SCANNERAPI-179 Upgrade OkHttpIO to 3.11.0

Recreation of certificates to make them works

Author: ehartmann

api/src/main/java/org/sonarsource/scanner/api/internal/OkHttpClientFactory.java

@@ -40,6 +40,7 @@
 import okhttp3.ConnectionSpec;
 import okhttp3.Credentials;
 import okhttp3.OkHttpClient;
+import okhttp3.internal.tls.OkHostnameVerifier;
 import org.sonarsource.scanner.api.internal.cache.Logger;
 
 import static java.util.Arrays.asList;
@@ -68,8 +69,10 @@ static OkHttpClient create(Logger logger) {
       .supportsTlsExtensions(true)
       .build();
     okHttpClientBuilder.connectionSpecs(asList(tls, ConnectionSpec.CLEARTEXT));
+
     X509TrustManager systemDefaultTrustManager = systemDefaultTrustManager();
     okHttpClientBuilder.sslSocketFactory(systemDefaultSslSocketFactory(systemDefaultTrustManager, logger), systemDefaultTrustManager);
+    okHttpClientBuilder.hostnameVerifier(OkHostnameVerifier.INSTANCE);
 
     // OkHttp detect 'http.proxyHost' java property, but credentials should be filled
     final String proxyUser = System.getProperty("http.proxyUser", "");
@@ -148,6 +151,8 @@ private static synchronized KeyManager[] getDefaultKeyManager(Logger logger) {
       logger.debug("init keymanager of type " + KeyManagerFactory.getDefaultAlgorithm());
       KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
 
+      // FIXME : The password for opening keys inside the JKS is not mandatory to be the same
+      // as opening the JKS KeyStore
       if (P11KEYSTORE.equals(defaultKeyStoreType)) {
         // do not pass key passwd if using token
         kmf.init(ks, null);

api/src/test/java/org/sonarsource/scanner/api/internal/OkHttpClientFactoryTest.java

@@ -19,21 +19,58 @@
  */
 package org.sonarsource.scanner.api.internal;
 
-import okhttp3.ConnectionSpec;
-import okhttp3.OkHttpClient;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.net.URISyntaxException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.KeyStore;
+import java.security.SecureRandom;
 import java.util.List;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLHandshakeException;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+import okhttp3.ConnectionSpec;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.Response;
+import okhttp3.mockwebserver.Dispatcher;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.experimental.theories.DataPoint;
+import org.junit.experimental.theories.Theories;
+import org.junit.experimental.theories.Theory;
+import org.junit.rules.ExpectedException;
+import org.junit.runner.RunWith;
 import org.sonarsource.scanner.api.internal.cache.Logger;
 
+import static java.lang.String.format;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.fail;
 import static org.mockito.Mockito.mock;
 
+@RunWith(Theories.class)
 public class OkHttpClientFactoryTest {
 
+  @DataPoint
+  public static final String KEYSTORE_CLIENT_WITH_CA = "/client-with-ca.jks";
+  @DataPoint
+  public static final String KEYSTORE_CLIENT_WITH_CERTIFICATE = "/client-with-certificate.jks";
+
+  private static final String KEYSTORE_PASSWORD = "abcdef";
+  private static final String KEYSTORE_FILE = "/server.jks";
+  private static final Logger logger = mock(Logger.class);
+
+  @Rule
+  public ExpectedException expectedException = ExpectedException.none();
+
   @Test
   public void support_tls_versions_of_java8() {
-    Logger logger = mock(Logger.class);
     OkHttpClient underTest = OkHttpClientFactory.create(logger);
 
     assertTlsAndClearTextSpecifications(underTest);
@@ -52,4 +89,111 @@ private void assertTlsAndClearTextSpecifications(OkHttpClient client) {
     assertThat(connectionSpecs.get(1).tlsVersions()).isNull();
     assertThat(connectionSpecs.get(1).isTls()).isFalse();
   }
+
+  @Test
+  public void test_with_external_http_server() throws IOException {
+    Response response = call("http://www.google.com");
+    assertThat(response.code()).isEqualTo(200);
+    assertThat(response.body().string()).contains("doctype html");
+  }
+
+  @Test
+  public void test_with_external_https_server_with_correct_certificate() throws IOException {
+    Response response = call("https://www.google.com");
+    assertThat(response.code()).isEqualTo(200);
+    assertThat(response.body().string()).contains("doctype html");
+  }
+
+  @Theory
+  public void when_overriding_truststore_known_websites_are_failing(String clientKeyStore) throws IOException, URISyntaxException {
+    try {
+      Path clientTruststore = Paths.get(getClass().getResource(clientKeyStore).toURI()).toAbsolutePath();
+      System.setProperty("javax.net.ssl.trustStore", clientTruststore.toString());
+      System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
+
+      expectedException.expect(SSLHandshakeException.class);
+      call("https://www.google.com");
+    } finally {
+      // Ensure to not keeping this property for other tests
+      System.clearProperty("javax.net.ssl.trustStore");
+      System.clearProperty("javax.net.ssl.trustStorePassword");
+    }
+  }
+
+  @Theory
+  public void test_with_custom_https_server(String clientKeyStore) throws Exception {
+    try (MockWebServer server = buildTLSServer()) {
+      String url = format("https://localhost:%d/", server.getPort());
+
+      // First test without any truststore is expecting to fail
+      try {
+        call(url);
+        fail("Must have failed with an IOException");
+      } catch (IOException e) {
+        assertThat(e).hasMessageContaining("unable to find valid certification path to requested target");
+      }
+
+      // Add the truststore
+      Path clientTruststore = Paths.get(getClass().getResource(clientKeyStore).toURI()).toAbsolutePath();
+      System.setProperty("javax.net.ssl.trustStore", clientTruststore.toString());
+      System.setProperty("javax.net.ssl.trustStorePassword", KEYSTORE_PASSWORD);
+
+      Response response = call(url);
+      assertThat(response.code()).isEqualTo(200);
+      assertThat(response.body().string()).contains("OK");
+    } finally {
+      // Ensure to not keeping this property for other tests
+      System.clearProperty("javax.net.ssl.trustStore");
+      System.clearProperty("javax.net.ssl.trustStorePassword");
+    }
+  }
+
+  private static Response call(String url) throws IOException {
+    return OkHttpClientFactory.create(logger).newCall(
+      new Request.Builder()
+        .url(url)
+        .get()
+        .build())
+      .execute();
+  }
+
+  /**
+   * Build a MockWebServer with a dispatcher always sending 200 response with OK
+   * This webserver will use respond only to https protocol
+   */
+  private MockWebServer buildTLSServer() throws Exception {
+    MockWebServer server = new MockWebServer();
+    server.setDispatcher(new Dispatcher() {
+      @Override
+      public MockResponse dispatch(RecordedRequest request) {
+        return new MockResponse().setResponseCode(200).setBody("OK");
+      }
+    });
+
+    // JKS file storing the private key and TLS certificate
+    Path serverCertificate = Paths.get(getClass().getResource(KEYSTORE_FILE).toURI()).toAbsolutePath();
+
+    // Load the KeyStore
+    KeyStore serverKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+    FileInputStream stream = new FileInputStream(serverCertificate.toFile());
+    serverKeyStore.load(stream, KEYSTORE_PASSWORD.toCharArray());
+
+    // Load the KeyManager from the KeyStore
+    String kmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
+    KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
+    kmf.init(serverKeyStore, "".toCharArray());
+
+    // Add the "Keys" (ie. private key and TLS certificate to the TrustManager
+    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(kmfAlgorithm);
+    trustManagerFactory.init(serverKeyStore);
+
+    // Create the SocketFactory using the TrustManager so the private key and certificate
+    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
+    sslContext.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
+
+    // Let's use it for the WebServer
+    server.useHttps(sslContext.getSocketFactory(), false);
+
+    return server;
+  }
 }

api/src/test/resources/README.md

@@ -0,0 +1,2 @@
+Those files are copied from its/it-test/src/test/resources/SSLTest.
+Symlink are not used because they will make tests failing.

api/src/test/resources/client-with-ca.jks

@@ -47,22 +47,29 @@
 import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Test;
+import org.junit.experimental.theories.DataPoint;
+import org.junit.experimental.theories.Theories;
+import org.junit.experimental.theories.Theory;
+import org.junit.runner.RunWith;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+@RunWith(Theories.class)
 public class SSLTest {
 
-  private static final String CLIENT_KEYSTORE = "/SSLTest/clientkeystore.jks";
-  private static final String CLIENT_KEYSTORE_PWD = "clientp12pwd";
+  private static final String JKS_PASSWORD = "abcdef";
 
-  private static final String CLIENT_TRUSTSTORE = "/SSLTest/clienttruststore.jks";
-  private static final String CLIENT_TRUSTSTORE_PWD = "clienttruststorepwd";
+  // This truststore contains only the CA used to sign the server certificate
+  @DataPoint
+  public static final String CLIENT_TRUSTSTORE_WITH_CA = "/SSLTest/client-with-ca.jks";
 
-  private static final String SERVER_TRUSTSTORE = "/SSLTest/servertruststore.jks";
-  private static final String SERVER_TRUSTSTORE_PWD = "servertruststorepwd";
+  // This truststore contains only the server certificate
+  @DataPoint
+  public static final String CLIENT_TRUSTSTORE_WITH_CERTIFICATE = "/SSLTest/client-with-certificate.jks";
 
-  private static final String SERVER_KEYSTORE = "/SSLTest/serverkeystore.jks";
-  private static final String SERVER_KEYSTORE_PWD = "serverkeystorepwd";
+  private static final String SERVER_TRUSTSTORE = "/SSLTest/server-with-client-ca.jks";
+  private static final String SERVER_KEYSTORE = "/SSLTest/server.jks";
+  private static final String CLIENT_KEYSTORE = "/SSLTest/client.jks";
 
   private static Server server;
   private static int httpsPort;
@@ -109,18 +116,19 @@ private static void startSSLTransparentReverseProxy(boolean requireClientAuth) t
     server.addConnector(http);
 
     Path serverKeyStore = Paths.get(SSLTest.class.getResource(SERVER_KEYSTORE).toURI()).toAbsolutePath();
-    String serverKeyPassword = "serverp12pwd";
-    Path serverTrustStore = Paths.get(SSLTest.class.getResource(SERVER_TRUSTSTORE).toURI()).toAbsolutePath();
     assertThat(serverKeyStore).exists();
-    assertThat(serverTrustStore).exists();
 
     // SSL Context Factory
     SslContextFactory sslContextFactory = new SslContextFactory();
     sslContextFactory.setKeyStorePath(serverKeyStore.toString());
-    sslContextFactory.setKeyStorePassword(SERVER_KEYSTORE_PWD);
-    sslContextFactory.setKeyManagerPassword(serverKeyPassword);
-    sslContextFactory.setTrustStorePath(serverTrustStore.toString());
-    sslContextFactory.setTrustStorePassword(SERVER_TRUSTSTORE_PWD);
+    sslContextFactory.setKeyStorePassword(JKS_PASSWORD);
+    sslContextFactory.setKeyManagerPassword("");
+    if (  requireClientAuth) {
+      Path serverTrustStore = Paths.get(SSLTest.class.getResource(SERVER_TRUSTSTORE).toURI()).toAbsolutePath();
+      sslContextFactory.setTrustStorePath(serverTrustStore.toString());
+      assertThat(serverTrustStore).exists();
+      sslContextFactory.setTrustStorePassword(JKS_PASSWORD);
+    }
     sslContextFactory.setNeedClientAuth(requireClientAuth);
     sslContextFactory.setExcludeCipherSuites("SSL_RSA_WITH_DES_CBC_SHA",
       "SSL_DHE_RSA_WITH_DES_CBC_SHA",
@@ -165,41 +173,67 @@ public void simple_analysis_with_server_and_client_certificate() throws Exceptio
     assertThat(buildResult.getLastStatus()).isNotEqualTo(0);
     assertThat(buildResult.getLogs()).contains("javax.net.ssl.SSLHandshakeException");
 
-    Path clientTruststore = Paths.get(SSLTest.class.getResource(CLIENT_TRUSTSTORE).toURI()).toAbsolutePath();
+    Path clientTruststore = Paths.get(SSLTest.class.getResource(CLIENT_TRUSTSTORE_WITH_CA).toURI()).toAbsolutePath();
     assertThat(clientTruststore).exists();
     Path clientKeystore = Paths.get(SSLTest.class.getResource(CLIENT_KEYSTORE).toURI()).toAbsolutePath();
     assertThat(clientKeystore).exists();
 
     Map<String, String> params = new HashMap<>();
+    // In the truststore we have the CA allowing to connect to local TLS server
     params.put("javax.net.ssl.trustStore", clientTruststore.toString());
-    params.put("javax.net.ssl.trustStorePassword", CLIENT_TRUSTSTORE_PWD);
+    params.put("javax.net.ssl.trustStorePassword", JKS_PASSWORD);
+    // The KeyStore is storing the certificate to identify the user
     params.put("javax.net.ssl.keyStore", clientKeystore.toString());
-    params.put("javax.net.ssl.keyStorePassword", CLIENT_KEYSTORE_PWD);
+    params.put("javax.net.ssl.keyStorePassword", JKS_PASSWORD);
 
     buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort, params);
     assertThat(buildResult.getLastStatus()).isEqualTo(0);
   }
 
+  @Test
+  public void simple_analysis_with_server_and_without_client_certificate_is_failing() throws Exception {
+    startSSLTransparentReverseProxy(true);
+    SimpleScanner scanner = new SimpleScanner();
+    BuildResult buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort);
+
+    assertThat(buildResult.getLastStatus()).isNotEqualTo(0);
+    assertThat(buildResult.getLogs()).contains("javax.net.ssl.SSLHandshakeException");
+
+    Path clientTruststore = Paths.get(SSLTest.class.getResource(CLIENT_TRUSTSTORE_WITH_CA).toURI()).toAbsolutePath();
+    assertThat(clientTruststore).exists();
+    Path clientKeystore = Paths.get(SSLTest.class.getResource(CLIENT_KEYSTORE).toURI()).toAbsolutePath();
+    assertThat(clientKeystore).exists();
+
+    Map<String, String> params = new HashMap<>();
+    // In the truststore we have the CA allowing to connect to local TLS server
+    params.put("javax.net.ssl.trustStore", clientTruststore.toString());
+    params.put("javax.net.ssl.trustStorePassword", JKS_PASSWORD);
+    // Voluntary missing client keystore
+
+    buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort, params);
+    assertThat(buildResult.getLastStatus()).isEqualTo(1);
+    assertThat(buildResult.getLogs()).contains("bad_certificate");
+  }
+
   private static Path project(String projectName) {
     return Paths.get("..", "projects", projectName);
   }
 
-  @Test
-  public void simple_analysis_with_server_certificate() throws Exception {
+  @Theory
+  public void simple_analysis_with_server_certificate(String clientTrustStore) throws Exception {
     startSSLTransparentReverseProxy(false);
     SimpleScanner scanner = new SimpleScanner();
 
     BuildResult buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort);
     assertThat(buildResult.getLastStatus()).isNotEqualTo(0);
     assertThat(buildResult.getLogs()).contains("javax.net.ssl.SSLHandshakeException");
 
-    Path clientTruststore = Paths.get(SSLTest.class.getResource(CLIENT_TRUSTSTORE).toURI()).toAbsolutePath();
-    String truststorePassword = CLIENT_TRUSTSTORE_PWD;
+    Path clientTruststore = Paths.get(SSLTest.class.getResource(clientTrustStore).toURI()).toAbsolutePath();
     assertThat(clientTruststore).exists();
 
     Map<String, String> params = new HashMap<>();
     params.put("javax.net.ssl.trustStore", clientTruststore.toString());
-    params.put("javax.net.ssl.trustStorePassword", truststorePassword);
+    params.put("javax.net.ssl.trustStorePassword", JKS_PASSWORD);
 
     buildResult = scanner.executeSimpleProject(project("js-sample"), "https://localhost:" + httpsPort, params);
     assertThat(buildResult.getLastStatus()).isEqualTo(0);