Package com.gitblit.utils

Source Code of com.gitblit.utils.HttpUtils

/*
* Copyright 2011 gitblit.com.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*     http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.gitblit.utils;

import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Date;

import javax.servlet.http.HttpServletRequest;

import org.slf4j.LoggerFactory;

import com.gitblit.models.UserModel;
import com.gitblit.utils.X509Utils.X509Metadata;

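/**
 * Collection of utility methods for http requests.
 *
 * <p>Several helpers read values the remote peer can influence: the
 * {@code X-Forwarded-*} headers, the server name (taken by the container from
 * the Host header) and the attributes of a presented client certificate.
 * Forwarded headers are only trustworthy when a reverse proxy in front of the
 * application overwrites them on every request; otherwise a client can set
 * them directly and steer the URL returned by {@link #getGitblitURL}.
 *
 * @author James Moger
 *
 */
public class HttpUtils {

  /**
   * Returns the Gitblit URL based on the request.
   *
   * <p>The scheme, port and context path default to the values reported by the
   * servlet container and are overridden by {@code X-Forwarded-Proto},
   * {@code X-Forwarded-Port} and {@code X-Forwarded-Context} (or their
   * underscore spellings) when present. A forwarded scheme is accepted only if
   * it is {@code http} or {@code https}, and a forwarded port only if it is a
   * number in the range 1-65535; anything else is ignored so a malformed header
   * cannot produce a malformed URL.
   *
   * <p>The host name and the forwarded context are still taken as supplied.
   * Callers that embed the result in e-mails, redirects or HTML should make
   * sure the deployment pins the host name and strips forwarded headers from
   * untrusted clients.
   *
   * @param request the current servlet request
   * @return the host url, without a trailing slash
   */
  public static String getGitblitURL(HttpServletRequest request) {
    // default to the request scheme and port
    String scheme = request.getScheme();
    int port = request.getServerPort();

    // try to use reverse-proxy server's port
    String forwardedPort = getForwardedHeader(request, "Port");
    if (!StringUtils.isEmpty(forwardedPort)) {
      try {
        int candidate = Integer.parseInt(forwardedPort.trim());
        if (candidate > 0 && candidate <= 65535) {
          // reverse-proxy server has supplied the original port
          port = candidate;
        }
      } catch (NumberFormatException ignored) {
        // not a number: keep the port reported by the container
      }
    }

    // try to use reverse-proxy server's scheme
    String forwardedScheme = getForwardedHeader(request, "Proto");
    if (!StringUtils.isEmpty(forwardedScheme)) {
      String candidate = forwardedScheme.trim();
      boolean accepted = false;
      if ("https".equalsIgnoreCase(candidate)) {
        scheme = "https";
        accepted = true;
      } else if ("http".equalsIgnoreCase(candidate)) {
        scheme = "http";
        accepted = true;
      }
      // any other value is ignored and the container's scheme is kept

      if (accepted && "https".equals(scheme) && port == 80) {
        // proxy server is https, inside server is 80
        // this is likely because the proxy server has not supplied
        // x-forwarded-port. since 80 is almost definitely wrong,
        // make an educated guess that 443 is correct.
        port = 443;
      }
    }

    String context = request.getContextPath();
    String forwardedContext = getForwardedHeader(request, "Context");
    if (!StringUtils.isEmpty(forwardedContext)) {
      context = forwardedContext;
    }

    // trim any trailing slash (drop the LAST character, not the first)
    if (context.length() > 0 && context.charAt(context.length() - 1) == '/') {
      context = context.substring(0, context.length() - 1);
    }

    StringBuilder sb = new StringBuilder();
    sb.append(scheme);
    sb.append("://");
    sb.append(request.getServerName());
    // only spell out the port when it is not the default for the scheme
    if (("http".equals(scheme) && port != 80)
        || ("https".equals(scheme) && port != 443)) {
      sb.append(':').append(port);
    }
    sb.append(context);
    return sb.toString();
  }

  /**
   * Reads an {@code X-Forwarded-<suffix>} header, falling back to the
   * {@code X_Forwarded_<suffix>} spelling when the first one is absent or empty.
   *
   * @param request the current servlet request
   * @param suffix the part of the header name after {@code X-Forwarded-}
   * @return the raw header value, possibly null or empty
   */
  private static String getForwardedHeader(HttpServletRequest request, String suffix) {
    String value = request.getHeader("X-Forwarded-" + suffix);
    if (StringUtils.isEmpty(value)) {
      value = request.getHeader("X_Forwarded_" + suffix);
    }
    return value;
  }

  /**
   * Returns the first certificate of the chain the container attached to the
   * request, or null when the attribute is missing, has an unexpected type, or
   * holds an empty chain.
   *
   * @param httpRequest the current servlet request
   * @return the client certificate or null
   */
  private static X509Certificate getClientCertificate(HttpServletRequest httpRequest) {
    Object attribute = httpRequest.getAttribute("javax.servlet.request.X509Certificate");
    if (!(attribute instanceof X509Certificate[])) {
      return null;
    }
    X509Certificate[] certChain = (X509Certificate[]) attribute;
    if (certChain.length == 0 || certChain[0] == null) {
      return null;
    }
    return certChain[0];
  }

  /**
   * Returns a user model object built from attributes in the SSL certificate.
   * This model is not retrieved from the user service.
   *
   * <p>With {@code checkValidity} set, only the certificate's validity period is
   * checked against the current time. Chain trust and revocation are not
   * evaluated here.
   * NOTE(review): presumably the container's TLS client-authentication
   * configuration enforces chain trust before this attribute is set; confirm
   * for the deployment.
   *
   * @param httpRequest the current servlet request
   * @param checkValidity ensure certificate can be used now
   * @param usernameOIDs if unspecified, CN is used as the username
   * @return a UserModel, if a valid certificate is in the request, null otherwise
   */
  public static UserModel getUserModelFromCertificate(HttpServletRequest httpRequest, boolean checkValidity, String... usernameOIDs) {
    X509Certificate cert = getClientCertificate(httpRequest);
    if (cert == null) {
      return null;
    }
    // ensure certificate is valid
    if (checkValidity) {
      try {
        cert.checkValidity(new Date());
      } catch (CertificateNotYetValidException e) {
        LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} is not yet valid", cert.getSubjectDN().getName()));
        return null;
      } catch (CertificateExpiredException e) {
        LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} has expired", cert.getSubjectDN().getName()));
        return null;
      }
    }
    return getUserModelFromCertificate(cert, usernameOIDs);
  }

  /**
   * Creates a UserModel from a certificate.
   *
   * <p>The returned model has {@code isAuthenticated} set to false: it only
   * describes what the certificate claims.
   *
   * @param cert the certificate to read the user attributes from
   * @param usernameOIDs if unspecified CN is used as the username
   * @return a new, unauthenticated UserModel
   */
  public static UserModel getUserModelFromCertificate(X509Certificate cert, String... usernameOIDs) {
    X509Metadata metadata = X509Utils.getMetadata(cert);

    UserModel user = new UserModel(metadata.commonName);
    user.emailAddress = metadata.emailAddress;
    user.isAuthenticated = false;

    if (usernameOIDs == null || usernameOIDs.length == 0) {
      // use default username<->CN mapping
      usernameOIDs = new String [] { "CN" };
    }

    // determine username from OID fingerprint
    StringBuilder an = new StringBuilder();
    for (String oid : usernameOIDs) {
      if (oid == null) {
        continue;
      }
      // Locale.ROOT keeps the lookup key stable on locales with special
      // casing rules (e.g. "uid" must become "UID" everywhere)
      String val = metadata.getOID(oid.toUpperCase(java.util.Locale.ROOT), null);
      if (val != null) {
        an.append(val).append(' ');
      }
    }
    user.username = an.toString().trim();
    return user;
  }

  /**
   * Returns the metadata of the client certificate attached to the request.
   *
   * @param httpRequest the current servlet request
   * @return the certificate metadata, or null if the request carries no certificate
   */
  public static X509Metadata getCertificateMetadata(HttpServletRequest httpRequest) {
    X509Certificate cert = getClientCertificate(httpRequest);
    return cert == null ? null : X509Utils.getMetadata(cert);
  }

  /**
   * Tests whether the string is a dotted-quad IPv4 address: exactly four
   * fields of ASCII digits, each with a value from 0 to 255. Signs, empty
   * fields and a trailing dot are rejected. IPv6 is not recognised.
   *
   * @param address the string to test, may be null
   * @return true if the string is an IPv4 address
   */
  public static boolean isIpAddress(String address) {
    if (StringUtils.isEmpty(address)) {
      return false;
    }
    // limit -1 keeps trailing empty fields, so "1.2.3.4." has five fields
    String [] fields = address.split("\\.", -1);
    if (fields.length != 4) {
      // TODO IPV6?
      return false;
    }
    // IPV4
    for (String field : fields) {
      if (!isDecimalOctet(field)) {
        return false;
      }
    }
    return true;
  }

  /**
   * Tests whether the field consists only of ASCII digits and its value is at
   * most 255. Integer.parseInt is avoided because it also accepts a leading
   * sign and non-ASCII digits.
   */
  private static boolean isDecimalOctet(String field) {
    if (field.isEmpty()) {
      return false;
    }
    int value = 0;
    for (int i = 0; i < field.length(); i++) {
      char c = field.charAt(i);
      if (c < '0' || c > '9') {
        return false;
      }
      value = value * 10 + (c - '0');
      if (value > 255) {
        // bail out early; this also rules out int overflow on long inputs
        return false;
      }
    }
    return true;
  }
}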