add fallback to CN verification option

service-config/.gitignore

@@ -0,0 +1 @@
+/generated/

service-config/src/main/java/com/palantir/conjure/java/api/config/service/PartialServiceConfiguration.java

@@ -68,6 +68,14 @@ public interface PartialServiceConfiguration {
     @JsonAlias("enable-gcm-cipher-suites")
     Optional<Boolean> enableGcmCipherSuites();
 
+    /**
+     * Enables fallback to common name verification, defaults to false.
+     * @deprecated This option will be removed by the end of 2019. Certificates are expected to provide valid SANs.
+     */
+    @Deprecated
+    @JsonAlias("fallback-to-common-name-verification")
+    Optional<Boolean> fallbackToCommonNameVerification();
+
     /** Proxy configuration for connecting to the service. If absent, uses system proxy configuration. */
     @JsonAlias("proxy-configuration")
     Optional<ProxyConfiguration> proxyConfiguration();

service-config/src/main/java/com/palantir/conjure/java/api/config/service/ServiceConfiguration.java

@@ -48,6 +48,8 @@ public interface ServiceConfiguration {
 
     Optional<Boolean> enableGcmCipherSuites();
 
+    Optional<Boolean> fallbackToCommonNameVerification();
+
     Optional<ProxyConfiguration> proxy();
 
     static ImmutableServiceConfiguration.Builder builder() {

service-config/src/main/java/com/palantir/conjure/java/api/config/service/ServiceConfigurationFactory.java

@@ -86,6 +86,9 @@ private ServiceConfiguration propagateDefaults(String serviceName, PartialServic
                 .proxy(orElse(partial.proxyConfiguration(), services.defaultProxyConfiguration()))
                 .enableGcmCipherSuites(
                         orElse(partial.enableGcmCipherSuites(), services.defaultEnableGcmCipherSuites()))
+                .fallbackToCommonNameVerification(orElse(
+                        partial.fallbackToCommonNameVerification(),
+                        services.defaultFallbackToCommonNameVerification()))
                 .build();
     }
 

service-config/src/main/java/com/palantir/conjure/java/api/config/service/ServicesConfigBlock.java

@@ -98,6 +98,15 @@ public abstract class ServicesConfigBlock {
     @JsonAlias("enable-gcm-cipher-suites")
     public abstract Optional<Boolean> defaultEnableGcmCipherSuites();
 
+    /**
+     * Default fallback to common name verification, defaults to false.
+     * @deprecated This option will be removed by the end of 2019. Certificates are expected to provide valid SANs.
+     */
+    @Deprecated
+    @JsonProperty("fallbackToCommonNameVerification")
+    @JsonAlias("fallback-to-common-name-verification")
+    public abstract Optional<Boolean> defaultFallbackToCommonNameVerification();
+
     public static Builder builder() {
         return new Builder();
     }

service-config/src/test/java/com/palantir/conjure/java/api/config/service/PartialServiceConfigurationTest.java

@@ -48,7 +48,7 @@ public void serDe() throws Exception {
                 + "\"keyStorePassword\":null,\"keyStoreType\":\"JKS\",\"keyStoreKeyAlias\":null},\"uris\":[\"uri1\"],"
                 + "\"connectTimeout\":\"1 day\",\"readTimeout\":\"1 day\",\"writeTimeout\":\"1 day\","
                 + "\"maxNumRetries\":5,\"backoffSlotSize\":\"1 day\","
-                + "\"enableGcmCipherSuites\":null,"
+                + "\"enableGcmCipherSuites\":null,\"fallbackToCommonNameVerification\":null,"
                 + "\"proxyConfiguration\":{\"hostAndPort\":\"host:80\",\"credentials\":null,"
                 + "\"type\":\"HTTP\"}}";
         String kebabCase = "{\"api-token\":\"bearerToken\",\"security\":"
@@ -57,7 +57,7 @@ public void serDe() throws Exception {
                 + "\"connect-timeout\":\"1 day\",\"read-timeout\":\"1 day\",\"write-timeout\":\"1 day\","
                 + "\"max-num-retries\":5,\"backoff-slot-size\":\"1 day\","
                 + "\"uris\":[\"uri1\"],\"proxy-configuration\":{\"host-and-port\":\"host:80\",\"credentials\":null},"
-                + "\"enable-gcm-cipher-suites\":null}";
+                + "\"enable-gcm-cipher-suites\":null,\"fallback-to-common-name-verification\":null}";
 
         assertThat(mapper.writeValueAsString(serialized)).isEqualTo(camelCase);
         assertThat(mapper.readValue(camelCase, PartialServiceConfiguration.class)).isEqualTo(serialized);
@@ -69,11 +69,11 @@ public void serDe_optional() throws Exception {
         PartialServiceConfiguration serialized = PartialServiceConfiguration.builder().build();
         String camelCase = "{\"apiToken\":null,\"security\":null,\"uris\":[],\"connectTimeout\":null,"
                 + "\"readTimeout\":null,\"writeTimeout\":null,\"maxNumRetries\":null,\"backoffSlotSize\":null,"
-                + "\"enableGcmCipherSuites\":null,"
+                + "\"enableGcmCipherSuites\":null,\"fallbackToCommonNameVerification\":null,"
                 + "\"proxyConfiguration\":null}";
         String kebabCase = "{\"api-token\":null,\"security\":null,\"connect-timeout\":null,"
                 + "\"read-timeout\":null,\"write-timeout\":null,\"max-num-retries\":null,\"backoff-slot-size\":null,"
-                + "\"enable-gcm-cipher-suites\":null,"
+                + "\"enable-gcm-cipher-suites\":null,\"fallback-to-common-name-verification\":null,"
                 + "\"uris\":[],\"proxy-configuration\":null}";
 
         assertThat(ObjectMappers.newClientObjectMapper().writeValueAsString(serialized)).isEqualTo(camelCase);

service-config/src/test/java/com/palantir/conjure/java/api/config/service/ServiceConfigurationFactoryTests.java

@@ -59,6 +59,8 @@ public final class ServiceConfigurationFactoryTests {
     private static final ImmutableList<String> uris = ImmutableList.of("uri");
     private static final boolean defaultEnableGcm = true;
     private static final boolean enableGcm = false;
+    private static final boolean defaultFallbackToCn = true;
+    private static final boolean fallbackToCn = false;
 
     private final ObjectMapper mapper = new ObjectMapper(new YAMLFactory())
             .registerModule(new ShimJdk7Module())
@@ -100,6 +102,7 @@ public void testUsesDefaultConfigurationWhenNoExplicitConfigIsGiven() {
                 .defaultWriteTimeout(defaultWriteTimeout)
                 .defaultBackoffSlotSize(defaultBackoffSlotSize)
                 .defaultEnableGcmCipherSuites(defaultEnableGcm)
+                .defaultFallbackToCommonNameVerification(defaultFallbackToCn)
                 .build();
         ServiceConfiguration service = ServiceConfigurationFactory.of(services).get("service1");
 
@@ -112,6 +115,7 @@ public void testUsesDefaultConfigurationWhenNoExplicitConfigIsGiven() {
                 .writeTimeout(Duration.ofHours(defaultWriteTimeout.toHours()))
                 .backoffSlotSize(Duration.ofHours(defaultBackoffSlotSize.toHours()))
                 .enableGcmCipherSuites(defaultEnableGcm)
+                .fallbackToCommonNameVerification(defaultFallbackToCn)
                 .proxy(defaultProxyConfiguration)
                 .build();
 
@@ -130,6 +134,7 @@ public void testServiceSpecificConfigTrumpsDefaultConfig() {
                 .maxNumRetries(maxNumRetries)
                 .backoffSlotSize(backoffSlotSize)
                 .enableGcmCipherSuites(enableGcm)
+                .fallbackToCommonNameVerification(fallbackToCn)
                 .proxyConfiguration(proxy)
                 .build();
         ServicesConfigBlock services = ServicesConfigBlock.builder()
@@ -142,6 +147,7 @@ public void testServiceSpecificConfigTrumpsDefaultConfig() {
                 .defaultWriteTimeout(defaultWriteTimeout)
                 .defaultBackoffSlotSize(defaultBackoffSlotSize)
                 .defaultEnableGcmCipherSuites(defaultEnableGcm)
+                .defaultFallbackToCommonNameVerification(defaultFallbackToCn)
                 .build();
         ServiceConfiguration service = ServiceConfigurationFactory.of(services).get("service1");
 
@@ -155,6 +161,7 @@ public void testServiceSpecificConfigTrumpsDefaultConfig() {
                 .maxNumRetries(maxNumRetries)
                 .backoffSlotSize(Duration.ofHours(backoffSlotSize.toHours()))
                 .enableGcmCipherSuites(enableGcm)
+                .fallbackToCommonNameVerification(fallbackToCn)
                 .proxy(proxy)
                 .build();
 
@@ -187,17 +194,17 @@ public void serDe() throws Exception {
                 + "\"keyStorePassword\":null,\"keyStoreType\":\"JKS\",\"keyStoreKeyAlias\":null},\"services\":"
                 + "{\"service\":{\"apiToken\":null,\"security\":null,\"uris\":[\"uri\"],\"connectTimeout\":null,"
                 + "\"readTimeout\":null,\"writeTimeout\":null,\"maxNumRetries\":null,\"backoffSlotSize\":null,"
-                + "\"enableGcmCipherSuites\":null,"
+                + "\"enableGcmCipherSuites\":null,\"fallbackToCommonNameVerification\":null,"
                 + "\"proxyConfiguration\":null}},\"proxyConfiguration\":"
                 + "{\"hostAndPort\":\"host:80\",\"credentials\":null,\"type\":\"HTTP\"},\"connectTimeout\":\"1 day\","
                 + "\"readTimeout\":\"1 day\",\"writeTimeout\":\"1 day\",\"backoffSlotSize\":\"1 day\","
-                + "\"enableGcmCipherSuites\":null}";
+                + "\"enableGcmCipherSuites\":null,\"fallbackToCommonNameVerification\":null}";
         String kebabCase = "{\"api-token\":\"bearerToken\",\"security\":"
                 + "{\"trust-store-path\":\"truststore.jks\",\"trust-store-type\":\"JKS\",\"key-store-path\":null,"
                 + "\"key-store-password\":null,\"key-store-type\":\"JKS\",\"key-store-key-alias\":null},\"services\":"
                 + "{\"service\":{\"apiToken\":null,\"security\":null,\"connect-timeout\":null,\"read-timeout\":null,"
                 + "\"write-timeout\":null,\"max-num-retries\":null,\"backoffSlotSize\":null,\"uris\":[\"uri\"],"
-                + "\"enable-gcm-cipher-suites\":null,"
+                + "\"enable-gcm-cipher-suites\":null,\"fallback-to-common-name-verification\":null,"
                 + "\"proxy-configuration\":null}},\"proxy-configuration\":"
                 + "{\"host-and-port\":\"host:80\",\"credentials\":null},\"connect-timeout\":\"1 day\","
                 + "\"read-timeout\":\"1 day\",\"write-timeout\":\"1 day\",\"backoff-slot-size\":\"1 day\"}";
@@ -216,10 +223,11 @@ public void serDe_optional() throws Exception {
         ServicesConfigBlock deserialized = ServicesConfigBlock.builder().build();
         String serializedCamelCase = "{\"apiToken\":null,\"security\":null,\"services\":{},"
                 + "\"proxyConfiguration\":null,\"connectTimeout\":null,\"readTimeout\":null,\"writeTimeout\":null,"
-                + "\"backoffSlotSize\":null,\"enableGcmCipherSuites\":null}";
+                + "\"backoffSlotSize\":null,\"enableGcmCipherSuites\":null,\"fallbackToCommonNameVerification\":null}";
         String serializedKebabCase = "{\"api-token\":null,\"security\":null,\"services\":{},"
                 + "\"proxy-configuration\":null,\"connect-timeout\":null,\"read-timeout\":null,\"write-timeout\":null,"
-                + "\"backoff-slot-size\":null,\"enable-gcm-cipher-suites\":null}";
+                + "\"backoff-slot-size\":null,\"enable-gcm-cipher-suites\":null,"
+                + "\"fallback-to-common-name-verification\":null}";
 
         assertThat(ObjectMappers.newClientObjectMapper().writeValueAsString(deserialized))
                 .isEqualTo(serializedCamelCase);