Implement method for Https ssl trustmanager and improve exception

components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/APIApplicationServicesImpl.java

@@ -19,6 +19,7 @@
 package io.entgra.device.mgt.core.apimgt.extension.rest.api;
 
 import com.google.gson.Gson;
+import io.entgra.device.mgt.core.apimgt.extension.rest.api.util.HttpsTrustManagerUtils;
 import org.json.JSONObject;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIApplicationKey;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.constants.Constants;
@@ -48,7 +49,7 @@ import java.util.concurrent.TimeUnit;
 public class APIApplicationServicesImpl implements APIApplicationServices {
 
     private static final Log log = LogFactory.getLog(APIApplicationServicesImpl.class);
-    private static final OkHttpClient client = getOkHttpClient();
+    private static final OkHttpClient client = new OkHttpClient(HttpsTrustManagerUtils.getSSLClient().newBuilder());
     private static final Gson gson = new Gson();
     private static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");
     String msg = null;
@@ -133,55 +134,4 @@ public class APIApplicationServicesImpl implements APIApplicationServices {
             throw new APIServicesException(e);
         }
     }
-
-    protected static OkHttpClient getOkHttpClient() {
-        X509TrustManager trustAllCerts = new X509TrustManager() {
-            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                return new java.security.cert.X509Certificate[0];
-            }
-
-            public void checkClientTrusted(
-                    java.security.cert.X509Certificate[] certs, String authType) {
-            }
-
-            public void checkServerTrusted(
-                    java.security.cert.X509Certificate[] certs, String authType) {
-            }
-        };
-        OkHttpClient okHttpClient = new OkHttpClient.Builder()
-                .connectTimeout(300, TimeUnit.SECONDS)
-                .writeTimeout(300, TimeUnit.SECONDS)
-                .readTimeout(300, TimeUnit.SECONDS)
-                .connectionPool(new ConnectionPool(500, 500, TimeUnit.SECONDS))
-                .sslSocketFactory(getSimpleTrustedSSLSocketFactory(), trustAllCerts)
-                .hostnameVerifier((hostname, sslSession) -> true).build();
-        return okHttpClient;
-    }
-
-    private static SSLSocketFactory getSimpleTrustedSSLSocketFactory() {
-        try {
-            TrustManager[] trustAllCerts = new TrustManager[]{
-                    new X509TrustManager() {
-                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-                            return null;
-                        }
-
-                        public void checkClientTrusted(
-                                java.security.cert.X509Certificate[] certs, String authType) {
-                        }
-
-                        public void checkServerTrusted(
-                                java.security.cert.X509Certificate[] certs, String authType) {
-                        }
-                    }
-            };
-            SSLContext sc = SSLContext.getInstance("SSL");
-            sc.init(null, trustAllCerts, new java.security.SecureRandom());
-            return sc.getSocketFactory();
-        } catch (KeyManagementException | NoSuchAlgorithmException e) {
-            log.error("Error while creating the SSL socket factory due to " + e.getMessage(), e);
-            return null;
-        }
-
-    }
 }

components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/PublisherRESTAPIServices.java

@@ -23,6 +23,8 @@ import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIApplicationKey
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.AccessTokenInfo;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.APIServicesException;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.BadRequestException;
+import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.UnexpectedResponseException;
+import io.entgra.device.mgt.core.apimgt.extension.rest.api.util.HttpsTrustManagerUtils;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.util.ScopeUtils;
 import okhttp3.MediaType;
 import okhttp3.OkHttpClient;
@@ -38,17 +40,15 @@ import org.wso2.carbon.apimgt.api.model.Scope;
 
 import java.io.IOException;
 
-import static io.entgra.device.mgt.core.apimgt.extension.rest.api.APIApplicationServicesImpl.getOkHttpClient;
-
 public class PublisherRESTAPIServices {
     private static final Log log = LogFactory.getLog(PublisherRESTAPIServices.class);
-    private static final OkHttpClient client = getOkHttpClient();
+    private static final OkHttpClient client = new OkHttpClient(HttpsTrustManagerUtils.getSSLClient().newBuilder());
     private static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");
     private static final String host = System.getProperty(Constants.IOT_CORE_HOST);
     private static final String port = System.getProperty(Constants.IOT_CORE_HTTPS_PORT);
 
     public JSONObject getScopes(APIApplicationKey apiApplicationKey, AccessTokenInfo accessTokenInfo)
-            throws APIServicesException, BadRequestException {
+            throws APIServicesException, BadRequestException, UnexpectedResponseException {
 
         String getAllScopesUrl = Constants.HTTPS_PROTOCOL + Constants.SCHEME_SEPARATOR + host + Constants.COLON
                 + port + Constants.GET_ALL_SCOPES;
@@ -76,7 +76,8 @@ public class PublisherRESTAPIServices {
                 log.error(msg);
                 throw new BadRequestException(msg);
             } else {
-                return null;
+                String msg = "Response : " + response.code() + response.body();
+                throw new UnexpectedResponseException(msg);
             }
         } catch (IOException e) {
             String msg = "Error occurred while processing the response";
@@ -86,7 +87,7 @@ public class PublisherRESTAPIServices {
     }
 
     public boolean isSharedScopeNameExists(APIApplicationKey apiApplicationKey, AccessTokenInfo accessTokenInfo, String key)
-            throws APIServicesException, BadRequestException {
+            throws APIServicesException, BadRequestException, UnexpectedResponseException {
 
         String keyValue = new String(Base64.encodeBase64((key).getBytes())).replace(Constants.QUERY_KEY_VALUE_SEPARATOR,
                 Constants.EMPTY_STRING);
@@ -115,7 +116,8 @@ public class PublisherRESTAPIServices {
                 log.error(msg);
                 throw new BadRequestException(msg);
             } else {
-                return false;
+                String msg = "Response : " + response.code() + response.body();
+                throw new UnexpectedResponseException(msg);
             }
         } catch (IOException e) {
             String msg = "Error occurred while processing the response";
@@ -125,7 +127,7 @@ public class PublisherRESTAPIServices {
     }
 
     public boolean updateSharedScope(APIApplicationKey apiApplicationKey, AccessTokenInfo accessTokenInfo, Scope scope)
-            throws APIServicesException, BadRequestException {
+            throws APIServicesException, BadRequestException, UnexpectedResponseException {
 
         String updateScopeUrl = Constants.HTTPS_PROTOCOL + Constants.SCHEME_SEPARATOR + host
                 + Constants.COLON + port + Constants.GET_SCOPE + scope.getId();
@@ -161,7 +163,8 @@ public class PublisherRESTAPIServices {
                 log.error(msg);
                 throw new BadRequestException(msg);
             } else {
-                return false;
+                String msg = "Response : " + response.code() + response.body();
+                throw new UnexpectedResponseException(msg);
             }
         } catch (IOException e) {
             String msg = "Error occurred while processing the response";

components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/exceptions/UnexpectedResponseException.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
+ *
+ * Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Custom exception class for handling unexpected server response exceptions.
+ */
+package io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions;
+
+public class UnexpectedResponseException extends Exception {
+
+    private static final long serialVersionUID = -2387103750774855056L;
+
+    public UnexpectedResponseException(String errorMessage) {
+        super(errorMessage);
+    }
+}

components/apimgt-extensions/io.entgra.device.mgt.core.apimgt.extension.rest.api/src/main/java/io/entgra/device/mgt/core/apimgt/extension/rest/api/util/HttpsTrustManagerUtils.java

@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2023, Entgra (Pvt) Ltd. (http://www.entgra.io) All Rights Reserved.
+ *
+ * Entgra (Pvt) Ltd. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package io.entgra.device.mgt.core.apimgt.extension.rest.api.util;
+
+import okhttp3.ConnectionPool;
+import okhttp3.OkHttpClient;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.base.ServerConfiguration;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.HostnameVerifier;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.Proxy;
+import java.net.ProxySelector;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+import java.net.URI;
+
+import java.security.*;
+import java.security.cert.CertificateException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+public class HttpsTrustManagerUtils {
+
+    private static final Log log = LogFactory.getLog(HttpsTrustManagerUtils.class);
+    private static final String KEY_STORE_TYPE = "JKS";
+    /**
+     * Default truststore type of the client
+     */
+    private static final String TRUST_STORE_TYPE = "JKS";
+    /**
+     * Default keymanager type of the client
+     */
+    private static final String KEY_MANAGER_TYPE = "SunX509"; //Default Key Manager Type
+    /**
+     * Default trustmanager type of the client
+     */
+    private static final String TRUST_MANAGER_TYPE = "SunX509"; //Default Trust Manager Type
+    private static final String SSLV3 = "SSLv3";
+    private static final String DEFAULT_HOST = "localhost";
+    private static final String DEFAULT_HOST_IP = "127.0.0.1";
+    private static final int TIMEOUT = 100;
+
+    public static OkHttpClient getSSLClient() {
+
+        boolean isIgnoreHostnameVerification = Boolean.parseBoolean(System.getProperty("org.wso2"
+                + ".ignoreHostnameVerification"));
+        OkHttpClient okHttpClient;
+        final String proxyHost = System.getProperty("http.proxyHost");
+        final String proxyPort = System.getProperty("http.proxyPort");
+        final String nonProxyHostsValue = System.getProperty("http.nonProxyHosts");
+
+        final ProxySelector proxySelector = new ProxySelector() {
+            @Override
+            public List<Proxy> select(URI uri) {
+                List<Proxy> proxyList = new ArrayList<>();
+                String host = uri.getHost();
+
+                if (!StringUtils.isEmpty(host)) {
+                    if (host.startsWith(DEFAULT_HOST_IP) || host.startsWith(DEFAULT_HOST) || StringUtils
+                            .isEmpty(nonProxyHostsValue) || StringUtils.contains(nonProxyHostsValue, host) ||
+                            StringUtils.isEmpty(proxyHost) || StringUtils.isEmpty(proxyPort)) {
+                        proxyList.add(Proxy.NO_PROXY);
+                    } else {
+                        proxyList.add(new Proxy(Proxy.Type.HTTP,
+                                new InetSocketAddress(proxyHost, Integer.parseInt(proxyPort))));
+                    }
+                } else {
+                    log.error("Host is null. Host could not be empty or null");
+                }
+                return proxyList;
+            }
+
+            @Override
+            public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
+                throw new UnsupportedOperationException("Not supported yet.");
+            }
+        };
+
+        X509TrustManager trustAllCerts = new X509TrustManager() {
+            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                return new java.security.cert.X509Certificate[0];
+            }
+
+            public void checkClientTrusted(
+                    java.security.cert.X509Certificate[] certs, String authType) {
+            }
+
+            public void checkServerTrusted(
+                    java.security.cert.X509Certificate[] certs, String authType) {
+            }
+        };
+
+        if (isIgnoreHostnameVerification) {
+            okHttpClient = new OkHttpClient.Builder()
+                    .connectTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .writeTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .readTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .connectionPool(new ConnectionPool(TIMEOUT, TIMEOUT, TimeUnit.SECONDS))
+                    .sslSocketFactory(getSimpleTrustedSSLSocketFactory(), trustAllCerts)
+                    .hostnameVerifier(new HostnameVerifier() {
+                        @Override
+                        public boolean verify(String s, SSLSession sslSession) {
+                            return true;
+                        }
+                    }).proxySelector(proxySelector).build();
+            return okHttpClient;
+        } else {
+            SSLSocketFactory trustedSSLSocketFactory = getTrustedSSLSocketFactory();
+            okHttpClient = new OkHttpClient.Builder()
+                    .connectTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .writeTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .readTimeout(TIMEOUT, TimeUnit.SECONDS)
+                    .connectionPool(new ConnectionPool(TIMEOUT, TIMEOUT, TimeUnit.SECONDS))
+                    .sslSocketFactory(trustedSSLSocketFactory)
+                    .proxySelector(proxySelector).build();
+            return okHttpClient;
+        }
+    }
+
+    private static SSLSocketFactory getSimpleTrustedSSLSocketFactory() {
+        try {
+            TrustManager[] trustAllCerts = new TrustManager[]{
+                    new X509TrustManager() {
+                        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+                            return null;
+                        }
+
+                        public void checkClientTrusted(
+                                java.security.cert.X509Certificate[] certs, String authType) {
+                        }
+
+                        public void checkServerTrusted(
+                                java.security.cert.X509Certificate[] certs, String authType) {
+                        }
+                    }
+            };
+            SSLContext sc = SSLContext.getInstance("SSL");
+            sc.init(null, trustAllCerts, new SecureRandom());
+            return sc.getSocketFactory();
+        } catch (KeyManagementException | NoSuchAlgorithmException e) {
+            log.error("Error while creating the SSL socket factory due to " + e.getMessage(), e);
+            return null;
+        }
+    }
+
+    private static SSLSocketFactory getTrustedSSLSocketFactory() {
+        try {
+            String keyStorePassword = ServerConfiguration.getInstance().getFirstProperty("Security.KeyStore.Password");
+            String keyStoreLocation = ServerConfiguration.getInstance().getFirstProperty("Security.KeyStore.Location");
+            String trustStorePassword = ServerConfiguration.getInstance().getFirstProperty(
+                    "Security.TrustStore.Password");
+            String trustStoreLocation = ServerConfiguration.getInstance().getFirstProperty(
+                    "Security.TrustStore.Location");
+            KeyStore keyStore = loadKeyStore(keyStoreLocation, keyStorePassword, KEY_STORE_TYPE);
+            KeyStore trustStore = loadTrustStore(trustStoreLocation, trustStorePassword);
+
+            return initSSLConnection(keyStore, keyStorePassword, trustStore);
+        } catch (KeyManagementException | NoSuchAlgorithmException | KeyStoreException
+                 | CertificateException | IOException | UnrecoverableKeyException e) {
+            log.error("Error while creating the SSL socket factory due to " + e.getMessage(), e);
+            return null;
+        }
+    }
+
+    private static SSLSocketFactory initSSLConnection(KeyStore keyStore, String keyStorePassword, KeyStore trustStore)
+            throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, KeyManagementException {
+        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KEY_MANAGER_TYPE);
+        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TRUST_MANAGER_TYPE);
+        trustManagerFactory.init(trustStore);
+
+        // Create and initialize SSLContext for HTTPS communication
+        SSLContext sslContext = SSLContext.getInstance(SSLV3);
+        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+        SSLContext.setDefault(sslContext);
+        return sslContext.getSocketFactory();
+    }
+
+    private static KeyStore loadKeyStore(String keyStorePath, String ksPassword, String type)
+            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+        InputStream fileInputStream = null;
+        try {
+            char[] keypassChar = ksPassword.toCharArray();
+            KeyStore keyStore = KeyStore.getInstance(type);
+            fileInputStream = new FileInputStream(keyStorePath);
+            keyStore.load(fileInputStream, keypassChar);
+            return keyStore;
+        } finally {
+            if (fileInputStream != null) {
+                fileInputStream.close();
+            }
+        }
+    }
+
+    private static KeyStore loadTrustStore(String trustStorePath, String tsPassword)
+            throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
+        return loadKeyStore(trustStorePath, tsPassword, TRUST_STORE_TYPE);
+    }
+}

components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java

@@ -25,6 +25,7 @@ import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.APIApplicationKey
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.dto.AccessTokenInfo;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.APIServicesException;
 import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.BadRequestException;
+import io.entgra.device.mgt.core.apimgt.extension.rest.api.exceptions.UnexpectedResponseException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -468,7 +469,11 @@ public class APIPublisherServiceImpl implements APIPublisherService {
             String errorMsg = "Error while calling Publisher REST APIs";
             log.error(errorMsg, e);
             throw new APIManagerPublisherException(e);
-        } finally {
+        } catch (UnexpectedResponseException e) {
+            String errorMsg = "Unexpected response from the server";
+            log.error(errorMsg, e);
+            throw new APIManagerPublisherException(e);
+        }finally {
             PrivilegedCarbonContext.endTenantFlow();
         }
     }