fix: check secured and sni for tcp server

gravitee-apim-gateway/gravitee-apim-gateway-reactor/src/test/java/io/gravitee/gateway/reactive/reactor/DefaultTcpSocketDispatcherTest.java

@@ -15,7 +15,10 @@
  */
 package io.gravitee.gateway.reactive.reactor;
 
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
 import io.gravitee.common.utils.UUID;
 import io.gravitee.definition.model.v4.Api;
@@ -79,9 +82,7 @@ void should_fail_dispatching_no_acceptor() {
         when(netSocket.indicatedServerName()).thenReturn("turlututu");
         cut
             .dispatch(netSocket, "server1")
-            .doFinally(() -> {
-                verify(reactorHandler.handle(any(DefaultExecutionContext.class)), never());
-            })
+            .doFinally(() -> verify(reactorHandler.handle(any(DefaultExecutionContext.class)), never()))
             .test()
             .assertError(err -> err.getMessage().contains("SNI: turlututu"))
             .awaitDone(100, TimeUnit.MILLISECONDS);
@@ -94,9 +95,7 @@ void should_fail_dispatching_exception() {
         when(netSocket.pause()).thenThrow(unexpected);
         cut
             .dispatch(netSocket, "server1")
-            .doFinally(() -> {
-                verify(reactorHandler.handle(any(DefaultExecutionContext.class)), never());
-            })
+            .doFinally(() -> verify(reactorHandler.handle(any(DefaultExecutionContext.class)), never()))
             .test()
             .assertError(unexpected)
             .awaitDone(100, TimeUnit.MILLISECONDS);

gravitee-apim-gateway/gravitee-apim-gateway-standalone/gravitee-apim-gateway-standalone-container/src/main/java/io/gravitee/gateway/standalone/vertx/VertxReactorConfiguration.java

@@ -36,7 +36,6 @@
 import org.springframework.beans.factory.config.ConfigurableBeanFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Lazy;
 import org.springframework.context.annotation.Scope;
 import org.springframework.core.env.Environment;
 
@@ -57,15 +56,20 @@ public ServerManager serverManager(
         int counter = 0;
 
         final DefaultServerManager serverManager = new DefaultServerManager();
-        if (environment.getProperty(SERVERS_PREFIX + "[" + counter + "].type") != null) {
+        if (getServerType(environment, SERVERS_PREFIX + "[" + counter + "]") != null) {
             // There is, at least one server configured in the list.
             String prefix = SERVERS_PREFIX + "[" + counter++ + "]";
 
-            while ((environment.getProperty(prefix + ".type")) != null) {
+            while (getServerType(environment, prefix) != null) {
+                String property = getServerType(environment, prefix);
+                boolean isTcpServer = Objects.equals(property, TCP_PREFIX);
                 final VertxServerOptions options = VertxServerOptions
                     .builder(environment, prefix)
-                    .defaultPort(Objects.equals(environment.getProperty("%s.type".formatted(prefix)), TCP_PREFIX) ? TCP_DEFAULT_PORT : 8082)
+                    .defaultPort(isTcpServer ? TCP_DEFAULT_PORT : 8082)
                     .build();
+                if (isTcpServer) {
+                    assertTcpOptions(options);
+                }
                 serverManager.register(serverFactory.create(options));
                 prefix = SERVERS_PREFIX + "[" + counter++ + "]";
             }
@@ -91,13 +95,24 @@ public ServerManager serverManager(
                     .environment(environment)
                     .id("tcp")
                     .build();
+                assertTcpOptions(tcpOptions);
                 serverManager.register(serverFactory.create(tcpOptions));
             }
         }
 
         return serverManager;
     }
 
+    private void assertTcpOptions(VertxServerOptions options) {
+        if (!(options.isSecured() && options.isSni())) {
+            throw new IllegalArgumentException("TCP API requires TLS and SNI to be enabled");
+        }
+    }
+
+    private static String getServerType(Environment environment, String prefix) {
+        return environment.getProperty("%s.type".formatted(prefix));
+    }
+
     @Bean
     @Scope(ConfigurableBeanFactory.SCOPE_PROTOTYPE)
     public HttpProtocolVerticle graviteeVerticle(

gravitee-apim-gateway/gravitee-apim-gateway-standalone/gravitee-apim-gateway-standalone-container/src/test/java/io/gravitee/gateway/standalone/vertx/VertxReactorConfigurationTest.java

@@ -16,11 +16,13 @@
 package io.gravitee.gateway.standalone.vertx;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 
 import io.gravitee.node.api.server.ServerManager;
-import io.gravitee.node.certificates.KeyStoreLoaderManager;
 import io.gravitee.node.vertx.server.VertxServer;
 import io.gravitee.node.vertx.server.VertxServerFactory;
 import io.gravitee.node.vertx.server.VertxServerOptions;
@@ -29,6 +31,8 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
 import org.mockito.ArgumentCaptor;
 import org.mockito.Captor;
 import org.mockito.Mock;
@@ -156,6 +160,8 @@ void should_create_http_and_tcp_server() {
         when(tcpVertxServer.id()).thenReturn("tcp");
 
         environment.setProperty("tcp.enabled", "true");
+        environment.setProperty("tcp.secured", "true");
+        environment.setProperty("tcp.ssl.sni", "true");
 
         when(serverFactory.create(any(VertxHttpServerOptions.class))).thenReturn(httpVertxServer);
         when(serverFactory.create(any(VertxTcpServerOptions.class))).thenReturn(tcpVertxServer);
@@ -165,4 +171,33 @@ void should_create_http_and_tcp_server() {
         assertThat(serverManager.servers()).isNotNull();
         assertThat(serverManager.servers()).containsExactlyInAnyOrder(httpVertxServer, tcpVertxServer);
     }
+
+    @ParameterizedTest
+    @CsvSource({ "true,false", "false,false", "false,true" })
+    void should_fail_creating_default_tcp_server(String secured, String sni) {
+        // there is always a http server
+        final VertxServer httpVertxServer = mock(VertxServer.class);
+        when(httpVertxServer.id()).thenReturn("http");
+        when(serverFactory.create(any(VertxHttpServerOptions.class))).thenReturn(httpVertxServer);
+
+        environment.setProperty("tcp.enabled", "true");
+        environment.setProperty("tcp.secured", secured);
+        environment.setProperty("tcp.ssl.sni", sni);
+
+        assertThatCode(() -> cut.serverManager(serverFactory, environment))
+            .isInstanceOf(IllegalArgumentException.class)
+            .hasMessageContaining("SNI");
+    }
+
+    @ParameterizedTest
+    @CsvSource({ "true,false", "false,false", "false,true" })
+    void should_fail_creating_multi_tcp_server(String secured, String sni) {
+        environment.setProperty("servers[0].type", "tcp");
+        environment.setProperty("servers[0].secured", secured);
+        environment.setProperty("servers[0].ssl.sni", sni);
+
+        assertThatCode(() -> cut.serverManager(serverFactory, environment))
+            .isInstanceOf(IllegalArgumentException.class)
+            .hasMessageContaining("SNI");
+    }
 }