Merge pull request #192 from AikidoSec/update-http-client-ssl-context

Update way API works: use custom SSL Context

Author: bitterpanda63

agent_api/src/main/java/dev/aikido/agent_api/background/cloud/RealtimeAPI.java

@@ -11,7 +11,11 @@
 import java.net.http.HttpResponse;
 import java.time.Duration;
 import java.util.Optional;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.security.KeyStore;
 
+import static dev.aikido.agent_api.background.cloud.SSLContextHelper.createDefaultSSLContext;
 import static dev.aikido.agent_api.helpers.env.Endpoints.getAikidoRealtimeEndpoint;
 
 public class RealtimeAPI {
@@ -25,10 +29,12 @@ public RealtimeAPI(Token token) {
         this.token = token;
     }
     public record ConfigResponse(long configUpdatedAt) {}
+
     public Optional<ConfigResponse> getConfig() {
         try {
             HttpClient httpClient = HttpClient.newBuilder()
                     .connectTimeout(Duration.ofSeconds(timeoutInSec))
+                    .sslContext(createDefaultSSLContext())
                     .build();
             URI uri = URI.create(endpoint + "config");
             HttpRequest request = createConfigRequest(token.get(), uri);

agent_api/src/main/java/dev/aikido/agent_api/background/cloud/SSLContextHelper.java

@@ -0,0 +1,20 @@
+package dev.aikido.agent_api.background.cloud;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.security.KeyStore;
+
+public final class SSLContextHelper {
+    private SSLContextHelper() {}
+    public static SSLContext createDefaultSSLContext() throws Exception {
+        // Get the default TrustManagerFactory
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        trustManagerFactory.init((KeyStore) null); // Use the default trust store
+
+        // Create an SSLContext with the default TrustManager
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
+
+        return sslContext;
+    }
+}

agent_api/src/main/java/dev/aikido/agent_api/background/cloud/api/ReportingApiHTTP.java

@@ -17,6 +17,11 @@
 import java.time.Duration;
 import java.util.Optional;
 import java.util.zip.GZIPInputStream;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.security.KeyStore;
+
+import static dev.aikido.agent_api.background.cloud.SSLContextHelper.createDefaultSSLContext;
 
 public class ReportingApiHTTP extends ReportingApi {
     private final Logger logger = LogManager.getLogger(ReportingApiHTTP.class);
@@ -34,6 +39,7 @@ public Optional<APIResponse> fetchNewConfig() {
         try {
             HttpClient httpClient = HttpClient.newBuilder()
                     .connectTimeout(Duration.ofSeconds(timeoutInSec))
+                    .sslContext(createDefaultSSLContext())
                     .build();
 
             URI uri = URI.create(reportingUrl + "api/runtime/config");
@@ -54,6 +60,7 @@ public Optional<APIResponse> report(APIEvent event) {
         try {
             HttpClient httpClient = HttpClient.newBuilder()
                 .connectTimeout(Duration.ofSeconds(timeoutInSec))
+                .sslContext(createDefaultSSLContext())
                 .build();
 
             URI uri = URI.create(reportingUrl + "api/runtime/events");
@@ -75,25 +82,32 @@ public Optional<APIListsResponse> fetchBlockedLists() {
             return Optional.empty();
         }
         try {
-            // Make a GET request to api/runtime/firewall/lists
-            URL url = new URL(reportingUrl + "api/runtime/firewall/lists");
-            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
-            connection.setRequestMethod("GET");
+            HttpClient httpClient = HttpClient.newBuilder()
+                    .connectTimeout(Duration.ofSeconds(timeoutInSec))
+                    .sslContext(createDefaultSSLContext())
+                    .build();
 
-            // Set the Accept-Encoding header to gzip
-            connection.setRequestProperty("Accept-Encoding", "gzip");
-            connection.setRequestProperty("Authorization", token.get());
+            URI uri = URI.create(reportingUrl + "api/runtime/firewall/lists");
+            HttpRequest request = HttpRequest.newBuilder()
+                    .uri(uri)
+                    .timeout(Duration.ofSeconds(timeoutInSec))
+                    .header("Accept-Encoding", "gzip")
+                    .header("Authorization", token.get())
+                    .build();
 
-            if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
+            // Send the request and get the response
+            HttpResponse<InputStream> httpResponse = httpClient.send(request, HttpResponse.BodyHandlers.ofInputStream());
+            if (httpResponse.statusCode() != HttpURLConnection.HTTP_OK) {
                 return Optional.empty();
             }
-            InputStream inputStream = connection.getInputStream();
+
+            InputStream inputStream = httpResponse.body();
             // Check if the response is gzipped
-            if ("gzip".equalsIgnoreCase(connection.getContentEncoding())) {
+            if ("gzip".equalsIgnoreCase(httpResponse.headers().firstValue("Content-Encoding").orElse(""))) {
                 inputStream = new GZIPInputStream(inputStream);
             }
 
-            // Read the response :
+            // Read the response
             APIListsResponse res = gson.fromJson(new InputStreamReader(inputStream), APIListsResponse.class);
             return Optional.of(res);
         } catch (Exception e) {