fix(rabbitmq): use Netty SslContext for SSL setup (#158)

* build(deps): update jackson-databind dependency to latest version

* fix: simplify SSL setup in RabbitMQSetupUtils and utilize Netty's SslContext

---------

Co-authored-by: luisgomez29 <luisgaleano002@gamil.com>

Author: luisgomez29

async/async-commons/async-commons.gradle

@@ -9,7 +9,7 @@ dependencies {
     api project(':cloudevents-json-jackson')
 
     compileOnly 'io.projectreactor:reactor-core'
-    api 'tools.jackson.core:jackson-databind:3.0.3'
+    api 'tools.jackson.core:jackson-databind'
     implementation 'commons-io:commons-io:2.21.0'
     implementation 'io.cloudevents:cloudevents-core:4.0.1'
 

async/async-rabbit/async-rabbit.gradle

@@ -13,7 +13,7 @@ dependencies {
     api 'io.projectreactor:reactor-core-micrometer'
     api 'io.projectreactor.rabbitmq:reactor-rabbitmq:1.5.6'
     api 'com.rabbitmq:amqp-client'
-    api 'tools.jackson.core:jackson-databind:3.0.3'
+    api 'tools.jackson.core:jackson-databind'
 
     implementation 'io.cloudevents:cloudevents-core:4.0.1'
     testImplementation 'io.projectreactor:reactor-test'

async/cloudevents-json-jackson/cloudevents-json-jackson.gradle

@@ -4,7 +4,7 @@ ext {
 }
 
 dependencies {
-    api 'tools.jackson.core:jackson-databind:3.0.3'
+    api 'tools.jackson.core:jackson-databind'
     implementation 'io.cloudevents:cloudevents-api:4.0.1'
     implementation 'io.cloudevents:cloudevents-core:4.0.1'
 }

async/cloudevents-json-jackson/src/main/java/io/cloudevents/jackson/CloudEventDeserializer.java

@@ -45,10 +45,6 @@ class CloudEventDeserializer extends StdDeserializer<CloudEvent> {
     private final boolean forceIgnoreInvalidExtensionNameDeserialization;
     private final boolean disableDataContentTypeDefaulting;
 
-    protected CloudEventDeserializer() {
-        this(false, false, false);
-    }
-
     protected CloudEventDeserializer(
             boolean forceExtensionNameLowerCaseDeserialization,
             boolean forceIgnoreInvalidExtensionNameDeserialization,

async/cloudevents-json-jackson/src/test/java/io/cloudevents/jackson/data/Data.java

@@ -125,7 +125,7 @@ public class Data {
             .withExtension("integer", 42)
             .withExtension("decimal", new BigDecimal("42.42"))
             .withExtension("float", 4.2f)
-            .withExtension("long", new Long(4200))
+            .withExtension("long",4200L)
             .build();
 
     public static Stream<CloudEvent> allEvents() {

build.gradle

@@ -12,15 +12,15 @@ buildscript {
 
 plugins {
     id 'jacoco'
-    id 'org.sonarqube' version '7.2.0.6526'
-    id 'org.springframework.boot' version '4.0.0' apply false
+    id 'org.sonarqube' version '7.2.2.6593'
+    id 'org.springframework.boot' version '4.0.1' apply false
     id 'io.github.gradle-nexus.publish-plugin' version '2.0.0'
-    id 'co.com.bancolombia.cleanArchitecture' version '3.28.0'
+    id 'co.com.bancolombia.cleanArchitecture' version '4.0.0'
 }
 
 repositories {
     mavenCentral()
 }
 
 apply from: './main.gradle'
-apply plugin: 'com.github.ben-manes.versions'
+apply plugin: 'com.github.ben-manes.versions'

domain/domain-events/domain-events-api.gradle

@@ -6,5 +6,4 @@ ext {
 dependencies {
     api 'org.reactivestreams:reactive-streams:1.0.4'
     api 'io.cloudevents:cloudevents-api:4.0.1'
-    implementation 'io.cloudevents:cloudevents-json-jackson:4.0.1'
 }

main.gradle

@@ -66,7 +66,7 @@ subprojects {
         testCompileOnly 'org.projectlombok:lombok'
     }
 
-    //TODO: Remove once it has been updated in spring boot 4.0.1
+    //TODO: Remove once it has been updated in spring boot
     ext["rabbit-amqp-client.version"] = '5.28.0'
 
     test.finalizedBy(project.tasks.jacocoTestReport)
@@ -90,7 +90,7 @@ subprojects {
 
     dependencyManagement {
         imports {
-            mavenBom 'org.springframework.boot:spring-boot-dependencies:4.0.0'
+            mavenBom 'org.springframework.boot:spring-boot-dependencies:4.0.1'
         }
     }
 

starters/async-rabbit-starter/src/main/java/org/reactivecommons/async/rabbit/RabbitMQSetupUtils.java

@@ -2,6 +2,8 @@
 
 import com.rabbitmq.client.Connection;
 import com.rabbitmq.client.ConnectionFactory;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
 import lombok.extern.java.Log;
@@ -31,24 +33,17 @@
 import reactor.rabbitmq.Utils;
 import reactor.util.retry.Retry;
 
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509TrustManager;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.security.KeyManagementException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertificateException;
 import java.time.Duration;
-import java.util.Arrays;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.logging.Level;
@@ -57,29 +52,12 @@
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public final class RabbitMQSetupUtils {
     private static final String SHARED_TYPE = "shared";
-    private static final String DEFAULT_PROTOCOL;
     public static final int START_INTERVAL = 300;
     public static final int MAX_BACKOFF_INTERVAL = 3000;
 
     private static final ConcurrentMap<AsyncProps, ConnectionFactory> FACTORY_CACHE = new ConcurrentHashMap<>();
     private static final ConcurrentMap<ConnectionFactory, Mono<Connection>> CONNECTION_CACHE = new ConcurrentHashMap<>();
 
-    static {
-        String protocol = "TLSv1.1";
-        try {
-            String[] protocols = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
-            for (String prot : protocols) {
-                if ("TLSv1.2".equals(prot)) {
-                    protocol = "TLSv1.2";
-                    break;
-                }
-            }
-        } catch (NoSuchAlgorithmException e) {
-            // nothing
-        }
-        DEFAULT_PROTOCOL = protocol;
-    }
-
     public static ConnectionFactoryProvider connectionFactoryProvider(AsyncProps asyncProps,
                                                                       ConnectionFactoryCustomizer cfCustomizer) {
         final ConnectionFactory factory = FACTORY_CACHE.computeIfAbsent(asyncProps, props -> {
@@ -177,54 +155,56 @@ private static Mono<Connection> createConnectionMono(ConnectionFactory factory,
 
     // SSL based on RabbitConnectionFactoryBean
     // https://github.com/spring-projects/spring-amqp/blob/main/spring-rabbit/src/main/java/org/springframework/amqp/rabbit/connection/RabbitConnectionFactoryBean.java
+    // Adapted for Netty: https://www.rabbitmq.com/client-libraries/java-api-guide#netty
 
     private static void setUpSSL(ConnectionFactory factory, RabbitProperties properties)
-            throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException,
+            throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException,
             CertificateException, IOException {
         var ssl = properties.getSsl();
         if (ssl != null && ssl.isEnabled()) {
-            var keyManagers = configureKeyManagers(ssl);
-            var trustManagers = configureTrustManagers(ssl);
-            var secureRandom = SecureRandom.getInstanceStrong();
+            SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+            // Configure TrustManager
+            var trustManagerFactory = configureTrustManagerFactory(ssl);
+            sslContextBuilder.trustManager(trustManagerFactory);
 
-            if (log.isLoggable(Level.FINE)) {
-                log.fine("Initializing SSLContext with KM: " + Arrays.toString(keyManagers) +
-                        ", TM: " + Arrays.toString(trustManagers) + ", random: " + secureRandom);
+            // Configure KeyManager if keystore is provided
+            if (ssl.getKeyStore() != null) {
+                var keyManagerFactory = configureKeyManagerFactory(ssl);
+                sslContextBuilder.keyManager(keyManagerFactory);
             }
-            var context = createSSLContext(ssl);
-            context.init(keyManagers, trustManagers, secureRandom);
-            factory.useSslProtocol(context);
 
-            logDetails(trustManagers);
+            // Set SSL protocol if specified
+            if (ssl.getAlgorithm() != null) {
+                log.info("Using SSL protocol: " + ssl.getAlgorithm());
+            }
+
+            SslContext sslContext = sslContextBuilder.build();
+            factory.netty().sslContext(sslContext);
 
             if (ssl.isVerifyHostname()) {
                 factory.enableHostnameVerification();
             }
         }
     }
 
-    private static KeyManager[] configureKeyManagers(RabbitPropertiesBase.Ssl ssl) throws KeyStoreException,
-            IOException,
-            NoSuchAlgorithmException,
+    private static KeyManagerFactory configureKeyManagerFactory(RabbitPropertiesBase.Ssl ssl)
+            throws KeyStoreException, IOException, NoSuchAlgorithmException,
             CertificateException, UnrecoverableKeyException {
-        KeyManager[] keyManagers = null;
-        if (ssl.getKeyStore() != null) {
-            var ks = KeyStore.getInstance(ssl.getKeyStoreType());
-            char[] keyPassphrase = null;
-            if (ssl.getKeyStorePassword() != null) {
-                keyPassphrase = ssl.getKeyStorePassword().toCharArray();
-            }
-            try (var inputStream = new FileInputStream(ssl.getKeyStore())) {
-                ks.load(inputStream, keyPassphrase);
-            }
-            var kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-            kmf.init(ks, keyPassphrase);
-            keyManagers = kmf.getKeyManagers();
+        var ks = KeyStore.getInstance(ssl.getKeyStoreType());
+        char[] keyPassphrase = null;
+        if (ssl.getKeyStorePassword() != null) {
+            keyPassphrase = ssl.getKeyStorePassword().toCharArray();
         }
-        return keyManagers;
+        try (var inputStream = new FileInputStream(ssl.getKeyStore())) {
+            ks.load(inputStream, keyPassphrase);
+        }
+        var kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(ks, keyPassphrase);
+        return kmf;
     }
 
-    private static TrustManager[] configureTrustManagers(RabbitPropertiesBase.Ssl ssl)
+    private static TrustManagerFactory configureTrustManagerFactory(RabbitPropertiesBase.Ssl ssl)
             throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
         KeyStore tks = null;
         if (ssl.getTrustStore() != null) {
@@ -240,24 +220,7 @@ private static TrustManager[] configureTrustManagers(RabbitPropertiesBase.Ssl ss
 
         var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
         tmf.init(tks);
-        return tmf.getTrustManagers();
-    }
-
-    private static SSLContext createSSLContext(RabbitPropertiesBase.Ssl ssl) throws NoSuchAlgorithmException {
-        return SSLContext.getInstance(ssl.getAlgorithm() != null ? ssl.getAlgorithm() : DEFAULT_PROTOCOL);
-    }
-
-    private static void logDetails(TrustManager[] managers) {
-        var found = false;
-        for (var trustManager : managers) {
-            if (trustManager instanceof X509TrustManager x509TrustManager) {
-                found = true;
-                log.info("Loaded " + x509TrustManager.getAcceptedIssuers().length + " accepted issuers for rabbitmq");
-            }
-        }
-        if (!found) {
-            log.warning("No X509TrustManager found in the truststore.");
-        }
+        return tmf;
     }
 
 }