Expose HostnameVerificationPolicy in TLSConfigurer

Apache HttpClient 5.4 introduced a new component: `HostnameVerificationPolicy`, which determines whether hostname verification is done by the JSSE provider (at socket level, during TLS handshake), the HttpClient (after TLS handshake), or both.

This change exposes `HostnameVerificationPolicy` in `TLSConfigurer`. This component is particularly useful when attempting to bypass hostname verification, e.g. by using the `NoopHostnameVerifier`. The default policy is set to `BOTH`, which produces the same result as before.

Author: adutra

build.gradle

@@ -399,6 +399,7 @@ project(':iceberg-core') {
       exclude group: 'junit'
     }
     testImplementation libs.awaitility
+    testImplementation libs.bouncycastle.bcpkix
   }
 }
 

core/src/main/java/org/apache/iceberg/rest/HTTPClient.java

@@ -416,6 +416,7 @@ static HttpClientConnectionManager configureConnectionManager(Map<String, String
               tlsConfigurer.supportedProtocols(),
               tlsConfigurer.supportedCipherSuites(),
               SSLBufferMode.STATIC,
+              tlsConfigurer.hostnameVerificationPolicy(),
               tlsConfigurer.hostnameVerifier()));
     }
 

core/src/main/java/org/apache/iceberg/rest/auth/TLSConfigurer.java

@@ -21,6 +21,7 @@
 import java.util.Map;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
 import org.apache.hc.client5.http.ssl.HttpsSupport;
 import org.apache.hc.core5.ssl.SSLContexts;
 
@@ -32,6 +33,10 @@ default SSLContext sslContext() {
     return SSLContexts.createDefault();
   }
 
+  default HostnameVerificationPolicy hostnameVerificationPolicy() {
+    return HostnameVerificationPolicy.BOTH;
+  }
+
   default HostnameVerifier hostnameVerifier() {
     return HttpsSupport.getDefaultHostnameVerifier();
   }

core/src/test/java/org/apache/iceberg/rest/TestHTTPClient.java

@@ -35,37 +35,49 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
+import java.nio.file.Path;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
 import org.apache.hc.client5.http.auth.AuthScope;
 import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
 import org.apache.hc.client5.http.config.ConnectionConfig;
 import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.HttpStatus;
 import org.apache.iceberg.IcebergBuild;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.relocated.com.google.common.collect.ImmutableMap;
+import org.apache.iceberg.relocated.com.google.common.collect.Sets;
 import org.apache.iceberg.rest.auth.AuthSession;
 import org.apache.iceberg.rest.auth.TLSConfigurer;
 import org.apache.iceberg.rest.responses.ErrorResponse;
 import org.apache.iceberg.rest.responses.ErrorResponseParser;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.EnumSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.mockserver.configuration.Configuration;
 import org.mockserver.integration.ClientAndServer;
+import org.mockserver.logging.MockServerLogger;
 import org.mockserver.matchers.Times;
 import org.mockserver.model.HttpRequest;
 import org.mockserver.model.HttpResponse;
+import org.mockserver.socket.tls.KeyStoreFactory;
 import org.mockserver.verify.VerificationTimes;
 
 /**
@@ -395,6 +407,99 @@ public void testLoadTLSConfigurerNotImplementTLSConfigurer() {
         .hasMessageContaining("does not implement TLSConfigurer");
   }
 
+  public static class LaxTLSConfigurer implements TLSConfigurer {
+
+    private static HostnameVerificationPolicy policy = HostnameVerificationPolicy.BUILTIN;
+
+    static void setPolicy(HostnameVerificationPolicy policy) {
+      LaxTLSConfigurer.policy = policy;
+    }
+
+    @Override
+    public SSLContext sslContext() {
+      // Create an SSLContext that trusts MockServer's CA certificate but still performs hostname
+      // verification during SSL handshake
+      try {
+        KeyStore keyStore =
+            new KeyStoreFactory(Configuration.configuration(), new MockServerLogger())
+                .loadOrCreateKeyStore();
+        TrustManagerFactory tmf =
+            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(keyStore);
+        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+        sslContext.init(null, tmf.getTrustManagers(), null);
+        return sslContext;
+      } catch (Exception e) {
+        throw new RuntimeException("Failed to create SSLContext", e);
+      }
+    }
+
+    @Override
+    public HostnameVerificationPolicy hostnameVerificationPolicy() {
+      return policy;
+    }
+
+    @Override
+    public HostnameVerifier hostnameVerifier() {
+      // Disable hostname verification at HttpClient level (post SSL handshake)
+      return NoopHostnameVerifier.INSTANCE;
+    }
+  }
+
+  @ParameterizedTest
+  @EnumSource(HostnameVerificationPolicy.class)
+  public void testTLSConfigurerHostnameVerificationPolicy(HostnameVerificationPolicy policy, @TempDir Path temp)
+      throws IOException {
+
+    // Start a dedicated MockServer with a certificate that does NOT include 127.0.0.1 or localhost
+    // in its SANs. Hostname verification must be disabled for this test to pass.
+    Configuration tlsConfig = Configuration.configuration();
+    tlsConfig.proactivelyInitialiseTLS(true);
+    tlsConfig.preventCertificateDynamicUpdate(true);
+    tlsConfig.sslCertificateDomainName("example.com");
+    tlsConfig.sslSubjectAlternativeNameIps(Sets.newHashSet("1.2.3.4"));
+    tlsConfig.sslSubjectAlternativeNameDomains(Sets.newHashSet("example.com"));
+    tlsConfig.directoryToSaveDynamicSSLCertificate(temp.toFile().getAbsolutePath());
+
+    int tlsPort = PORT + 1;
+    try (ClientAndServer server = startClientAndServer(tlsConfig, tlsPort)) {
+
+      String path = "tls/path";
+      HttpRequest mockRequest =
+          request()
+              .withPath("/" + path)
+              .withMethod(HttpMethod.HEAD.name().toUpperCase(Locale.ROOT));
+      HttpResponse mockResponse = response().withStatusCode(200).withBody("TLS response");
+      server.when(mockRequest).respond(mockResponse);
+
+      LaxTLSConfigurer.setPolicy(policy);
+
+      Map<String, String> properties =
+          Map.of(HTTPClient.REST_TLS_CONFIGURER, LaxTLSConfigurer.class.getName());
+
+      try (HTTPClient client =
+          HTTPClient.builder(properties)
+              .uri(String.format("https://127.0.0.1:%d", tlsPort))
+              .withAuthSession(AuthSession.EMPTY)
+              .build()) {
+
+        if (policy == HostnameVerificationPolicy.CLIENT) {
+          // With hostname verification performed by the HttpClient *only*,
+          // the request should succeed
+          assertThatCode(() -> client.head(path, Map.of(), (unused) -> {}))
+              .doesNotThrowAnyException();
+        } else {
+          // With hostname verification performed by the JSSE provider,
+          // the request should fail with a CertificateException
+          assertThatThrownBy(() -> client.head(path, Map.of(), (unused) -> {}))
+              .rootCause()
+              .isInstanceOf(CertificateException.class)
+              .hasMessage("No subject alternative names matching IP address 127.0.0.1 found");
+        }
+      }
+    }
+  }
+
   @Test
   public void testSocketTimeout() throws IOException {
     long socketTimeoutMs = 2000L;

gradle/libs.versions.toml

@@ -36,6 +36,7 @@ awaitility = "4.3.0"
 awssdk-bom = "2.42.4"
 azuresdk-bom = "1.3.4"
 awssdk-s3accessgrants = "2.4.1"
+bouncycastle = "1.83"
 bson-ver = "4.11.5"
 caffeine = "2.9.3"
 calcite = "1.41.0"
@@ -111,6 +112,7 @@ awssdk-bom = { module = "software.amazon.awssdk:bom", version.ref = "awssdk-bom"
 awssdk-s3accessgrants = { module = "software.amazon.s3.accessgrants:aws-s3-accessgrants-java-plugin", version.ref = "awssdk-s3accessgrants" }
 azuresdk-bom = { module = "com.azure:azure-sdk-bom", version.ref = "azuresdk-bom" }
 bson = { module = "org.mongodb:bson", version.ref = "bson-ver"}
+bouncycastle-bcpkix = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref = "bouncycastle" }
 caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version.ref = "caffeine" }
 calcite-core = { module = "org.apache.calcite:calcite-core", version.ref = "calcite" }
 calcite-druid = { module = "org.apache.calcite:calcite-druid", version.ref = "calcite" }