diff --git a/android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt b/android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt new file mode 100644 index 000000000000..1f16e3fd61f3 --- /dev/null +++ b/android-test/src/androidTest/java/okhttp/android/test/StrictModeTest.kt @@ -0,0 +1,71 @@ +package okhttp.android.test + +import android.os.StrictMode +import android.os.StrictMode.ThreadPolicy +import android.os.strictmode.Violation +import androidx.test.filters.SdkSuppress +import assertk.assertThat +import assertk.assertions.hasSize +import assertk.assertions.isEmpty +import assertk.assertions.isEqualTo +import okhttp3.HttpUrl.Companion.toHttpUrl +import okhttp3.OkHttpClient +import okhttp3.Request +import okhttp3.internal.platform.Platform +import org.junit.After +import org.junit.Test +import org.junit.jupiter.api.parallel.Isolated + +@Isolated +@SdkSuppress(minSdkVersion = 28) +class StrictModeTest { + private val violations = mutableListOf() + + @After + fun cleanup() { + StrictMode.setThreadPolicy( + ThreadPolicy.Builder() + .permitAll() + .build(), + ) + } + + @Test + fun testInit() { + Platform.resetForTests() + + applyStrictMode() + + // Not currently safe + // See https://github.com/square/okhttp/pull/8248 + OkHttpClient() + + assertThat(violations).hasSize(1) + assertThat(violations[0].message).isEqualTo("newSSLContext") + } + + @Test + fun testNewCall() { + Platform.resetForTests() + + val client = OkHttpClient() + + applyStrictMode() + + // Safe on main + client.newCall(Request("https://google.com/robots.txt".toHttpUrl())) + + assertThat(violations).isEmpty() + } + + private fun applyStrictMode() { + StrictMode.setThreadPolicy( + ThreadPolicy.Builder() + .detectCustomSlowCalls() + .penaltyListener({ it.run() }) { + violations.add(it) + } + .build(), + ) + } +} diff --git a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt index 5b982bdacce4..2ca1334c58ab 100644 --- a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt +++ b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/Android10Platform.kt @@ -18,8 +18,10 @@ package okhttp3.internal.platform import android.annotation.SuppressLint import android.content.Context import android.os.Build +import android.os.StrictMode import android.security.NetworkSecurityPolicy import android.util.CloseGuard +import javax.net.ssl.SSLContext import javax.net.ssl.SSLSocket import javax.net.ssl.SSLSocketFactory import javax.net.ssl.X509TrustManager @@ -32,6 +34,7 @@ import okhttp3.internal.platform.android.BouncyCastleSocketAdapter import okhttp3.internal.platform.android.ConscryptSocketAdapter import okhttp3.internal.platform.android.DeferredSocketAdapter import okhttp3.internal.tls.CertificateChainCleaner +import okhttp3.internal.tls.TrustRootIndex /** Android 10+ (API 29+). */ @SuppressSignatureCheck @@ -51,6 +54,18 @@ class Android10Platform : Platform(), ContextAwarePlatform { socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) } ?.trustManager(sslSocketFactory) + override fun newSSLContext(): SSLContext { + StrictMode.noteSlowCall("newSSLContext") + + return super.newSSLContext() + } + + override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex { + StrictMode.noteSlowCall("buildTrustRootIndex") + + return super.buildTrustRootIndex(trustManager) + } + override fun configureTlsExtensions( sslSocket: SSLSocket, hostname: String?, diff --git a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt index 35b8d0aeeb63..0a43568c0496 100644 --- a/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt +++ b/okhttp/src/androidMain/kotlin/okhttp3/internal/platform/AndroidPlatform.kt @@ -17,6 +17,7 @@ package okhttp3.internal.platform import android.content.Context import android.os.Build +import android.os.StrictMode import android.security.NetworkSecurityPolicy import android.util.Log import java.io.IOException @@ -26,6 +27,7 @@ import java.net.InetSocketAddress import java.net.Socket import java.security.cert.TrustAnchor import java.security.cert.X509Certificate +import javax.net.ssl.SSLContext import javax.net.ssl.SSLSocket import javax.net.ssl.SSLSocketFactory import javax.net.ssl.X509TrustManager @@ -74,6 +76,12 @@ class AndroidPlatform : Platform(), ContextAwarePlatform { } } + override fun newSSLContext(): SSLContext { + StrictMode.noteSlowCall("newSSLContext") + + return super.newSSLContext() + } + override fun trustManager(sslSocketFactory: SSLSocketFactory): X509TrustManager? = socketAdapters.find { it.matchesSocketFactory(sslSocketFactory) } ?.trustManager(sslSocketFactory) @@ -104,6 +112,8 @@ class AndroidPlatform : Platform(), ContextAwarePlatform { override fun buildTrustRootIndex(trustManager: X509TrustManager): TrustRootIndex = try { + StrictMode.noteSlowCall("buildTrustRootIndex") + // From org.conscrypt.TrustManagerImpl, we want the method with this signature: // private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate lastCert); val method =