Merge pull request #282 from SolaceProducts/DATAGO-116001-custom-cert-ema-work

DATAGO-116001: event-management-agent: Configure JCSMP to use default JDK truststore for Event Portal connections

Author: rudraneel-chakraborty

service/application/src/main/java/com/solace/maas/ep/event/management/agent/command/CommandManager.java

@@ -9,6 +9,7 @@
 import com.solace.maas.ep.event.management.agent.plugin.command.model.CommandRequest;
 import com.solace.maas.ep.event.management.agent.plugin.command.model.CommandResult;
 import com.solace.maas.ep.event.management.agent.plugin.command.model.JobStatus;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
 import com.solace.maas.ep.event.management.agent.plugin.service.MessagingServiceDelegateService;
 import com.solace.maas.ep.event.management.agent.plugin.solace.processor.semp.SempClient;
 import com.solace.maas.ep.event.management.agent.plugin.solace.processor.semp.SolaceHttpSemp;
@@ -53,6 +54,7 @@
 @Slf4j
 @Service
 @ConditionalOnProperty(name = "event-portal.gateway.messaging.standalone", havingValue = "false")
+@SuppressWarnings({"PMD.GodClass"})
 public class CommandManager {
     public static final String ERROR_EXECUTING_COMMAND = "Error executing command";
     private final TerraformManager terraformManager;
@@ -66,6 +68,7 @@ public class CommandManager {
     private final SempPatchCommandManager sempPatchCommandManager;
     private final SempGetCommandManager sempGetCommandManager;
     private final TerraformLogProcessingService terraformLoggingService;
+    private final EnvironmentUtil environmentUtil;
 
     public CommandManager(TerraformManager terraformManager,
                           CommandMapper commandMapper,
@@ -77,7 +80,8 @@ public CommandManager(TerraformManager terraformManager,
                           final SempDeleteCommandManager sempDeleteCommandManager,
                           TerraformLogProcessingService terraformLoggingService,
                           SempPatchCommandManager sempPatchCommandManager,
-                          SempGetCommandManager sempGetCommandManager) {
+                          SempGetCommandManager sempGetCommandManager,
+                          EnvironmentUtil environmentUtil) {
         this.terraformManager = terraformManager;
         this.commandMapper = commandMapper;
         this.commandPublisher = commandPublisher;
@@ -90,6 +94,7 @@ public CommandManager(TerraformManager terraformManager,
         this.terraformLoggingService = terraformLoggingService;
         this.sempPatchCommandManager = sempPatchCommandManager;
         this.sempGetCommandManager = sempGetCommandManager;
+        this.environmentUtil = environmentUtil;
     }
 
     public void execute(CommandMessage request) {
@@ -116,6 +121,10 @@ public void handleError(Exception e, CommandMessage message) {
 
     @SuppressWarnings("PMD")
     private void configPush(CommandRequest request) {
+
+        if (environmentUtil.isCustomCACertPresent()) {
+            log.info("Custom CA certificates present. Using combined truststore with default and custom CA certificates for configPush operation.");
+        }
         List<Path> executionLogFilesToClean = new ArrayList<>();
         boolean attachErrorToTerraformCommand = false;
         try {
@@ -136,6 +145,7 @@ private void configPush(CommandRequest request) {
                 log.info("Skipping TLS verification for config push to serviceId {}.", request.getServiceId());
             }
 
+
             for (CommandBundle bundle : request.getCommandBundles()) {
                 boolean exitEarlyOnFailedCommand = bundle.getExitOnFailure();
 

service/application/src/main/java/com/solace/maas/ep/event/management/agent/scanManager/ScanManager.java

@@ -4,6 +4,7 @@
 import com.solace.maas.ep.common.messages.ScanStatusMessage;
 import com.solace.maas.ep.common.model.ScanType;
 import com.solace.maas.ep.event.management.agent.config.eventPortal.EventPortalProperties;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
 import com.solace.maas.ep.event.management.agent.plugin.constants.RouteConstants;
 import com.solace.maas.ep.event.management.agent.plugin.constants.ScanStatus;
 import com.solace.maas.ep.event.management.agent.plugin.manager.loader.PluginLoader;
@@ -46,19 +47,25 @@ public class ScanManager {
     // This is an optional dependency since it is not available in standalone mode.
     // If the bean is not present, the publisher will not be used.
     private final Optional<ScanStatusPublisher> scanStatusPublisherOpt;
+    private final EnvironmentUtil environmentUtil;
 
     @Autowired
     public ScanManager(MessagingServiceDelegateServiceImpl messagingServiceDelegateService,
                        ScanService scanService,
                        EventPortalProperties eventPortalProperties,
-                       Optional<ScanStatusPublisher> scanStatusPublisher) {
+                       Optional<ScanStatusPublisher> scanStatusPublisher,
+                       EnvironmentUtil environmentUtil) {
         this.messagingServiceDelegateService = messagingServiceDelegateService;
         this.scanService = scanService;
         this.scanStatusPublisherOpt = scanStatusPublisher;
         runtimeAgentId = eventPortalProperties.getRuntimeAgentId();
+        this.environmentUtil = environmentUtil;
     }
 
     public String scan(ScanRequestBO scanRequestBO) {
+        if (environmentUtil.isCustomCACertPresent()) {
+            log.info("Custom CA certificates present. Using combined truststore with default and custom CA certificates for scan operation.");
+        }
         Validate.notBlank(scanRequestBO.getOrgId(), " Organization ID cannot be null or empty");
         String messagingServiceId = scanRequestBO.getMessagingServiceId();
         String scanId = scanRequestBO.getScanId();

service/application/src/test/java/com/solace/maas/ep/event/management/agent/TestConfig.java

@@ -19,6 +19,7 @@
 import com.solace.maas.ep.event.management.agent.plugin.service.MessagingServiceDelegateService;
 import com.solace.maas.ep.event.management.agent.plugin.terraform.manager.TerraformLogProcessingService;
 import com.solace.maas.ep.event.management.agent.plugin.terraform.manager.TerraformManager;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
 import com.solace.maas.ep.event.management.agent.plugin.vmr.VmrProcessor;
 import com.solace.maas.ep.event.management.agent.processor.CommandLogStreamingProcessor;
 import com.solace.maas.ep.event.management.agent.publisher.CommandLogsPublisher;
@@ -70,8 +71,15 @@ public SolaceConfiguration solaceConfiguration() {
 
     @Bean
     @Primary
-    public VMRProperties vmrProperties(EventPortalPluginProperties eventPortalPluginProperties) {
-        return new VMRProperties(eventPortalPluginProperties);
+    public EnvironmentUtil environmentUtil() {
+        return mock(EnvironmentUtil.class);
+    }
+
+    @Bean
+    @Primary
+    public VMRProperties vmrProperties(EventPortalPluginProperties eventPortalPluginProperties,
+                                       EnvironmentUtil environmentUtil) {
+        return new VMRProperties(eventPortalPluginProperties,  environmentUtil);
     }
 
     @Bean
@@ -177,7 +185,8 @@ public CommandManager getCommandManager(TerraformManager terraformManager,
                                             SempDeleteCommandManager sempDeleteCommandManager,
                                             TerraformLogProcessingService terraformLogProcessingService,
                                             SempPatchCommandManager sempPatchCommandManager,
-                                            SempGetCommandManager sempGetCommandManager) {
+                                            SempGetCommandManager sempGetCommandManager,
+                                            EnvironmentUtil environmentUtil) {
         return new CommandManager(
                 terraformManager,
                 commandMapper,
@@ -189,7 +198,8 @@ public CommandManager getCommandManager(TerraformManager terraformManager,
                 sempDeleteCommandManager,
                 terraformLogProcessingService,
                 sempPatchCommandManager,
-                sempGetCommandManager
+                sempGetCommandManager,
+                environmentUtil
         );
     }
 

…t/agent/webProxy/VMRPropertiesTests.java …nt/plugin/config/VMRPropertiesTests.javaservice/application/src/test/java/com/solace/maas/ep/event/management/agent/webProxy/VMRPropertiesTests.java renamed to service/application/src/test/java/com/solace/maas/ep/event/management/agent/plugin/config/VMRPropertiesTests.java service/application/src/test/java/com/solace/maas/ep/event/management/agent/webProxy/VMRPropertiesTests.java renamed to service/application/src/test/java/com/solace/maas/ep/event/management/agent/plugin/config/VMRPropertiesTests.java

@@ -1,11 +1,12 @@
-package com.solace.maas.ep.event.management.agent.webProxy;
+package com.solace.maas.ep.event.management.agent.plugin.config;
 
-import com.solace.maas.ep.event.management.agent.plugin.config.VMRProperties;
 import com.solace.maas.ep.event.management.agent.plugin.config.eventPortal.EventPortalPluginProperties;
-import com.solace.maas.ep.event.management.agent.plugin.config.eventPortal.GatewayProperties;
 import com.solace.maas.ep.event.management.agent.plugin.config.eventPortal.GatewayMessagingProperties;
+import com.solace.maas.ep.event.management.agent.plugin.config.eventPortal.GatewayProperties;
 import com.solace.maas.ep.event.management.agent.plugin.messagingService.MessagingServiceConnectionProperties;
 import com.solace.maas.ep.event.management.agent.plugin.messagingService.MessagingServiceUsersProperties;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
+import com.solace.messaging.config.SolaceProperties;
 import lombok.SneakyThrows;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -37,6 +38,9 @@ class VMRPropertiesTests {
     @Mock
     private GatewayMessagingProperties gatewayMessagingProperties;
 
+    @Mock
+    private EnvironmentUtil environmentUtil;
+
     // Class under test
     private VMRProperties vmrProperties;
 
@@ -47,7 +51,8 @@ void setUp() {
         // MockitoExtension handles mock initialization
         when(eventPortalPluginProperties.getGateway()).thenReturn(gatewayProperties);
         when(gatewayProperties.getMessaging()).thenReturn(gatewayMessagingProperties);
-        vmrProperties = new VMRProperties(eventPortalPluginProperties);
+
+        vmrProperties = new VMRProperties(eventPortalPluginProperties, environmentUtil);
 
         // Backup system properties
         systemPropertiesBackup = new Properties();
@@ -256,4 +261,38 @@ void testNoGatewayConnectionProperties() {
                 .hasCauseExactlyInstanceOf(NoSuchElementException.class)
                 .hasRootCauseMessage("Event Portal gateway connection properties not found.");
     }
+
+    @Test
+    @SneakyThrows
+    void testConfigureDefaultTrustStoreWhenCustomCaCertsPresent() {
+        // Mock environmentUtil to return true (custom CA certs are configured)
+        when(environmentUtil.isCustomCACertPresent()).thenReturn(true);
+
+        MessagingServiceConnectionProperties connectionProps = createConnectionProperties(false, null, null, null, null, null);
+        when(gatewayMessagingProperties.getConnections()).thenReturn(Collections.singletonList(connectionProps));
+
+        Properties properties = vmrProperties.getVmrProperties();
+
+        // Verify that truststore path is set when custom CA certs are present
+        assertThat(properties.getProperty(SolaceProperties.TransportLayerSecurityProperties.TRUST_STORE_PATH))
+                .isNotNull()
+                .endsWith("cacerts");
+    }
+
+    @Test
+    @SneakyThrows
+    void testConfigureDefaultTrustStoreWhenCustomCaCertsNotPresent() {
+        // Mock environmentUtil to return false (custom CA certs NOT configured)
+        when(environmentUtil.isCustomCACertPresent()).thenReturn(false);
+
+        MessagingServiceConnectionProperties connectionProps = createConnectionProperties(false, null, null, null, null, null);
+        when(gatewayMessagingProperties.getConnections()).thenReturn(Collections.singletonList(connectionProps));
+
+        Properties properties = vmrProperties.getVmrProperties();
+
+        // Verify that truststore path is NOT set when custom CA certs are not present
+        assertThat(properties.getProperty(SolaceProperties.TransportLayerSecurityProperties.TRUST_STORE_PATH))
+                .isNull();
+    }
+
 }

service/application/src/test/java/com/solace/maas/ep/event/management/agent/scanManager/ScanManagerHandleErrorTest.java

@@ -5,6 +5,7 @@
 import com.solace.maas.ep.common.model.ScanType;
 import com.solace.maas.ep.event.management.agent.TestConfig;
 import com.solace.maas.ep.event.management.agent.config.eventPortal.EventPortalProperties;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
 import com.solace.maas.ep.event.management.agent.publisher.ScanStatusPublisher;
 import com.solace.maas.ep.event.management.agent.service.MessagingServiceDelegateServiceImpl;
 import com.solace.maas.ep.event.management.agent.service.ScanService;
@@ -38,6 +39,9 @@ class ScanManagerHandleErrorTest {
     @Mock
     private ScanStatusPublisher scanStatusPublisher;
 
+    @Mock
+    private EnvironmentUtil environmentUtil;
+
     @Test
     void testScanManagerConnectedHandleError(){
         when(eventPortalProperties.getOrganizationId()).thenReturn("orgId");
@@ -49,7 +53,8 @@ void testScanManagerConnectedHandleError(){
                 messagingServiceDelegateService,
                 scanService,
                 eventPortalProperties,
-                Optional.of(scanStatusPublisher)
+                Optional.of(scanStatusPublisher),
+                environmentUtil
         );
         scanManagerUnderTest.handleError(mockEx,createScanCommandMessage());
         verify(scanStatusPublisher, times(1)).sendOverallScanStatus(any(),any());
@@ -66,7 +71,8 @@ void testScanManagerStandaloneHandleError(){
                 messagingServiceDelegateService,
                 scanService,
                 eventPortalProperties,
-                Optional.empty()
+                Optional.empty(),
+                environmentUtil
         );
         // should just do "nothing" and not throw an exception when scanStatusPublisher is not present
         assertDoesNotThrow(() ->

service/application/src/test/java/com/solace/maas/ep/event/management/agent/scanManager/ScanManagerTest.java

@@ -2,6 +2,7 @@
 
 import com.solace.maas.ep.event.management.agent.TestConfig;
 import com.solace.maas.ep.event.management.agent.config.eventPortal.EventPortalProperties;
+import com.solace.maas.ep.event.management.agent.plugin.common.util.EnvironmentUtil;
 import com.solace.maas.ep.event.management.agent.plugin.confluentSchemaRegistry.route.delegate.ConfluentSchemaRegistryRouteDelegateImpl;
 import com.solace.maas.ep.event.management.agent.plugin.kafka.route.delegate.KafkaRouteDelegateImpl;
 import com.solace.maas.ep.event.management.agent.plugin.localstorage.route.delegate.DataCollectionFileWriterDelegateImpl;
@@ -15,41 +16,45 @@
 import lombok.SneakyThrows;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.test.context.bean.override.mockito.MockitoSpyBean;
 
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 
 import static org.assertj.core.api.Assertions.assertThatNoException;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
 @ActiveProfiles("TEST")
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, classes = TestConfig.class)
 class ScanManagerTest {
 
-    @Mock
+    @MockitoBean
     MessagingServiceDelegateServiceImpl messagingServiceDelegateService;
 
-    @Mock
+    @MockitoBean
     private EventPortalProperties eventPortalProperties;
 
-    @InjectMocks
+    @MockitoSpyBean
     ScanManager scanManager;
 
     @Autowired
     ConfluentSchemaRegistryRouteDelegateImpl confluentSchemaRegistryRouteDelegate;
 
-    @Mock
+    @MockitoBean
     private ScanService scanService;
 
+    @Autowired
+    private EnvironmentUtil environmentUtil;
+
 
     @Test
     @SneakyThrows
@@ -177,7 +182,7 @@ void testScanManager() {
             when(kafkaRouteDelegate.generateRouteList(destinations, List.of(), "KAFKA_ALL", messagingServiceId))
                     .thenReturn(routes);
 
-            when(scanService.singleScan(
+            when(scanService.singleScan(eq(
                     SingleScanSpecification
                             .builder()
                             .orgId("orgId")
@@ -189,7 +194,7 @@ void testScanManager() {
                             .runtimeAgentId("runtimeAgent1")
                             .routeBundles(List.of())
                             .build()
-            )).thenReturn(Mockito.anyString());
+            ))).thenReturn(Mockito.anyString());
             scanManager.scan(scanRequestBO);
 
             assertThatNoException();

service/plugin/src/main/java/com/solace/maas/ep/event/management/agent/plugin/common/util/EnvironmentUtil.java

@@ -0,0 +1,18 @@
+package com.solace.maas.ep.event.management.agent.plugin.common.util;
+
+import org.springframework.stereotype.Component;
+
+@Component
+public class EnvironmentUtil {
+
+    /**
+     * Checks if custom CA certificates are present via the CUSTOM_CA_CERTS_PRESENT environment variable.
+     * Currently, Only Private CEMAs are capable of importing and using custom ca certs for operating ep runtime operations
+     * on brokers that may be setup with certs signed by custom ca
+     * @return true if CUSTOM_CA_CERTS_PRESENT is set to "1", false otherwise
+     */
+    public boolean isCustomCACertPresent() {
+        String customCaCertsPresent = System.getenv("CUSTOM_CA_CERTS_PRESENT");
+        return "1".equals(customCaCertsPresent);
+    }
+}