feat: enhance SSL configuration with security warnings and logging (#250)

CodeCasterX · web-flow · commit 2917747df440 · 2025-08-13T15:46:27.000+08:00
- Add prominent security warning logs when CLIENT_SECURE_IGNORE_TRUST is enabled - Add detailed debug logging in TrustManager to record bypassed certificate information - Add JavaDoc at method and class level to clearly document security risks - Add @SuppressWarnings annotation to mark intentional design decision - Include certificate details in debug logs for easier troubleshooting These improvements ensure framework users are fully aware of the security risks of disabling certificate validation, while maintaining the flexibility needed for development environments.
diff --git a/framework/fit/java/fit-builtin/plugins/fit-http-client-okhttp/src/main/java/modelengine/fit/http/client/okhttp/OkHttpClientBuilderFactory.java b/framework/fit/java/fit-builtin/plugins/fit-http-client-okhttp/src/main/java/modelengine/fit/http/client/okhttp/OkHttpClientBuilderFactory.java
@@ -14,6 +14,7 @@
 import modelengine.fit.http.client.HttpClassicClientFactory;
 import modelengine.fit.http.protocol.util.SslUtils;
 import modelengine.fitframework.log.Logger;
+import modelengine.fitframework.util.ArrayUtils;
 import modelengine.fitframework.util.StringUtils;
 import okhttp3.OkHttpClient;
 
@@ -29,6 +30,17 @@
 /**
  * 创建 OkHttpClient.Builder 实例工厂。
  *
+ * <p><strong>安全配置说明：</strong></p>
+ * <p>本框架提供 {@link HttpsConstants#CLIENT_SECURE_IGNORE_TRUST} 配置项，允许忽略SSL证书验证。</p>
+ * <p><strong>警告：</strong>启用此选项将使应用程序容易受到中间人攻击！</p>
+ *
+ * <p>使用场景：</p>
+ * <ul>
+ *   <li>开发环境：使用自签名证书或内网测试</li>
+ *   <li>测试环境：快速原型验证</li>
+ *   <li><strong>生产环境：绝对不应启用此选项</strong></li>
+ * </ul>
+ *
  * @author 杭潇
  * @since 2024-04-15
  */
@@ -79,7 +91,7 @@ private static void setSslConfig(OkHttpClient.Builder clientBuilder, HttpClassic
         TrustManager[] trustManagers = getTrustManagersConfig(config, isIgnoreTrust);
 
         SSLContext sslContext = SslUtils.getSslContext(keyManagers, trustManagers, isStrongRandom, secureProtocol);
-        if (isIgnoreTrust || isTrustManagerSet(trustManagers)) {
+        if (isTrustManagerSet(trustManagers)) {
             clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManagers[0]);
         }
         if (isIgnoreTrust || isHostnameVerificationIgnored(trustManagers, config)) {
@@ -100,6 +112,15 @@ private static KeyManager[] getKeyManagersConfig(HttpClassicClientFactory.Config
     private static TrustManager[] getTrustManagersConfig(HttpClassicClientFactory.Config config, boolean isIgnoreTrust)
             throws GeneralSecurityException {
         if (isIgnoreTrust) {
+            log.warn("========================================================");
+            log.warn("SECURITY WARNING: SSL/TLS Certificate Validation DISABLED!");
+            log.warn("This configuration is INSECURE and should NEVER be used in production!");
+            log.warn("Your application is vulnerable to man-in-the-middle attacks!");
+            log.warn("Current setting: {} = true", HttpsConstants.CLIENT_SECURE_IGNORE_TRUST);
+            log.warn("========================================================");
+            if (log.isDebugEnabled()) {
+                log.debug("Certificate validation disabled at:", new Exception("Stack trace for debugging"));
+            }
             return getTrustAllCerts();
         }
         String trustStoreFile = cast(config.custom().get(HttpsConstants.CLIENT_SECURE_TRUST_STORE_FILE));
@@ -120,13 +141,37 @@ private static boolean isHostnameVerificationIgnored(TrustManager[] trustManager
                 .getOrDefault(HttpsConstants.CLIENT_SECURE_IGNORE_HOSTNAME, false)));
     }
 
+    /**
+     * 创建一个接受所有证书的 {@link TrustManager}{@code []}，其中仅有一个 {@link TrustManager}。
+     * <p>此方法是框架设计的一部分，用于支持开发环境的快速集成，安全风险已通过配置和日志机制向用户明确告知。</p>
+     * <p><strong>安全警告：</strong>此 {@link TrustManager}
+     * 不验证任何证书，会接受所有证书包括无效、过期或伪造的证书，仅应在开发环境中使用，生产环境使用将导致严重的安全风险。</p>
+     *
+     * @return 不验证任何证书的 {@link TrustManager}{@code []}。
+     */
     private static TrustManager[] getTrustAllCerts() {
         X509TrustManager x509TrustManager = new X509TrustManager() {
             @Override
-            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {
+                // 记录客户端证书验证被跳过
+                if (log.isDebugEnabled()) {
+                    log.debug("Bypassing client certificate validation (INSECURE MODE). [authType={}]", authType);
+                }
+            }
 
             @Override
-            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {
+                // 记录服务器证书验证被跳过，包含证书信息便于调试
+                if (log.isDebugEnabled() && ArrayUtils.isNotEmpty(chain)) {
+                    X509Certificate cert = chain[0];
+                    log.debug("Bypassing server certificate validation (INSECURE MODE):");
+                    log.debug("  - Subject: {}", cert.getSubjectX500Principal());
+                    log.debug("  - Issuer: {}", cert.getIssuerX500Principal());
+                    log.debug("  - Serial Number: {}", cert.getSerialNumber());
+                    log.debug("  - Valid from {} to {}", cert.getNotBefore(), cert.getNotAfter());
+                    log.debug("  - Auth Type: {}", authType);
+                }
+            }
 
             @Override
             public X509Certificate[] getAcceptedIssuers() {
