From 0ec929d8f1583ce22f13543fdb63765eb5b2ec3d Mon Sep 17 00:00:00 2001 From: Himanshu Date: Wed, 15 Apr 2020 15:59:24 -0700 Subject: [PATCH] druid-pac4j:add custom SSL handling to com.nimbusds.oauth2.sdk.http.HTTPRequest objects (#9695) --- extensions-core/druid-pac4j/pom.xml | 12 +++++++++++- .../druid/security/pac4j/Pac4jAuthenticator.java | 10 ++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml index ce4483c7c5a8..bf4ebb8ccc11 100644 --- a/extensions-core/druid-pac4j/pom.xml +++ b/extensions-core/druid-pac4j/pom.xml @@ -35,6 +35,10 @@ 3.8.3 + + + 7.9 + 6.5 @@ -60,10 +64,16 @@ pac4j-oidc ${pac4j.version} + com.nimbusds nimbus-jose-jwt - 7.9 + ${nimbus.jose.jwt.version} + + + com.nimbusds + oauth2-oidc-sdk + ${oauth2.oidc.sdk.version} diff --git a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java index c0473ce42542..2ca500020f6a 100644 --- a/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java +++ b/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jAuthenticator.java @@ -25,7 +25,9 @@ import com.fasterxml.jackson.annotation.JsonTypeName; import com.google.common.base.Supplier; import com.google.common.base.Suppliers; +import com.google.common.primitives.Ints; import com.google.inject.Provider; +import com.nimbusds.oauth2.sdk.http.HTTPRequest; import org.apache.druid.server.security.AuthenticationResult; import org.apache.druid.server.security.Authenticator; import org.pac4j.core.config.Config; 
@@ -130,7 +132,10 @@ private Config createPac4jConfig(OIDCConfig oidcConfig) oidcConf.setDiscoveryURI(oidcConfig.getDiscoveryURI()); oidcConf.setExpireSessionWithToken(true); oidcConf.setUseNonce(true); + oidcConf.setReadTimeout(Ints.checkedCast(pac4jCommonConfig.getReadTimeout().getMillis())); + oidcConf.setResourceRetriever( + // ResourceRetriever is used to get Auth server configuration from "discoveryURI" new CustomSSLResourceRetriever(pac4jCommonConfig.getReadTimeout().getMillis(), sslSocketFactory) ); @@ -138,6 +143,11 @@ private Config createPac4jConfig(OIDCConfig oidcConfig) oidcClient.setUrlResolver(new DefaultUrlResolver(true)); oidcClient.setCallbackUrlResolver(new NoParameterCallbackUrlResolver()); + // This is used by OidcClient in various places to make HTTPrequests. + if (sslSocketFactory != null) { + HTTPRequest.setDefaultSSLSocketFactory(sslSocketFactory); + } + return new Config(Pac4jCallbackResource.SELF_URL, oidcClient); } }
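Review bot: `Ints.checkedCast(...)` on the added `oidcConf.setReadTimeout(...)` line throws `IllegalArgumentException` when the configured read timeout does not fit in an `int` of milliseconds, and the exception text will not name the property that caused it. A comment such as `// readTimeout is in ms and must fit in an int; checkedCast fails fast on larger values` would make that failure easier to diagnose, as would a range check where `pac4jCommonConfig` is built. Only the read timeout is set in this hunk, so the connect timeout for the same OIDC requests appears to stay at the pac4j default, and a matching `setConnectTimeout` call may be wanted. createPac4jConfig begins outside the hunk.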
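Review bot: `HTTPRequest.setDefaultSSLSocketFactory(sslSocketFactory)` in the last hunk sets a static default on the Nimbus `HTTPRequest` class, so the custom trust configuration applies to every `HTTPRequest` created in this class loader, not only to requests made by this `OidcClient`. If more than one authenticator is configured, or other code in the process uses the same SDK, the last call wins. Because the call is skipped when `sslSocketFactory` is null, a factory installed by an earlier instance would also stay in effect. The comment above the `if` should say so, e.g. `// NOTE: static, process-wide default for all Nimbus HTTPRequest objects; the last authenticator configured wins.` Only the socket factory is replaced here, so it is worth confirming that hostname verification for these requests stays at the JVM default. createPac4jConfig begins outside the hunk.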