authorHarsh Shandilya <me@msfjarvis.dev>2023-04-27 15:57:23 +0530
committerHarsh Shandilya <me@msfjarvis.dev>2023-04-27 15:57:23 +0530
commit0542963ae0ce0ab9cae4935ac5419d8bbfc939f9 (patch)
tree6762b204637e09695f9e10b236b43a6798047f54 /build-logic
parent3e67280f654012c7f9898dbfb66c87f0f2b06bc0 (diff)
fix(build): implement certificate pinning
Diffstat (limited to 'build-logic')
-rw-r--r--build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt31
-rw-r--r--build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt14
-rw-r--r--build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt6
3 files changed, 36 insertions, 15 deletions
diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt
new file mode 100644
index 00000000..057c6dd1
--- /dev/null
+++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt
@@ -0,0 +1,31 @@
+package app.passwordstore.gradle
+
+import java.util.concurrent.TimeUnit
+import okhttp3.CertificatePinner
+import okhttp3.OkHttpClient
+
+object OkHttp {
+ private val certificatePinner =
+ CertificatePinner.Builder()
+ .add(
+ "api.crowdin.com",
+ "sha256/qKpGqFXXIteblI82BcMyRX0eC2o7lpL9XVInWKIG7rc=",
+ "sha256/DxH4tt40L+eduF6szpY6TONlxhZhBd+pJ9wbHlQ2fuw=",
+ "sha256/++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=",
+ )
+ .add(
+ "publicsuffix.org",
+ "sha256/GHmZgxELzHuqpSexbC20wv6kqtrqS6BFdKs0z5pciGw=",
+ "sha256/cXjPgKdVe6iojP8s0YQJ3rtmDFHTnYZxcYvmYGFiYME=",
+ "sha256/hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=",
+ )
+ .build()
+ val CLIENT =
+ OkHttpClient.Builder()
+ .connectTimeout(5, TimeUnit.MINUTES)
+ .writeTimeout(5, TimeUnit.MINUTES)
+ .readTimeout(5, TimeUnit.MINUTES)
+ .callTimeout(10, TimeUnit.MINUTES)
+ .certificatePinner(certificatePinner)
+ .build()
+}
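Review bot: The six `sha256/` pins in `certificatePinner` have no comment saying which certificate in each chain they correspond to (leaf, intermediate or root) or how and when they were captured. When either site rotates a pinned certificate, every task using `OkHttp.CLIENT` will fail with a pin mismatch, and the maintainer has nothing to regenerate the values from. I would add a KDoc on `object OkHttp` recording the chain position and capture date of each pin and the procedure for refreshing them. It should also state that `CertificatePinner` enforces pins only for the exact hostnames listed, so a request or followed redirect to any other host through `CLIENT` is checked against the default trust store alone, e.g. `// Pins cover api.crowdin.com and publicsuffix.org only; any other host reached via CLIENT is NOT pinned.`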
diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt
index 8e7edaa8..8ec162d6 100644
--- a/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt
+++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt
@@ -1,11 +1,10 @@
package app.passwordstore.gradle.crowdin
+import app.passwordstore.gradle.OkHttp
import app.passwordstore.gradle.crowdin.api.ListProjects
import com.squareup.moshi.Moshi
import com.squareup.moshi.kotlin.reflect.KotlinJsonAdapterFactory
-import java.util.concurrent.TimeUnit
import okhttp3.MediaType.Companion.toMediaType
-import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.RequestBody.Companion.toRequestBody
import org.gradle.api.DefaultTask
@@ -24,13 +23,6 @@ abstract class BuildOnApiTask : DefaultTask() {
@TaskAction
fun doWork() {
- val client =
- OkHttpClient.Builder()
- .connectTimeout(5, TimeUnit.MINUTES)
- .writeTimeout(5, TimeUnit.MINUTES)
- .readTimeout(5, TimeUnit.MINUTES)
- .callTimeout(10, TimeUnit.MINUTES)
- .build()
val moshi = Moshi.Builder().add(KotlinJsonAdapterFactory()).build()
val projectAdapter = moshi.adapter(ListProjects::class.java)
val projectRequest =
@@ -39,7 +31,7 @@ abstract class BuildOnApiTask : DefaultTask() {
.header("Authorization", "Bearer ${crowdinKey.get()}")
.get()
.build()
- client.newCall(projectRequest).execute().use { response ->
+ OkHttp.CLIENT.newCall(projectRequest).execute().use { response ->
val projects = projectAdapter.fromJson(response.body!!.source())
if (projects != null) {
val identifier =
@@ -54,7 +46,7 @@ abstract class BuildOnApiTask : DefaultTask() {
.header("Authorization", "Bearer ${crowdinKey.get()}")
.post("{}".toRequestBody("application/json".toMediaType()))
.build()
- client.newCall(buildRequest).execute().close()
+ OkHttp.CLIENT.newCall(buildRequest).execute().close()
}
}
}
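Review bot: The build request on the changed line is still executed and closed without looking at the status, so a rejected call (for example an expired `crowdinKey`) lets the task finish as if the build had been triggered. The pinned client makes transport failures loud but not HTTP-level ones. I would check the response, e.g. `OkHttp.CLIENT.newCall(buildRequest).execute().use { check(it.isSuccessful) { "Crowdin build request failed: HTTP ${it.code}" } }`. The same applies to the project-list call in the previous hunk, where `response.body!!` is parsed without an `isSuccessful` check. `doWork()` starts outside this hunk.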
diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt
index 381cb40e..914ea188 100644
--- a/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt
+++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt
@@ -5,8 +5,8 @@
package app.passwordstore.gradle.psl
+import app.passwordstore.gradle.OkHttp
import java.util.TreeSet
-import okhttp3.OkHttpClient
import okhttp3.Request
import okio.ByteString
import okio.ByteString.Companion.encodeUtf8
@@ -32,12 +32,10 @@ abstract class PSLUpdateTask : DefaultTask() {
}
private fun fetchPublicSuffixList(): PublicSuffixListData {
- val client = OkHttpClient.Builder().build()
-
val request =
Request.Builder().url("https://publicsuffix.org/list/public_suffix_list.dat").build()
- client.newCall(request).execute().use { response ->
+ OkHttp.CLIENT.newCall(request).execute().use { response ->
val source = requireNotNull(response.body).source()
val data = PublicSuffixListData()