[OSJC-125] exclude DHE (SSL) ciphers when supported keys are <= 1024

.gitignore

@@ -7,3 +7,4 @@ bin
 .idea
 *.iml
 **/integrationTest.properties
+/target/

src/main/java/com/openshift/client/OpenShiftConnectionFactory.java

@@ -14,8 +14,10 @@
 import java.io.IOException;
 
 import com.openshift.client.IHttpClient.ISSLCertificateCallback;
+import com.openshift.client.configuration.AbstractOpenshiftConfiguration.ConfigurationOptions;
 import com.openshift.client.configuration.IOpenShiftConfiguration;
 import com.openshift.client.configuration.OpenShiftConfiguration;
+import com.openshift.client.utils.SSLUtils;
 import com.openshift.internal.client.AbstractOpenShiftConnectionFactory;
 import com.openshift.internal.client.IRestService;
 import com.openshift.internal.client.RestService;
@@ -34,8 +36,7 @@
  * 
  */
 public class OpenShiftConnectionFactory extends AbstractOpenShiftConnectionFactory {
-	private IOpenShiftConfiguration configuration = null;
-
+	private IOpenShiftConfiguration configuration;
 	/**
 	 * Establish a connection with the clientId along with user's password.
 	 * User's login and Server URL are retrieved from the local configuration
@@ -51,11 +52,7 @@ public class OpenShiftConnectionFactory extends AbstractOpenShiftConnectionFacto
 	 * @throws OpenShiftException
 	 */
 	public IOpenShiftConnection getConnection(final String clientId, final String password) throws OpenShiftException {
-		try {
-			configuration = new OpenShiftConfiguration();
-		} catch (IOException e) {
-			throw new OpenShiftException(e, "Failed to load OpenShift configuration file.");
-		}
+		IOpenShiftConfiguration configuration = getConfiguration();
 		return getConnection(clientId, configuration.getRhlogin(), password, configuration.getLibraServer());
 	}
 
@@ -77,12 +74,7 @@ public IOpenShiftConnection getConnection(final String clientId, final String pa
 	 */
 	public IOpenShiftConnection getConnection(final String clientId, final String username, final String password)
 			throws OpenShiftException {
-		try {
-			configuration = new OpenShiftConfiguration();
-		} catch (IOException e) {
-			throw new OpenShiftException(e, "Failed to load OpenShift configuration file.");
-		}
-		return getConnection(clientId, username, password, configuration.getLibraServer());
+		return getConnection(clientId, username, password, getConfiguration().getLibraServer());
 	}
 
 	/**
@@ -121,6 +113,23 @@ public IOpenShiftConnection getConnection(final String clientId, final String us
 		return getConnection(clientId, username, password, null, null, null, serverUrl, null);
 	}
 
+	public IOpenShiftConnection getConnection(final String clientId, final String username, final String password,
+			final String authKey, final String authIV, final String token, final String serverUrl,
+			final ISSLCertificateCallback sslCertificateCallback) throws OpenShiftException {
+		return getConnection(clientId, username, password, authKey, authIV, token, serverUrl, sslCertificateCallback, createCipherExclusionRegex(getConfiguration()));
+	}
+
+	protected String createCipherExclusionRegex(IOpenShiftConfiguration configuration) {
+		if(configuration.getDisableBadSSLCiphers() == ConfigurationOptions.YES
+				|| (configuration.getDisableBadSSLCiphers() == ConfigurationOptions.AUTO) && !SSLUtils.supportsDHECipherKeysOf(1024 + 64)) {
+			// jdk < 1.8 only support DHE cipher keys <= 1024 bit
+			// https://issues.jboss.org/browse/JBIDE-18454
+			return SSLUtils.CIPHER_DHE_REGEX;
+		} else {
+			return null;
+		}
+	}
+
 	/**
 	 * Establish a connection with the clientId along with user's login and
 	 * password.
@@ -141,15 +150,9 @@ public IOpenShiftConnection getConnection(final String clientId, final String us
 	 * @throws OpenShiftException
 	 */
 	public IOpenShiftConnection getConnection(final String clientId, final String username, final String password,
-		final String authKey, final String authIV, final String token, final String serverUrl,
-		final ISSLCertificateCallback sslCertificateCallback) throws OpenShiftException {
-		if (configuration == null) {
-			try {
-				configuration = new OpenShiftConfiguration();
-			} catch (IOException e) {
-				throw new OpenShiftException(e, "Failed to load OpenShift configuration file.");
-			}
-		}
+			final String authKey, final String authIV, final String token, final String serverUrl,
+			final ISSLCertificateCallback sslCertificateCallback, String exludeSSLCipherRegex)
+			throws OpenShiftException {
 
 		Assert.notNull(clientId);
 		if (token == null || token.trim().length() == 0) {
@@ -158,21 +161,43 @@ public IOpenShiftConnection getConnection(final String clientId, final String us
 		}
 		Assert.notNull(serverUrl);
 
+		IHttpClient httpClient = createClient(
+				clientId, username, password, authKey, authIV, token, serverUrl, sslCertificateCallback, exludeSSLCipherRegex);
 		try {
-			IHttpClient httpClient =
-					new UrlConnectionHttpClientBuilder()
+			return getConnection(clientId, username, password, token, serverUrl, httpClient);
+		} catch (IOException e) {
+			throw new OpenShiftException(e, "Failed to establish connection for user ''{0}}''", username);
+		}
+	}
+
+	protected IHttpClient createClient(final String clientId, final String username, final String password,
+			final String authKey, final String authIV, final String token, final String serverUrl,
+			final ISSLCertificateCallback sslCertificateCallback, String exludeSSLCipherRegex) {
+			return new UrlConnectionHttpClientBuilder()
 						.setCredentials(username, password, authKey, authIV, token)
 						.setSSLCertificateCallback(sslCertificateCallback)
-						.setConfigTimeout(configuration.getTimeout())
+						.setConfigTimeout(getConfiguration().getTimeout())
+						.excludeSSLCipher(exludeSSLCipherRegex)
 						.client();
-			return getConnection(clientId, username, password, token, serverUrl, httpClient);
+	}
+
+	protected IOpenShiftConfiguration getConfiguration() throws OpenShiftException {
+		if (this.configuration == null) {
+			this.configuration = createConfiguration();
+		}
+		return this.configuration;
+	}
+
+	protected IOpenShiftConfiguration createConfiguration() throws OpenShiftException {
+		try {
+			return new OpenShiftConfiguration();
 		} catch (IOException e) {
-			throw new OpenShiftException(e, "Failed to establish connection for user ''{0}}''", username);
+			throw new OpenShiftException(e, "Failed to load OpenShift configuration file.");
 		}
 	}
 
-	protected IOpenShiftConnection getConnection(final String clientId, final String username, final String password, final String token,
-			final String serverUrl, IHttpClient httpClient) throws OpenShiftException, IOException {
+	protected IOpenShiftConnection getConnection(final String clientId, final String username, final String password,
+			final String token, final String serverUrl, IHttpClient httpClient) throws OpenShiftException, IOException {
 		Assert.notNull(clientId);
 		Assert.notNull(serverUrl);
 		Assert.notNull(httpClient);
@@ -223,6 +248,4 @@ public IOpenShiftConnection getAuthTokenConnection(final String clientId, final
           return getConnection(clientId, null, null,  null, null, token, configuration.getLibraServer(), null);
       }
 
-
-
 }

src/main/java/com/openshift/client/configuration/AbstractOpenshiftConfiguration.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2011 Red Hat, Inc.
+ * Copyright (c) 2011-2014 Red Hat, Inc.
  * Distributed under license by Red Hat, Inc. All rights reserved.
  * This program is made available under the terms of the
  * Eclipse Public License v1.0 which accompanies this distribution,
@@ -33,26 +33,42 @@ public abstract class AbstractOpenshiftConfiguration implements IOpenShiftConfig
 	protected static final String KEY_LIBRA_SERVER = "libra_server";
 	protected static final String KEY_LIBRA_DOMAIN = "libra_domain";
 
-
 	protected static final String KEY_PASSWORD = "rhpassword";
 	protected static final String KEY_CLIENT_ID = "client_id";
 
 	protected static final String KEY_TIMEOUT = "timeout";
-	protected static final String DEFAULT_OPENSHIFT_TIMEOUT = "180000"; //3 minutes
+	protected static final String DEFAULT_OPENSHIFT_TIMEOUT = "180000"; // 3mins
+
+	protected static final String KEY_DISABLE_BAD_SSL_CIPHERS = "disable_bad_sslciphers";
 
 	private static final Pattern QUOTED_REGEX = Pattern.compile("['\"]*([^'\"]+)['\"]*");
 	private static final char SINGLEQUOTE = '\'';
-		
+
 	private static final String SYSPROPERTY_PROXY_PORT = "proxyPort";
 	private static final String SYSPROPERTY_PROXY_HOST = "proxyHost";
 	private static final String SYSPROPERTY_PROXY_SET = "proxySet";
 
 	private Properties properties;
 	private File file;
-
-	// TODO: implement
+
 	private boolean doSSLChecks = false;
 
+	public enum ConfigurationOptions {
+		YES, NO, AUTO;
+
+		private static ConfigurationOptions safeValueOf(String string) {
+			if (string == null) {
+				return NO;
+			}
+
+			try {
+				return valueOf(string.toUpperCase());
+			} catch (IllegalArgumentException e) {
+				return NO;
+			}
+		}
+	}
+
 	protected AbstractOpenshiftConfiguration() throws FileNotFoundException, IOException {
 		this(null, null);
 	}
@@ -164,34 +180,45 @@ protected String removeQuotes(String value) {
 			return value;
 		}
 	}
-	
+
 	public String getPassword() {
 		return removeQuotes(properties.getProperty(KEY_PASSWORD));
 	}
 
 	public String getClientId() {
 		return properties.getProperty(KEY_CLIENT_ID);
 	}
+
+	public ConfigurationOptions getDisableBadSSLCiphers() {
+		return ConfigurationOptions.safeValueOf(
+				removeQuotes(properties.getProperty(KEY_DISABLE_BAD_SSL_CIPHERS)));
+	}
+
+	public void setDisableBadSSLCiphers(ConfigurationOptions option) {
+		properties.setProperty(KEY_DISABLE_BAD_SSL_CIPHERS, option.toString());
+	}
 
 	public void setEnableSSLCertChecks(boolean doSSLChecks) {
 		this.doSSLChecks = doSSLChecks;
 	}
-	
+
 	public boolean getProxySet() {
-		String set = properties.getProperty(SYSPROPERTY_PROXY_SET);
-
-		if (set != null)
-			return Boolean.parseBoolean(removeQuotes(set));
-		else 
-			return false;
+		return toBoolean(removeQuotes(properties.getProperty(SYSPROPERTY_PROXY_SET)));
 	}
-	
+
 	public String getProxyHost() {
 		return removeQuotes(properties.getProperty(SYSPROPERTY_PROXY_HOST));
 	}
-	
+
 	public String getProxyPort() {
 		return removeQuotes(properties.getProperty(SYSPROPERTY_PROXY_PORT));
 	}
 
+	private boolean toBoolean(String string) {
+		if (string != null) {
+			return Boolean.parseBoolean(string);
+		} else {
+			return false;
+		}
+	}
 }

src/main/java/com/openshift/client/configuration/DefaultConfiguration.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2011 Red Hat, Inc.
+ * Copyright (c) 2011-2014 Red Hat, Inc.
  * Distributed under license by Red Hat, Inc. All rights reserved.
  * This program is made available under the terms of the
  * Eclipse Public License v1.0 which accompanies this distribution,
@@ -14,7 +14,6 @@
 import java.io.IOException;
 import java.util.Properties;
 
-import com.openshift.client.IHttpClient;
 import com.openshift.client.OpenShiftException;
 
 /**
@@ -36,6 +35,7 @@ protected Properties getProperties(File file, Properties defaultProperties) {
 	    properties.put(KEY_LIBRA_SERVER, LIBRA_SERVER);
 	    properties.put(KEY_LIBRA_DOMAIN, LIBRA_DOMAIN);
 		properties.put(KEY_TIMEOUT, DEFAULT_OPENSHIFT_TIMEOUT);
+		properties.put(KEY_DISABLE_BAD_SSL_CIPHERS, ConfigurationOptions.NO.toString());
 		return properties;
 	}
 }

src/main/java/com/openshift/client/configuration/IOpenShiftConfiguration.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2011 Red Hat, Inc.
+ * Copyright (c) 2011-2014 Red Hat, Inc.
  * Distributed under license by Red Hat, Inc. All rights reserved.
  * This program is made available under the terms of the
  * Eclipse Public License v1.0 which accompanies this distribution,
@@ -12,25 +12,31 @@
 
 import java.util.Properties;
 
+import com.openshift.client.configuration.AbstractOpenshiftConfiguration.ConfigurationOptions;
+
 /**
  * @author André Dietisheim
  * @author Corey Daley
  */
 public interface IOpenShiftConfiguration {
 
-	public abstract String getRhlogin();
+	public String getRhlogin();
 
-	public abstract void setRhlogin(String rhlogin);
+	public void setRhlogin(String rhlogin);
 
-	public abstract String getLibraServer();
+	public String getLibraServer();
 
-	public abstract void setLibraServer(String libraServer);
+	public void setLibraServer(String libraServer);
 
-	public abstract String getLibraDomain();
+	public String getLibraDomain();
 
 	public Integer getTimeout();
 
-	public abstract void setLibraDomain(String libraDomain);
+	public void setLibraDomain(String libraDomain);
 
+	public ConfigurationOptions getDisableBadSSLCiphers();
+
+	public void setDisableBadSSLCiphers(ConfigurationOptions option);
+
 	public Properties getProperties();
 }

src/main/java/com/openshift/client/configuration/SystemProperties.java

@@ -37,6 +37,7 @@ protected Properties getProperties(File file, Properties defaultProperties) {
 		copySystemProperty(KEY_PASSWORD, properties);
 		copySystemProperty(KEY_CLIENT_ID, properties);
 		copySystemProperty(KEY_OPENSHIFT_TIMEOUT, properties);
+		copySystemProperty(KEY_DISABLE_BAD_SSL_CIPHERS, properties);
 		return properties;
 	}