qbaware
diff --git a/‎build.gradle‎
Lines changed: 6 additions & 0 deletions b/‎build.gradle‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCEmbeddedBrokerBuilder.java‎
Lines changed: 2 additions & 3 deletions b/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCEmbeddedBrokerBuilder.java‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCKafkaClientsIntegrationTestHarness.java‎
Lines changed: 2 additions & 3 deletions b/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCKafkaClientsIntegrationTestHarness.java‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCSslConfigsBuilder.java‎
Lines changed: 166 additions & 0 deletions b/‎cruise-control-metrics-reporter/src/test/java/com/linkedin/kafka/cruisecontrol/metricsreporter/utils/CCSslConfigsBuilder.java‎
Lines changed: 166 additions & 0 deletions
@@ -321,6 +321,12 @@ project(':cruise-control') {
     api 'org.json:json:20231013'
     api 'org.xerial.snappy:snappy-java:1.1.10.5'
 
+    constraints {
+      implementation("commons-beanutils:commons-beanutils:1.11.0") {
+        because("version 1.9.4 pulled from kafa 3.9.1 has CVE-2025-48734 in it, which is fixed in 1.11.0")
+      }
+    }
+
     testImplementation project(path: ':cruise-control-metrics-reporter', configuration: 'testOutput')
     testImplementation project(path: ':cruise-control-core', configuration: 'testOutput')
     testImplementation "org.scala-lang:scala-library:$scalaVersion"
 
@@ -10,7 +10,6 @@
 import java.util.StringJoiner;
 import java.util.concurrent.atomic.AtomicInteger;
 import org.apache.kafka.common.config.SslConfigs;
-import org.apache.kafka.common.network.Mode;
 import org.apache.kafka.common.security.auth.SecurityProtocol;
 import org.apache.kafka.coordinator.group.GroupCoordinatorConfig;
 import org.apache.kafka.network.SocketServerConfigs;
@@ -19,7 +18,6 @@
 import org.apache.kafka.server.config.ServerLogConfigs;
 import org.apache.kafka.server.config.ZkConfigs;
 import org.apache.kafka.storage.internals.log.CleanerConfig;
-import org.apache.kafka.test.TestSslUtils;
 
 
 public class CCEmbeddedBrokerBuilder {
@@ -282,7 +280,8 @@ public Map<Object, Object> buildConfig() {
     }
     if (_trustStore != null || _sslPort > 0) {
       try {
-        props.putAll(TestSslUtils.createSslConfig(false, true, Mode.SERVER, _trustStore, "server" + _nodeId));
+        props.putAll(CCSslTestUtils.createSslConfig(false, true,
+            CCSslTestUtils.ConnectionMode.SERVER, _trustStore, "server" + _nodeId));
         // Switch interbroker to ssl
         props.put(ReplicationConfigs.INTER_BROKER_SECURITY_PROTOCOL_CONFIG, SecurityProtocol.SSL.name);
       } catch (Exception e) {
 
@@ -11,10 +11,8 @@
 import org.apache.kafka.clients.producer.Producer;
 import org.apache.kafka.clients.producer.KafkaProducer;
 import org.apache.kafka.common.config.SslConfigs;
-import org.apache.kafka.common.network.Mode;
 import org.apache.kafka.common.security.auth.SecurityProtocol;
 import org.apache.kafka.common.serialization.StringSerializer;
-import org.apache.kafka.test.TestSslUtils;
 
 
 public abstract class CCKafkaClientsIntegrationTestHarness extends CCKafkaIntegrationTestHarness {
@@ -58,7 +56,8 @@ protected void setSecurityConfigs(Properties clientProps, String certAlias) {
       clientProps.setProperty(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, protocol.name);
       clientProps.setProperty(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG, "");
       try {
-        clientProps.putAll(TestSslUtils.createSslConfig(true, true, Mode.CLIENT, trustStoreFile, certAlias));
+        clientProps.putAll(CCSslTestUtils.createSslConfig(true, true,
+            CCSslTestUtils.ConnectionMode.CLIENT, trustStoreFile, certAlias));
       } catch (Exception e) {
         throw new IllegalStateException(e);
       }
 
@@ -0,0 +1,166 @@
+/*
+ * Copyright 2025 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License").See License in the project root for license information.
+ */
+
+package com.linkedin.kafka.cruisecontrol.metricsreporter.utils;
+
+import com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.ConnectionMode;
+import org.apache.kafka.common.config.SslConfigs;
+import org.apache.kafka.common.config.types.Password;
+import org.bouncycastle.asn1.x500.X500Name;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.File;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import static com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.createKeyStore;
+import static com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.createTrustStore;
+import static com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.generate;
+import static com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.generateKeyPair;
+import static com.linkedin.kafka.cruisecontrol.metricsreporter.utils.CCSslTestUtils.tempFile;
+
+public class CCSslConfigsBuilder {
+    private final ConnectionMode _connectionMode;
+    private String _tlsProtocol;
+    private boolean _useClientCert;
+    private boolean _createTrustStore;
+    private File _trustStoreFile;
+    private Password _trustStorePassword;
+    private Password _keyStorePassword;
+    private Password _keyPassword;
+    private String _certAlias;
+    private String _cn;
+    private String _algorithm;
+
+    public CCSslConfigsBuilder(ConnectionMode connectionMode) {
+        this._connectionMode = connectionMode;
+        this._tlsProtocol = SslConfigs.DEFAULT_SSL_PROTOCOL;
+        this._trustStorePassword = new Password("TrustStorePassword");
+        this._keyStorePassword = connectionMode == CCSslTestUtils.ConnectionMode.SERVER ? new Password("ServerPassword")
+            : new Password("ClientPassword");
+        this._keyPassword = this._keyStorePassword;
+        this._cn = "localhost";
+        this._certAlias = connectionMode.name().toLowerCase(Locale.ROOT);
+        this._algorithm = "RSA";
+        this._createTrustStore = true;
+    }
+
+    /**
+     * Set trust store file and create a new trust store to true.
+     *
+     * @param trustStoreFile Trust store file to set.
+     * @return This.
+     */
+    public CCSslConfigsBuilder createNewTrustStore(File trustStoreFile) {
+        this._trustStoreFile = trustStoreFile;
+        this._createTrustStore = true;
+        return this;
+    }
+
+    /**
+     * Set trust store file and create a new trust store to false.
+     * 
+     * @param trustStoreFile The existing trust store file to use.
+     * @return This.
+     */
+    public CCSslConfigsBuilder useExistingTrustStore(File trustStoreFile) {
+        this._trustStoreFile = trustStoreFile;
+        this._createTrustStore = false;
+        return this;
+    }
+
+    /**
+     * Set use client cert.
+     *
+     * @param useClientCert Whether to use a client certificate.
+     * @return This.
+     */
+    public CCSslConfigsBuilder useClientCert(boolean useClientCert) {
+        this._useClientCert = useClientCert;
+        return this;
+    }
+
+    /**
+     * Set use cert alias.
+     *
+     * @param certAlias The alias for the certificate in the trust store.
+     * @return This.
+     */
+    public CCSslConfigsBuilder certAlias(String certAlias) {
+        this._certAlias = certAlias;
+        return this;
+    }
+
+    /**
+     * Set cn.
+     *
+     * @param cn The common name (CN) for the certificate.
+     * @return This.
+     */
+    public CCSslConfigsBuilder cn(String cn) {
+        this._cn = cn;
+        return this;
+    }
+
+    /**
+     * Builds the Java KeyStore (JKS)-based SSL configuration.
+     * Depending on the connection mode (CLIENT or SERVER), this method generates the required
+     * key pairs and self-signed certificates, creates keystores, and optionally creates a trust store.
+     *
+     * @return A map of SSL configuration properties suitable for use with Kafka or other TLS-based systems.
+     * @throws IOException If file operations fail during keystore or trust store creation.
+     * @throws GeneralSecurityException If a cryptographic error occurs while generating keys or certificates.
+     */
+    public Map<String, Object> buildJks() throws IOException, GeneralSecurityException {
+        Map<String, X509Certificate> certs = new HashMap<>();
+        File keyStoreFile = null;
+        if (this._connectionMode == CCSslTestUtils.ConnectionMode.CLIENT && this._useClientCert) {
+            keyStoreFile = tempFile("clientKS", ".jks");
+            KeyPair cKP = generateKeyPair(this._algorithm);
+            X509Certificate cCert = generate(new X500Name("CN=" + _cn + ", O=A client"), cKP);
+            createKeyStore(keyStoreFile.getPath(), this._keyStorePassword, this._keyPassword, "client",
+                cKP.getPrivate(), cCert);
+            certs.put(this._certAlias, cCert);
+        } else if (this._connectionMode == CCSslTestUtils.ConnectionMode.SERVER) {
+            keyStoreFile = tempFile("serverKS", ".jks");
+            KeyPair sKP = generateKeyPair(this._algorithm);
+            X509Certificate sCert = generate(new X500Name("CN=" + _cn + ", O=A server"), sKP);
+            createKeyStore(keyStoreFile.getPath(), this._keyStorePassword, this._keyPassword, "server",
+                sKP.getPrivate(), sCert);
+            certs.put(this._certAlias, sCert);
+            keyStoreFile.deleteOnExit();
+        }
+
+        if (this._createTrustStore) {
+            createTrustStore(this._trustStoreFile.getPath(), this._trustStorePassword, certs);
+            this._trustStoreFile.deleteOnExit();
+        }
+
+        Map<String, Object> sslConfigs = new HashMap<>();
+        sslConfigs.put("ssl.protocol", this._tlsProtocol);
+        if (this._connectionMode == CCSslTestUtils.ConnectionMode.SERVER || this._connectionMode == CCSslTestUtils.ConnectionMode.CLIENT
+            && keyStoreFile != null) {
+            sslConfigs.put("ssl.keystore.location", keyStoreFile.getPath());
+            sslConfigs.put("ssl.keystore.type", "JKS");
+            sslConfigs.put("ssl.keymanager.algorithm", TrustManagerFactory.getDefaultAlgorithm());
+            sslConfigs.put("ssl.keystore.password", this._keyStorePassword);
+            sslConfigs.put("ssl.key.password", this._keyPassword);
+        }
+
+        sslConfigs.put("ssl.truststore.location", this._trustStoreFile.getPath());
+        sslConfigs.put("ssl.truststore.password", this._trustStorePassword);
+        sslConfigs.put("ssl.truststore.type", "JKS");
+        sslConfigs.put("ssl.trustmanager.algorithm", TrustManagerFactory.getDefaultAlgorithm());
+        List<String> enabledProtocols = new ArrayList<>();
+        enabledProtocols.add(this._tlsProtocol);
+        sslConfigs.put("ssl.enabled.protocols", enabledProtocols);
+        return sslConfigs;
+    }
+}