feat: ssl support (#944)

Author: marandaneto

sentry-spring-boot-starter/src/test/kotlin/io/sentry/spring/boot/SentryAutoConfigurationTest.kt

@@ -70,7 +70,6 @@ class SentryAutoConfigurationTest {
             "sentry.read-timeout-millis=10",
             "sentry.shutdown-timeout=20",
             "sentry.flush-timeout-millis=30",
-            "sentry.bypass-security=true",
             "sentry.debug=true",
             "sentry.diagnostic-level=INFO",
             "sentry.sentry-client-name=my-client",
@@ -89,7 +88,6 @@ class SentryAutoConfigurationTest {
             assertThat(options.readTimeoutMillis).isEqualTo(10)
             assertThat(options.shutdownTimeout).isEqualTo(20)
             assertThat(options.flushTimeoutMillis).isEqualTo(30)
-            assertThat(options.isBypassSecurity).isTrue()
             assertThat(options.isDebug).isTrue()
             assertThat(options.diagnosticLevel).isEqualTo(SentryLevel.INFO)
             assertThat(options.maxBreadcrumbs).isEqualTo(100)

sentry/src/main/java/io/sentry/HttpTransportFactory.java

@@ -28,7 +28,8 @@ static ITransport create(@NotNull SentryOptions options) {
         credentials,
         options.getConnectionTimeoutMillis(),
         options.getReadTimeoutMillis(),
-        options.isBypassSecurity(),
+        options.getSslSocketFactory(),
+        options.getHostnameVerifier(),
         sentryUrl);
   }
 }

sentry/src/main/java/io/sentry/SentryOptions.java

@@ -13,6 +13,8 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.CopyOnWriteArrayList;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLSocketFactory;
 import org.jetbrains.annotations.ApiStatus;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -194,9 +196,6 @@ public class SentryOptions {
   /** read timeout in milliseconds */
   private int readTimeoutMillis = 5000;
 
-  /** whether to ignore TLS errors */
-  private boolean bypassSecurity = false;
-
   /** Reads and caches envelope files in the disk */
   private @NotNull IEnvelopeCache envelopeDiskCache = NoOpEnvelopeCache.getInstance();
 
@@ -206,6 +205,12 @@ public class SentryOptions {
   /** whether to send personal identifiable information along with events */
   private boolean sendDefaultPii = false;
 
+  /** HostnameVerifier for self-signed certificate trust* */
+  private @Nullable HostnameVerifier hostnameVerifier;
+
+  /** SSLSocketFactory for self-signed certificate trust * */
+  private @Nullable SSLSocketFactory sslSocketFactory;
+
   /** list of scope observers */
   private final @NotNull List<IScopeObserver> observers = new ArrayList<>();
 
@@ -874,24 +879,6 @@ public void setReadTimeoutMillis(int readTimeoutMillis) {
     this.readTimeoutMillis = readTimeoutMillis;
   }
 
-  /**
-   * Returns whether to ignore TLS errors
-   *
-   * @return the bypassSecurity
-   */
-  public boolean isBypassSecurity() {
-    return bypassSecurity;
-  }
-
-  /**
-   * Sets whether to ignore TLS errors
-   *
-   * @param bypassSecurity the bypassSecurity
-   */
-  public void setBypassSecurity(boolean bypassSecurity) {
-    this.bypassSecurity = bypassSecurity;
-  }
-
   /**
    * Returns the EnvelopeCache interface
    *
@@ -940,6 +927,38 @@ public void setMaxQueueSize(int maxQueueSize) {
     return sdkVersion;
   }
 
+  /**
+   * Returns SSLSocketFactory
+   *
+   * @return SSLSocketFactory object or null
+   */
+  public @Nullable SSLSocketFactory getSslSocketFactory() {
+    return sslSocketFactory;
+  }
+
+  /**
+   * Set custom SSLSocketFactory that is trusted to self-signed certificates
+   *
+   * @param sslSocketFactory SSLSocketFactory object
+   */
+  public void setSslSocketFactory(final @Nullable SSLSocketFactory sslSocketFactory) {
+    this.sslSocketFactory = sslSocketFactory;
+  }
+
+  /**
+   * Returns HostnameVerifier
+   *
+   * @return HostnameVerifier objecr or null
+   */
+  public @Nullable HostnameVerifier getHostnameVerifier() {
+    return hostnameVerifier;
+  }
+
+  /** Set HostnameVerifier */
+  public void setHostnameVerifier(final @Nullable HostnameVerifier hostnameVerifier) {
+    this.hostnameVerifier = hostnameVerifier;
+  }
+
   /**
    * Sets the SdkVersion object
    *

sentry/src/main/java/io/sentry/transport/HttpTransport.java

@@ -31,7 +31,9 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.zip.GZIPOutputStream;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLSocketFactory;
 import org.jetbrains.annotations.ApiStatus;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -74,8 +76,10 @@ public String getCategory() {
   private final @NotNull ISerializer serializer;
   private final int connectionTimeout;
   private final int readTimeout;
-  private final boolean bypassSecurity;
   private final @NotNull URL envelopeUrl;
+  private final @Nullable SSLSocketFactory sslSocketFactory;
+  private final @Nullable HostnameVerifier hostnameVerifier;
+
   private final @NotNull SentryOptions options;
 
   private final @NotNull Map<DataCategory, Date> sentryRetryAfterLimit = new ConcurrentHashMap<>();
@@ -96,22 +100,25 @@ public String getCategory() {
    *     is sent
    * @param connectionTimeoutMillis connection timeout in milliseconds
    * @param readTimeoutMillis read timeout in milliseconds
-   * @param bypassSecurity whether to ignore TLS errors
+   * @param sslSocketFactory custom sslSocketFactory for self-signed certificate trust
+   * @param hostnameVerifier custom hostnameVerifier for self-signed certificate trust
    * @param sentryUrl sentryUrl which is the parsed DSN
    */
   public HttpTransport(
       final @NotNull SentryOptions options,
       final @NotNull IConnectionConfigurator connectionConfigurator,
       final int connectionTimeoutMillis,
       final int readTimeoutMillis,
-      final boolean bypassSecurity,
+      final @Nullable SSLSocketFactory sslSocketFactory,
+      final @Nullable HostnameVerifier hostnameVerifier,
       final @NotNull URL sentryUrl) {
     this(
         options,
         connectionConfigurator,
         connectionTimeoutMillis,
         readTimeoutMillis,
-        bypassSecurity,
+        sslSocketFactory,
+        hostnameVerifier,
         sentryUrl,
         CurrentDateProvider.getInstance());
   }
@@ -121,7 +128,8 @@ public HttpTransport(
       final @NotNull IConnectionConfigurator connectionConfigurator,
       final int connectionTimeoutMillis,
       final int readTimeoutMillis,
-      final boolean bypassSecurity,
+      final @Nullable SSLSocketFactory sslSocketFactory,
+      final @Nullable HostnameVerifier hostnameVerifier,
       final @NotNull URL sentryUrl,
       final @NotNull ICurrentDateProvider currentDateProvider) {
     this.proxy = options.getProxy();
@@ -130,7 +138,8 @@ public HttpTransport(
     this.connectionTimeout = connectionTimeoutMillis;
     this.readTimeout = readTimeoutMillis;
     this.options = options;
-    this.bypassSecurity = bypassSecurity;
+    this.sslSocketFactory = sslSocketFactory;
+    this.hostnameVerifier = hostnameVerifier;
     this.currentDateProvider =
         Objects.requireNonNull(currentDateProvider, "CurrentDateProvider is required.");
     this.logger = Objects.requireNonNull(options.getLogger(), "Logger is required.");
@@ -227,8 +236,11 @@ public boolean isRetryAfter(final @NotNull String itemType) {
     connection.setConnectTimeout(connectionTimeout);
     connection.setReadTimeout(readTimeout);
 
-    if (bypassSecurity && connection instanceof HttpsURLConnection) {
-      ((HttpsURLConnection) connection).setHostnameVerifier((__, ___) -> true);
+    if (connection instanceof HttpsURLConnection && hostnameVerifier != null) {
+      ((HttpsURLConnection) connection).setHostnameVerifier(hostnameVerifier);
+    }
+    if (connection instanceof HttpsURLConnection && sslSocketFactory != null) {
+      ((HttpsURLConnection) connection).setSSLSocketFactory(sslSocketFactory);
     }
 
     connection.connect();

sentry/src/test/java/io/sentry/SentryClientTest.kt

@@ -387,7 +387,7 @@ class SentryClientTest {
         val sentryOptions: SentryOptions = SentryOptions().apply {
             dsn = dsnString
         }
-        val transport = HttpTransport(sentryOptions, mock(), 500, 500, false, URL("https://[email protected]/proj"))
+        val transport = HttpTransport(sentryOptions, mock(), 500, 500, null, null, URL("https://[email protected]/proj"))
         sentryOptions.setTransport(transport)
 
         val connection = mock<AsyncConnection>()

sentry/src/test/java/io/sentry/transport/HttpTransportTest.kt

@@ -3,6 +3,7 @@ package io.sentry.transport
 import com.nhaarman.mockitokotlin2.any
 import com.nhaarman.mockitokotlin2.eq
 import com.nhaarman.mockitokotlin2.mock
+import com.nhaarman.mockitokotlin2.never
 import com.nhaarman.mockitokotlin2.verify
 import com.nhaarman.mockitokotlin2.whenever
 import io.sentry.ISerializer
@@ -12,10 +13,12 @@ import io.sentry.SentryOptions
 import io.sentry.Session
 import io.sentry.protocol.User
 import java.io.IOException
-import java.net.HttpURLConnection
 import java.net.Proxy
 import java.net.URI
 import java.net.URL
+import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.HttpsURLConnection
+import javax.net.ssl.SSLSocketFactory
 import kotlin.test.Test
 import kotlin.test.assertEquals
 import kotlin.test.assertFalse
@@ -24,28 +27,33 @@ import kotlin.test.assertTrue
 class HttpTransportTest {
 
     private class Fixture {
-        val dsn: URL = URI.create("http://key@localhost/proj").toURL()
+        val dsn: URL = URI.create("https://key@localhost/proj").toURL()
         val serializer = mock<ISerializer>()
         var proxy: Proxy? = null
         var requestUpdater = IConnectionConfigurator {}
         var connectionTimeout = 1000
         var readTimeout = 500
-        var bypassSecurity = false
-        val connection = mock<HttpURLConnection>()
+        val connection = mock<HttpsURLConnection>()
         val currentDateProvider = mock<ICurrentDateProvider>()
+        var sslSocketFactory: SSLSocketFactory? = null
+        var hostnameVerifier: HostnameVerifier? = null
 
         init {
             whenever(connection.outputStream).thenReturn(mock())
             whenever(connection.inputStream).thenReturn(mock())
+            whenever(connection.setHostnameVerifier(any())).thenCallRealMethod()
+            whenever(connection.setSSLSocketFactory(any())).thenCallRealMethod()
         }
 
         fun getSUT(): HttpTransport {
             val options = SentryOptions()
             options.setSerializer(serializer)
             options.proxy = proxy
+            options.sslSocketFactory = sslSocketFactory
+            options.hostnameVerifier = hostnameVerifier
 
-            return object : HttpTransport(options, requestUpdater, connectionTimeout, readTimeout, bypassSecurity, dsn, currentDateProvider) {
-                override fun open(): HttpURLConnection {
+            return object : HttpTransport(options, requestUpdater, connectionTimeout, readTimeout, sslSocketFactory, hostnameVerifier, dsn, currentDateProvider) {
+                override fun open(): HttpsURLConnection {
                     return connection
                 }
             }
@@ -265,6 +273,46 @@ class HttpTransportTest {
         assertTrue(transport.isRetryAfter("event"))
     }
 
+    @Test
+    fun `When SSLSocketFactory is given, set to connection`() {
+        val factory = mock<SSLSocketFactory>()
+        fixture.sslSocketFactory = factory
+        val transport = fixture.getSUT()
+
+        transport.send(createEnvelope())
+
+        verify(fixture.connection).sslSocketFactory = eq(factory)
+    }
+
+    @Test
+    fun `When SSLSocketFactory is not given, do not set to connection`() {
+        val transport = fixture.getSUT()
+
+        transport.send(createEnvelope())
+
+        verify(fixture.connection, never()).sslSocketFactory = any()
+    }
+
+    @Test
+    fun `When HostnameVerifier is given, set to connection`() {
+        val hostname = mock<HostnameVerifier>()
+        fixture.hostnameVerifier = hostname
+        val transport = fixture.getSUT()
+
+        transport.send(createEnvelope())
+
+        verify(fixture.connection).hostnameVerifier = eq(hostname)
+    }
+
+    @Test
+    fun `When HostnameVerifier is not given, do not set to connection`() {
+        val transport = fixture.getSUT()
+
+        transport.send(createEnvelope())
+
+        verify(fixture.connection, never()).hostnameVerifier = any()
+    }
+
     private fun createSession(): Session {
         return Session("123", User(), "env", "release")
     }