From 0542963ae0ce0ab9cae4935ac5419d8bbfc939f9 Mon Sep 17 00:00:00 2001
From: Harsh Shandilya
Date: Thu, 27 Apr 2023 15:57:23 +0530
Subject: fix(build): implement certificate pinning
---
.../main/kotlin/app/passwordstore/gradle/OkHttp.kt | 31 ++++++++++++++++++++++
.../passwordstore/gradle/crowdin/BuildOnApiTask.kt | 14 +++-------
.../app/passwordstore/gradle/psl/PSLUpdateTask.kt | 6 ++---
3 files changed, 36 insertions(+), 15 deletions(-)
create mode 100644 build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt
(limited to 'build-logic/src/main/kotlin/app')
diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt
new file mode 100644
index 00000000..057c6dd1
--- /dev/null
+++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/OkHttp.kt
@@ -0,0 +1,31 @@
+package app.passwordstore.gradle
+
+import java.util.concurrent.TimeUnit
+import okhttp3.CertificatePinner
+import okhttp3.OkHttpClient
+
+object OkHttp {
+ private val certificatePinner =
+ CertificatePinner.Builder()
+ .add(
+ "api.crowdin.com",
+ "sha256/qKpGqFXXIteblI82BcMyRX0eC2o7lpL9XVInWKIG7rc=",
+ "sha256/DxH4tt40L+eduF6szpY6TONlxhZhBd+pJ9wbHlQ2fuw=",
+ "sha256/++MBgDH5WGvL9Bcn5Be30cRcL0f5O+NyoXuWtQdX1aI=",
+ )
+ .add(
+ "publicsuffix.org",
+ "sha256/GHmZgxELzHuqpSexbC20wv6kqtrqS6BFdKs0z5pciGw=",
+ "sha256/cXjPgKdVe6iojP8s0YQJ3rtmDFHTnYZxcYvmYGFiYME=",
+ "sha256/hxqRlPTu1bMS/0DITB1SSu0vd4u/8l8TjPgfaAp63Gc=",
+ )
+ .build()
+ val CLIENT =
+ OkHttpClient.Builder()
+ .connectTimeout(5, TimeUnit.MINUTES)
+ .writeTimeout(5, TimeUnit.MINUTES)
+ .readTimeout(5, TimeUnit.MINUTES)
+ .callTimeout(10, TimeUnit.MINUTES)
+ .certificatePinner(certificatePinner)
+ .build()
+}
diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt
index 8e7edaa8..8ec162d6 100644
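Review bot: The pins in `certificatePinner` apply only to the exact hosts `api.crowdin.com` and `publicsuffix.org`, while `CLIENT` keeps OkHttp's default of following redirects, so a response that redirects to any other hostname would be fetched with no pin check. Whether either endpoint redirects is not visible here; if neither needs to, adding `.followRedirects(false)` to the `OkHttpClient.Builder()` chain keeps every request on a pinned host. The six hashes also carry no comment saying which certificate in the chain each belongs to or when it was captured, which makes rotation hard to handle. I would add one above each `.add(`, such as `// <host>: pins for <leaf|intermediate|root>, captured <DATE>; a mismatch fails the task with SSLPeerUnverifiedException`.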
--- a/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt +++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/crowdin/BuildOnApiTask.kt @@ -1,11 +1,10 @@ package app.passwordstore.gradle.crowdin +import app.passwordstore.gradle.OkHttp import app.passwordstore.gradle.crowdin.api.ListProjects import com.squareup.moshi.Moshi import com.squareup.moshi.kotlin.reflect.KotlinJsonAdapterFactory -import java.util.concurrent.TimeUnit import okhttp3.MediaType.Companion.toMediaType -import okhttp3.OkHttpClient import okhttp3.Request import okhttp3.RequestBody.Companion.toRequestBody import org.gradle.api.DefaultTask @@ -24,13 +23,6 @@ abstract class BuildOnApiTask : DefaultTask() { @TaskAction fun doWork() { - val client = - OkHttpClient.Builder() - .connectTimeout(5, TimeUnit.MINUTES) - .writeTimeout(5, TimeUnit.MINUTES) - .readTimeout(5, TimeUnit.MINUTES) - .callTimeout(10, TimeUnit.MINUTES) - .build() val moshi = Moshi.Builder().add(KotlinJsonAdapterFactory()).build() val projectAdapter = moshi.adapter(ListProjects::class.java) val projectRequest = @@ -39,7 +31,7 @@ abstract class BuildOnApiTask : DefaultTask() { .header("Authorization", "Bearer ${crowdinKey.get()}") .get() .build() - client.newCall(projectRequest).execute().use { response -> + OkHttp.CLIENT.newCall(projectRequest).execute().use { response -> val projects = projectAdapter.fromJson(response.body!!.source()) if (projects != null) { val identifier = @@ -54,7 +46,7 @@ abstract class BuildOnApiTask : DefaultTask() { .header("Authorization", "Bearer ${crowdinKey.get()}") .post("{}".toRequestBody("application/json".toMediaType())) .build() - client.newCall(buildRequest).execute().close() + OkHttp.CLIENT.newCall(buildRequest).execute().close() } } } diff --git a/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt b/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt index 381cb40e..914ea188 100644 
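Review bot: Neither call in `doWork()` checks the HTTP status. In the `@@ -39,7` hunk the body is parsed through `response.body!!` before any `isSuccessful` test, and in the `@@ -54,7` hunk the changed line `OkHttp.CLIENT.newCall(buildRequest).execute().close()` discards the response entirely, so a rejected request (for example an invalid `crowdinKey`) leaves the task green. For the build call I would write `OkHttp.CLIENT.newCall(buildRequest).execute().use { check(it.isSuccessful) { "Crowdin build request failed: HTTP ${it.code}" } }`, and add the same `check(response.isSuccessful)` as the first statement inside the project-list `use` block. The same gap is in `fetchPublicSuffixList()` in PSLUpdateTask.kt, where a non-2xx body would be handed to the suffix-list parser. Pinning authenticates the server but does not make an error page valid input.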
--- a/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt +++ b/build-logic/src/main/kotlin/app/passwordstore/gradle/psl/PSLUpdateTask.kt @@ -5,8 +5,8 @@ package app.passwordstore.gradle.psl +import app.passwordstore.gradle.OkHttp import java.util.TreeSet -import okhttp3.OkHttpClient import okhttp3.Request import okio.ByteString import okio.ByteString.Companion.encodeUtf8 @@ -32,12 +32,10 @@ abstract class PSLUpdateTask : DefaultTask() { } private fun fetchPublicSuffixList(): PublicSuffixListData { - val client = OkHttpClient.Builder().build() - val request = Request.Builder().url("https://publicsuffix.org/list/public_suffix_list.dat").build() - client.newCall(request).execute().use { response -> + OkHttp.CLIENT.newCall(request).execute().use { response -> val source = requireNotNull(response.body).source() val data = PublicSuffixListData() -- cgit v1.2.3