src/main/java/com/gitblit/utils/HttpUtils.java - gitblit - Git at Google

 /*
  * Copyright 2011 gitblit.com.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package com.gitblit.utils;

 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
 import java.util.Date;

 import javax.servlet.http.HttpServletRequest;

 import org.slf4j.LoggerFactory;

 import com.gitblit.models.UserModel;
 import com.gitblit.utils.X509Utils.X509Metadata;

 /**
  * Collection of utility methods for http requests.
  *
  * @author James Moger
  *
  */
 public class HttpUtils {

 	/**
 	 * Returns the Gitblit URL based on the request.
 	 *
 	 * @param request
 	 * @return the host url
 	 */
 	public static String getGitblitURL(HttpServletRequest request) {
 		// default to the request scheme and port
 		String scheme = request.getScheme();
 		int port = request.getServerPort();

 		// try to use reverse-proxy server's port
         String forwardedPort = request.getHeader("X-Forwarded-Port");
         if (StringUtils.isEmpty(forwardedPort)) {
         	forwardedPort = request.getHeader("X_Forwarded_Port");
         }
         if (!StringUtils.isEmpty(forwardedPort)) {
         	// reverse-proxy server has supplied the original port
         	try {
         		port = Integer.parseInt(forwardedPort);
         	} catch (Throwable t) {
         	}
         }

 		// try to use reverse-proxy server's scheme
         String forwardedScheme = request.getHeader("X-Forwarded-Proto");
         if (StringUtils.isEmpty(forwardedScheme)) {
         	forwardedScheme = request.getHeader("X_Forwarded_Proto");
         }
         if (!StringUtils.isEmpty(forwardedScheme)) {
         	// reverse-proxy server has supplied the original scheme
         	scheme = forwardedScheme;

         	if ("https".equals(scheme) && port == 80) {
         		// proxy server is https, inside server is 80
         		// this is likely because the proxy server has not supplied
         		// x-forwarded-port. since 80 is almost definitely wrong,
         		// make an educated guess that 443 is correct.
         		port = 443;
         	}
         }

 		// try to use reverse-proxy's context
         String context = request.getContextPath();
         String forwardedContext = request.getHeader("X-Forwarded-Context");
         if (StringUtils.isEmpty(forwardedContext)) {
         	forwardedContext = request.getHeader("X_Forwarded_Context");
         }
         if (!StringUtils.isEmpty(forwardedContext)) {
         	context = forwardedContext;
         }

         // trim any trailing slash
         if (context.length() > 0 && context.charAt(context.length() - 1) == '/') {
         	context = context.substring(1);
         }

 		// try to use reverse-proxy's hostname
 		String host = request.getServerName();
 		String forwardedHost = request.getHeader("X-Forwarded-Host");
 		if (StringUtils.isEmpty(forwardedHost)) {
 			forwardedHost = request.getHeader("X_Forwarded_Host");
 		}
 		if (!StringUtils.isEmpty(forwardedHost)) {
 			host = forwardedHost;
 		}

 		// build result
 		StringBuilder sb = new StringBuilder();
 		sb.append(scheme);
 		sb.append("://");
 		sb.append(host);
 		if (("http".equals(scheme) && port != 80)
 				|| ("https".equals(scheme) && port != 443)) {
 			if (!host.endsWith(":" + port)) {
 				sb.append(":").append(port);
 			}
 		}
 		sb.append(context);
 		return sb.toString();
 	}

 	/**
 	 * Returns a user model object built from attributes in the SSL certificate.
 	 * This model is not retrieved from the user service.
 	 *
 	 * @param httpRequest
 	 * @param checkValidity ensure certificate can be used now
 	 * @param usernameOIDs if unspecified, CN is used as the username
 	 * @return a UserModel, if a valid certificate is in the request, null otherwise
 	 */
 	public static UserModel getUserModelFromCertificate(HttpServletRequest httpRequest, boolean checkValidity, String... usernameOIDs) {
 		if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) {
 			X509Certificate[] certChain = (X509Certificate[]) httpRequest
 					.getAttribute("javax.servlet.request.X509Certificate");
 			if (certChain != null) {
 				X509Certificate cert = certChain[0];
 				// ensure certificate is valid
 				if (checkValidity) {
 					try {
 						cert.checkValidity(new Date());
 					} catch (CertificateNotYetValidException e) {
 						LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} is not yet valid", cert.getSubjectDN().getName()));
 						return null;
 					} catch (CertificateExpiredException e) {
 						LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} has expired", cert.getSubjectDN().getName()));
 						return null;
 					}
 				}
 				return getUserModelFromCertificate(cert, usernameOIDs);
 			}
 		}
 		return null;
 	}

 	/**
 	 * Creates a UserModel from a certificate
 	 * @param cert
 	 * @param usernameOids if unspecified CN is used as the username
 	 * @return
 	 */
 	public static UserModel getUserModelFromCertificate(X509Certificate cert, String... usernameOIDs) {
 		X509Metadata metadata = X509Utils.getMetadata(cert);

 		UserModel user = new UserModel(metadata.commonName);
 		user.emailAddress = metadata.emailAddress;
 		user.isAuthenticated = false;

 		if (usernameOIDs == null || usernameOIDs.length == 0) {
 			// use default usename<->CN mapping
 			usernameOIDs = new String [] { "CN" };
 		}

 		// determine username from OID fingerprint
 		StringBuilder an = new StringBuilder();
 		for (String oid : usernameOIDs) {
 			String val = metadata.getOID(oid.toUpperCase(), null);
 			if (val != null) {
 				an.append(val).append(' ');
 			}
 		}
 		user.username = an.toString().trim();
 		return user;
 	}

 	public static X509Metadata getCertificateMetadata(HttpServletRequest httpRequest) {
 		if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) {
 			X509Certificate[] certChain = (X509Certificate[]) httpRequest
 					.getAttribute("javax.servlet.request.X509Certificate");
 			if (certChain != null) {
 				X509Certificate cert = certChain[0];
 				return X509Utils.getMetadata(cert);
 			}
 		}
 		return null;
 	}

 	public static boolean isIpAddress(String address) {
 		if (StringUtils.isEmpty(address)) {
 			return false;
 		}
 		String [] fields = address.split("\\.");
 		if (fields.length == 4) {
 			// IPV4
 			for (String field : fields) {
 				try {
 					int value = Integer.parseInt(field);
 					if (value < 0 || value > 255) {
 						return false;
 					}
 				} catch (Exception e) {
 					return false;
 				}
 			}
 			return true;
 		}
 		// TODO IPV6?
 		return false;
 	}
 }
	/*
	* Copyright 2011 gitblit.com.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package com.gitblit.utils;

	import java.security.cert.CertificateExpiredException;
	import java.security.cert.CertificateNotYetValidException;
	import java.security.cert.X509Certificate;
	import java.text.MessageFormat;
	import java.util.Date;

	import javax.servlet.http.HttpServletRequest;

	import org.slf4j.LoggerFactory;

	import com.gitblit.models.UserModel;
	import com.gitblit.utils.X509Utils.X509Metadata;

	/**
	* Collection of utility methods for http requests.
	*
	* @author James Moger
	*
	*/
	public class HttpUtils {

	/**
	* Returns the Gitblit URL based on the request.
	*
	* @param request
	* @return the host url
	*/
	public static String getGitblitURL(HttpServletRequest request) {
	// default to the request scheme and port
	String scheme = request.getScheme();
	int port = request.getServerPort();

	// try to use reverse-proxy server's port
	String forwardedPort = request.getHeader("X-Forwarded-Port");
	if (StringUtils.isEmpty(forwardedPort)) {
	forwardedPort = request.getHeader("X_Forwarded_Port");
	}
	if (!StringUtils.isEmpty(forwardedPort)) {
	// reverse-proxy server has supplied the original port
	try {
	port = Integer.parseInt(forwardedPort);
	} catch (Throwable t) {
	}
	}

	// try to use reverse-proxy server's scheme
	String forwardedScheme = request.getHeader("X-Forwarded-Proto");
	if (StringUtils.isEmpty(forwardedScheme)) {
	forwardedScheme = request.getHeader("X_Forwarded_Proto");
	}
	if (!StringUtils.isEmpty(forwardedScheme)) {
	// reverse-proxy server has supplied the original scheme
	scheme = forwardedScheme;

	if ("https".equals(scheme) && port == 80) {
	// proxy server is https, inside server is 80
	// this is likely because the proxy server has not supplied
	// x-forwarded-port. since 80 is almost definitely wrong,
	// make an educated guess that 443 is correct.
	port = 443;
	}
	}

	// try to use reverse-proxy's context
	String context = request.getContextPath();
	String forwardedContext = request.getHeader("X-Forwarded-Context");
	if (StringUtils.isEmpty(forwardedContext)) {
	forwardedContext = request.getHeader("X_Forwarded_Context");
	}
	if (!StringUtils.isEmpty(forwardedContext)) {
	context = forwardedContext;
	}

	// trim any trailing slash
	if (context.length() > 0 && context.charAt(context.length() - 1) == '/') {
	context = context.substring(1);
	}

	// try to use reverse-proxy's hostname
	String host = request.getServerName();
	String forwardedHost = request.getHeader("X-Forwarded-Host");
	if (StringUtils.isEmpty(forwardedHost)) {
	forwardedHost = request.getHeader("X_Forwarded_Host");
	}
	if (!StringUtils.isEmpty(forwardedHost)) {
	host = forwardedHost;
	}

	// build result
	StringBuilder sb = new StringBuilder();
	sb.append(scheme);
	sb.append("://");
	sb.append(host);
	if (("http".equals(scheme) && port != 80)
	\|\| ("https".equals(scheme) && port != 443)) {
	if (!host.endsWith(":" + port)) {
	sb.append(":").append(port);
	}
	}
	sb.append(context);
	return sb.toString();
	}

	/**
	* Returns a user model object built from attributes in the SSL certificate.
	* This model is not retrieved from the user service.
	*
	* @param httpRequest
	* @param checkValidity ensure certificate can be used now
	* @param usernameOIDs if unspecified, CN is used as the username
	* @return a UserModel, if a valid certificate is in the request, null otherwise
	*/
	public static UserModel getUserModelFromCertificate(HttpServletRequest httpRequest, boolean checkValidity, String... usernameOIDs) {
	if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) {
	X509Certificate[] certChain = (X509Certificate[]) httpRequest
	.getAttribute("javax.servlet.request.X509Certificate");
	if (certChain != null) {
	X509Certificate cert = certChain[0];
	// ensure certificate is valid
	if (checkValidity) {
	try {
	cert.checkValidity(new Date());
	} catch (CertificateNotYetValidException e) {
	LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} is not yet valid", cert.getSubjectDN().getName()));
	return null;
	} catch (CertificateExpiredException e) {
	LoggerFactory.getLogger(HttpUtils.class).info(MessageFormat.format("X509 certificate {0} has expired", cert.getSubjectDN().getName()));
	return null;
	}
	}
	return getUserModelFromCertificate(cert, usernameOIDs);
	}
	}
	return null;
	}

	/**
	* Creates a UserModel from a certificate
	* @param cert
	* @param usernameOids if unspecified CN is used as the username
	* @return
	*/
	public static UserModel getUserModelFromCertificate(X509Certificate cert, String... usernameOIDs) {
	X509Metadata metadata = X509Utils.getMetadata(cert);

	UserModel user = new UserModel(metadata.commonName);
	user.emailAddress = metadata.emailAddress;
	user.isAuthenticated = false;

	if (usernameOIDs == null \|\| usernameOIDs.length == 0) {
	// use default usename<->CN mapping
	usernameOIDs = new String [] { "CN" };
	}

	// determine username from OID fingerprint
	StringBuilder an = new StringBuilder();
	for (String oid : usernameOIDs) {
	String val = metadata.getOID(oid.toUpperCase(), null);
	if (val != null) {
	an.append(val).append(' ');
	}
	}
	user.username = an.toString().trim();
	return user;
	}

	public static X509Metadata getCertificateMetadata(HttpServletRequest httpRequest) {
	if (httpRequest.getAttribute("javax.servlet.request.X509Certificate") != null) {
	X509Certificate[] certChain = (X509Certificate[]) httpRequest
	.getAttribute("javax.servlet.request.X509Certificate");
	if (certChain != null) {
	X509Certificate cert = certChain[0];
	return X509Utils.getMetadata(cert);
	}
	}
	return null;
	}

	public static boolean isIpAddress(String address) {
	if (StringUtils.isEmpty(address)) {
	return false;
	}
	String [] fields = address.split("\\.");
	if (fields.length == 4) {
	// IPV4
	for (String field : fields) {
	try {
	int value = Integer.parseInt(field);
	if (value < 0 \|\| value > 255) {
	return false;
	}
	} catch (Exception e) {
	return false;
	}
	}
	return true;
	}
	// TODO IPV6?
	return false;
	}
	}