Re-use SSL connections by specifying a user principal as part of all remoting connections.

ketan · ketan · commit 670df798e92e · 2016-08-17T14:57:32.000+05:30
diff --git a/agent/resources/applicationContext.xml b/agent/resources/applicationContext.xml
@@ -46,6 +46,7 @@
         <property name="httpInvokerRequestExecutor">
             <bean class="com.thoughtworks.go.agent.GoHttpClientHttpInvokerRequestExecutor">
                 <constructor-arg ref="httpClient"/>
+                <constructor-arg ref="systemEnvironment"/>
             </bean>
         </property>
     </bean>
diff --git a/agent/src/com/thoughtworks/go/agent/GoHttpClientHttpInvokerRequestExecutor.java b/agent/src/com/thoughtworks/go/agent/GoHttpClientHttpInvokerRequestExecutor.java
@@ -17,13 +17,16 @@
 package com.thoughtworks.go.agent;
 
 import com.thoughtworks.go.agent.common.ssl.GoAgentServerHttpClient;
+import com.thoughtworks.go.util.SystemEnvironment;
 import org.apache.http.Header;
 import org.apache.http.HttpResponse;
 import org.apache.http.NoHttpResponseException;
 import org.apache.http.StatusLine;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.entity.ByteArrayEntity;
+import org.apache.http.protocol.BasicHttpContext;
 import org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor;
 import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
 import org.springframework.remoting.support.RemoteInvocationResult;
@@ -35,9 +38,11 @@
 
 public class GoHttpClientHttpInvokerRequestExecutor extends AbstractHttpInvokerRequestExecutor {
     private final GoAgentServerHttpClient goAgentServerHttpClient;
+    private final SystemEnvironment environment;
 
-    public GoHttpClientHttpInvokerRequestExecutor(GoAgentServerHttpClient goAgentServerHttpClient) {
+    public GoHttpClientHttpInvokerRequestExecutor(GoAgentServerHttpClient goAgentServerHttpClient, SystemEnvironment environment) {
         this.goAgentServerHttpClient = goAgentServerHttpClient;
+        this.environment = environment;
     }
 
     @Override
@@ -48,7 +53,14 @@ protected RemoteInvocationResult doExecuteRequest(HttpInvokerClientConfiguration
         entity.setContentType(getContentType());
         postMethod.setEntity(entity);
 
-        try (CloseableHttpResponse response = goAgentServerHttpClient.execute(postMethod)) {
+        BasicHttpContext context = null;
+
+        if (environment.useSslContext()) {
+            context = new BasicHttpContext();
+            context.setAttribute(HttpClientContext.USER_TOKEN, goAgentServerHttpClient.principal());
+        }
+
+        try (CloseableHttpResponse response = goAgentServerHttpClient.execute(postMethod, context)) {
             validateResponse(response);
             InputStream responseBody = getResponseBody(response);
             return readRemoteInvocationResult(responseBody, config.getCodebaseUrl());
diff --git a/base/src/com/thoughtworks/go/agent/common/ssl/GoAgentServerHttpClient.java b/base/src/com/thoughtworks/go/agent/common/ssl/GoAgentServerHttpClient.java
@@ -24,6 +24,7 @@
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.protocol.HttpContext;
 
+import javax.security.auth.x500.X500Principal;
 import java.io.Closeable;
 import java.io.IOException;
 
@@ -32,14 +33,17 @@ public class GoAgentServerHttpClient implements Closeable {
 
     private final SystemEnvironment systemEnvironment;
     private CloseableHttpClient client;
+    private X500Principal principal;
 
     public GoAgentServerHttpClient(SystemEnvironment systemEnvironment) {
         this.systemEnvironment = systemEnvironment;
     }
 
     // called by spring
     public void init() throws Exception {
-        this.client = new GoAgentServerHttpClientBuilder(systemEnvironment).httpClient();
+        GoAgentServerHttpClientBuilder builder = new GoAgentServerHttpClientBuilder(systemEnvironment);
+        this.client = builder.httpClient();
+        this.principal = builder.principal();
     }
 
 
@@ -71,4 +75,8 @@ public synchronized void close() {
     public void reset() throws IOException {
         close();
     }
+
+    public X500Principal principal() {
+        return this.principal;
+    }
 }
diff --git a/base/src/com/thoughtworks/go/agent/common/ssl/GoAgentServerHttpClientBuilder.java b/base/src/com/thoughtworks/go/agent/common/ssl/GoAgentServerHttpClientBuilder.java
@@ -28,6 +28,7 @@
 import org.apache.http.ssl.SSLContextBuilder;
 
 import javax.net.ssl.HostnameVerifier;
+import javax.security.auth.x500.X500Principal;
 import java.io.*;
 import java.security.*;
 import java.security.cert.CertificateException;
@@ -134,4 +135,15 @@ private InputStream keyStoreInputStream() throws FileNotFoundException {
         return !keyStoreFile.exists() ? null : new FileInputStream(keyStoreFile);
     }
 
+    public X500Principal principal() {
+        try {
+            KeyStore keyStore = agentKeystore();
+            if (keyStore.containsAlias("agent")) {
+                return ((X509Certificate) keyStore.getCertificate("agent")).getSubjectX500Principal();
+            }
+        } catch (Exception e) {
+            // ignore
+        }
+        return null;
+    }
 }
diff --git a/base/src/com/thoughtworks/go/util/SystemEnvironment.java b/base/src/com/thoughtworks/go/util/SystemEnvironment.java
@@ -193,7 +193,7 @@ public class SystemEnvironment implements Serializable, ConfigDirProvider {
     public static GoSystemProperty<Integer> MAX_PENDING_AGENTS_ALLOWED = new GoIntSystemProperty("max.pending.agents.allowed", 100);
     public static GoSystemProperty<Boolean> CHECK_AND_REMOVE_DUPLICATE_MODIFICATIONS = new GoBooleanSystemProperty("go.modifications.removeDuplicates", true);
     public static GoSystemProperty<String> GO_AGENT_KEYSTORE_PASSWORD = new GoStringSystemProperty("go.agent.keystore.password", "agent5s0repa55w0rd");
-
+    private static final GoSystemProperty<Boolean> GO_AGENT_USE_SSL_CONTEXT = new GoBooleanSystemProperty("go.agent.reuse.ssl.context", true);
     public static final GoSystemProperty<? extends Boolean> ENABLE_BUILD_COMMAND_PROTOCOL = new GoBooleanSystemProperty("go.agent.enableBuildCommandProtocol", false);
 
     private final static Map<String, String> GIT_ALLOW_PROTOCOL;
@@ -765,6 +765,10 @@ public boolean isApiSafeModeEnabled() {
         return GO_API_WITH_SAFE_MODE.getValue();
     }
 
+    public boolean useSslContext() {
+        return GO_AGENT_USE_SSL_CONTEXT.getValue();
+    }
+
     public static abstract class GoSystemProperty<T> {
         private String propertyName;
         private T defaultValue;
