authorChad Brubaker <cbrubaker@google.com>2016-01-27 10:42:38 -0800
committerChad Brubaker <cbrubaker@google.com>2016-01-28 09:04:03 -0800
commit36e73c99548c96ca88c3d26bb82e0114acd46d9a (patch)
tree4a8004b4e5ee93fb1512b518f5d12f35ea48682e /android
parent27c80533a9a92e3e12ed0857515ba493666fe6ac (diff)
Use hostname aware isCleartextTrafficPermitted
The cleartext traffic blocking feature of android.net.NetworkSecurityPolicy is being expanded to provide finer grained controls (per hostname). This change integrates the OkHttp stack with these finer grained controls. Bug: 22666071 Change-Id: I36ffa2f8bd2960cf25cef95b9d11e599c508d14b
Diffstat (limited to 'android')
-rw-r--r--android/main/java/com/squareup/okhttp/HttpHandler.java27
-rw-r--r--android/main/java/com/squareup/okhttp/HttpsHandler.java3
2 files changed, 22 insertions, 8 deletions
diff --git a/android/main/java/com/squareup/okhttp/HttpHandler.java b/android/main/java/com/squareup/okhttp/HttpHandler.java
index 4423efb..38eecb4 100644
--- a/android/main/java/com/squareup/okhttp/HttpHandler.java
+++ b/android/main/java/com/squareup/okhttp/HttpHandler.java
@@ -17,6 +17,7 @@
package com.squareup.okhttp;
+import com.squareup.okhttp.internal.URLFilter;
import libcore.net.NetworkSecurityPolicy;
import java.io.IOException;
import java.net.HttpURLConnection;
@@ -34,6 +35,8 @@ public class HttpHandler extends URLStreamHandler {
private final static List<ConnectionSpec> CLEARTEXT_ONLY =
Collections.singletonList(ConnectionSpec.CLEARTEXT);
+ private static final CleartextURLFilter CLEARTEXT_FILTER = new CleartextURLFilter();
+
private final ConfigAwareConnectionPool configAwareConnectionPool =
ConfigAwareConnectionPool.getInstance();
@@ -81,14 +84,8 @@ public class HttpHandler extends URLStreamHandler {
// Do not permit http -> https and https -> http redirects.
client.setFollowSslRedirects(false);
- if (NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted()) {
- // Permit cleartext traffic only (this is a handler for HTTP, not for HTTPS).
- client.setConnectionSpecs(CLEARTEXT_ONLY);
- } else {
- // Cleartext HTTP denied by policy. Make okhttp deny cleartext HTTP attempts using the
- // only mechanism it currently provides -- pretend there are no suitable routes.
- client.setConnectionSpecs(Collections.<ConnectionSpec>emptyList());
- }
+ // Permit cleartext traffic only (this is a handler for HTTP, not for HTTPS).
+ client.setConnectionSpecs(CLEARTEXT_ONLY);
// When we do not set the Proxy explicitly OkHttp picks up a ProxySelector using
// ProxySelector.getDefault().
@@ -98,6 +95,11 @@ public class HttpHandler extends URLStreamHandler {
// OkHttp requires that we explicitly set the response cache.
OkUrlFactory okUrlFactory = new OkUrlFactory(client);
+
+ // Use the installed NetworkSecurityPolicy to determine which requests are permitted over
+ // http.
+ okUrlFactory.setUrlFilter(CLEARTEXT_FILTER);
+
ResponseCache responseCache = ResponseCache.getDefault();
if (responseCache != null) {
AndroidInternal.setResponseCache(okUrlFactory, responseCache);
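Review bot: The cleartext policy is now enforced only by the filter installed at `okUrlFactory.setUrlFilter(CLEARTEXT_FILTER)`, while the earlier hunk (@@ -81,14 +84,8) gives the client `CLEARTEXT_ONLY` unconditionally, so the connection layer no longer refuses cleartext when the policy denies it. The URLFilter call sites are not visible in this diff, so it is worth confirming that the filter is consulted on every redirect hop and not just the initial URL; otherwise an http redirect to a host where cleartext is denied would bypass the per-host check. HttpsHandler also has to undo this default with `setUrlFilter(null)`, so a comment here such as `// NOTE: HttpsHandler clears this filter; the OkHttpClient from okUrlFactory.client() is not itself policy-restricted.` would make that coupling explicit. The enclosing method starts outside this hunk.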
@@ -105,4 +107,13 @@ public class HttpHandler extends URLStreamHandler {
return okUrlFactory;
}
+ private static final class CleartextURLFilter implements URLFilter {
+ @Override
+ public void checkURLPermitted(URL url) throws IOException {
+ String host = url.getHost();
+ if (!NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(host)) {
+ throw new IOException("Cleartext HTTP traffic to " + host + " not permitted");
+ }
+ }
+ }
}
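Review bot: `url.getHost()` is handed to the policy unmodified in `checkURLPermitted`, but java.net.URL returns IPv6 literals wrapped in square brackets and can return an empty string for a URL with no authority. Whether `isCleartextTrafficPermitted(host)` handles those forms is not visible here, so the value should either be normalised first or the expected format documented, so that a per-host rule cannot be missed because of formatting. The filter also never inspects the scheme, so a class Javadoc such as `/** Rejects URLs whose host is denied cleartext by NetworkSecurityPolicy; install on http factories only. */` would guard against it being reused on an https factory.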
diff --git a/android/main/java/com/squareup/okhttp/HttpsHandler.java b/android/main/java/com/squareup/okhttp/HttpsHandler.java
index 149d860..6b127b2 100644
--- a/android/main/java/com/squareup/okhttp/HttpsHandler.java
+++ b/android/main/java/com/squareup/okhttp/HttpsHandler.java
@@ -87,6 +87,9 @@ public final class HttpsHandler extends HttpHandler {
// The HTTPS OkHttpClient is an HTTP OkHttpClient with extra configuration.
OkUrlFactory okUrlFactory = HttpHandler.createHttpOkUrlFactory(proxy);
+ // All HTTPS requests are allowed.
+ okUrlFactory.setUrlFilter(null);
+
OkHttpClient okHttpClient = okUrlFactory.client();
// Only enable HTTP/1.1 (implies HTTP/1.0). Disable SPDY / HTTP/2.0.