diff --git a/app/build.gradle.kts b/app/build.gradle.kts index 39df639fe6f..746f7f1d765 100644 --- a/app/build.gradle.kts +++ b/app/build.gradle.kts @@ -259,6 +259,7 @@ dependencies { implementation(libs.androidx.work.runtime.ktx) implementation(libs.bitwarden.sdk) implementation(libs.bumptech.glide) + ksp(libs.bumptech.glide.compiler) implementation(libs.google.hilt.android) ksp(libs.google.hilt.compiler) implementation(libs.kotlinx.collections.immutable) diff --git a/app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModule.kt b/app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModule.kt new file mode 100644 index 00000000000..723595edbef --- /dev/null +++ b/app/src/main/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModule.kt @@ -0,0 +1,154 @@ +package com.x8bit.bitwarden.ui.platform.glide + +import android.content.Context +import com.bitwarden.network.ssl.createMtlsOkHttpClient +import com.bumptech.glide.Glide +import com.bumptech.glide.Priority +import com.bumptech.glide.Registry +import com.bumptech.glide.annotation.GlideModule +import com.bumptech.glide.load.DataSource +import com.bumptech.glide.load.HttpException +import com.bumptech.glide.load.Options +import com.bumptech.glide.load.data.DataFetcher +import com.bumptech.glide.load.model.GlideUrl +import com.bumptech.glide.load.model.ModelLoader +import com.bumptech.glide.load.model.ModelLoaderFactory +import com.bumptech.glide.load.model.MultiModelLoaderFactory +import com.bumptech.glide.module.AppGlideModule +import com.x8bit.bitwarden.data.platform.manager.CertificateManager +import dagger.hilt.EntryPoint +import dagger.hilt.InstallIn +import dagger.hilt.android.EntryPointAccessors +import dagger.hilt.components.SingletonComponent +import okhttp3.Call +import okhttp3.OkHttpClient +import okhttp3.Request +import java.io.IOException +import java.io.InputStream + +/** + * Custom Glide module for the Bitwarden app that configures Glide to use an OkHttpClient + * with mTLS (mutual TLS) support. + * + * This ensures that all icon/image loading requests through Glide present the client certificate + * for mutual TLS authentication, allowing them to pass through Cloudflare's mTLS checks. + * + * The configuration mirrors the SSL setup used in RetrofitsImpl for API calls. + */ +@GlideModule +class BitwardenAppGlideModule : AppGlideModule() { + + /** + * Entry point to access Hilt-provided dependencies from non-Hilt managed classes. + */ + @EntryPoint + @InstallIn(SingletonComponent::class) + interface BitwardenGlideEntryPoint { + /** + * Provides access to [CertificateManager] for mTLS certificate management. + */ + fun certificateManager(): CertificateManager + } + + override fun registerComponents(context: Context, glide: Glide, registry: Registry) { + // Get CertificateManager from Hilt + val entryPoint = EntryPointAccessors.fromApplication( + context.applicationContext, + BitwardenGlideEntryPoint::class.java, + ) + val certificateManager = entryPoint.certificateManager() + + val okHttpClient = certificateManager.createMtlsOkHttpClient() + + // Register custom ModelLoader that uses our mTLS OkHttpClient + registry.replace( + GlideUrl::class.java, + InputStream::class.java, + OkHttpModelLoaderFactory(okHttpClient), + ) + } + + /** + * Custom ModelLoaderFactory for Glide 5.x that uses our mTLS-configured OkHttpClient. + */ + private class OkHttpModelLoaderFactory( + private val client: OkHttpClient, + ) : ModelLoaderFactory { + + override fun build( + multiFactory: MultiModelLoaderFactory, + ): ModelLoader = OkHttpModelLoader(client) + + override fun teardown() { + // No-op + } + } + + /** + * Custom ModelLoader that uses OkHttpClient to load images. + */ + private class OkHttpModelLoader( + private val client: OkHttpClient, + ) : ModelLoader { + + override fun buildLoadData( + model: GlideUrl, + width: Int, + height: Int, + options: Options, + ): ModelLoader.LoadData { + return ModelLoader.LoadData(model, OkHttpDataFetcher(client, model)) + } + + override fun handles(model: GlideUrl): Boolean = true + } + + /** + * DataFetcher that uses OkHttpClient to execute HTTP requests. + */ + private class OkHttpDataFetcher( + private val client: OkHttpClient, + private val url: GlideUrl, + ) : DataFetcher { + + private var call: Call? = null + + override fun loadData( + priority: Priority, + callback: DataFetcher.DataCallback, + ) { + val request = Request.Builder() + .url(url.toStringUrl()) + .build() + + call = client.newCall(request) + + val localCall = client.newCall(request).also { call = it } + + val response = try { + localCall.execute() + } catch (e: IOException) { + callback.onLoadFailed(e) + return + } + + if (response.isSuccessful) { + callback.onDataReady(response.body.byteStream()) + } else { + callback.onLoadFailed(HttpException(response.message, response.code)) + } + } + + override fun cleanup() { + // Response body cleanup is handled by Glide + } + + override fun cancel() { + call?.cancel() + } + + override fun getDataClass(): Class = InputStream::class.java + + override fun getDataSource(): DataSource = DataSource.REMOTE + } +} diff --git a/app/src/test/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModuleTest.kt b/app/src/test/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModuleTest.kt new file mode 100644 index 00000000000..26e13ad0d26 --- /dev/null +++ b/app/src/test/kotlin/com/x8bit/bitwarden/ui/platform/glide/BitwardenAppGlideModuleTest.kt @@ -0,0 +1,49 @@ +package com.x8bit.bitwarden.ui.platform.glide + +import org.junit.jupiter.api.Assertions.assertNotNull +import org.junit.jupiter.api.Assertions.assertTrue +import org.junit.jupiter.api.Test + +/** + * Test class for [BitwardenAppGlideModule] to verify mTLS configuration is properly applied + * to Glide without requiring a real mTLS server. + * + * These tests verify the module's structure and that it can be instantiated. + * Full integration testing requires running the app and checking logcat for + * "BitwardenGlide" logs when images are loaded. + */ +class BitwardenAppGlideModuleTest { + + @Test + fun `BitwardenAppGlideModule should be instantiable`() { + // Verify the module can be created + val module = BitwardenAppGlideModule() + + assertNotNull(module) + } + + @Test + fun `BitwardenAppGlideModule should have EntryPoint interface for Hilt dependency injection`() { + // Verify the Hilt EntryPoint interface exists for accessing CertificateManager + val entryPointInterface = BitwardenAppGlideModule::class.java + .declaredClasses + .firstOrNull { it.simpleName == "BitwardenGlideEntryPoint" } + + assertNotNull(entryPointInterface) + } + + @Test + fun `BitwardenGlideEntryPoint should declare certificateManager method`() { + // Verify the EntryPoint has the required method to access CertificateManager + val entryPointInterface = BitwardenAppGlideModule::class.java + .declaredClasses + .firstOrNull { it.simpleName == "BitwardenGlideEntryPoint" } + + assertNotNull(entryPointInterface, "BitwardenGlideEntryPoint must exist") + + val methods = entryPointInterface!!.declaredMethods + val hasCertificateManagerMethod = methods.any { it.name == "certificateManager" } + + assertTrue(hasCertificateManagerMethod) + } +} diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index f83812cd642..19bb8115329 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -35,6 +35,7 @@ crashlytics = "3.0.6" detekt = "1.23.8" firebaseBom = "34.4.0" glide = "1.0.0-beta01" +glideKsp = "5.0.0-rc01" googleGuava = "33.5.0-jre" googleProtoBufJava = "4.33.0" googleProtoBufPlugin = "0.9.5" @@ -98,6 +99,7 @@ androidx-splashscreen = { module = "androidx.core:core-splashscreen", version.re androidx-work-runtime-ktx = { module = "androidx.work:work-runtime-ktx", version.ref = "androidxWork" } bitwarden-sdk = { module = "com.bitwarden:sdk-android", version.ref = "bitwardenSdk" } bumptech-glide = { module = "com.github.bumptech.glide:compose", version.ref = "glide" } +bumptech-glide-compiler = { module = "com.github.bumptech.glide:ksp", version.ref = "glideKsp" } detekt-detekt-formatting = { module = "io.gitlab.arturbosch.detekt:detekt-formatting", version.ref = "detekt" } detekt-detekt-rules = { module = "io.gitlab.arturbosch.detekt:detekt-rules-libraries", version.ref = "detekt" } google-firebase-bom = { module = "com.google.firebase:firebase-bom", version.ref = "firebaseBom" } diff --git a/network/src/main/kotlin/com/bitwarden/network/retrofit/RetrofitsImpl.kt b/network/src/main/kotlin/com/bitwarden/network/retrofit/RetrofitsImpl.kt index 8d0a6efe8eb..4046170faa0 100644 --- a/network/src/main/kotlin/com/bitwarden/network/retrofit/RetrofitsImpl.kt +++ b/network/src/main/kotlin/com/bitwarden/network/retrofit/RetrofitsImpl.kt @@ -5,8 +5,8 @@ import com.bitwarden.network.interceptor.AuthTokenManager import com.bitwarden.network.interceptor.BaseUrlInterceptor import com.bitwarden.network.interceptor.BaseUrlInterceptors import com.bitwarden.network.interceptor.HeadersInterceptor -import com.bitwarden.network.ssl.BitwardenX509ExtendedKeyManager import com.bitwarden.network.ssl.CertificateProvider +import com.bitwarden.network.ssl.createSslContext import com.bitwarden.network.util.HEADER_KEY_AUTHORIZATION import kotlinx.serialization.json.Json import okhttp3.MediaType.Companion.toMediaType @@ -16,8 +16,6 @@ import retrofit2.Retrofit import retrofit2.converter.kotlinx.serialization.asConverterFactory import timber.log.Timber import java.security.KeyStore -import javax.net.ssl.SSLContext -import javax.net.ssl.TrustManager import javax.net.ssl.TrustManagerFactory import javax.net.ssl.X509TrustManager @@ -149,28 +147,18 @@ internal class RetrofitsImpl( ) .build() - private fun createSslTrustManagers(): Array = - TrustManagerFactory + private fun OkHttpClient.Builder.configureSsl(): OkHttpClient.Builder { + val sslContext = certificateProvider.createSslContext() + val trustManagers = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()) .apply { init(null as KeyStore?) } .trustManagers - private fun createSslContext(certificateProvider: CertificateProvider): SSLContext = SSLContext - .getInstance("TLS").apply { - init( - arrayOf( - BitwardenX509ExtendedKeyManager(certificateProvider = certificateProvider), - ), - createSslTrustManagers(), - null, - ) - } - - private fun OkHttpClient.Builder.configureSsl(): OkHttpClient.Builder = - sslSocketFactory( - createSslContext(certificateProvider = certificateProvider).socketFactory, - createSslTrustManagers().first() as X509TrustManager, + return sslSocketFactory( + sslContext.socketFactory, + trustManagers.first() as X509TrustManager, ) + } //endregion Helper properties and functions } diff --git a/network/src/main/kotlin/com/bitwarden/network/ssl/CertificateProviderExtensions.kt b/network/src/main/kotlin/com/bitwarden/network/ssl/CertificateProviderExtensions.kt new file mode 100644 index 00000000000..c25e688ac76 --- /dev/null +++ b/network/src/main/kotlin/com/bitwarden/network/ssl/CertificateProviderExtensions.kt @@ -0,0 +1,54 @@ +package com.bitwarden.network.ssl + +import okhttp3.OkHttpClient +import java.security.KeyStore +import javax.net.ssl.SSLContext +import javax.net.ssl.TrustManager +import javax.net.ssl.TrustManagerFactory +import javax.net.ssl.X509TrustManager + +/** + * Creates an [SSLContext] configured with mTLS support using this [CertificateProvider]. + * + * The returned SSLContext will present the client certificate from this provider during + * TLS handshakes, enabling mutual TLS authentication. + */ +fun CertificateProvider.createSslContext(): SSLContext = + SSLContext.getInstance("TLS").apply { + init( + arrayOf( + BitwardenX509ExtendedKeyManager(certificateProvider = this@createSslContext), + ), + createSslTrustManagers(), + null, + ) + } + +/** + * Creates an [OkHttpClient] configured with mTLS support using this [CertificateProvider]. + * + * The returned client will present the client certificate from this provider during TLS + * handshakes, allowing requests to pass through mTLS checks. + */ +fun CertificateProvider.createMtlsOkHttpClient(): OkHttpClient { + val sslContext = createSslContext() + val trustManagers = createSslTrustManagers() + + return OkHttpClient.Builder() + .sslSocketFactory( + sslContext.socketFactory, + trustManagers.first() as X509TrustManager, + ) + .build() +} + +/** + * Creates default [TrustManager]s for verifying server certificates. + * + * Uses the system's default trust anchors (trusted CA certificates). + */ +private fun createSslTrustManagers(): Array = + TrustManagerFactory + .getInstance(TrustManagerFactory.getDefaultAlgorithm()) + .apply { init(null as KeyStore?) } + .trustManagers