use IDEA certificate manager when connecting to the cluster (#600)

Signed-off-by: Andre Dietisheim <[email protected]>

Author: adietish

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/AllContexts.kt

@@ -77,7 +77,11 @@ open class AllContexts(
 	private val contextFactory: (ClientAdapter<out KubernetesClient>, IResourceModelObservable) -> IActiveContext<out HasMetadata, out KubernetesClient>? =
 		IActiveContext.Factory::create,
 	private val modelChange: IResourceModelObservable,
-	private val clientFactory: (String?, String?) -> ClientAdapter<out KubernetesClient> = ClientAdapter.Factory::create
+	private val clientFactory: (
+		namespace: String?,
+		context: String?
+	) -> ClientAdapter<out KubernetesClient>
+	= { namespace, context -> ClientAdapter.Factory.create(namespace, context) }
 ) : IAllContexts {
 
 	init {

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/ProcessWatches.kt

@@ -35,7 +35,10 @@ import java.io.IOException
 import java.io.OutputStream
 import java.util.concurrent.ConcurrentHashMap
 
-open class ProcessWatches(private val clientFactory: (String?, String?) -> ClientAdapter<out KubernetesClient> = ClientAdapter.Factory::create) {
+open class ProcessWatches(
+    private val clientFactory: (String?, String?) -> ClientAdapter<out KubernetesClient>
+    = { namespace: String?, context: String? -> ClientAdapter.Factory.create(namespace, context) }
+) {
 
     @Suppress("UNCHECKED_CAST")
     protected open val operators: Map<ResourceKind<out HasMetadata>, OperatorSpecs> = mapOf(

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/client/ClientAdapter.kt

@@ -10,20 +10,24 @@
  ******************************************************************************/
 package com.redhat.devtools.intellij.kubernetes.model.client
 
-import com.intellij.util.net.ssl.CertificateManager
+import com.redhat.devtools.intellij.kubernetes.model.client.ssl.IDEATrustManager
 import com.redhat.devtools.intellij.kubernetes.model.util.isUnauthorized
 import io.fabric8.kubernetes.client.Client
 import io.fabric8.kubernetes.client.Config
 import io.fabric8.kubernetes.client.KubernetesClient
 import io.fabric8.kubernetes.client.KubernetesClientBuilder
 import io.fabric8.kubernetes.client.KubernetesClientException
+import io.fabric8.kubernetes.client.http.HttpClient
 import io.fabric8.kubernetes.client.impl.AppsAPIGroupClient
 import io.fabric8.kubernetes.client.impl.BatchAPIGroupClient
 import io.fabric8.kubernetes.client.impl.NetworkAPIGroupClient
 import io.fabric8.kubernetes.client.impl.StorageAPIGroupClient
+import io.fabric8.kubernetes.client.internal.SSLUtils
 import io.fabric8.openshift.client.NamespacedOpenShiftClient
 import io.fabric8.openshift.client.OpenShiftClient
 import java.util.concurrent.ConcurrentHashMap
+import javax.net.ssl.X509ExtendedTrustManager
+import javax.net.ssl.X509TrustManager
 
 open class OSClientAdapter(client: OpenShiftClient, private val kubeClient: KubernetesClient) :
     ClientAdapter<OpenShiftClient>(client) {
@@ -50,19 +54,31 @@ open class KubeClientAdapter(client: KubernetesClient) :
     }
 }
 
-abstract class ClientAdapter<C: KubernetesClient>(private val fabric8Client: C) {
+abstract class ClientAdapter<C : KubernetesClient>(private val fabric8Client: C) {
 
     companion object Factory {
-        fun create(namespace: String? = null, context: String? = null): ClientAdapter<out KubernetesClient> {
+        fun create(
+            namespace: String? = null,
+            context: String? = null,
+            trustManagerProvider: ((toIntegrate: Array<out X509ExtendedTrustManager>) -> X509TrustManager)
+            = IDEATrustManager()::configure
+        ): ClientAdapter<out KubernetesClient> {
             val config = Config.autoConfigure(context)
-            setAcceptCertificates(config)
-            return create(namespace, config)
+            return create(namespace, config, trustManagerProvider)
         }
 
-        fun create(namespace: String? = null, config: Config): ClientAdapter<out KubernetesClient> {
+        fun create(
+            namespace: String? = null,
+            config: Config,
+            externalTrustManagerProvider: (toIntegrate: Array<out X509ExtendedTrustManager>) -> X509TrustManager
+            = IDEATrustManager()::configure
+        ): ClientAdapter<out KubernetesClient> {
             setNamespace(namespace, config)
             val kubeClient = KubernetesClientBuilder()
                 .withConfig(config)
+                .withHttpClientBuilderConsumer { builder ->
+                    setSslContext(builder, config, externalTrustManagerProvider)
+                }
                 .build()
             val osClient = kubeClient.adapt(NamespacedOpenShiftClient::class.java)
             val isOpenShift = isOpenShift(osClient)
@@ -73,10 +89,16 @@ abstract class ClientAdapter<C: KubernetesClient>(private val fabric8Client: C)
             }
         }
 
-        private fun setAcceptCertificates(config: Config) {
-            val manager = CertificateManager.getInstance().state;
-            config.isTrustCerts = manager.ACCEPT_AUTOMATICALLY
-            config.isDisableHostnameVerification = manager.ACCEPT_AUTOMATICALLY
+        private fun setSslContext(
+            builder: HttpClient.Builder,
+            config: Config,
+            externalTrustManagerProvider: (toIntegrate: Array<out X509ExtendedTrustManager>) -> X509TrustManager
+        ) {
+            val clientTrustManagers = SSLUtils.trustManagers(config)
+                .filterIsInstance<X509ExtendedTrustManager>()
+                .toTypedArray()
+            val externalTrustManager = externalTrustManagerProvider.invoke(clientTrustManagers)
+            builder.sslContext(SSLUtils.keyManagers(config), arrayOf(externalTrustManager))
         }
 
         private fun isOpenShift(osClient: NamespacedOpenShiftClient): Boolean {

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/client/ssl/CompositeX509ExtendedTrustManager.kt

@@ -0,0 +1,129 @@
+/*******************************************************************************
+ * Copyright (c) 2023 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Based on nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager at https://github.com/Hakky54/sslcontext-kickstart
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+
+package com.redhat.devtools.intellij.kubernetes.model.client.ssl
+
+import java.net.Socket
+import java.security.cert.CertificateException
+import java.security.cert.X509Certificate
+import java.util.*
+import java.util.function.Consumer
+import javax.net.ssl.SSLEngine
+import javax.net.ssl.X509ExtendedTrustManager
+
+class CompositeX509ExtendedTrustManager(trustManagers: List<X509ExtendedTrustManager>): X509ExtendedTrustManager() {
+
+    companion object {
+        private const val CERTIFICATE_EXCEPTION_MESSAGE = "None of the TrustManagers trust this certificate chain"
+    }
+
+    val innerTrustManagers: List<X509ExtendedTrustManager>
+    private val acceptedIssuers: Array<X509Certificate>
+
+    init {
+        innerTrustManagers = Collections.unmodifiableList(trustManagers)
+        acceptedIssuers = trustManagers.stream()
+            .map { obj: X509ExtendedTrustManager -> obj.acceptedIssuers }
+            .flatMap { array: Array<X509Certificate> ->
+                Arrays.stream(array)
+            }
+            .toArray { length -> arrayOfNulls<X509Certificate>(length) }
+    }
+
+    override fun getAcceptedIssuers(): Array<X509Certificate> {
+        return Arrays.copyOf(acceptedIssuers, acceptedIssuers.size)
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {
+        checkTrusted { trustManager: X509ExtendedTrustManager ->
+            trustManager.checkClientTrusted(
+                chain,
+                authType
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String, socket: Socket) {
+        checkTrusted { trustManager: X509ExtendedTrustManager ->
+            trustManager.checkClientTrusted(
+                chain,
+                authType,
+                socket
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String, sslEngine: SSLEngine) {
+        checkTrusted { trustManager: X509ExtendedTrustManager ->
+            trustManager.checkClientTrusted(
+                chain,
+                authType,
+                sslEngine
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {
+        checkTrusted{ trustManager: X509ExtendedTrustManager ->
+            trustManager.checkServerTrusted(
+                chain,
+                authType
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String, socket: Socket) {
+        checkTrusted{ trustManager: X509ExtendedTrustManager ->
+            trustManager.checkServerTrusted(
+                chain,
+                authType,
+                socket
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String, sslEngine: SSLEngine) {
+        checkTrusted { trustManager: X509ExtendedTrustManager ->
+            trustManager.checkServerTrusted(
+                chain,
+                authType,
+                sslEngine
+            )
+        }
+    }
+
+    @Throws(CertificateException::class)
+    private fun checkTrusted(consumer: (trustManager: X509ExtendedTrustManager) -> Unit) {
+        val certificateExceptions: MutableList<CertificateException> = ArrayList()
+        for (trustManager in innerTrustManagers) {
+            try {
+                consumer.invoke(trustManager)
+                return
+            } catch (e: CertificateException) {
+                certificateExceptions.add(e)
+            }
+        }
+        val certificateException = CertificateException(CERTIFICATE_EXCEPTION_MESSAGE)
+        certificateExceptions.forEach(Consumer { exception: CertificateException? ->
+            certificateException.addSuppressed(
+                exception
+            )
+        })
+        throw certificateException
+    }
+}

src/main/kotlin/com/redhat/devtools/intellij/kubernetes/model/client/ssl/IDEATrustManager.kt

@@ -0,0 +1,93 @@
+/*******************************************************************************
+ * Copyright (c) 2023 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+package com.redhat.devtools.intellij.kubernetes.model.client.ssl
+
+import com.intellij.openapi.diagnostic.logger
+import com.intellij.util.net.ssl.CertificateManager
+import com.intellij.util.net.ssl.ConfirmingTrustManager
+import javax.net.ssl.X509ExtendedTrustManager
+import javax.net.ssl.X509TrustManager
+import org.apache.commons.lang3.reflect.FieldUtils
+
+class IDEATrustManager(private val trustManager: X509TrustManager = CertificateManager.getInstance().trustManager) {
+
+    fun configure(toIntegrate: Array<out X509ExtendedTrustManager>): X509TrustManager {
+        try {
+            if (hasSystemManagerField()) {
+                // < IC-2022.2
+                setCompositeManager(toIntegrate, trustManager)
+            } else {
+                // >= IC-2022.2
+                addCompositeManager(toIntegrate, trustManager)
+            }
+        } catch (e: RuntimeException) {
+            logger<IDEATrustManager>().warn("Could not configure IDEA trust manager.", e)
+        }
+        return trustManager
+    }
+
+    /**
+     * Returns `true` if [ConfirmingTrustManager] has a private field `mySystemManager`.
+     * Returns `false` otherwise.
+     * IDEA < IC-2022.2 manages a single [X509TrustManager] in a private field called `mySystemManager`.
+     * IDEA >= IC-2022.2 manages a list of [X509TrustManager]s in a private list called `mySystemManagers`.
+     */
+    private fun hasSystemManagerField(): Boolean {
+        return FieldUtils.getDeclaredField(
+            ConfirmingTrustManager::class.java, "mySystemManager", true) != null
+    }
+
+    private fun setCompositeManager(
+        clientTrustManagers: Array<out X509ExtendedTrustManager>,
+        ideTrustManager: X509TrustManager
+    ): Boolean {
+        val systemManagerField = FieldUtils.getDeclaredField(
+            ConfirmingTrustManager::class.java, "mySystemManager", true) ?: return false
+        val systemManager = systemManagerField.get(ideTrustManager) as? X509ExtendedTrustManager ?: return false
+        val compositeTrustManager = createCompositeTrustManager(systemManager, clientTrustManagers)
+        systemManagerField.set(ideTrustManager, compositeTrustManager)
+        return true
+    }
+
+    private fun addCompositeManager(
+        clientTrustManagers: Array<out X509ExtendedTrustManager>,
+        ideTrustManager: X509TrustManager
+    ) {
+        val systemManagersField = FieldUtils.getDeclaredField(
+            ideTrustManager::class.java,
+            "mySystemManagers",
+            true
+        )
+        val managers = systemManagersField.get(ideTrustManager) as? MutableList<X509TrustManager> ?: return
+        val nonCompositeManagers = managers.filterNot { it is CompositeX509ExtendedTrustManager }
+        val clientTrustManager = CompositeX509ExtendedTrustManager(clientTrustManagers.asList())
+        managers.clear()
+        managers.addAll(nonCompositeManagers)
+        managers.add(clientTrustManager)
+    }
+
+    private fun createCompositeTrustManager(
+        systemManager: X509ExtendedTrustManager,
+        clientTrustManagers: Array<out X509ExtendedTrustManager>
+    ): X509ExtendedTrustManager {
+        val trustManagers = if (systemManager is CompositeX509ExtendedTrustManager) {
+            // already patched CertificateManager, re-create composite manager
+            mutableListOf(systemManager.innerTrustManagers[0])
+                .plus(clientTrustManagers)
+        } else {
+            // 1st time we patch CertificateManager, create composite manager
+            mutableListOf(systemManager)
+                .plus(clientTrustManagers)
+        }
+        return CompositeX509ExtendedTrustManager(trustManagers)
+    }
+
+}

src/test/kotlin/com/redhat/devtools/intellij/kubernetes/model/client/ClientAdapterTest.kt

@@ -10,18 +10,32 @@
  ******************************************************************************/
 package com.redhat.devtools.intellij.kubernetes.model.client
 
+import com.nhaarman.mockitokotlin2.any
 import com.nhaarman.mockitokotlin2.doReturn
 import com.nhaarman.mockitokotlin2.mock
 import com.nhaarman.mockitokotlin2.verify
 import com.redhat.devtools.intellij.kubernetes.model.mocks.ClientMocks.config
 import com.redhat.devtools.intellij.kubernetes.model.mocks.ClientMocks.namedContext
 import io.fabric8.kubernetes.client.NamespacedKubernetesClient
 import io.fabric8.kubernetes.client.impl.AppsAPIGroupClient
+import java.security.cert.X509Certificate
+import javax.net.ssl.X509ExtendedTrustManager
+import javax.net.ssl.X509TrustManager
 import org.assertj.core.api.Assertions.assertThat
 import org.junit.Test
 
 class ClientAdapterTest {
 
+    private val certificate: X509Certificate = mock {
+        on { subjectX500Principal } doReturn mock()
+    }
+    private val trustManager: X509TrustManager = mock {
+        on { acceptedIssuers } doReturn arrayOf(certificate)
+    }
+    private val trustManagerProvider: (toIntegrate: Array<out X509ExtendedTrustManager>) -> X509TrustManager = mock() {
+        on { invoke(any()) } doReturn trustManager
+    }
+
     @Test
     fun `#isOpenShift should return true if has OpenShiftClient`() {
         // given
@@ -101,10 +115,20 @@ class ClientAdapterTest {
         val ctx2 = namedContext("Death Start", "Navy Garrison", "Empire", "Darh Vader" )
         val config = config(ctx1, listOf(ctx1, ctx2))
         // when
-        ClientAdapter.Factory.create(namespace, config)
+        ClientAdapter.Factory.create(namespace,  config, trustManagerProvider)
         // then
         verify(config).namespace = namespace
         verify(config.currentContext.context).namespace = namespace
     }
 
+    @Test
+    fun `#create should call trust manager provider`() {
+        // given
+        val ctx1 = namedContext("Aldeeran", "Aldera", "Republic", "Organa" )
+        val config = config(ctx1, listOf(ctx1))
+        // when
+        ClientAdapter.Factory.create("namespace",  config, trustManagerProvider)
+        // then
+        verify(trustManagerProvider).invoke(any())
+    }
 }