Fix "Validate TLS Certificates" option for WS and GRPC (#218)

2026-04-21 00:01:22 +02:00 · 2025-05-29 10:02:27 -04:00
parent 085b640b3c
commit bd1986f31f
17 changed files with 124 additions and 66 deletions
--- a/src-tauri/yaak-grpc/src/client.rs
+++ b/src-tauri/yaak-grpc/src/client.rs
@@ -26,13 +26,13 @@ pub struct AutoReflectionClient<T = Client<HttpsConnector<HttpConnector>, BoxBod
 }

 impl AutoReflectionClient {
-    pub fn new(uri: &Uri) -> Self {
+    pub fn new(uri: &Uri, validate_certificates: bool) -> Self {
        let client_v1 = v1::server_reflection_client::ServerReflectionClient::with_origin(
-            get_transport(),
+            get_transport(validate_certificates),
            uri.clone(),
        );
        let client_v1alpha = v1alpha::server_reflection_client::ServerReflectionClient::with_origin(
-            get_transport(),
+            get_transport(validate_certificates),
            uri.clone(),
        );
        AutoReflectionClient {
--- a/src-tauri/yaak-grpc/src/manager.rs
+++ b/src-tauri/yaak-grpc/src/manager.rs
@@ -181,10 +181,11 @@ impl GrpcHandle {
        uri: &str,
        proto_files: &Vec<PathBuf>,
        metadata: &BTreeMap<String, String>,
+        validate_certificates: bool,
    ) -> Result<(), String> {
        let pool = if proto_files.is_empty() {
            let full_uri = uri_from_str(uri)?;
-            fill_pool_from_reflection(&full_uri, metadata).await
+            fill_pool_from_reflection(&full_uri, metadata, validate_certificates).await
        } else {
            fill_pool_from_files(&self.app_handle, proto_files).await
        }?;
@@ -199,9 +200,10 @@ impl GrpcHandle {
        uri: &str,
        proto_files: &Vec<PathBuf>,
        metadata: &BTreeMap<String, String>,
+        validate_certificates: bool,
    ) -> Result<Vec<ServiceDefinition>, String> {
        // Ensure reflection is up-to-date
-        self.reflect(id, uri, proto_files, metadata).await?;
+        self.reflect(id, uri, proto_files, metadata, validate_certificates).await?;

        let pool = self.get_pool(id, uri, proto_files).ok_or("Failed to get pool".to_string())?;
        Ok(self.services_from_pool(&pool))
@@ -238,12 +240,13 @@ impl GrpcHandle {
        uri: &str,
        proto_files: &Vec<PathBuf>,
        metadata: &BTreeMap<String, String>,
+        validate_certificates: bool,
    ) -> Result<GrpcConnection, String> {
-        self.reflect(id, uri, proto_files, metadata).await?;
+        self.reflect(id, uri, proto_files, metadata, validate_certificates).await?;
        let pool = self.get_pool(id, uri, proto_files).ok_or("Failed to get pool")?;

        let uri = uri_from_str(uri)?;
-        let conn = get_transport();
+        let conn = get_transport(validate_certificates);
        let connection = GrpcConnection {
            pool: pool.clone(),
            conn,
--- a/src-tauri/yaak-grpc/src/reflection.rs
+++ b/src-tauri/yaak-grpc/src/reflection.rs
@@ -93,9 +93,10 @@ pub async fn fill_pool_from_files(
 pub async fn fill_pool_from_reflection(
    uri: &Uri,
    metadata: &BTreeMap<String, String>,
+    validate_certificates: bool,
 ) -> Result<DescriptorPool, String> {
    let mut pool = DescriptorPool::new();
-    let mut client = AutoReflectionClient::new(uri);
+    let mut client = AutoReflectionClient::new(uri, validate_certificates);

    for service in list_services(&mut client, metadata).await? {
        if service == "grpc.reflection.v1alpha.ServerReflection" {
--- a/src-tauri/yaak-grpc/src/transport.rs
+++ b/src-tauri/yaak-grpc/src/transport.rs
@@ -2,25 +2,16 @@ use hyper_rustls::{HttpsConnector, HttpsConnectorBuilder};
 use hyper_util::client::legacy::connect::HttpConnector;
 use hyper_util::client::legacy::Client;
 use hyper_util::rt::TokioExecutor;
-use rustls::crypto::ring;
-use rustls::ClientConfig;
-use rustls_platform_verifier::BuilderVerifierExt;
-use std::sync::Arc;
 use tonic::body::BoxBody;

-pub(crate) fn get_transport() -> Client<HttpsConnector<HttpConnector>, BoxBody> {
-    let arc_crypto_provider = Arc::new(ring::default_provider());
-    let config = ClientConfig::builder_with_provider(arc_crypto_provider)
-        .with_safe_default_protocol_versions()
-        .unwrap()
-        .with_platform_verifier()
-        .with_no_client_auth();
+pub(crate) fn get_transport(validate_certificates: bool) -> Client<HttpsConnector<HttpConnector>, BoxBody> {
+    let tls_config = yaak_http::tls::get_config(validate_certificates);

    let mut http = HttpConnector::new();
    http.enforce_http(false);

    let connector =
-        HttpsConnectorBuilder::new().with_tls_config(config).https_or_http().enable_http2().build();
+        HttpsConnectorBuilder::new().with_tls_config(tls_config).https_or_http().enable_http2().build();

    let client = Client::builder(TokioExecutor::new())
        .pool_max_idle_per_host(0)