Add support for TLS configuration

Author: dayaffe

Sources/ClientRuntime/Networking/Http/NIO/NIOHTTPClient.swift

@@ -6,15 +6,20 @@
 //
 
 import AsyncHTTPClient
+import Foundation
 import NIOCore
 import NIOPosix
+import NIOSSL
 import SmithyHTTPAPI
+import NIOHTTP1
 
 /// AsyncHTTPClient-based HTTP client implementation that conforms to SmithyHTTPAPI.HTTPClient
 /// This implementation is thread-safe and supports concurrent request execution.
 public final class NIOHTTPClient: SmithyHTTPAPI.HTTPClient {
     private let client: AsyncHTTPClient.HTTPClient
     private let config: HttpClientConfiguration
+    private let tlsConfiguration: NIOHTTPClientTLSOptions?
+    private let allocator: ByteBufferAllocator
 
     /// Creates a new `NIOHTTPClient`.
     ///
@@ -25,13 +30,22 @@ public final class NIOHTTPClient: SmithyHTTPAPI.HTTPClient {
         httpClientConfiguration: HttpClientConfiguration
     ) throws {
         self.config = httpClientConfiguration
-        self.client = AsyncHTTPClient.HTTPClient(
-            configuration: .init() // TODO
-        )
+        self.tlsConfiguration = httpClientConfiguration.tlsConfiguration as? NIOHTTPClientTLSOptions
+        self.allocator = ByteBufferAllocator()
+
+        var clientConfig = AsyncHTTPClient.HTTPClient.Configuration()
+
+        // Configure TLS if options are provided
+        if let tlsOptions = tlsConfiguration {
+            clientConfig.tlsConfiguration = try tlsOptions.makeNIOSSLConfiguration()
+        }
+
+        self.client = AsyncHTTPClient.HTTPClient(configuration: clientConfig)
     }
 
     public func send(request: SmithyHTTPAPI.HTTPRequest) async throws -> SmithyHTTPAPI.HTTPResponse {
         // TODO
         return HTTPResponse()
     }
+
 }

Sources/ClientRuntime/Networking/Http/NIO/NIOHTTPClientTLSOptions.swift

@@ -0,0 +1,52 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+import NIOSSL
+
+public struct NIOHTTPClientTLSOptions: TLSConfiguration, Sendable {
+
+    /// Optional path to a PEM certificate
+    public var certificate: String?
+
+    /// Optional path to certificate directory
+    public var certificateDir: String?
+
+    /// Optional path to a PEM format private key
+    public var privateKey: String?
+
+    /// Optional path to PKCS #12 certificate, in PEM format
+    public var pkcs12Path: String?
+
+    /// Optional PKCS#12 password
+    public var pkcs12Password: String?
+
+    /// Information is provided to use custom trust store
+    public var useSelfSignedCertificate: Bool {
+        return certificate != nil || certificateDir != nil
+    }
+
+    /// Information is provided to use custom key store
+    public var useProvidedKeystore: Bool {
+        return (pkcs12Path != nil && pkcs12Password != nil) ||
+               (certificate != nil && privateKey != nil)
+    }
+
+    public init(
+        certificate: String? = nil,
+        certificateDir: String? = nil,
+        privateKey: String? = nil,
+        pkcs12Path: String? = nil,
+        pkcs12Password: String? = nil
+    ) {
+        self.certificate = certificate
+        self.certificateDir = certificateDir
+        self.privateKey = privateKey
+        self.pkcs12Path = pkcs12Path
+        self.pkcs12Password = pkcs12Password
+    }
+}

Sources/ClientRuntime/Networking/Http/NIO/NIOHTTPClientTLSResolverUtils.swift

@@ -0,0 +1,85 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+import NIOSSL
+
+extension NIOHTTPClientTLSOptions {
+
+    func makeNIOSSLConfiguration() throws -> NIOSSL.TLSConfiguration {
+        var tlsConfig = NIOSSL.TLSConfiguration.makeClientConfiguration()
+
+        if useSelfSignedCertificate {
+            if let certificateDir = certificateDir, let certificate = certificate {
+                let certificatePath = "\(certificateDir)/\(certificate)"
+                let certificates = try NIOHTTPClientTLSOptions.loadCertificates(from: certificatePath)
+                tlsConfig.trustRoots = .certificates(certificates)
+            } else if let certificate = certificate {
+                let certificates = try NIOHTTPClientTLSOptions.loadCertificates(from: certificate)
+                tlsConfig.trustRoots = .certificates(certificates)
+            }
+        }
+
+        if useProvidedKeystore {
+            if let pkcs12Path = pkcs12Path, let pkcs12Password = pkcs12Password {
+                let bundle = try NIOHTTPClientTLSOptions.loadPKCS12Bundle(from: pkcs12Path, password: pkcs12Password)
+                tlsConfig.certificateChain = bundle.certificateChain.map { .certificate($0) }
+                tlsConfig.privateKey = .privateKey(bundle.privateKey)
+            } else if let certificate = certificate, let privateKey = privateKey {
+                let cert = try NIOHTTPClientTLSOptions.loadCertificate(from: certificate)
+                let key = try NIOHTTPClientTLSOptions.loadPrivateKey(from: privateKey)
+                tlsConfig.certificateChain = [.certificate(cert)]
+                tlsConfig.privateKey = .privateKey(key)
+            }
+        }
+
+        return tlsConfig
+    }
+}
+
+extension NIOHTTPClientTLSOptions {
+
+    static func loadCertificates(from filePath: String) throws -> [NIOSSLCertificate] {
+        let fileData = try Data(contentsOf: URL(fileURLWithPath: filePath))
+        return try NIOSSLCertificate.fromPEMBytes(Array(fileData))
+    }
+
+    static func loadCertificate(from filePath: String) throws -> NIOSSLCertificate {
+        let certificates = try loadCertificates(from: filePath)
+        guard let certificate = certificates.first else {
+            throw NIOHTTPClientTLSError.noCertificateFound(filePath)
+        }
+        return certificate
+    }
+
+    static func loadPrivateKey(from filePath: String) throws -> NIOSSLPrivateKey {
+        let fileData = try Data(contentsOf: URL(fileURLWithPath: filePath))
+        return try NIOSSLPrivateKey(bytes: Array(fileData), format: .pem)
+    }
+
+    static func loadPKCS12Bundle(from filePath: String, password: String) throws -> NIOSSLPKCS12Bundle {
+        do {
+            return try NIOSSLPKCS12Bundle(file: filePath, passphrase: password.utf8)
+        } catch {
+            throw NIOHTTPClientTLSError.invalidPKCS12(filePath, underlying: error)
+        }
+    }
+}
+
+public enum NIOHTTPClientTLSError: Error, LocalizedError {
+    case noCertificateFound(String)
+    case invalidPKCS12(String, underlying: Error)
+
+    public var errorDescription: String? {
+        switch self {
+        case .noCertificateFound(let path):
+            return "No certificate found at path: \(path)"
+        case .invalidPKCS12(let path, let underlying):
+            return "Failed to load PKCS#12 file at path: \(path). Error: \(underlying.localizedDescription)"
+        }
+    }
+}

Tests/ClientRuntimeTests/NetworkingTests/Http/NIO/NIOHTTPClientTLSOptionsTests.swift

@@ -0,0 +1,65 @@
+//
+// Copyright Amazon.com Inc. or its affiliates.
+// All Rights Reserved.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+import Foundation
+import XCTest
+@testable import ClientRuntime
+
+class NIOHTTPClientTLSOptionsTests: XCTestCase {
+
+    func test_init_withDefaults() {
+        let tlsOptions = NIOHTTPClientTLSOptions()
+        
+        XCTAssertNil(tlsOptions.certificate)
+        XCTAssertNil(tlsOptions.certificateDir)
+        XCTAssertNil(tlsOptions.privateKey)
+        XCTAssertNil(tlsOptions.pkcs12Path)
+        XCTAssertNil(tlsOptions.pkcs12Password)
+        XCTAssertFalse(tlsOptions.useSelfSignedCertificate)
+        XCTAssertFalse(tlsOptions.useProvidedKeystore)
+    }
+
+    func test_init_withCertificate() {
+        let tlsOptions = NIOHTTPClientTLSOptions(certificate: "/path/to/cert.pem")
+        
+        XCTAssertEqual(tlsOptions.certificate, "/path/to/cert.pem")
+        XCTAssertTrue(tlsOptions.useSelfSignedCertificate)
+        XCTAssertFalse(tlsOptions.useProvidedKeystore)
+    }
+
+    func test_init_withCertificateDir() {
+        let tlsOptions = NIOHTTPClientTLSOptions(certificateDir: "/path/to/certs/")
+        
+        XCTAssertEqual(tlsOptions.certificateDir, "/path/to/certs/")
+        XCTAssertTrue(tlsOptions.useSelfSignedCertificate)
+        XCTAssertFalse(tlsOptions.useProvidedKeystore)
+    }
+
+    func test_init_withPKCS12() {
+        let tlsOptions = NIOHTTPClientTLSOptions(
+            pkcs12Path: "/path/to/cert.p12",
+            pkcs12Password: "password"
+        )
+        
+        XCTAssertEqual(tlsOptions.pkcs12Path, "/path/to/cert.p12")
+        XCTAssertEqual(tlsOptions.pkcs12Password, "password")
+        XCTAssertFalse(tlsOptions.useSelfSignedCertificate)
+        XCTAssertTrue(tlsOptions.useProvidedKeystore)
+    }
+
+    func test_init_withCertificateAndPrivateKey() {
+        let tlsOptions = NIOHTTPClientTLSOptions(
+            certificate: "/path/to/cert.pem",
+            privateKey: "/path/to/key.pem"
+        )
+        
+        XCTAssertEqual(tlsOptions.certificate, "/path/to/cert.pem")
+        XCTAssertEqual(tlsOptions.privateKey, "/path/to/key.pem")
+        XCTAssertTrue(tlsOptions.useSelfSignedCertificate)
+        XCTAssertTrue(tlsOptions.useProvidedKeystore)
+    }
+}