Add TrustAllCertificates in CRT S3 Client options (#3903)

* Add TrustAllCertificates in CRT S3 Client options

* Handled PR comments

Author: joviegas

.changes/next-release/feature-AWSSDKforJavav2-e102314.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "API to Add TrustAllCertificates in CRT S3 Client options for test purposes"
+}

services/s3/src/main/java/software/amazon/awssdk/services/s3/crt/S3CrtHttpConfiguration.java

@@ -38,11 +38,13 @@ public final class S3CrtHttpConfiguration implements ToCopyableBuilder<S3CrtHttp
     private final Duration connectionTimeout;
     private final S3CrtProxyConfiguration proxyConfiguration;
     private final S3CrtConnectionHealthConfiguration healthConfiguration;
+    private final Boolean trustAllCertificatesEnabled;
 
     private S3CrtHttpConfiguration(DefaultBuilder builder) {
         this.connectionTimeout = builder.connectionTimeout;
         this.proxyConfiguration = builder.proxyConfiguration;
         this.healthConfiguration = builder.healthConfiguration;
+        this.trustAllCertificatesEnabled = builder.trustAllCertificatesEnabled;
     }
 
     /**
@@ -73,6 +75,13 @@ public S3CrtConnectionHealthConfiguration healthConfiguration() {
         return healthConfiguration;
     }
 
+    /**
+     * Return the configured {@link Builder#trustAllCertificatesEnabled}.
+     */
+    public Boolean trustAllCertificatesEnabled() {
+        return trustAllCertificatesEnabled;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) {
@@ -90,14 +99,18 @@ public boolean equals(Object o) {
         if (!Objects.equals(proxyConfiguration, that.proxyConfiguration)) {
             return false;
         }
-        return Objects.equals(healthConfiguration, that.healthConfiguration);
+        if (!Objects.equals(healthConfiguration, that.healthConfiguration)) {
+            return false;
+        }
+        return Objects.equals(trustAllCertificatesEnabled, that.trustAllCertificatesEnabled);
     }
 
     @Override
     public int hashCode() {
         int result = connectionTimeout != null ? connectionTimeout.hashCode() : 0;
         result = 31 * result + (proxyConfiguration != null ? proxyConfiguration.hashCode() : 0);
         result = 31 * result + (healthConfiguration != null ? healthConfiguration.hashCode() : 0);
+        result = 31 * result + (trustAllCertificatesEnabled != null ? trustAllCertificatesEnabled.hashCode() : 0);
         return result;
     }
 
@@ -115,6 +128,18 @@ public interface Builder extends CopyableBuilder<S3CrtHttpConfiguration.Builder,
          */
         Builder connectionTimeout(Duration connectionTimeout);
 
+
+        /**
+         * <p>
+         *     Option to disable SSL cert validation and SSL host name verification.
+         *     This turns off x.509 validation.
+         *     By default, this option is off.
+         *     Only enable this option for testing purposes.
+         * @param trustAllCertificatesEnabled True if SSL cert validation is disabled.
+         * @return The builder of the method chaining.
+         */
+        Builder trustAllCertificatesEnabled(Boolean trustAllCertificatesEnabled);
+
         /**
          * Sets the http proxy configuration to use for this client.
          *
@@ -165,6 +190,7 @@ Builder connectionHealthConfiguration(Consumer<S3CrtConnectionHealthConfiguratio
     private static final class DefaultBuilder implements Builder {
         private S3CrtConnectionHealthConfiguration healthConfiguration;
         private Duration connectionTimeout;
+        private Boolean trustAllCertificatesEnabled;
         private S3CrtProxyConfiguration proxyConfiguration;
 
         private DefaultBuilder() {
@@ -174,6 +200,7 @@ private DefaultBuilder(S3CrtHttpConfiguration httpConfiguration) {
             this.healthConfiguration = httpConfiguration.healthConfiguration;
             this.connectionTimeout = httpConfiguration.connectionTimeout;
             this.proxyConfiguration = httpConfiguration.proxyConfiguration;
+            this.trustAllCertificatesEnabled = httpConfiguration.trustAllCertificatesEnabled;
         }
 
         @Override
@@ -182,6 +209,12 @@ public Builder connectionTimeout(Duration connectionTimeout) {
             return this;
         }
 
+        @Override
+        public Builder trustAllCertificatesEnabled(Boolean trustAllCertificatesEnabled) {
+            this.trustAllCertificatesEnabled = trustAllCertificatesEnabled;
+            return this;
+        }
+
         @Override
         public Builder proxyConfiguration(S3CrtProxyConfiguration proxyConfiguration) {
             this.proxyConfiguration = proxyConfiguration;

services/s3/src/main/java/software/amazon/awssdk/services/s3/internal/crt/S3NativeClientConfiguration.java

@@ -33,6 +33,7 @@
 import software.amazon.awssdk.crt.io.TlsContextOptions;
 import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;
 import software.amazon.awssdk.services.s3.crt.S3CrtHttpConfiguration;
+import software.amazon.awssdk.utils.Logger;
 import software.amazon.awssdk.utils.SdkAutoCloseable;
 
 /**
@@ -41,6 +42,7 @@
 @SdkInternalApi
 public class S3NativeClientConfiguration implements SdkAutoCloseable {
     static final long DEFAULT_PART_SIZE_IN_BYTES = 8L * 1024 * 1024;
+    private static final Logger log = Logger.loggerFor(S3NativeClientConfiguration.class);
     private static final long DEFAULT_TARGET_THROUGHPUT_IN_GBPS = 10;
 
     private final String signingRegion;
@@ -67,6 +69,13 @@ public S3NativeClientConfiguration(Builder builder) {
         TlsContextOptions clientTlsContextOptions =
             TlsContextOptions.createDefaultClient()
                              .withCipherPreference(TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT);
+
+        if (builder.httpConfiguration != null
+            && builder.httpConfiguration.trustAllCertificatesEnabled() != null) {
+            log.warn(() -> "SSL Certificate verification is disabled. "
+                           + "This is not a safe setting and should only be used for testing.");
+            clientTlsContextOptions.withVerifyPeer(!builder.httpConfiguration.trustAllCertificatesEnabled());
+        }
         this.tlsContext = new TlsContext(clientTlsContextOptions);
         this.credentialProviderAdapter =
             builder.credentialsProvider == null ?
@@ -175,6 +184,7 @@ public static final class Builder {
         private Integer maxConcurrency;
         private URI endpointOverride;
         private Boolean checksumValidationEnabled;
+
         private S3CrtHttpConfiguration httpConfiguration;
         private StandardRetryOptions standardRetryOptions;