Support passing a custom truststore with central calls

cli/central-client/src/main/java/org/ballerinalang/central/client/CentralAPIClient.java

@@ -51,11 +51,19 @@
 import org.ballerinalang.central.client.model.ToolResolutionCentralResponse;
 import org.ballerinalang.central.client.model.ToolSearchResult;
 
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.PrintStream;
 import java.net.Proxy;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -64,6 +72,9 @@
 import java.util.concurrent.TimeUnit;
 
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 import static java.net.HttpURLConnection.HTTP_BAD_GATEWAY;
 import static java.net.HttpURLConnection.HTTP_BAD_REQUEST;
@@ -143,14 +154,15 @@ public class CentralAPIClient {
     private static final MediaType JSON = MediaType.parse("application/json; charset=utf-8");
     private static final MediaType JSON_CONTENT_TYPE = MediaType.parse("application/json");
 
-    // System property name for enabling central verbose
-    public static final String SYS_PROP_CENTRAL_VERBOSE_ENABLED = "CENTRAL_VERBOSE_ENABLED";
     private static final int DEFAULT_CONNECT_TIMEOUT = 60;
     private static final int DEFAULT_READ_TIMEOUT = 60;
     private static final int DEFAULT_WRITE_TIMEOUT = 60;
     private static final int DEFAULT_CALL_TIMEOUT = 0;
     private static final int MAX_RETRY = 1;
     public static final String CONNECTION_RESET = "Connection reset";
+    private static final String ENV_CENTRAL_VERBOSE_ENABLED = "CENTRAL_VERBOSE_ENABLED";
+    private static final String ENV_TRUSTSTORE_PATH = "BALLERINA_TRUSTSTORE_PATH";
+    private static final String ENV_TRUSTSTORE_PASSWORD = "BALLERINA_TRUSTSTORE_PASSWORD";
 
     private final String baseUrl;
     private final Proxy proxy;
@@ -164,20 +176,24 @@ public class CentralAPIClient {
     private final int writeTimeout;
     private final int callTimeout;
     private final int maxRetries;
+    private final String trustStorePath;
+    private final String trustStorePassword;
 
     public CentralAPIClient(String baseUrl, Proxy proxy, String accessToken) {
         this.outStream = System.out;
         this.baseUrl = baseUrl;
         this.proxy = proxy;
         this.accessToken = accessToken;
-        this.verboseEnabled = Boolean.parseBoolean(System.getenv(SYS_PROP_CENTRAL_VERBOSE_ENABLED));
+        this.verboseEnabled = Boolean.parseBoolean(System.getenv(ENV_CENTRAL_VERBOSE_ENABLED));
         this.proxyUsername = "";
         this.proxyPassword = "";
         this.connectTimeout = DEFAULT_CONNECT_TIMEOUT;
         this.readTimeout = DEFAULT_READ_TIMEOUT;
         this.writeTimeout = DEFAULT_WRITE_TIMEOUT;
         this.callTimeout = DEFAULT_CALL_TIMEOUT;
         this.maxRetries = MAX_RETRY;
+        this.trustStorePath = System.getenv(ENV_TRUSTSTORE_PATH);
+        this.trustStorePassword = System.getenv(ENV_TRUSTSTORE_PASSWORD);
     }
 
     public CentralAPIClient(String baseUrl, Proxy proxy, String accessToken, boolean verboseEnabled, int maxRetries,
@@ -194,6 +210,8 @@ public CentralAPIClient(String baseUrl, Proxy proxy, String accessToken, boolean
         this.writeTimeout = DEFAULT_WRITE_TIMEOUT;
         this.callTimeout = DEFAULT_CALL_TIMEOUT;
         this.maxRetries = maxRetries;
+        this.trustStorePath = System.getenv(ENV_TRUSTSTORE_PATH);
+        this.trustStorePassword = System.getenv(ENV_TRUSTSTORE_PASSWORD);
     }
 
     public CentralAPIClient(String baseUrl, Proxy proxy, String proxyUsername, String proxyPassword,
@@ -203,14 +221,16 @@ public CentralAPIClient(String baseUrl, Proxy proxy, String proxyUsername, Strin
         this.baseUrl = baseUrl;
         this.proxy = proxy;
         this.accessToken = accessToken;
-        this.verboseEnabled = Boolean.parseBoolean(System.getenv(SYS_PROP_CENTRAL_VERBOSE_ENABLED));
+        this.verboseEnabled = Boolean.parseBoolean(System.getenv(ENV_CENTRAL_VERBOSE_ENABLED));
         this.proxyUsername = proxyUsername;
         this.proxyPassword = proxyPassword;
         this.connectTimeout = connectionTimeout;
         this.readTimeout = readTimeout;
         this.writeTimeout = writeTimeout;
         this.callTimeout = callTimeout;
         this.maxRetries = maxRetries;
+        this.trustStorePath = System.getenv(ENV_TRUSTSTORE_PATH);
+        this.trustStorePassword = System.getenv(ENV_TRUSTSTORE_PASSWORD);
     }
 
     /**
@@ -1579,17 +1599,39 @@ public JsonObject getConnector(ConnectorInfo connector, String supportedPlatform
      *
      * @return the client
      */
-    protected OkHttpClient getClient() {
-        OkHttpClient okHttpClient = new OkHttpClient.Builder()
+    protected OkHttpClient getClient() throws CentralClientException {
+        OkHttpClient.Builder builder = new OkHttpClient.Builder()
                 .connectTimeout(connectTimeout, TimeUnit.SECONDS)
                 .readTimeout(readTimeout, TimeUnit.SECONDS)
                 .writeTimeout(writeTimeout, TimeUnit.SECONDS)
                 .callTimeout(callTimeout, TimeUnit.SECONDS)
                 .followRedirects(false)
                 .retryOnConnectionFailure(true)
                 .proxy(this.proxy)
-                .addInterceptor(new CustomRetryInterceptor(this.maxRetries))
-                .build();
+                .addInterceptor(new CustomRetryInterceptor(this.maxRetries));
+        if (this.trustStorePath != null && this.trustStorePassword != null) {
+            try {
+                KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
+                try (InputStream keys = new FileInputStream(trustStorePath)) {
+                    truststore.load(keys, trustStorePassword.toCharArray());
+                }
+                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
+                        TrustManagerFactory.getDefaultAlgorithm());
+                trustManagerFactory.init(truststore);
+
+                SSLContext sslContext = SSLContext.getInstance("TLS");
+                sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
+                SSLContext.setDefault(sslContext);
+
+                builder.sslSocketFactory(sslContext.getSocketFactory(),
+                        (X509TrustManager) trustManagerFactory.getTrustManagers()[0]);
+            } catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException |
+                     KeyManagementException e) {
+                throw new CentralClientException(e.getMessage());
+            }
+        }
+
+        OkHttpClient okHttpClient = builder.build();
 
         if ((!(this.proxyUsername).isEmpty() && !(this.proxyPassword).isEmpty())) {
             Authenticator proxyAuthenticator = (route, response) -> {

cli/central-client/src/test/java/org/ballerinalang/central/client/TestCustomRetryInterceptor.java

@@ -23,6 +23,7 @@
 import okhttp3.Response;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
+import org.ballerinalang.central.client.exceptions.CentralClientException;
 import org.testng.Assert;
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.Test;
@@ -49,7 +50,7 @@ public class TestCustomRetryInterceptor {
 
 
     @BeforeClass
-    public void setUp() {
+    public void setUp() throws CentralClientException {
         this.console = new ByteArrayOutputStream();
         PrintStream outStream = new PrintStream(this.console);
         CentralAPIClient centralAPIClient = new CentralAPIClient("https://localhost:9090/registry",