1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
/*
* Copyright 2000-2013 JetBrains s.r.o.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.jetbrains.idea.svn.commandLine;
import com.intellij.openapi.util.text.StringUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.idea.svn.auth.AuthenticationService;
import org.tmatesoft.svn.core.SVNException;
import org.tmatesoft.svn.core.SVNURL;
/**
* @author Konstantin Kolosovsky.
*/
public class CertificateCallbackCase extends AuthCallbackCase {
private static final String CERTIFICATE_ERROR = "Error validating server certificate for";
private static final String UNTRUSTED_SERVER_CERTIFICATE = "Server SSL certificate untrusted";
private static final String CERTIFICATE_VERIFICATION_FAILED = "certificate verification failed";
private boolean accepted;
CertificateCallbackCase(@NotNull AuthenticationService authenticationService, SVNURL url) {
super(authenticationService, url);
}
@Override
public boolean canHandle(String error) {
return error.startsWith(CERTIFICATE_ERROR) ||
// https one-way protocol untrusted server certificate
error.contains(UNTRUSTED_SERVER_CERTIFICATE) ||
// for instance, certificate issued for a different hostname, issuer is not trusted - for both 1.7 and 1.8
error.contains(CERTIFICATE_VERIFICATION_FAILED);
}
@Override
public boolean getCredentials(final String errText) throws SvnBindException {
String realm = getRealm(errText);
if (!errText.startsWith(CERTIFICATE_ERROR)) {
// if we do not have explicit realm in error message - use server url and not full repository url
// as SVNKit lifecycle resolves ssl realm (for saving certificate to runtime storage) as server url
SVNURL serverUrl = getServerUrl(realm);
realm = serverUrl != null ? serverUrl.toString() : realm;
}
if (!myTried && myAuthenticationService.acceptSSLServerCertificate(myUrl, realm)) {
accepted = true;
myTried = true;
return true;
}
throw new SvnBindException("Server SSL certificate rejected");
}
private static String getRealm(String errText) throws SvnBindException {
String realm = errText;
final int idx1 = realm.indexOf('\'');
if (idx1 == -1) {
throw new SvnBindException("Can not detect authentication realm name: " + errText);
}
final int idx2 = realm.indexOf('\'', idx1 + 1);
if (idx2 == -1) {
throw new SvnBindException("Can not detect authentication realm name: " + errText);
}
realm = realm.substring(idx1 + 1, idx2);
return realm;
}
@Override
public void updateParameters(@NotNull Command command) {
if (accepted) {
command.put("--trust-server-cert");
// force --non-interactive as it is required by --trust-server-cert, but --non-interactive is not default mode for 1.7 or earlier
command.put("--non-interactive");
}
}
private SVNURL getServerUrl(String realm) {
SVNURL result = parseUrl(realm);
while (result != null && !StringUtil.isEmpty(result.getPath())) {
try {
result = result.removePathTail();
}
catch (SVNException e) {
result = null;
}
}
return result;
}
}
|
