdapter<*>>().warn("Could not configure IDEA trust manager.", e)
+            }
+            return ideTrustManager
+        }
+
+        private fun setCompositeManager(
+            clientTrustManagers: Array<X509ExtendedTrustManager>,
+            ideTrustManager: ConfirmingTrustManager
+        ): Boolean {
+            val systemManagerField = FieldUtils.getDeclaredField(
+                ideTrustManager::class.java, "mySystemManager", true) ?: return false
+            val systemManager = systemManagerField.get(ideTrustManager) as? X509ExtendedTrustManager ?: return false
+            val compositeTrustManager = createCompositeTrustManager(systemManager, clientTrustManagers)
+            systemManagerField.set(ideTrustManager, compositeTrustManager)
+            return true
+        }
+
+        private fun addCompositeManager(
+            clientTrustManagers: Array<X509ExtendedTrustManager>,
+            ideTrustManager: ConfirmingTrustManager
+        ) {
+                val systemManagersField =
+                    FieldUtils.getDeclaredField(ideTrustManager::class.java, "mySystemManagers", true)
+                val managers =
+                    systemManagersField.get(ideTrustManager) as? MutableList<X509TrustManager> ?: return
+                val nonCompositeManagers = managers.filter { it !is CompositeX509ExtendedTrustManager }
+                val clientTrustManager = CompositeX509ExtendedTrustManager(clientTrustManagers.asList())
+                managers.clear()
+                managers.addAll(nonCompositeManagers)
+                managers.add(clientTrustManager)
+        }
+
+        private fun createCompositeTrustManager(
+            systemManager: X509ExtendedTrustManager,
+            clientTrustManagers: Array<X509ExtendedTrustManager>
+        ): X509ExtendedTrustManager {
+            val compositeTrustManager = if (systemManager is CompositeX509ExtendedTrustManager
+            ) {
+                // already patched CertificateManager, re-create composite manager
+                TrustManagerUtils.trustManagerBuilder()
+                    .withTrustManager(systemManager.innerTrustManagers[0])
+                    .withTrustManagers(*clientTrustManagers)
+                    .build()
+            } else {
+                // 1st time we patch CertificateManager, create composite manager
+                TrustManagerUtils.trustManagerBuilder()
+                    .withTrustManager(systemManager)
+                    .withTrustManagers(*clientTrustManagers)
+                    .build()
+            }
+            return compositeTrustManager
         }
 
         private fun isOpenShift(osClient: NamespacedOpenShiftClient): Boolean {