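/*
 * RHQ Management Platform
 * Copyright (C) 2005-2014 Red Hat, Inc.
 * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation version 2 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
 */
package org.rhq.modules.plugins.jbossas7;

import static org.apache.http.conn.ssl.SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
import static org.apache.http.conn.ssl.SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
import static org.apache.http.conn.ssl.SSLSocketFactory.STRICT_HOSTNAME_VERIFIER;
import static org.rhq.modules.plugins.jbossas7.ASConnection.HTTPS_SCHEME;
import static org.rhq.modules.plugins.jbossas7.ASConnection.HTTP_SCHEME;
import static org.rhq.modules.plugins.jbossas7.util.SecurityUtil.loadKeystore;

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.ssl.X509HostnameVerifier;

/**
 * Helper class which creates Apache HTTP Client 4.x {@link SchemeRegistry} instances.
 * <p>
 * The registry holds exactly one scheme, chosen from the {@link ASConnectionParams} handed to the
 * constructor: plain HTTP, or HTTPS with the configured truststore, optional client-certificate
 * keystore, trust strategy and hostname verification.
 * <p>
 * Two of the configurable options weaken TLS server authentication and should be treated as
 * deliberate, reviewed choices: a {@code TRUST_ANY} trust strategy accepts every server certificate
 * chain (the truststore is then irrelevant), and {@code SKIP} hostname verification accepts a valid
 * certificate issued for any host. Either setting leaves the management connection open to
 * interception by whoever can answer on the network path.
 *
 * @author Thomas Segismont
 */
class SchemeRegistryBuilder {

    private static final TrustSelfSignedStrategy TRUST_SELF_SIGNED_STRATEGY = new TrustSelfSignedStrategy();
    private static final TrustAnyStrategy TRUST_ANY_STRATEGY = new TrustAnyStrategy();

    private final ASConnectionParams asConnectionParams;

    /**
     * @param asConnectionParams connection settings (port, secure flag, truststore/keystore locations,
     *                           trust strategy and hostname verification mode) the registry is built from
     */
    public SchemeRegistryBuilder(ASConnectionParams asConnectionParams) {
        this.asConnectionParams = asConnectionParams;
    }

    /**
     * Builds a registry with a single scheme on the configured port.
     *
     * @return a registry holding an HTTPS scheme when {@link ASConnectionParams#isSecure()} is true,
     *         otherwise a plain HTTP scheme
     * @throws RuntimeException if the truststore or keystore cannot be loaded or the SSL socket
     *                          factory cannot be created; the original exception is the cause
     */
    public SchemeRegistry buildSchemeRegistry() {
        SchemeRegistry schemeRegistry = new SchemeRegistry();
        if (asConnectionParams.isSecure()) {
            SSLSocketFactory sslSocketFactory = createSslSocketFactory();
            schemeRegistry.register(new Scheme(HTTPS_SCHEME, asConnectionParams.getPort(), sslSocketFactory));
        } else {
            schemeRegistry.register(new Scheme(HTTP_SCHEME, asConnectionParams.getPort(),
                PlainSocketFactory.getSocketFactory()));
        }
        return schemeRegistry;
    }

    /**
     * Creates the SSL socket factory from the configured truststore, optional client keystore,
     * trust strategy and hostname verifier.
     */
    private SSLSocketFactory createSslSocketFactory() {
        try {
            KeyStore truststore = loadTruststore();
            KeyStore keystore = null;
            String keyPassword = null;
            if (asConnectionParams.isClientcertAuthentication()) {
                if (asConnectionParams.getKeystore() == null) {
                    // No explicit keystore: fall back to the JVM-wide javax.net.ssl.* properties.
                    keystore = loadKeystore( //
                        System.getProperty("javax.net.ssl.keyStoreType", KeyStore.getDefaultType()), //
                        System.getProperty("javax.net.ssl.keyStore"), //
                        System.getProperty("javax.net.ssl.keyStorePassword") //
                    );
                    // NOTE(review): keyPassword stays null on this path, so a private key protected by
                    // a password different from the keystore password may not be usable — confirm.
                } else {
                    keystore = loadKeystore( //
                        asConnectionParams.getKeystoreType(), //
                        asConnectionParams.getKeystore(), //
                        asConnectionParams.getKeystorePassword() //
                    );
                    keyPassword = asConnectionParams.getKeyPassword();
                }
            }
            // Positional HttpClient 4.x constructor: (algorithm, keystore, keyPassword, truststore,
            // random, trustStrategy, hostnameVerifier). A null trust strategy (STANDARD) leaves
            // chain validation to the default JSSE trust managers over the supplied truststore.
            return new SSLSocketFactory(null, keystore, keyPassword, truststore, null, getTrustStrategy(),
                getHostnameVerifier());
        } catch (Exception e) {
            // loadKeystore's checked exceptions are not visible here; keep the broad catch but give
            // the caller context and preserve the cause (no passwords in the message).
            throw new RuntimeException("Failed to initialize SSL socket factory for the management connection", e);
        }
    }

    /**
     * @return the configured truststore, or null when none is configured (the JVM default is then used
     *         by the SSL context)
     */
    private KeyStore loadTruststore() throws Exception {
        if (asConnectionParams.getTruststore() == null) {
            return null;
        }
        return loadKeystore( //
            asConnectionParams.getTruststoreType(), //
            asConnectionParams.getTruststore(), //
            asConnectionParams.getTruststorePassword() //
        );
    }

    /**
     * Maps the configured trust strategy to an HttpClient {@link TrustStrategy}.
     *
     * @return null for {@code STANDARD} (default JSSE validation), a self-signed-tolerant strategy for
     *         {@code TRUST_SELFSIGNED}, or an accept-everything strategy for {@code TRUST_ANY}
     * @throws UnsupportedOperationException for an unknown strategy value
     */
    private TrustStrategy getTrustStrategy() {
        switch (asConnectionParams.getTrustStrategy()) {
        case TRUST_SELFSIGNED:
            return TRUST_SELF_SIGNED_STRATEGY;
        case TRUST_ANY:
            return TRUST_ANY_STRATEGY;
        case STANDARD:
            return null;
        default:
            throw new UnsupportedOperationException(asConnectionParams.getTrustStrategy().name);
        }
    }

    /**
     * Maps the configured hostname verification mode to an HttpClient {@link X509HostnameVerifier}.
     *
     * @return the strict, browser-compatible, or allow-all verifier; allow-all ({@code SKIP}) performs
     *         no check that the certificate was issued for the host being contacted
     * @throws UnsupportedOperationException for an unknown verification value
     */
    private X509HostnameVerifier getHostnameVerifier() {
        switch (asConnectionParams.getHostnameVerification()) {
        case STRICT:
            return STRICT_HOSTNAME_VERIFIER;
        case BROWSER_COMPATIBLE:
            return BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
        case SKIP:
            return ALLOW_ALL_HOSTNAME_VERIFIER;
        default:
            throw new UnsupportedOperationException(asConnectionParams.getHostnameVerification().name);
        }
    }

    /**
     * Trust strategy that accepts every certificate chain without inspecting it. Selecting it
     * disables server authentication entirely; the connection is still encrypted but the peer's
     * identity is not verified.
     */
    private static class TrustAnyStrategy implements TrustStrategy {
        @Override
        public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            return true;
        }
    }
}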