github-advanced-security[bot] commented on code in PR #2365:
URL: 
https://github.com/apache/incubator-hugegraph/pull/2365#discussion_r1410625749


##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/gremlin/AbstractJerseyRestClient.java:
##########
@@ -0,0 +1,412 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.hugegraph.api.gremlin;
+
+import java.net.URI;
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.TimeUnit;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.http.HttpHeaders;
+import org.apache.http.config.Registry;
+import org.apache.http.config.RegistryBuilder;
+import org.apache.http.conn.socket.ConnectionSocketFactory;
+import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
+import org.apache.http.pool.PoolStats;
+import org.apache.hugegraph.rest.ClientException;
+import org.apache.hugegraph.util.E;
+import org.apache.hugegraph.util.ExecutorUtil;
+import org.glassfish.jersey.SslConfigurator;
+import org.glassfish.jersey.apache.connector.ApacheClientProperties;
+import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
+import org.glassfish.jersey.client.ClientConfig;
+import org.glassfish.jersey.client.ClientProperties;
+import org.glassfish.jersey.client.JerseyClientBuilder;
+import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;
+import org.glassfish.jersey.message.GZipEncoder;
+import org.glassfish.jersey.uri.UriComponent;
+
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.client.ClientRequestContext;
+import jakarta.ws.rs.client.ClientRequestFilter;
+import jakarta.ws.rs.client.Entity;
+import jakarta.ws.rs.client.Invocation.Builder;
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.Variant;
+
+/**
+ * This class is a simplified class of AbstractRestClient from 
hugegraph-common.
+ * For some reason we replace the rest implementation from jersey to okhttp.
+ * But GremlinClient still use jersey-client to forward request, so we copy 
the old
+ * AbstractRestClient from hugegraph-common and rename the name to 
AbstractJerseyRestClient.
+ * Because we don't need the full feature of AbstractRestClient, so we reduce 
some useless code.
+ */
+public abstract class AbstractJerseyRestClient {
+
+    // Time unit: hours
+    private static final long TTL = 24L;
+    // Time unit: ms
+    private static final long IDLE_TIME = 40L * 1000L;
+
+    private static final String TOKEN_KEY = "tokenKey";
+
+    private final Client client;
+    private final WebTarget target;
+    private final ThreadLocal<String> authContext =
+        new InheritableThreadLocal<>();
+    private final PoolingHttpClientConnectionManager pool;
+    private ScheduledExecutorService cleanExecutor;
+
+    public AbstractJerseyRestClient(String url, int timeout,
+                                    int maxTotal, int maxPerRoute) {
+        this(url, new ConfigBuilder().configTimeout(timeout)
+                                     .configPool(maxTotal, maxPerRoute)
+                                     .build());
+    }
+
+    public AbstractJerseyRestClient(String url, ClientConfig config) {
+        configConnectionManager(url, config);
+
+        this.client = JerseyClientBuilder.newClient(config);
+        this.client.register(GZipEncoder.class);
+        this.target = this.client.target(url);
+        this.pool = (PoolingHttpClientConnectionManager) config.getProperty(
+            ApacheClientProperties.CONNECTION_MANAGER);
+        if (this.pool != null) {
+            this.cleanExecutor = ExecutorUtil.newScheduledThreadPool(
+                "conn-clean-worker-%d");
+            Number idleTimeProp = (Number) config.getProperty("idleTime");
+            final long idleTime = idleTimeProp == null ?
+                                  IDLE_TIME : idleTimeProp.longValue();
+            final long checkPeriod = idleTime / 2L;
+            this.cleanExecutor.scheduleWithFixedDelay(() -> {
+                PoolStats stats = this.pool.getTotalStats();
+                int using = stats.getLeased() + stats.getPending();
+                if (using > 0) {
+                    // Do clean only when all connections are idle
+                    return;
+                }
+                // Release connections when all clients are inactive
+                this.pool.closeIdleConnections(idleTime, 
TimeUnit.MILLISECONDS);
+                this.pool.closeExpiredConnections();
+            }, checkPeriod, checkPeriod, TimeUnit.MILLISECONDS);
+        }
+    }
+
+    /**
+     * parse user custom content-type, returns MediaType.APPLICATION_JSON_TYPE 
default.
+     *
+     * @param headers custom http header
+     */
+    private static MediaType parseCustomContentType(MultivaluedMap<String, 
Object> headers) {
+        String customContentType = null;
+        if (MapUtils.isNotEmpty(headers) && headers.get("Content-Type") != 
null) {
+            List<?> contentTypeObj = headers.get("Content-Type");
+            if (contentTypeObj != null && !contentTypeObj.isEmpty()) {
+                customContentType = contentTypeObj.get(0).toString();
+            }
+            return MediaType.valueOf(customContentType);
+        }
+        return MediaType.APPLICATION_JSON_TYPE;
+    }
+
+    private static void configConnectionManager(String url, ClientConfig conf) 
{
+        /*
+         * Using httpclient with connection pooling, and configuring the
+         * jersey connector. But the jersey that has been released in the 
maven central
+         * repository seems to have a bug: 
https://github.com/jersey/jersey/pull/3752
+         */
+        PoolingHttpClientConnectionManager pool = connectionManager(url, conf);
+        Object maxTotal = conf.getProperty("maxTotal");
+        Object maxPerRoute = conf.getProperty("maxPerRoute");
+        if (maxTotal != null) {
+            pool.setMaxTotal((int) maxTotal);
+        }
+        if (maxPerRoute != null) {
+            pool.setDefaultMaxPerRoute((int) maxPerRoute);
+        }
+        conf.property(ApacheClientProperties.CONNECTION_MANAGER, pool);
+        conf.connectorProvider(new ApacheConnectorProvider());
+    }
+
+    private static PoolingHttpClientConnectionManager connectionManager(
+        String url,
+        ClientConfig conf) {
+        String protocol = (String) conf.getProperty("protocol");
+        if (protocol == null || "http".equals(protocol)) {
+            return new PoolingHttpClientConnectionManager(TTL, TimeUnit.HOURS);
+        }
+
+        assert "https".equals(protocol);
+        String trustStoreFile = (String) conf.getProperty("trustStoreFile");
+        E.checkArgument(trustStoreFile != null && !trustStoreFile.isEmpty(),
+                        "The trust store file must be set when use https");
+        String trustStorePass = (String) 
conf.getProperty("trustStorePassword");
+        E.checkArgument(trustStorePass != null,
+                        "The trust store password must be set when use https");
+        SSLContext context = SslConfigurator.newInstance()
+                                            .trustStoreFile(trustStoreFile)
+                                            .trustStorePassword(trustStorePass)
+                                            .securityProtocol("SSL")
+                                            .createSSLContext();
+        TrustManager[] trustAllManager = NoCheckTrustManager.create();
+        try {
+            context.init(null, trustAllManager, new SecureRandom());
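Review bot: `.securityProtocol("SSL")` on the SslConfigurator chain names the legacy protocol; the JDK accepts `"SSL"` as an alias when creating the SSLContext, but the standard names are `TLS`, `TLSv1.2` or `TLSv1.3`, and the legacy name suggests to a reader that SSLv3 is negotiated, so `.securityProtocol("TLS")` states what is actually intended. The context created from the trust store on the preceding lines is then reinitialised by `context.init(null, trustAllManager, new SecureRandom())`, so the trust-store file and password that the two `E.checkArgument` checks insist on are loaded and immediately discarded; either the `init` call should pass trust managers derived from that store, or the two checks guard dead configuration. Separately, in `parseCustomContentType` a present-but-empty `Content-Type` list leaves `customContentType` null and reaches `MediaType.valueOf(null)`, which throws instead of falling back; `if (customContentType == null) { return MediaType.APPLICATION_JSON_TYPE; }` before the `valueOf` call restores the default the Javadoc promises. `connectionManager` continues past the end of the quoted hunk.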

Review Comment:
   ## `TrustManager` that accepts all certificates
   
   This uses [TrustManager](1), which is defined in 
[AbstractJerseyRestClient$NoCheckTrustManager](2) and trusts any certificate.
   
   [Show more 
details](https://github.com/apache/incubator-hugegraph/security/code-scanning/69)


