authorDuarte Meneses <duarte.meneses@sonarsource.com>2016-12-08 14:52:15 +0100
committerDuarte Meneses <duarte.meneses@sonarsource.com>2016-12-08 15:08:40 +0100
commit546ca86ea7e9a0760d5e1a266e14aa5c5f92bc5c (patch)
tree7bbae9daa3ec2160b7399b748880f3b6f1daeb64 /sonar-ws
parent0c94c4806ef2c3e918a8da52337d0d838b299459 (diff)
SONAR-8522 Support custom SSLSocketFactory and TrustManager
Diffstat (limited to 'sonar-ws')
-rw-r--r--sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java25
-rw-r--r--sonar-ws/src/main/java/org/sonarqube/ws/client/OkHttpClientBuilder.java26
-rw-r--r--sonar-ws/src/test/java/org/sonarqube/ws/client/OkHttpClientBuilderTest.java13
3 files changed, 62 insertions, 2 deletions
diff --git a/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java b/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
index 47e756defc3..3d93191f9c6 100644
--- a/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
+++ b/sonar-ws/src/main/java/org/sonarqube/ws/client/HttpConnector.java
@@ -23,6 +23,9 @@ import java.io.IOException;
import java.net.Proxy;
import java.util.Map;
import javax.annotation.Nullable;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.X509TrustManager;
+
import okhttp3.Call;
import okhttp3.Credentials;
import okhttp3.Headers;
@@ -77,6 +80,8 @@ public class HttpConnector implements WsConnector {
okHttpClientBuilder.setProxyPassword(builder.proxyPassword);
okHttpClientBuilder.setConnectTimeoutMs(builder.connectTimeoutMs);
okHttpClientBuilder.setReadTimeoutMs(builder.readTimeoutMs);
+ okHttpClientBuilder.setSSLSocketFactory(builder.sslSocketFactory);
+ okHttpClientBuilder.setTrustManager(builder.sslTrustManager);
this.okHttpClient = okHttpClientBuilder.build();
}
@@ -178,6 +183,8 @@ public class HttpConnector implements WsConnector {
private String proxyPassword;
private int connectTimeoutMs = DEFAULT_CONNECT_TIMEOUT_MILLISECONDS;
private int readTimeoutMs = DEFAULT_READ_TIMEOUT_MILLISECONDS;
+ private SSLSocketFactory sslSocketFactory = null;
+ private X509TrustManager sslTrustManager = null;
/**
* Private since 5.5.
@@ -228,6 +235,24 @@ public class HttpConnector implements WsConnector {
this.connectTimeoutMs = i;
return this;
}
+
+ /**
+ * Optional SSL socket factory with which SSL sockets will be created to establish SSL connections.
+ * If not set, a default SSL socket factory will be used, base d on the JVM's default key store.
+ */
+ public Builder setSSLSocketFactory(@Nullable SSLSocketFactory sslSocketFactory) {
+ this.sslSocketFactory = sslSocketFactory;
+ return this;
+ }
+
+ /**
+ * Optional SSL trust manager used to validate certificates.
+ * If not set, a default system trust manager will be used, based on the JVM's default truststore.
+ */
+ public Builder setTrustManager(@Nullable X509TrustManager sslTrustManager) {
+ this.sslTrustManager = sslTrustManager;
+ return this;
+ }
/**
* Sets the read timeout to a specified timeout, in milliseconds.
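Review bot: The Javadoc on `setTrustManager` does not say that the supplied manager replaces the JVM's default certificate validation for every request made through this connector, so an implementation that accepts any chain silently disables server authentication. I would add a sentence such as `The given trust manager fully replaces default certificate validation and must reject untrusted chains.` The `setSSLSocketFactory` Javadoc has a typo (`base d on` should read `based on`) and should state that a custom factory is expected to be supplied together with the trust manager it was created from. The same two comments are repeated in the OkHttpClientBuilder.java hunk at `@@ -76,6 +78,24 @@` and need the same wording.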
diff --git a/sonar-ws/src/main/java/org/sonarqube/ws/client/OkHttpClientBuilder.java b/sonar-ws/src/main/java/org/sonarqube/ws/client/OkHttpClientBuilder.java
index fafdd706941..313bba0eadc 100644
--- a/sonar-ws/src/main/java/org/sonarqube/ws/client/OkHttpClientBuilder.java
+++ b/sonar-ws/src/main/java/org/sonarqube/ws/client/OkHttpClientBuilder.java
@@ -65,6 +65,8 @@ public class OkHttpClientBuilder {
private String proxyPassword;
private long connectTimeoutMs = -1;
private long readTimeoutMs = -1;
+ private SSLSocketFactory sslSocketFactory = null;
+ private X509TrustManager sslTrustManager = null;
/**
* Optional User-Agent. If set, then all the requests sent by the
@@ -76,6 +78,24 @@ public class OkHttpClientBuilder {
}
/**
+ * Optional SSL socket factory with which SSL sockets will be created to establish SSL connections.
+ * If not set, a default SSL socket factory will be used, base d on the JVM's default key store.
+ */
+ public OkHttpClientBuilder setSSLSocketFactory(@Nullable SSLSocketFactory sslSocketFactory) {
+ this.sslSocketFactory = sslSocketFactory;
+ return this;
+ }
+
+ /**
+ * Optional SSL trust manager used to validate certificates.
+ * If not set, a default system trust manager will be used, based on the JVM's default truststore.
+ */
+ public OkHttpClientBuilder setTrustManager(@Nullable X509TrustManager sslTrustManager) {
+ this.sslTrustManager = sslTrustManager;
+ return this;
+ }
+
+ /**
* Optional proxy. If set, then all the requests sent by the
* {@link OkHttpClient} will reach the proxy. If not set,
* then the system-wide proxy is used.
@@ -144,8 +164,10 @@ public class OkHttpClientBuilder {
.supportsTlsExtensions(true)
.build();
builder.connectionSpecs(asList(tls, ConnectionSpec.CLEARTEXT));
- X509TrustManager systemDefaultTrustManager = systemDefaultTrustManager();
- builder.sslSocketFactory(systemDefaultSslSocketFactory(systemDefaultTrustManager), systemDefaultTrustManager);
+
+ X509TrustManager trustManager = sslTrustManager != null ? sslTrustManager : systemDefaultTrustManager();
+ SSLSocketFactory sslFactory = sslSocketFactory != null ? sslSocketFactory : systemDefaultSslSocketFactory(trustManager);
+ builder.sslSocketFactory(sslFactory, trustManager);
return builder.build();
}
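Review bot: When only `sslSocketFactory` is set, the new code passes the caller's factory together with `systemDefaultTrustManager()` to `builder.sslSocketFactory(...)`, so the two can be derived from different trust material. OkHttp's two-argument overload expects the trust manager that backs the factory (it is used to clean certificate chains, for example when pinning is configured), so a mismatched pair may validate differently from what the factory enforces. Consider rejecting the half-configured case, e.g. `if (sslSocketFactory != null && sslTrustManager == null) throw new IllegalArgumentException("A trust manager must be set together with a custom SSLSocketFactory");`, or at least documenting the requirement on both setters. `build()` starts outside this hunk, so any earlier handling is not visible here.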
diff --git a/sonar-ws/src/test/java/org/sonarqube/ws/client/OkHttpClientBuilderTest.java b/sonar-ws/src/test/java/org/sonarqube/ws/client/OkHttpClientBuilderTest.java
index a96e7a35888..f4ed7eb9267 100644
--- a/sonar-ws/src/test/java/org/sonarqube/ws/client/OkHttpClientBuilderTest.java
+++ b/sonar-ws/src/test/java/org/sonarqube/ws/client/OkHttpClientBuilderTest.java
@@ -25,6 +25,9 @@ import org.junit.Test;
import org.junit.rules.ExpectedException;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+
+import javax.net.ssl.SSLSocketFactory;
public class OkHttpClientBuilderTest {
@@ -43,6 +46,16 @@ public class OkHttpClientBuilderTest {
}
@Test
+ public void build_with_custom_sslSocketFactory() {
+ SSLSocketFactory sslSocketFactory = mock(SSLSocketFactory.class);
+ OkHttpClient okHttpClient = underTest
+ .setSSLSocketFactory(sslSocketFactory)
+ .build();
+
+ assertThat(okHttpClient.sslSocketFactory()).isEqualTo(sslSocketFactory);
+ }
+
+ @Test
public void build_throws_IAE_if_connect_timeout_is_negative() {
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Connect timeout must be positive. Got -10");
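Review bot: The added test covers only `setSSLSocketFactory`; `setTrustManager` and the pass-through in `HttpConnector.Builder` have no test in this commit. The test also exercises the factory-only configuration, where a mocked factory is paired with the system default trust manager, so it would not notice a mismatched pair. A companion test that sets both values and asserts that `build()` succeeds would cover the new `sslTrustManager != null` branch. `build_throws_IAE_if_connect_timeout_is_negative` continues outside the hunk.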