CWMS-1875 - Removing use of .pem

Author: rma-bryson

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/CwbiAuthUtil.java

@@ -23,32 +23,54 @@
  */
 package hec.army.usace.hec.cwbi.auth.http.client;
 
-
-import static hec.army.usace.hec.cwbi.auth.http.client.trustmanagers.CwbiAuthTrustManager.TOKEN_URL;
-
 import java.io.IOException;
+import java.io.UncheckedIOException;
 import java.util.Collections;
+import java.util.Map;
 import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLSocketFactory;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2TokenProvider;
 
 public final class CwbiAuthUtil {
 
+    private static final Map<String, OAuth2TokenProvider> TOKEN_PROVIDER_CACHE = new ConcurrentHashMap<>();
+
     private CwbiAuthUtil() {
         throw new AssertionError("Utility class");
     }
 
     /**
      * Builds CumulusTokenProvider for retrieving and refreshing tokens for cumulus authentication.
-     * @param keyManager - KeyManager for client
-     * @return OAuth2TokenProvider - CumulusTokenProvider
+     * Caches the TokenProvider instance per KeyCloak token URL to prevent redundant creation.
+     * Ensures thread safety and propagates IOException.
+     *
+     * @param tokenUrl  - KeyCloak token URL
+     * @param clientId  - Client ID for authentication
+     * @param keyManager - KeyManager for client SSL
+     * @return OAuth2TokenProvider - Cached or newly created TokenProvider
      * @throws IOException - thrown if failed to build CumulusTokenProvider
      */
-    public static OAuth2TokenProvider buildCwbiAuthTokenProvider(String clientId, KeyManager keyManager) throws IOException {
-        SSLSocketFactory sslSocketFactory = CwbiAuthSslSocketFactory.buildSSLSocketFactory(
-            Collections.singletonList(Objects.requireNonNull(keyManager, "Missing required KeyManager")));
-        return new CwbiAuthTokenProvider(TOKEN_URL, clientId, sslSocketFactory);
-    }
+    public static OAuth2TokenProvider buildCwbiAuthTokenProvider(String tokenUrl, String clientId, KeyManager keyManager) throws IOException {
+        Objects.requireNonNull(tokenUrl, "Missing required tokenUrl");
+        Objects.requireNonNull(clientId, "Missing required clientId");
+        Objects.requireNonNull(keyManager, "Missing required KeyManager");
 
+        try {
+            return TOKEN_PROVIDER_CACHE.computeIfAbsent(tokenUrl, url -> {
+                try {
+                    SSLSocketFactory sslSocketFactory = CwbiAuthSslSocketFactory.buildSSLSocketFactory(
+                            Collections.singletonList(keyManager));
+                    return new CwbiAuthTokenProvider(url, clientId, sslSocketFactory);
+                } catch (IOException e) {
+                    throw new UncheckedIOException(e);
+                }
+            });
+        } catch (UncheckedIOException e) {
+            throw e.getCause();
+        }
+    }
 }
+
+

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/trustmanagers/CwbiAuthTrustManager.java

@@ -23,14 +23,10 @@
  */
 package hec.army.usace.hec.cwbi.auth.http.client.trustmanagers;
 
-import java.io.IOException;
-import java.io.InputStream;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.logging.Level;
@@ -45,6 +41,7 @@ public final class CwbiAuthTrustManager implements X509TrustManager {
 
     private static final Logger LOGGER = Logger.getLogger(CwbiAuthTrustManager.class.getName());
     public static final String TOKEN_URL = "https://auth.corps.cloud/auth/realms/water/protocol/openid-connect/token";
+    public static final String TOKEN_TEST_URL = "https://identity-test.cwbi.us/auth/realms/cwbi/protocol/openid-connect/token";
     private final TrustManagerFactory trustManagerFactory;
 
     private static final X509TrustManager INSTANCE = buildTrustManager();
@@ -60,17 +57,12 @@ private CwbiAuthTrustManager(TrustManagerFactory trustManagerFactory) {
      */
     private static X509TrustManager buildTrustManager() {
         X509TrustManager retVal = null;
-        try (InputStream trustedCertificateAsInputStream = CwbiAuthTrustManager.class.getResourceAsStream("cwbiAuthServer.pem")) {
-            KeyStore ts = KeyStore.getInstance("JKS");
-            ts.load(null, null);
-            Certificate trustedCertificate = CertificateFactory.getInstance("X.509").generateCertificate(trustedCertificateAsInputStream);
-            ts.setCertificateEntry("cwbi-auth-server-root-certificate", trustedCertificate);
-            ((X509Certificate) trustedCertificate).checkValidity();
+        try {
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
-            trustManagerFactory.init(ts);
+            trustManagerFactory.init((KeyStore) null);
             retVal = new CwbiAuthTrustManager(trustManagerFactory);
-        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException e) {
-            LOGGER.log(Level.SEVERE, "Unable to authenticate with CWBI Auth server", e);
+        } catch (NoSuchAlgorithmException | KeyStoreException e) {
+            LOGGER.log(Level.SEVERE, "Unable to initialize CWBI Auth Trust Manager", e);
         }
         return retVal;
     }
@@ -125,4 +117,4 @@ public X509Certificate[] getAcceptedIssuers() {
             .toArray(X509Certificate[]::new);
     }
 
-}
+}

cwbi-auth-http-client/src/test/java/hec/army/usace/hec/cwbi/auth/http/client/TestCwbiAuthTrustManager.java

@@ -51,8 +51,8 @@ void testGetTrustManager() {
         List<String> details = Arrays.asList(acceptedIssuers[0].getIssuerDN().toString().split(","));
         details = details.stream().map(String::trim)
                     .collect(toList());
-        assertTrue(details.contains("CN=ISRG Root X1"));
-        assertTrue(details.contains("O=Internet Security Research Group"));
+        assertTrue(details.contains("CN=Entrust Root Certification Authority - EC1"));
+        assertTrue(details.contains("O=\"Entrust"));
         assertTrue(details.contains("C=US"));
     }
 

cwbi-auth-http-client/src/test/java/hec/army/usace/hec/cwbi/auth/http/client/TestCwbiAuthUtil.java

@@ -23,6 +23,7 @@
  */
 package hec.army.usace.hec.cwbi.auth.http.client;
 
+import static hec.army.usace.hec.cwbi.auth.http.client.trustmanagers.CwbiAuthTrustManager.TOKEN_TEST_URL;
 import static hec.army.usace.hec.cwbi.auth.http.client.trustmanagers.CwbiAuthTrustManager.TOKEN_URL;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -35,14 +36,14 @@ class TestCwbiAuthUtil {
 
     @Test
     void testBuildTokenProvider() throws IOException {
-        CwbiAuthTokenProvider tokenProvider = (CwbiAuthTokenProvider) CwbiAuthUtil.buildCwbiAuthTokenProvider("cumulus", getTestKeyManager());
+        CwbiAuthTokenProvider tokenProvider = (CwbiAuthTokenProvider) CwbiAuthUtil.buildCwbiAuthTokenProvider(TOKEN_URL, "cumulus", getTestKeyManager());
         assertEquals(TOKEN_URL, tokenProvider.getUrl());
         assertEquals("cumulus", tokenProvider.getClientId());
     }
 
     @Test
     void testNulls() {
-        assertThrows(NullPointerException.class, () -> CwbiAuthUtil.buildCwbiAuthTokenProvider("cumulus", null));
+        assertThrows(NullPointerException.class, () -> CwbiAuthUtil.buildCwbiAuthTokenProvider(TOKEN_TEST_URL, "cumulus", null));
     }
 
     private KeyManager getTestKeyManager() {