pr feedbacks

xinsong-cui · xinsong-cui · commit 7e7bf1ac99b6 · 2025-08-26T17:21:51.000-04:00
diff --git a/runtime/protocol/http-client-engines/http-client-engine-okhttp/api/http-client-engine-okhttp.api b/runtime/protocol/http-client-engines/http-client-engine-okhttp/api/http-client-engine-okhttp.api
@@ -70,11 +70,11 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConf
 	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
 	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
-	public final fun getKeyManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;
+	public final fun getKeyManager ()Ljavax/net/ssl/KeyManager;
 	public final fun getMaxConcurrencyPerHost-pVg5ArA ()I
-	public final fun getTrustManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;
-	public final fun setKeyManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;)V
-	public final fun setTrustManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;)V
+	public final fun getTrustManager ()Ljavax/net/ssl/X509TrustManager;
+	public final fun setKeyManager (Ljavax/net/ssl/KeyManager;)V
+	public final fun setTrustManager (Ljavax/net/ssl/X509TrustManager;)V
 	public fun toBuilderApplicator ()Lkotlin/jvm/functions/Function1;
 }
 
@@ -84,18 +84,18 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConf
 	public final fun getCipherSuites ()Ljava/util/List;
 	public final fun getConnectionIdlePollingInterval-FghU774 ()Lkotlin/time/Duration;
 	public final fun getHostnameVerifier ()Ljavax/net/ssl/HostnameVerifier;
-	public final fun getKeyManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;
+	public final fun getKeyManager ()Ljavax/net/ssl/KeyManager;
 	public final fun getMaxConcurrencyPerHost-0hXNFcg ()Lkotlin/UInt;
 	public fun getTelemetryProvider ()Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;
-	public final fun getTrustManagerProvider ()Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;
+	public final fun getTrustManager ()Ljavax/net/ssl/X509TrustManager;
 	public final fun setCertificatePinner (Lokhttp3/CertificatePinner;)V
 	public final fun setCipherSuites (Ljava/util/List;)V
 	public final fun setConnectionIdlePollingInterval-BwNAW2A (Lkotlin/time/Duration;)V
 	public final fun setHostnameVerifier (Ljavax/net/ssl/HostnameVerifier;)V
-	public final fun setKeyManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider;)V
+	public final fun setKeyManager (Ljavax/net/ssl/KeyManager;)V
 	public final fun setMaxConcurrencyPerHost-ExVfyTY (Lkotlin/UInt;)V
 	public fun setTelemetryProvider (Laws/smithy/kotlin/runtime/telemetry/TelemetryProvider;)V
-	public final fun setTrustManagerProvider (Laws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider;)V
+	public final fun setTrustManager (Ljavax/net/ssl/X509TrustManager;)V
 }
 
 public final class aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig$Companion {
@@ -151,11 +151,3 @@ public final class aws/smithy/kotlin/runtime/http/engine/okhttp/StreamingRequest
 	public fun writeTo (Lokio/BufferedSink;)V
 }
 
-public abstract interface class aws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider {
-	public abstract fun keyManagers ()[Ljavax/net/ssl/KeyManager;
-}
-
-public abstract interface class aws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider {
-	public abstract fun trustManagers ()[Ljavax/net/ssl/TrustManager;
-}
-
diff --git a/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine.kt b/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngine.kt
@@ -24,6 +24,7 @@ import kotlinx.coroutines.job
 import okhttp3.*
 import okhttp3.coroutines.executeAsync
 import java.util.concurrent.TimeUnit
+import javax.net.ssl.KeyManager
 import javax.net.ssl.SSLContext
 import javax.net.ssl.X509TrustManager
 import kotlin.time.toJavaDuration
@@ -107,18 +108,13 @@ public fun OkHttpEngineConfig.buildClient(
 
         connectionSpecs(listOf(tlsConnectionSpec(config.tlsContext, config.cipherSuites), ConnectionSpec.CLEARTEXT))
 
-        if (config.trustManagerProvider != null) {
-            val (sslContext, trustManager) = createSslContext(config.trustManagerProvider, config.keyManagerProvider)
-            sslSocketFactory(sslContext.socketFactory, trustManager)
+        config.trustManager?.let {
+            val sslContext = createSslContext(it, config.keyManager)
+            sslSocketFactory(sslContext.socketFactory, trustManager!!)
         }
 
-        if (config.certificatePinner != null) {
-            certificatePinner(config.certificatePinner)
-        }
-
-        if (config.hostnameVerifier != null) {
-            hostnameVerifier(config.hostnameVerifier)
-        }
+        config.certificatePinner?.let(::certificatePinner)
+        config.hostnameVerifier?.let(::hostnameVerifier)
 
         // Transient connection errors are handled by retry strategy (exceptions are wrapped and marked retryable
         // appropriately internally). We don't want inner retry logic that inflates the number of retries.
@@ -186,9 +182,7 @@ private fun tlsConnectionSpec(tlsContext: TlsContext, cipherSuites: List<String>
         .Builder(ConnectionSpec.MODERN_TLS)
         .tlsVersions(*okHttpTlsVersions)
         .apply {
-            if (cipherSuites != null) {
-                cipherSuites(*cipherSuites.toTypedArray())
-            }
+            cipherSuites?.toTypedArray()?.let(::cipherSuites)
         }
         .build()
 }
@@ -203,19 +197,12 @@ private fun toOkHttpTlsVersion(sdkTlsVersion: SdkTlsVersion): OkHttpTlsVersion =
 /**
  * Creates an SSL context with custom trust and key managers
  */
-private fun createSslContext(trustManagersProvider: TlsTrustManagersProvider?, keyManagersProvider: TlsKeyManagersProvider?): Pair<SSLContext, X509TrustManager> {
-    val trustManagers = trustManagersProvider?.trustManagers()
-    val keyManagers = keyManagersProvider?.keyManagers()
-
-    if (trustManagersProvider != null) {
-        check(!trustManagers.isNullOrEmpty()) { "Trust managers provider returned null or empty trust managers." }
-        check(trustManagers[0] is X509TrustManager) { "Trust managers provider must return X509TrustManager." }
-    }
+private fun createSslContext(trustManager: X509TrustManager, keyManager: KeyManager?): SSLContext {
+    val keyManagers = keyManager?.let { arrayOf(it) }
+    val trustManagers = arrayOf(trustManager)
 
     val sslContext = SSLContext.getInstance("TLS")
     sslContext.init(keyManagers, trustManagers, null)
 
-    val trustManager = trustManagers!![0] as X509TrustManager
-
-    return sslContext to trustManager
+    return sslContext
 }
diff --git a/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig.kt b/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/OkHttpEngineConfig.kt
@@ -11,6 +11,8 @@ import aws.smithy.kotlin.runtime.telemetry.Global
 import aws.smithy.kotlin.runtime.telemetry.TelemetryProvider
 import okhttp3.CertificatePinner
 import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.KeyManager
+import javax.net.ssl.X509TrustManager
 import kotlin.time.Duration
 
 /**
@@ -53,18 +55,18 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
     public val maxConcurrencyPerHost: UInt = builder.maxConcurrencyPerHost ?: builder.maxConcurrency
 
     /**
-     * Provider for TLS trust managers used to validate server certificates during TLS handshake.
-     * Trust managers determine whether to trust the certificate chain presented by a remote server.
-     * When provided, these trust managers will be used instead of the default system trust store.
+     * Trust manager used to validate server certificates during TLS handshake.
+     * Determines whether to trust the certificate chain presented by a remote server.
+     * When provided, this trust manager will be used instead of the default system trust store.
      */
-    public var trustManagerProvider: TlsTrustManagersProvider? = builder.trustManagerProvider
+    public var trustManager: X509TrustManager? = builder.trustManager
 
     /**
-     * Provider for KeyManagers that supply client certificates for mutual TLS (mTLS) authentication.
-     * When provided, the client will present certificates from these KeyManagers when the server
+     * Key manager that supplies client certificates for mutual TLS (mTLS) authentication.
+     * When provided, the client will present certificates from this key manager when the server
      * requests client authentication. Used for scenarios requiring client certificate authentication.
      */
-    public var keyManagerProvider: TlsKeyManagersProvider? = builder.keyManagerProvider
+    public var keyManager: KeyManager? = builder.keyManager
 
     /**
      * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
@@ -91,8 +93,8 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
         if (this is Builder) {
             connectionIdlePollingInterval = this@OkHttpEngineConfig.connectionIdlePollingInterval
             maxConcurrencyPerHost = this@OkHttpEngineConfig.maxConcurrencyPerHost
-            trustManagerProvider = this@OkHttpEngineConfig.trustManagerProvider
-            keyManagerProvider = this@OkHttpEngineConfig.keyManagerProvider
+            trustManager = this@OkHttpEngineConfig.trustManager
+            keyManager = this@OkHttpEngineConfig.keyManager
             cipherSuites = this@OkHttpEngineConfig.cipherSuites
             certificatePinner = this@OkHttpEngineConfig.certificatePinner
             hostnameVerifier = this@OkHttpEngineConfig.hostnameVerifier
@@ -125,18 +127,18 @@ public class OkHttpEngineConfig private constructor(builder: Builder) : HttpClie
         public var maxConcurrencyPerHost: UInt? = null
 
         /**
-         * Provider for TLS trust managers used to validate server certificates during TLS handshake.
-         * Trust managers determine whether to trust the certificate chain presented by a remote server.
-         * When provided, these trust managers will be used instead of the default system trust store.
+         * Trust manager used to validate server certificates during TLS handshake.
+         * Determines whether to trust the certificate chain presented by a remote server.
+         * When provided, this trust manager will be used instead of the default system trust store.
          */
-        public var trustManagerProvider: TlsTrustManagersProvider? = null
+        public var trustManager: X509TrustManager? = null
 
         /**
-         * Provider for KeyManagers that supply client certificates for mutual TLS (mTLS) authentication.
-         * When provided, the client will present certificates from these KeyManagers when the server
+         * Key manager that supplies client certificates for mutual TLS (mTLS) authentication.
+         * When provided, the client will present certificates from this key manager when the server
          * requests client authentication. Used for scenarios requiring client certificate authentication.
          */
-        public var keyManagerProvider: TlsKeyManagersProvider? = null
+        public var keyManager: KeyManager? = null
 
         /**
          * List of cipher suites to enable for TLS connections. If null, uses OkHttp defaults.
diff --git a/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider.kt b/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/TlsKeyManagersProvider.kt
diff --git a/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider.kt b/runtime/protocol/http-client-engines/http-client-engine-okhttp/jvm/src/aws/smithy/kotlin/runtime/http/engine/okhttp/TlsTrustManagersProvider.kt
diff --git a/runtime/protocol/http-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/ConnectionTest.kt b/runtime/protocol/http-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/ConnectionTest.kt
@@ -108,7 +108,7 @@ class ConnectionTest : AbstractEngineTest() {
             ServerType.TLS_1_2,
             TlsContext { minVersion = TlsVersion.TLS_1_2 },
             okHttpConfigBlock = {
-                trustManagerProvider = createTestTrustManagerProvider(testCert)
+                trustManager = createTestTrustManager(testCert)
             },
         )
     }
@@ -120,7 +120,7 @@ class ConnectionTest : AbstractEngineTest() {
             ServerType.TLS_1_3,
             TlsContext { minVersion = TlsVersion.TLS_1_3 },
             okHttpConfigBlock = {
-                trustManagerProvider = createTestTrustManagerProvider(testCert)
+                trustManager = createTestTrustManager(testCert)
             },
         )
     }
diff --git a/runtime/protocol/http-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/util/ConnectionTestUtils.kt b/runtime/protocol/http-client-engines/test-suite/jvm/test/aws/smithy/kotlin/runtime/http/test/util/ConnectionTestUtils.kt
@@ -5,7 +5,6 @@
  */
 package aws.smithy.kotlin.runtime.http.test.util
 
-import aws.smithy.kotlin.runtime.http.engine.okhttp.TlsTrustManagersProvider
 import aws.smithy.kotlin.runtime.net.toUrlString
 import okhttp3.CertificatePinner
 import org.bouncycastle.asn1.x500.X500Name
@@ -16,8 +15,8 @@ import java.nio.file.Paths
 import java.security.KeyPairGenerator
 import java.security.cert.X509Certificate
 import java.util.*
-import javax.net.ssl.TrustManager
 import javax.net.ssl.TrustManagerFactory
+import javax.net.ssl.X509TrustManager
 
 internal val testSslConfig by lazy {
     val sslConfigPath = System.getProperty("SSL_CONFIG_PATH")
@@ -28,18 +27,15 @@ internal val testCert by lazy {
     testSslConfig.keyStore.getCertificate(testSslConfig.certificateAlias) as X509Certificate
 }
 
-fun createTestTrustManagerProvider(testCert: X509Certificate): TlsTrustManagersProvider =
-    object : TlsTrustManagersProvider {
-        override fun trustManagers(): Array<TrustManager> {
-            val keyStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType())
-            keyStore.load(null, null)
-            keyStore.setCertificateEntry("test-cert", testCert)
+fun createTestTrustManager(testCert: X509Certificate): X509TrustManager {
+    val keyStore = java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType())
+    keyStore.load(null, null)
+    keyStore.setCertificateEntry("test-cert", testCert)
 
-            val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
-            trustManagerFactory.init(keyStore)
-            return trustManagerFactory.trustManagers
-        }
-    }
+    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+    trustManagerFactory.init(keyStore)
+    return trustManagerFactory.trustManagers[0] as X509TrustManager
+}
 
 fun createTestCertificatePinner(testCert: X509Certificate, serverType: ServerType): CertificatePinner {
     val sha256Hash = java.security.MessageDigest.getInstance("SHA-256").digest(testCert.publicKey.encoded)

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,7 @@ class ConnectionTest : AbstractEngineTest() {`
`108`	`108`	`ServerType.TLS_1_2,`
`109`	`109`	`TlsContext { minVersion = TlsVersion.TLS_1_2 },`
`110`	`110`	`okHttpConfigBlock = {`
`111`		`- trustManagerProvider = createTestTrustManagerProvider(testCert)`
	`111`	`+ trustManager = createTestTrustManager(testCert)`
`112`	`112`	`},`
`113`	`113`	`)`
`114`	`114`	`}`
`@@ -120,7 +120,7 @@ class ConnectionTest : AbstractEngineTest() {`
`120`	`120`	`ServerType.TLS_1_3,`
`121`	`121`	`TlsContext { minVersion = TlsVersion.TLS_1_3 },`
`122`	`122`	`okHttpConfigBlock = {`
`123`		`- trustManagerProvider = createTestTrustManagerProvider(testCert)`
	`123`	`+ trustManager = createTestTrustManager(testCert)`
`124`	`124`	`},`
`125`	`125`	`)`
`126`	`126`	`}`