Make mutual TLS (mTLS) authentication configurable via application.pr…

…operties fix #1249

.github/workflows/build.yml

@@ -79,7 +79,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        testModule: ['client', 'client-server', 'fastinfoset', 'hc5', 'metrics', 'mtom', 'mtom-awt', 'opentelemetry', 'santuario-xmlsec', 'server', 'ws-rm-client', 'ws-security', 'ws-security -Djks', 'ws-security-policy', 'ws-security-policy -Djks', 'ws-trust', 'wsdl2java', 'wsdl2java-no-config']
+        testModule: ['client', 'client-server', 'fastinfoset', 'hc5', 'metrics', 'mtls', 'mtls -Djks', 'mtom', 'mtom-awt', 'opentelemetry', 'santuario-xmlsec', 'server', 'ws-rm-client', 'ws-security', 'ws-security -Djks', 'ws-security-policy', 'ws-security-policy -Djks', 'ws-trust', 'wsdl2java', 'wsdl2java-no-config']
     name: ${{matrix.testModule}} native tests
     needs: build-and-run-jvm-tests
     runs-on: ubuntu-latest

docs/modules/ROOT/pages/reference/extensions/quarkus-cxf.adoc

@@ -118,6 +118,28 @@ Larger values may give slight performance increases for large responses, at the
 
 *Environment variable*: `+++QUARKUS_CXF_OUTPUT_BUFFER_SIZE+++`
 
+.<|icon:lock[title=Fixed at build time] [[quarkus-cxf_quarkus-cxf-http-conduit-factory]]`link:#quarkus-cxf_quarkus-cxf-http-conduit-factory[quarkus.cxf.http-conduit-factory]`
+.<| `QuarkusCXFDefault`, `CXFDefault`, `HttpClientHTTPConduitFactory`, `URLConnectionHTTPConduitFactory`
+.<| 
+
+3+a|Select the `HTTPConduitFactory` implementation for all clients except the ones that override this setting via
+`quarkus.cxf.client.myClient.http-conduit-factory`.
+
+- `QuarkusCXFDefault` (default): if `io.quarkiverse.cxf:quarkus-cxf-rt-transports-http-hc5` is present in class path,
+then its `HTTPConduitFactory` implementation will be used; otherwise this value is equivalent with
+`URLConnectionHTTPConduitFactory` (this may change, once issue
+link:https://github.com/quarkiverse/quarkus-cxf/issues/992[++#++992] gets resolved in CXF)
+- `CXFDefault`: the selection of `HTTPConduitFactory` implementation is left to CXF
+- `HttpClientHTTPConduitFactory`: the `HTTPConduitFactory` will be set to an implementation always returning
+`org.apache.cxf.transport.http.HttpClientHTTPConduit`. This will use `java.net.http.HttpClient` as the underlying HTTP
+client.
+- `URLConnectionHTTPConduitFactory`: the `HTTPConduitFactory` will be set to an implementation always returning
+`org.apache.cxf.transport.http.URLConnectionHTTPConduit`. This will use `java.net.HttpURLConnection` as the underlying
+HTTP client.
+
+*Environment variable*: `+++QUARKUS_CXF_HTTP_CONDUIT_FACTORY+++` +
+*Since Quarkus CXF*: 2.3.0
+
 .<| [[quarkus-cxf_quarkus-cxf-decoupled-endpoint-base]]`link:#quarkus-cxf_quarkus-cxf-decoupled-endpoint-base[quarkus.cxf.decoupled-endpoint-base]`
 .<| `string`
 .<| 
@@ -1141,31 +1163,71 @@ underlying HTTP client.
 returning `org.apache.cxf.transport.http.URLConnectionHTTPConduit`. This will use `java.net.HttpURLConnection` as the
 underlying HTTP client.
 
-*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__HTTP_CONDUIT_FACTORY+++`
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__HTTP_CONDUIT_FACTORY+++` +
+*Since Quarkus CXF*: 2.3.0
+
+.<| [[quarkus-cxf_quarkus-cxf-client-clients-key-store]]`link:#quarkus-cxf_quarkus-cxf-client-clients-key-store[quarkus.cxf.client."clients".key-store]`
+.<| `string`
+.<| 
+
+3+a|The key store location for this client. The resource is first looked up in the classpath, then in the file system.
+
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__KEY_STORE+++` +
+*Since Quarkus CXF*: 3.9.0
+
+.<| [[quarkus-cxf_quarkus-cxf-client-clients-key-store-password]]`link:#quarkus-cxf_quarkus-cxf-client-clients-key-store-password[quarkus.cxf.client."clients".key-store-password]`
+.<| `string`
+.<| 
+
+3+a|The key store password
+
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__KEY_STORE_PASSWORD+++` +
+*Since Quarkus CXF*: 3.9.0
+
+.<| [[quarkus-cxf_quarkus-cxf-client-clients-key-store-type]]`link:#quarkus-cxf_quarkus-cxf-client-clients-key-store-type[quarkus.cxf.client."clients".key-store-type]`
+.<| `string`
+.<| `JKS`
+
+3+a|The type of the key store.
+
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__KEY_STORE_TYPE+++` +
+*Since Quarkus CXF*: 3.9.0
+
+.<| [[quarkus-cxf_quarkus-cxf-client-clients-key-password]]`link:#quarkus-cxf_quarkus-cxf-client-clients-key-password[quarkus.cxf.client."clients".key-password]`
+.<| `string`
+.<| 
+
+3+a|The key password.
+
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__KEY_PASSWORD+++` +
+*Since Quarkus CXF*: 3.9.0
 
 .<| [[quarkus-cxf_quarkus-cxf-client-clients-trust-store]]`link:#quarkus-cxf_quarkus-cxf-client-clients-trust-store[quarkus.cxf.client."clients".trust-store]`
 .<| `string`
 .<| 
 
 3+a|The trust store location for this client. The resource is first looked up in the classpath, then in the file system.
 
-*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE+++`
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE+++` +
+*Since Quarkus CXF*: 2.5.0
 
 .<| [[quarkus-cxf_quarkus-cxf-client-clients-trust-store-password]]`link:#quarkus-cxf_quarkus-cxf-client-clients-trust-store-password[quarkus.cxf.client."clients".trust-store-password]`
 .<| `string`
 .<| 
 
-3+a|The trust store password
+3+a|The trust store password.
 
-*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE_PASSWORD+++`
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE_PASSWORD+++` +
+*Since Quarkus CXF*: 2.5.0
 
 .<| [[quarkus-cxf_quarkus-cxf-client-clients-trust-store-type]]`link:#quarkus-cxf_quarkus-cxf-client-clients-trust-store-type[quarkus.cxf.client."clients".trust-store-type]`
 .<| `string`
 .<| `JKS`
 
 3+a|The type of the trust store.
 
-*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE_TYPE+++`
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__TRUST_STORE_TYPE+++` +
+*Since Quarkus CXF*: 2.5.0
 
 .<| [[quarkus-cxf_quarkus-cxf-client-clients-hostname-verifier]]`link:#quarkus-cxf_quarkus-cxf-client-clients-hostname-verifier[quarkus.cxf.client."clients".hostname-verifier]`
 .<| `string`
@@ -1181,7 +1243,8 @@ not specified, then the creation of the `HostnameVerifier` is delegated to CXF,
 `org.apache.cxf.transport.https.httpclient.PublicSuffixMatcherLoader` as returned from
 `PublicSuffixMatcherLoader.getDefault()`.
 
-*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__HOSTNAME_VERIFIER+++`
+*Environment variable*: `+++QUARKUS_CXF_CLIENT__CLIENTS__HOSTNAME_VERIFIER+++` +
+*Since Quarkus CXF*: 2.5.0
 
 .<| [[quarkus-cxf_quarkus-cxf-client-clients-schema-validation-enabled-for]]`link:#quarkus-cxf_quarkus-cxf-client-clients-schema-validation-enabled-for[quarkus.cxf.client."clients".schema-validation.enabled-for]`
 .<| `in`, `request`, `out`, `response`, `both`, `none`

extensions/core/deployment/src/main/java/io/quarkiverse/cxf/deployment/CxfBuildTimeConfig.java

@@ -4,7 +4,6 @@
 import java.util.Map;
 import java.util.Optional;
 
-import io.quarkiverse.cxf.CxfClientConfig.HTTPConduitImpl;
 import io.quarkiverse.cxf.deployment.codegen.Wsdl2JavaParam;
 import io.quarkiverse.cxf.deployment.codegen.Wsdl2JavaParam.Wsdl2JavaParamCollection;
 import io.quarkiverse.cxf.deployment.codegen.Wsdl2JavaParam.Wsdl2JavaParamTransformer;
@@ -45,26 +44,6 @@ public interface CxfBuildTimeConfig {
     @WithName("java2ws")
     public Java2WsConfig java2ws();
 
-    /**
-     * Select the `HTTPConduitFactory` implementation for all clients except the ones that override this setting via
-     * `quarkus.cxf.client.myClient.http-conduit-factory`.
-     *
-     * - `QuarkusCXFDefault` (default): if `io.quarkiverse.cxf:quarkus-cxf-rt-transports-http-hc5` is present in class path,
-     * then its `HTTPConduitFactory` implementation will be used; otherwise this value is equivalent with
-     * `URLConnectionHTTPConduitFactory` (this may change, once issue
-     * link:https://github.com/quarkiverse/quarkus-cxf/issues/992[++#++992] gets resolved in CXF)
-     * - `CXFDefault`: the selection of `HTTPConduitFactory` implementation is left to CXF
-     * - `HttpClientHTTPConduitFactory`: the `HTTPConduitFactory` will be set to an implementation always returning
-     * `org.apache.cxf.transport.http.HttpClientHTTPConduit`. This will use `java.net.http.HttpClient` as the underlying HTTP
-     * client.
-     * - `URLConnectionHTTPConduitFactory`: the `HTTPConduitFactory` will be set to an implementation always returning
-     * `org.apache.cxf.transport.http.URLConnectionHTTPConduit`. This will use `java.net.HttpURLConnection` as the underlying
-     * HTTP client.
-     *
-     * @asciidoclet
-     */
-    public Optional<HTTPConduitImpl> httpConduitFactory();
-
     @ConfigGroup
     public interface CodeGenConfig {
 

extensions/core/deployment/src/main/java/io/quarkiverse/cxf/deployment/CxfClientProcessor.java

@@ -482,7 +482,7 @@ private void produceUnremovableBean(
     @Record(ExecutionTime.STATIC_INIT)
     void customizers(
             CXFRecorder recorder,
-            CxfBuildTimeConfig config,
+            CxfFixedConfig config,
             BuildProducer<RuntimeBusCustomizerBuildItem> customizers) {
         final HTTPConduitImpl factory = HTTPConduitImpl.fromOptional(
                 config.httpConduitFactory(),

extensions/core/runtime/src/main/java/io/quarkiverse/cxf/CXFClientInfo.java

@@ -172,6 +172,26 @@ public class CXFClientInfo {
      */
     private final String proxyPassword;
 
+    /**
+     * The key store location. Can point to either a classpath resource or a file.
+     */
+    private final String keyStore;
+
+    /**
+     * The key store password.
+     */
+    private final String keyStorePassword;
+
+    /**
+     * The type of the trust store. Defaults to "JKS".
+     */
+    private final String keyStoreType;
+
+    /**
+     * The key password.
+     */
+    private final String keyPassword;
+
     /**
      * The trust store location. Can point to either a classpath resource or a file.
      */
@@ -239,6 +259,10 @@ public CXFClientInfo(CXFClientData other, CxfConfig cxfConfig, CxfClientConfig c
         this.proxyUsername = config.proxyUsername().orElse(null);
         this.proxyPassword = config.proxyPassword().orElse(null);
 
+        this.keyStore = config.keyStore().orElse(null);
+        this.keyStorePassword = config.keyStorePassword().orElse(null);
+        this.keyStoreType = Objects.requireNonNull(config.keyStoreType(), "keyStoreType cannot be null");
+        this.keyPassword = config.keyPassword().orElse(null);
         this.trustStore = config.trustStore().orElse(null);
         this.trustStorePassword = config.trustStorePassword().orElse(null);
         this.trustStoreType = Objects.requireNonNull(config.trustStoreType(), "trustStoreType cannot be null");
@@ -461,6 +485,22 @@ public HTTPConduitImpl getHttpConduitImpl() {
         return httpConduitImpl;
     }
 
+    public String getKeyStore() {
+        return keyStore;
+    }
+
+    public String getKeyStorePassword() {
+        return keyStorePassword;
+    }
+
+    public String getKeyStoreType() {
+        return keyStoreType;
+    }
+
+    public String getKeyPassword() {
+        return keyPassword;
+    }
+
     public String getTrustStore() {
         return trustStore;
     }

extensions/core/runtime/src/main/java/io/quarkiverse/cxf/CxfClientConfig.java

@@ -389,27 +389,64 @@ public interface CxfClientConfig {
      * underlying HTTP client.
      *
      * @asciidoclet
+     * @since 2.3.0
      */
     public Optional<HTTPConduitImpl> httpConduitFactory();
 
+    /**
+     * The key store location for this client. The resource is first looked up in the classpath, then in the file system.
+     *
+     * @asciidoclet
+     * @since 3.9.0
+     */
+    public Optional<String> keyStore();
+
+    /**
+     * The key store password
+     *
+     * @asciidoclet
+     * @since 3.9.0
+     */
+    public Optional<String> keyStorePassword();
+
+    /**
+     * The type of the key store.
+     *
+     * @asciidoclet
+     * @since 3.9.0
+     */
+    @WithDefault("JKS")
+    public String keyStoreType();
+
+    /**
+     * The key password.
+     *
+     * @asciidoclet
+     * @since 3.9.0
+     */
+    public Optional<String> keyPassword();
+
     /**
      * The trust store location for this client. The resource is first looked up in the classpath, then in the file system.
      *
      * @asciidoclet
+     * @since 2.5.0
      */
     public Optional<String> trustStore();
 
     /**
-     * The trust store password
+     * The trust store password.
      *
      * @asciidoclet
+     * @since 2.5.0
      */
     public Optional<String> trustStorePassword();
 
     /**
      * The type of the trust store.
      *
      * @asciidoclet
+     * @since 2.5.0
      */
     @WithDefault("JKS")
     public String trustStoreType();
@@ -426,6 +463,7 @@ public interface CxfClientConfig {
      * `PublicSuffixMatcherLoader.getDefault()`.
      *
      * @asciidoclet
+     * @since 2.5.0
      */
     public Optional<String> hostnameVerifier();