Add client certificate support for Linkding (mTLS)

- Add `LinkdingClientCertKeyManager`: a `X509ExtendedKeyManager` implementation backed by `android.security.KeyChain`
- Add `LinkdingSSLSocketFactory`: a `SSLSocketFactory` implementation to control the lifecycle of TLS sessions as the user certificate changes
- Update the `NetworkModule` to provide a `HttpClientBuilder` instead of a base `HttpClient`, allowing proper customization
- Update `LinkdingModule` to always register the new socket factory in Linkding's `HttpClient`
- Update app storage to persist the selected client cert alias
- Update `AuthScreen` and `AccountSwitcherScreen ` to allow selecting a certificate using `android.security.KeyChain`

Author: fibelatti

app/src/androidTest/kotlin/com/fibelatti/pinboard/core/di/modules/TestLinkdingModule.kt

@@ -3,6 +3,7 @@ package com.fibelatti.pinboard.core.di.modules
 import com.fibelatti.pinboard.LinkdingMockServer
 import com.fibelatti.pinboard.core.di.RestApi
 import com.fibelatti.pinboard.core.di.RestApiProvider
+import com.fibelatti.pinboard.core.network.LinkdingSSLSocketFactory
 import com.fibelatti.pinboard.core.network.UnauthorizedPluginProvider
 import com.fibelatti.pinboard.features.user.domain.UserRepository
 import dagger.Module
@@ -15,6 +16,8 @@ import io.ktor.client.request.accept
 import io.ktor.client.request.header
 import io.ktor.http.ContentType
 import io.ktor.http.URLProtocol
+import javax.inject.Singleton
+import okhttp3.ConnectionSpec
 
 @Module
 @TestInstallIn(
@@ -24,15 +27,20 @@ import io.ktor.http.URLProtocol
 object TestLinkdingModule {
 
     @Provides
+    @Singleton
     @RestApi(RestApiProvider.LINKDING)
     fun linkdingHttpClient(
-        @RestApi(RestApiProvider.BASE) httpClient: HttpClient,
+        httpClientBuilder: HttpClientBuilder,
         userRepository: UserRepository,
         unauthorizedPluginProvider: UnauthorizedPluginProvider,
-    ): HttpClient {
-        val mockServerUrl = LinkdingMockServer.instance.url("/")
+        linkdingSSLSocketFactory: LinkdingSSLSocketFactory,
+    ): HttpClient = httpClientBuilder.build(
+        extraHttpClientConfig = {
+            install(unauthorizedPluginProvider.plugin)
+
+            expectSuccess = true
 
-        return httpClient.config {
+            val mockServerUrl = LinkdingMockServer.instance.url("/")
             defaultRequest {
                 val credentials = userRepository.userCredentials.value
 
@@ -46,8 +54,22 @@ object TestLinkdingModule {
                 }
                 accept(ContentType.Application.Json)
             }
+        },
+        extraOkHttpClientConfig = {
+            connectionSpecs(
+                listOf(
+                    ConnectionSpec.COMPATIBLE_TLS,
+                    // Linkding instances can be self-hosted and use insecure connections
+                    ConnectionSpec.CLEARTEXT,
+                ),
+            )
 
-            install(unauthorizedPluginProvider.plugin)
-        }
-    }
+            // Always registering the factory to avoid having to recreate objects if the alias
+            // changes. It uses the default behavior when there's no alias set by the user.
+            sslSocketFactory(
+                sslSocketFactory = linkdingSSLSocketFactory,
+                trustManager = linkdingSSLSocketFactory.trustManager,
+            )
+        },
+    )
 }

app/src/androidTest/kotlin/com/fibelatti/pinboard/core/di/modules/TestPinboardModule.kt

@@ -4,16 +4,25 @@ import com.fibelatti.pinboard.PinboardMockServer
 import com.fibelatti.pinboard.core.di.RestApi
 import com.fibelatti.pinboard.core.di.RestApiProvider
 import com.fibelatti.pinboard.core.network.UnauthorizedPluginProvider
+import com.fibelatti.pinboard.features.posts.data.model.GenericResponseDto
+import com.fibelatti.pinboard.features.posts.data.model.isDone
 import com.fibelatti.pinboard.features.user.domain.UserRepository
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.components.SingletonComponent
 import dagger.hilt.testing.TestInstallIn
 import io.ktor.client.HttpClient
+import io.ktor.client.call.body
+import io.ktor.client.plugins.HttpResponseValidator
+import io.ktor.client.plugins.ResponseException
 import io.ktor.client.plugins.defaultRequest
 import io.ktor.client.request.accept
 import io.ktor.http.ContentType
+import io.ktor.http.HttpStatusCode
 import io.ktor.http.URLProtocol
+import javax.inject.Singleton
+import okhttp3.CipherSuite
+import okhttp3.ConnectionSpec
 
 @Module
 @TestInstallIn(
@@ -23,15 +32,17 @@ import io.ktor.http.URLProtocol
 object TestPinboardModule {
 
     @Provides
+    @Singleton
     @RestApi(RestApiProvider.PINBOARD)
     fun pinboardHttpClient(
-        @RestApi(RestApiProvider.BASE) httpClient: HttpClient,
+        httpClientBuilder: HttpClientBuilder,
         userRepository: UserRepository,
         unauthorizedPluginProvider: UnauthorizedPluginProvider,
-    ): HttpClient {
-        val mockServerUrl = PinboardMockServer.instance.url("/")
+    ): HttpClient = httpClientBuilder.build(
+        extraHttpClientConfig = {
+            install(unauthorizedPluginProvider.plugin)
 
-        return httpClient.config {
+            val mockServerUrl = PinboardMockServer.instance.url("/")
             defaultRequest {
                 val credentials = userRepository.userCredentials.value
 
@@ -48,7 +59,41 @@ object TestPinboardModule {
                 accept(ContentType.Application.Json)
             }
 
-            install(unauthorizedPluginProvider.plugin)
-        }
-    }
+            HttpResponseValidator {
+                validateResponse { response ->
+                    // Unfortunately nothing can be done if the server is acting up.
+                    if (response.status == HttpStatusCode.InternalServerError) {
+                        runCatching {
+                            // Although, the action may have succeeded despite the 500 status code.
+                            if (response.body<GenericResponseDto>().isDone) {
+                                // In that case, no need to abort.
+                                return@validateResponse
+                            }
+                        }
+
+                        // A `ResponseException` is used when handling exceptions to notify users.
+                        throw ResponseException(response, "")
+                    }
+                }
+            }
+        },
+        extraOkHttpClientConfig = {
+            // These are the server preferred Ciphers + all the ones included in COMPATIBLE_TLS
+            val cipherSuites: List<CipherSuite> = listOf(
+                CipherSuite.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+                CipherSuite.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+                CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+                CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+            ) + ConnectionSpec.COMPATIBLE_TLS.cipherSuites.orEmpty()
+
+            connectionSpecs(
+                listOf(
+                    ConnectionSpec.Builder(ConnectionSpec.COMPATIBLE_TLS)
+                        .cipherSuites(*cipherSuites.toTypedArray())
+                        .build(),
+                    ConnectionSpec.CLEARTEXT,
+                ),
+            )
+        },
+    )
 }

app/src/main/kotlin/com/fibelatti/pinboard/core/di/RestApi.kt

@@ -8,7 +8,7 @@ import javax.inject.Qualifier
 annotation class RestApi(val restApi: RestApiProvider)
 
 enum class RestApiProvider {
-    BASE,
+    COMMON,
     PINBOARD,
     LINKDING,
 }

app/src/main/kotlin/com/fibelatti/pinboard/core/di/modules/LinkdingModule.kt

@@ -2,54 +2,64 @@ package com.fibelatti.pinboard.core.di.modules
 
 import com.fibelatti.pinboard.core.di.RestApi
 import com.fibelatti.pinboard.core.di.RestApiProvider
+import com.fibelatti.pinboard.core.network.LinkdingSSLSocketFactory
 import com.fibelatti.pinboard.core.network.UnauthorizedPluginProvider
 import com.fibelatti.pinboard.features.user.domain.UserRepository
 import dagger.Module
 import dagger.Provides
 import dagger.hilt.InstallIn
 import dagger.hilt.components.SingletonComponent
 import io.ktor.client.HttpClient
-import io.ktor.client.engine.okhttp.OkHttpConfig
 import io.ktor.client.plugins.defaultRequest
 import io.ktor.client.request.accept
 import io.ktor.client.request.header
 import io.ktor.http.ContentType
+import javax.inject.Singleton
 import okhttp3.ConnectionSpec
 
 @Module
 @InstallIn(SingletonComponent::class)
 object LinkdingModule {
 
     @Provides
+    @Singleton
     @RestApi(RestApiProvider.LINKDING)
     fun linkdingHttpClient(
-        @RestApi(RestApiProvider.BASE) httpClient: HttpClient,
+        httpClientBuilder: HttpClientBuilder,
         userRepository: UserRepository,
         unauthorizedPluginProvider: UnauthorizedPluginProvider,
-    ): HttpClient = httpClient.config {
-        engine {
-            (this as OkHttpConfig).config {
-                connectionSpecs(
-                    listOf(
-                        ConnectionSpec.COMPATIBLE_TLS,
-                        ConnectionSpec.CLEARTEXT,
-                    ),
-                )
-            }
-        }
+        linkdingSSLSocketFactory: LinkdingSSLSocketFactory,
+    ): HttpClient = httpClientBuilder.build(
+        extraHttpClientConfig = {
+            install(unauthorizedPluginProvider.plugin)
 
-        defaultRequest {
-            val credentials = userRepository.userCredentials.value
+            expectSuccess = true
 
-            url(requireNotNull(credentials.linkdingInstanceUrl))
-            credentials.linkdingAuthToken?.let { token ->
-                header("Authorization", "Token $token")
-            }
-            accept(ContentType.Application.Json)
-        }
+            defaultRequest {
+                val credentials = userRepository.userCredentials.value
 
-        expectSuccess = true
+                url(requireNotNull(credentials.linkdingInstanceUrl))
+                credentials.linkdingAuthToken?.let { token ->
+                    header("Authorization", "Token $token")
+                }
+                accept(ContentType.Application.Json)
+            }
+        },
+        extraOkHttpClientConfig = {
+            connectionSpecs(
+                listOf(
+                    ConnectionSpec.COMPATIBLE_TLS,
+                    // Linkding instances can be self-hosted and use insecure connections
+                    ConnectionSpec.CLEARTEXT,
+                ),
+            )
 
-        install(unauthorizedPluginProvider.plugin)
-    }
+            // Always registering the factory to avoid having to recreate objects if the alias
+            // changes. It uses the default behavior when there's no alias set by the user.
+            sslSocketFactory(
+                sslSocketFactory = linkdingSSLSocketFactory,
+                trustManager = linkdingSSLSocketFactory.trustManager,
+            )
+        },
+    )
 }

app/src/main/kotlin/com/fibelatti/pinboard/core/di/modules/NetworkModule.kt

@@ -22,6 +22,7 @@ import dagger.hilt.InstallIn
 import dagger.hilt.android.qualifiers.ApplicationContext
 import dagger.hilt.components.SingletonComponent
 import io.ktor.client.HttpClient
+import io.ktor.client.HttpClientConfig
 import io.ktor.client.engine.okhttp.OkHttp
 import io.ktor.client.plugins.cache.HttpCache
 import io.ktor.client.plugins.cache.storage.FileStorage
@@ -64,46 +65,62 @@ object NetworkModule {
     }
 
     @Provides
-    @RestApi(RestApiProvider.BASE)
-    fun baseHttpClient(
+    @Singleton
+    @RestApi(RestApiProvider.COMMON)
+    fun commonHttpClient(builder: HttpClientBuilder): HttpClient = builder.build()
+
+    @Provides
+    @Singleton
+    fun httpClientBuilder(
         json: Json,
         threadStatsTagInterceptor: Interceptor,
         @ApplicationContext context: Context,
-    ): HttpClient = HttpClient(OkHttp) {
-        engine {
-            config {
-                connectionPool(
-                    ConnectionPool(
-                        maxIdleConnections = 0,
-                        keepAliveDuration = 5,
-                        timeUnit = TimeUnit.MINUTES,
-                    ),
-                )
-
-                connectTimeout(60, TimeUnit.SECONDS)
-                readTimeout(30, TimeUnit.SECONDS)
-                writeTimeout(30, TimeUnit.SECONDS)
-
-                followRedirects(true)
-                followSslRedirects(true)
-
-                addInterceptor(threadStatsTagInterceptor)
+    ): HttpClientBuilder = object : HttpClientBuilder {
+
+        override fun build(
+            extraHttpClientConfig: HttpClientConfig<*>.() -> Unit,
+            extraOkHttpClientConfig: OkHttpClient.Builder.() -> Unit,
+        ): HttpClient = HttpClient(OkHttp) {
+            install(PinboardResponseFixerPlugin)
+
+            install(ContentNegotiation) {
+                json(json, contentType = ContentType.Any)
             }
-        }
 
-        install(PinboardResponseFixerPlugin)
-        install(ContentNegotiation) {
-            json(json, contentType = ContentType.Any)
-        }
+            install(HttpCache) {
+                publicStorage(FileStorage(File("${context.cacheDir}/http-cache")))
+            }
 
-        install(HttpCache) {
-            publicStorage(FileStorage(File("${context.cacheDir}/http-cache")))
-        }
+            extraHttpClientConfig()
 
-        if (BuildConfig.DEBUG) {
-            install(Logging) {
-                level = LogLevel.INFO
-                logger = Logger.ANDROID
+            if (BuildConfig.DEBUG) {
+                install(Logging) {
+                    level = LogLevel.INFO
+                    logger = Logger.ANDROID
+                }
+            }
+
+            engine {
+                config {
+                    connectionPool(
+                        ConnectionPool(
+                            maxIdleConnections = 0,
+                            keepAliveDuration = 5,
+                            timeUnit = TimeUnit.MINUTES,
+                        ),
+                    )
+
+                    connectTimeout(60, TimeUnit.SECONDS)
+                    readTimeout(30, TimeUnit.SECONDS)
+                    writeTimeout(30, TimeUnit.SECONDS)
+
+                    followRedirects(true)
+                    followSslRedirects(true)
+
+                    addInterceptor(threadStatsTagInterceptor)
+
+                    extraOkHttpClientConfig(this)
+                }
             }
         }
     }
@@ -143,3 +160,11 @@ object NetworkModule {
         .crossfade(enable = true)
         .build()
 }
+
+interface HttpClientBuilder {
+
+    fun build(
+        extraHttpClientConfig: HttpClientConfig<*>.() -> Unit = {},
+        extraOkHttpClientConfig: OkHttpClient.Builder.() -> Unit = {},
+    ): HttpClient
+}