Pass through connection builder to token requests

jevakallio · jevakallio · commit 9d82377f2382 · 2018-02-20T16:42:32.000Z
diff --git a/android/src/main/java/com/reactlibrary/ConnectionBuilderForTesting.java b/android/src/main/java/com/reactlibrary/ConnectionBuilderForTesting.java
@@ -0,0 +1,128 @@
+package com.reactlibrary;
+
+/*
+ * Copyright 2016 The AppAuth for Android Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+import android.annotation.SuppressLint;
+import android.net.Uri;
+import android.support.annotation.NonNull;
+import android.support.annotation.Nullable;
+import android.util.Log;
+
+import net.openid.appauth.Preconditions;
+import net.openid.appauth.connectivity.ConnectionBuilder;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.TimeUnit;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+/**
+ * An implementation of {@link ConnectionBuilder} that permits connecting to http
+ * links, and ignores certificates for https connections. *THIS SHOULD NOT BE USED IN PRODUCTION
+ * CODE*. It is intended to facilitate easier testing of AppAuth against development servers
+ * only.
+ */
+public final class ConnectionBuilderForTesting implements ConnectionBuilder {
+
+    public static final ConnectionBuilderForTesting INSTANCE = new ConnectionBuilderForTesting();
+
+    private static final String TAG = "ConnBuilder";
+
+    private static final int CONNECTION_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(15);
+    private static final int READ_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(10);
+
+    private static final String HTTP = "http";
+    private static final String HTTPS = "https";
+
+    @SuppressLint("TrustAllX509TrustManager")
+    private static final TrustManager[] ANY_CERT_MANAGER = new TrustManager[] {
+            new X509TrustManager() {
+                public X509Certificate[] getAcceptedIssuers() {
+                    return null;
+                }
+
+                public void checkClientTrusted(X509Certificate[] certs, String authType) {}
+
+                public void checkServerTrusted(X509Certificate[] certs, String authType) {}
+            }
+    };
+
+    @SuppressLint("BadHostnameVerifier")
+    private static final HostnameVerifier ANY_HOSTNAME_VERIFIER = new HostnameVerifier() {
+        public boolean verify(String hostname, SSLSession session) {
+            return true;
+        }
+    };
+
+    @Nullable
+    private static final SSLContext TRUSTING_CONTEXT;
+
+    static {
+        SSLContext context;
+        try {
+            context = SSLContext.getInstance("SSL");
+        } catch (NoSuchAlgorithmException e) {
+            Log.e("ConnBuilder", "Unable to acquire SSL context");
+            context = null;
+        }
+
+        SSLContext initializedContext = null;
+        if (context != null) {
+            try {
+                context.init(null, ANY_CERT_MANAGER, new java.security.SecureRandom());
+                initializedContext = context;
+            } catch (KeyManagementException e) {
+                Log.e(TAG, "Failed to initialize trusting SSL context");
+            }
+        }
+
+        TRUSTING_CONTEXT = initializedContext;
+    }
+
+    private ConnectionBuilderForTesting() {
+        // no need to construct new instances
+    }
+
+    @NonNull
+    @Override
+    public HttpURLConnection openConnection(@NonNull Uri uri) throws IOException {
+        Preconditions.checkNotNull(uri, "url must not be null");
+        Preconditions.checkArgument(HTTP.equals(uri.getScheme()) || HTTPS.equals(uri.getScheme()),
+                "scheme or uri must be http or https");
+        HttpURLConnection conn = (HttpURLConnection) new URL(uri.toString()).openConnection();
+        conn.setConnectTimeout(CONNECTION_TIMEOUT_MS);
+        conn.setReadTimeout(READ_TIMEOUT_MS);
+        conn.setInstanceFollowRedirects(false);
+
+        if (conn instanceof HttpsURLConnection && TRUSTING_CONTEXT != null) {
+            HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
+            httpsConn.setSSLSocketFactory(TRUSTING_CONTEXT.getSocketFactory());
+            httpsConn.setHostnameVerifier(ANY_HOSTNAME_VERIFIER);
+        }
+
+        return conn;
+    }
+}
diff --git a/android/src/main/java/com/reactlibrary/RNAppAuthModule.java b/android/src/main/java/com/reactlibrary/RNAppAuthModule.java
@@ -18,6 +18,7 @@
 import com.facebook.react.bridge.ReadableMapKeySetIterator;
 import com.facebook.react.bridge.WritableMap;
 
+import net.openid.appauth.AppAuthConfiguration;
 import net.openid.appauth.AuthorizationException;
 import net.openid.appauth.AuthorizationRequest;
 import net.openid.appauth.AuthorizationResponse;
@@ -45,6 +46,7 @@ public class RNAppAuthModule extends ReactContextBaseJavaModule implements Activ
 
     private final ReactApplicationContext reactContext;
     private Promise promise;
+    private Boolean dangerouslyAllowInsecureHttpRequests;
 
     public RNAppAuthModule(ReactApplicationContext reactContext) {
         super(reactContext);
@@ -109,7 +111,7 @@ private HashMap<String, String> additionalParametersToMap(ReadableMap additional
     private ConnectionBuilder createConnectionBuilder(Boolean allowInsecureConnections) {
 
         if (allowInsecureConnections.equals(true)) {
-            return new UnsafeConnectionBuilder();
+            return ConnectionBuilderForTesting.INSTANCE;
         }
 
         return DefaultConnectionBuilder.INSTANCE;
@@ -135,6 +137,7 @@ public void authorize(
 
         final Context context = this.reactContext;
         this.promise = promise;
+        this.dangerouslyAllowInsecureHttpRequests = dangerouslyAllowInsecureHttpRequests;
         final Activity currentActivity = getCurrentActivity();
 
         final String scopesString = this.arrayToString(scopes);
@@ -152,6 +155,7 @@ public void onFetchConfigurationCompleted(
                             return;
                         }
 
+
                         AuthorizationRequest.Builder authRequestBuilder =
                                 new AuthorizationRequest.Builder(
                                         serviceConfiguration,
@@ -165,9 +169,14 @@ public void onFetchConfigurationCompleted(
                             authRequestBuilder.setAdditionalParameters(additionalParametersToMap(additionalParameters));
                         }
 
-                        AuthorizationRequest authRequest = authRequestBuilder.build();
+                        AppAuthConfiguration configuration =
+                                new AppAuthConfiguration
+                                    .Builder()
+                                    .setConnectionBuilder(builder)
+                                    .build();
 
-                        AuthorizationService authService = new AuthorizationService(context);
+                        AuthorizationRequest authRequest = authRequestBuilder.build();
+                        AuthorizationService authService = new AuthorizationService(context, configuration);
                         Intent authIntent = authService.getAuthorizationRequestIntent(authRequest);
                         currentActivity.startActivityForResult(authIntent, 0);
 
@@ -194,6 +203,8 @@ public void refresh(
         final Uri issuerUri = Uri.parse(issuer);
         final ConnectionBuilder builder = createConnectionBuilder(dangerouslyAllowInsecureHttpRequests);
 
+        this.dangerouslyAllowInsecureHttpRequests = dangerouslyAllowInsecureHttpRequests;
+
         AuthorizationServiceConfiguration.fetchFromUrl(
                 buildConfigurationUriFromIssuer(issuerUri),
                 new AuthorizationServiceConfiguration.RetrieveConfigurationCallback() {
@@ -221,7 +232,12 @@ public void onFetchConfigurationCompleted(
                         TokenRequest tokenRequest = tokenRequestBuilder.build();
 
 
-                        AuthorizationService authService = new AuthorizationService(context);
+                        final AppAuthConfiguration configuration =
+                                new AppAuthConfiguration
+                                        .Builder()
+                                        .setConnectionBuilder(createConnectionBuilder(dangerouslyAllowInsecureHttpRequests))
+                                        .build();
+                        AuthorizationService authService = new AuthorizationService(context, configuration);
 
                         authService.performTokenRequest(tokenRequest, new AuthorizationService.TokenResponseCallback() {
                             @Override
@@ -252,7 +268,13 @@ public void onActivityResult(Activity activity, int requestCode, int resultCode,
 
             final Promise authorizePromise = this.promise;
 
-            AuthorizationService authService = new AuthorizationService(this.reactContext);
+            final AppAuthConfiguration configuration =
+                    new AppAuthConfiguration
+                            .Builder()
+                            .setConnectionBuilder(createConnectionBuilder(this.dangerouslyAllowInsecureHttpRequests))
+                            .build();
+
+            AuthorizationService authService = new AuthorizationService(this.reactContext, configuration);
 
             authService.performTokenRequest(
                     response.createTokenExchangeRequest(),
@@ -282,23 +304,4 @@ public void onNewIntent(Intent intent) {
     public String getName() {
         return "RNAppAuth";
     }
-}
-
-
-final class UnsafeConnectionBuilder implements ConnectionBuilder {
-
-    private static final int CONNECTION_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(15);
-    private static final int READ_TIMEOUT_MS = (int) TimeUnit.SECONDS.toMillis(10);
-
-
-    @NonNull
-    @Override
-    public HttpURLConnection openConnection(@NonNull Uri uri) throws IOException {
-        Preconditions.checkNotNull(uri, "url must not be null");
-        HttpURLConnection conn = (HttpURLConnection) new URL(uri.toString()).openConnection();
-        conn.setConnectTimeout(CONNECTION_TIMEOUT_MS);
-        conn.setReadTimeout(READ_TIMEOUT_MS);
-        conn.setInstanceFollowRedirects(false);
-        return conn;
-    }
 }
