[Mono.Android] ServerCertificateValidationCallback() and redirects (#7662)

simonrozsival · web-flow · commit d78d7866b670 · 2023-01-09T13:44:40.000-05:00
Fixes: #7650 `AndroidMessageHandler` was incorrectly validating SSL certificate after a redirect to another domain if and only if `AndroidMessageHandler.ServerCertificateCustomValidationCallback` was set; consider: const string url = "https://httpbin.org/redirect-to?url=https://www.microsoft.com/"; using var handler = new AndroidMessageHandler() { ServerCertificateCustomValidationCallback = (message, certificate, chain, errors) => errors == SslPolicyErrors.None }; using var client = new HttpClient(handler); await client.GetAsync(url); The expectation is that `AndroidMessageHandler.ServerCertificateCustomValidationCallback` will be called *twice*: 1. Once with `message.RequestUri` set to `https://httpbin.org/redirect-to?…`, and 2. Once again with `message.RequestUri` set to `https://www.microsoft.com`. The problem was that in actuality the 2nd invocation was unchanged from (1), with `message.RequestUri` set to `https://httpbin.org/redirect-to…?…`, and `errors` set to `SslPolicyErrors.RemoteCertificateNameMismatch` (!). The problem was that `AndroidMessageHandler.DoSendAsync()` didn't update `HttpRequestMessage.RequestUri` to the redirected URI, causing the `errors` enum value to contain an error, and the second `ServerCertificateCustomValidationCallback` invocation to have the wrong information. Update `AndroidMessageHandler.DoSendAsync()` so that when dealing with an HTTP redirect, `message.RequestUri` always contains the "current" value in the redirect chain. This keeps `RequestUri` in sync with the redirect status to avoid this problem.
diff --git a/src/Mono.Android/Xamarin.Android.Net/AndroidMessageHandler.cs b/src/Mono.Android/Xamarin.Android.Net/AndroidMessageHandler.cs
@@ -425,6 +425,7 @@ string EncodeUrl (Uri url)
 					if (redirectState.NewUrl == null)
 						throw new InvalidOperationException ("Request redirected but no new URI specified");
 					request.Method = redirectState.Method;
+					request.RequestUri = redirectState.NewUrl;
 				} catch (Java.Net.SocketTimeoutException ex) when (JNIEnv.ShouldWrapJavaException (ex)) {
 					throw new WebException (ex.Message, ex, WebExceptionStatus.Timeout, null);
 				} catch (Java.Net.UnknownServiceException ex) when (JNIEnv.ShouldWrapJavaException (ex)) {
diff --git a/tests/Mono.Android-Tests/Xamarin.Android.Net/AndroidMessageHandlerTests.cs b/tests/Mono.Android-Tests/Xamarin.Android.Net/AndroidMessageHandlerTests.cs
@@ -27,9 +27,9 @@ public async Task ServerCertificateCustomValidationCallback_ApproveRequest ()
 			var handler = new AndroidMessageHandler {
 				ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => {
 					Assert.NotNull (request, "request");
-					Assert.AreEqual ("microsoft.com", request.RequestUri.Host);
+					Assert.AreEqual ("www.microsoft.com", request.RequestUri.Host);
 					Assert.NotNull (cert, "cert");
-					Assert.True (cert!.Subject.Contains ("microsoft.com"), $"Unexpected certificate subject {cert!.Subject}");
+					Assert.True (cert!.Subject.Contains ("www.microsoft.com"), $"Unexpected certificate subject {cert!.Subject}");
 					Assert.True (cert!.Issuer.Contains ("Microsoft"), $"Unexpected certificate issuer {cert!.Issuer}");
 					Assert.NotNull (chain, "chain");
 					Assert.AreEqual (SslPolicyErrors.None, errors);
@@ -40,7 +40,7 @@ public async Task ServerCertificateCustomValidationCallback_ApproveRequest ()
 			};
 
 			var client = new HttpClient (handler);
-			await client.GetStringAsync ("https://microsoft.com/");
+			await client.GetStringAsync ("https://www.microsoft.com/");
 
 			Assert.IsTrue (callbackHasBeenCalled, "custom validation callback hasn't been called");
 		}
@@ -58,7 +58,7 @@ public async Task ServerCertificateCustomValidationCallback_RejectRequest ()
 			};
 			var client = new HttpClient (handler);
 
-			await AssertRejectsRemoteCertificate (() => client.GetStringAsync ("https://microsoft.com/"));
+			await AssertRejectsRemoteCertificate (() => client.GetStringAsync ("https://www.microsoft.com/"));
 
 			Assert.IsTrue (callbackHasBeenCalled, "custom validation callback hasn't been called");
 		}
@@ -111,6 +111,25 @@ public async Task ServerCertificateCustomValidationCallback_IgnoresCertificateHo
 			Assert.AreEqual (SslPolicyErrors.RemoteCertificateNameMismatch, reportedErrors & SslPolicyErrors.RemoteCertificateNameMismatch);
 		}
 
+		[Test]
+		public async Task ServerCertificateCustomValidationCallback_Redirects ()
+		{
+			int callbackCounter = 0;
+
+			var handler = new AndroidMessageHandler {
+				ServerCertificateCustomValidationCallback = (request, cert, chain, errors) => {
+					callbackCounter++;
+					return errors == SslPolicyErrors.None;
+				}
+			};
+
+			var client = new HttpClient (handler);
+			var result = await client.GetAsync ("https://httpbin.org/redirect-to?url=https://www.microsoft.com/");
+
+			Assert.AreEqual (2, callbackCounter);
+			Assert.IsTrue (result.IsSuccessStatusCode);
+		}
+
 		private async Task AssertRejectsRemoteCertificate (Func<Task> makeRequest)
 		{
 			// there is a difference between the exception that's thrown in the .NET build and the legacy Xamarin
