From 3e4bc027ebdba5dd1a0935a75b5218960f736f76 Mon Sep 17 00:00:00 2001
From: Jay Modi <jaymode@users.noreply.github.com>
Date: Thu, 20 Jul 2017 07:36:56 -0600
Subject: [PATCH] RestClient uses system properties and system default
 SSLContext (#25757)

This commit calls the `useSystemProperties` method on the HttpAsyncClientBuilder so that the jvm
system properties are used. The primary reason for doing this is to ensure the builder uses the
system default SSLContext rather than the default instance created by the http client library.

Closes #23231
---
 .../client/RestClientBuilder.java             |  11 +-
 .../client/RestClientBuilderIntegTests.java   | 119 ++++++++++++++++++
 client/rest/src/test/resources/testks.jks     | Bin 0 -> 2381 bytes
 .../bootstrap/test-framework.policy           |   4 +
 .../low-level/configuration.asciidoc          |   3 +
 .../plugin-metadata/plugin-security.policy    |  10 ++
 6 files changed, 145 insertions(+), 2 deletions(-)
 create mode 100644 client/rest/src/test/java/org/elasticsearch/client/RestClientBuilderIntegTests.java
 create mode 100644 client/rest/src/test/resources/testks.jks

diff --git a/client/rest/src/main/java/org/elasticsearch/client/RestClientBuilder.java b/client/rest/src/main/java/org/elasticsearch/client/RestClientBuilder.java
index 4466a61d9df..38c9cdbe6e6 100644
--- a/client/rest/src/main/java/org/elasticsearch/client/RestClientBuilder.java
+++ b/client/rest/src/main/java/org/elasticsearch/client/RestClientBuilder.java
@@ -202,11 +202,18 @@ public final class RestClientBuilder {
 
         HttpAsyncClientBuilder httpClientBuilder = HttpAsyncClientBuilder.create().setDefaultRequestConfig(requestConfigBuilder.build())
                 //default settings for connection pooling may be too constraining
-                .setMaxConnPerRoute(DEFAULT_MAX_CONN_PER_ROUTE).setMaxConnTotal(DEFAULT_MAX_CONN_TOTAL);
+                .setMaxConnPerRoute(DEFAULT_MAX_CONN_PER_ROUTE).setMaxConnTotal(DEFAULT_MAX_CONN_TOTAL).useSystemProperties();
         if (httpClientConfigCallback != null) {
             httpClientBuilder = httpClientConfigCallback.customizeHttpClient(httpClientBuilder);
         }
-        return httpClientBuilder.build();
+
+        final HttpAsyncClientBuilder finalBuilder = httpClientBuilder;
+        return AccessController.doPrivileged(new PrivilegedAction<CloseableHttpAsyncClient>() {
+            @Override
+            public CloseableHttpAsyncClient run() {
+                return finalBuilder.build();
+            }
+        });
     }
 
     /**
diff --git a/client/rest/src/test/java/org/elasticsearch/client/RestClientBuilderIntegTests.java b/client/rest/src/test/java/org/elasticsearch/client/RestClientBuilderIntegTests.java
new file mode 100644
index 00000000000..8142fea6d25
--- /dev/null
+++ b/client/rest/src/test/java/org/elasticsearch/client/RestClientBuilderIntegTests.java
@@ -0,0 +1,119 @@
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.elasticsearch.client;
+
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+import com.sun.net.httpserver.HttpsConfigurator;
+import com.sun.net.httpserver.HttpsServer;
+import org.apache.http.HttpHost;
+import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
+import org.elasticsearch.mocksocket.MockHttpServer;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.security.KeyStore;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+/**
+ * Integration test to validate the builder builds a client with the correct configuration
+ */
+//animal-sniffer doesn't like our usage of com.sun.net.httpserver.* classes
+@IgnoreJRERequirement
+public class RestClientBuilderIntegTests extends RestClientTestCase {
+
+    private static HttpsServer httpsServer;
+
+    @BeforeClass
+    public static void startHttpServer() throws Exception {
+        httpsServer = MockHttpServer.createHttps(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
+        httpsServer.setHttpsConfigurator(new HttpsConfigurator(getSslContext()));
+        httpsServer.createContext("/", new ResponseHandler());
+        httpsServer.start();
+    }
+
+    //animal-sniffer doesn't like our usage of com.sun.net.httpserver.* classes
+    @IgnoreJRERequirement
+    private static class ResponseHandler implements HttpHandler {
+        @Override
+        public void handle(HttpExchange httpExchange) throws IOException {
+            httpExchange.sendResponseHeaders(200, -1);
+            httpExchange.close();
+        }
+    }
+
+    @AfterClass
+    public static void stopHttpServers() throws IOException {
+        httpsServer.stop(0);
+        httpsServer = null;
+    }
+
+    public void testBuilderUsesDefaultSSLContext() throws Exception {
+        final SSLContext defaultSSLContext = SSLContext.getDefault();
+        try {
+            try (RestClient client = buildRestClient()) {
+                try {
+                    client.performRequest("GET", "/");
+                    fail("connection should have been rejected due to SSL handshake");
+                } catch (Exception e) {
+                    assertThat(e.getMessage(), containsString("General SSLEngine problem"));
+                }
+            }
+
+            SSLContext.setDefault(getSslContext());
+            try (RestClient client = buildRestClient()) {
+                Response response = client.performRequest("GET", "/");
+                assertEquals(200, response.getStatusLine().getStatusCode());
+            }
+        } finally {
+            SSLContext.setDefault(defaultSSLContext);
+        }
+    }
+
+    private RestClient buildRestClient() {
+        InetSocketAddress address = httpsServer.getAddress();
+        return RestClient.builder(new HttpHost(address.getHostString(), address.getPort(), "https")).build();
+    }
+
+    private static SSLContext getSslContext() throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        try (InputStream in = RestClientBuilderIntegTests.class.getResourceAsStream("/testks.jks")) {
+            KeyStore keyStore = KeyStore.getInstance("JKS");
+            keyStore.load(in, "password".toCharArray());
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
+            kmf.init(keyStore, "password".toCharArray());
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
+            tmf.init(keyStore);
+            sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
+        }
+        return sslContext;
+    }
+}
diff --git a/client/rest/src/test/resources/testks.jks b/client/rest/src/test/resources/testks.jks
new file mode 100644
index 0000000000000000000000000000000000000000..cd706db5e3834f4b44493530bca17697f32d8de2
GIT binary patch
literal 2381
zcmcgt`9IYA8vlOB80%QF%P^K4yYI*ll4T;A?8cHMVh&T*Y{!}zYjf<S$aSr8vgFuz
z(iF1B4W;Ztgb<F9!@2jK>o2&U*Xwz`-tYJ4{loKmp6B&EKURON0ssIz4)Cv__YA&G
z3_fNKX6Ang002D<qQHMZYzSsq1PBLZV4NUG55Ot#<=_{tQ#G%rrPFumiBPzvU%+Ce
z#o}Z)+>BTG4J7uREh5mJ7*;DV;dAlA=s5+KPl4wULQJdoL8~Pe7D3^*Cpn+O9sr03
zISo5KN{!m#CIL0)yz>t}H?Dji7ewQeMTpah_;lIM9lfx^{MI46EY=H2Gb87zSV!L9
zBNwGc)hcRNP-{ZbigjTAb+b#asOW1;eDvzR6aB?nZ0b51o)HL=(P6?em8T=Dtimf@
zkw!zNEH-cfeLsno#O=RbxSvAmmq_5eGP;=CTVxI0y~COhkJiND1UdLS2Ol7#CcE^d
zL>{Nth-L14Z4j+X`yfibe=ag4rVlxJp#US7Q|y@QX^G~`3fl?pyl5Y^R8rIQWW4Id
zQ{z=r`vr-qyIpkx)5AVH*xUo_`4Nx4b(N?wT{OYbRG2-rc<pTqw#u`Oi=x&eL=*Z|
zvL3yhq0`y9ALyu%FJEc+uv~jfx20S~Wwo4VzVyhRe$@sQ)G1>bCh$ubPg4`&+@r5D
zzPUX@zCiejz)?}CTe3&^u7rVdbjjY6C5l<H#aw@TcZ&~wl=mdNU5I%@pwoN7+|oWb
z@3c^ldotaePq$RYELTbtF+VcA-;q8T+~LOQ(*km^2Vd-(MJ{UgF02|x-6e~ui!*E2
zP=P+!j6-6xnyJL_CMs>@V4|cw6<vXss3L!4Knu}e8CTny6rR=dkks}}eJ|yIp30uz
zAjsIA`6`}CG#TXg8v<C}Dktmd`+t6Q@IhMRK+QcO^6^AYaDi<jYp0umUQI4ML*!wO
zq80dtcbz3<|H`KiVlD83$Z#chtYBQ6YNp?XTfg^y?NG`p1;-Z(>NVPj+>;MVdCH6G
z;*UbVqziZ{8{q|$yRDA6AbU?YM#cWH7~gF>>!8r(I*ID&@IdyK9Vh)mhm9(9QprF*
zTcmmB5ofTGhE^wgc6e}~gaOj0+F~@7<CmPSX0<Y!Me#cnv+U-4VJL1v@(Ps7EIIWJ
z)H<ryoPMV7_fF_3-4v^J=0qF#Qu^0mWwEQRy)Wa-9u4R|YHTItWx24dtgOeZMhRv0
zJriDiT-!Eo276ttd9B|<h_i9VR>M8SRe&>AqUy`aoNh?gL%tOLG=Z`F!b~nE6fm|g
zn~sp%GU*wT?a;|Lx{14y5rz@Zi*Ei`1^Asfnk+f1QoG!rBKWDm!N)n4tjm$w;#(Ms
z*y4S9lR%xR<uyyRaa(Y_HJin1qhr|BNL`w8eL0b$<yp5xJ7X$025<IK^t{|v@lC{8
zy)TWnA65Qp<0kj*a@$NLh27sqo6RHmaU%SgqJ@@|*BQ)_&M;D(fY5gLbg$IR)U0um
z(_uV$-^@m@+*B%>>-qfN9B<|yeOK)-bH747=ZNpA3?IQ6RWFHIE8S<zx$65SB2Rm<
zDlgHeDhEqQzzs7GWZ9p;F_2SI5f>gO`efbu{fcV~?x(fP{fMBSHJgUi@HE~B!hGqp
zOO=HE;j=bw>XQc_Lz$N7+B!oz5O}9z4<B1RWAE^-m$u;0(ba&kwj>>`!sl^^yX__=
zt-G_fDHBHnrXd?sZVgtfT~YRfOVPRZGOfh@@i4+lcQw=8yf9tQ<v|R5x4h6;BK(as
z>pirKyrJ1>K}mXUYH+n6o>({TY+<a~<X4vZzTG`@(O1%_Ev07~m}3SF|GgM(6tIvQ
z0Kn;w7a|BzV4rj8U?2<zS8KqzLP!LYOsqldE)oP;=mE$L!vZlO=m>BG7mQ%>U&6=*
z!|7mnA?}kO1}>zLcYv3_Gsz2WMIr`aIF6U>vChoJK=g3-^C!7rkPyp>!omgjC;Itg
z&OjU|l#Yw(grdE?U5St|9}=SqsbW+yDi|fK%5^@Z(h0@>hyMQ(p@3qii*S4+=qMmN
z08v0@7zG4@>`*WMc%Za&v|oF7I$+-EMoqJWYD_z76t$P8`b?SG)ttMjYum12Jk&V7
zsHmP6>E*Mnu22@bNiF7pFuY}Fi}583GKns-grfA-Wjf!$M<WJAamV0jbf{W&gW=_i
zd*p;EKDbc4O_4aUBYR<uMlDS?7crHKtDwFE$5m&)X$jM0#|>+>b?2e(*eKQE{W(|_
zqzG@m_}u1gR1!=yj)8OGH|*MNL9vesbIH50(wEe#5QVStcy5LF4wl>1k4ux85&=BQ
z2HOs`T4SDJht6*D#{Bb)k$L@P!=cU0W*tNP=9B^XyUy|_5eP@s-Sg0mVfsMlT$VO-
z8v~;Q0kD8v1Cc8sa`JH>QJipc97K+egWo;Aws9QCLw5Rs6ebUE7iSN5Z$Ezu&)-nt
zFXZa&c|0~0=D%fS3g7?mX^-+LlgcTR%4w4dggQxx4bBVawnyH{XAX1Hh2PQ)FJzj~
zV0fH;=5%9^r~A0EAmDBKU?@>M=V)d1wfsQ-HBPDx*3~(vs9PE7?jqurC(74<uNLdl
zLC{U?CYZ1!zTlR%MsEG%2dq;@K17R!S|o9hjkD8#0^4t(4zkBbIHFcva#dIh4fQ}{
z+ReFYx>^6*Ip;M<nzbA9oHA|r#VtKowxA0$xDDrxb=T_|9SN1hE?|MwhTv5YU7m~h
zgKxjD&n8+xZK^=O0#34Auq=-pWEJ&GleFDcW<`F^aGBtcdpSM9V?|+7rM<ASv$j8c
z^`*Qw?-E5`>fXd)H`2nLpdhX1nEE+M3Y~js@@+eX5olR{E5MTxf=!t-%Qh!Tb~aJm
hJ4YDT<kp>Z?{bYj5Ah4y>@bn_^A>sIjjET5{u3>b{aXM4

literal 0
HcmV?d00001

diff --git a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
index e73c5c25723..69881df232f 100644
--- a/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
+++ b/core/src/main/resources/org/elasticsearch/bootstrap/test-framework.policy
@@ -67,6 +67,8 @@ grant codeBase "${codebase.mocksocket-1.2.jar}" {
 grant codeBase "${codebase.elasticsearch-rest-client-6.0.0-beta1-SNAPSHOT.jar}" {
   // rest makes socket connections for rest tests
   permission java.net.SocketPermission "*", "connect";
+  // rest client uses system properties which gets the default proxy
+  permission java.net.NetPermission "getProxySelector";
 };
 
 grant codeBase "${codebase.httpcore-nio-4.4.5.jar}" {
@@ -77,4 +79,6 @@ grant codeBase "${codebase.httpcore-nio-4.4.5.jar}" {
 grant codeBase "${codebase.httpasyncclient-4.1.2.jar}" {
   // httpasyncclient makes socket connections for rest tests
   permission java.net.SocketPermission "*", "connect";
+  // rest client uses system properties which gets the default proxy
+  permission java.net.NetPermission "getProxySelector";
 };
diff --git a/docs/java-rest/low-level/configuration.asciidoc b/docs/java-rest/low-level/configuration.asciidoc
index b0b516305b3..54f7cd28173 100644
--- a/docs/java-rest/low-level/configuration.asciidoc
+++ b/docs/java-rest/low-level/configuration.asciidoc
@@ -79,6 +79,9 @@ https://hc.apache.org/httpcomponents-asyncclient-dev/httpasyncclient/apidocs/org
 include-tagged::{doc-tests}/RestClientDocumentation.java[rest-client-config-encrypted-communication]
 --------------------------------------------------
 
+If no explicit configuration is provided, the http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores[system default configuration]
+will be used.
+
 === Others
 
 For any other required configuration needed, the Apache HttpAsyncClient docs
diff --git a/modules/reindex/src/main/plugin-metadata/plugin-security.policy b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
index f9ce0f894d3..e56769c10b4 100644
--- a/modules/reindex/src/main/plugin-metadata/plugin-security.policy
+++ b/modules/reindex/src/main/plugin-metadata/plugin-security.policy
@@ -21,3 +21,13 @@ grant {
    // reindex opens socket connections using the rest client
    permission java.net.SocketPermission "*", "connect";
 };
+
+grant codeBase "${codebase.elasticsearch-rest-client-6.0.0-beta1-SNAPSHOT.jar}" {
+  // rest client uses system properties which gets the default proxy
+  permission java.net.NetPermission "getProxySelector";
+};
+
+grant codeBase "${codebase.httpasyncclient-4.1.2.jar}" {
+  // rest client uses system properties which gets the default proxy
+  permission java.net.NetPermission "getProxySelector";
+};