Release 3.1.1 (#106)

Author: GreatG0ose

.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @unzerdev/merchantconnectivity

.github/workflows/maven.yml renamed to .github/workflows/unit.yml

@@ -1,7 +1,7 @@
 # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
 # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
 
-name: Java CI with Maven
+name: Unit tests
 
 on:
   pull_request:

CHANGELOG.md

@@ -6,6 +6,16 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres
 to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.1.1][3.1.1]
+
+This release updates dependencies with security issues
+
+### Changed
+
+* Upgraded Apache HttpClient from version 4 to version 5.
+* Made `HttpCommunicationException` unchecked exception.
+* Updated `jackson-core` dependency.
+
 ## [3.1.0][3.1.0]
 
 This release introduces Unzer PayPal Express in Java SDK.
@@ -315,6 +325,8 @@ This release brings Unzer Paylater Invoice payment type support to Java SDK.
 *   Remove deprecated classes
     *   RestCommunication
 
+[3.1.1]: http://github.com/unzerdev/java-sdk/compare/3.1.0..3.1.1
+
 [3.1.0]: http://github.com/unzerdev/java-sdk/compare/3.0.0..3.1.0
 
 [3.0.0]: http://github.com/unzerdev/java-sdk/compare/1.3.0.0..3.0.0

README.md

@@ -14,7 +14,7 @@ Java 1.8 or later.
 <dependency>
   <groupId>com.unzer.payment</groupId>
   <artifactId>java-sdk</artifactId>
-  <version>3.1.0</version>
+  <version>3.1.1</version>
 </dependency>
 ```
 

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.unzer.payment</groupId>
     <artifactId>java-sdk</artifactId>
-    <version>3.1.0</version>
+    <version>3.1.1</version>
     <name>Unzer Java SDK</name>
     <description>Unzer Java SDK provides an easy way to connect to the Unzer Rest API.</description>
     <url>https://docs.unzer.com/</url>
@@ -41,9 +41,9 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <additionalparam>-Xdoclint:none</additionalparam>
         <skip.dependency.check>true</skip.dependency.check>
-        <log4j.version>2.18.0</log4j.version>
-        <jackson.version>2.14.0-rc1</jackson.version>
-        <junit.version>5.9.0</junit.version>
+        <log4j.version>2.19.0</log4j.version>
+        <jackson.version>2.14.1</jackson.version>
+        <junit.version>5.9.1</junit.version>
         <system-stubs.version>2.0.1</system-stubs.version>
     </properties>
 
@@ -236,7 +236,6 @@
                             <excludes>
                                 <exclude>**/*.md</exclude>
                                 <exclude>**/*.xml</exclude>
-                                <exclude>selenium/**</exclude>
                                 <exclude>src/test/resources/**</exclude>
                                 <exclude>src/main/resources/**</exclude>
                             </excludes>
@@ -285,14 +284,12 @@
             <artifactId>jaxb-api</artifactId>
             <version>2.3.1</version>
         </dependency>
-
         <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
+            <groupId>org.apache.httpcomponents.client5</groupId>
+            <artifactId>httpclient5</artifactId>
+            <version>5.2.1</version>
         </dependency>
 
-
         <!-- Test dependencies       -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>

src/main/java/com/unzer/payment/AbstractPayment.java

@@ -38,6 +38,7 @@ public abstract class AbstractPayment implements PaymentType {
     private Metadata metadata;
     private String basketId;
     private Basket basket;
+    @Deprecated
     private transient Unzer unzer;
 
     @Deprecated

src/main/java/com/unzer/payment/communication/AbstractUnzerRestCommunication.java

@@ -24,12 +24,13 @@
 
 import javax.xml.bind.DatatypeConverter;
 import java.io.UnsupportedEncodingException;
+import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Locale;
 import java.util.Objects;
 
-import static org.apache.http.HttpHeaders.*;
+import static org.apache.hc.core5.http.HttpHeaders.*;
 
 /**
  * Template implementation of the {@code UnzerRestCommunication}. You should

src/main/java/com/unzer/payment/communication/HttpCommunicationException.java

@@ -18,7 +18,7 @@
 /**
  * Generic exception for HttpCommunication module
  */
-public class HttpCommunicationException extends Exception {
+public class HttpCommunicationException extends RuntimeException {
 
     private static final long serialVersionUID = 1L;
 

src/main/java/com/unzer/payment/communication/UnzerHttpRequest.java

@@ -16,6 +16,7 @@
 package com.unzer.payment.communication;
 
 import java.net.URI;
+import java.net.URISyntaxException;
 
 /**
  * Abstraction for any http-request executed by the
@@ -26,7 +27,7 @@ public interface UnzerHttpRequest {
 
     void addHeader(String header, String value);
 
-    URI getURI();
+    URI getURI() throws URISyntaxException;
 
     void setContent(String content, String encoding);
 

src/main/java/com/unzer/payment/communication/impl/HttpClientBasedHttpRequest.java

@@ -16,12 +16,13 @@
 package com.unzer.payment.communication.impl;
 
 import com.unzer.payment.communication.UnzerHttpRequest;
-import org.apache.http.HttpEntity;
-import org.apache.http.HttpEntityEnclosingRequest;
-import org.apache.http.client.methods.*;
-import org.apache.http.entity.StringEntity;
+import org.apache.hc.client5.http.classic.methods.*;
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.io.entity.StringEntity;
 
 import java.net.URI;
+import java.net.URISyntaxException;
 
 /**
  * Implementation of the {@code UnzerHttpRequest} wrapping an apache
@@ -35,19 +36,17 @@
  */
 public class HttpClientBasedHttpRequest implements UnzerHttpRequest {
 
-    protected HttpUriRequest request;
+    protected ClassicHttpRequest request;
     protected UnzerHttpMethod method;
 
     /**
      * Creates a {@code HttpClientBasedHttpRequest} wrapping a
      * {@code HttpUriRequest} defined by the given {@code UnzerHttpMethod}.
      *
-	 * @param uri
-	 *            - the RUI of the request
-	 * @param method
-	 *            - the {@code UnzerHttpMethod} representing one of
-	 *            {@code HttpGet}, {@code HttpPost}, {@code HttpPut},
-	 *            {@code HttpDelete}
+     * @param uri    - the RUI of the request
+     * @param method - the {@code UnzerHttpMethod} representing one of
+     *               {@code HttpGet}, {@code HttpPost}, {@code HttpPut},
+     *               {@code HttpDelete}
      */
     public HttpClientBasedHttpRequest(String uri, UnzerHttpMethod method) {
         this.method = method;
@@ -77,24 +76,28 @@ public void addHeader(String header, String value) {
     }
 
     /**
-	 * Returns the wrapped {@code HttpUriRequest} to be passed to the {@code HttpClient} within the {@code HttpClientBasedRestCommunication} implementation. 
-	 * @return - the the wrapped {@code HttpUriRequest}  
+     * Returns the wrapped {@code HttpUriRequest} to be passed to the {@code HttpClient} within the {@code HttpClientBasedRestCommunication} implementation.
+     *
+     * @return - the the wrapped {@code HttpUriRequest}
      */
-    public HttpUriRequest getRequest() {
+    public ClassicHttpRequest getRequest() {
         return request;
     }
 
     @Override
-    public URI getURI() {
-        return request.getURI();
+    public URI getURI() throws URISyntaxException {
+        return request.getUri();
     }
 
     @Override
     public void setContent(String content, String encoding) {
-        if (request instanceof HttpEntityEnclosingRequest) {
-            HttpEntity entity = new StringEntity(content, encoding);
-            ((HttpEntityEnclosingRequest) request).setEntity(entity);
-        }
+        StringEntity entity = new StringEntity(
+                content,
+                ContentType.APPLICATION_JSON,
+                encoding,
+                false
+        );
+        request.setEntity(entity);
     }
 
     @Override

src/main/java/com/unzer/payment/communication/impl/HttpClientBasedRestCommunication.java

@@ -19,36 +19,36 @@
 import com.unzer.payment.communication.HttpCommunicationException;
 import com.unzer.payment.communication.UnzerHttpRequest;
 import com.unzer.payment.communication.UnzerHttpResponse;
-import org.apache.http.ParseException;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.util.EntityUtils;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.core5.http.ParseException;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.util.Locale;
 
 /**
  * Reference implementation of the {@code UnzerRestCommunication}, based on apaches {@code HttpClient}.
- *
  */
 public class HttpClientBasedRestCommunication extends AbstractUnzerRestCommunication {
 
     private static final Logger logger = LogManager.getLogger(HttpClientBasedRestCommunication.class);
 
     public HttpClientBasedRestCommunication() {
-        this(null,null);
+        this(null, null);
     }
 
     public HttpClientBasedRestCommunication(Locale locale) {
         this(locale, null);
-	}
+    }
 
-	public HttpClientBasedRestCommunication(Locale locale, String clientIp) {
-		super(locale, clientIp);
+    public HttpClientBasedRestCommunication(Locale locale, String clientIp) {
+        super(locale, clientIp);
     }
 
     @Override
@@ -77,14 +77,28 @@ protected UnzerHttpResponse doExecute(UnzerHttpRequest request) throws HttpCommu
         if (!(request instanceof HttpClientBasedHttpRequest)) {
             throw new IllegalArgumentException("Request is not an instance of HttpClientBasedHttpRequest");
         }
-        CloseableHttpResponse response = null;
+
         try {
-            response = getHttpClient().execute(((HttpClientBasedHttpRequest) request).getRequest());
-            return new UnzerHttpResponse(EntityUtils.toString(response.getEntity()),
-                    response.getStatusLine().getStatusCode());
-        } catch (IOException |ParseException e) {
-            throw new HttpCommunicationException(
-                    "Error communicating to " + request.getURI() + ": Detail: " + e.getMessage());
+            request.getURI();
+        } catch (URISyntaxException e) {
+            throw new IllegalArgumentException("Request URI is not correct", e);
+        }
+
+        CloseableHttpResponse response = null;
+        try (CloseableHttpClient client = createClient()) {
+            response = client.execute(((HttpClientBasedHttpRequest) request).getRequest());
+            return new UnzerHttpResponse(EntityUtils.toString(response.getEntity()), response.getCode());
+        } catch (IOException | ParseException e) {
+            try {
+                throw new HttpCommunicationException(String.format(
+                        "Error communicating to %s: Detail: %s",
+                        request.getURI().toString(),
+                        e.getMessage()
+                ));
+            } catch (URISyntaxException ex) {
+                // happens never, because uri validation happens in the beginning of this method
+                throw new RuntimeException(ex);
+            }
         } finally {
             if (response != null) {
                 try {
@@ -96,7 +110,8 @@ protected UnzerHttpResponse doExecute(UnzerHttpRequest request) throws HttpCommu
         }
     }
 
-    private CloseableHttpClient getHttpClient() {
+    @Deprecated
+    private CloseableHttpClient createClient() {
         HttpClientBuilder builder = HttpClients.custom().useSystemProperties();
         return builder.build();
     }

src/main/java/com/unzer/payment/util/ApplePayAdapterUtil.java

@@ -17,15 +17,19 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.unzer.payment.ApplePaySession;
-import org.apache.http.HttpEntity;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.entity.ContentType;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.util.EntityUtils;
+import org.apache.hc.client5.http.classic.methods.HttpPost;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
+import org.apache.hc.client5.http.io.HttpClientConnectionManager;
+import org.apache.hc.client5.http.ssl.HttpsSupport;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.HttpEntity;
+import org.apache.hc.core5.http.ParseException;
+import org.apache.hc.core5.http.io.entity.EntityUtils;
+import org.apache.hc.core5.http.io.entity.StringEntity;
 
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
@@ -71,18 +75,26 @@ public static void setCustomAppleValidationUrls(List<String> appleUrls) {
         urls = new HashSet<>(appleUrls);
     }
 
-    public static String validateApplePayMerchant(String merchantValidationURL, ApplePaySession applePaySession, KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) throws IOException, NoSuchAlgorithmException, KeyManagementException, URISyntaxException {
+    public static String validateApplePayMerchant(
+            String merchantValidationURL,
+            ApplePaySession applePaySession,
+            KeyManagerFactory keyManagerFactory,
+            TrustManagerFactory trustManagerFactory
+    ) throws IOException, NoSuchAlgorithmException, KeyManagementException, URISyntaxException, ParseException {
         ObjectMapper mapper = new ObjectMapper();
         SSLConnectionSocketFactory sslsf = setupSSLSocketFactory(keyManagerFactory, trustManagerFactory);
         String response = "";
 
+
+        HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(sslsf).build();
+
         if (doesUrlContainValidDomainName(merchantValidationURL)) {
-            try (CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build()) {
+            try (CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build()) {
                 HttpPost post = new HttpPost(merchantValidationURL);
                 StringEntity reqEntity = new StringEntity(mapper.writeValueAsString(applePaySession), ContentType.APPLICATION_JSON);
                 post.setEntity(reqEntity);
 
-                CloseableHttpResponse res = httpclient.execute(post);
+                CloseableHttpResponse res = client.execute(post);
                 HttpEntity entity = res.getEntity();
                 response = EntityUtils.toString(entity, "UTF-8");
                 EntityUtils.consume(entity);
@@ -98,11 +110,14 @@ public static boolean doesUrlContainValidDomainName(String merchantValidationURL
         return urls.contains(merchantValidationUrlDomain);
     }
 
-    private static SSLConnectionSocketFactory setupSSLSocketFactory(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory) throws KeyManagementException, NoSuchAlgorithmException {
+    private static SSLConnectionSocketFactory setupSSLSocketFactory(
+            KeyManagerFactory keyManagerFactory,
+            TrustManagerFactory trustManagerFactory
+    ) throws KeyManagementException, NoSuchAlgorithmException {
         SSLContext sslcontext = SSLContext.getInstance("TLS");
         sslcontext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
 
-        return new SSLConnectionSocketFactory(sslcontext, new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
+        return new SSLConnectionSocketFactory(sslcontext, new String[]{"TLSv1.2"}, null, HttpsSupport.getDefaultHostnameVerifier());
     }
 
     private static String getPlainDomainName(String url) throws URISyntaxException {