Lift ssl-context coercion to connection-pool fn

src/aleph/http.clj

@@ -229,7 +229,10 @@
     (when (and force-h2c? (not-any? #{:http2} http-versions))
       (throw (IllegalArgumentException. "force-h2c? may only be true when HTTP/2 is enabled."))))
 
-  (let [log-activity (:log-activity connection-options)
+  (let [{:keys [log-activity
+                ssl-context
+                http-versions]
+         :or   {http-versions [:http1]}} connection-options
         dns-options' (if-not (and (some? dns-options)
                                   (not (or (contains? dns-options :transport)
                                            (contains? dns-options :epoll?))))
@@ -242,7 +245,13 @@
                               (assoc :name-resolver (netty/dns-resolver-group dns-options'))
 
                               (some? log-activity)
-                              (assoc :log-activity (netty/activity-logger "aleph-client" log-activity)))
+                              (assoc :log-activity (netty/activity-logger "aleph-client" log-activity))
+
+                              (some? ssl-context)
+                              (update :ssl-context
+                                      #(-> %
+                                           (common/ensure-consistent-alpn-config http-versions)
+                                           (netty/coerce-ssl-client-context))))
         p (promise)
         create-pool-fn (or pool-builder-fn
                            flow/instrumented-pool)

test/aleph/http_test.clj

@@ -452,6 +452,37 @@
                  :body
                  bs/to-string))))))
 
+(deftest using-input-stream-as-ssl-context-trust-store
+  (let [num-requests 2
+        file-name "test/ca_cert.pem"
+        client-options (fn [stream]
+                         {:connection-options {:ssl-context {:private-key test-ssl/client-key
+                                                             :certificate-chain [test-ssl/client-cert]
+                                                             :trust-store stream}}})
+        requests (fn [pool]
+                   (repeatedly num-requests #(http-post "/"
+                                                        {:body "hello!"
+                                                         :pool pool})))]
+    (testing "multiple serial requests without connection reuse"
+      (with-open [stream (io/input-stream file-name)]
+        (let [client-pool (http/connection-pool (-> (client-options stream)
+                                                    (assoc-in [:connection-options :keep-alive?] false)))]
+          (with-http-ssl-servers echo-handler {}
+            (is (every?
+                  #{"hello!"}
+                  (->> (requests client-pool)
+                       (mapv (comp bs/to-string :body deref)))))))))
+
+    (testing "multiple concurrent requests"
+      (with-open [stream (io/input-stream file-name)]
+        (let [client-pool (http/connection-pool (client-options stream))]
+          (with-http-ssl-servers echo-handler {}
+            (is (every?
+                  #{"hello!"}
+                  (->> (requests client-pool)
+                       (doall)
+                       (mapv (comp bs/to-string :body deref)))))))))))
+
 (defn ssl-session-capture-handler [ssl-session-atom]
   (fn [req]
     (reset! ssl-session-atom (http.core/ring-request-ssl-session req))

test/ca_cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDyjCCArKgAwIBAgIJAPj8IfB83MXVMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
+BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlDdXBlcnRpbm8x
+GDAWBgNVBAoMD0JGUCBDb3Jwb3JhdGlvbjEOMAwGA1UECwwFQWxlcGgxEDAOBgNV
+BAMMB1Jvb3QgQ0EwHhcNMTYxMTIxMjEzMTIzWhcNMzcwMjI0MjEzMTIzWjByMQsw
+CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0
+aW5vMRgwFgYDVQQKDA9CRlAgQ29ycG9yYXRpb24xDjAMBgNVBAsMBUFsZXBoMRAw
+DgYDVQQDDAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+1kKISz7cCJIU7pk+JBOH8+6UfvtR7BS1hTkWMw+IsTa9O1EJJqEtiJZTF267nLog
++jfUr8AHSTR+qtKkbs77XrOMlaa6Zyq3Z2d/p8R3oUdurg6T3JECGwilYDsEMLNL
+XnqnUdkeWQJ7ea7UzgJ7ACZ61I4+Dv9xJQ+5BGMRkH+SUTDQ/um8UmrPxbDDljR7
+TbTY7WtAPbxbALrEKA5EfNS1vdcYCfguN0BUcHaHEiBDAIU7IXZigdPBnSTDHhqB
+YHjmgQZ9U/ojrvmjG9lsG6X5WGj5H1SZCmpWbp+WiNEgHckzhRkCKU5V53mpqcrF
+Q5WJjAHGQrBF7CD1IUj6VwIDAQABo2MwYTAdBgNVHQ4EFgQUHZFU7TsvVmLorae0
+LntY0bhIRwIwHwYDVR0jBBgwFoAUHZFU7TsvVmLorae0LntY0bhIRwIwDwYDVR0T
+AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBACfu
+Sp0gy8QI1BP6bAueT6/t7Nz2Yg2kwbIXac5sanLc9MjhjG/EjLrkwhCpEVEfFrKD
+Bl/s0wdYoHcVTDlev4H3QOM4WeciaSUsEytihhey72f89ZyvQ+FGbif2BXNk4kPN
+0eo3t5TXS8Fw/iBi371KZo4jTpdsB0Y3fwKtXw8ieUAlaF86yGHA9bMF7eGXorpS
+hEJ8JRWWy2pV9WtkYw+tBWj7PtXQAIUx4t+J3+B9pSUyHxxArKmZUKa3GpJzBAKX
+TLHddtadJLqptjZ6pq7OSiihAs3fxVF+TGDJyPyk8K48y9G2MinrYXVzKHeQWqPT
+rO0jz1F4FL9LiD+HwLc=
+-----END CERTIFICATE-----