Java: implement support for using insecure TLS

mthemis-provenir · mthemis-provenir · commit 354e9be63ea7 · 2025-03-18T15:16:48.000Z
Signed-off-by: Matt &lt;mthemis@provenir.com&gt;
diff --git a/java/client/src/main/java/glide/api/models/configuration/BaseClientConfiguration.java b/java/client/src/main/java/glide/api/models/configuration/BaseClientConfiguration.java
@@ -36,6 +36,19 @@ public abstract class BaseClientConfiguration {
      */
     @Builder.Default private final boolean useTLS = false;
 
+    /**
+     * True if communication with the cluster should check certificate validity.
+     *
+     * <p>If the server/cluster's certificate does not validate, not setting this will cause the connection
+     * attempt to fail.
+     *
+     * <p>If the server/cluster's certificate does not validate, setting this will cause the connection
+     * to ignore the certificate's validity and succeed.
+     *
+     * This is useful for when CNAMEs are used to point to a server/cluster.
+     */
+    @Builder.Default private final boolean useInsecureTLS = false;
+
     /** Represents the client's read from strategy. */
     @NonNull @Builder.Default private final ReadFrom readFrom = ReadFrom.PRIMARY;
 
diff --git a/java/client/src/main/java/glide/managers/ConnectionManager.java b/java/client/src/main/java/glide/managers/ConnectionManager.java
@@ -99,9 +99,15 @@ private ConnectionRequest.Builder setupConnectionRequestBuilderBaseConfiguration
                             .build());
         }
 
-        connectionRequestBuilder
-                .setTlsMode(configuration.isUseTLS() ? TlsMode.SecureTls : TlsMode.NoTls)
-                .setReadFrom(mapReadFromEnum(configuration.getReadFrom()));
+        if (configuration.isUseTLS()) {
+            connectionRequestBuilder
+                    .setTlsMode(configuration.isUseInsecureTLS() ? TlsMode.InsecureTls : TlsMode.SecureTls)
+                    .setReadFrom(mapReadFromEnum(configuration.getReadFrom()));
+        } else {
+            connectionRequestBuilder
+                    .setTlsMode(TlsMode.NoTls)
+                    .setReadFrom(mapReadFromEnum(configuration.getReadFrom()));
+        }
 
         if (configuration.getCredentials() != null) {
             AuthenticationInfo.Builder authenticationInfoBuilder = AuthenticationInfo.newBuilder();
diff --git a/java/client/src/test/java/glide/managers/ConnectionManagerTest.java b/java/client/src/test/java/glide/managers/ConnectionManagerTest.java
@@ -136,6 +136,7 @@ public void connection_request_protobuf_generation_with_all_fields_set() {
                         .address(NodeAddress.builder().host(HOST).port(PORT).build())
                         .address(NodeAddress.builder().host(DEFAULT_HOST).port(DEFAULT_PORT).build())
                         .useTLS(true)
+                        .useInsecureTLS(false)
                         .readFrom(ReadFrom.PREFER_REPLICA)
                         .credentials(ServerCredentials.builder().username(USERNAME).password(PASSWORD).build())
                         .requestTimeout(REQUEST_TIMEOUT)
@@ -348,6 +349,35 @@ private void testAzAffinityWithoutClientAzThrowsConfigurationError(ReadFrom read
         assertThrows(ConfigurationError.class, () -> connectionManager.connectToValkey(config));
     }
 
+    @SneakyThrows
+    @Test
+    public void connection_request_protobuf_generation_use_insecure_tls() {
+        // setup
+        GlideClusterClientConfiguration glideClusterClientConfiguration =
+                GlideClusterClientConfiguration.builder()
+                .useTLS(true)
+                .useInsecureTLS(true)
+                .build();
+        ConnectionRequest expectedProtobufConnectionRequest =
+                ConnectionRequest.newBuilder()
+                        .setTlsMode(TlsMode.InsecureTls)
+                        .setClusterModeEnabled(true)
+                        .setReadFrom(ConnectionRequestOuterClass.ReadFrom.Primary)
+                        .build();
+        CompletableFuture<Response> completedFuture = new CompletableFuture<>();
+        Response response = Response.newBuilder().setConstantResponse(ConstantResponse.OK).build();
+        completedFuture.complete(response);
+
+        // execute
+        when(channel.connect(eq(expectedProtobufConnectionRequest))).thenReturn(completedFuture);
+        CompletableFuture<Void> result =
+                connectionManager.connectToValkey(glideClusterClientConfiguration);
+
+        // verify
+        assertNull(result.get());
+        verify(channel).connect(eq(expectedProtobufConnectionRequest));
+    }
+
     private ConnectionRequestOuterClass.ReadFrom mapReadFrom(ReadFrom readFrom) {
         switch (readFrom) {
             case AZ_AFFINITY:
