Accommodate for hackney 1.23.0 bug (#220)

dbernheisel · web-flow · commit 5574fafea071 · 2025-03-27T12:05:07.000-05:00
diff --git a/README.md b/README.md
@@ -32,20 +32,26 @@ end
 Within your application you will need to configure the merchant id and
 authorization keys. You do *not* want to put this information in your
 `config.exs` file! Either put it in a `{prod,dev,test}.secret.exs` file which is
-sourced by `config.exs`, or read the values in from the environment:
+sourced by `config.exs`, or read the values in from the environment in
+`runtime.exs`:
 
 ```elixir
 config :braintree,
   environment: :sandbox,
-  master_merchant_id: {:system, "BRAINTREE_MASTER_MERCHANT_ID"},
-  merchant_id: {:system, "BRAINTREE_MERCHANT_ID"},
-  public_key:  {:system, "BRAINTREE_PUBLIC_KEY"},
-  private_key: {:system, "BRAINTREE_PRIVATE_KEY"}
+  master_merchant_id: System.fetch_env!("BRAINTREE_MASTER_MERCHANT_ID"),
+  merchant_id: System.fetch_env!("BRAINTREE_MERCHANT_ID"),
+  public_key:  System.fetch_env!("BRAINTREE_PUBLIC_KEY"),
+  private_key: System.fetch_env!("BRAINTREE_PRIVATE_KEY")
 ```
 
 Furthermore, the environment defaults to `:sandbox`, so you'll want to configure
 it with `:production` in `prod.exs`.
 
+Braintree has certificates that will be used for verification during the HTTP
+request. This library includes them and will use them by default, but if you
+need to override them, you may provide the configuration `:cacertfile` and
+`:sandbox_cacertfile`.
+
 You may optionally pass directly those configuration keys to all functions
 performing an API call. In that case, those keys will be used to perform the
 call.
@@ -60,7 +66,7 @@ config :braintree,
   ]
 ```
 
-[opts]: https://github.com/benoitc/hackney/blob/master/doc/hackney.md#request5
+[opts]: https://hexdocs.pm/hackney/hackney.html#request/5
 
 ## Usage
 
@@ -130,7 +136,7 @@ Immediately before the HTTP request is fired, a start event will be fired with t
  meta data:     %{method: method, path: path}
 ```
 
-Once the HTTP call completes, a stop event will be fired with the following shape: 
+Once the HTTP call completes, a stop event will be fired with the following shape:
 
 ```
  event name:    [:braintree, :request, :stop]
diff --git a/lib/braintree.ex b/lib/braintree.ex
@@ -81,6 +81,7 @@ defmodule Braintree do
   end
 
   defp fallback_or_raise(key, nil, nil), do: raise(ConfigError, key)
+  defp fallback_or_raise(_, nil, default) when is_function(default, 0), do: default.()
   defp fallback_or_raise(_, nil, default), do: default
   defp fallback_or_raise(_, value, _), do: value
 end
diff --git a/lib/http.ex b/lib/http.ex
@@ -30,10 +30,9 @@ defmodule Braintree.HTTP do
 
   @type response :: {:ok, map} | error
 
-  @production_endpoint "https://api.braintreegateway.com/merchants/"
-  @sandbox_endpoint "https://api.sandbox.braintreegateway.com/merchants/"
-
+  @production_endpoint "https://api.braintreegateway.com/"
   @cacertfile "/certs/api_braintreegateway_com.ca.crt"
+  @sandbox_endpoint "https://api.sandbox.braintreegateway.com/"
 
   @headers [
     {"Accept", "application/xml"},
@@ -81,12 +80,14 @@ defmodule Braintree.HTTP do
     start_time = System.monotonic_time()
 
     try do
+      url = build_url(path, opts)
+
       :hackney.request(
         method,
-        build_url(path, opts),
+        url,
         build_headers(opts),
         encode_body(body),
-        build_options()
+        build_options([{:url, url} | opts])
       )
     catch
       kind, reason ->
@@ -207,17 +208,43 @@ defmodule Braintree.HTTP do
   end
 
   @doc false
-  @spec build_options() :: [...]
-  def build_options do
-    cacertfile = Path.join(:code.priv_dir(:braintree), @cacertfile)
+  @spec build_options(Keyword.t()) :: [...]
+  def build_options(opts) do
     http_opts = Braintree.get_env(:http_options, [])
+    [:with_body] ++ ssl_opts(opts) ++ http_opts
+  end
 
-    ssl_opts = [
-      cacertfile: cacertfile,
-      verify: :verify_peer
-    ]
-
-    [:with_body, ssl_options: ssl_opts] ++ http_opts
+  defp ssl_opts(opts) do
+    case opts[:url] do
+      @production_endpoint <> _ ->
+        [
+          ssl_options: [
+            verify: :verify_peer,
+            # avoid bug in hackney 1.23.0 that compares SSL hostname to resolved IP
+            server_name_indication: String.to_charlist("api.braintreegateway.com"),
+            cacertfile:
+              get_lazy_env(opts, :cacertfile, fn ->
+                Path.join(:code.priv_dir(:braintree), @cacertfile)
+              end)
+          ]
+        ]
+
+      @sandbox_endpoint <> _ ->
+        [
+          ssl_options: [
+            verify: :verify_peer,
+            # avoid bug in hackney 1.23.0 that compares SSL hostname to resolved IP
+            server_name_indication: String.to_charlist("api.sandbox.braintreegateway.com"),
+            cacertfile:
+              get_lazy_env(opts, :sandbox_cacertfile, fn ->
+                Path.join(:code.priv_dir(:braintree), @cacertfile)
+              end)
+          ]
+        ]
+
+      _ ->
+        []
+    end
   end
 
   @doc false
@@ -237,14 +264,14 @@ defmodule Braintree.HTTP do
   end
 
   defp endpoints do
-    [production: @production_endpoint, sandbox: sandbox_endpoint()]
+    [production: @production_endpoint <> "merchants/", sandbox: sandbox_endpoint()]
   end
 
   defp sandbox_endpoint do
     Application.get_env(
       :braintree,
       :sandbox_endpoint,
-      @sandbox_endpoint
+      @sandbox_endpoint <> "merchants/"
     )
   end
 
diff --git a/mix.lock b/mix.lock
@@ -20,7 +20,7 @@
   "metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm", "69b09adddc4f74a40716ae54d140f93beb0fb8978d8636eaded0c31b6f099f16"},
   "mime": {:hex, :mime, "2.0.5", "dc34c8efd439abe6ae0343edbb8556f4d63f178594894720607772a041b04b02", [:mix], [], "hexpm", "da0d64a365c45bc9935cc5c8a7fc5e49a0e0f9932a761c55d6c52b142780a05c"},
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
-  "nimble_parsec": {:hex, :nimble_parsec, "1.4.2", "8efba0122db06df95bfaa78f791344a89352ba04baedd3849593bfce4d0dc1c6", [], [], "hexpm", "4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973"},
+  "nimble_parsec": {:hex, :nimble_parsec, "1.4.2", "8efba0122db06df95bfaa78f791344a89352ba04baedd3849593bfce4d0dc1c6", [:mix], [], "hexpm", "4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973"},
   "parse_trans": {:hex, :parse_trans, "3.4.1", "6e6aa8167cb44cc8f39441d05193be6e6f4e7c2946cb2759f015f8c56b76e5ff", [:rebar3], [], "hexpm", "620a406ce75dada827b82e453c19cf06776be266f5a67cff34e1ef2cbb60e49a"},
   "plug": {:hex, :plug, "1.15.0", "f40df58e1277fc7189f260daf788d628f03ae3053ce7ac1ca63eaf0423238714", [:mix], [{:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_crypto, "~> 1.1.1 or ~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4.3 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "e434478d1015d968cf98ae2073e78bd63c4a06a94fe328c2df45fcd01df8ae30"},
   "plug_cowboy": {:hex, :plug_cowboy, "2.5.1", "7cc96ff645158a94cf3ec9744464414f02287f832d6847079adfe0b58761cbd0", [:mix], [{:cowboy, "~> 2.7", [hex: :cowboy, repo: "hexpm", optional: false]}, {:cowboy_telemetry, "~> 0.3", [hex: :cowboy_telemetry, repo: "hexpm", optional: false]}, {:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "107d0a5865fa92bcb48e631cc0729ae9ccfa0a9f9a1bd8f01acb513abf1c2d64"},
diff --git a/test/http_test.exs b/test/http_test.exs
@@ -78,13 +78,40 @@ defmodule Braintree.HTTPTest do
 
   test "build_options/0 considers the application environment" do
     with_applicaton_config(:http_options, [timeout: 9000], fn ->
-      options = HTTP.build_options()
+      options = HTTP.build_options([])
 
       assert :with_body in options
       assert {:timeout, 9000} in options
     end)
   end
 
+  test "build_options/1 adds the cacertfile for production" do
+    options = HTTP.build_options(url: "https://api.braintreegateway.com/merchants/123foo/")
+
+    assert {:ssl_options, ssl_options} = :lists.keyfind(:ssl_options, 1, options)
+    ssl_options = Map.new(ssl_options)
+    assert %{cacertfile: _} = ssl_options
+    assert %{server_name_indication: ~c"api.braintreegateway.com"} = ssl_options
+    assert %{verify: :verify_peer} = ssl_options
+  end
+
+  test "build_options/1 adds the cacertfile for sandbox" do
+    options =
+      HTTP.build_options(url: "https://api.sandbox.braintreegateway.com/merchants/123foo/")
+
+    assert {:ssl_options, ssl_options} = :lists.keyfind(:ssl_options, 1, options)
+    ssl_options = Map.new(ssl_options)
+    assert %{cacertfile: _} = ssl_options
+    assert %{server_name_indication: ~c"api.sandbox.braintreegateway.com"} = ssl_options
+    assert %{verify: :verify_peer} = ssl_options
+  end
+
+  test "build_options/1 does not add the cacertfile for other endpoints" do
+    options = HTTP.build_options(url: "http://localhost:5000/merchants/123foo/")
+
+    refute :lists.keyfind(:ssl_options, 1, options)
+  end
+
   describe "request/3" do
     test "unauthorized response with an invalid merchant id" do
       with_applicaton_config(:merchant_id, "junkmerchantid", fn ->
