launchdarkly · cwaldren-ld · May 13, 2024 · Apr 2, 2024 · Apr 4, 2024 · Apr 4, 2024
@@ -29,7 +29,7 @@ jobs:
           run_tests: false
       - name: 'Launch test service as background task'
         run: $TEST_SERVICE_BINARY $TEST_SERVICE_PORT 2>&1 &
-      - uses: launchdarkly/gh-actions/actions/[email protected].0
+      - uses: launchdarkly/gh-actions/actions/[email protected].2
         with:
           # Inform the test harness of test service's port.
           test_service_port: ${{ env.TEST_SERVICE_PORT }}

@@ -28,7 +28,7 @@ jobs:
           run_tests: false
       - name: 'Launch test service as background task'
         run: $TEST_SERVICE_BINARY $TEST_SERVICE_PORT 2>&1 &
-      - uses: launchdarkly/gh-actions/actions/[email protected].0
+      - uses: launchdarkly/gh-actions/actions/[email protected].2
         with:
           # Inform the test harness of test service's port.
           test_service_port: ${{ env.TEST_SERVICE_PORT }}

@@ -1,4 +1,4 @@
 #include "entity_manager.hpp"

 #include <launchdarkly/config/client.hpp>
 #include <launchdarkly/context_builder.hpp>
@@ -17,7 +17,7 @@
      logger_{logger} {}

 static tl::expected<launchdarkly::Context, launchdarkly::JsonError>
 ParseContext(nlohmann::json value) {
    auto boost_json_val = boost::json::parse(value.dump());
    return boost::json::value_to<
        tl::expected<launchdarkly::Context, launchdarkly::JsonError>>(
@@ -129,6 +129,14 @@
         }
     }
 
+    if (in.tls) {
+        auto builder = TlsBuilder();
+        if (in.tls->skipVerifyPeer) {
+            builder.SkipVerifyPeer(*in.tls->skipVerifyPeer);
+        }
+        config_builder.HttpProperties().Tls(std::move(builder));
+    }
+
     auto config = config_builder.Build();
     if (!config) {
         LD_LOG(logger_, LogLevel::kWarn)

@@ -1,4 +1,4 @@
 #include "server.hpp"

 #include <launchdarkly/logging/console_backend.hpp>

@@ -18,10 +18,10 @@
 using launchdarkly::LogLevel;

 int main(int argc, char* argv[]) {
     launchdarkly::Logger logger{
         std::make_unique<ConsoleBackend>("client-contract-tests")};
 
-    const std::string default_port = "8123";
+    std::string const default_port = "8123";
     std::string port = default_port;
     if (argc == 2) {
         port =
@@ -31,8 +31,8 @@
    try {
        net::io_context ioc{1};

        auto p = boost::lexical_cast<unsigned short>(port);
        server srv(ioc, "0.0.0.0", p, logger);

        srv.add_capability("client-side");
        srv.add_capability("mobile");
@@ -43,6 +43,8 @@
         srv.add_capability("client-independence");
         srv.add_capability("inline-context");
         srv.add_capability("anonymous-redaction");
+        srv.add_capability("tls:verify-peer");
+        srv.add_capability("tls:skip-verify-peer");
 
         net::signal_set signals{ioc, SIGINT, SIGTERM};
 

@@ -3,7 +3,7 @@
 #include <optional>
 #include <string>
 #include <unordered_map>
 #include "nlohmann/json.hpp"

 namespace nlohmann {

@@ -29,7 +29,13 @@
 };
 }  // namespace nlohmann
 
+struct ConfigTLSParams {
+    std::optional<bool> skipVerifyPeer;
+};
+NLOHMANN_DEFINE_TYPE_NON_INTRUSIVE_WITH_DEFAULT(ConfigTLSParams,
+                                                skipVerifyPeer);
+
 struct ConfigStreamingParams {
     std::optional<std::string> baseUri;
     std::optional<uint32_t> initialRetryDelayMs;
 };
@@ -37,7 +43,7 @@
                                                baseUri,
                                                initialRetryDelayMs);

 struct ConfigPollingParams {
    std::optional<std::string> baseUri;
    std::optional<uint32_t> pollIntervalMs;
 };
@@ -45,7 +51,7 @@
                                                baseUri,
                                                pollIntervalMs);

 struct ConfigEventParams {
    std::optional<std::string> baseUri;
    std::optional<uint32_t> capacity;
    std::optional<bool> enableDiagnostics;
@@ -70,7 +76,7 @@
                                                polling,
                                                events);

 struct ConfigClientSideParams {
    nlohmann::json initialContext;
    std::optional<bool> evaluationReasons;
    std::optional<bool> useReport;
@@ -98,6 +104,7 @@
     std::optional<ConfigServiceEndpointsParams> serviceEndpoints;
     std::optional<ConfigClientSideParams> clientSide;
     std::optional<ConfigTags> tags;
+    std::optional<ConfigTLSParams> tls;
 };
 NLOHMANN_DEFINE_TYPE_NON_INTRUSIVE_WITH_DEFAULT(ConfigParams,
                                                 credential,
@@ -108,9 +115,10 @@
                                                 events,
                                                 serviceEndpoints,
                                                 clientSide,
-                                                tags);
+                                                tags,
+                                                tls);
 
 struct ContextSingleParams {
     std::optional<std::string> kind;
    std::string key;
    std::optional<std::string> name;
@@ -201,7 +209,7 @@
                                                defaultValue,
                                                detail);

 struct EvaluateFlagResponse {
    nlohmann::json value;
    std::optional<uint32_t> variationIndex;
    std::optional<nlohmann::json> reason;

@@ -1,4 +1,4 @@
 #include "entity_manager.hpp"

 #include <launchdarkly/context_builder.hpp>
 #include <launchdarkly/serialization/json_context.hpp>
@@ -120,6 +120,14 @@
         }
     }
 
+    if (in.tls) {
+        auto builder = config::builders::TlsBuilder();
+        if (in.tls->skipVerifyPeer) {
+            builder.SkipVerifyPeer(*in.tls->skipVerifyPeer);
+        }
+        config_builder.HttpProperties().Tls(std::move(builder));
+    }
+
     auto config = config_builder.Build();
     if (!config) {
         LD_LOG(logger_, LogLevel::kWarn)

@@ -1,4 +1,4 @@
 #include "server.hpp"

 #include <launchdarkly/logging/console_backend.hpp>

@@ -21,7 +21,7 @@
     launchdarkly::Logger logger{
         std::make_unique<ConsoleBackend>("server-contract-tests")};
 
-    const std::string default_port = "8123";
+    std::string const default_port = "8123";
     std::string port = default_port;
     if (argc == 2) {
         port =
@@ -42,6 +42,8 @@
         srv.add_capability("server-side-polling");
         srv.add_capability("inline-context");
         srv.add_capability("anonymous-redaction");
+        srv.add_capability("tls:verify-peer");
+        srv.add_capability("tls:skip-verify-peer");
 
         net::signal_set signals{ioc, SIGINT, SIGTERM};
 

@@ -21,6 +21,8 @@ typedef struct _LDClientConfigBuilder* LDClientConfigBuilder;
 typedef struct _LDDataSourceStreamBuilder* LDDataSourceStreamBuilder;
 typedef struct _LDDataSourcePollBuilder* LDDataSourcePollBuilder;
 typedef struct _LDPersistenceCustomBuilder* LDPersistenceCustomBuilder;
+typedef struct _LDClientHttpPropertiesTlsBuilder*
+    LDClientHttpPropertiesTlsBuilder;
 
 typedef void (*SetFn)(char const* storage_namespace,
                       char const* key,
@@ -333,7 +335,6 @@ LD_EXPORT(void) LDDataSourceStreamBuilder_Free(LDDataSourceStreamBuilder b);
  *
  * @return New builder for Polling method.
  */
-
 LD_EXPORT(LDDataSourcePollBuilder)
 LDDataSourcePollBuilder_New();
 
@@ -390,6 +391,51 @@ LDClientConfigBuilder_HttpProperties_Header(LDClientConfigBuilder b,
                                             char const* key,
                                             char const* value);
 
+/**
+ * Sets the TLS options builder. The builder is consumed; do not free it.
+ * @param b Client config builder. Must not be NULL.
+ * @param tls_builder The TLS options builder. Must not be NULL.
+ */
+LD_EXPORT(void)
+LDClientConfigBuilder_HttpProperties_Tls(
+    LDClientConfigBuilder b,
+    LDClientHttpPropertiesTlsBuilder tls_builder);
+
+/**
+ * Creates a new TLS options builder for the HttpProperties builder.
+ *
+ * If not passed into the HttpProperties
+ * builder, must be manually freed with LDClientHttpPropertiesTlsBuilder_Free.
+ *
+ * @return New builder for TLS options.
+ */
+LD_EXPORT(LDClientHttpPropertiesTlsBuilder)
+LDClientHttpPropertiesTlsBuilder_New(void);
+
+/**
+ * Frees a TLS options builder. Do not call if the builder was consumed by
+ * the HttpProperties builder.
+ *
+ * @param b Builder to free.
+ */
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_Free(LDClientHttpPropertiesTlsBuilder b);
+
+/**
+ * Configures TLS peer certificate verification. Peer verification
+ * is enabled by default.
+ *
+ * Disabling peer verification is not recommended unless a specific
+ * use-case calls for it.
+ *
+ * @param b Client config builder. Must not be NULL.
+ * @param skip_verify_peer True to skip verification.
+ */
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(
+    LDClientHttpPropertiesTlsBuilder b,
+    bool skip_verify_peer);
+
 /**
  * Disables the default SDK logging.
  * @param b Client config builder. Must not be NULL.

@@ -41,6 +41,11 @@ using namespace launchdarkly::client_side;
 #define FROM_CUSTOM_PERSISTENCE_BUILDER(ptr) \
     (reinterpret_cast<LDPersistenceCustomBuilder>(ptr))
 
+#define TO_TLS_BUILDER(ptr) (reinterpret_cast<TlsBuilder*>(ptr))
+
+#define FROM_TLS_BUILDER(ptr) \
+    (reinterpret_cast<LDClientHttpPropertiesTlsBuilder>(ptr))
+
 class PersistenceImplementationWrapper : public IPersistence {
    public:
     explicit PersistenceImplementationWrapper(LDPersistence impl)
@@ -306,6 +311,37 @@ LDClientConfigBuilder_HttpProperties_Header(LDClientConfigBuilder b,
     TO_BUILDER(b)->HttpProperties().Header(key, value);
 }
 
+LD_EXPORT(void)
+LDClientConfigBuilder_HttpProperties_Tls(
+    LDClientConfigBuilder b,
+    LDClientHttpPropertiesTlsBuilder tls_builder) {
+    LD_ASSERT_NOT_NULL(b);
+    LD_ASSERT_NOT_NULL(tls_builder);
+
+    TO_BUILDER(b)->HttpProperties().Tls(*TO_TLS_BUILDER(tls_builder));
+
+    LDClientHttpPropertiesTlsBuilder_Free(tls_builder);
+}
+
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(
+    LDClientHttpPropertiesTlsBuilder b,
+    bool skip_verify_peer) {
+    LD_ASSERT_NOT_NULL(b);
+
+    TO_TLS_BUILDER(b)->SkipVerifyPeer(skip_verify_peer);
+}
+
+LD_EXPORT(LDClientHttpPropertiesTlsBuilder)
+LDClientHttpPropertiesTlsBuilder_New(void) {
+    return FROM_TLS_BUILDER(new TlsBuilder());
+}
+
+LD_EXPORT(void)
+LDClientHttpPropertiesTlsBuilder_Free(LDClientHttpPropertiesTlsBuilder b) {
+    delete TO_TLS_BUILDER(b);
+}
+
 LD_EXPORT(void)
 LDClientConfigBuilder_Logging_Disable(LDClientConfigBuilder b) {
     LD_ASSERT_NOT_NULL(b);

@@ -74,7 +74,7 @@ PollingDataSource::PollingDataSource(
       status_manager_(status_manager),
       data_source_handler_(
           DataSourceEventHandler(context, handler, logger, status_manager_)),
-      requester_(ioc),
+      requester_(ioc, http_properties.Tls().PeerVerifyMode()),
       timer_(ioc),
       polling_interval_(
           std::get<
@@ -88,6 +88,10 @@ PollingDataSource::PollingDataSource(
     auto const& polling_config = std::get<
         config::shared::built::PollingConfig<config::shared::ClientSDK>>(
         data_source_config.method);
+    if (http_properties.Tls().PeerVerifyMode() ==
+        config::shared::built::TlsOptions::VerifyMode::kVerifyNone) {
+        LD_LOG(logger_, LogLevel::kDebug) << "TLS peer verification disabled";
+    }
     if (polling_interval_ < polling_config.min_polling_interval) {
         LD_LOG(logger_, LogLevel::kWarn)
             << "Polling interval too frequent, defaulting to "

@@ -127,6 +127,11 @@ void StreamingDataSource::Start() {
         client_builder.header(header.first, header.second);
     }
 
+    if (http_config_.Tls().PeerVerifyMode() ==
+        config::shared::built::TlsOptions::VerifyMode::kVerifyNone) {
+        client_builder.skip_verify_peer(true);
+    }
+
     auto weak_self = weak_from_this();
 
     client_builder.receiver([weak_self](launchdarkly::sse::Event const& event) {

@@ -65,14 +65,29 @@ TEST(ClientConfigBindings, AllConfigs) {
     LDDataSourceStreamBuilder_InitialReconnectDelayMs(stream_builder, 500);
     LDClientConfigBuilder_DataSource_MethodStream(builder, stream_builder);
 
+    LDDataSourceStreamBuilder stream_builder2 = LDDataSourceStreamBuilder_New();
+    LDDataSourceStreamBuilder_Free(stream_builder2);
+
     LDDataSourcePollBuilder poll_builder = LDDataSourcePollBuilder_New();
     LDDataSourcePollBuilder_IntervalS(poll_builder, 10);
     LDClientConfigBuilder_DataSource_MethodPoll(builder, poll_builder);
 
+    LDDataSourcePollBuilder poll_builder2 = LDDataSourcePollBuilder_New();
+    LDDataSourcePollBuilder_Free(poll_builder2);
+
     LDClientConfigBuilder_HttpProperties_Header(builder, "foo", "bar");
     LDClientConfigBuilder_HttpProperties_WrapperName(builder, "wrapper");
     LDClientConfigBuilder_HttpProperties_WrapperVersion(builder, "v1.2.3");
 
+    LDClientHttpPropertiesTlsBuilder tls_builder =
+        LDClientHttpPropertiesTlsBuilder_New();
+    LDClientHttpPropertiesTlsBuilder_SkipVerifyPeer(tls_builder, false);
+    LDClientConfigBuilder_HttpProperties_Tls(builder, tls_builder);
+
+    LDClientHttpPropertiesTlsBuilder tls_builder2 =
+        LDClientHttpPropertiesTlsBuilder_New();
+    LDClientHttpPropertiesTlsBuilder_Free(tls_builder2);
+
     LDClientConfigBuilder_Logging_Disable(builder);
 
     LDLoggingBasicBuilder log_builder = LDLoggingBasicBuilder_New();

@@ -22,6 +22,7 @@ using HttpPropertiesBuilder =
 using DataSourceBuilder = config::shared::builders::DataSourceBuilder<SDK>;
 using LoggingBuilder = config::shared::builders::LoggingBuilder;
 using PersistenceBuilder = config::shared::builders::PersistenceBuilder<SDK>;
+using TlsBuilder = config::shared::builders::TlsBuilder<SDK>;
 
 using Config = config::Config<SDK>;
 

@@ -10,6 +10,45 @@
 
 namespace launchdarkly::config::shared::builders {
 
+/**
+ * Class used for building TLS options used within HttpProperties.
+ * @tparam SDK The SDK type to build options for. This affects the default
+ * values of the built options.
+ */
+template <typename SDK>
+class TlsBuilder {
+   public:
+    /**
+     * Construct a new TlsBuilder. The builder will use the default
+     * properties based on the SDK type. Setting a property will override
+     * the default value.
+     */
+    TlsBuilder();
+
+    /**
+     * Create a TLS builder from an initial set of options.
+     * This can be useful when extending a set of options for a request.
+     *
+     * @param tls The TLS options to start with.
+     */
+    TlsBuilder(built::TlsOptions const& tls);
+
+    /**
+     * Whether to skip verifying the remote peer's certificates.
+     * @param skip_verify_peer True to skip verification, false to verify.
+     * @return A reference to this builder.
+     */
+    TlsBuilder& SkipVerifyPeer(bool skip_verify_peer);
+
+    /**
+     * Builds the TLS options.
+     * @return The built options.
+     */
+    [[nodiscard]] built::TlsOptions Build() const;
+
+   private:
+    enum built::TlsOptions::VerifyMode verify_mode_;
+};
 /**
  * Class used for building a set of HttpProperties.
  * @tparam SDK The SDK type to build properties for. This affects the default
@@ -116,6 +155,13 @@ class HttpPropertiesBuilder {
     HttpPropertiesBuilder& Header(std::string key,
                                   std::optional<std::string> value);
 
+    /**
+     * Sets the builder for TLS properties.
+     * @param builder The TLS property builder.
+     * @return A reference to this builder.
+     */
+    HttpPropertiesBuilder& Tls(TlsBuilder<SDK> builder);
+
     /**
      * Build a set of HttpProperties.
      * @return The built properties.
@@ -130,6 +176,7 @@ class HttpPropertiesBuilder {
     std::string wrapper_name_;
     std::string wrapper_version_;
     std::map<std::string, std::string> base_headers_;
+    TlsBuilder<SDK> tls_;
 };
 
 }  // namespace launchdarkly::config::shared::builders