-
Notifications
You must be signed in to change notification settings - Fork 994
Fix OkHttp client mTLS when using the platform default trust store #8565
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
64d015e
ea96f60
c0a6159
1f4e437
dbc453f
b6f5f6b
e99a75d
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ | |
|
|
||
| package io.opentelemetry.exporter.internal; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
| import static org.assertj.core.api.Assertions.assertThatCode; | ||
| import static org.mockito.Mockito.mock; | ||
|
|
||
| import com.linecorp.armeria.internal.common.util.SelfSignedCertificate; | ||
| import java.io.File; | ||
|
|
@@ -15,13 +17,19 @@ | |
| import java.nio.file.Path; | ||
| import java.nio.file.StandardOpenOption; | ||
| import java.security.KeyFactory; | ||
| import java.security.KeyStore; | ||
| import java.security.cert.CertificateException; | ||
| import java.security.spec.PKCS8EncodedKeySpec; | ||
| import java.time.Instant; | ||
| import java.util.Collections; | ||
| import java.util.Date; | ||
| import java.util.stream.Stream; | ||
| import javax.net.ssl.ManagerFactoryParameters; | ||
| import javax.net.ssl.SSLException; | ||
| import javax.net.ssl.TrustManager; | ||
| import javax.net.ssl.TrustManagerFactory; | ||
| import javax.net.ssl.TrustManagerFactorySpi; | ||
| import javax.net.ssl.X509TrustManager; | ||
| import org.junit.jupiter.api.BeforeEach; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.junit.jupiter.api.io.TempDir; | ||
|
|
@@ -79,6 +87,44 @@ void generatePrivateKey_Invalid() { | |
| .hasMessage("Unable to generate key from supported algorithms: [EC]"); | ||
| } | ||
|
|
||
| @Test | ||
| void defaultTrustManager() { | ||
| assertThatCode(TlsUtil::defaultTrustManager).doesNotThrowAnyException(); | ||
| } | ||
|
|
||
| @Test | ||
|
psx95 marked this conversation as resolved.
|
||
| void defaultTrustManager_returnsX509TrustManager() throws Exception { | ||
| X509TrustManager trustManager = mock(X509TrustManager.class); | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is the purpose of this test to verify that the if so, then I don't think mocking for this test is necessary. Would the following assertion cover what you're trying to test here? @Test
void defaultTrustManager_returnsX509TrustManager() throws Exception {
assertThat(TlsUtil.defaultTrustManager()).isInstanceOf(X509TrustManager.class);
} |
||
|
|
||
| assertThat(TlsUtil.defaultTrustManager(trustManagerFactory(new TrustManager[] {trustManager}))) | ||
| .isSameAs(trustManager); | ||
| } | ||
|
|
||
| private static TrustManagerFactory trustManagerFactory(TrustManager[] trustManagers) { | ||
| return new TrustManagerFactory( | ||
| new TrustManagerFactorySpi() { | ||
| @Override | ||
| protected void engineInit(KeyStore keyStore) {} | ||
|
|
||
| @Override | ||
| protected void engineInit(ManagerFactoryParameters spec) {} | ||
|
|
||
| @Override | ||
| protected TrustManager[] engineGetTrustManagers() { | ||
| return trustManagers; | ||
| } | ||
| }, | ||
| null, | ||
| "test") {}; | ||
| } | ||
|
|
||
| @Test | ||
| void defaultTrustManager_NoX509TrustManagerFound() { | ||
| assertThatCode(() -> TlsUtil.defaultTrustManager(trustManagerFactory(new TrustManager[0]))) | ||
| .isInstanceOf(SSLException.class) | ||
| .hasMessage("No X509TrustManager found"); | ||
| } | ||
|
Comment on lines
+122
to
+126
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Optional: This test could benefit from mocking behavior and the method you added @Test
@SuppressWarnings("CannotMockMethod")
void defaultTrustManager_NoX509TrustManagerFound() {
TrustManagerFactory trustManagerFactory = mock(TrustManagerFactory.class);
when(trustManagerFactory.getTrustManagers()).thenReturn(new TrustManager[0]);
when(trustManagerFactory.getAlgorithm()).thenReturn("PKIX");
assertThatCode(() -> TlsUtil.defaultTrustManager(trustManagerFactory))
.isInstanceOf(SSLException.class)
.hasMessage("No X509TrustManager found");
}This would allow you to remove But I notice that the repository has not used this pattern before. So I'll let other reviewers weigh-in here. |
||
|
|
||
| /** | ||
| * Append <a href="https://datatracker.ietf.org/doc/html/rfc7468#section-5.2">explanatory text</a> | ||
| * prefix and verify {@link TlsUtil#keyManager(byte[], byte[])} succeeds. | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.