Add support for TLS1.2 on pre-lollipop devices.

[dj-mal]

• Add method enableTls12OnPreLollipop to UsersAPIClient and AuthenticationAPIClient, which would enable support for TLS 1.2 on Pre-lollipop devices when called.
• Add OkHttpTls12Compat and Tls12SocketFactory to support TLS 1.2 by patching the socket on devices with API level 16-21.
• References:
  • https://developer.android.com/reference/javax/net/ssl/SSLSocket.html
  • support enabling TLSv1.2 on Android 4.1-4.4. square/okhttp#2372

Fixes #126

[lbalmaceda]

Hey! thanks for the contribution. I've left you some comments. I'd prefer the new classes to be package private and I also don't like the use of PowerMock as well. Please, try to refactor the OkHttpTLS12Compat class and it's usage to achieve the same result without static methods. That would help you not requiring PowerMock at all. Cheers

[lbalmaceda]

Rename to enableTLS12OnPreLollipop, try to make it package private.

[dj-mal]

If this is made package private, the users have no means to enable TLS 1.2 on the client, since they need to call this method explicitly to enable support. Do you want to move this into the constructor?

[lbalmaceda]

Rename to TLS12SocketFactory, try to make it package private

[dj-mal]

Renamed and made package private.

[lbalmaceda]

Rename to enableTLS12OnPreLollipop, try to make it package private.

[dj-mal]

If this is made package private, the users have no means to enable TLS 1.2 on the client, since they need to call this method explicitly to enable support. Do you want to move this into the constructor?

[lbalmaceda]

Rename to OkHttpTLS12Compat, try to make it package private.

[dj-mal]

We can't make this package private because both AutehnticationAPIClient and UsersAPIClient use it, and they're in different package.

[lbalmaceda]

Because this method is "transparent" and will do nothing on already valid API versions, let's rename it to enableForClient. Also keep in mind that static methods are difficult to test if you're just using Mockito/Robolectric.

[dj-mal]

Method renamed.

[lbalmaceda]

The whole IF condition can be simplified to:

if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN && Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP_MR1)

I don't find useful the log.w line.

[dj-mal]

Removed the log line and simplified the if condition.

[lbalmaceda]

I know the class already has it, but add an explicit @Config(sdk=21) line here too.

[dj-mal]

Added config annotation.

[lbalmaceda]

Because the min API for this library is 15 and that's excluded from the TLS logic, please add a test for that one as well.

[dj-mal]

I tried but Robolectric doesn't support API level 15 so we can't just add that like other supported APIs.

[dj-mal]

Thanks for reviewing! I've made the changes accordingly. Most of the comments are reflected in the updated code, although some isn't implemented with reasons explained in individual comments.

I tried making OkHttpTLS12Compat non static, but the outcome may be a bit clumsy in my opinion. I've made a new branch with that, you can check the changes over there:
https://github.com/dj-mal/Auth0.Android/compare/prelollipop-tls...dj-mal:prelollipop-tls-non-static?expand=1

If you think that's OK I can merge the changes into this branch / PR.
Cheers.

[lbalmaceda]

I thought about this and actually, it makes sense to have the TLS flag inside the Auth0 class, like we do for the logging and the OIDC flag. Based on the non-static branch, these are the changes I'd make:

• Rename OkHttpTLS12Compat to OkHttpClientFactory, which has a single method "createClient(boolean loggingEnabled, boolean tls12Enforced)". Both values are obtained from the Auth0 instance.
• Change the non-public constructors of the API Clients that receive an OkHttpClient instance to just receive the factory instance. These constructors exist for test purposes only.
• Factory won't be stored in any variable/field on the API Clients... Use it to create and assign the client on the constructor, but don't assign the factory anywhere (let gc do it's thing).
• Helper methods inside the Factory will be private. (or package-private if you need to test them).
• The class will be public and stored inside com.auth0.android/request/internal. Can't think of a better place now.. it must be public because both clients are in separate packages.. so keeping it inside the "internal" package will make people aware that we can break them at any time, and that they should not use it directly. That can be clarified in the class javadoc as well..
• Remove flag setters/getters from the API Client. Move them to Auth0. Test them.

Please share your thoughts. I think it's cleaner this way.. Ideally we should hide any helper method/class from the users (or keep them in "internal") and try not to put external dependencies on the methods signatures.

[dj-mal]

All are good suggestions and can reduce duplication across the API clients. They're implemented accordingly.

However, since OkHttpClientFactory.createClient uses only parameters from Auth0, maybe an Auth0 instance could be passed (i.e., createClient(auth0)) instead of separate booleans (i.e., createClient(loggingEnabled, tlsEnforced))?

[lbalmaceda]

Regarding your last comment, I prefer you don't so we avoid coupling it to another class. The class is already in "internal" so it won't matter a lot the amount of parameters we choose. 👍 I left you the final comments, looks much clearer now thanks 🙂 .

[lbalmaceda]

Please add an additional javadoc at the class level:

Factory class used to configure and obtain a new OkHttpClient instance. This class is meant for internal use only, breaking changes may appear at any time without backwards compatibility guarantee.

or something like that 🙂

[lbalmaceda]

Remove client==null check as the client is always valid, since the only entry point is the createClient method. Add a @NonNull annotation to these methods parameters if you want instead, just to help devs as users won't see them.

[lbalmaceda]

rename generateInterceptorsMockList

[dj-mal]

Updated according to the comments. Cheers 😃