Indicate custom SSL limitations

Document the limitations of OkHttp and Java 8_252 or newer being unable to use disableSSLAuthentication and customSSLSocketFactory options. Ignore test combinations that intersect that. Make the CloudFoundryServiceTest not use OkHttp.

Author: ricellis

README.md

@@ -68,6 +68,10 @@ The main use case that is supported by this optional dependency is configuration
 ([see the javadoc](http://www.javadoc.io/doc/com.cloudant/cloudant-client/) for ClientBuilder.maxConnections). If the OkHttp dependency is
 available at runtime it will be used automatically. Not using OkHttp will result in a smaller application size.
 
+**Note:** The configuration options `ClientBuilder.customSSLSocketFactory` and
+`ClientBuilder.disableSSLAuthentication` are not usable with the combination of the optional OkHttp
+dependency and Java versions of 8u252 or newer.
+
 ## Getting Started
 
 This section contains a simple example of creating a `com.cloudant.client.api.CloudantClient` instance and interacting with Cloudant.

cloudant-client/src/main/java/com/cloudant/client/api/ClientBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -514,6 +514,9 @@ public ClientBuilder proxyPassword(String proxyPassword) {
  * The SSL authentication is enabled by default meaning that hostname verification
  * and certificate chain validation is done using the JVM default settings.
  * </P>
+ * <P>
+ * <B>Not supported with Java 8u252 or newer and the optional OkHttp dependency.</B>
+ * </P>
  *
  * @return this ClientBuilder object for setting additional options
  * @throws IllegalStateException if {@link #customSSLSocketFactory(SSLSocketFactory)}
@@ -534,6 +537,9 @@ public ClientBuilder disableSSLAuthentication() {
  /**
  * Specifies the custom SSLSocketFactory to use when connecting to Cloudant over a
  * <code>https</code> URL, when SSL authentication is enabled.
+ * <P>
+ * <B>Not supported with Java 8u252 or newer and the optional OkHttp dependency.</B>
+ * </P>
  *
  * @param factory An SSLSocketFactory, or <code>null</code> for the
  * default SSLSocketFactory of the JRE.

cloudant-client/src/test/java/com/cloudant/tests/CloudFoundryServiceTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2016, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2016, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -24,6 +24,7 @@
 import com.cloudant.client.api.ClientBuilder;
 import com.cloudant.client.api.CloudantClient;
 import com.cloudant.tests.extensions.MockWebServerExtension;
+import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
 import com.google.gson.GsonBuilder;
 
@@ -63,6 +64,11 @@ public class CloudFoundryServiceTest {
 
  @BeforeEach
  public void beforeEach() {
+ // Default test running uses OkHttp because it is in the classpath
+ // These tests need to use disableSSLAuthentication because the mock server https does not
+ // have a trusted certificate. That option is not valid with OkHttp and Java 8_252 or newer
+ // but we want to run these tests, so use the OkHelperMock to disable OkHttp.
+ new HttpFactoryParameterizedTest.OkHelperMock();
  server = mockWebServerExt.get();
  server.useHttps(MockWebServerResources.getSSLSocketFactory(), false);
  mockServerHostPort = String.format("%s:%s/", server.getHostName(), server.getPort());

cloudant-client/src/test/java/com/cloudant/tests/HttpProxyTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -23,6 +23,7 @@
 import com.cloudant.tests.extensions.MockWebServerExtension;
 import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
+import com.cloudant.tests.util.Utils;
 
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
@@ -300,6 +301,10 @@ public void proxiedRequest(final boolean okUsable,
  final boolean useHttpsServer,
  final boolean useProxyAuth) throws Exception {
 
+ // Test uses disableSSLAuthentication because the mock server doesn't have a trusted cert
+ // - need to disable the test for OkHttp and Java 8_252 or newer
+ Utils.assumeCustomSslAuthUsable(okUsable);
+
  //mock a 200 OK
  server.setDispatcher(new Dispatcher() {
  @Override

cloudant-client/src/test/java/com/cloudant/tests/SslAuthenticationTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2019 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -24,6 +24,7 @@
 import com.cloudant.tests.extensions.MockWebServerExtension;
 import com.cloudant.tests.util.HttpFactoryParameterizedTest;
 import com.cloudant.tests.util.MockWebServerResources;
+import com.cloudant.tests.util.Utils;
 
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.TestTemplate;
@@ -136,7 +137,8 @@ private static void validateClientAuthenticationException(CouchDbException e) {
  */
  @TestTemplate
  public void localSslAuthenticationDisabled() throws Exception {
-
+ // disableSSLAuthentication not usable with OkHttp and 8_252 or newer
+ Utils.assumeCustomSslAuthUsable(isOkUsable);
  // Build a client that connects to the mock server with SSL authentication disabled
  CloudantClient dbClient = CloudantClientHelper.newMockWebServerClientBuilder(server)
  .disableSSLAuthentication()
@@ -251,7 +253,8 @@ public void execute() throws Throwable {
  */
  @TestTemplate
  public void localSSLAuthenticationDisabledWithCookieAuth() throws Exception {
-
+ // disableSSLAuthentication not usable with OkHttp and 8_252 or newer
+ Utils.assumeCustomSslAuthUsable(isOkUsable);
  // Mock up an OK cookie response then an OK response for the getAllDbs()
  server.enqueue(MockWebServerResources.OK_COOKIE);
  server.enqueue(new MockResponse()); //OK 200

cloudant-client/src/test/java/com/cloudant/tests/util/HttpFactoryParameterizedTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2016, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2016, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -37,7 +37,7 @@ public abstract class HttpFactoryParameterizedTest extends TestWithDbPerClass {
  * A mock OkHelper that always returns false to force use of the JVM HttpURLConnection
  * via the {@link DefaultHttpUrlConnectionFactory}
  */
- static class OkHelperMock extends MockUp<OkHelper> {
+ public static class OkHelperMock extends MockUp<OkHelper> {
  @Mock
  public static boolean isOkUsable() {
  return false;

cloudant-client/src/test/java/com/cloudant/tests/util/Utils.java

@@ -1,5 +1,5 @@
 /*
- * Copyright © 2015, 2018 IBM Corp. All rights reserved.
+ * Copyright © 2015, 2020 IBM Corp. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
  * except in compliance with the License. You may obtain a copy of the License at
@@ -35,6 +35,8 @@
 import com.cloudant.http.HttpConnectionInterceptorContext;
 import com.cloudant.http.HttpConnectionResponseInterceptor;
 
+import org.junit.jupiter.api.Assumptions;
+
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.net.URI;
@@ -225,4 +227,34 @@ public static void assertOKResponse(Response r) throws Exception {
  assertTrue(r.getStatusCode()
  / 100 == 2, "The response code should be 2XX was " + r.getStatusCode());
  }
+
+ /**
+ * Utility to ignore tests when running with optional OkHttp dependency and Java 8_252 or newer.
+ * This should be applied to any test that uses the customSSLSocketFactory or
+ * disableSSLAuthentication options.
+ *
+ * These options cannot be used with OkHttp and Java 8_252 or newer
+ * (see https://github.com/square/okhttp/issues/5970.
+ * OkHttp treats 8_252 and newer as equivalent to 9+ because of the availability of ALPN
+ * support. In 9+ reflection cannot be used to infer the TrustManager from the SslSocketFactory
+ * so setting the SslSocketFactory without a TrustManager is prevented. This blocks the route we
+ * currently use to supply custom SslSocketFactory via the deprecated OkHttp OkUrlFactory path
+ * via javax.net.ssl.HttpsURLConnection#setSSLSocketFactory(javax.net.ssl.SSLSocketFactory).
+ *
+ */
+ public static void assumeCustomSslAuthUsable(boolean isOkUsable) {
+ String version = System.getProperty("java.version");
+ boolean java8_252OrHigher = false;
+ // Java 1.8 or lower, 9+ are 9, 10 etc
+ if (version.startsWith("1.")) {
+ if (version.startsWith("1.8.")) {
+ int update = Integer.parseInt(version.split("_")[1]);
+ if (update >= 252) java8_252OrHigher = true;
+ }
+ } else {
+ java8_252OrHigher = true;
+ }
+ Assumptions.assumeFalse(isOkUsable && java8_252OrHigher, "Test uses custom " +
+ "SslSocketFactory, incompatible with OkHttp and Java 8_252 or newer.");
+ }
 }