Added support for property based ssl configuration for JmxScraper (#1361)

* Added support for property based ssl configuration for JmxScraper

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Removed ssl properties from exporter.sh

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Made tests passing

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Reverted name

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Removed unused import

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Added documentation

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Retain existing ssl configuration

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* Reduce code duplication

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

* rename variable

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

---------

Signed-off-by: Hakky54 <hakangoudberg@hotmail.com>

Author: Hakky54

collector/pom.xml

@@ -59,6 +59,11 @@
             <artifactId>snakeyaml</artifactId>
             <version>2.5</version>
         </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>ayza</artifactId>
+            <version>10.0.2</version>
+        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>

collector/src/main/java/io/prometheus/jmx/JmxCollector.java

@@ -34,16 +34,22 @@
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.TreeMap;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import javax.management.MalformedObjectNameException;
 import javax.management.ObjectName;
 import org.yaml.snakeyaml.Yaml;
@@ -85,6 +91,34 @@ static class Rule {
         ArrayList<String> labelValues;
     }
 
+    static class SslProperties {
+        boolean enabled = false;
+        KeyStoreProperties keyStoreProperties;
+        KeyStoreProperties trustStoreProperties;
+        List<String> protocols = Collections.emptyList();
+        List<String> ciphers = Collections.emptyList();
+
+        public SslProperties() {}
+
+        public SslProperties(boolean enabled) {
+            this.enabled = enabled;
+        }
+
+        public Optional<KeyStoreProperties> getKeyStoreProperties() {
+            return Optional.ofNullable(keyStoreProperties);
+        }
+
+        public Optional<KeyStoreProperties> getTrustStoreProperties() {
+            return Optional.ofNullable(trustStoreProperties);
+        }
+    }
+
+    static class KeyStoreProperties {
+        Path path;
+        String type;
+        String password;
+    }
+
     /** Class to implement MetricCustomizer */
     public static class MetricCustomizer {
         MBeanFilter mbeanFilter;
@@ -114,7 +148,7 @@ private static class Config {
         String jmxUrl = "";
         String username = "";
         String password = "";
-        boolean ssl = false;
+        SslProperties sslProperties = new SslProperties();
         boolean lowercaseOutputName;
         boolean lowercaseOutputLabelNames;
         boolean inferCounterTypeFromName;
@@ -317,8 +351,41 @@ private Config loadConfig(Map<String, Object> yamlConfig) throws MalformedObject
             cfg.password = VariableResolver.resolveVariable(password);
         }
 
-        if (yamlConfig.containsKey("ssl")) {
-            cfg.ssl = (Boolean) yamlConfig.get("ssl");
+        if (yamlConfig.containsKey("ssl") && yamlConfig.get("ssl") instanceof Boolean) {
+            cfg.sslProperties.enabled = (Boolean) yamlConfig.get("ssl");
+        }
+
+        if (yamlConfig.containsKey("ssl") && yamlConfig.get("ssl") instanceof Map) {
+            Map<String, Object> configSsl = (Map<String, Object>) yamlConfig.get("ssl");
+            if (configSsl.containsKey("enabled")) {
+                cfg.sslProperties.enabled = (Boolean) configSsl.get("enabled");
+            }
+
+            if (configSsl.containsKey("keyStore")) {
+                Map<String, Object> configKeyStore =
+                        (Map<String, Object>) configSsl.get("keyStore");
+                cfg.sslProperties.keyStoreProperties = getKeyStoreProperties(configKeyStore);
+            }
+
+            if (configSsl.containsKey("trustStore")) {
+                Map<String, Object> configKeyStore =
+                        (Map<String, Object>) configSsl.get("trustStore");
+                cfg.sslProperties.trustStoreProperties = getKeyStoreProperties(configKeyStore);
+            }
+
+            if (configSsl.containsKey("protocols")) {
+                cfg.sslProperties.protocols =
+                        Stream.of(((String) configSsl.get("protocols")).split(","))
+                                .map(String::trim)
+                                .collect(Collectors.toList());
+            }
+
+            if (configSsl.containsKey("ciphers")) {
+                cfg.sslProperties.ciphers =
+                        Stream.of(((String) configSsl.get("ciphers")).split(","))
+                                .map(String::trim)
+                                .collect(Collectors.toList());
+            }
         }
 
         if (yamlConfig.containsKey("lowercaseOutputName")) {
@@ -527,6 +594,20 @@ private Config loadConfig(Map<String, Object> yamlConfig) throws MalformedObject
         return cfg;
     }
 
+    private KeyStoreProperties getKeyStoreProperties(Map<String, Object> configKeyStore) {
+        KeyStoreProperties keyStoreProperties = new KeyStoreProperties();
+        if (configKeyStore.containsKey("filename")) {
+            keyStoreProperties.path = Paths.get((String) configKeyStore.get("filename"));
+        }
+        if (configKeyStore.containsKey("type")) {
+            keyStoreProperties.type = (String) configKeyStore.get("type");
+        }
+        if (configKeyStore.containsKey("password")) {
+            keyStoreProperties.password = (String) configKeyStore.get("password");
+        }
+        return keyStoreProperties;
+    }
+
     /**
      * Convert name to snake case and lower case.
      *
@@ -929,7 +1010,7 @@ public MetricSnapshots collect() {
                         config.jmxUrl,
                         config.username,
                         config.password,
-                        config.ssl,
+                        config.sslProperties,
                         config.includeObjectNames,
                         config.excludeObjectNames,
                         config.objectNameAttributeFilter,

collector/src/main/java/io/prometheus/jmx/JmxScraper.java

@@ -16,6 +16,7 @@
 
 package io.prometheus.jmx;
 
+import io.prometheus.jmx.JmxCollector.SslProperties;
 import io.prometheus.jmx.logger.Logger;
 import io.prometheus.jmx.logger.LoggerFactory;
 import java.io.IOException;
@@ -30,6 +31,7 @@
 import java.util.Optional;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.concurrent.Callable;
 import java.util.stream.Collectors;
 import javax.management.Attribute;
 import javax.management.AttributeList;
@@ -49,6 +51,8 @@
 import javax.management.remote.rmi.RMIConnectorServer;
 import javax.naming.Context;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.util.ProviderUtils;
 
 /** Class to implement JmxScraper */
 class JmxScraper {
@@ -84,7 +88,7 @@ void recordBean(
     private final String jmxUrl;
     private final String username;
     private final String password;
-    private final boolean ssl;
+    private final SslProperties sslProperties;
     private final List<ObjectName> includeObjectNames, excludeObjectNames;
     private final List<JmxCollector.MetricCustomizer> metricCustomizers;
     private final ObjectNameAttributeFilter objectNameAttributeFilter;
@@ -96,7 +100,7 @@ void recordBean(
      * @param jmxUrl jmxUrl
      * @param username username
      * @param password password
-     * @param ssl ssl
+     * @param sslProperties sslProperties
      * @param includeObjectNames includeObjectNames
      * @param excludeObjectNames excludeObjectNames
      * @param objectNameAttributeFilter objectNameAttributeFilter
@@ -107,7 +111,7 @@ public JmxScraper(
             String jmxUrl,
             String username,
             String password,
-            boolean ssl,
+            SslProperties sslProperties,
             List<ObjectName> includeObjectNames,
             List<ObjectName> excludeObjectNames,
             ObjectNameAttributeFilter objectNameAttributeFilter,
@@ -118,7 +122,7 @@ public JmxScraper(
         this.receiver = receiver;
         this.username = username;
         this.password = password;
-        this.ssl = ssl;
+        this.sslProperties = sslProperties;
         this.includeObjectNames = includeObjectNames;
         this.excludeObjectNames = excludeObjectNames;
         this.metricCustomizers = metricCustomizers;
@@ -145,20 +149,23 @@ public void doScrape() throws Exception {
                 String[] credent = new String[] {username, password};
                 environment.put(javax.management.remote.JMXConnector.CREDENTIALS, credent);
             }
-            if (ssl) {
+            if (sslProperties.enabled) {
                 environment.put(Context.SECURITY_PROTOCOL, "ssl");
+
+                SSLFactory sslFactory = createSslFactory();
+                ProviderUtils.configure(sslFactory);
+
                 SslRMIClientSocketFactory clientSocketFactory = new SslRMIClientSocketFactory();
                 environment.put(
-                        RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,
-                        clientSocketFactory);
-
+                        RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, clientSocketFactory);
                 if (!"true".equalsIgnoreCase(System.getenv("RMI_REGISTRY_SSL_DISABLED"))) {
                     environment.put("com.sun.jndi.rmi.factory.socket", clientSocketFactory);
                 }
             }
 
             jmxc = JMXConnectorFactory.connect(new JMXServiceURL(jmxUrl), environment);
             beanConn = jmxc.getMBeanServerConnection();
+            ProviderUtils.remove();
         }
         try {
             // Query MBean names, see #89 for reasons queryMBeans() is used instead of queryNames()
@@ -192,6 +199,61 @@ public void doScrape() throws Exception {
         }
     }
 
+    /**
+     * Attempts to resolve the ssl configuration defined in the yaml file
+     * Next to that it also attempts to read the following system properties:
+     * <p>
+     * <pre>
+     *  - javax.net.ssl.keyStore
+     *  - javax.net.ssl.keyStorePassword
+     *  - javax.net.ssl.keyStoreType
+     *  - javax.net.ssl.keyStoreProvider
+     *  - javax.net.ssl.trustStore
+     *  - javax.net.ssl.trustStorePassword
+     *  - javax.net.ssl.trustStoreType
+     *  - javax.net.ssl.trustStoreProvider
+     *  - https.protocols
+     *  - https.cipherSuites
+     * </pre>
+     */
+    private SSLFactory createSslFactory() {
+        SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder().withDefaultTrustMaterial();
+        sslProperties
+                .getKeyStoreProperties()
+                .ifPresent(
+                        props ->
+                                sslFactoryBuilder.withIdentityMaterial(
+                                        props.path, props.password.toCharArray(), props.type));
+        sslProperties
+                .getTrustStoreProperties()
+                .ifPresent(
+                        props ->
+                                sslFactoryBuilder.withTrustMaterial(
+                                        props.path, props.password.toCharArray(), props.type));
+
+        if (!sslProperties.protocols.isEmpty()) {
+            sslFactoryBuilder.withProtocols(sslProperties.protocols.toArray(new String[0]));
+        }
+        if (!sslProperties.ciphers.isEmpty()) {
+            sslFactoryBuilder.withCiphers(sslProperties.ciphers.toArray(new String[0]));
+        }
+
+        callSafely(sslFactoryBuilder::withSystemPropertyDerivedIdentityMaterial,
+                sslFactoryBuilder::withSystemPropertyDerivedTrustMaterial,
+                sslFactoryBuilder::withSystemPropertyDerivedProtocols,
+                sslFactoryBuilder::withSystemPropertyDerivedCiphers);
+
+        return sslFactoryBuilder.build();
+    }
+
+    private void callSafely(Callable<?>... callables) {
+        for (Callable<?> callable : callables) {
+            try {
+                callable.call();
+            } catch (Exception ignored) {}
+        }
+    }
+
     private void scrapeBean(MBeanServerConnection beanConn, ObjectName mBeanName) {
         MBeanInfo mBeanInfo;
 
@@ -574,7 +636,9 @@ public static void main(String[] args) throws Exception {
                             args[0],
                             args[1],
                             args[2],
-                            (args.length > 3 && "ssl".equalsIgnoreCase(args[3])),
+                            (args.length > 3 && "ssl".equalsIgnoreCase(args[3]))
+                                    ? new SslProperties(true)
+                                    : new SslProperties(false),
                             objectNames,
                             new LinkedList<>(),
                             objectNameAttributeFilter,
@@ -587,7 +651,7 @@ public static void main(String[] args) throws Exception {
                             args[0],
                             "",
                             "",
-                            false,
+                            new SslProperties(false),
                             objectNames,
                             new LinkedList<>(),
                             objectNameAttributeFilter,
@@ -600,7 +664,7 @@ public static void main(String[] args) throws Exception {
                             "",
                             "",
                             "",
-                            false,
+                            new SslProperties(false),
                             objectNames,
                             new LinkedList<>(),
                             objectNameAttributeFilter,

integration_test_suite/integration_tests/src/main/java/io/prometheus/jmx/test/support/http/HttpClient.java

@@ -233,11 +233,13 @@ private static byte[] readBytes(InputStream inputStream) throws IOException {
 
     private static CloseableHttpClient getHttpClient(
             int connectTimeout, int readTimeout, SSLContext sslContext) {
-        if (connectTimeout != CONNECT_TIMEOUT || readTimeout != READ_TIMEOUT || sslContext != null) {
+        if (connectTimeout != CONNECT_TIMEOUT
+                || readTimeout != READ_TIMEOUT
+                || sslContext != null) {
             return createHttpClient(
-                            connectTimeout,
-                            readTimeout,
-                            sslContext != null ? sslContext : UNSAFE_SSLCONTEXT);
+                    connectTimeout,
+                    readTimeout,
+                    sslContext != null ? sslContext : UNSAFE_SSLCONTEXT);
         }
         return defaultHttpClient;
     }