opensearch-project · MaciejMierzwa · Dec 15, 2023 · Dec 15, 2023
@@ -0,0 +1,157 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package com.amazon.dlic.auth.http.saml;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Timer;
+
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.HttpHeaders;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.apache.hc.core5.http.HttpStatus;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import net.shibboleth.utilities.java.support.resolver.ResolverException;
+import org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver;
+
+public class HTTPMetadataResolver extends AbstractReloadingMetadataResolver {
+    private final static Logger log = LogManager.getLogger(HTTPMetadataResolver.class);
+    private HttpClient httpClient;
+    private URI metadataURI;
+    private String cachedMetadataETag;
+    private String cachedMetadataLastModified;
+
+    public HTTPMetadataResolver(final HttpClient client, final String metadataURL) throws ResolverException {
+        this(null, client, metadataURL);
+    }
+
+    public HTTPMetadataResolver(final Timer backgroundTaskTimer, final HttpClient client, final String metadataURL)
+        throws ResolverException {
+        super(backgroundTaskTimer);
+
+        if (client == null) {
+            throw new ResolverException("HTTP client may not be null");
+        }
+        httpClient = client;
+
+        try {
+            metadataURI = new URI(metadataURL);
+        } catch (final URISyntaxException e) {
+            throw new ResolverException("Illegal URL syntax", e);
+        }
+    }
+
+    public String getMetadataURI() {
+        return metadataURI.toASCIIString();
+    }
+
+    @Override
+    protected void doDestroy() {
+        if (httpClient instanceof AutoCloseable) {
+            try {
+                ((AutoCloseable) httpClient).close();
+            } catch (final Exception e) {
+                log.error("Error closing HTTP client", e);
+            }
+        }
+        httpClient = null;
+        metadataURI = null;
+        cachedMetadataETag = null;
+        cachedMetadataLastModified = null;
+
+        super.doDestroy();
+    }
+
+    @Override
+    protected String getMetadataIdentifier() {
+        return metadataURI.toString();
+    }
+
+    @Override
+    protected byte[] fetchMetadata() throws ResolverException {
+        final HttpGet httpGet = buildHttpGet();
+        final HttpClientContext context = HttpClientContext.create();
+
+        try {
+            log.debug("{} Attempting to fetch metadata document from '{}'", getLogPrefix(), metadataURI);
+            return httpClient.execute(httpGet, context, response -> {
+                final int httpStatusCode = response.getCode();
+                if (httpStatusCode == HttpStatus.SC_NOT_MODIFIED) {
+                    log.debug("{} Metadata document from '{}' has not changed since last retrieval", getLogPrefix(), getMetadataURI());
+                    return null;
+                }
+                if (httpStatusCode != HttpStatus.SC_OK) {
+                    final String errMsg = "Non-ok status code " + httpStatusCode + " returned from remote metadata source " + metadataURI;
+                    log.error("{} " + errMsg, getLogPrefix());
+                    throw new HttpException(errMsg);
+                }
+
+                processConditionalRetrievalHeaders(response);
+                try {
+                    return getMetadataBytesFromResponse(response);
+                } catch (ResolverException e) {
+                    final String errMsg = "Error retrieving metadata from " + metadataURI;
+                    throw new HttpException(errMsg, e);
+                }
+            });
+        } catch (final IOException e) {
+            final String errMsg = "Error retrieving metadata from " + metadataURI;
+            log.error("{} {}: {}", getLogPrefix(), errMsg, e.getMessage());
+            throw new ResolverException(errMsg, e);
+        }
+    }
+
+    protected HttpGet buildHttpGet() {
+        final HttpGet getMethod = new HttpGet(getMetadataURI());
+
+        if (cachedMetadataETag != null) {
+            getMethod.setHeader(HttpHeaders.IF_NONE_MATCH, cachedMetadataETag);
+        }
+        if (cachedMetadataLastModified != null) {
+            getMethod.setHeader(HttpHeaders.IF_MODIFIED_SINCE, cachedMetadataLastModified);
+        }
+
+        return getMethod;
+    }
+
+    protected void processConditionalRetrievalHeaders(final ClassicHttpResponse response) {
+        Header httpHeader = response.getFirstHeader(HttpHeaders.ETAG);
+        if (httpHeader != null) {
+            cachedMetadataETag = httpHeader.getValue();
+        }
+
+        httpHeader = response.getFirstHeader(HttpHeaders.LAST_MODIFIED);
+        if (httpHeader != null) {
+            cachedMetadataLastModified = httpHeader.getValue();
+        }
+    }
+
+    protected byte[] getMetadataBytesFromResponse(final ClassicHttpResponse response) throws ResolverException {
+        log.debug("{} Attempting to extract metadata from response to request for metadata from '{}'", getLogPrefix(), getMetadataURI());
+        try {
+            final InputStream ins = response.getEntity().getContent();
+            return inputstreamToByteArray(ins);
+        } catch (final IOException e) {
+            log.error("{} Unable to read response: {}", getLogPrefix(), e.getMessage());
+            throw new ResolverException("Unable to read response", e);
+        } finally {
+            // Make sure entity has been completely consumed.
+            EntityUtils.consumeQuietly(response.getEntity());
+        }
+    }
+}
@@ -28,7 +28,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import org.apache.commons.lang3.StringEscapeUtils;
-import org.apache.http.HttpStatus;
+import org.apache.hc.core5.http.HttpStatus;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 

@@ -17,16 +17,21 @@
 import java.security.PrivilegedExceptionAction;
 import java.time.Duration;
 
-import org.apache.http.client.HttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.hc.client5.http.classic.HttpClient;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
+import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.URIScheme;
+import org.apache.hc.core5.http.config.Registry;
+import org.apache.hc.core5.http.config.RegistryBuilder;
 
 import org.opensearch.SpecialPermission;
 import org.opensearch.common.settings.Settings;
 
 import com.amazon.dlic.util.SettingsBasedSSLConfiguratorV4;
 import net.shibboleth.utilities.java.support.resolver.ResolverException;
-import org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver;
 
 public class SamlHTTPMetadataResolver extends HTTPMetadataResolver {
 
@@ -38,10 +43,9 @@
     }
 
     @Override
-    @SuppressWarnings("removal")
     protected byte[] fetchMetadata() throws ResolverException {
         try {
-            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) () -> SamlHTTPMetadataResolver.super.fetchMetadata());
+            return AccessController.doPrivileged((PrivilegedExceptionAction<byte[]>) SamlHTTPMetadataResolver.super::fetchMetadata);
         } catch (PrivilegedActionException e) {
 
             if (e.getCause() instanceof ResolverException) {
@@ -56,7 +60,6 @@
         return new SettingsBasedSSLConfiguratorV4(settings, configPath, "idp").buildSSLConfig();
     }
 
-    @SuppressWarnings("removal")
     private static HttpClient createHttpClient(Settings settings, Path configPath) throws Exception {
         try {
             final SecurityManager sm = System.getSecurityManager();
@@ -89,7 +92,13 @@
         SettingsBasedSSLConfiguratorV4.SSLConfig sslConfig = getSSLConfig(settings, configPath);
 
         if (sslConfig != null) {
-            builder.setSSLSocketFactory(sslConfig.toSSLConnectionSocketFactory());
+            SSLConnectionSocketFactory sslConnectionSocketFactory = sslConfig.toSSLConnectionSocketFactory();
+            Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
+                .register(URIScheme.HTTPS.id, sslConnectionSocketFactory)
+                .build();
+
+            BasicHttpClientConnectionManager connectionManager = new BasicHttpClientConnectionManager(socketFactoryRegistry);
+            builder.setConnectionManager(connectionManager);
         }
 
         return builder.build();

@@ -11,7 +11,6 @@
 
 package com.amazon.dlic.util;
 
-import java.net.Socket;
 import java.nio.file.Path;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
@@ -25,22 +24,18 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
-import java.util.Map;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 
 import com.google.common.collect.ImmutableList;
-import org.apache.http.conn.ssl.DefaultHostnameVerifier;
-import org.apache.http.conn.ssl.NoopHostnameVerifier;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
-import org.apache.http.ssl.PrivateKeyDetails;
-import org.apache.http.ssl.PrivateKeyStrategy;
-import org.apache.http.ssl.SSLContextBuilder;
-import org.apache.http.ssl.SSLContexts;
+import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
+import org.apache.hc.core5.ssl.SSLContexts;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -203,20 +198,16 @@
         if (enableSslClientAuth) {
             if (effectiveKeystore != null) {
                 try {
-                    sslContextBuilder.loadKeyMaterial(effectiveKeystore, effectiveKeyPassword, new PrivateKeyStrategy() {
-
-                        @Override
-                        public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
-                            if (aliases == null || aliases.isEmpty()) {
-                                return effectiveKeyAlias;
-                            }
-
-                            if (effectiveKeyAlias == null || effectiveKeyAlias.isEmpty()) {
-                                return aliases.keySet().iterator().next();
-                            }
-
+                    sslContextBuilder.loadKeyMaterial(effectiveKeystore, effectiveKeyPassword, (aliases, socket) -> {
+                        if (aliases == null || aliases.isEmpty()) {
                             return effectiveKeyAlias;
                         }
+
+                        if (effectiveKeyAlias == null || effectiveKeyAlias.isEmpty()) {
+                            return aliases.keySet().iterator().next();
+                        }
+
+                        return effectiveKeyAlias;
                     });
                 } catch (UnrecoverableKeyException e) {
                     throw new RuntimeException(e);
@@ -470,10 +461,6 @@
             return hostnameVerifier;
         }
 
-        public SSLIOSessionStrategy toSSLIOSessionStrategy() {
-            return new SSLIOSessionStrategy(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
-        }
-
         public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
             return new SSLConnectionSocketFactory(sslContext, supportedProtocols, supportedCipherSuites, hostnameVerifier);
         }