Coverage Report

Coverage Report - org.owasp.dependencycheck.utils.URLConnectionFactory

Classes in this File

Line Coverage

Branch Coverage

Complexity

URLConnectionFactory

0/70

0/44

6.833

URLConnectionFactory$1

0/4

0/2

6.833

 /*
  * This file is part of dependency-check-core.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.utils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.IOException;
 import java.net.Authenticator;
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
 import java.net.PasswordAuthentication;
 import java.net.Proxy;
 import java.net.SocketAddress;
 import java.net.URL;
 import java.net.URLConnection;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import javax.net.ssl.HttpsURLConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
  * A URLConnection Factory to create new connections. This encapsulates several
  * configuration checks to ensure that the connection uses the correct proxy
  * settings.
  *
  * @author Jeremy Long
  */
 public final class URLConnectionFactory {
 
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(URLConnectionFactory.class);
 
     /**
      * Private constructor for this factory.
      */
     private URLConnectionFactory() {
     }
 
     /**
      * Utility method to create an HttpURLConnection. If the application is
      * configured to use a proxy this method will retrieve the proxy settings
      * and use them when setting up the connection.
      *
      * @param url the url to connect to
      * @return an HttpURLConnection
      * @throws URLConnectionFailureException thrown if there is an exception
      */
     @SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
     public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
         HttpURLConnection conn = null;
         final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
 
         try {
             if (proxyUrl != null && !matchNonProxy(url)) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
 
                 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
                 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
 
                 if (username != null && password != null) {
                     final Authenticator auth = new Authenticator() {
                         @Override
                         public PasswordAuthentication getPasswordAuthentication() {
                             if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
                                 return new PasswordAuthentication(username, password.toCharArray());
                             }
                             return super.getPasswordAuthentication();
                         }
                     };
                     Authenticator.setDefault(auth);
                 }
 
                 final Proxy proxy = new Proxy(Proxy.Type.HTTP, address);
                 conn = (HttpURLConnection) url.openConnection(proxy);
             } else {
                 conn = (HttpURLConnection) url.openConnection();
             }
             final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
             conn.setConnectTimeout(timeout);
             conn.setInstanceFollowRedirects(true);
         } catch (IOException ex) {
             if (conn != null) {
                 try {
                     conn.disconnect();
                 } finally {
                     conn = null;
                 }
             }
             throw new URLConnectionFailureException("Error getting connection.", ex);
         }
         configureTLS(url, conn);
         return conn;
     }
 
     /**
      * Check if hostname matches nonProxy settings
      *
      * @param url the url to connect to
      * @return matching result. true: match nonProxy
      */
     private static boolean matchNonProxy(final URL url) {
         final String host = url.getHost();
 
         // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
         final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
         if (null != nonProxyHosts) {
             final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
             for (final String nonProxyHost : nonProxies) {
                 //if ( StringUtils.contains( nonProxyHost, "*" ) )
                 if (null != nonProxyHost && nonProxyHost.contains("*")) {
                     // Handle wildcard at the end, beginning or middle of the nonProxyHost
                     final int pos = nonProxyHost.indexOf('*');
                     final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
                     final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
                     // prefix*
                     if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
                         return true;
                     }
                     // *suffix
                     if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
                         return true;
                     }
                     // prefix*suffix
                     if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
                             && host.endsWith(nonProxyHostSuffix)) {
                         return true;
                     }
                 } else if (host.equals(nonProxyHost)) {
                     return true;
                 }
             }
         }
         return false;
     }
 
     /**
      * Utility method to create an HttpURLConnection. The use of a proxy here is
      * optional as there may be cases where a proxy is configured but we don't
      * want to use it (for example, if there's an internal repository
      * configured)
      *
      * @param url the URL to connect to
      * @param proxy whether to use the proxy (if configured)
      * @return a newly constructed HttpURLConnection
      * @throws URLConnectionFailureException thrown if there is an exception
      */
     public static HttpURLConnection createHttpURLConnection(URL url, boolean proxy) throws URLConnectionFailureException {
         if (proxy) {
             return createHttpURLConnection(url);
         }
         HttpURLConnection conn = null;
         try {
             conn = (HttpURLConnection) url.openConnection();
             final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
             conn.setConnectTimeout(timeout);
             conn.setInstanceFollowRedirects(true);
         } catch (IOException ioe) {
             throw new URLConnectionFailureException("Error getting connection.", ioe);
         }
         configureTLS(url, conn);
         return conn;
     }
 
     /**
      * If the protocol is HTTPS, this will configure the cipher suites so that
      * connections can be made to the NVD, and others, using older versions of
      * Java.
      *
      * @param url the URL
      * @param conn the connection
      */
     private static void configureTLS(URL url, URLConnection conn) {
         if ("https".equals(url.getProtocol())) {
             try {
                 final HttpsURLConnection secCon = (HttpsURLConnection) conn;
                 final SSLSocketFactoryEx factory = new SSLSocketFactoryEx();
                 secCon.setSSLSocketFactory(factory);
             } catch (NoSuchAlgorithmException ex) {
                 LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
             } catch (KeyManagementException ex) {
                 LOGGER.debug("Key management exception in SSLSocketFactoryEx", ex);
             }
         }
     }
 }

1		/*
2		* This file is part of dependency-check-core.
3		*
4		* Licensed under the Apache License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.apache.org/licenses/LICENSE-2.0
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*
16		* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
17		*/
18		package org.owasp.dependencycheck.utils;
19
20		import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
21		import org.apache.commons.lang3.StringUtils;
22
23		import java.io.IOException;
24		import java.net.Authenticator;
25		import java.net.HttpURLConnection;
26		import java.net.InetSocketAddress;
27		import java.net.PasswordAuthentication;
28		import java.net.Proxy;
29		import java.net.SocketAddress;
30		import java.net.URL;
31		import java.net.URLConnection;
32		import java.security.KeyManagementException;
33		import java.security.NoSuchAlgorithmException;
34		import javax.net.ssl.HttpsURLConnection;
35		import org.slf4j.Logger;
36		import org.slf4j.LoggerFactory;
37
38		/**
39		* A URLConnection Factory to create new connections. This encapsulates several
40		* configuration checks to ensure that the connection uses the correct proxy
41		* settings.
42		*
43		* @author Jeremy Long
44		*/
45		public final class URLConnectionFactory {
46
47		/**
48		* The logger.
49		*/
50	0	private static final Logger LOGGER = LoggerFactory.getLogger(URLConnectionFactory.class);
51
52		/**
53		* Private constructor for this factory.
54		*/
55	0	private URLConnectionFactory() {
56	0	}
57
58		/**
59		* Utility method to create an HttpURLConnection. If the application is
60		* configured to use a proxy this method will retrieve the proxy settings
61		* and use them when setting up the connection.
62		*
63		* @param url the url to connect to
64		* @return an HttpURLConnection
65		* @throws URLConnectionFailureException thrown if there is an exception
66		*/
67		@SuppressFBWarnings(value = "RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE", justification = "Just being extra safe")
68		public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
69	0	HttpURLConnection conn = null;
70	0	final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
71
72		try {
73	0	if (proxyUrl != null && !matchNonProxy(url)) {
74	0	final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
75	0	final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
76
77	0	final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
78	0	final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
79
80	0	if (username != null && password != null) {
81	0	final Authenticator auth = new Authenticator() {
82		@Override
83		public PasswordAuthentication getPasswordAuthentication() {
84	0	if (getRequestorType().equals(Authenticator.RequestorType.PROXY)) {
85	0	return new PasswordAuthentication(username, password.toCharArray());
86		}
87	0	return super.getPasswordAuthentication();
88		}
89		};
90	0	Authenticator.setDefault(auth);
91		}
92
93	0	final Proxy proxy = new Proxy(Proxy.Type.HTTP, address);
94	0	conn = (HttpURLConnection) url.openConnection(proxy);
95	0	} else {
96	0	conn = (HttpURLConnection) url.openConnection();
97		}
98	0	final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
99	0	conn.setConnectTimeout(timeout);
100	0	conn.setInstanceFollowRedirects(true);
101	0	} catch (IOException ex) {
102	0	if (conn != null) {
103		try {
104	0	conn.disconnect();
105		} finally {
106	0	conn = null;
107	0	}
108		}
109	0	throw new URLConnectionFailureException("Error getting connection.", ex);
110	0	}
111	0	configureTLS(url, conn);
112	0	return conn;
113		}
114
115		/**
116		* Check if hostname matches nonProxy settings
117		*
118		* @param url the url to connect to
119		* @return matching result. true: match nonProxy
120		*/
121		private static boolean matchNonProxy(final URL url) {
122	0	final String host = url.getHost();
123
124		// code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
125	0	final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
126	0	if (null != nonProxyHosts) {
127	0	final String[] nonProxies = nonProxyHosts.split("(,)\|(;)\|(\\\|)");
128	0	for (final String nonProxyHost : nonProxies) {
129		//if ( StringUtils.contains( nonProxyHost, "*" ) )
130	0	if (null != nonProxyHost && nonProxyHost.contains("*")) {
131		// Handle wildcard at the end, beginning or middle of the nonProxyHost
132	0	final int pos = nonProxyHost.indexOf('*');
133	0	final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
134	0	final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
135		// prefix*
136	0	if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
137	0	return true;
138		}
139		// *suffix
140	0	if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
141	0	return true;
142		}
143		// prefix*suffix
144	0	if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
145	0	&& host.endsWith(nonProxyHostSuffix)) {
146	0	return true;
147		}
148	0	} else if (host.equals(nonProxyHost)) {
149	0	return true;
150		}
151		}
152		}
153	0	return false;
154		}
155
156		/**
157		* Utility method to create an HttpURLConnection. The use of a proxy here is
158		* optional as there may be cases where a proxy is configured but we don't
159		* want to use it (for example, if there's an internal repository
160		* configured)
161		*
162		* @param url the URL to connect to
163		* @param proxy whether to use the proxy (if configured)
164		* @return a newly constructed HttpURLConnection
165		* @throws URLConnectionFailureException thrown if there is an exception
166		*/
167		public static HttpURLConnection createHttpURLConnection(URL url, boolean proxy) throws URLConnectionFailureException {
168	0	if (proxy) {
169	0	return createHttpURLConnection(url);
170		}
171	0	HttpURLConnection conn = null;
172		try {
173	0	conn = (HttpURLConnection) url.openConnection();
174	0	final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT, 10000);
175	0	conn.setConnectTimeout(timeout);
176	0	conn.setInstanceFollowRedirects(true);
177	0	} catch (IOException ioe) {
178	0	throw new URLConnectionFailureException("Error getting connection.", ioe);
179	0	}
180	0	configureTLS(url, conn);
181	0	return conn;
182		}
183
184		/**
185		* If the protocol is HTTPS, this will configure the cipher suites so that
186		* connections can be made to the NVD, and others, using older versions of
187		* Java.
188		*
189		* @param url the URL
190		* @param conn the connection
191		*/
192		private static void configureTLS(URL url, URLConnection conn) {
193	0	if ("https".equals(url.getProtocol())) {
194		try {
195	0	final HttpsURLConnection secCon = (HttpsURLConnection) conn;
196	0	final SSLSocketFactoryEx factory = new SSLSocketFactoryEx();
197	0	secCon.setSSLSocketFactory(factory);
198	0	} catch (NoSuchAlgorithmException ex) {
199	0	LOGGER.debug("Unsupported algorithm in SSLSocketFactoryEx", ex);
200	0	} catch (KeyManagementException ex) {
201	0	LOGGER.debug("Key management exception in SSLSocketFactoryEx", ex);
202	0	}
203		}
204	0	}
205		}