Merge pull request #9855 from glefloch/fix/8975

Add global quarkus.tls.trust-all configuration property

core/runtime/src/main/java/io/quarkus/runtime/TlsConfig.java

@@ -0,0 +1,19 @@
+package io.quarkus.runtime;
+
+import io.quarkus.runtime.annotations.ConfigItem;
+import io.quarkus.runtime.annotations.ConfigPhase;
+import io.quarkus.runtime.annotations.ConfigRoot;
+
+/**
+ * Configuration class allowing to globally set TLS properties.
+ */
+@ConfigRoot(phase = ConfigPhase.BUILD_AND_RUN_TIME_FIXED)
+public class TlsConfig {
+
+    /**
+     * Enable trusting all certificates. Disable by default.
+     */
+    @ConfigItem(defaultValue = "false")
+    public boolean trustAll;
+
+}

extensions/keycloak-authorization/deployment/src/main/java/io/quarkus/keycloak/pep/deployment/KeycloakPolicyEnforcerBuildStep.java

@@ -15,6 +15,7 @@
 import io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerRecorder;
 import io.quarkus.oidc.runtime.OidcBuildTimeConfig;
 import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vertx.http.deployment.RequireBodyHandlerBuildItem;
 import io.quarkus.vertx.http.runtime.HttpConfiguration;
 
@@ -71,11 +72,11 @@ EnableAllSecurityServicesBuildItem security() {
 
     @Record(ExecutionTime.RUNTIME_INIT)
     @BuildStep
-    public void setup(OidcBuildTimeConfig oidcBuildTimeConfig, OidcConfig oidcRunTimeConfig,
+    public void setup(OidcBuildTimeConfig oidcBuildTimeConfig, OidcConfig oidcRunTimeConfig, TlsConfig tlsConfig,
             KeycloakPolicyEnforcerConfig keycloakConfig, KeycloakPolicyEnforcerRecorder recorder, BeanContainerBuildItem bc,
             HttpConfiguration httpConfiguration) {
         if (oidcBuildTimeConfig.enabled && keycloakConfig.policyEnforcer.enable) {
-            recorder.setup(oidcRunTimeConfig, keycloakConfig, bc.getValue(), httpConfiguration);
+            recorder.setup(oidcRunTimeConfig, keycloakConfig, tlsConfig, bc.getValue(), httpConfiguration);
         }
     }
 }

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.java

@@ -20,6 +20,7 @@
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.OidcTenantConfig.Tls.Verification;
 import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.security.identity.SecurityIdentity;
 import io.quarkus.security.runtime.QuarkusSecurityIdentity;
 import io.quarkus.vertx.http.runtime.HttpConfiguration;
@@ -90,7 +91,8 @@ public Uni<Boolean> apply(Permission permission) {
                 }).build();
     }
 
-    public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, HttpConfiguration httpConfiguration) {
+    public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, TlsConfig tlsConfig,
+            HttpConfiguration httpConfiguration) {
         AdapterConfig adapterConfig = new AdapterConfig();
         String authServerUrl = oidcConfig.defaultTenant.getAuthServerUrl().get();
 
@@ -104,7 +106,10 @@ public void init(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, Htt
         adapterConfig.setResource(oidcConfig.defaultTenant.getClientId().get());
         adapterConfig.setCredentials(getCredentials(oidcConfig.defaultTenant));
 
-        if (oidcConfig.defaultTenant.tls.getVerification() == Verification.NONE) {
+        boolean trustAll = oidcConfig.defaultTenant.tls.getVerification().isPresent()
+                ? oidcConfig.defaultTenant.tls.getVerification().get() == Verification.NONE
+                : tlsConfig.trustAll;
+        if (trustAll) {
             adapterConfig.setDisableTrustManager(true);
             adapterConfig.setAllowAnyHostname(true);
         }

extensions/keycloak-authorization/runtime/src/main/java/io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerRecorder.java

@@ -4,17 +4,19 @@
 import io.quarkus.oidc.OIDCException;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.runtime.OidcConfig;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.vertx.http.runtime.HttpConfiguration;
 
 @Recorder
 public class KeycloakPolicyEnforcerRecorder {
 
-    public void setup(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, BeanContainer beanContainer,
+    public void setup(OidcConfig oidcConfig, KeycloakPolicyEnforcerConfig config, TlsConfig tlsConfig,
+            BeanContainer beanContainer,
             HttpConfiguration httpConfiguration) {
         if (oidcConfig.defaultTenant.applicationType == OidcTenantConfig.ApplicationType.WEB_APP) {
             throw new OIDCException("Application type [" + oidcConfig.defaultTenant.applicationType + "] is not supported");
         }
-        beanContainer.instance(KeycloakPolicyEnforcerAuthorizer.class).init(oidcConfig, config, httpConfiguration);
+        beanContainer.instance(KeycloakPolicyEnforcerAuthorizer.class).init(oidcConfig, config, tlsConfig, httpConfiguration);
     }
 }

extensions/kubernetes-client/deployment-internal/src/main/java/io/quarkus/kubernetes/client/deployment/KubernetesClientBuildStep.java

@@ -5,13 +5,14 @@
 import io.quarkus.deployment.annotations.BuildStep;
 import io.quarkus.kubernetes.client.runtime.KubernetesClientBuildConfig;
 import io.quarkus.kubernetes.client.spi.KubernetesClientBuildItem;
+import io.quarkus.runtime.TlsConfig;
 
 public class KubernetesClientBuildStep {
 
     private KubernetesClientBuildConfig buildConfig;
 
     @BuildStep
-    public KubernetesClientBuildItem process() {
-        return new KubernetesClientBuildItem(createClient(buildConfig));
+    public KubernetesClientBuildItem process(TlsConfig tlsConfig) {
+        return new KubernetesClientBuildItem(createClient(buildConfig, tlsConfig));
     }
 }

extensions/kubernetes-client/runtime-internal/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientBuildConfig.java

@@ -14,7 +14,7 @@ public class KubernetesClientBuildConfig {
      * Whether or not the client should trust a self signed certificate if so presented by the API server
      */
     @ConfigItem
-    public boolean trustCerts;
+    public Optional<Boolean> trustCerts = Optional.empty();
 
     /**
      * URL of the Kubernetes API server

extensions/kubernetes-client/runtime/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientProducer.java

@@ -8,6 +8,7 @@
 import io.fabric8.kubernetes.client.DefaultKubernetesClient;
 import io.fabric8.kubernetes.client.KubernetesClient;
 import io.quarkus.arc.DefaultBean;
+import io.quarkus.runtime.TlsConfig;
 
 @Singleton
 public class KubernetesClientProducer {
@@ -17,8 +18,8 @@ public class KubernetesClientProducer {
     @DefaultBean
     @Singleton
     @Produces
-    public Config config(KubernetesClientBuildConfig buildConfig) {
-        return KubernetesClientUtils.createConfig(buildConfig);
+    public Config config(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
+        return KubernetesClientUtils.createConfig(buildConfig, tlsConfig);
     }
 
     @DefaultBean

extensions/kubernetes-client/runtime/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesClientUtils.java

@@ -8,15 +8,17 @@
 import io.fabric8.kubernetes.client.ConfigBuilder;
 import io.fabric8.kubernetes.client.DefaultKubernetesClient;
 import io.fabric8.kubernetes.client.KubernetesClient;
+import io.quarkus.runtime.TlsConfig;
 
 public class KubernetesClientUtils {
 
     private static final String PREFIX = "quarkus.kubernetes-client.";
 
-    public static Config createConfig(KubernetesClientBuildConfig buildConfig) {
+    public static Config createConfig(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
         Config base = Config.autoConfigure(null);
+        boolean trustAll = buildConfig.trustCerts.isPresent() ? buildConfig.trustCerts.get() : tlsConfig.trustAll;
         return new ConfigBuilder()
-                .withTrustCerts(buildConfig.trustCerts)
+                .withTrustCerts(trustAll)
                 .withWatchReconnectInterval((int) buildConfig.watchReconnectInterval.toMillis())
                 .withWatchReconnectLimit(buildConfig.watchReconnectLimit)
                 .withConnectionTimeout((int) buildConfig.connectionTimeout.toMillis())
@@ -43,8 +45,8 @@ public static Config createConfig(KubernetesClientBuildConfig buildConfig) {
                 .build();
     }
 
-    public static KubernetesClient createClient(KubernetesClientBuildConfig buildConfig) {
-        return new DefaultKubernetesClient(createConfig(buildConfig));
+    public static KubernetesClient createClient(KubernetesClientBuildConfig buildConfig, TlsConfig tlsConfig) {
+        return new DefaultKubernetesClient(createConfig(buildConfig, tlsConfig));
     }
 
     public static KubernetesClient createClient() {

extensions/kubernetes-config/deployment/src/main/java/io/quarkus/kubernetes/config/deployment/KubernetesConfigProcessor.java

@@ -17,16 +17,18 @@
 import io.quarkus.kubernetes.client.runtime.KubernetesConfigSourceConfig;
 import io.quarkus.kubernetes.spi.KubernetesRoleBindingBuildItem;
 import io.quarkus.kubernetes.spi.KubernetesRoleBuildItem;
+import io.quarkus.runtime.TlsConfig;
 
 public class KubernetesConfigProcessor {
 
     @BuildStep
     @Record(ExecutionTime.RUNTIME_INIT)
     public RunTimeConfigurationSourceValueBuildItem configure(KubernetesConfigRecorder recorder,
             KubernetesConfigSourceConfig config, KubernetesConfigBuildTimeConfig buildTimeConfig,
-            KubernetesClientBuildConfig clientConfig) {
+            KubernetesClientBuildConfig clientConfig,
+            TlsConfig tlsConfig) {
         return new RunTimeConfigurationSourceValueBuildItem(
-                recorder.configSources(config, buildTimeConfig, clientConfig));
+                recorder.configSources(config, buildTimeConfig, clientConfig, tlsConfig));
     }
 
     @BuildStep

extensions/kubernetes-config/runtime/src/main/java/io/quarkus/kubernetes/client/runtime/KubernetesConfigRecorder.java

@@ -9,6 +9,7 @@
 import org.jboss.logging.Logger;
 
 import io.quarkus.runtime.RuntimeValue;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.runtime.annotations.Recorder;
 import io.quarkus.runtime.configuration.AbstractRawDefaultConfigSource;
 
@@ -21,15 +22,16 @@ public class KubernetesConfigRecorder {
 
     public RuntimeValue<ConfigSourceProvider> configSources(KubernetesConfigSourceConfig kubernetesConfigSourceConfig,
             KubernetesConfigBuildTimeConfig buildTimeConfig,
-            KubernetesClientBuildConfig clientConfig) {
+            KubernetesClientBuildConfig clientConfig,
+            TlsConfig tlsConfig) {
         if ((!kubernetesConfigSourceConfig.enabled && !buildTimeConfig.secretsEnabled) || isExplicitlyDisabled()) {
             log.debug(
                     "No attempt will be made to obtain configuration from the Kubernetes API server because the functionality has been disabled via configuration");
             return emptyRuntimeValue();
         }
 
         return new RuntimeValue<>(new KubernetesConfigSourceProvider(kubernetesConfigSourceConfig, buildTimeConfig,
-                KubernetesClientUtils.createClient(clientConfig)));
+                KubernetesClientUtils.createClient(clientConfig, tlsConfig)));
     }
 
     // We don't want to enable the reading of anything if 'quarkus.kubernetes-config.enabled' is EXPLICITLY set to false

extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailClientProducer.java

@@ -7,6 +7,7 @@
 
 import org.jboss.logging.Logger;
 
+import io.quarkus.runtime.TlsConfig;
 import io.vertx.core.Vertx;
 import io.vertx.ext.mail.LoginOption;
 import io.vertx.ext.mail.MailClient;
@@ -23,8 +24,8 @@ public class MailClientProducer {
     private final io.vertx.mutiny.ext.mail.MailClient mutinyClient;
     private final MailClient client;
 
-    public MailClientProducer(Vertx vertx, MailConfig config) {
-        this.client = mailClient(vertx, config);
+    public MailClientProducer(Vertx vertx, MailConfig config, TlsConfig tlsConfig) {
+        this.client = mailClient(vertx, config, tlsConfig);
         this.mutinyClient = io.vertx.mutiny.ext.mail.MailClient.newInstance(this.client);
     }
 
@@ -65,12 +66,12 @@ public void stop() {
         client.close();
     }
 
-    private MailClient mailClient(Vertx vertx, MailConfig config) {
-        io.vertx.ext.mail.MailConfig cfg = toVertxMailConfig(config);
+    private MailClient mailClient(Vertx vertx, MailConfig config, TlsConfig tlsConfig) {
+        io.vertx.ext.mail.MailConfig cfg = toVertxMailConfig(config, tlsConfig);
         return MailClient.createShared(vertx, cfg);
     }
 
-    private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config) {
+    private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config, TlsConfig tlsConfig) {
         io.vertx.ext.mail.MailConfig cfg = new io.vertx.ext.mail.MailConfig();
         if (config.authMethods.isPresent()) {
             cfg.setAuthMethods(config.authMethods.get());
@@ -106,7 +107,8 @@ private io.vertx.ext.mail.MailConfig toVertxMailConfig(MailConfig config) {
         if (config.startTLS.isPresent()) {
             cfg.setStarttls(StartTLSOptions.valueOf(config.startTLS.get().toUpperCase()));
         }
-        cfg.setTrustAll(config.trustAll);
+        boolean trustAll = config.trustAll.isPresent() ? config.trustAll.get() : tlsConfig.trustAll;
+        cfg.setTrustAll(trustAll);
         return cfg;
     }
 

extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MailConfig.java

@@ -65,10 +65,10 @@ public class MailConfig {
 
     /**
      * Set whether to trust all certificates on ssl connect the option is also
-     * applied to {@code STARTTLS} operation. {@code false} by default.
+     * applied to {@code STARTTLS} operation. Disabled by default.
      */
     @ConfigItem
-    public boolean trustAll;
+    public Optional<Boolean> trustAll = Optional.empty();
 
     /**
      * Configures the maximum allowed number of open connections to the mail server

extensions/mailer/runtime/src/main/java/io/quarkus/mailer/runtime/MutinyMailerImpl.java

@@ -51,7 +51,7 @@ public class MutinyMailerImpl implements ReactiveMailer {
         public Void apply(List<?> results) {
             return null;
         }
-    };;
+    };
 
     @Override
     public Uni<Void> send(Mail... mails) {

extensions/oidc/deployment/src/main/java/io/quarkus/oidc/deployment/OidcBuildStep.java

@@ -35,6 +35,7 @@
 import io.quarkus.oidc.runtime.OidcRecorder;
 import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
 import io.quarkus.oidc.runtime.TenantConfigBean;
+import io.quarkus.runtime.TlsConfig;
 import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
 import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
 import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
@@ -92,9 +93,10 @@ EnableAllSecurityServicesBuildItem security() {
     public SyntheticBeanBuildItem setup(
             OidcConfig config,
             OidcRecorder recorder,
-            CoreVertxBuildItem vertxBuildItem) {
+            CoreVertxBuildItem vertxBuildItem,
+            TlsConfig tlsConfig) {
         return SyntheticBeanBuildItem.configure(TenantConfigBean.class).unremovable().types(TenantConfigBean.class)
-                .supplier(recorder.setup(config, vertxBuildItem.getVertx()))
+                .supplier(recorder.setup(config, vertxBuildItem.getVertx(), tlsConfig))
                 .scope(Singleton.class)
                 .setRuntimeInit()
                 .done();

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/OidcTenantConfig.java

@@ -187,15 +187,14 @@ public enum Verification {
          * Certificate validation and hostname verification, which can be one of the following values from enum
          * {@link Verification}. Default is required.
          */
-        @ConfigItem(defaultValue = "REQUIRED")
-        public Verification verification;
+        public Optional<Verification> verification = Optional.empty();
 
-        public Verification getVerification() {
+        public Optional<Verification> getVerification() {
             return verification;
         }
 
         public void setVerification(Verification verification) {
-            this.verification = verification;
+            this.verification = Optional.ofNullable(verification);
         }
 
     }