added SSL configuration properties

rashtao · rashtao · commit fdbf96b189c8 · 2025-07-22T15:12:08.000+02:00
diff --git a/core/src/main/java/com/arangodb/ArangoDB.java b/core/src/main/java/com/arangodb/ArangoDB.java
@@ -356,6 +356,7 @@ public interface ArangoDB extends ArangoSerdeAccessor {
     /**
      * Reset the server log levels
      * Revert the server's log level settings to the values they had at startup, as determined by the startup options specified on the command-line, a configuration file, and the factory defaults.
+     *
      * @since ArangoDB 3.12
      */
     LogLevelEntity resetLogLevels(LogLevelOptions options);
@@ -484,6 +485,61 @@ public Builder useSsl(final Boolean useSsl) {
             return this;
         }
 
+        /**
+         * Sets the SSL certificate value as Base64 encoded String
+         *
+         * @param sslCertValue the SSL certificate value as Base64 encoded String
+         * @return {@link ArangoDB.Builder}
+         */
+        public Builder sslCertValue(final String sslCertValue) {
+            config.setSslCertValue(sslCertValue);
+            return this;
+        }
+
+        /**
+         * Sets the SSL certificate type, default: {@code X.509}
+         *
+         * @param sslCertType the SSL certificate type
+         * @return {@link ArangoDB.Builder}
+         */
+        public Builder sslCertType(final String sslCertType) {
+            config.setSslCertType(sslCertType);
+            return this;
+        }
+
+        /**
+         * Sets the SSL Trust manager algorithm
+         *
+         * @param sslAlgorithm the name of the SSL Trust manager algorithm
+         * @return {@link ArangoDB.Builder}
+         */
+        public Builder sslAlgorithm(final String sslAlgorithm) {
+            config.setSslAlgorithm(sslAlgorithm);
+            return this;
+        }
+
+        /**
+         * Sets the SSL keystore type
+         *
+         * @param sslKeystoreType the SSL keystore type
+         * @return {@link ArangoDB.Builder}
+         */
+        public Builder sslKeystoreType(final String sslKeystoreType) {
+            config.setSslKeystoreType(sslKeystoreType);
+            return this;
+        }
+
+        /**
+         * Sets the SSLContext protocol, default: {@code TLS}
+         *
+         * @param sslProtocol the name of the SSLContext protocol
+         * @return {@link ArangoDB.Builder}
+         */
+        public Builder sslProtocol(final String sslProtocol) {
+            config.setSslProtocol(sslProtocol);
+            return this;
+        }
+
         /**
          * Sets the SSL context to be used when {@code true} is passed through {@link #useSsl(Boolean)}.
          *
@@ -716,6 +772,7 @@ public Builder compressionLevel(Integer level) {
 
         /**
          * Configuration specific for {@link com.arangodb.internal.net.ProtocolProvider}.
+         *
          * @return {@link ArangoDB.Builder}
          */
         public Builder protocolConfig(ProtocolConfig protocolConfig) {
diff --git a/core/src/main/java/com/arangodb/config/ArangoConfigProperties.java b/core/src/main/java/com/arangodb/config/ArangoConfigProperties.java
@@ -19,6 +19,11 @@ public interface ArangoConfigProperties {
     String KEY_JWT = "jwt";
     String KEY_TIMEOUT = "timeout";
     String KEY_USE_SSL = "useSsl";
+    String KEY_SSL_CERT_VALUE = "sslCertValue";
+    String KEY_SSL_CERT_TYPE = "sslCertType";
+    String KEY_SSL_ALGORITHM = "sslAlgorithm";
+    String KEY_SSL_KEYSTORE_TYPE = "sslKeystoreType";
+    String KEY_SSL_PROTOCOL = "sslProtocol";
     String KEY_VERIFY_HOST = "verifyHost";
     String KEY_CHUNK_SIZE = "chunkSize";
     String KEY_PIPELINING = "pipelining";
@@ -103,6 +108,26 @@ default Optional<Boolean> getUseSsl() {
         return Optional.empty();
     }
 
+    default Optional<String> getSslCertValue() {
+        return Optional.empty();
+    }
+
+    default Optional<String> getSslCertType() {
+        return Optional.empty();
+    }
+
+    default Optional<String> getSslAlgorithm() {
+        return Optional.empty();
+    }
+
+    default Optional<String> getSslKeystoreType() {
+        return Optional.empty();
+    }
+
+    default Optional<String> getSslProtocol() {
+        return Optional.empty();
+    }
+
     default Optional<Boolean> getVerifyHost() {
         return Optional.empty();
     }
diff --git a/core/src/main/java/com/arangodb/internal/ArangoDefaults.java b/core/src/main/java/com/arangodb/internal/ArangoDefaults.java
@@ -48,6 +48,9 @@ public final class ArangoDefaults {
     public static final Integer DEFAULT_TIMEOUT = 0;
     public static final Long DEFAULT_CONNECTION_TTL_HTTP = 30_000L;
     public static final Boolean DEFAULT_USE_SSL = false;
+    public static final String DEFAULT_SSL_CERT_TYPE = "X.509";
+    public static final String DEFAULT_SSL_CERT_ALIAS = "arangodb";
+    public static final String DEFAULT_SSL_PROTOCOL = "TLS";
     public static final Boolean DEFAULT_VERIFY_HOST = true;
     public static final Integer DEFAULT_CHUNK_SIZE = 30_000;
     public static final Boolean DEFAULT_PIPELINING = false;
diff --git a/core/src/main/java/com/arangodb/internal/config/ArangoConfig.java b/core/src/main/java/com/arangodb/internal/config/ArangoConfig.java
@@ -16,7 +16,12 @@
 import com.fasterxml.jackson.databind.Module;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.ByteArrayInputStream;
 import java.lang.reflect.InvocationTargetException;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
 import java.util.*;
 import java.util.concurrent.Executor;
 import java.util.stream.Collectors;
@@ -30,6 +35,11 @@ public class ArangoConfig {
     private String password;
     private String jwt;
     private Boolean useSsl;
+    private Optional<String> sslCertValue;
+    private String sslCertType;
+    private Optional<String> sslAlgorithm;
+    private Optional<String> sslKeystoreType;
+    private String sslProtocol;
     private SSLContext sslContext;
     private Boolean verifyHost;
     private Integer chunkSize;
@@ -69,6 +79,11 @@ public void loadProperties(final ArangoConfigProperties properties) {
         // FIXME: make jwt field Optional
         jwt = properties.getJwt().orElse(null);
         useSsl = properties.getUseSsl().orElse(ArangoDefaults.DEFAULT_USE_SSL);
+        sslCertValue = properties.getSslCertValue();
+        sslCertType = properties.getSslCertType().orElse(ArangoDefaults.DEFAULT_SSL_CERT_TYPE);
+        sslAlgorithm = properties.getSslAlgorithm();
+        sslKeystoreType = properties.getSslKeystoreType();
+        sslProtocol = properties.getSslProtocol().orElse(ArangoDefaults.DEFAULT_SSL_PROTOCOL);
         verifyHost = properties.getVerifyHost().orElse(ArangoDefaults.DEFAULT_VERIFY_HOST);
         chunkSize = properties.getChunkSize().orElse(ArangoDefaults.DEFAULT_CHUNK_SIZE);
         pipelining = properties.getPipelining().orElse(ArangoDefaults.DEFAULT_PIPELINING);
@@ -151,7 +166,30 @@ public void setUseSsl(Boolean useSsl) {
         this.useSsl = useSsl;
     }
 
+    public void setSslCertValue(String sslCertValue) {
+        this.sslCertValue = Optional.ofNullable(sslCertValue);
+    }
+
+    public void setSslCertType(String sslCertType) {
+        this.sslCertType = sslCertType;
+    }
+
+    public void setSslAlgorithm(String sslAlgorithm) {
+        this.sslAlgorithm = Optional.ofNullable(sslAlgorithm);
+    }
+
+    public void setSslKeystoreType(String sslKeystoreType) {
+        this.sslKeystoreType = Optional.ofNullable(sslKeystoreType);
+    }
+
+    public void setSslProtocol(String sslProtocol) {
+        this.sslProtocol = sslProtocol;
+    }
+
     public SSLContext getSslContext() {
+        if (sslContext == null) {
+            sslContext = createSslContext();
+        }
         return sslContext;
     }
 
@@ -342,4 +380,26 @@ public ProtocolConfig getProtocolConfig() {
     public void setProtocolConfig(ProtocolConfig protocolConfig) {
         this.protocolConfig = protocolConfig;
     }
+
+    private SSLContext createSslContext() {
+        try {
+            if (sslCertValue.isPresent()) {
+                ByteArrayInputStream is = new ByteArrayInputStream(Base64.getDecoder().decode(sslCertValue.get()));
+                Certificate cert = CertificateFactory.getInstance(sslCertType).generateCertificate(is);
+                KeyStore ks = KeyStore.getInstance(sslKeystoreType.orElseGet(KeyStore::getDefaultType));
+                ks.load(null);
+                ks.setCertificateEntry("arangodb", cert);
+                TrustManagerFactory tmf = TrustManagerFactory.getInstance(sslAlgorithm.orElseGet(TrustManagerFactory::getDefaultAlgorithm));
+                tmf.init(ks);
+                SSLContext sc = SSLContext.getInstance(sslProtocol);
+                sc.init(null, tmf.getTrustManagers(), null);
+                return sc;
+            } else {
+                return SSLContext.getDefault();
+            }
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
 }
diff --git a/core/src/main/java/com/arangodb/internal/config/ArangoConfigPropertiesImpl.java b/core/src/main/java/com/arangodb/internal/config/ArangoConfigPropertiesImpl.java
@@ -109,6 +109,31 @@ public Optional<Boolean> getUseSsl() {
         return Optional.ofNullable(getProperty(KEY_USE_SSL)).map(Boolean::valueOf);
     }
 
+    @Override
+    public Optional<String> getSslCertValue() {
+        return Optional.ofNullable(getProperty(KEY_SSL_CERT_VALUE));
+    }
+
+    @Override
+    public Optional<String> getSslCertType() {
+        return Optional.ofNullable(getProperty(KEY_SSL_CERT_TYPE));
+    }
+
+    @Override
+    public Optional<String> getSslAlgorithm() {
+        return Optional.ofNullable(getProperty(KEY_SSL_ALGORITHM));
+    }
+
+    @Override
+    public Optional<String> getSslKeystoreType() {
+        return Optional.ofNullable(getProperty(KEY_SSL_KEYSTORE_TYPE));
+    }
+
+    @Override
+    public Optional<String> getSslProtocol() {
+        return Optional.ofNullable(getProperty(KEY_SSL_PROTOCOL));
+    }
+
     @Override
     public Optional<Boolean> getVerifyHost() {
         return Optional.ofNullable(getProperty(KEY_VERIFY_HOST)).map(Boolean::valueOf);
diff --git a/http-protocol/src/main/java/com/arangodb/http/HttpConnection.java b/http-protocol/src/main/java/com/arangodb/http/HttpConnection.java
@@ -55,7 +55,6 @@
 import org.slf4j.LoggerFactory;
 
 import javax.net.ssl.SSLContext;
-import java.security.NoSuchAlgorithmException;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.Map.Entry;
@@ -169,17 +168,7 @@ private static String getUserAgent() {
         }
 
         if (Boolean.TRUE.equals(config.getUseSsl())) {
-            SSLContext ctx;
-            if (config.getSslContext() != null) {
-                ctx = config.getSslContext();
-            } else {
-                try {
-                    ctx = SSLContext.getDefault();
-                } catch (NoSuchAlgorithmException e) {
-                    throw ArangoDBException.of(e);
-                }
-            }
-
+            SSLContext ctx = config.getSslContext();
             webClientOptions
                     .setSsl(true)
                     .setUseAlpn(true)
diff --git a/test-functional/src/test-ssl/java/com/arangodb/ArangoSslTest.java b/test-functional/src/test-ssl/java/com/arangodb/ArangoSslTest.java
@@ -20,6 +20,7 @@
 
 package com.arangodb;
 
+import com.arangodb.config.ArangoConfigProperties;
 import com.arangodb.entity.ArangoDBVersion;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.EnumSource;
@@ -55,6 +56,36 @@ void connect(Protocol protocol) {
         assertThat(version).isNotNull();
     }
 
+    @ParameterizedTest
+    @EnumSource(Protocol.class)
+    void connectWithProperties(Protocol protocol) {
+        assumeTrue(protocol != Protocol.VST);
+
+        final ArangoDB arangoDB = new ArangoDB.Builder()
+                .protocol(protocol)
+                .host("172.28.0.1", 8529)
+                .password("test")
+                .useSsl(true)
+                .sslCertValue("MIIDezCCAmOgAwIBAgIEeDCzXzANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjAxMTAxMTg1MTE5WhcNMzAxMDMwMTg1MTE5WjBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1WiDnd4+uCmMG539ZNZB8NwI0RZF3sUSQGPx3lkqaFTZVEzMZL76HYvdc9Qg7difyKyQ09RLSpMALX9euSseD7bZGnfQH52BnKcT09eQ3wh7aVQ5sN2omygdHLC7X9usntxAfv7NzmvdogNXoJQyY/hSZff7RIqWH8NnAUKkjqOe6Bf5LDbxHKESmrFBxOCOnhcpvZWetwpiRdJVPwUn5P82CAZzfiBfmBZnB7D0l+/6Cv4jMuH26uAIcixnVekBQzl1RgwczuiZf2MGO64vDMMJJWE9ClZF1uQuQrwXF6qwhuP1Hnkii6wNbTtPWlGSkqeutr004+Hzbf8KnRY4PAgMBAAGjITAfMB0GA1UdDgQWBBTBrv9Awynt3C5IbaCNyOW5v4DNkTANBgkqhkiG9w0BAQsFAAOCAQEAIm9rPvDkYpmzpSIhR3VXG9Y71gxRDrqkEeLsMoEyqGnw/zx1bDCNeGg2PncLlW6zTIipEBooixIE9U7KxHgZxBy0Et6EEWvIUmnr6F4F+dbTD050GHlcZ7eOeqYTPYeQC502G1Fo4tdNi4lDP9L9XZpf7Q1QimRH2qaLS03ZFZa2tY7ah/RQqZL8Dkxx8/zc25sgTHVpxoK853glBVBs/ENMiyGJWmAXQayewY3EPt/9wGwV4KmU3dPDleQeXSUGPUISeQxFjy+jCw21pYviWVJTNBA9l5ny3GhEmcnOT/gQHCvVRLyGLMbaMZ4JrPwb+aAtBgrgeiK4xeSMMvrbhw==")
+                .verifyHost(false)
+                .build();
+        final ArangoDBVersion version = arangoDB.getVersion();
+        assertThat(version).isNotNull();
+    }
+
+    @ParameterizedTest
+    @EnumSource(Protocol.class)
+    void connectWithFileProperties(Protocol protocol) {
+        assumeTrue(protocol != Protocol.VST);
+
+        final ArangoDB arangoDB = new ArangoDB.Builder()
+                .loadProperties(ArangoConfigProperties.fromFile("arangodb-ssl.properties"))
+                .protocol(protocol)
+                .build();
+        final ArangoDBVersion version = arangoDB.getVersion();
+        assertThat(version).isNotNull();
+    }
+
     @ParameterizedTest
     @EnumSource(Protocol.class)
     void connectWithoutValidSslContext(Protocol protocol) {
diff --git a/test-functional/src/test/java/com/arangodb/ArangoConfigTest.java b/test-functional/src/test/java/com/arangodb/ArangoConfigTest.java
@@ -5,11 +5,15 @@
 import com.arangodb.internal.config.ArangoConfig;
 import org.junit.jupiter.api.Test;
 
+import javax.net.ssl.SSLContext;
+
+import java.security.NoSuchAlgorithmException;
+
 import static org.assertj.core.api.Assertions.assertThat;
 
 public class ArangoConfigTest {
     @Test
-    void ArangoConfigDefaultValues() {
+    void ArangoConfigDefaultValues() throws NoSuchAlgorithmException {
         ArangoConfig cfg = new ArangoConfig();
         assertThat(cfg.getHosts()).isEqualTo(ArangoDefaults.DEFAULT_HOSTS);
         assertThat(cfg.getProtocol()).isEqualTo(Protocol.HTTP2_JSON);
@@ -18,7 +22,7 @@ void ArangoConfigDefaultValues() {
         assertThat(cfg.getPassword()).isNull();
         assertThat(cfg.getJwt()).isNull();
         assertThat(cfg.getUseSsl()).isEqualTo(ArangoDefaults.DEFAULT_USE_SSL);
-        assertThat(cfg.getSslContext()).isNull();
+        assertThat(cfg.getSslContext()).isEqualTo(SSLContext.getDefault());
         assertThat(cfg.getVerifyHost()).isEqualTo(ArangoDefaults.DEFAULT_VERIFY_HOST);
         assertThat(cfg.getChunkSize()).isEqualTo(ArangoDefaults.DEFAULT_CHUNK_SIZE);
         assertThat(cfg.getMaxConnections()).isEqualTo(ArangoDefaults.MAX_CONNECTIONS_HTTP2_DEFAULT);
diff --git a/test-functional/src/test/resources/arangodb-ssl.properties b/test-functional/src/test/resources/arangodb-ssl.properties
@@ -0,0 +1,9 @@
+arangodb.hosts=172.28.0.1:8529
+arangodb.password=test
+arangodb.useSsl=true
+arangodb.sslCertValue=MIIDezCCAmOgAwIBAgIEeDCzXzANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjAxMTAxMTg1MTE5WhcNMzAxMDMwMTg1MTE5WjBuMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRIwEAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1WiDnd4+uCmMG539ZNZB8NwI0RZF3sUSQGPx3lkqaFTZVEzMZL76HYvdc9Qg7difyKyQ09RLSpMALX9euSseD7bZGnfQH52BnKcT09eQ3wh7aVQ5sN2omygdHLC7X9usntxAfv7NzmvdogNXoJQyY/hSZff7RIqWH8NnAUKkjqOe6Bf5LDbxHKESmrFBxOCOnhcpvZWetwpiRdJVPwUn5P82CAZzfiBfmBZnB7D0l+/6Cv4jMuH26uAIcixnVekBQzl1RgwczuiZf2MGO64vDMMJJWE9ClZF1uQuQrwXF6qwhuP1Hnkii6wNbTtPWlGSkqeutr004+Hzbf8KnRY4PAgMBAAGjITAfMB0GA1UdDgQWBBTBrv9Awynt3C5IbaCNyOW5v4DNkTANBgkqhkiG9w0BAQsFAAOCAQEAIm9rPvDkYpmzpSIhR3VXG9Y71gxRDrqkEeLsMoEyqGnw/zx1bDCNeGg2PncLlW6zTIipEBooixIE9U7KxHgZxBy0Et6EEWvIUmnr6F4F+dbTD050GHlcZ7eOeqYTPYeQC502G1Fo4tdNi4lDP9L9XZpf7Q1QimRH2qaLS03ZFZa2tY7ah/RQqZL8Dkxx8/zc25sgTHVpxoK853glBVBs/ENMiyGJWmAXQayewY3EPt/9wGwV4KmU3dPDleQeXSUGPUISeQxFjy+jCw21pYviWVJTNBA9l5ny3GhEmcnOT/gQHCvVRLyGLMbaMZ4JrPwb+aAtBgrgeiK4xeSMMvrbhw==
+arangodb.sslCertType=X.509
+arangodb.sslAlgorithm=SunX509
+arangodb.sslKeystoreType=jks
+arangodb.sslProtocol=TLS
+arangodb.verifyHost=false
diff --git a/test-non-functional/src/test/java/mp/ConfigMPDefaultsTest.java b/test-non-functional/src/test/java/mp/ConfigMPDefaultsTest.java
@@ -23,6 +23,11 @@ private void checkResult(ArangoConfigProperties config) {
         assertThat(config.getJwt()).isNotPresent();
         assertThat(config.getTimeout()).isEmpty();
         assertThat(config.getUseSsl()).isEmpty();
+        assertThat(config.getSslCertValue()).isEmpty();
+        assertThat(config.getSslCertType()).isEmpty();
+        assertThat(config.getSslAlgorithm()).isEmpty();
+        assertThat(config.getSslKeystoreType()).isEmpty();
+        assertThat(config.getSslProtocol()).isEmpty();
         assertThat(config.getVerifyHost()).isEmpty();
         assertThat(config.getChunkSize()).isEmpty();
         assertThat(config.getPipelining()).isEmpty();
diff --git a/test-non-functional/src/test/java/mp/ConfigMPTest.java b/test-non-functional/src/test/java/mp/ConfigMPTest.java
@@ -21,6 +21,11 @@ class ConfigMPTest {
     private final String jwt = "testJwt";
     private final Integer timeout = 9876;
     private final Boolean useSsl = true;
+    private final String sslCertValue = "sslCertValue";
+    private final String sslCertType = "sslCertType";
+    private final String sslAlgorithm = "sslAlgorithm";
+    private final String sslKeystoreType = "sslKeystoreType";
+    private final String sslProtocol = "sslProtocol";
     private final Boolean verifyHost = false;
     private final Integer vstChunkSize = 1234;
     private final Boolean pipelining = true;
@@ -57,6 +62,11 @@ private void checkResult(ArangoConfigProperties config) {
                 .hasValue(jwt);
         assertThat(config.getTimeout()).hasValue(timeout);
         assertThat(config.getUseSsl()).hasValue(useSsl);
+        assertThat(config.getSslCertValue()).hasValue(sslCertValue);
+        assertThat(config.getSslCertType()).hasValue(sslCertType);
+        assertThat(config.getSslAlgorithm()).hasValue(sslAlgorithm);
+        assertThat(config.getSslKeystoreType()).hasValue(sslKeystoreType);
+        assertThat(config.getSslProtocol()).hasValue(sslProtocol);
         assertThat(config.getVerifyHost()).hasValue(verifyHost);
         assertThat(config.getChunkSize()).hasValue(vstChunkSize);
         assertThat(config.getPipelining()).hasValue(pipelining);
diff --git a/test-non-functional/src/test/resources/arangodb-config-test.properties b/test-non-functional/src/test/resources/arangodb-config-test.properties
diff --git a/vst-protocol/src/main/java/com/arangodb/vst/internal/VstConnection.java b/vst-protocol/src/main/java/com/arangodb/vst/internal/VstConnection.java
