immich/mobile/lib/utils/http_ssl_cert_override.dart

import 'dart:io';
import 'package:immich_mobile/services/app_settings.service.dart';
import 'package:immich_mobile/entities/store.entity.dart';
import 'package:logging/logging.dart';

class HttpSSLCertOverride extends HttpOverrides {
  static final Logger _log = Logger("HttpSSLCertOverride");
  final SSLClientCertStoreVal? _clientCert;
  late final SecurityContext? _ctxWithCert;

  HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() {
    if (_clientCert != null) {
      _ctxWithCert = SecurityContext(withTrustedRoots: true);
      if (_ctxWithCert != null) {
        setClientCert(_ctxWithCert, _clientCert);
      } else {
        _log.severe("Failed to create security context with client cert!");
      }
    } else {
      _ctxWithCert = null;
    }
  }

  static bool setClientCert(SecurityContext ctx, SSLClientCertStoreVal cert) {
    try {
      _log.info("Setting client certificate");
      ctx.usePrivateKeyBytes(cert.data, password: cert.password);
      ctx.useCertificateChainBytes(cert.data, password: cert.password);
    } catch (e) {
      _log.severe("Failed to set SSL client cert: $e");
      return false;
    }
    return true;
  }

  @override
  HttpClient createHttpClient(SecurityContext? context) {
    if (context != null) {
      if (_clientCert != null) {
        setClientCert(context, _clientCert);
      }
    } else {
      context = _ctxWithCert;
    }

    return super.createHttpClient(context)
      ..badCertificateCallback = (X509Certificate cert, String host, int port) {
        AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;

        // Check if user has allowed self signed SSL certificates.
        bool selfSignedCertsAllowed =
            Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);

        bool isLoggedIn = Store.tryGet(StoreKey.currentUser) != null;

        // Conduct server host checks if user is logged in to avoid making
        // insecure SSL connections to services that are not the immich server.
        if (isLoggedIn && selfSignedCertsAllowed) {
          String serverHost =
              Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;

          selfSignedCertsAllowed &= serverHost.contains(host);
        }

        if (!selfSignedCertsAllowed) {
          _log.severe("Invalid SSL certificate for $host:$port");
        }

        return selfSignedCertsAllowed;
      };
  }
}
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`import 'dart:io';`
refactor(mobile): services and providers (#9232) * refactor(mobile): services and provider * providers 2024-05-02 20:59:14 +00:00			`import 'package:immich_mobile/services/app_settings.service.dart';`
refactor(mobile): entities and models (#9182) * refactor(mobile): entities * store entity * refactor: models * remove domain * save all * bad refactor 2024-05-01 02:36:40 +00:00			`import 'package:immich_mobile/entities/store.entity.dart';`
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`import 'package:logging/logging.dart';`

			`class HttpSSLCertOverride extends HttpOverrides {`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 13:59:02 +00:00			`static final Logger _log = Logger("HttpSSLCertOverride");`
			`final SSLClientCertStoreVal? _clientCert;`
			`late final SecurityContext? _ctxWithCert;`

			`HttpSSLCertOverride() : _clientCert = SSLClientCertStoreVal.load() {`
			`if (_clientCert != null) {`
			`_ctxWithCert = SecurityContext(withTrustedRoots: true);`
			`if (_ctxWithCert != null) {`
			`setClientCert(_ctxWithCert, _clientCert);`
			`} else {`
			`_log.severe("Failed to create security context with client cert!");`
			`}`
			`} else {`
			`_ctxWithCert = null;`
			`}`
			`}`

			`static bool setClientCert(SecurityContext ctx, SSLClientCertStoreVal cert) {`
			`try {`
			`_log.info("Setting client certificate");`
			`ctx.usePrivateKeyBytes(cert.data, password: cert.password);`
fix(mobile): client TLS on ios (#11415) 2024-07-28 22:32:53 +00:00			`ctx.useCertificateChainBytes(cert.data, password: cert.password);`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 13:59:02 +00:00			`} catch (e) {`
			`_log.severe("Failed to set SSL client cert: $e");`
			`return false;`
			`}`
			`return true;`
			`}`

feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`@override`
			`HttpClient createHttpClient(SecurityContext? context) {`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 13:59:02 +00:00			`if (context != null) {`
			`if (_clientCert != null) {`
			`setClientCert(context, _clientCert);`
			`}`
			`} else {`
			`context = _ctxWithCert;`
			`}`

feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`return super.createHttpClient(context)`
			`..badCertificateCallback = (X509Certificate cert, String host, int port) {`
			`AppSettingsEnum setting = AppSettingsEnum.allowSelfSignedSSLCert;`
deps(mobile): flutter 3.16 (#6677) * dep(mobile): update flutter and deps * chore: dart analyzer * chore: update flutter workflow version * chore: dart format * fix: gallery_viewer PopScope --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com> 2024-01-27 16:14:32 +00:00
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`// Check if user has allowed self signed SSL certificates.`
			`bool selfSignedCertsAllowed =`
			`Store.get(setting.storeKey as StoreKey<bool>, setting.defaultValue);`

			`bool isLoggedIn = Store.tryGet(StoreKey.currentUser) != null;`

			`// Conduct server host checks if user is logged in to avoid making`
			`// insecure SSL connections to services that are not the immich server.`
			`if (isLoggedIn && selfSignedCertsAllowed) {`
			`String serverHost =`
			`Uri.parse(Store.tryGet(StoreKey.serverEndpoint) ?? "").host;`

			`selfSignedCertsAllowed &= serverHost.contains(host);`
			`}`

			`if (!selfSignedCertsAllowed) {`
feat(mobile): Adding setting in mobile app to TLS client certificate (#10860) * feat(mobile): Adding setting in mobile app to import TLS client certificate and private key * Formating dart source code to pass dart format test * Adding missed required trailing commas to pass dart static analysis * update lock file * variable names --------- Co-authored-by: Yun Jiang <yjiang@roku.com> Co-authored-by: Alex Tran <alex.tran1502@gmail.com> 2024-07-26 13:59:02 +00:00			`_log.severe("Invalid SSL certificate for $host:$port");`
feat(mobile): allow self-signed certificate on the mobile app (#4051) * WIP: self-signed certs accept * WIP: format * WIP: pushing up adding settings menu * Add serverEndpointURL check * Add translation update * Handle errors properly * format * typo * cleanup * styling and permission * remove deadcode * put pack condition * styling * remove hiding settings options * format + match drop shadow * match color * remove deadcode --------- Co-authored-by: Alex <alex.tran1502@gmail.com> 2023-09-12 14:51:43 +00:00			`}`

			`return selfSignedCertsAllowed;`
			`};`
			`}`
			`}`