-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: allow http calls when checking Certificate Revocation List (WPB-6493) #2491
Conversation
Test Results2 271 tests - 636 2 221 ✔️ - 564 14s ⏱️ - 2m 20s Results for commit a634d73. ± Comparison against base commit fff203c. This pull request removes 2907 and adds 2271 tests. Note that renamed tests count towards both.
This pull request removes 122 skipped tests and adds 50 skipped tests. Note that renamed tests count towards both.
♻️ This comment has been updated with latest results. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perfect 🔥
@@ -35,8 +39,15 @@ private object OkHttpSingleton { | |||
.writeTimeout(WEBSOCKET_TIMEOUT, TimeUnit.MILLISECONDS) | |||
}.connectionSpecs(supportedConnectionSpecs()).build() | |||
} | |||
private val clearTextTrafficClient by lazy { | |||
OkHttpClient.Builder().apply { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please do not create multiple instances of okHttp you can reuse the same one that is already in the singleton
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something like
fun buildClearTextTrafficOkhttpClient(): OkHttpClient = OkHttpSingleton.createNew {
connectionSpecs(listOf(ConnectionSpec.CLEARTEXT))
}
and the private val clearTextTrafficClient by lazy {
can be deleted
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The current okHttp client has RESTRICTED_TLS
spec, I created another one that have CLEARTEXT
spec to allow HTTP connection
Datadog ReportAll test runs ✅ 2 Total Test Services: 0 Failed, 2 Passed Test Services
|
@@ -103,5 +103,9 @@ private fun OkHttpClient.Builder.ignoreAllSSLErrors() { | |||
|
|||
fun supportedConnectionSpecs(): List<ConnectionSpec> { | |||
val wireSpec = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS).build() | |||
return listOf(wireSpec, ConnectionSpec.CLEARTEXT) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ConnectionSpec.CLEARTEXT
was already added, so not sure why the new Http client is needed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
because wireSpec has RESTRICTED_TLS
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which will only allow connections through HTTPS
…l' into allow_http_call_when_checking_crl
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## develop #2491 +/- ##
=============================================
- Coverage 58.41% 58.38% -0.03%
Complexity 21 21
=============================================
Files 1172 1172
Lines 45313 45332 +19
Branches 4286 4287 +1
=============================================
- Hits 26470 26468 -2
- Misses 16920 16940 +20
- Partials 1923 1924 +1
... and 3 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
|
…-6493) (#2491) * feat: allow http calls when checking Certificate Revocation List * chore: detekt * chore: unit test * fix: use of okhttp sharedClient instead of creating a new one * chore: unit test * chore: unit test * chore: add missing function for ios target --------- Co-authored-by: Mojtaba Chenani <chenani@outlook.com>
PR Submission Checklist for internal contributors
The PR Title
SQPIT-764
The PR Description
What's new in this PR?
Issues
We need to verify certificates by fetching Certificate Revocation List. This CRL can only be called on HTTP, it's already signed by the issuer so there is no security issue.
BUT by default, Android OS does not allow HTTP calls and throw an exception for that.
Solutions
In AndroidManifest, I allowed
usesCleartextTraffic
and created in a new okhttp client that could be use on HTTP.Others calls are still called on HTTPS as we
okhttpClient
withConnectionSpec.RESTRICTED_TLS
Needs releases with:
Testing
Test Coverage (Optional)
PR Post Submission Checklist for internal contributors (Optional)
PR Post Merge Checklist for internal contributors
References
feat(conversation-list): Sort conversations by most emojis in the title #SQPIT-764
.