From 0457a664599cd78755aa5babb8bf8dea22a0f8c1 Mon Sep 17 00:00:00 2001
From: German Osin
Date: Fri, 21 Feb 2025 16:30:12 +0100
Subject: [PATCH] ssl verification skip
---
 .../java/io/kafbat/ui/KafkaUiApplication.java | 3 ++
 .../builtin/sr/SchemaRegistrySerde.java | 19 +++++++--
 .../ui/service/ssl/SkipSecurityProvider.java | 12 ++++++
 .../ssl/SkipTrustManagerFactorySpi.java | 40 +++++++++++++++++++
 4 files changed, 71 insertions(+), 3 deletions(-)
 create mode 100644 api/src/main/java/io/kafbat/ui/service/ssl/SkipSecurityProvider.java
 create mode 100644 api/src/main/java/io/kafbat/ui/service/ssl/SkipTrustManagerFactorySpi.java
diff --git a/api/src/main/java/io/kafbat/ui/KafkaUiApplication.java b/api/src/main/java/io/kafbat/ui/KafkaUiApplication.java
index 51d693983..0586d341a 100644
--- a/api/src/main/java/io/kafbat/ui/KafkaUiApplication.java
+++ b/api/src/main/java/io/kafbat/ui/KafkaUiApplication.java
@@ -1,6 +1,8 @@
 package io.kafbat.ui;
+import io.kafbat.ui.service.ssl.SkipSecurityProvider;
 import io.kafbat.ui.util.DynamicConfigOperations;
+import java.security.Security;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration;
 import org.springframework.boot.builder.SpringApplicationBuilder;
@@ -18,6 +20,7 @@ public static void main(String[] args) {
 }
 public static ConfigurableApplicationContext startApplication(String[] args) {
+ Security.addProvider(new SkipSecurityProvider());
 return new SpringApplicationBuilder(KafkaUiApplication.class)
 .initializers(DynamicConfigOperations.dynamicConfigPropertiesInitializer())
 .build()
diff --git a/api/src/main/java/io/kafbat/ui/serdes/builtin/sr/SchemaRegistrySerde.java b/api/src/main/java/io/kafbat/ui/serdes/builtin/sr/SchemaRegistrySerde.java
index d6f7a3699..2bf821ff3 100644
--- a/api/src/main/java/io/kafbat/ui/serdes/builtin/sr/SchemaRegistrySerde.java
+++ b/api/src/main/java/io/kafbat/ui/serdes/builtin/sr/SchemaRegistrySerde.java
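Review bot: `Security.addProvider(new SkipSecurityProvider())` in `startApplication` installs a trust-all `TrustManagerFactory` algorithm JVM-wide on every start, whether or not any cluster sets `ssl.verifySsl=false`, and nothing at the call site says why it is unconditional. A comment would spare the next reader a detour: `// Registers the "Skip" TrustManagerFactory algorithm selected when ssl.verifySsl=false; it should be inert unless that algorithm name is requested explicitly.` Repeated calls are harmless because `addProvider` returns -1 once the provider is already installed, but registering it lazily from the code that reads the flag would keep the trust-all path out of deployments that never disable verification. `startApplication` continues past the end of the hunk.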
@@ -24,6 +24,7 @@
 import io.kafbat.ui.serde.api.PropertyResolver;
 import io.kafbat.ui.serde.api.SchemaDescription;
 import io.kafbat.ui.serdes.BuiltInSerde;
+import io.kafbat.ui.service.ssl.SkipSecurityProvider;
 import io.kafbat.ui.util.jsonschema.AvroJsonSchemaConverter;
 import io.kafbat.ui.util.jsonschema.ProtobufSchemaConverter;
 import java.net.URI;
@@ -34,6 +35,7 @@
 import java.util.Optional;
 import java.util.concurrent.Callable;
 import javax.annotation.Nullable;
+import javax.net.ssl.TrustManagerFactory;
 import lombok.SneakyThrows;
 import org.apache.kafka.common.config.SslConfigs;
@@ -80,7 +82,8 @@ public void autoConfigure(PropertyResolver kafkaClusterProperties,
 kafkaClusterProperties.getProperty("schemaRegistrySsl.keystoreLocation", String.class).orElse(null),
 kafkaClusterProperties.getProperty("schemaRegistrySsl.keystorePassword", String.class).orElse(null),
 kafkaClusterProperties.getProperty("ssl.truststoreLocation", String.class).orElse(null),
- kafkaClusterProperties.getProperty("ssl.truststorePassword", String.class).orElse(null)
+ kafkaClusterProperties.getProperty("ssl.truststorePassword", String.class).orElse(null),
+ kafkaClusterProperties.getProperty("ssl.verifySsl", Boolean.class).orElse(true)
 ),
 kafkaClusterProperties.getProperty("schemaRegistryKeySchemaNameTemplate", String.class).orElse("%s-key"),
 kafkaClusterProperties.getProperty("schemaRegistrySchemaNameTemplate", String.class).orElse("%s-value"),
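Review bot: The `"ssl.verifySsl"` key and its `true` default are spelled out as literals in the `autoConfigure` hunk here and again in the `configure` hunk (`@@ -106,7 +109,8 @@`), so the two lookups can drift apart silently; a `private static final String VERIFY_SSL_PROPERTY = "ssl.verifySsl";` used from both call sites would pin them together. The value is read from `kafkaClusterProperties`, i.e. it is a cluster-level switch sitting next to `ssl.truststoreLocation`, which the property's documentation should state plainly since setting it to false turns off certificate validation for that cluster's schema-registry connection. The `javax.net.ssl.TrustManagerFactory` import added in the second hunk is not referenced by any line visible in this patch, so it may be unused. Both `autoConfigure` and `configure` begin before their hunks.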
@@ -106,7 +109,8 @@ public void configure(PropertyResolver serdeProperties,
 serdeProperties.getProperty("keystoreLocation", String.class).orElse(null),
 serdeProperties.getProperty("keystorePassword", String.class).orElse(null),
 kafkaClusterProperties.getProperty("ssl.truststoreLocation", String.class).orElse(null),
- kafkaClusterProperties.getProperty("ssl.truststorePassword", String.class).orElse(null)
+ kafkaClusterProperties.getProperty("ssl.truststorePassword", String.class).orElse(null),
+ kafkaClusterProperties.getProperty("ssl.verifySsl", Boolean.class).orElse(true)
 ),
 serdeProperties.getProperty("keySchemaNameTemplate", String.class).orElse("%s-key"),
 serdeProperties.getProperty("schemaNameTemplate", String.class).orElse("%s-value"),
@@ -136,7 +140,9 @@ private static SchemaRegistryClient createSchemaRegistryClient(List urls
 @Nullable String keyStoreLocation,
 @Nullable String keyStorePassword,
 @Nullable String trustStoreLocation,
- @Nullable String trustStorePassword) {
+ @Nullable String trustStorePassword,
+ boolean verifySsl
+ ) {
 Map configs = new HashMap<>();
 if (username != null && password != null) {
 configs.put(BASIC_AUTH_CREDENTIALS_SOURCE, "USER_INFO");
@@ -166,6 +172,13 @@ private static SchemaRegistryClient createSchemaRegistryClient(List urls
 keyStorePassword);
 }
+ if (!verifySsl) {
+ configs.put(
+ SchemaRegistryClientConfig.CLIENT_NAMESPACE + SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG,
+ SkipSecurityProvider.NAME
+ );
+ }
+
 return new CachedSchemaRegistryClient(
 urls,
 1_000,
diff --git a/api/src/main/java/io/kafbat/ui/service/ssl/SkipSecurityProvider.java b/api/src/main/java/io/kafbat/ui/service/ssl/SkipSecurityProvider.java
new file mode 100644
index 000000000..dbac8fb8b
--- /dev/null
+++ b/api/src/main/java/io/kafbat/ui/service/ssl/SkipSecurityProvider.java
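Review bot: The `if (!verifySsl)` branch in the `@@ -166,6 +172,13 @@` hunk switches off certificate validation without leaving any trace, so an operator reading the logs cannot tell that the schema-registry client now trusts every chain; the branch should emit a warning naming the affected `urls` (constructed example: `Schema registry SSL certificate verification is disabled for <urls>`) with whatever logging the class already uses. The override only swaps the trust-manager algorithm, so the truststore entries put into `configs` above are still sent along but ignored by the trust-all manager, and whether hostname checking (`SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG`) is also bypassed is not decided by this hunk — the flag's documentation should say exactly which checks it disables. `createSchemaRegistryClient` begins before the hunk and its argument list continues past it.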
@@ -0,0 +1,12 @@
+package io.kafbat.ui.service.ssl;
+
+import java.security.Provider;
+
+public class SkipSecurityProvider extends Provider {
+ public static final String NAME = "Skip";
+
+ public SkipSecurityProvider() {
+ super("SkipProvider", 1.0, "Skip TrustManagerFactory Provider");
+ put("TrustManagerFactory."+NAME, "SkipTrustManagerFactorySpi");
+ }
+}
diff --git a/api/src/main/java/io/kafbat/ui/service/ssl/SkipTrustManagerFactorySpi.java b/api/src/main/java/io/kafbat/ui/service/ssl/SkipTrustManagerFactorySpi.java
new file mode 100644
index 000000000..1ac5021a1
--- /dev/null
+++ b/api/src/main/java/io/kafbat/ui/service/ssl/SkipTrustManagerFactorySpi.java
@@ -0,0 +1,40 @@
+package io.kafbat.ui.service.ssl;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+public class SkipTrustManagerFactorySpi extends javax.net.ssl.TrustManagerFactorySpi {
+
+ private final TrustManager[] trustAllCertificates;
+
+ public SkipTrustManagerFactorySpi() {
+ this.trustAllCertificates = new TrustManager[]{
+ new X509TrustManager() {
+ public X509Certificate[] getAcceptedIssuers() { return null; }
+ public void checkClientTrusted(X509Certificate[] certs, String authType) { }
+ public void checkServerTrusted(X509Certificate[] certs, String authType) { }
+ }
+ };
+ }
+
+ @Override
+ protected void engineInit(KeyStore ks) throws KeyStoreException {
+
+ }
+
+ @Override
+ protected void engineInit(ManagerFactoryParameters spec)
+ throws InvalidAlgorithmParameterException {
+
+ }
+
+ @Override
+ protected TrustManager[] engineGetTrustManagers() {
+ return trustAllCertificates;
+ }
+}
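Review bot: `put("TrustManagerFactory."+NAME, "SkipTrustManagerFactorySpi")` registers the implementation under its simple name, but `Provider` resolves that string through the provider's class loader, which looks for a top-level class of that name in the default package; the class is declared in `io.kafbat.ui.service.ssl`, so `TrustManagerFactory.getInstance("Skip")` would most likely fail with a `NoSuchAlgorithmException` wrapping a `ClassNotFoundException` rather than return the trust-all manager. Use the fully qualified name: `put("TrustManagerFactory." + NAME, SkipTrustManagerFactorySpi.class.getName());`. The `Provider(String, double, String)` constructor has been deprecated since Java 9; `super("SkipProvider", "1.0", "Skip TrustManagerFactory Provider");` is the current form. A class Javadoc should spell out that `NAME` is the algorithm name to put into `SslConfigs.SSL_TRUSTMANAGER_ALGORITHM_CONFIG` while `"SkipProvider"` is the provider name, and that the factory it exposes accepts every certificate chain, so the two strings are not confused by the next maintainer.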
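Review bot: `getAcceptedIssuers()` returns `null`, which breaks the `X509TrustManager` contract (a non-null, possibly empty array) and can surface as a `NullPointerException` in SSL code that iterates over the result; return `new X509Certificate[0];` instead. The three anonymous-class methods also lack `@Override`, and both empty `engineInit` bodies deserve a one-line comment such as `// Intentionally ignores the supplied trust store: every certificate chain is accepted.` so the emptiness reads as a decision rather than an omission. A class-level Javadoc should state that this factory accepts any server or client certificate without chain, expiry or revocation checks and is only meant to be selected when `ssl.verifySsl` is false, since nothing in the class itself restricts where it can be used.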