Fix OkHttp client mTLS when using the platform default trust store#8565
Fix OkHttp client mTLS when using the platform default trust store#8565Debashismitra01 wants to merge 7 commits into
Conversation
d6866b5 to
76a1e10
Compare
# Conflicts: # exporters/otlp/testing-internal/src/main/java/io/opentelemetry/exporter/otlp/testing/internal/AbstractHttpTelemetryExporterTest.java
76a1e10 to
1f4e437
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8565 +/- ##
============================================
- Coverage 91.55% 91.54% -0.01%
- Complexity 10262 10263 +1
============================================
Files 1013 1013
Lines 27102 27123 +21
Branches 3182 3185 +3
============================================
+ Hits 24812 24831 +19
+ Misses 1565 1564 -1
- Partials 725 728 +3 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
Hi! I ran into an issue with the patch coverage check. The remaining uncovered lines are primarily defensive exception paths introduced by the new default trust manager resolution (e.g. TlsUtil.defaultTrustManager() failure handling). These paths are difficult to exercise without introducing static mocking of JDK/Mockito internals. I considered refactoring the implementation to reduce the uncovered branches, but that would either reintroduce the original bug or require resolving the default trust manager multiple times, which I'd prefer to avoid. Before I proceed further, could you advise on the preferred direction? Should I add tests using static mocking for these exception paths? I'd appreciate your guidance on which approach best fits the project's expectations. |
09b53c2 to
b6f5f6b
Compare
|
Hey Mitra, thanks for taking care of this just couple things. The default trust manager gets resolved twice (once in |
103d4b8 to
1a24c95
Compare
|
This PR has review comments. Review suggestions, whether from maintainers or automated reviewers, aren't always correct or required. Please evaluate each comment on its merits, then make sure each thread has a clear outcome. For example, link to the commit if you applied a suggestion, explain why it wasn't applied, or ask a follow-up question. Automation flags a PR for human review once every review thread has a reply or is marked as resolved. Status across open PRs is visible on the pull request dashboard. |
1a24c95 to
2befe38
Compare
I could not find any instances where static mocking is used in the repo, so I think we want to avoid that even though the mocking section did not explicitly mention it. I think you could follow a pattern similar to how keyManager is being tested using a method added explicitly to facilitate testing. // Visible for testing
static X509TrustManager defaultTrustManager(TrustManagerFactory tmf) throws SSLException {
...
}You could then refactor your existing method: public static X509TrustManager defaultTrustManager() throws SSLException {
try {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
return defaultTrustManager(tmf); // <-- the visible for testing method
} catch (NoSuchAlgorithmException e) {
throw new SSLException("Could not build default TrustManager.", e);
}
}Hopefully this should increase coverage by allowing you to pass mocked |
Thanks for the suggestion! I was able to get the patch coverage above the required threshold without introducing static mocking. I kept the current approach and avoided adding extra testing hooks since coverage is now passing. |
Summary
This PR fixes an inconsistency between the OkHttp and JDK OTLP HTTP senders when client mTLS is configured without custom trusted certificates.
Previously, when only
setClientTls(...)(or the equivalent autoconfigure properties) was configured,TlsConfigHelpercorrectly created anSSLContextcontaining the clientKeyManager, but the OkHttp sender skipped installing the customSSLSocketFactorybecause no explicitX509TrustManagerwas provided. As a result, OkHttp fell back to the platform defaultSSLSocketFactory, causing the configured client certificate to be silently omitted during the TLS handshake.This change resolves the platform default
X509TrustManagerwhen no custom trust manager is configured and uses it when installing the customSSLSocketFactory, making the OkHttp sender behave consistently with the JDK sender.Changes
X509TrustManager.Fixes #8562