2021.2 patch 5 Release

perforce · Jul 21, 2022 · 6574683 · 6574683
1 parent 0d2d07c
commit 6574683
Show file tree

Hide file tree

Showing 10 changed files with 540 additions and 55 deletions.
diff --git a/RELEASE.md b/RELEASE.md
@@ -1,7 +1,7 @@
                             Release Notes for
                        P4Java, the Perforce Java API
 
-                              Version 2021.2 Patch 3
+                              Version 2021.2 Patch 5
 
 Introduction
 
@@ -120,6 +120,42 @@ Known Limitations
 
 	  <java-home>/lib/security/local_policy.jar
 	  <java-home>/lib/security/US_export_policy.jar
+	  
+-------------------------------------------
+Updates in 2021.2 Patch 5
+
+    #2299942 (Job #108736)
+        P4TRUST is no longer required for SSL connections where the server
+	    provides a certificate that's not self-signed and the certificate 
+	    chain can be verified by the client.  If verified, P4TRUST is 
+	    not required.
+	    
+	    The default java truststore is used unless you specify an 
+	    alternative truststore with java system properties
+	    javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword
+	    
+	    Chain Validation can be disabled using p4java property 
+	    secureClientCertValidate set to 0 which does P4TRUST only.
+	    Setting to 2 will skip Chain validation and will ensure
+	    the server certificates' subject or subject alternate names
+	    match the hostname in the server URI.  The default of 1 will 
+	    validate the chain.  Both 1 and 2 fallback to P4TRUST if
+	    the chain cannot be validated.
+	    
+	    Fingerprints will now read and write the hostname in
+	    addition to the IP in the P4TRUST file.  Set the p4java property
+	    secureClientTrustName to 0 to only write the IP.  The default of
+	    1 writes entries for both the IP and hostname.  A value of 2
+	    will only write the hostname.   A matching fingerprint for either
+	    the IP or hostname will establish trust.
+	    
+	          
+-------------------------------------------
+Updates in 2021.2 Patch 4
+
+    #2286431 (Job #099302)
+        Fixed parallel sync authetication issue on case insensitive servers.
+        Fixes JENKINS-48525 and JENKINS-68104.
 
 -------------------------------------------
 Updates in 2021.2 Patch 3
@@ -128,7 +164,7 @@ Updates in 2021.2 Patch 3
         Fixed parallel sync batchsize.
 
 	#2277668 (Job #110201)
-		Parallel sync now passes charset to parallel threads.
+        Parallel sync now passes charset to parallel threads.
 
 -------------------------------------------
 Updates in 2021.2 Patch 2

diff --git a/src/main/java/com/perforce/p4java/impl/generic/core/DefaultParallelSync.java b/src/main/java/com/perforce/p4java/impl/generic/core/DefaultParallelSync.java
@@ -75,13 +75,14 @@ public void run() {
 
 					server.setCurrentServerInfo(cmdEnv.getServer().getCurrentServerInfo());
 					server.setUserName(cmdEnv.getServer().getUserName());
-					server.setAuthTicket(cmdEnv.getServer().getAuthTicket());
 					server.setCurrentClient(cmdEnv.getServer().getCurrentClient());
 					server.setWorkingDirectory(cmdEnv.getServer().getWorkingDirectory());
 					server.setTrustFilePath(cmdEnv.getServer().getTrustFilePath());
 					server.setTicketsFilePath(cmdEnv.getServer().getTicketsFilePath());
 					server.setCharsetName(cmdEnv.getServer().getCharsetName());
 					server.connect();
+					// P4JAVA-1264:  must call setAuthTicket() after connect() to properly cache the ticket.
+					server.setAuthTicket(cmdEnv.getServer().getAuthTicket());
 
 					//pass the result to the handle result
 					Map<String, Object>[] results = server.execMapCmd("transmit", args.toArray(new String[]{}), null);

diff --git a/src/main/java/com/perforce/p4java/impl/mapbased/rpc/NtsServerImpl.java b/src/main/java/com/perforce/p4java/impl/mapbased/rpc/NtsServerImpl.java
@@ -1,5 +1,5 @@
-/**
- * 
+/*
+ * Copyright 2009 - 2022 Perforce Software Inc., All Rights Reserved.
  */
 package com.perforce.p4java.impl.mapbased.rpc;
 
@@ -614,8 +614,9 @@ protected ExternalEnv setupCmd(String cmdName, String[] cmdArgs,
 		// Should use tags?
 		boolean useTags = useTags(cmdName, cmdArgs, inMap, isStream);
 
-		// Check fingerprint
-		checkFingerprint(rpcConnection);
+		// Check certificate chain and/or fingerprint.
+		// An exception (ConnectionException) is thrown if ssl but not trusted.
+		trustConnectionCheck(rpcConnection);
 
 		ExternalEnv env = new ExternalEnv(
 					this.getUsageOptions().getProgramName(),
@@ -749,4 +750,5 @@ public IServerAddress getServerAddressDetails() {
 
 		return builder.build();
 	}
+
 }
diff --git a/src/main/java/com/perforce/p4java/impl/mapbased/rpc/OneShotServerImpl.java b/src/main/java/com/perforce/p4java/impl/mapbased/rpc/OneShotServerImpl.java
@@ -1,5 +1,5 @@
-/**
- * 
+/*
+ * Copyright 2009 - 2022 Perforce Software Inc., All Rights Reserved.
  */
 package com.perforce.p4java.impl.mapbased.rpc;
 
@@ -604,9 +604,10 @@ protected ExternalEnv setupCmd(RpcPacketDispatcher dispatcher,
 
 		// Should use tags?
 		boolean useTags = useTags(cmdName, cmdArgs, inMap, isStream);
-
-		// Check fingerprint
-		checkFingerprint(rpcConnection);
+
+		// Check certificate chain and/or fingerprint.
+		// An exception (ConnectionException) is thrown if ssl but not trusted.
+		trustConnectionCheck(rpcConnection);
 
 		ExternalEnv env = new ExternalEnv(
 					this.getUsageOptions().getProgramName(),
@@ -694,6 +695,7 @@ protected ExternalEnv setupCmd(RpcPacketDispatcher dispatcher,
 		return env;
 	}
 
+
 	/**
 	 * Get server address object
 	 * 

diff --git a/src/main/java/com/perforce/p4java/impl/mapbased/rpc/RpcPropertyDefs.java b/src/main/java/com/perforce/p4java/impl/mapbased/rpc/RpcPropertyDefs.java
@@ -200,6 +200,38 @@ public class RpcPropertyDefs {
 	 */
 	public static final String RPC_DEFAULT_SECURE_SOCKET_PROTOCOL = "TLS";
 
+	/**
+	 * Client Certificate validation Method, corresponds to p4api ssl.client.cert.validate
+	 * <p>
+	 * 0:   always use the P4TRUST mechanism.   This is pre 2022.1 behavior.<br/>
+	 * 1:   validate the certificate chain (default)<br/>
+	 * 2:   validate the subject matches the P4PORT.     The chain is not validated. but the CN of the
+	 * certificate is compared to the host in the P4PORT.<br/>
+	 */
+	public static final String RPC_SECURE_CLIENT_CERT_VALIDATE_NICK = "secureClientCertValidate";
+
+
+	/**
+	 * Default for Certificate validation Method
+	 */
+	public static final int RPC_DEFAULT_SECURE_CLIENT_CERT_VALIDATE = 1;
+
+	/**
+	 * P4TRUST file entries, corresponds to p4api ssl.client.trust.name
+	 * <br/>
+	 * 0:   Only IP address    This is pre 2022.1 behavior.<br/>
+	 * 1:   both IP and hostname (default)<br/>
+	 * 2:   Only hostname     The chain is not validated. but the CN of the
+	 * certificate is compared to the host in the P4PORT.<br/>
+	 */
+	public static final String RPC_SECURE_CLIENT_TRUST_NAME_NICK = "secureClientCertValidate";
+
+
+	/**
+	 * Default for Certificate validation Method
+	 */
+	public static final int RPC_DEFAULT_SECURE_CLIENT_TRUST_NAME = 1;
+
 	/**
 	 * If this property is set and equals "false", do not attempt to set enabled
 	 * protocol versions (SSLSocket.setEnabledProtocols()) for the connection