Ssl only made once (#72)

* First fixes

* refactor(*): add cert generation script for the tests and lrs-api-client bean for singleton

---------

Co-authored-by: Ewan Donovan <ewan.donovan@digital.justice.com>

Author: malaw-moj

.gitignore

@@ -77,6 +77,7 @@ sonar-project.properties
 
 # Certificate files
 *.pfx
+*.jks
 
 # env files
 .env*

Dockerfile

@@ -29,8 +29,6 @@ COPY --from=builder --chown=appuser:appgroup /app/build/libs/applicationinsights
 COPY --from=builder --chown=appuser:appgroup /app/applicationinsights.json /app
 COPY --from=builder --chown=appuser:appgroup /app/applicationinsights.dev.json /app
 #COPY WebServiceClientCert.pfx /app/WebServiceClientCert.pfx
-#RUN ls -la /app/WebServiceClientCert.pfx
-
 USER 2000
 
 ENTRYPOINT ["java", "-XX:+AlwaysActAsServerClassMachine", "-javaagent:/app/agent.jar", "-jar", "/app/app.jar"]

build.gradle.kts

@@ -32,12 +32,17 @@ kotlin {
   jvmToolchain(21)
 }
 
+tasks.register<Exec>("generateSSLCertificate") {
+  commandLine("bash", "./generateSSLCertificate.sh")
+}
+
 tasks {
   withType<org.jetbrains.kotlin.gradle.tasks.KotlinCompile> {
     compilerOptions.jvmTarget = org.jetbrains.kotlin.gradle.dsl.JvmTarget.JVM_21
   }
   test {
-    environment("PFX_FILE_PASSWORD", "TEST")
+    dependsOn("generateSSLCertificate")
+    environment("PFX_FILE_PASSWORD", "changeit")
     environment("UK_PRN", "TEST")
     environment("ORG_PASSWORD", "TEST")
     environment("VENDOR_ID", "TEST")

generateSSLCertificate.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# Define variables for file names, passwords, etc.
+KEYSTORE_PASSWORD="changeit"
+ALIAS="dummyClientAlias"
+KEYSTORE_FILE="dummyClient.jks"
+PFX_FILE="WebServiceClientCert.pfx"
+KEY_PASSWORD="changeit"
+VALIDITY_DAYS=3650
+
+rm -rf *.pfx *.jks
+
+# Generate a self-signed certificate using keytool
+keytool -genkeypair -keyalg RSA -keysize 2048 -alias $ALIAS -keystore $KEYSTORE_FILE -storepass $KEYSTORE_PASSWORD -keypass $KEY_PASSWORD -validity $VALIDITY_DAYS -dname "CN=Dummy Client, OU=Test, O=Test Corp, L=Test City, S=Test State, C=US" -noprompt
+
+# Convert the generated JKS keystore to PFX format
+keytool -importkeystore -srckeystore $KEYSTORE_FILE -srcstorepass $KEYSTORE_PASSWORD -destkeystore $PFX_FILE -deststoretype PKCS12 -deststorepass $KEYSTORE_PASSWORD -noprompt
+
+echo "Self-signed certificate generated and converted to PFX format."

src/main/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/config/HttpClientConfiguration.kt

@@ -6,57 +6,53 @@ import okhttp3.logging.HttpLoggingInterceptor.Level
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
+import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import retrofit2.Retrofit
 import retrofit2.converter.jaxb.JaxbConverterFactory
+import uk.gov.justice.digital.hmpps.learnerrecordsapi.interfaces.LRSApiInterface
 import java.util.concurrent.TimeUnit
 
 @Configuration
-class HttpClientConfiguration(
-  @Value("\${lrs.pfx-path}") val pfxFilePath: String,
-  @Value("\${lrs.base-url}") val baseUrl: String,
+class HttpClientConfiguration {
+
+  @Value("\${lrs.pfx-path}")
+  lateinit var pfxFilePath: String
+
+  @Value("\${lrs.base-url}")
+  lateinit var baseUrl: String
+
   @Autowired
-  private val appConfig: AppConfig,
-) {
-  fun buildSSLHttpClient(): OkHttpClient {
+  lateinit var appConfig: AppConfig
+
+  @Bean
+  fun lrsClient(): LRSApiInterface = Retrofit.Builder()
+    .baseUrl(baseUrl)
+    .client(sslHttpClient())
+    .addConverterFactory(JaxbConverterFactory.create())
+    .build().create(LRSApiInterface::class.java)
+
+  companion object {
+    private val log = LoggerFactory.getLogger(this::class.java)
+  }
+
+  fun sslHttpClient(): OkHttpClient {
     log.info("Building HTTP client with SSL")
     val loggingInterceptor = HttpLoggingInterceptor()
     loggingInterceptor.level = Level.BODY
 
-    try {
-      val sslContextConfiguration = SSLContextConfiguration(pfxFilePath)
-      val sslContext = sslContextConfiguration.createSSLContext()
-      val trustManager = sslContextConfiguration.getTrustManager()
-
-      val httpClientBuilder = OkHttpClient.Builder()
-        .connectTimeout(appConfig.lrsConnectTimeout(), TimeUnit.SECONDS)
-        .writeTimeout(appConfig.lrsWriteTimeout(), TimeUnit.SECONDS)
-        .readTimeout(appConfig.lrsReadTimeout(), TimeUnit.SECONDS)
-        .sslSocketFactory(sslContext.socketFactory, trustManager)
-        .addInterceptor(loggingInterceptor)
-
-      log.info("HTTP client with SSL built successfully!")
-      return httpClientBuilder.build()
-    } catch (e: Exception) {
-      log.info(e.message + " Falling back to HTTP client without SSL")
-      val httpClientBuilder = OkHttpClient.Builder()
-        .addInterceptor(loggingInterceptor)
-
-      return httpClientBuilder.build()
-    }
-  }
+    val sslContextConfiguration = SSLContextConfiguration(pfxFilePath)
+    val sslContext = sslContextConfiguration.createSSLContext()
+    val trustManager = sslContextConfiguration.getTrustManager()
 
-  fun retrofit(): Retrofit {
-    log.info("Retrofit Client")
+    val httpClientBuilder = OkHttpClient.Builder()
+      .connectTimeout(appConfig.lrsConnectTimeout(), TimeUnit.SECONDS)
+      .writeTimeout(appConfig.lrsWriteTimeout(), TimeUnit.SECONDS)
+      .readTimeout(appConfig.lrsReadTimeout(), TimeUnit.SECONDS)
+      .sslSocketFactory(sslContext.socketFactory, trustManager)
+      .addInterceptor(loggingInterceptor)
 
-    return Retrofit.Builder()
-      .baseUrl(baseUrl)
-      .client(buildSSLHttpClient())
-      .addConverterFactory(JaxbConverterFactory.create())
-      .build()
-  }
-
-  companion object {
-    private val log = LoggerFactory.getLogger(this::class.java)
+    log.info("HTTP client with SSL built successfully!")
+    return httpClientBuilder.build()
   }
 }

src/main/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/service/LearnerEventsService.kt

@@ -4,7 +4,6 @@ import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Service
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.config.AppConfig
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.config.HttpClientConfiguration
-import uk.gov.justice.digital.hmpps.learnerrecordsapi.interfaces.LRSApiInterface
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.logging.LoggerUtil
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.models.lrsapi.response.LearningEventsResponse
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.models.lrsapi.response.MIAPAPIException
@@ -24,8 +23,6 @@ class LearnerEventsService(
 ) {
   private val log: LoggerUtil = LoggerUtil(javaClass)
 
-  private fun lrsClient(): LRSApiInterface = httpClientConfiguration.retrofit().create(LRSApiInterface::class.java)
-
   private fun parseError(xmlString: String): MIAPAPIException? {
     val regex = Regex("<ns10:MIAPAPIException[\\s\\S]*?</ns10:MIAPAPIException>")
     val match = regex.find(xmlString)
@@ -41,7 +38,7 @@ class LearnerEventsService(
       .transformToLRSRequest(appConfig.ukprn(), appConfig.password(), appConfig.vendorId(), userName)
     log.debug("Calling LRS API")
 
-    val learningEventsResponse = lrsClient().getLearnerLearningEvents(requestBody)
+    val learningEventsResponse = httpClientConfiguration.lrsClient().getLearnerLearningEvents(requestBody)
     val learningEventsObject = learningEventsResponse.body()?.body?.learningEventsResponse
 
     if (learningEventsResponse.isSuccessful && learningEventsObject != null) {

src/main/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/service/LearnersService.kt

@@ -4,7 +4,6 @@ import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Service
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.config.AppConfig
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.config.HttpClientConfiguration
-import uk.gov.justice.digital.hmpps.learnerrecordsapi.interfaces.LRSApiInterface
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.logging.LoggerUtil
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.models.lrsapi.response.FindLearnerResponse
 import uk.gov.justice.digital.hmpps.learnerrecordsapi.models.lrsapi.response.Learner
@@ -27,8 +26,6 @@ class LearnersService(
 
   private val log: LoggerUtil = LoggerUtil(javaClass)
 
-  private fun lrsClient(): LRSApiInterface = httpClientConfiguration.retrofit().create(LRSApiInterface::class.java)
-
   private fun parseError(xmlString: String): MIAPAPIException? {
     val regex = Regex("<ns10:MIAPAPIException[\\s\\S]*?</ns10:MIAPAPIException>")
     val match = regex.find(xmlString)
@@ -45,7 +42,7 @@ class LearnersService(
 
     log.debug("Calling LRS API")
 
-    val lrsResponse = lrsClient().findLearnerByDemographics(requestBody)
+    val lrsResponse = httpClientConfiguration.lrsClient().findLearnerByDemographics(requestBody)
     val lrsResponseBody = lrsResponse.body()?.body?.findLearnerResponse
 
     if (lrsResponse.isSuccessful && lrsResponseBody != null) {

src/test/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/config/TestExceptionResource.kt

@@ -53,14 +53,14 @@ class TestExceptionResource(
   @PostMapping("/test/okhttp-timeout")
   fun triggerOkhttpTimeout(): String? {
     val mockTimeoutServer = MockWebServer()
-    mockTimeoutServer.enqueue(MockResponse().setBody("Delayed response").setBodyDelay(15, TimeUnit.SECONDS))
+    mockTimeoutServer.enqueue(MockResponse().setBody("Delayed response").setBodyDelay(40, TimeUnit.SECONDS))
     mockTimeoutServer.start()
 
     val request = Request.Builder()
       .url(mockTimeoutServer.url("/timeout")) // Point to the MockWebServer URL
       .build()
 
-    val response = httpClientConfiguration.buildSSLHttpClient().newCall(request).execute()
+    val response = httpClientConfiguration.sslHttpClient().newCall(request).execute()
     return response.body?.string()
   }
 }

src/test/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/service/LearnerEventsServiceTest.kt

@@ -45,8 +45,7 @@ class LearnerEventsServiceTest {
     retrofitMock = mock(Retrofit::class.java)
     lrsApiInterfaceMock =
       mock(LRSApiInterface::class.java)
-    `when`(httpClientConfigurationMock.retrofit()).thenReturn(retrofitMock)
-    `when`(retrofitMock.create(LRSApiInterface::class.java)).thenReturn(lrsApiInterfaceMock)
+    `when`(httpClientConfigurationMock.lrsClient()).thenReturn(lrsApiInterfaceMock)
     appConfigMock = mock(AppConfig::class.java)
     learnerEventsService = LearnerEventsService(httpClientConfigurationMock, appConfigMock)
     `when`(appConfigMock.ukprn()).thenReturn("test")

src/test/kotlin/uk/gov/justice/digital/hmpps/learnerrecordsapi/service/LearnersServiceTest.kt

@@ -48,8 +48,7 @@ class LearnersServiceTest {
     retrofitMock = mock(Retrofit::class.java)
     lrsApiInterfaceMock =
       mock(LRSApiInterface::class.java)
-    `when`(httpClientConfigurationMock.retrofit()).thenReturn(retrofitMock)
-    `when`(retrofitMock.create(LRSApiInterface::class.java)).thenReturn(lrsApiInterfaceMock)
+    `when`(httpClientConfigurationMock.lrsClient()).thenReturn(lrsApiInterfaceMock)
     appConfigMock = mock(AppConfig::class.java)
     learnersService = LearnersService(httpClientConfigurationMock, appConfigMock)
     `when`(appConfigMock.ukprn()).thenReturn("test")