Configure RestTemplates to properly use http proxy authentication

Author: J12934

build.gradle

@@ -17,6 +17,7 @@ dependencies {
     testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
 
     implementation group: 'org.springframework', name: 'spring-web', version: '5.3.9'
+    implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.13'
 
     implementation 'com.fasterxml.jackson.core:jackson-core:2.12.4'
     implementation 'com.fasterxml.jackson.core:jackson-annotations:2.12.4'

src/main/java/io/securecodebox/persistence/defectdojo/service/GenericDefectDojoService.java

@@ -25,10 +25,19 @@
 import io.securecodebox.persistence.defectdojo.exceptions.DefectDojoLoopException;
 import io.securecodebox.persistence.defectdojo.models.DefectDojoModel;
 import io.securecodebox.persistence.defectdojo.models.DefectDojoResponse;
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.ProxyAuthenticationStrategy;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.ResponseEntity;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -77,14 +86,39 @@ private HttpHeaders getDefectDojoAuthorizationHeaders() {
         return headers;
     }
 
+    protected RestTemplate getRestTemplate() {
+        if (System.getProperty("http.proxyUser") != null && System.getProperty("http.proxyPassword") != null) {
+            // Configuring Proxy Authentication explicitly as it isn't done by default for spring rest templates :(
+            CredentialsProvider credsProvider = new BasicCredentialsProvider();
+            credsProvider.setCredentials(
+                    new AuthScope(System.getProperty("http.proxyHost"), Integer.parseInt(System.getProperty("http.proxyPort"))),
+                    new UsernamePasswordCredentials(System.getProperty("http.proxyUser"), System.getProperty("http.proxyPassword"))
+            );
+            HttpClientBuilder clientBuilder = HttpClientBuilder.create();
+
+            clientBuilder.useSystemProperties();
+            clientBuilder.setProxy(new HttpHost(System.getProperty("http.proxyHost"), Integer.parseInt(System.getProperty("http.proxyPort"))));
+            clientBuilder.setDefaultCredentialsProvider(credsProvider);
+            clientBuilder.setProxyAuthenticationStrategy(new ProxyAuthenticationStrategy());
+
+            CloseableHttpClient client = clientBuilder.build();
+
+            HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory();
+            factory.setHttpClient(client);
+            return new RestTemplate(factory);
+        } else {
+            return new RestTemplate();
+        }
+    }
+
     protected abstract String getUrlPath();
 
     protected abstract Class<T> getModelClass();
 
     protected abstract DefectDojoResponse<T> deserializeList(String response) throws JsonProcessingException;
 
     public T get(long id) {
-        RestTemplate restTemplate = new RestTemplate();
+        var restTemplate = this.getRestTemplate();
         HttpEntity<String> payload = new HttpEntity<>(getDefectDojoAuthorizationHeaders());
 
         ResponseEntity<T> response = restTemplate.exchange(
@@ -98,7 +132,7 @@ public T get(long id) {
     }
 
     protected DefectDojoResponse<T> internalSearch(Map<String, Object> queryParams, long limit, long offset) throws JsonProcessingException, URISyntaxException {
-        RestTemplate restTemplate = new RestTemplate();
+        var restTemplate = this.getRestTemplate();
         HttpEntity<String> payload = new HttpEntity<>(getDefectDojoAuthorizationHeaders());
 
         var mutableQueryParams = new HashMap<String, Object>(queryParams);
@@ -135,7 +169,7 @@ public List<T> search(Map<String, Object> queryParams) throws URISyntaxException
 
             hasNext = response.getNext() != null;
             if (page > this.defectDojoConfig.getMaxPageCountForGets()) {
-                throw new DefectDojoLoopException("Found too many response object. Quitting after " + (page - 1)  + " paginated API pages of " + DEFECT_DOJO_OBJET_LIMIT + " each.");
+                throw new DefectDojoLoopException("Found too many response object. Quitting after " + (page - 1) + " paginated API pages of " + DEFECT_DOJO_OBJET_LIMIT + " each.");
             }
         } while (hasNext);
 
@@ -166,22 +200,22 @@ public Optional<T> searchUnique(Map<String, Object> queryParams) throws URISynta
     }
 
     public T create(T object) {
-        RestTemplate restTemplate = new RestTemplate();
+        var restTemplate = this.getRestTemplate();
         HttpEntity<T> payload = new HttpEntity<T>(object, getDefectDojoAuthorizationHeaders());
 
         ResponseEntity<T> response = restTemplate.exchange(this.defectDojoConfig.getUrl() + "/api/v2/" + getUrlPath() + "/", HttpMethod.POST, payload, getModelClass());
         return response.getBody();
     }
 
     public void delete(long id) {
-        RestTemplate restTemplate = new RestTemplate();
+        var restTemplate = this.getRestTemplate();
         HttpEntity<String> payload = new HttpEntity<>(getDefectDojoAuthorizationHeaders());
 
         restTemplate.exchange(this.defectDojoConfig.getUrl() + "/api/v2/" + getUrlPath() + "/" + id + "/", HttpMethod.DELETE, payload, String.class);
     }
 
     public T update(T object, long objectId) {
-        RestTemplate restTemplate = new RestTemplate();
+        var restTemplate = this.getRestTemplate();
         HttpEntity<T> payload = new HttpEntity<T>(object, getDefectDojoAuthorizationHeaders());
 
         ResponseEntity<T> response = restTemplate.exchange(this.defectDojoConfig.getUrl() + "/api/v2/" + getUrlPath() + "/" + objectId + "/", HttpMethod.PUT, payload, getModelClass());

src/main/java/io/securecodebox/persistence/defectdojo/service/ImportScanService.java

@@ -23,11 +23,20 @@
 import io.securecodebox.persistence.defectdojo.exceptions.DefectDojoPersistenceException;
 import io.securecodebox.persistence.defectdojo.models.ScanFile;
 import lombok.Data;
+import org.apache.http.HttpHost;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.http.client.CredentialsProvider;
+import org.apache.http.impl.client.BasicCredentialsProvider;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.impl.client.ProxyAuthenticationStrategy;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
+import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.http.converter.FormHttpMessageConverter;
 import org.springframework.http.converter.ResourceHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
@@ -41,91 +50,116 @@
 
 public class ImportScanService {
 
-  protected String defectDojoUrl;
-  protected String defectDojoApiKey;
-
-  public ImportScanService(DefectDojoConfig config){
-    this.defectDojoUrl = config.getUrl();
-    this.defectDojoApiKey = config.getApiKey();
-  }
-
-  /**
-   * @return The DefectDojo Authentication Header
-   */
-  private HttpHeaders getDefectDojoAuthorizationHeaders() {
-    HttpHeaders headers = new HttpHeaders();
-    headers.set("Authorization", "Token " + defectDojoApiKey);
-    return headers;
-  }
-
-  /**
-   * Before version 1.5.4. testName (in DefectDojo _test_type_) must be defectDojoScanName, afterwards, you can have somethings else
-   */
-  protected ImportScanResponse createFindings(ScanFile scanFile, String endpoint, long lead, String currentDate, ScanType scanType, long testType, MultiValueMap<String, Object> options) {
-    RestTemplate restTemplate = new RestTemplate();
-    HttpHeaders headers = getDefectDojoAuthorizationHeaders();
-    headers.setContentType(MediaType.MULTIPART_FORM_DATA);
-    restTemplate.setMessageConverters(List.of(
-      new FormHttpMessageConverter(),
-      new ResourceHttpMessageConverter(),
-      new MappingJackson2HttpMessageConverter())
-    );
-
-    MultiValueMap<String, Object> mvn = new LinkedMultiValueMap<>();
-
-    mvn.add("lead", Long.toString(lead));
-    mvn.add("scan_date", currentDate);
-    mvn.add("scan_type", scanType.getTestType());
-    mvn.add("close_old_findings", "true");
-    mvn.add("skip_duplicates", "false");
-    mvn.add("test_type", String.valueOf(testType));
-
-    for (String theKey : options.keySet()) {
-      mvn.remove(theKey);
+    protected String defectDojoUrl;
+    protected String defectDojoApiKey;
+
+    public ImportScanService(DefectDojoConfig config) {
+        this.defectDojoUrl = config.getUrl();
+        this.defectDojoApiKey = config.getApiKey();
+    }
+
+    /**
+     * @return The DefectDojo Authentication Header
+     */
+    private HttpHeaders getDefectDojoAuthorizationHeaders() {
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("Authorization", "Token " + defectDojoApiKey);
+        return headers;
+    }
+
+    protected RestTemplate getRestTemplate() {
+        if (System.getProperty("http.proxyUser") != null && System.getProperty("http.proxyPassword") != null) {
+            // Configuring Proxy Authentication explicitly as it isn't done by default for spring rest templates :(
+            CredentialsProvider credsProvider = new BasicCredentialsProvider();
+            credsProvider.setCredentials(
+                    new AuthScope(System.getProperty("http.proxyHost"), Integer.parseInt(System.getProperty("http.proxyPort"))),
+                    new UsernamePasswordCredentials(System.getProperty("http.proxyUser"), System.getProperty("http.proxyPassword"))
+            );
+            HttpClientBuilder clientBuilder = HttpClientBuilder.create();
+
+            clientBuilder.useSystemProperties();
+            clientBuilder.setProxy(new HttpHost(System.getProperty("http.proxyHost"), Integer.parseInt(System.getProperty("http.proxyPort"))));
+            clientBuilder.setDefaultCredentialsProvider(credsProvider);
+            clientBuilder.setProxyAuthenticationStrategy(new ProxyAuthenticationStrategy());
+
+            CloseableHttpClient client = clientBuilder.build();
+
+            HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory();
+            factory.setHttpClient(client);
+            return new RestTemplate(factory);
+        } else {
+            return new RestTemplate();
+        }
     }
-    mvn.addAll(options);
 
-    try {
-      ByteArrayResource contentsAsResource = new ByteArrayResource(scanFile.getContent().getBytes(StandardCharsets.UTF_8)) {
-        @Override
-        public String getFilename() {
-          return scanFile.getName();
+    /**
+     * Before version 1.5.4. testName (in DefectDojo _test_type_) must be defectDojoScanName, afterwards, you can have somethings else
+     */
+    protected ImportScanResponse createFindings(ScanFile scanFile, String endpoint, long lead, String currentDate, ScanType scanType, long testType, MultiValueMap<String, Object> options) {
+        var restTemplate = this.getRestTemplate();
+        HttpHeaders headers = getDefectDojoAuthorizationHeaders();
+        headers.setContentType(MediaType.MULTIPART_FORM_DATA);
+        restTemplate.setMessageConverters(List.of(
+                new FormHttpMessageConverter(),
+                new ResourceHttpMessageConverter(),
+                new MappingJackson2HttpMessageConverter())
+        );
+
+        MultiValueMap<String, Object> mvn = new LinkedMultiValueMap<>();
+
+        mvn.add("lead", Long.toString(lead));
+        mvn.add("scan_date", currentDate);
+        mvn.add("scan_type", scanType.getTestType());
+        mvn.add("close_old_findings", "true");
+        mvn.add("skip_duplicates", "false");
+        mvn.add("test_type", String.valueOf(testType));
+
+        for (String theKey : options.keySet()) {
+            mvn.remove(theKey);
         }
-      };
+        mvn.addAll(options);
 
-      mvn.add("file", contentsAsResource);
+        try {
+            ByteArrayResource contentsAsResource = new ByteArrayResource(scanFile.getContent().getBytes(StandardCharsets.UTF_8)) {
+                @Override
+                public String getFilename() {
+                    return scanFile.getName();
+                }
+            };
 
-      var payload = new HttpEntity<>(mvn, headers);
+            mvn.add("file", contentsAsResource);
 
-      return restTemplate.exchange(defectDojoUrl + "/api/v2/" + endpoint + "/", HttpMethod.POST, payload, ImportScanResponse.class).getBody();
-    } catch (HttpClientErrorException e) {
-      throw new DefectDojoPersistenceException("Failed to attach findings to engagement.");
+            var payload = new HttpEntity<>(mvn, headers);
+
+            return restTemplate.exchange(defectDojoUrl + "/api/v2/" + endpoint + "/", HttpMethod.POST, payload, ImportScanResponse.class).getBody();
+        } catch (HttpClientErrorException e) {
+            throw new DefectDojoPersistenceException("Failed to attach findings to engagement.");
+        }
     }
-  }
 
-  public ImportScanResponse importScan(ScanFile scanFile, long engagementId, long lead, String currentDate, ScanType scanType, long testType) {
-    var additionalValues = new LinkedMultiValueMap<String, Object>();
-    additionalValues.add("engagement", Long.toString(engagementId));
+    public ImportScanResponse importScan(ScanFile scanFile, long engagementId, long lead, String currentDate, ScanType scanType, long testType) {
+        var additionalValues = new LinkedMultiValueMap<String, Object>();
+        additionalValues.add("engagement", Long.toString(engagementId));
 
-    return this.createFindings(scanFile, "import-scan", lead, currentDate, scanType, testType, additionalValues);
-  }
+        return this.createFindings(scanFile, "import-scan", lead, currentDate, scanType, testType, additionalValues);
+    }
 
-  public ImportScanResponse reimportScan(ScanFile scanFile, long testId, long lead, String currentDate, ScanType scanType, long testType) {
-    var additionalValues = new LinkedMultiValueMap<String, Object>();
-    additionalValues.add("test", Long.toString(testId));
+    public ImportScanResponse reimportScan(ScanFile scanFile, long testId, long lead, String currentDate, ScanType scanType, long testType) {
+        var additionalValues = new LinkedMultiValueMap<String, Object>();
+        additionalValues.add("test", Long.toString(testId));
 
-    return this.createFindings(scanFile, "reimport-scan", lead, currentDate, scanType, testType, additionalValues);
-  }
+        return this.createFindings(scanFile, "reimport-scan", lead, currentDate, scanType, testType, additionalValues);
+    }
 
-  @Data
-  public static class ImportScanResponse {
-    @JsonProperty
-    protected Boolean verified;
+    @Data
+    public static class ImportScanResponse {
+        @JsonProperty
+        protected Boolean verified;
 
-    @JsonProperty
-    protected Boolean active;
+        @JsonProperty
+        protected Boolean active;
 
-    @JsonProperty("test")
-    protected long testId;
-  }
+        @JsonProperty("test")
+        protected long testId;
+    }
 }