[KOGITO-9231] Configure RestWorkItemHandler SSL behaviour through pro…

quarkus/extensions/kogito-quarkus-extension-common/kogito-quarkus-common/src/main/java/org/kie/kogito/quarkus/runtime/SSLWebClientOptionsProducer.java

@@ -22,14 +22,14 @@
 import io.quarkus.arc.DefaultBean;
 import io.vertx.ext.web.client.WebClientOptions;
 
-import static org.kogito.workitem.rest.RestWorkItemHandlerUtils.sslWebClientOptions;
+import static org.kie.kogito.quarkus.runtime.SSLWebClientOptionsUtils.sslQuarkusWebClientOptions;
 
 @ApplicationScoped
 public class SSLWebClientOptionsProducer {
 
     @Produces
     @DefaultBean
-    public WebClientOptions webClientOptions() {
-        return sslWebClientOptions();
+    public WebClientOptions quarkusWebClientOptions() {
+        return sslQuarkusWebClientOptions();
     }
 }

quarkus/extensions/kogito-quarkus-extension-common/kogito-quarkus-common/src/main/java/org/kie/kogito/quarkus/runtime/SSLWebClientOptionsUtils.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.kie.kogito.quarkus.runtime;
+
+import java.util.Optional;
+
+import org.eclipse.microprofile.config.Config;
+import org.eclipse.microprofile.config.ConfigProvider;
+
+import io.vertx.core.net.JksOptions;
+import io.vertx.core.net.PemKeyCertOptions;
+import io.vertx.core.net.PemTrustOptions;
+import io.vertx.ext.web.client.WebClientOptions;
+
+public class SSLWebClientOptionsUtils {
+
+    public static final String QUARKUS_HTTP_SSL_CERTIFICATE_FILE = "quarkus.http.ssl.certificate.file";
+    public static final String QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILE = "quarkus.http.ssl.certificate.key-file";
+    public static final String QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_FILE = "quarkus.http.ssl.certificate.key-store-file";
+    public static final String QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_PASSWORD = "quarkus.http.ssl.certificate.key-store-password";
+    public static final String QUARKUS_HTTP_SSL_VERIFY_CLIENT = "quarkus.http.ssl.verify-client";
+    public static final String QUARKUS_HTTP_SSL_TRUST_CERTIFICATE_FILE = "quarkus.http.ssl.trust-certificate-file";
+
+    public static WebClientOptions sslQuarkusWebClientOptions() {
+        WebClientOptions webClientOptions = new WebClientOptions();
+
+        Config config = ConfigProvider.getConfig();
+
+        getOptionalStringValue(config, QUARKUS_HTTP_SSL_CERTIFICATE_FILE)
+                .ifPresent(certificateFilePath -> {
+                    getOptionalStringValue(config, QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILE)
+                            .ifPresent(keyFilePath -> {
+                                webClientOptions.setPemKeyCertOptions(new PemKeyCertOptions()
+                                        .setCertPath(certificateFilePath)
+                                        .setKeyPath(keyFilePath));
+                            });
+                });
+
+        getOptionalStringValue(config, QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_FILE)
+                .ifPresent(keystorePath -> {
+                    getOptionalStringValue(config, QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_PASSWORD)
+                            .ifPresent(keystorePassword -> {
+                                Boolean verifyClient = getOptionalBooleanValue(config, QUARKUS_HTTP_SSL_VERIFY_CLIENT).orElse(false);
+
+                                webClientOptions.setSsl(true)
+                                        .setTrustAll(false)
+                                        .setVerifyHost(verifyClient)
+                                        .setTrustStoreOptions(new JksOptions()
+                                                .setPath(keystorePath)
+                                                .setPassword(keystorePassword));
+                            });
+                });
+
+        getOptionalStringValue(config, QUARKUS_HTTP_SSL_TRUST_CERTIFICATE_FILE)
+                .ifPresent(trustCertFilePath -> {
+                    webClientOptions.setPemTrustOptions(new PemTrustOptions()
+                            .addCertPath(trustCertFilePath));
+                });
+
+        return webClientOptions;
+    }
+
+    private static Optional<String> getOptionalStringValue(Config config, String key) {
+        return config.getOptionalValue(key, String.class);
+    }
+
+    private static Optional<Boolean> getOptionalBooleanValue(Config config, String key) {
+        return config.getOptionalValue(key, Boolean.class);
+    }
+}

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/pom.xml

@@ -0,0 +1,123 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.kie.kogito</groupId>
+    <artifactId>kogito-quarkus-integration-tests</artifactId>
+    <version>2.0.0-SNAPSHOT</version>
+  </parent>
+  <name>Kogito :: Integration Tests :: Quarkus :: SSL WebClient Options</name>
+  <artifactId>integration-tests-quarkus-ssl-webclient-options</artifactId>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.kie.kogito</groupId>
+        <artifactId>kogito-quarkus-bom</artifactId>
+        <version>${project.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.kie.kogito</groupId>
+      <artifactId>kogito-quarkus-serverless-workflow</artifactId>
+    </dependency>
+
+    <!-- this is used implicitly by kogito-quarkus-serverless-workflow, let's make Maven parallel build to be aware of it. -->
+    <dependency>
+      <groupId>org.kie.kogito</groupId>
+      <artifactId>kogito-quarkus-serverless-workflow-deployment</artifactId>
+      <version>${project.version}</version>
+      <type>pom</type>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>*</groupId>
+          <artifactId>*</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-resteasy</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-resteasy-jackson</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-smallrye-openapi</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-smallrye-health</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-junit5</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.rest-assured</groupId>
+      <artifactId>rest-assured</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock-jre8</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.kie.kogito</groupId>
+      <artifactId>kogito-test-utils</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <pluginManagement>
+      <plugins>
+        <plugin>
+          <groupId>io.quarkus</groupId>
+          <artifactId>quarkus-maven-plugin</artifactId>
+          <configuration>
+            <noDeps>true</noDeps>
+            <skip>${skipTests}</skip>
+          </configuration>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+    <plugins>
+      <plugin>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-maven-plugin</artifactId>
+        <executions>
+          <execution>
+            <goals>
+              <goal>build</goal>
+              <goal>generate-code</goal>
+              <goal>generate-code-tests</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <configuration>
+          <systemPropertyVariables>
+            <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+          </systemPropertyVariables>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/main/java/org/kie/kogito/integrationtests/GreetingService.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.kie.kogito.integrationtests;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+@Path("/greeting")
+public class GreetingService {
+
+    @ConfigProperty(name = "greeting.message")
+    String greetingMessage;
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    public String secureHello() {
+        return greetingMessage;
+    }
+}

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/main/resources/application.properties

@@ -0,0 +1,7 @@
+# SSL Configuration
+quarkus.http.ssl.certificate.file=classpath:ssl/server.crt
+quarkus.http.ssl.certificate.key-file=classpath:ssl/server.key
+quarkus.http.ssl.certificate.key-store-file=classpath:ssl/keystore.jks
+quarkus.http.ssl.certificate.key-store-password=test
+quarkus.http.ssl.verify-client=false
+greeting.message=Hello, Quarkus!

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/main/resources/ssl/server.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAocCFE1I2Ic8KGoy9Zrk75toWuS1LhVgMA0GCSqGSIb3DQEBCwUAMIGL
+MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxDzANBgNVBAcMBkZyaXNjbzEQ
+MA4GA1UECgwHUmVkIEhhdDETMBEGA1UECwwKTWlkZGxld2FyZTEQMA4GA1UEAwwH
+b3BlbnNzbDEiMCAGCSqGSIb3DQEJARYTdm11ZGFkbGFAcmVkaGF0LmNvbTAeFw0y
+MzA4MzEwMjU5NThaFw0yNDA4MzAwMjU5NThaMIGLMQswCQYDVQQGEwJVUzEOMAwG
+A1UECAwFVGV4YXMxDzANBgNVBAcMBkZyaXNjbzEQMA4GA1UECgwHUmVkIEhhdDET
+MBEGA1UECwwKTWlkZGxld2FyZTEQMA4GA1UEAwwHb3BlbnNzbDEiMCAGCSqGSIb3
+DQEJARYTdm11ZGFkbGFAcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALGx5CmXoawQ/JGC8Si7YQ2TvIgpsv+Ci1dGhoWawL6IAbM6BaMh
++p7OaxyruUfz+HEvhkEdJ80fd7pi+IMImp+HXJpF7zrnu0E5dirodjSxuUKTNLVE
+LooumiwblYuVRbQ0ut7Zs6jkxE9sryK8XXAbOGHeA/d2illwj1F2Uf/vN6DJdzmD
+Ze3znLHP2MHfCkG71e5Pizna6H3Onax5rgNiD7A883QRvvv3Y9WKJqk2mYD+W7Zn
++zRtDcDAg8cFj4hb3qNM5nsOH4aaPEExhLWlsgKW0x8jlBYvJ7oaQTv8zCqn5J94
+TgtuFLKqRq65t3YfYir8l3dOf4LyWJUQueMCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAJxz5TcflDXSbnAbrCF56CAdLYhY61LgTTwmpyZDkgCaAsFwaAPUoQrOapmDh
+ciDVCb2sc18emWq0yhPo4lDxSpWFtkfj4he0ITivu1u0tOkHzNEUKvfqcHKeEApq
+HlNLxH+DhSLE4nhWx9aKjCgNyJdv87gbhOGfpOT0Kt8KagtUc4YR5JdbtJRERZMS
+5KCfC3wwVZ+U4V5Bemgt4EaZI/LxiCS79THEozfKjUNmHwMjOfbtXmzD5iJdfbBB
+Rmx7ToUJ2ljBV+sAVFR+/DeFpz/hpaZ9QEDzYYpI5qnGDWJQtDDpmAxsk3bvYIfE
+/FKIWqt0wBgaGRKI0UUysd/c+Q==
+-----END CERTIFICATE-----

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/main/resources/ssl/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxseQpl6GsEPyR
+gvEou2ENk7yIKbL/gotXRoaFmsC+iAGzOgWjIfqezmscq7lH8/hxL4ZBHSfNH3e6
+YviDCJqfh1yaRe8657tBOXYq6HY0sblCkzS1RC6KLposG5WLlUW0NLre2bOo5MRP
+bK8ivF1wGzhh3gP3dopZcI9RdlH/7zegyXc5g2Xt85yxz9jB3wpBu9XuT4s52uh9
+zp2sea4DYg+wPPN0Eb7792PViiapNpmA/lu2Z/s0bQ3AwIPHBY+IW96jTOZ7Dh+G
+mjxBMYS1pbICltMfI5QWLye6GkE7/Mwqp+SfeE4LbhSyqkauubd2H2Iq/Jd3Tn+C
+8liVELnjAgMBAAECggEAB0vZpYePYORVqpfo1RZUlt0hGao0ql8u34eK0IOZNHmb
+MEPKpXcotkqdhVDby8ONyP/9kEDlOHv5S5Lyx1acGr7RI5iJiS6otrXoTzy6VdGS
+XNR0jpjdHFlrhTIgwtl/QjYEElB4GxBBq004J8H6SDcl6obWPNwGNEP17o9gMJUN
+esUfYd5tBuFo7ixbUU6J+9txULJGQBen6RW4y6db/pxmnQ9IZNyq50JmbZ5o3DLd
+mc4/J/k9dj300GaNXd681hU/B/fDRtqQTeTi0o1Cn+b2N55pdxN0MXYgCN9LbC4W
+IBNkAcfc7q1rUMif7UwzFUAaeSMV9U4a3EzoVJn5cQKBgQDbsyaOFBkelcVKTjtJ
+3/1XAvYA4SEAZyWjDGQ2SMoG+sl69Bspz3puY+PMQXtmttsIVBDMDiTPXSIlBSyN
+mkK5yeLNDBY5Af00V5dYOZCH4pMqtydlI48dWgO09WMJ0XSWn9ske0I7Dt9yNmRJ
+SnmjP/p1+cSTYB1JCPCJSxhKyQKBgQDPDgTh0mIbdaFatIKgayuvZvkXiRUlqbcU
+GB8qeB/xDI3PStb4h3mPlA1X1pH8fOVWUfLkZhuma5BBRD9pVuUD5muk7f5WFUmy
+iV5W6FKVBSavYpZs/CiPAHG0H9IcWoBhGOC4a2Hctb7eBMsbXZQ8B2quPQ6f4Sa7
+hw/souPJSwKBgQDIeJOwx4QYVX++Ct6szVelQw1oxgTQEk7UleUHZ6n5bnPU3tO+
+dhT4j+t4ITRSCH6a/eKJ4EoUcZ5Le4oo9971GtP6WJIamMcMMPTnyzcn10aEjrXC
+4wyfMtj5EYS6m8av/tP/WP2ZWDvqQtmFyxBtN176sdt+wxBV6XNbRAu5iQKBgHTZ
+S4YJjZZDjxi6UBGqCZBGQ4K1uPp1Sb2MU2JLQnNti0YVzTWads7BVbphfCeKcH6D
+ZtjgivAjOdirZEHVaQ8HZW5BZUw9XUblYRkYqSoyKv/FWnEM6PKy5HgrkQ6xQEwL
+lx5cc3D0HE/9UoYSDIrIALtt96fgj1Q7R5Ba6MP7AoGBAKJ1EDPGI3Nma1+RpkwS
+KHS1Ipp2AFnx+ziJ09hBTrARIBFEtcqavC9FUYIco2ZO1WQRv86XiUXJc358cOQM
++tsQoD2SzZwXsrhAg+jPHR02t4f0WY3fSO6xO3Xshh4iLBYC20RUWlWppJYQXTVm
+0MovnTnbRJ7bMNKX3o0z881a
+-----END PRIVATE KEY-----

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/test/java/org/kie/kogito/integrationtests/SecureResourceTest.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.kie.kogito.integrationtests;
+
+import javax.inject.Inject;
+
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.test.junit.QuarkusTest;
+import io.restassured.RestAssured;
+
+import static org.hamcrest.Matchers.equalTo;
+
+@QuarkusTest
+public class SecureResourceTest {
+
+    @Inject
+    GreetingService greetingService;
+
+    @Test
+    public void testSecureResource() {
+        RestAssured.given()
+                .relaxedHTTPSValidation() // Disable strict validation for testing
+                .when()
+                .get("/greeting")
+                .then()
+                .statusCode(200)
+                .body(equalTo("Hello, Quarkus!"));
+    }
+}

quarkus/integration-tests/integration-tests-quarkus-ssl-webclient-options/src/test/resources/application.properties

@@ -0,0 +1 @@
+quarkus.http.test-port=0

quarkus/integration-tests/pom.xml

@@ -41,6 +41,7 @@
         <module>integration-tests-quarkus-processes-persistence</module>
         <module>integration-tests-quarkus-source-files</module>
         <module>integration-tests-quarkus-gradle</module>
+        <module>integration-tests-quarkus-ssl-webclient-options</module>
       </modules>
     </profile>
   </profiles>