Simplifying SSL configuration

Having to set sslProtocol was bothering me because I don't think there's any way for something besides "default" to work.

Author: rjrudin

docs/configuration.md

@@ -26,8 +26,8 @@ These options define how the connector connects and authenticates with MarkLogic
 | spark.marklogic.client.cloud.apiKey         | Required for MarkLogic `cloud` authentication. |
 | spark.marklogic.client.kerberos.principal | Required for `kerberos` authentication. |
 | spark.marklogic.client.saml.token | Required for `saml` authentication. |
-| spark.marklogic.client.sslProtocol | If `default`, an SSL connection is created using the JVM's default SSL context; else the value is passed to the [SSLContext method](https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#getInstance-java.lang.String-) for instantiating an SSL context. |
-| spark.marklogic.client.sslHostnameVerifier | Either `any`, `common`, or `strict`. |
+| spark.marklogic.client.sslEnabled | If 'true', an SSL connection is created using the JVM's default SSL context.
+| spark.marklogic.client.sslHostnameVerifier | Either `any`, `common`, or `strict`; see the [MarkLogic Java Client documentation](https://docs.marklogic.com/javadoc/client/com/marklogic/client/DatabaseClientFactory.SSLHostnameVerifier.html) for more information on these choices. |
 | spark.marklogic.client.uri | Shortcut for setting the host, port, username, and password when using `basic` or `digest` authentication. See below for more information. |
 
 ### Connecting with a client URI
@@ -61,11 +61,10 @@ triplet. For example, a password of `sp@r:k` must appear in the `spark.marklogic
 
 ### Configuring SSL 
 
-If the MarkLogic app server that the connector will connect to requires SSL, you will need to configure the 
-`spark.marklogic.client.sslProtocol` option. The common approach is to set this to `default`, causing the associated
-JVM's certificate store - typically the `$JAVA_HOME/jre/lib/security/cacerts` file - to be used for establishing an 
-SSL connection. The certificate store should contain the public certificate associated with the SSL certificate template
-used by the MarkLogic app server. 
+If the MarkLogic app server that the connector will connect to requires SSL, the `spark.marklogic.client.sslEnabled` 
+option must be set to 'true'. This causes the associated JVM's certificate store - typically the 
+`$JAVA_HOME/jre/lib/security/cacerts` file - to be used for establishing an SSL connection. The certificate store 
+should contain the public certificate associated with the SSL certificate template used by the MarkLogic app server. 
 
 If you receive an error containing a message of "PKIX path building failed", the most likely issue is that your JVM's
 certificate store does not contain the public certificate associated with the MarkLogic app server, or your Spark
@@ -75,7 +74,9 @@ error.
 
 If you receive an `javax.net.ssl.SSLPeerUnverifiedException` error, you will need to adjust the 
 `spark.marklogic.client.sslHostnameVerifier` option. A value of `ANY` will disable hostname verification, 
-which may be appropriate in a development or test environment. 
+which may be appropriate in a development or test environment. The 
+[MarkLogic Java Client documentation](https://docs.marklogic.com/javadoc/client/com/marklogic/client/DatabaseClientFactory.SSLHostnameVerifier.html)
+describes the other choices for this option.
 
 ## Read options
 

src/main/java/com/marklogic/spark/ContextSupport.java

@@ -62,6 +62,10 @@ protected final Map<String, String> buildConnectionProperties() {
             parseClientUri(clientUri, connectionProps);
         }
 
+        if ("true".equalsIgnoreCase(properties.get(Options.CLIENT_SSL_ENABLED))) {
+            connectionProps.put("spark.marklogic.client.sslProtocol", "default");
+        }
+
         return connectionProps;
     }
 

src/main/java/com/marklogic/spark/Options.java

@@ -18,6 +18,7 @@
 public interface Options {
 
     String CLIENT_URI = "spark.marklogic.client.uri";
+    String CLIENT_SSL_ENABLED = "spark.marklogic.client.sslEnabled";
 
     String READ_OPTIC_QUERY = "spark.marklogic.read.opticQuery";
     String READ_NUM_PARTITIONS = "spark.marklogic.read.numPartitions";

src/test/java/com/marklogic/spark/BuildConnectionPropertiesTest.java

@@ -21,6 +21,7 @@
 import java.util.Map;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 
 public class BuildConnectionPropertiesTest {
 
@@ -48,4 +49,25 @@ void overrideDefaults() {
         assertEquals("direct", connectionProps.get(CONNECTION_TYPE));
     }
 
+    @Test
+    void sslEnabled() {
+        properties.put(Options.CLIENT_SSL_ENABLED, "true");
+
+        Map<String, String> connectionProps = new ContextSupport(properties).buildConnectionProperties();
+        assertEquals("default", connectionProps.get("spark.marklogic.client.sslProtocol"),
+            "While the Java Client allows for actual protocol values for the sslProtocol property, the SSLContext " +
+                "that's created still needs an X509TrustManager. But since Spark options only allow for simple values, " +
+                "there's no way for a Spark user to provide a custom X509TrustManager. It appears the only possibility " +
+                "is to use the JVM's default trust manager. Thus, instead of forcing the user to set " +
+                "sslProtocol=default (which implies there are other valid choices), the Spark connector lets a user " +
+                "set sslEnabled=true, which is a shortcut for requesting that the JVM's default trust manager be used.");
+    }
+
+    @Test
+    void sslDisabled() {
+        properties.put(Options.CLIENT_SSL_ENABLED, "false");
+
+        Map<String, String> connectionProps = new ContextSupport(properties).buildConnectionProperties();
+        assertFalse(connectionProps.containsKey("spark.marklogic.client.sslProtocol"));
+    }
 }