ArtifactorySearch

/*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2018 Nicolas Henneaux. All Rights Reserved.
 */
package org.owasp.dependencycheck.data.artifactory;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.UUID;

import javax.annotation.concurrent.ThreadSafe;

import org.apache.hc.core5.http.message.BasicHeader;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.Downloader;
import org.owasp.dependencycheck.utils.ResourceNotFoundException;
import org.owasp.dependencycheck.utils.Settings;
import org.owasp.dependencycheck.utils.TooManyRequestsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


/**
 * Class of methods to search Artifactory for hashes and determine Maven GAV
 * from there.
 *
 * Data classes copied from JFrog's artifactory-client-java project.
 *
 * @author nhenneaux
 */
@ThreadSafe
public class ArtifactorySearch {

    /**
     * Used for logging.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(ArtifactorySearch.class);

    /**
     * The URL for the Central service.
     */
    private final String rootURL;

    /**
     * Whether to use the Proxy when making requests.
     */
    private final boolean allowUsingProxy;


    /**
     * Creates a ArtifactorySearch for the given repository URL.
     *
     * @param settings the configured settings
     */
    public ArtifactorySearch(Settings settings) {

        final String searchUrl = settings.getString(Settings.KEYS.ANALYZER_ARTIFACTORY_URL);

        this.rootURL = searchUrl;
        LOGGER.debug("Artifactory Search URL {}", searchUrl);

        if (null != settings.getString(Settings.KEYS.PROXY_SERVER)) {
            this.allowUsingProxy = settings.getBoolean(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, false);
            LOGGER.debug("Using proxy configuration? {}", allowUsingProxy);
        } else {
            this.allowUsingProxy = settings.getBoolean(Settings.KEYS.ANALYZER_ARTIFACTORY_USES_PROXY, true);
            LOGGER.debug("Using default non-legacy proxy configuration");
        }

    }

    /**
     * Searches the configured Central URL for the given hash (MD5, SHA1 and
     * SHA256). If the artifact is found, a <code>MavenArtifact</code> is
     * populated with the GAV.
     *
     * @param dependency the dependency for which to search (search is based on
     * hashes)
     * @return the populated Maven GAV.
     * @throws FileNotFoundException if the specified artifact is not found
     * @throws IOException if it's unable to connect to the specified repository
     */
    public List<MavenArtifact> search(Dependency dependency) throws IOException {

        final String sha1sum = dependency.getSha1sum();
        final URL url = buildUrl(sha1sum);
        final StringBuilder msg = new StringBuilder("Could not connect to Artifactory at")
                .append(url);
        try {
            final BasicHeader artifactoryResultDetail = new BasicHeader("X-Result-Detail", "info");
            return Downloader.getInstance().fetchAndHandle(url, new ArtifactorySearchResponseHandler(dependency), List.of(artifactoryResultDetail),
                    allowUsingProxy);
        } catch (TooManyRequestsException e) {
            throw new IOException(msg.append(" (429): Too manu requests").toString(), e);
        } catch (URISyntaxException e) {
            throw new IOException(msg.append(" (400): Invalid URL").toString(), e);
        } catch (ResourceNotFoundException e) {
            throw new IOException(msg.append(" (404): Not found").toString(), e);
        }
    }

    /**
     * Constructs the URL using the SHA1 checksum.
     *
     * @param sha1sum the SHA1 checksum
     * @return the API URL to search for the given checksum
     * @throws MalformedURLException thrown if the URL is malformed
     */
    private URL buildUrl(String sha1sum) throws MalformedURLException {
        // TODO Investigate why sha256 parameter is not working
        // API defined https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-ChecksumSearch
        return new URL(rootURL + "/api/search/checksum?sha1=" + sha1sum);
    }

    /**
     * Performs a pre-flight request to ensure the Artifactory service is
     * reachable.
     *
     * @return <code>true</code> if Artifactory could be reached; otherwise
     * <code>false</code>.
     */
    public boolean preflightRequest() {
        URL url = null;
        try {
            url = buildUrl(Checksum.getSHA1Checksum(UUID.randomUUID().toString()));
            Downloader.getInstance().fetchContent(url, StandardCharsets.UTF_8);
            return true;
        } catch (IOException e) {
            LOGGER.error("Cannot connect to Artifactory", e);
            return false;
        } catch (TooManyRequestsException e) {
            LOGGER.warn("Expected 200 result from Artifactory ({}), got 429", url);
            return false;
        } catch (ResourceNotFoundException e) {
            LOGGER.warn("Expected 200 result from Artifactory ({}), got 404", url);
            return false;
        }

    }
}