authorChristian Halstrick2015-03-26 13:58:04 +0000
committerMatthias Sohn2015-03-26 16:47:47 +0000
commit8f24faba297f19807ea308090aac06a5d1135e79 (patch)
treeecb0229a68e6ea4eac005da1ebf107036e4acfd0
parentaa0ff9296db8122230f8b4978102da24bcb66ff6 (diff)
Fix ConfigureGerrit Task to respect http.sslVerify config parameter
The ConfigureGerritAfterCloneTask opens an HttpURLConnection to talk to the REST API of a potential Gerrit server. If this is a connection for the https protocol and the repository has http.sslVerify configured to false, then this task should respect this and accept connections to servers whose certificates can't be validated. Bug: 456904 Change-Id: I730446d100422e677caa5cd958104666c0833960 Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
-rw-r--r--org.eclipse.egit.core/src/org/eclipse/egit/core/NetUtil.java83
-rw-r--r--org.eclipse.egit.core/src/org/eclipse/egit/core/op/ConfigureGerritAfterCloneTask.java10
2 files changed, 91 insertions, 2 deletions
diff --git a/org.eclipse.egit.core/src/org/eclipse/egit/core/NetUtil.java b/org.eclipse.egit.core/src/org/eclipse/egit/core/NetUtil.java
new file mode 100644
index 0000000000..e2e0406dc7
--- /dev/null
+++ b/org.eclipse.egit.core/src/org/eclipse/egit/core/NetUtil.java
@@ -0,0 +1,83 @@
+/*******************************************************************************
+ * Copyright (C) 2015, Christian Halstrick <christian.halstrick@sap.com>
+ *
+ * All rights reserved. This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License v1.0 which
+ * accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *******************************************************************************/
+package org.eclipse.egit.core;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.eclipse.jgit.lib.Repository;
+
+/**
+ * Networking utilities
+ */
+public class NetUtil {
+
+ private static TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
+ public X509Certificate[] getAcceptedIssuers() {
+ return null;
+ }
+
+ public void checkClientTrusted(X509Certificate[] certs, String authType) {
+ // no check
+ }
+
+ public void checkServerTrusted(X509Certificate[] certs, String authType) {
+ // no check
+ }
+ } };
+
+ private static HostnameVerifier trustAllHostNames = new HostnameVerifier() {
+ public boolean verify(String hostname, SSLSession session) {
+ // always accept
+ return true;
+ }
+ };
+
+ /**
+ * Configures a {@link HttpURLConnection} according to the value of the
+ * repositories configuration parameter "http.sslVerify". When this value is
+ * false and when the URL is for the "https" protocol then all hostnames are
+ * accepted and certificates are also accepted when they can't be validated
+ *
+ * @param repo
+ * the repository to be asked for the configuration parameter
+ * http.sslVerify
+ * @param conn
+ * the connection to be configured
+ * @throws IOException
+ */
+ public static void setSslVerification(Repository repo,
+ HttpURLConnection conn) throws IOException {
+ if ("https".equals(conn.getURL().getProtocol())) { //$NON-NLS-1$
+ HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
+ if (!repo.getConfig().getBoolean("http", "sslVerify", true)) { //$NON-NLS-1$ //$NON-NLS-2$
+ try {
+ SSLContext ctx = SSLContext.getInstance("TLS"); //$NON-NLS-1$
+ ctx.init(null, trustAllCerts, null);
+ httpsConn.setSSLSocketFactory(ctx.getSocketFactory());
+ httpsConn.setHostnameVerifier(trustAllHostNames);
+ } catch (KeyManagementException e) {
+ throw new IOException(e.getMessage());
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException(e.getMessage());
+ }
+ }
+ }
+ }
+}
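Review bot: `getAcceptedIssuers()` in the anonymous trust manager returns `null`, but the `X509TrustManager` contract calls for a non-null, possibly empty array; `return new X509Certificate[0];` is the safe form. In `setSslVerification`, both catch blocks rethrow with `new IOException(e.getMessage())`, which drops the original exception; `throw new IOException(e.getMessage(), e);` keeps the cause. This branch switches off certificate-chain and hostname checks together and logs nothing, so a line such as `Activator.logInfo(...)` naming the URL host would make the downgrade visible to anyone auditing why a connection was accepted. `trustAllCerts` and `trustAllHostNames` are never reassigned in this file and could be `private static final`.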
diff --git a/org.eclipse.egit.core/src/org/eclipse/egit/core/op/ConfigureGerritAfterCloneTask.java b/org.eclipse.egit.core/src/org/eclipse/egit/core/op/ConfigureGerritAfterCloneTask.java
index 48fc3ab6dd..7ce6be3096 100644
--- a/org.eclipse.egit.core/src/org/eclipse/egit/core/op/ConfigureGerritAfterCloneTask.java
+++ b/org.eclipse.egit.core/src/org/eclipse/egit/core/op/ConfigureGerritAfterCloneTask.java
@@ -19,6 +19,7 @@ import java.net.URL;
import org.eclipse.core.runtime.CoreException;
import org.eclipse.core.runtime.IProgressMonitor;
import org.eclipse.egit.core.Activator;
+import org.eclipse.egit.core.NetUtil;
import org.eclipse.egit.core.internal.gerrit.GerritUtil;
import org.eclipse.egit.core.op.CloneOperation.PostCloneTask;
import org.eclipse.jgit.lib.Constants;
@@ -80,7 +81,7 @@ public class ConfigureGerritAfterCloneTask implements PostCloneTask {
public void execute(Repository repository, IProgressMonitor monitor)
throws CoreException {
try {
- if (isGerrit()) {
+ if (isGerrit(repository)) {
Activator.logInfo(uri
+ " was detected to be hosted by a Gerrit server"); //$NON-NLS-1$
configureGerrit(repository);
@@ -99,12 +100,16 @@ public class ConfigureGerritAfterCloneTask implements PostCloneTask {
* /rest-api-config.html#get-version">Gerrit 2.11 Get Version REST
* endpoint</a>
*
+ * @param repo
+ * the repository to be configured
+ *
* @return {@code true} if the repository is hosted on a Gerrit server
* @throws IOException
* @throws MalformedURLException
* @throws URISyntaxException
*/
- private boolean isGerrit() throws MalformedURLException, IOException,
+ private boolean isGerrit(Repository repo) throws MalformedURLException,
+ IOException,
URISyntaxException {
URIish u = new URIish(uri);
final String s = u.getScheme();
@@ -133,6 +138,7 @@ public class ConfigureGerritAfterCloneTask implements PostCloneTask {
httpConnection = (HttpURLConnection) new URL(baseURL
+ tmpPath + GERRIT_CONFIG_SERVER_VERSION_API)
.openConnection();
+ NetUtil.setSslVerification(repo, httpConnection);
httpConnection.setRequestMethod("GET"); //$NON-NLS-1$
httpConnection.setReadTimeout(1000 * timeout);
int responseCode = httpConnection.getResponseCode();
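Review bot: When `http.sslVerify` is false, the `getResponseCode()` result read just after the new `NetUtil.setSslVerification(repo, httpConnection)` call comes from a server whose identity was not checked. That result presumably feeds the Gerrit-detection decision that leads to `configureGerrit(repository)`. A short comment at the call would record this, e.g. `// honours http.sslVerify=false: the response below may then come from an unauthenticated server`. The body of `isGerrit` starts and ends outside this hunk, so how the response code is used is not visible here.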
