puppet: remove okhttp dependency (#160)

tasks/puppet/README.md

@@ -159,3 +159,30 @@ connectivity from a process.
 ```
 docker network connect pupperware_default agent
 ```
+
+## Wiremock Certificate
+
+A certificate and private key are included in [`./wiremock_cert`](./wiremock_cert)
+for unit testing https termination. The tests depend on validation of connections
+to `localhost`.
+
+To recreate the cert and private key, if needed, execute:
+
+```shell
+# generate the private key to become a local CA
+$ openssl genrsa -des3 -out ca.key 2048
+
+# generate CA root cert
+$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 99999 -out ca.pem
+
+# generate private key for server certificate
+$ openssl genrsa -out server.key 2048
+
+# create CSR
+$ openssl req -new -key server.key -out server.csr
+
+# generate server cert
+# cert.ext is also a resource in the project
+$ openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 99999 -sha256 -extfile cert.ext
+```

tasks/puppet/pom.xml

@@ -55,11 +55,6 @@
             <artifactId>jackson-annotations</artifactId>
             <scope>provided</scope>
         </dependency>
-        <dependency>
-            <groupId>com.squareup.okhttp3</groupId>
-            <artifactId>okhttp</artifactId>
-            <version>${okhttp.version}</version>
-        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
@@ -82,5 +77,11 @@
             <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <version>4.9.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
-</project>
+</project>

tasks/puppet/src/main/java/com/walmartlabs/concord/plugins/puppet/Constants.java

@@ -48,13 +48,16 @@ public static class Keys {
         public static final String TOKEN_LABEL_KEY = "tokenLabel";
         public static final String TOKEN_DESCRIPTION_KEY = "tokenDescription";
 
-        // Connection Keys
+        // HTTP Connection Keys
         public static final String CONNECT_TIMEOUT_KEY = "connectTimeout";
         public static final String READ_TIMEOUT_KEY = "readTimeout";
         public static final String WRITE_TIMEOUT_KEY = "writeTimeout";
+        public static final String HTTP_VERSION_KEY = "httpVersion";
+        public static final String HTTP_RETRIES_KEY = "httpRetries";
 
         // Certificate info
         public static final String VALIDATE_CERTS_KEY = "validateCerts";
+        public static final String VALIDATE_CERTS_NOT_AFTER_KEY = "validateCertsNotAfter";
         public static final String CERTIFICATE_KEY = "certificate";
         public static final String CERTIFICATE_SECRET_KEY = "secret";
         public static final String CERTIFICATE_ORG_KEY = "org";

tasks/puppet/src/main/java/com/walmartlabs/concord/plugins/puppet/IgnoringTrustManager.java

@@ -0,0 +1,81 @@
+package com.walmartlabs.concord.plugins.puppet;
+
+/*-
+ * *****
+ * Concord
+ * -----
+ * Copyright (C) 2017 - 2024 Walmart Inc., Concord Authors
+ * -----
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * =====
+ */
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.time.ZoneOffset;
+import java.time.ZonedDateTime;
+
+public class IgnoringTrustManager implements X509TrustManager {
+    private final boolean validateNotAfter;
+
+    public IgnoringTrustManager(boolean validateNotAfter) {
+        this.validateNotAfter = validateNotAfter;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        assertDateValidity(chain);
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        assertDateValidity(chain);
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+    }
+
+    private void assertDateValidity(X509Certificate[] chain) throws CertificateException {
+        if (!validateNotAfter) {
+            return;
+        }
+
+        for (X509Certificate cert : chain) {
+            assertDateValidity(cert);
+        }
+    }
+
+    static void assertDateValidity(X509Certificate cert) throws CertificateException {
+        var epochSecond = cert.getNotAfter().toInstant().getEpochSecond();
+        var notAfter = LocalDateTime.ofEpochSecond(epochSecond, 0, ZoneOffset.ofHours(0));
+        var now = ZonedDateTime.now(ZoneId.of("UTC")).toLocalDateTime();
+
+        if (now.isAfter(notAfter)) {
+            var name = cert.getSubjectX500Principal().getName();
+            throw new CertificateException("Validity expired for certificate '"
+                    + name + "'. Now: " + now + ", notAfter: " + notAfter);
+        }
+    }
+
+    public static TrustManager[] getManagers(boolean validateNotAfter) {
+        TrustManager[] tms = new TrustManager[1];
+        tms[0] = new IgnoringTrustManager(validateNotAfter);
+        return tms;
+    }
+}