From 9af47c10c6a268877c1d232c8d71ee6df4f8a7ab Mon Sep 17 00:00:00 2001
From: Jeroen Baten <jeroen@jeroenbaten.nl>
Date: Fri, 04 Jan 2013 05:18:37 -0500
Subject: [PATCH] Dutch translation before spellcheck

---
 src/com/gitblit/GitBlitServer.java |  121 ++++++++++++++++++++++++++++------------
 1 files changed, 84 insertions(+), 37 deletions(-)

diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index 1307bc3..4c0e89f 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -16,7 +16,9 @@
 package com.gitblit;
 
 import java.io.BufferedReader;
+import java.io.BufferedWriter;
 import java.io.File;
+import java.io.FileWriter;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
@@ -29,6 +31,7 @@
 import java.security.ProtectionDomain;
 import java.text.MessageFormat;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.List;
 import java.util.Scanner;
 
@@ -43,6 +46,8 @@
 import org.eclipse.jetty.server.ssl.SslSocketConnector;
 import org.eclipse.jetty.util.thread.QueuedThreadPool;
 import org.eclipse.jetty.webapp.WebAppContext;
+import org.eclipse.jgit.storage.file.FileBasedConfig;
+import org.eclipse.jgit.util.FS;
 import org.eclipse.jgit.util.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -51,7 +56,13 @@
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParameterException;
 import com.beust.jcommander.Parameters;
+import com.gitblit.authority.GitblitAuthority;
+import com.gitblit.authority.NewCertificateConfig;
 import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.TimeUtils;
+import com.gitblit.utils.X509Utils;
+import com.gitblit.utils.X509Utils.X509Log;
+import com.gitblit.utils.X509Utils.X509Metadata;
 import com.unboundid.ldap.listener.InMemoryDirectoryServer;
 import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
 import com.unboundid.ldap.listener.InMemoryListenerConfig;
@@ -186,15 +197,52 @@
 
 		// conditionally configure the https connector
 		if (params.securePort > 0) {
-			File keystore = new File("keystore");
-			if (!keystore.exists()) {
-				logger.info("Generating self-signed SSL certificate for localhost");
-				MakeCertificate.generateSelfSignedCertificate("localhost", keystore,
-						params.storePassword);
+			final File folder = new File(System.getProperty("user.dir"));
+			File certificatesConf = new File(folder, X509Utils.CA_CONFIG);
+			File serverKeyStore = new File(folder, X509Utils.SERVER_KEY_STORE);
+			File serverTrustStore = new File(folder, X509Utils.SERVER_TRUST_STORE);
+			File caRevocationList = new File(folder, X509Utils.CA_REVOCATION_LIST);
+
+			// generate CA & web certificates, create certificate stores
+			X509Metadata metadata = new X509Metadata("localhost", params.storePassword);
+			// set default certificate values from config file
+			if (certificatesConf.exists()) {
+				FileBasedConfig config = new FileBasedConfig(certificatesConf, FS.detect());
+				try {
+					config.load();
+				} catch (Exception e) {
+					logger.error("Error parsing " + certificatesConf, e);
+				}
+				NewCertificateConfig certificateConfig = NewCertificateConfig.KEY.parse(config);
+				certificateConfig.update(metadata);
 			}
-			if (keystore.exists()) {
-				Connector secureConnector = createSSLConnector(keystore, params.storePassword,
-						params.useNIO, params.securePort);
+			
+			metadata.notAfter = new Date(System.currentTimeMillis() + 10*TimeUtils.ONEYEAR);
+			X509Utils.prepareX509Infrastructure(metadata, folder, new X509Log() {
+				@Override
+				public void log(String message) {
+					BufferedWriter writer = null;
+					try {
+						writer = new BufferedWriter(new FileWriter(new File(folder, X509Utils.CERTS + File.separator + "log.txt"), true));
+						writer.write(MessageFormat.format("{0,date,yyyy-MM-dd HH:mm}: {1}", new Date(), message));
+						writer.newLine();
+						writer.flush();
+					} catch (Exception e) {
+						LoggerFactory.getLogger(GitblitAuthority.class).error("Failed to append log entry!", e);
+					} finally {
+						if (writer != null) {
+							try {
+								writer.close();
+							} catch (IOException e) {
+							}
+						}
+					}
+				}
+			});
+
+			if (serverKeyStore.exists()) {		        
+				Connector secureConnector = createSSLConnector(params.alias, serverKeyStore, serverTrustStore, params.storePassword,
+						caRevocationList, params.useNIO, params.securePort, params.requireClientCertificates);
 				String bindInterface = settings.getString(Keys.server.httpsBindInterface, null);
 				if (!StringUtils.isEmpty(bindInterface)) {
 					logger.warn(MessageFormat.format(
@@ -280,11 +328,11 @@
 			if (StringUtils.isEmpty(params.ldapLdifFile) == false) {
 				File ldifFile = new File(params.ldapLdifFile);
 				if (ldifFile != null && ldifFile.exists()) {
-					URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap_server));
+					URI ldapUrl = new URI(settings.getRequiredString(Keys.realm.ldap.server));
 					String firstLine = new Scanner(ldifFile).nextLine();
 					String rootDN = firstLine.substring(4);
-					String bindUserName = settings.getString(Keys.realm.ldap_username, "");
-					String bindPassword = settings.getString(Keys.realm.ldap_password, "");
+					String bindUserName = settings.getString(Keys.realm.ldap.username, "");
+					String bindPassword = settings.getString(Keys.realm.ldap.password, "");
 					
 					// Get the port
 					int port = ldapUrl.getPort();
@@ -364,48 +412,41 @@
 	 * SSL renegotiation will be enabled if the JVM is 1.6.0_22 or later.
 	 * oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
 	 * 
-	 * @param keystore
-	 * @param password
+	 * @param certAlias
+	 * @param keyStore
+	 * @param clientTrustStore
+	 * @param storePassword
+	 * @param caRevocationList
 	 * @param useNIO
 	 * @param port
+	 * @param requireClientCertificates
 	 * @return an https connector
 	 */
-	private static Connector createSSLConnector(File keystore, String password, boolean useNIO,
-			int port) {
+	private static Connector createSSLConnector(String certAlias, File keyStore, File clientTrustStore,
+			String storePassword, File caRevocationList, boolean useNIO, int port, 
+			boolean requireClientCertificates) {
+		GitblitSslContextFactory factory = new GitblitSslContextFactory(certAlias,
+				keyStore, clientTrustStore, storePassword, caRevocationList);
 		SslConnector connector;
 		if (useNIO) {
 			logger.info("Setting up NIO SslSelectChannelConnector on port " + port);
-			SslSelectChannelConnector ssl = new SslSelectChannelConnector();
+			SslSelectChannelConnector ssl = new SslSelectChannelConnector(factory);
 			ssl.setSoLingerTime(-1);
+			if (requireClientCertificates) {
+				factory.setNeedClientAuth(true);
+			} else {
+				factory.setWantClientAuth(true);
+			}
 			ssl.setThreadPool(new QueuedThreadPool(20));
 			connector = ssl;
 		} else {
 			logger.info("Setting up NIO SslSocketConnector on port " + port);
-			SslSocketConnector ssl = new SslSocketConnector();
+			SslSocketConnector ssl = new SslSocketConnector(factory);
 			connector = ssl;
 		}
-		// disable renegotiation unless this is a patched JVM
-		boolean allowRenegotiation = false;
-		String v = System.getProperty("java.version");
-		if (v.startsWith("1.7")) {
-			allowRenegotiation = true;
-		} else if (v.startsWith("1.6")) {
-			// 1.6.0_22 was first release with RFC-5746 implemented fix.
-			if (v.indexOf('_') > -1) {
-				String b = v.substring(v.indexOf('_') + 1);
-				if (Integer.parseInt(b) >= 22) {
-					allowRenegotiation = true;
-				}
-			}
-		}
-		if (allowRenegotiation) {
-			logger.info("   allowing SSL renegotiation on Java " + v);
-			connector.setAllowRenegotiate(allowRenegotiation);
-		}
-		connector.setKeystore(keystore.getAbsolutePath());
-		connector.setPassword(password);
 		connector.setPort(port);
 		connector.setMaxIdleTime(30000);
+
 		return connector;
 	}
 	
@@ -534,12 +575,18 @@
 		@Parameter(names = "--ajpPort", description = "AJP port to serve.  (port <= 0 will disable this connector)")
 		public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
 
+		@Parameter(names = "--alias", description = "Alias of SSL certificate in keystore for serving https.")
+		public String alias = FILESETTINGS.getString(Keys.server.certificateAlias, "");
+
 		@Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
 		public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
 
 		@Parameter(names = "--shutdownPort", description = "Port for Shutdown Monitor to listen on. (port <= 0 will disable this monitor)")
 		public Integer shutdownPort = FILESETTINGS.getInteger(Keys.server.shutdownPort, 8081);
 
+		@Parameter(names = "--requireClientCertificates", description = "Require client X509 certificates for https connections.")
+		public Boolean requireClientCertificates = FILESETTINGS.getBoolean(Keys.server.requireClientCertificates, false);
+
 		/*
 		 * Setting overrides
 		 */

--
Gitblit v1.9.1