Apply :insecure? ssl opt only to current request (#47)

Was formerly also being applied to all subsequent requests.

Includes a small work-around for bb compatibility.

Closes #45

Author: lread

CHANGELOG.md

@@ -3,8 +3,9 @@
 - If specified, request's body encoding is now applied, else defaults to UTF-8 ([#18](https://github.com/clj-commons/clj-http-lite/issues/18)) ([@lread](https://github.com/lread))
 - User info from request URL now applied to basic auth ([#34](https://github.com/clj-commons/clj-http-lite/issues/34)) ([@lread](https://github.com/lread))
 - Nested query and form parameters are now automatically flattened ([#43](https://github.com/clj-commons/clj-http-lite/issues/43)) ([@lread](https://github.com/lread))
+- The `:insecure?` option is now applied only to the current request ([#45](https://github.com/clj-commons/clj-http-lite/issues/45)) ([@lread](https://github.com/lread))
 - Quality
-  - Docstrings reviewed and updated
+  - Docstrings and README reviewed and updated
   - Automated CI testing added for Windows ([#21](https://github.com/clj-commons/clj-http-lite/issues/21)) ([@lread](https://github.com/lread))
 
 ### 0.4.384

bb/clj_http/lite/client_test.clj

@@ -29,3 +29,10 @@
        (is false "should not reach here")
        (catch Exception e
          (is (:headers (ex-data e))))))
+
+(deftest insecure-test
+  (is (thrown? Exception
+               (client/get "https://expired.badssl.com")))
+  (is (= 200 (:status (client/get "https://expired.badssl.com" {:insecure? true}))))
+  (is (thrown? Exception
+               (client/get "https://expired.badssl.com"))))

src/clj_http/lite/core.clj

@@ -41,35 +41,37 @@
         (.flush baos)
         (.toByteArray baos)))))
 
-(def ^:private insecure-mode
-  (delay (throw (ex-info "insecure? option not supported in this environment"
-                         {}))))
+(defn- trust-all-ssl!
+  [_conn]
+  (throw (ex-info "insecure? option not supported in this environment"
+                  {})))
 
 (defmacro ^:private def-insecure []
   (when (try (import '[javax.net.ssl
                        HttpsURLConnection SSLContext TrustManager X509TrustManager HostnameVerifier SSLSession])
              (catch Exception _))
     '(do
-       (defn- my-host-verifier []
-         (proxy [HostnameVerifier] []
-           (verify [^String hostname ^javax.net.ssl.SSLSession session] true)))
-
-       (defn trust-invalid-manager
-         "This allows the ssl socket to connect with invalid/self-signed SSL certs."
-         []
-         (reify javax.net.ssl.X509TrustManager
-           (getAcceptedIssuers [this] nil)
-           (checkClientTrusted [this certs authType])
-           (checkServerTrusted [this certs authType])))
+       (def ^:private trust-all-hostname-verifier
+         (delay
+          (proxy [HostnameVerifier] []
+            (verify [^String hostname ^SSLSession session] true))))
 
-       (def ^:private insecure-mode
+       (def ^:private trust-all-ssl-socket-factory
          (delay
-           (HttpsURLConnection/setDefaultSSLSocketFactory
-            (.getSocketFactory
-             (doto (SSLContext/getInstance "SSL")
-               (.init nil (into-array TrustManager [(trust-invalid-manager)])
-                      (new java.security.SecureRandom)))))
-           (HttpsURLConnection/setDefaultHostnameVerifier (my-host-verifier)))))))
+          (.getSocketFactory
+           (doto (SSLContext/getInstance "SSL")
+             (.init nil (into-array TrustManager [(reify X509TrustManager
+                                                    (getAcceptedIssuers [this] nil)
+                                                    (checkClientTrusted [this certs authType])
+                                                    (checkServerTrusted [this certs authType]))])
+                    (new java.security.SecureRandom))))))
+
+       (defn- trust-all-ssl!
+         [conn]
+         (when (instance? HttpsURLConnection conn)
+           (let [^HttpsURLConnection ssl-conn conn]
+             (.setHostnameVerifier ssl-conn @trust-all-hostname-verifier)
+             (.setSSLSocketFactory ssl-conn @trust-all-ssl-socket-factory)))))))
 
 (def-insecure)
 
@@ -84,9 +86,9 @@
                       (when server-port (str ":" server-port))
                       uri
                       (when query-string (str "?" query-string)))
-        _ (when insecure?
-            @insecure-mode)
         ^HttpURLConnection conn (.openConnection (URL. http-url))]
+    (when insecure?
+      (trust-all-ssl! conn))
     (when (and content-type character-encoding)
       (.setRequestProperty conn "Content-Type" (str content-type
                                                     "; charset="
@@ -116,4 +118,4 @@
                     (coerce-body-entity req conn))}
            (when save-request?
              {:request (assoc (dissoc req :save-request?)
-                         :http-url http-url)}))))
+                              :http-url http-url)}))))

test/clj_http/test/core_test.clj

@@ -172,7 +172,10 @@
                  (request client-opts)))
     (let [resp (request (assoc client-opts :insecure? true))]
       (is (= 200 (:status resp)))
-      (is (= "get" (slurp-body resp))))))
+      (is (= "get" (slurp-body resp))))
+    (is (thrown? javax.net.ssl.SSLException
+                 (request client-opts))
+        "subsequent bad cert fetch throws")))
 
 (deftest ^{:integration true} t-save-request-obj
   (let [resp (request {:request-method :post :uri "/post"