Add a StrictMode noteSlowCall for SSL init (#8339)

yschimke · web-flow · commit 9c653c7b0a3c · 2025-01-05T13:15:05.000Z
Add strict mode checks on slow calls
diff --git a/android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt b/android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt
@@ -0,0 +1,71 @@
+package okhttp.android.test
+
+import android.os.StrictMode
+import android.os.StrictMode.ThreadPolicy
+import android.os.strictmode.Violation
+import androidx.test.filters.SdkSuppress
+import assertk.assertThat
+import assertk.assertions.hasSize
+import assertk.assertions.isEmpty
+import assertk.assertions.isEqualTo
+import okhttp3.HttpUrl.Companion.toHttpUrl
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.internal.platform.Platform
+import org.junit.After
+import org.junit.Test
+import org.junit.jupiter.api.parallel.Isolated
+
+@Isolated
+@SdkSuppress(minSdkVersion = 28)
+class StrictModeTest {
+  private val violations = mutableListOf<Violation>()
+
+  @After
+  fun cleanup() {
+    StrictMode.setThreadPolicy(
+      ThreadPolicy.Builder()
+        .permitAll()
+        .build(),
+    )
+  }
+
+  @Test
+  fun testInit() {
+    Platform.resetForTests()
+
+    applyStrictMode()
+
+    // Not currently safe
+    // See https://github.com/square/okhttp/pull/8248
+    OkHttpClient()
+
+    assertThat(violations).hasSize(1)
+    assertThat(violations[0].message).isEqualTo("newSSLContext")
+  }
+
+  @Test
+  fun testNewCall() {
+    Platform.resetForTests()
+
+    val client = OkHttpClient()
+
+    applyStrictMode()
+
+    // Safe on main
+    client.newCall(Request("https://google.com/robots.txt".toHttpUrl()))
+
+    assertThat(violations).isEmpty()
+  }
+
+  private fun applyStrictMode() {
+    StrictMode.setThreadPolicy(
+      ThreadPolicy.Builder()
+        .detectCustomSlowCalls()
+        .penaltyListener({ it.run() }) {
+          violations.add(it)
+        }
+        .build(),
+    )
+  }
+}
diff --git a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt
@@ -18,8 +18,10 @@ package okhttp3.internal.platform
 import android.annotation.SuppressLint
 import android.content.Context
 import android.os.Build
+import android.os.StrictMode
 import android.security.NetworkSecurityPolicy
 import android.util.CloseGuard
+import javax.net.ssl.SSLContext
 import javax.net.ssl.SSLSocket
 import javax.net.ssl.SSLSocketFactory
 import javax.net.ssl.X509TrustManager
@@ -32,6 +34,7 @@ import okhttp3.internal.platform.android.BouncyCastleSocketAdapter
 import okhttp3.internal.platform.android.ConscryptSocketAdapter
 import okhttp3.internal.platform.android.DeferredSocketAdapter
 import okhttp3.internal.tls.CertificateChainCleaner
+import okhttp3.internal.tls.TrustRootIndex
 
 /** Android 10+ (API 29+). */
 @SuppressSignatureCheck
@@ -51,6 +54,18 @@ class Android10Platform : Platform(), ContextAwarePlatform {
     socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) }
       ?.trustManager(sslSocketFactory)
 
+  override fun newSSLContext(): SSLContext {
+    StrictMode.noteSlowCall("newSSLContext")
+
+    return super.newSSLContext()
+  }
+
+  override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex {
+    StrictMode.noteSlowCall("buildTrustRootIndex")
+
+    return super.buildTrustRootIndex(trustManager)
+  }
+
   override fun configureTlsExtensions(
     sslSocket: SSLSocket,
     hostname: String?,
diff --git a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt
@@ -17,6 +17,7 @@ package okhttp3.internal.platform
 
 import android.content.Context
 import android.os.Build
+import android.os.StrictMode
 import android.security.NetworkSecurityPolicy
 import android.util.Log
 import java.io.IOException
@@ -26,6 +27,7 @@ import java.net.InetSocketAddress
 import java.net.Socket
 import java.security.cert.TrustAnchor
 import java.security.cert.X509Certificate
+import javax.net.ssl.SSLContext
 import javax.net.ssl.SSLSocket
 import javax.net.ssl.SSLSocketFactory
 import javax.net.ssl.X509TrustManager
@@ -74,6 +76,12 @@ class AndroidPlatform : Platform(), ContextAwarePlatform {
     }
   }
 
+  override fun newSSLContext(): SSLContext {
+    StrictMode.noteSlowCall("newSSLContext")
+
+    return super.newSSLContext()
+  }
+
   override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager? =
     socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) }
       ?.trustManager(sslSocketFactory)
@@ -104,6 +112,8 @@ class AndroidPlatform : Platform(), ContextAwarePlatform {
 
   override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex =
     try {
+      StrictMode.noteSlowCall("buildTrustRootIndex")
+
       // From org.conscrypt.TrustManagerImpl, we want the method with this signature:
       // private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert);
       val method =
