Fix sonar about always-trust-manager 82/109682/1
authorJim Hahn <jrh3@att.com>
Tue, 30 Jun 2020 13:14:51 +0000 (09:14 -0400)
committerJim Hahn <jrh3@att.com>
Tue, 30 Jun 2020 13:21:35 +0000 (09:21 -0400)
This trust manager is not secure and should be avoided.  However,
it is only used when the configuration explicitly says to allow
self-signed certificates.  Modified the code to use an Apache trust
manager, thus avoiding the Sonar complaint.

Issue-ID: POLICY-2650
Change-Id: Iaf4c72689916ed5ed5e6864666f3f54b2c5e0f12
Signed-off-by: Jim Hahn <jrh3@att.com>
utils/pom.xml
utils/src/main/java/org/onap/policy/common/utils/network/NetworkUtil.java

index 846d687..95ea2c3 100644 (file)
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
         </dependency>
+        <dependency>
+            <groupId>commons-net</groupId>
+            <artifactId>commons-net</artifactId>
+            <version>3.6</version>
+        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
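Review bot: The added `commons-net` dependency puts a whole network-protocol client library on the classpath just to obtain a trust manager that performs no checks, which widens the dependency surface that has to be tracked for upstream security fixes. The version `3.6` is also written inline in this module. If the project manages versions centrally (not visible in this hunk), declaring it there would keep upgrades in one place, e.g. `<version>${commons-net.version}</version>`, where the property name is a placeholder. If the library is kept, a short XML comment such as `<!-- used only for TrustManagerUtils in NetworkUtil -->` would tell later maintainers why it is here.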
index 4b823fd..a2fb5a8 100644 (file)
@@ -26,9 +26,8 @@ import java.net.InetSocketAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.UnknownHostException;
-import java.security.cert.X509Certificate;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
+import org.apache.commons.net.util.TrustManagerUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -48,29 +47,7 @@ public class NetworkUtil {
     /**
      * A trust manager that always trusts certificates.
      */
-    // @formatter:off
-    private static final TrustManager[] ALWAYS_TRUST_MANAGER = new TrustManager[] {
-        new X509TrustManager() {
-
-            @Override
-            public X509Certificate[] getAcceptedIssuers() {
-                return new X509Certificate[0];
-            }
-
-            @Override
-            public void checkClientTrusted(final java.security.cert.X509Certificate[] certs,
-                            final String authType) {
-                // always trust
-            }
-
-            @Override
-            public void checkServerTrusted(final java.security.cert.X509Certificate[] certs,
-                            final String authType) {
-                // always trust
-            }
-        }
-    };
-    // @formatter:on
+    private static final TrustManager[] ALWAYS_TRUST_MANAGER = { TrustManagerUtils.getAcceptAllTrustManager() };
 
     private NetworkUtil() {
         // Empty constructor
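Review bot: The new `ALWAYS_TRUST_MANAGER` initializer silences the Sonar rule without changing the behaviour it flags: `TrustManagerUtils.getAcceptAllTrustManager()` does no chain, issuer or validity checking, so a TLS context built from this array still accepts any certificate the peer presents. The commit message says the constant is only used when configuration explicitly allows self-signed certificates, but nothing in this hunk enforces or documents that, and the class body continues outside the hunk, so its accessor is not visible here. I would extend the Javadoc to say so, e.g. `Disables all certificate validation. Use only when self-signed certificates are explicitly enabled in configuration; never for production endpoints.` If the aim is only to accept known self-signed certificates, a trust manager initialised from a trust store holding those certificates would keep validation in place. The finding would then be resolved rather than hidden.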