Merge pull request #511 from cloudant/okhttp-3.12.12

Limitations of customSSLSocketFactory and disableSSLAuthentication

Author: ricellis

CHANGES.md

@@ -1,6 +1,7 @@
 # Unreleased
 - [FIXED] Connection leak regression introduced in 2.18.0 caused by not closing streams from
   successful session response bodies.
+- [UPGRADED] Optional OkHttp dependency to version 3.12.12.
 
 # 2.19.0 (2020-03-02)
 - [NEW] Add getter for total row count to `AllDocsResponse`

README.md

@@ -30,7 +30,7 @@ Gradle with [optional `okhttp-urlconnection` dependency](#optional-okhttp-depend
 ```groovy
 dependencies {
     compile group: 'com.cloudant', name: 'cloudant-client', version: '2.19.0'
-    compile group: 'com.squareup.okhttp3', name: 'okhttp-urlconnection', version: '3.12.5'
+    compile group: 'com.squareup.okhttp3', name: 'okhttp-urlconnection', version: '3.12.12'
 }
 ```
 
@@ -55,7 +55,7 @@ Maven with [optional `okhttp-urlconnection` dependency](#optional-okhttp-depende
 <dependency>
   <groupId>com.squareup.okhttp3</groupId>
   <artifactId>okhttp-urlconnection</artifactId>
-  <version>3.12.5</version>
+  <version>3.12.12</version>
 </dependency>
 ~~~
 
@@ -68,6 +68,10 @@ The main use case that is supported by this optional dependency is configuration
 ([see the javadoc](http://www.javadoc.io/doc/com.cloudant/cloudant-client/) for ClientBuilder.maxConnections). If the OkHttp dependency is
 available at runtime it will be used automatically. Not using OkHttp will result in a smaller application size.
 
+**Note:** The configuration options `ClientBuilder.customSSLSocketFactory` and
+`ClientBuilder.disableSSLAuthentication` are not usable with the combination of the optional OkHttp
+dependency and Java versions of 8u252 or newer.
+
 ## Getting Started
 
 This section contains a simple example of creating a `com.cloudant.client.api.CloudantClient` instance and interacting with Cloudant.

cloudant-client/build.gradle

@@ -20,7 +20,7 @@ dependencies {
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.1.0'
     testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.1.0'
     testCompile group: 'org.hamcrest', name: 'hamcrest-library', version: '1.3'
-    testCompile group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '3.12.5'
+    testCompile group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '3.12.12'
     testCompile group: 'org.jmockit', name: 'jmockit', version: '1.34'
     testCompile group: 'org.littleshoot', name: 'littleproxy', version: '1.1.0'
 }

cloudant-client/src/main/java/com/cloudant/client/api/ClientBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -514,6 +514,9 @@ public ClientBuilder proxyPassword(String proxyPassword) {
      * The SSL authentication is enabled by default meaning that hostname verification
      * and certificate chain validation is done using the JVM default settings.
      * </P>
+     * <P>
+     * <B>Not supported with Java 8u252 or newer and the optional OkHttp dependency.</B>
+     * </P>
      *
      * @return this ClientBuilder object for setting additional options
      * @throws IllegalStateException if {@link #customSSLSocketFactory(SSLSocketFactory)}
@@ -534,6 +537,9 @@ public ClientBuilder disableSSLAuthentication() {
     /**
      * Specifies the custom SSLSocketFactory to use when connecting to Cloudant over a
      * <code>https</code> URL, when SSL authentication is enabled.
+     * <P>
+     * <B>Not supported with Java 8u252 or newer and the optional OkHttp dependency.</B>
+     * </P>
      *
      * @param factory An SSLSocketFactory, or <code>null</code> for the
      *                default SSLSocketFactory of the JRE.

cloudant-client/src/test/java/com/cloudant/tests/CloudFoundryServiceTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2016, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2016, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -24,6 +24,7 @@
 import com.cloudant.client.api.ClientBuilder;
 import com.cloudant.client.api.CloudantClient;
 import com.cloudant.tests.extensions.MockWebServerExtension;
+import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
 import com.google.gson.GsonBuilder;
 
@@ -63,6 +64,11 @@ public class CloudFoundryServiceTest {
 
     @BeforeEach
     public void beforeEach() {
+        // Default test running uses OkHttp because it is in the classpath
+        // These tests need to use disableSSLAuthentication because the mock server https does not
+        // have a trusted certificate. That option is not valid with OkHttp and Java 8_252 or newer
+        // but we want to run these tests, so use the OkHelperMock to disable OkHttp.
+        new HttpFactoryParameterizedTest.OkHelperMock();
         server = mockWebServerExt.get();
         server.useHttps(MockWebServerResources.getSSLSocketFactory(), false);
         mockServerHostPort = String.format("%s:%s/", server.getHostName(), server.getPort());

cloudant-client/src/test/java/com/cloudant/tests/HttpProxyTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -23,6 +23,7 @@
 import com.cloudant.tests.extensions.MockWebServerExtension;
 import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
+import com.cloudant.tests.util.Utils;
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -300,6 +301,10 @@ public void proxiedRequest(final boolean okUsable,
                                final boolean useHttpsServer,
                                final boolean useProxyAuth) throws Exception {
 
+        // Test uses disableSSLAuthentication because the mock server doesn't have a trusted cert
+        // - need to disable the test for OkHttp and Java 8_252 or newer
+        Utils.assumeCustomSslAuthUsable(okUsable);
+
         //mock a 200 OK
         server.setDispatcher(new Dispatcher() {
             @Override

cloudant-client/src/test/java/com/cloudant/tests/SslAuthenticationTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -24,6 +24,7 @@
 import com.cloudant.tests.extensions.MockWebServerExtension;
 import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
+import com.cloudant.tests.util.Utils;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.TestTemplate;
@@ -136,7 +137,8 @@ private static void validateClientAuthenticationException(CouchDbException e) {
      */
     @TestTemplate
     public void localSslAuthenticationDisabled() throws Exception {
-
+        // disableSSLAuthentication not usable with OkHttp and 8_252 or newer
+        Utils.assumeCustomSslAuthUsable(isOkUsable);
         // Build a client that connects to the mock server with SSL authentication disabled
         CloudantClient dbClient = CloudantClientHelper.newMockWebServerClientBuilder(server)
                 .disableSSLAuthentication()
@@ -251,7 +253,8 @@ public void execute() throws Throwable {
      */
     @TestTemplate
     public void localSSLAuthenticationDisabledWithCookieAuth() throws Exception {
-
+        // disableSSLAuthentication not usable with OkHttp and 8_252 or newer
+        Utils.assumeCustomSslAuthUsable(isOkUsable);
         // Mock up an OK cookie response then an OK response for the getAllDbs()
         server.enqueue(MockWebServerResources.OK_COOKIE);
         server.enqueue(new MockResponse()); //OK 200

cloudant-client/src/test/java/com/cloudant/tests/util/HttpFactoryParameterizedTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2016, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2016, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -37,7 +37,7 @@ public abstract class HttpFactoryParameterizedTest extends TestWithDbPerClass {
      * A mock OkHelper that always returns false to force use of the JVM HttpURLConnection
      * via the {@link DefaultHttpUrlConnectionFactory}
      */
-    static class OkHelperMock extends MockUp<OkHelper> {
+    public static class OkHelperMock extends MockUp<OkHelper> {
         @Mock
         public static boolean isOkUsable() {
             return false;

cloudant-client/src/test/java/com/cloudant/tests/util/Utils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -35,6 +35,8 @@
 import com.cloudant.http.HttpConnectionInterceptorContext;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
 
+import org.junit.jupiter.api.Assumptions;
+
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.net.URI;
@@ -225,4 +227,34 @@ public static void assertOKResponse(Response r) throws Exception {
         assertTrue(r.getStatusCode()
                 / 100 == 2, "The response code should be 2XX was " + r.getStatusCode());
     }
+
+    /**
+     * Utility to ignore tests when running with optional OkHttp dependency and Java 8_252 or newer.
+     * This should be applied to any test that uses the customSSLSocketFactory or
+     * disableSSLAuthentication options.
+     *
+     * These options cannot be used with OkHttp and Java 8_252 or newer
+     * (see https://github.com/square/okhttp/issues/5970.
+     * OkHttp treats 8_252 and newer as equivalent to 9+ because of the availability of ALPN
+     * support. In 9+ reflection cannot be used to infer the TrustManager from the SslSocketFactory
+     * so setting the SslSocketFactory without a TrustManager is prevented. This blocks the route we
+     * currently use to supply custom SslSocketFactory via the deprecated OkHttp OkUrlFactory path
+     * via javax.net.ssl.HttpsURLConnection#setSSLSocketFactory(javax.net.ssl.SSLSocketFactory).
+     *
+     */
+    public static void assumeCustomSslAuthUsable(boolean isOkUsable) {
+        String version = System.getProperty("java.version");
+        boolean java8_252OrHigher = false;
+        // Java 1.8 or lower, 9+ are 9, 10 etc
+        if (version.startsWith("1.")) {
+            if (version.startsWith("1.8.")) {
+                int update = Integer.parseInt(version.split("_")[1]);
+                if (update >= 252) java8_252OrHigher = true;
+            }
+        } else {
+            java8_252OrHigher = true;
+        }
+        Assumptions.assumeFalse(isOkUsable && java8_252OrHigher, "Test uses custom " +
+                "SslSocketFactory, incompatible with OkHttp and Java 8_252 or newer.");
+    }
 }

cloudant-http/build.gradle

@@ -15,7 +15,7 @@
 dependencies {
     compile group: 'commons-io', name: 'commons-io', version: '2.4'
     //needed to compile, but optional for consumers of java-cloudant
-    compile(group: 'com.squareup.okhttp3', name: 'okhttp-urlconnection', version: '3.12.5') {
+    compile(group: 'com.squareup.okhttp3', name: 'okhttp-urlconnection', version: '3.12.12') {
         ext.optional = true
     }
 }