plugins/svn4idea/src/org/jetbrains/idea/svn/auth/SSLServerCertificateAuthenticator.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

/*
 * Copyright 2000-2014 JetBrains s.r.o.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.jetbrains.idea.svn.auth;

import com.intellij.openapi.util.text.StringUtil;
import org.intellij.lang.annotations.MagicConstant;
import org.jetbrains.annotations.NotNull;
import org.tmatesoft.svn.core.*;
import org.tmatesoft.svn.core.auth.ISVNAuthenticationProvider;
import org.tmatesoft.svn.core.auth.SVNAuthentication;
import org.tmatesoft.svn.core.internal.util.SVNBase64;
import org.tmatesoft.svn.core.internal.util.SVNHashMap;
import org.tmatesoft.svn.core.internal.util.SVNSSLUtil;
import org.tmatesoft.svn.core.internal.wc.SVNFileUtil;
import org.tmatesoft.svn.core.internal.wc.SVNWCProperties;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.cert.*;

/**
* @author Konstantin Kolosovsky.
*/ // plus seems that we also should ask for credentials; but we didn't receive realm name yet
class SSLServerCertificateAuthenticator extends AbstractAuthenticator {
  private String myCertificateRealm;
  private String myCredentialsRealm;
  private Object myCertificate;
  private int myResult;
  private SVNAuthentication myAuthentication;

  SSLServerCertificateAuthenticator(@NotNull AuthenticationService authenticationService, @NotNull SVNURL url, String realm) {
    super(authenticationService, url, realm);
  }

  @Override
  public boolean tryAuthenticate() {
    myResult = ISVNAuthenticationProvider.ACCEPTED_TEMPORARY;
    myStoreInUsual = false;
    return super.tryAuthenticate();
  }

  @Override
  protected boolean getWithPassive(SvnAuthenticationManager passive) throws SVNException {
    String stored = (String)passive.getRuntimeAuthStorage().getData("svn.ssl.server", myRealm);
    if (stored == null) return false;

    myCertificate = createCertificate(stored);
    myCertificateRealm = myRealm;
    return true;
  }

  @Override
  public void requestClientAuthentication(SVNURL url, String realm, SVNAuthentication authentication) {
    if (!myUrl.equals(url)) return;
    myCredentialsRealm = realm;
    myAuthentication = authentication;
    if (myAuthentication != null) {
      myStoreInUsual &= myAuthentication.isStorageAllowed();
    }
  }

  @Override
  public void acceptServerAuthentication(SVNURL url, String realm, Object certificate, @MagicConstant int acceptResult) {
    if (!myUrl.equals(url)) return;
    myCertificateRealm = realm;
    myCertificate = certificate;
    myResult = acceptResult;
  }

  @Override
  protected boolean afterAuthCall() {
    myStoreInUsual &= myCertificate != null && ISVNAuthenticationProvider.ACCEPTED == myResult;
    // TODO: Previous code always returned not null value, so Boolean == null check was always false in tryAuthenticate().
    // TODO: This was most likely error in code - check once again.
    return ISVNAuthenticationProvider.REJECTED != myResult && myCertificate != null;
  }

  @Override
  protected boolean acknowledge(SvnAuthenticationManager manager) throws SVNException {
    // we should store certificate, if it wasn't accepted (if temporally tmp)
    if (myCertificate == null) {   // this is if certificate was stored only in passive area
      String stored = (String)manager.getRuntimeAuthStorage().getData("svn.ssl.server", myRealm);
      if (StringUtil.isEmptyOrSpaces(stored)) {
        throw new SVNException(
          SVNErrorMessage.create(SVNErrorCode.AUTHN_CREDS_UNAVAILABLE, "No stored server certificate was found in runtime"));
      }
      myCertificate = createCertificate(stored);
      myCertificateRealm = myRealm;
    }
    if (myAuthenticationService.getTempDirectory() != null && myCertificate != null) {
      storeServerCertificate();

      if (myAuthentication != null) {
        final String realm = myCredentialsRealm == null ? myCertificateRealm : myCredentialsRealm;
        return storeCredentials(manager, myAuthentication, realm);
      }
    }
    return true;
  }

  @NotNull
  private Certificate createCertificate(@NotNull String stored) throws SVNException {
    CertificateFactory factory;
    try {
      factory = CertificateFactory.getInstance("X509");
      final byte[] buffer = new byte[stored.length()];
      SVNBase64.base64ToByteArray(new StringBuffer(stored), buffer);

      return factory.generateCertificate(new ByteArrayInputStream(buffer));
    }
    catch (CertificateException e) {
      throw new SVNException(SVNErrorMessage.create(SVNErrorCode.AUTHN_CREDS_UNAVAILABLE, e));
    }
  }

  private void storeServerCertificate() throws SVNException {
    if (!(myCertificate instanceof X509Certificate)) {
      throw new SVNException(SVNErrorMessage.create(SVNErrorCode.IO_ERROR, "Can not store server certificate: " + myCertificate));
    }
    X509Certificate x509Certificate = (X509Certificate)myCertificate;
    String stored;
    try {
      stored = SVNBase64.byteArrayToBase64(x509Certificate.getEncoded());
    }
    catch (CertificateEncodingException e) {
      throw new SVNException(SVNErrorMessage.create(SVNErrorCode.IO_ERROR, e));
    }

    int failures = SVNSSLUtil.getServerCertificateFailures(x509Certificate, myUrl.getHost());
    storeServerCertificate(myAuthenticationService.getTempDirectory(), myCertificateRealm, stored, failures);
  }

  private void storeServerCertificate(final File configDir, String realm, String data, int failures) throws SVNException {
    //noinspection ResultOfMethodCallIgnored
    configDir.mkdirs();

    File file = new File(configDir, "auth/svn.ssl.server/" + SVNFileUtil.computeChecksum(realm));
    SVNHashMap map = new SVNHashMap();
    map.put("ascii_cert", data);
    map.put("svn:realmstring", realm);
    map.put("failures", Integer.toString(failures));

    SVNFileUtil.deleteFile(file);

    File tmpFile = SVNFileUtil.createUniqueFile(configDir, "auth", ".tmp", true);
    try {
      SVNWCProperties.setProperties(SVNProperties.wrap(map), file, tmpFile, SVNWCProperties.SVN_HASH_TERMINATOR);
    }
    finally {
      SVNFileUtil.deleteFile(tmpFile);
    }
  }
}