SCANJLIB-236 Map JVM cacerts to the new ssl properties

Author: henryju

lib/src/main/java/org/sonarsource/scanner/lib/ScannerEngineBootstrapper.java

@@ -20,14 +20,14 @@
 package org.sonarsource.scanner.lib;
 
 import java.net.InetSocketAddress;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.time.temporal.ChronoUnit;
 import java.util.HashMap;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
-import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -121,20 +121,38 @@ public ScannerEngineFacade bootstrap() {
       return new SimulationScannerEngineFacade(properties, isSonarCloud, serverVersion);
     } else if (isSonarCloud || VersionUtils.isAtLeastIgnoringQualifier(serverVersion, SQ_VERSION_NEW_BOOTSTRAPPING)) {
       var launcher = scannerEngineLauncherFactory.createLauncher(scannerHttpClient, fileCache, properties);
-      return new NewScannerEngineFacade(properties, launcher, isSonarCloud, serverVersion);
+      var adaptedProperties = adaptDeprecatedPropertiesForForkedBootstrapping(properties, httpConfig);
+      return new NewScannerEngineFacade(adaptedProperties, launcher, isSonarCloud, serverVersion);
     } else {
       var launcher = launcherFactory.createLauncher(scannerHttpClient, fileCache);
-      var adaptedProperties = adaptDeprecatedProperties(properties, httpConfig);
+      var adaptedProperties = adaptDeprecatedPropertiesForInProcessBootstrapping(properties, httpConfig);
       return new InProcessScannerEngineFacade(adaptedProperties, launcher, false, serverVersion);
     }
   }
 
+  /**
+   * New versions of SonarQube/SonarCloud will run on a separate VM. For people who used to rely on configuring SSL
+   * by inserting the trusted certificate in the Scanner JVM truststore,
+   * we need to adapt the properties to read from the truststore of the scanner JVM.
+   */
+  Map<String, String> adaptDeprecatedPropertiesForForkedBootstrapping(Map<String, String> properties, HttpConfig httpConfig) {
+    var adaptedProperties = new HashMap<>(properties);
+    if (system.getProperty("javax.net.ssl.trustStore") == null && httpConfig.getSslConfig().getTrustStore() == null) {
+      var defaultJvmTrustStoreLocation = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
+      if (Files.isRegularFile(defaultJvmTrustStoreLocation)) {
+        LOG.debug("Mapping default scanner JVM truststore location '{}' to new properties", defaultJvmTrustStoreLocation);
+        adaptedProperties.put("sonar.scanner.truststorePath", defaultJvmTrustStoreLocation.toString());
+        adaptedProperties.put("sonar.scanner.truststorePassword", System.getProperty("javax.net.ssl.trustStorePassword", "changeit"));
+      }
+    }
+    return Map.copyOf(adaptedProperties);
+  }
+
   /**
    * Older SonarQube versions used to rely on some different properties, or even {@link System} properties.
    * For backward compatibility, we adapt the new properties to the old format.
    */
-  @Nonnull
-  Map<String, String> adaptDeprecatedProperties(Map<String, String> properties, HttpConfig httpConfig) {
+  Map<String, String> adaptDeprecatedPropertiesForInProcessBootstrapping(Map<String, String> properties, HttpConfig httpConfig) {
     var adaptedProperties = new HashMap<>(properties);
     if (!adaptedProperties.containsKey(HttpConfig.READ_TIMEOUT_SEC_PROPERTY)) {
       adaptedProperties.put(HttpConfig.READ_TIMEOUT_SEC_PROPERTY, "" + httpConfig.getSocketTimeout().get(ChronoUnit.SECONDS));

lib/src/main/java/org/sonarsource/scanner/lib/internal/http/OkHttpClientFactory.java

@@ -113,11 +113,11 @@ private static SSLFactory configureSsl(SslConfig sslConfig) {
       sslFactoryBuilder.withSystemPropertyDerivedIdentityMaterial();
     }
     var keyStoreConfig = sslConfig.getKeyStore();
-    if (keyStoreConfig != null && Files.exists(keyStoreConfig.getPath())) {
+    if (keyStoreConfig != null) {
       sslFactoryBuilder.withIdentityMaterial(keyStoreConfig.getPath(), keyStoreConfig.getKeyStorePassword().toCharArray(), keyStoreConfig.getKeyStoreType());
     }
     var trustStoreConfig = sslConfig.getTrustStore();
-    if (trustStoreConfig != null && Files.exists(trustStoreConfig.getPath())) {
+    if (trustStoreConfig != null) {
       KeyStore trustStore = loadKeyStoreWithBouncyCastle(
         trustStoreConfig.getPath(),
         trustStoreConfig.getKeyStorePassword().toCharArray(),

lib/src/test/java/org/sonarsource/scanner/lib/ScannerEngineBootstrapperTest.java

@@ -269,7 +269,7 @@ void should_set_deprecated_timeout_property() {
 
     when(httpConfig.getSocketTimeout()).thenReturn(Duration.ofSeconds(100));
 
-    var adapted = underTest.adaptDeprecatedProperties(Map.of(), httpConfig);
+    var adapted = underTest.adaptDeprecatedPropertiesForInProcessBootstrapping(Map.of(), httpConfig);
     assertThat(adapted).containsEntry("sonar.ws.timeout", "100");
   }
 
@@ -282,7 +282,7 @@ void should_set_deprecated_proxy_properties() {
 
     when(httpConfig.getProxy()).thenReturn(new Proxy(Proxy.Type.HTTP, new InetSocketAddress("myproxy", 8080)));
 
-    underTest.adaptDeprecatedProperties(Map.of(), httpConfig);
+    underTest.adaptDeprecatedPropertiesForInProcessBootstrapping(Map.of(), httpConfig);
 
     assertThat(System.getProperties()).contains(
       entry("http.proxyHost", "myproxy"),
@@ -302,12 +302,50 @@ void should_set_deprecated_ssl_properties() {
         new CertificateStore(Paths.get("some/keystore.p12"), "keystorePass"),
         new CertificateStore(Paths.get("some/truststore.p12"), "truststorePass")));
 
-    underTest.adaptDeprecatedProperties(Map.of(), httpConfig);
+    underTest.adaptDeprecatedPropertiesForInProcessBootstrapping(Map.of(), httpConfig);
 
     assertThat(System.getProperties()).contains(
       entry("javax.net.ssl.keyStore", "some/keystore.p12"),
       entry("javax.net.ssl.keyStorePassword", "keystorePass"),
       entry("javax.net.ssl.trustStore", "some/truststore.p12"),
       entry("javax.net.ssl.trustStorePassword", "truststorePass"));
   }
+
+  @Test
+  void should_set_ssl_properties_from_cacerts() {
+    var httpConfig = mock(HttpConfig.class);
+    when(httpConfig.getSslConfig()).thenReturn(new SslConfig(null, null));
+
+    var adapted = underTest.adaptDeprecatedPropertiesForForkedBootstrapping(Map.of(), httpConfig);
+
+    assertThat(adapted).contains(
+      entry("sonar.scanner.truststorePath", Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString()),
+      entry("sonar.scanner.truststorePassword", "changeit"));
+  }
+
+  @Test
+  void should_not_set_ssl_properties_from_cacerts_if_already_set_as_scanner_props(@TempDir Path tempDir) throws IOException {
+    var cacerts = tempDir.resolve("truststore.p12");
+    Files.createFile(cacerts);
+    var httpConfig = mock(HttpConfig.class);
+    when(httpConfig.getSslConfig()).thenReturn(new SslConfig(null, new CertificateStore(cacerts, "something")));
+
+    var adapted = underTest.adaptDeprecatedPropertiesForForkedBootstrapping(Map.of(), httpConfig);
+
+    assertThat(adapted).isEmpty();
+  }
+
+  @Test
+  void should_not_set_ssl_properties_from_cacerts_if_already_set_as_JVM_props(@TempDir Path tempDir) throws IOException {
+    var cacerts = tempDir.resolve("truststore.p12");
+    Files.createFile(cacerts);
+    var httpConfig = mock(HttpConfig.class);
+    when(httpConfig.getSslConfig()).thenReturn(new SslConfig(null, null));
+
+    when(system.getProperty("javax.net.ssl.trustStore")).thenReturn(cacerts.toString());
+
+    var adapted = underTest.adaptDeprecatedPropertiesForForkedBootstrapping(Map.of(), httpConfig);
+
+    assertThat(adapted).isEmpty();
+  }
 }