KTOR-6182 Support throwing UnknownServiceException if there is no cleartext traffic permitted

[Goooler]

https://youtrack.jetbrains.com/issue/KTOR-6182

This part had been implemented in Okhttp & HttpURLConnection, we just need to patch it for CIO.

Staled some code from:
https://github.com/square/okhttp/blob/735ed1a6e5a15042f6d7e8f100fb3c8376f6aa27/okhttp/src/jvmMain/kotlin/okhttp3/internal/connection/RealRoutePlanner.kt#L205-L208
https://github.com/square/okhttp/blob/550cc11989e5117ed3d8afaf20c7b6c419b5351f/okhttp/src/main/kotlin/okhttp3/internal/platform/AndroidPlatform.kt#L105-L148

[rsinukov]

Thanks for the PR.

Can you explain what is the current behaviour and what is the benefit of this change, please?

[Goooler]

If we are using CIO to request an HTTP URL on Android 9+, there is no exception thrown (an example here), but thrown with the use of OkHttp or Android engine, cause the isCleartextTrafficPermitted check had been implemented by them, like this, this is a suggested behavior on Android:

This flag is honored on a best effort basis because it's impossible to prevent all cleartext traffic from Android applications given the level of access provided to them.

We should catch up what Okhttp did on Android, to provide the same experience.

[Goooler]

Not very sure if we should put this check here.

[rsinukov]

I think we can do it earlier, before creating connection. Maybe even in the CIOEngine.executemethod. Also, don't you need to check that the traffic is clear text?

[Goooler]

I believe we can, but I see this check had been seated at a simular position in Okhttp, not very sure why.

@yschimke Can you take a look?

[yschimke]

I don't know enough about CIO to comment, is this HTTP only here? Or could it be HTTPS also?

Probably worth adding tests to validate the behaviour for both cases.

Some extra context for OkHttp. We position it

• After application interceptors have a chance to modify the request, in case they have an AlwaysSecureInterceptor configured.
• Before we connect via various options - proxies, or IPv4/IPv6 fallback, which might involve connecting to an IP instead of a host. So we avoid working around the platform restrictions.

[Goooler]

It could be HTTP or HTTPS here. Thanks for your explanation, especially for the second point.

[rsinukov]

I think we can do it earlier, before creating connection. Maybe even in the CIOEngine.executemethod. Also, don't you need to check that the traffic is clear text?

[yschimke]

These aren't the full story for OkHttp.

We compile against robolectric android-all in order to call these APIs directly.

https://github.com/square/okhttp/blob/okhttp_4x/okhttp/src/main/kotlin/okhttp3/internal/platform/AndroidPlatform.kt

It's way simpler than the reflection.

[Goooler]

Yeah, I borrowed these code from the old implementation, cause I see there is no Android Runtime applied in CIO module.

[yschimke]

Same for OkHttp. It's a compile only dependency

[e5l]

Hey @Goooler, thank you for the PR.

It looks like this code is Android specific, it also could be helpful not only for CIO.
Could you please extract this check to the separate client plugin?

[Goooler]

What do you mean? You mean I should move Platform into a new module under ktor-client/ktor-client-plugins?

[e5l]

Yep! We also can install this plugin by default in case the VM is Dalvik

[Goooler]

How can I install this plugin for CIO by default?

[e5l]

let's make this in the separate PR, it looks like it require service loader or some similar mechanism

[Goooler]

Seems nonJvm source set hasn't been recognized, how can I implement this actual object for non-jvm platforms?

[e5l]

Hey @Goooler, it will need to be implemented for js and posix source sets.

To check the implementation in ide, you can invert the flag ktor.ide.jvmAndCommonOnly in gradle.properties https://github.com/ktorio/ktor/blob/92ece71d433f6d96754ef7d18ab2691e1f36160a/gradle.properties#L7C1-L7C1 and import project again

[Goooler]

9ff3467

[Goooler]

Seems the style check failure is not related to my change.