feat: add mtls support to GoogleNetHttpTransport and GoogleApacheHttpTransport

google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java

@@ -15,6 +15,8 @@
 package com.google.api.client.googleapis.apache.v2;
 
 import com.google.api.client.googleapis.GoogleUtils;
+import com.google.api.client.googleapis.util.MtlsUtils;
+import com.google.api.client.googleapis.util.Utils;
 import com.google.api.client.http.apache.v2.ApacheHttpTransport;
 import com.google.api.client.util.SslUtils;
 import java.io.IOException;
@@ -24,7 +26,6 @@
 import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLContext;
 import org.apache.http.client.HttpClient;
-import org.apache.http.config.SocketConfig;
 import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.impl.client.HttpClientBuilder;
@@ -39,11 +40,26 @@
 public final class GoogleApacheHttpTransport {
 
   /**
-   * Returns a new instance of {@link ApacheHttpTransport} that uses
-   * {@link GoogleUtils#getCertificateTrustStore()} for the trusted certificates.
+   * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
+   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If
+   * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
+   * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
+   * transport uses the default client certificate and is mutual TLS.
    */
-  public static ApacheHttpTransport newTrustedTransport() throws GeneralSecurityException,
-      IOException {
+  public static ApacheHttpTransport newTrustedTransport()
+      throws GeneralSecurityException, IOException {
+    return newTrustedTransport(MtlsUtils.getDefaultMtlsProvider());
+  }
+
+  static ApacheHttpTransport newTrustedTransport(MtlsUtils.MtlsProvider mtlsProvider)
+      throws GeneralSecurityException, IOException {
+    KeyStore mtlsKeyStore = null;
+    String mtlsKeyStorePassword = null;
+    if (mtlsProvider.useMtlsClientCertificate()) {
+      mtlsKeyStore = mtlsProvider.loadDefaultKeyStore();
+      mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
+    }
+
     PoolingHttpClientConnectionManager connectionManager =
         new PoolingHttpClientConnectionManager(-1, TimeUnit.MILLISECONDS);
 
@@ -53,22 +69,35 @@ public static ApacheHttpTransport newTrustedTransport() throws GeneralSecurityEx
     // Use the included trust store
     KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
     SSLContext sslContext = SslUtils.getTlsSslContext();
-    SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+
+    boolean isMtls = false;
+    if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
+      isMtls = true;
+      SslUtils.initSslContext(
+          sslContext,
+          trustStore,
+          SslUtils.getPkixTrustManagerFactory(),
+          mtlsKeyStore,
+          mtlsKeyStorePassword,
+          SslUtils.getDefaultKeyManagerFactory());
+    } else {
+      SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+    }
     LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
 
-    HttpClient client = HttpClientBuilder.create()
-        .useSystemProperties()
-        .setSSLSocketFactory(socketFactory)
-        .setMaxConnTotal(200)
-        .setMaxConnPerRoute(20)
-        .setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()))
-        .setConnectionManager(connectionManager)
-        .disableRedirectHandling()
-        .disableAutomaticRetries()
-        .build();
-    return new ApacheHttpTransport(client);
+    HttpClient client =
+        HttpClientBuilder.create()
+            .useSystemProperties()
+            .setSSLSocketFactory(socketFactory)
+            .setMaxConnTotal(200)
+            .setMaxConnPerRoute(20)
+            .setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()))
+            .setConnectionManager(connectionManager)
+            .disableRedirectHandling()
+            .disableAutomaticRetries()
+            .build();
+    return new ApacheHttpTransport(client, isMtls);
   }
 
-  private GoogleApacheHttpTransport() {
-  }
+  private GoogleApacheHttpTransport() {}
 }

google-api-client/src/main/java/com/google/api/client/googleapis/javanet/GoogleNetHttpTransport.java

@@ -15,6 +15,8 @@
 package com.google.api.client.googleapis.javanet;
 
 import com.google.api.client.googleapis.GoogleUtils;
+import com.google.api.client.googleapis.util.MtlsUtils;
+import com.google.api.client.googleapis.util.Utils;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
@@ -29,32 +31,50 @@
 public class GoogleNetHttpTransport {
 
   /**
-   * Returns a new instance of {@link NetHttpTransport} that uses
-   * {@link GoogleUtils#getCertificateTrustStore()} for the trusted certificates using
-   * {@link com.google.api.client.http.javanet.NetHttpTransport.Builder#trustCertificates(KeyStore)}
-   * .
+   * Returns a new instance of {@link NetHttpTransport} that uses {@link
+   * GoogleUtils#getCertificateTrustStore()} for the trusted certificates using {@link
+   * com.google.api.client.http.javanet.NetHttpTransport.Builder#trustCertificates(KeyStore)}. If
+   * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
+   * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
+   * transport uses the default client certificate and is mutual TLS.
    *
-   * <p>
-   * This helper method doesn't provide for customization of the {@link NetHttpTransport}, such as
-   * the ability to specify a proxy. To do use, use
-   * {@link com.google.api.client.http.javanet.NetHttpTransport.Builder}, for example:
-   * </p>
+   * <p>This helper method doesn't provide for customization of the {@link NetHttpTransport}, such
+   * as the ability to specify a proxy. To do use, use {@link
+   * com.google.api.client.http.javanet.NetHttpTransport.Builder}, for example:
    *
    * <pre>
-  static HttpTransport newProxyTransport() throws GeneralSecurityException, IOException {
-    NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
-    builder.trustCertificates(GoogleUtils.getCertificateTrustStore());
-    builder.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 3128)));
-    return builder.build();
-  }
+   * static HttpTransport newProxyTransport() throws GeneralSecurityException, IOException {
+   * NetHttpTransport.Builder builder = new NetHttpTransport.Builder();
+   * builder.trustCertificates(GoogleUtils.getCertificateTrustStore());
+   * builder.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 3128)));
+   * return builder.build();
+   * }
    * </pre>
    */
   public static NetHttpTransport newTrustedTransport()
       throws GeneralSecurityException, IOException {
-    return new NetHttpTransport.Builder().trustCertificates(GoogleUtils.getCertificateTrustStore())
-        .build();
+    return newTrustedTransport(MtlsUtils.getDefaultMtlsProvider());
   }
 
-  private GoogleNetHttpTransport() {
+  static NetHttpTransport newTrustedTransport(MtlsUtils.MtlsProvider mtlsProvider)
+      throws GeneralSecurityException, IOException {
+    KeyStore mtlsKeyStore = null;
+    String mtlsKeyStorePassword = null;
+    if (mtlsProvider.useMtlsClientCertificate()) {
+      mtlsKeyStore = mtlsProvider.loadDefaultKeyStore();
+      mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
+    }
+
+    if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
+      return new NetHttpTransport.Builder()
+          .trustCertificates(
+              GoogleUtils.getCertificateTrustStore(), mtlsKeyStore, mtlsKeyStorePassword)
+          .build();
+    }
+    return new NetHttpTransport.Builder()
+        .trustCertificates(GoogleUtils.getCertificateTrustStore())
+        .build();
   }
+
+  private GoogleNetHttpTransport() {}
 }

google-api-client/src/main/java/com/google/api/client/googleapis/util/MtlsUtils.java

@@ -0,0 +1,150 @@
+/*
+ * Copyright 2020 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.api.client.googleapis.util;
+
+import com.google.api.client.json.GenericJson;
+import com.google.api.client.json.JsonParser;
+import com.google.api.client.util.Beta;
+import com.google.api.client.util.Key;
+import com.google.api.client.util.SecurityUtils;
+import com.google.common.annotations.VisibleForTesting;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.List;
+
+public class MtlsUtils {
+  public interface MtlsProvider {
+    boolean useMtlsClientCertificate();
+
+    String getKeyStorePassword();
+
+    KeyStore loadDefaultKeyStore() throws IOException, GeneralSecurityException;
+  }
+
+  /**
+   * {@link Beta} <br>
+   * Data class representing context_aware_metadata.json file.
+   *
+   * @since 1.31
+   */
+  @Beta
+  public static class ContextAwareMetadataJson extends GenericJson {
+    /** Cert provider command */
+    @Key("cert_provider_command")
+    private List<String> commands;
+
+    /**
+     * Returns the cert provider command.
+     *
+     * @since 1.31
+     */
+    public final List<String> getCommands() {
+      return commands;
+    }
+  }
+
+  @VisibleForTesting
+  static class DefaultMtlsProvider implements MtlsProvider {
+    private static final String DEFAULT_CONTEXT_AWARE_METADATA_PATH =
+        System.getProperty("user.home") + "/.secureConnect/context_aware_metadata.json";
+
+    /** GOOGLE_API_USE_CLIENT_CERTIFICATE environment variable */
+    public static final String GOOGLE_API_USE_CLIENT_CERTIFICATE =
+        "GOOGLE_API_USE_CLIENT_CERTIFICATE";
+
+    interface EnvironmentProvider {
+      String getenv(String name);
+    }
+
+    static class SystemEnvironmentProvider implements EnvironmentProvider {
+      @Override
+      public String getenv(String name) {
+        return System.getenv(name);
+      }
+    }
+
+    DefaultMtlsProvider() {
+      this(new SystemEnvironmentProvider(), DEFAULT_CONTEXT_AWARE_METADATA_PATH);
+    }
+
+    private EnvironmentProvider envProvider;
+    private String metadataPath;
+
+    @VisibleForTesting
+    DefaultMtlsProvider(EnvironmentProvider envProvider, String metadataPath) {
+      this.envProvider = envProvider;
+      this.metadataPath = metadataPath;
+    }
+
+    @Override
+    public boolean useMtlsClientCertificate() {
+      String useClientCertificate = envProvider.getenv(GOOGLE_API_USE_CLIENT_CERTIFICATE);
+      return "true".equals(useClientCertificate);
+    }
+
+    @Override
+    public String getKeyStorePassword() {
+      return "";
+    }
+
+    @Override
+    public KeyStore loadDefaultKeyStore() throws IOException, GeneralSecurityException {
+      // Load the cert provider command from the json file.
+      InputStream stream;
+      try {
+        stream = new FileInputStream(metadataPath);
+      } catch (FileNotFoundException ignored) {
+        // file doesn't exist
+        return null;
+      }
+
+      List<String> command = extractCertificateProviderCommand(stream);
+
+      // Call the command.
+      Process process = new ProcessBuilder(command).start();
+      int exitCode = -1;
+      try {
+        exitCode = process.waitFor();
+      } catch (InterruptedException e) {
+        throw new IOException("Interrupted executing certificate provider command", e);
+      }
+      if (exitCode != 0) {
+        throw new IOException(
+            String.format("Failed to execute cert provider command with exit code: %d", exitCode));
+      }
+
+      // Parse input certificates from shell command
+      return SecurityUtils.createMtlsKeyStore(process.getInputStream());
+    }
+
+    @VisibleForTesting
+    static List<String> extractCertificateProviderCommand(InputStream contextAwareMetadata)
+        throws IOException {
+      JsonParser parser = Utils.getDefaultJsonFactory().createJsonParser(contextAwareMetadata);
+      ContextAwareMetadataJson json = parser.parse(ContextAwareMetadataJson.class);
+      return json.getCommands();
+    }
+  }
+
+  private static final MtlsProvider MTLS_PROVIDER = new DefaultMtlsProvider();
+
+  public static MtlsProvider getDefaultMtlsProvider() {
+    return MTLS_PROVIDER;
+  }
+}

google-api-client/src/main/java/com/google/api/client/googleapis/util/Utils.java

@@ -17,8 +17,18 @@
 import com.google.api.client.http.HttpTransport;
 import com.google.api.client.http.javanet.NetHttpTransport;
 import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.JsonParser;
 import com.google.api.client.json.jackson2.JacksonFactory;
 import com.google.api.client.util.Beta;
+import com.google.api.client.util.SecurityUtils;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.AccessControlException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.util.List;
 
 /**
  * {@link Beta} <br/>
@@ -29,9 +39,7 @@
 @Beta
 public final class Utils {
 
-  /**
-   * Returns a cached default implementation of the JsonFactory interface.
-   */
+  /** Returns a cached default implementation of the JsonFactory interface. */
   public static JsonFactory getDefaultJsonFactory() {
     return JsonFactoryInstanceHolder.INSTANCE;
   }
@@ -44,9 +52,7 @@ private static class JsonFactoryInstanceHolder {
     static final JsonFactory INSTANCE = new JacksonFactory();
   }
 
-  /**
-   * Returns a cached default implementation of the HttpTransport interface.
-   */
+  /** Returns a cached default implementation of the HttpTransport interface. */
   public static HttpTransport getDefaultTransport() {
     return TransportInstanceHolder.INSTANCE;
   }
@@ -55,6 +61,5 @@ private static class TransportInstanceHolder {
     static final HttpTransport INSTANCE = new NetHttpTransport();
   }
 
-  private Utils() {
-  }
+  private Utils() {}
 }