summaryrefslogtreecommitdiffstats
path: root/sonar-plugin-api
diff options
context:
space:
mode:
authorSimon Brandhof <simon.brandhof@gmail.com>2013-10-29 23:02:10 +0100
committerSimon Brandhof <simon.brandhof@gmail.com>2013-10-29 23:02:10 +0100
commitf03b9836fa44542999ddf593575ae1ae9297b225 (patch)
treebffe17edee58ab0ca135c24bad88376308a3d6e5 /sonar-plugin-api
parentcf8b89e598f53cefd01cdb45a0c67ad53b473ab5 (diff)
downloadsonarqube-f03b9836fa44542999ddf593575ae1ae9297b225.tar.gz
sonarqube-f03b9836fa44542999ddf593575ae1ae9297b225.zip
SONAR-4741 client must ignore certificates on HTTPS connections
Diffstat (limited to 'sonar-plugin-api')
-rw-r--r--sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpDownloader.java2
-rw-r--r--sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpsTrust.java95
-rw-r--r--sonar-plugin-api/src/test/java/org/sonar/api/utils/HttpsTrustTest.java102
3 files changed, 199 insertions, 0 deletions
diff --git a/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpDownloader.java b/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpDownloader.java
index 32d4044781e..c00792c4bfa 100644
--- a/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpDownloader.java
+++ b/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpDownloader.java
@@ -251,6 +251,8 @@ public class HttpDownloader extends UriReader.SchemeProcessor implements BatchCo
LoggerFactory.getLogger(getClass()).debug("Download: " + uri + " (" + getProxySynthesis(uri, ProxySelector.getDefault()) + ")");
HttpURLConnection connection = (HttpURLConnection) uri.toURL().openConnection();
+ HttpsTrust.INSTANCE.trust(connection);
+
// allow both GZip and Deflate (ZLib) encodings
connection.setRequestProperty("Accept-Encoding", "gzip");
if (!Strings.isNullOrEmpty(login)) {
diff --git a/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpsTrust.java b/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpsTrust.java
new file mode 100644
index 00000000000..d07f3690d35
--- /dev/null
+++ b/sonar-plugin-api/src/main/java/org/sonar/api/utils/HttpsTrust.java
@@ -0,0 +1,95 @@
+/*
+ * SonarQube, open source software quality management tool.
+ * Copyright (C) 2008-2013 SonarSource
+ * mailto:contact AT sonarsource DOT com
+ *
+ * SonarQube is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * SonarQube is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.api.utils;
+
+import javax.net.ssl.*;
+import java.net.HttpURLConnection;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+
+/**
+ * @since 4.0
+ */
+class HttpsTrust {
+
+ static HttpsTrust INSTANCE = new HttpsTrust(new SslContext());
+
+ static class SslContext {
+ SSLSocketFactory newFactory(TrustManager... managers) throws NoSuchAlgorithmException, KeyManagementException {
+ SSLContext context = SSLContext.getInstance("TLS");
+ context.init(null, managers, new SecureRandom());
+ return context.getSocketFactory();
+ }
+ }
+
+ private final SSLSocketFactory socketFactory;
+ private final HostnameVerifier hostnameVerifier;
+
+ HttpsTrust(SslContext context) {
+ this.socketFactory = createSocketFactory(context);
+ this.hostnameVerifier = createHostnameVerifier();
+ }
+
+ void trust(HttpURLConnection connection) {
+ if (connection instanceof HttpsURLConnection) {
+ HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
+ httpsConnection.setSSLSocketFactory(socketFactory);
+ httpsConnection.setHostnameVerifier(hostnameVerifier);
+ }
+ }
+
+ /**
+ * Trust all certificates
+ */
+ private SSLSocketFactory createSocketFactory(SslContext context) {
+ try {
+ return context.newFactory(new AlwaysTrustManager());
+ } catch (Exception e) {
+ throw new IllegalStateException("Fail to build SSL factory", e);
+ }
+ }
+
+ /**
+ * Trust all hosts
+ */
+ private HostnameVerifier createHostnameVerifier() {
+ return new HostnameVerifier() {
+ public boolean verify(String hostname, SSLSession session) {
+ return true;
+ }
+ };
+ }
+
+ static class AlwaysTrustManager implements X509TrustManager {
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+
+ public void checkClientTrusted(X509Certificate[] chain, String authType) {
+ // Do not check
+ }
+
+ public void checkServerTrusted(X509Certificate[] chain, String authType) {
+ // Do not check
+ }
+ }
+}
diff --git a/sonar-plugin-api/src/test/java/org/sonar/api/utils/HttpsTrustTest.java b/sonar-plugin-api/src/test/java/org/sonar/api/utils/HttpsTrustTest.java
new file mode 100644
index 00000000000..494b504a734
--- /dev/null
+++ b/sonar-plugin-api/src/test/java/org/sonar/api/utils/HttpsTrustTest.java
@@ -0,0 +1,102 @@
+/*
+ * SonarQube, open source software quality management tool.
+ * Copyright (C) 2008-2013 SonarSource
+ * mailto:contact AT sonarsource DOT com
+ *
+ * SonarQube is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * SonarQube is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.api.utils;
+
+import org.junit.Test;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.TrustManager;
+import java.io.IOException;
+import java.net.URL;
+import java.security.KeyManagementException;
+
+import static org.fest.assertions.Assertions.assertThat;
+import static org.fest.assertions.Fail.fail;
+import static org.mockito.Matchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class HttpsTrustTest {
+ @Test
+ public void trustAllHosts() throws Exception {
+ HttpsURLConnection connection = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection);
+
+ assertThat(connection.getHostnameVerifier()).isNotNull();
+ assertThat(connection.getHostnameVerifier().verify("foo", null)).isTrue();
+ }
+
+ @Test
+ public void singleHostnameVerifier() throws Exception {
+ HttpsURLConnection connection1 = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection1);
+ HttpsURLConnection connection2 = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection2);
+
+ assertThat(connection1.getHostnameVerifier()).isSameAs(connection2.getHostnameVerifier());
+ }
+
+ @Test
+ public void trustAllCerts() throws Exception {
+ HttpsURLConnection connection1 = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection1);
+
+ assertThat(connection1.getSSLSocketFactory()).isNotNull();
+ assertThat(connection1.getSSLSocketFactory().getDefaultCipherSuites()).isNotEmpty();
+ }
+
+ @Test
+ public void singleSslFactory() throws Exception {
+ HttpsURLConnection connection1 = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection1);
+ HttpsURLConnection connection2 = newHttpsConnection();
+ HttpsTrust.INSTANCE.trust(connection2);
+
+ assertThat(connection1.getSSLSocketFactory()).isSameAs(connection2.getSSLSocketFactory());
+ }
+
+ @Test
+ public void testAlwaysTrustManager() throws Exception {
+ HttpsTrust.AlwaysTrustManager manager = new HttpsTrust.AlwaysTrustManager();
+ assertThat(manager.getAcceptedIssuers()).isEmpty();
+ // does nothing
+ manager.checkClientTrusted(null, null);
+ manager.checkServerTrusted(null, null);
+ }
+
+ @Test
+ public void failOnError() throws Exception {
+ HttpsTrust.SslContext context = mock(HttpsTrust.SslContext.class);
+ KeyManagementException cause = new KeyManagementException("foo");
+ when(context.newFactory(any(TrustManager.class))).thenThrow(cause);
+
+ try {
+ new HttpsTrust(context);
+ fail();
+ } catch (IllegalStateException e) {
+ assertThat(e.getMessage()).isEqualTo("Fail to build SSL factory");
+ assertThat(e.getCause()).isSameAs(cause);
+ }
+ }
+
+ private HttpsURLConnection newHttpsConnection() throws IOException {
+ return (HttpsURLConnection) new URL("https://localhost").openConnection();
+ }
+}