Fix etag handling in WebDAV client

[aivanovski]

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced SSL validation options in the server login interface, allowing users to choose whether to ignore SSL certificate validation.
  • Added a checkbox for SSL validation settings in the login UI.

• Bug Fixes

  • Removed deprecated string resource related to SSL validation from debug strings.

• Documentation

  • Updated string resources to include user-facing text for ignoring SSL certificate validation.

These updates enhance user control over SSL validation settings during server login, improving the overall user experience.

[coderabbitai]

Walkthrough

The pull request introduces modifications primarily focused on the handling of SSL validation within various components of the application. Key changes include the addition of an isIgnoreSslValidation parameter to the BasicCredentials class, updates to the UsedFileDaoTest to reflect this change, and enhancements to the ServerLoginScreen and ServerLoginViewModel to manage SSL validation settings. Additionally, new utility classes and methods have been introduced to facilitate the creation of HTTP clients with SSL configurations, while some network-related functionalities have been removed from the core module.

Changes

File	Change Summary
app/src/androidTest/kotlin/com/ivanovsky/passnotes/data/repository/db/dao/UsedFileDaoTest.kt	Modified UsedFile initialization in UsedFileDaoTest to include isIgnoreSslValidation parameter in BasicCredentials. Default set to false for main file and true for key file.
app/src/main/kotlin/com/ivanovsky/passnotes/data/entity/FSCredentials.kt	Added isIgnoreSslValidation property to BasicCredentials class constructor.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/converters/FSAuthorityTypeConverter.kt	Updated parseEncodedCredentials and encodeCredentialsToString methods to handle isIgnoreSslValidation property in JSON parsing and encoding. Added constant for property handling.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/FileSystemResolver.kt	Removed second parameter from WebDavClientV2 constructor call, affecting RemoteApiClientAdapter instantiation.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/fake/FakeFileSystemProvider.kt	Updated FS_AUTHORITY to include isIgnoreSslValidation = false in BasicCredentials.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientFactory.kt	Introduced HttpClientFactory object with method to create OkHttpClient based on HttpClientType, including unsecured client handling.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientType.kt	Added HttpClientType enum with SECURE and UNSECURE constants.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavClientV2.kt	Updated constructor to remove OkHttpClient parameter. Modified toRemoteFileMetadata method to change how revision is set based on etag.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt	Removed constructor dependency on OkHttpClient, introduced ConcurrentHashMap for managing multiple clients based on SSL validation settings.
app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/keepass/kotpass/EncryptedDatabaseKeyExtensions.kt	Updated toCredentials method to include SecureRandom in EncryptedValue.fromBinary method call.
app/src/main/kotlin/com/ivanovsky/passnotes/domain/usecases/test/GetTestCredentialsUseCase.kt	Updated getDebugWebDavCredentials and getDebugFakeCredentials methods to include isIgnoreSslValidation parameter in BasicCredentials.
app/src/main/kotlin/com/ivanovsky/passnotes/injection/modules/CoreModule.kt	Removed provideOkHttp and createUnsecuredTrustManager functions, along with associated imports, streamlining the module by eliminating unused network handling code.
app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginScreen.kt	Enhanced UI with new callback for SSL validation state, updated function signatures to manage SSL validation checkbox state.
app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginViewModel.kt	Added handling for OnIgnoreSslValidationStateChanged intent, updated getFsCredentials to include isIgnoreSslValidation parameter.
app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginIntent.kt	Introduced OnIgnoreSslValidationStateChanged data class to manage SSL validation state changes.
app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginState.kt	Added isIgnoreSslValidationCheckboxEnabled and isIgnoreSslValidationChecked properties to Data class for managing SSL validation state in the UI.
app/src/main/res/values/debug-strings.xml	Removed string resource for ignoring SSL certificate validation, indicating its functionality is no longer supported in the debug menu.
app/src/main/res/values/strings.xml	Added new string resource for ignoring SSL certificate validation, providing user-facing text for this option.

Possibly related PRs

• Update kotpass to 0.10.0 #281: Updates to the kotpass library version, which may indirectly relate to the handling of credentials, but no direct modifications to the UsedFileDaoTest or FSCredentials.BasicCredentials that connect it to the main PR's changes regarding SSL validation handling.

Poem

🐰 In the land of code where the rabbits play,
New SSL rules have come to stay.
With credentials strong and validations clear,
We hop along without any fear!
Ignoring SSL? Not anymore,
Our code is tidy, that's for sure! 🐇

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 11

🧹 Outside diff range and nitpick comments (5)

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginState.kt (1)

30-30: Consider adding documentation about SSL validation security implications

Adding the ability to ignore SSL validation can pose security risks. Consider:

1. Adding KDoc comments explaining the security implications
2. Ensuring the UI shows appropriate security warnings when isIgnoreSslValidationChecked is true

     @Immutable
     data class Data(
         val loginType: LoginType,
         val errorMessage: String?,
         val url: String,
         val urlError: String?,
         val username: String,
         val password: String,
         val isUsernameEnabled: Boolean,
         val isPasswordEnabled: Boolean,
         val isSecretUrlCheckboxEnabled: Boolean,
+        /** 
+         * Controls whether SSL validation can be disabled. 
+         * SECURITY NOTE: Disabling SSL validation makes connections vulnerable to MITM attacks.
+         */
         val isIgnoreSslValidationCheckboxEnabled: Boolean,
         val isPasswordVisible: Boolean,
         val isSshConfigurationEnabled: Boolean,
         val isSecretUrlChecked: Boolean,
+        /** 
+         * Indicates if SSL validation is disabled.
+         * SECURITY NOTE: When true, connections are vulnerable to MITM attacks.
+         */
         val isIgnoreSslValidationChecked: Boolean,
         val selectedSshOption: SshOption,
         val sshOptions: List<SshOption>
     ) : ServerLoginState

Also applies to: 34-34

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginIntent.kt (1)

37-39: Add KDoc documentation about security implications.

Consider adding documentation to explain when this intent should be used and the security implications of ignoring SSL validation.

+    /**
+     * Intent to handle SSL validation settings.
+     * SECURITY WARNING: Disabling SSL validation makes the connection vulnerable to
+     * man-in-the-middle attacks. Use only for development/testing or when connecting
+     * to servers with self-signed certificates.
+     */
     data class OnIgnoreSslValidationStateChanged(
         val isChecked: Boolean
     ) : ServerLoginIntent(isImmediate = true)

app/src/main/kotlin/com/ivanovsky/passnotes/domain/usecases/test/GetTestCredentialsUseCase.kt (1)

24-25: Consider making SSL validation configurable for testing scenarios

The hardcoded isIgnoreSslValidation = false might limit testing scenarios, especially when testing against development servers with self-signed certificates. Consider making this configurable through the test settings.

 FSCredentials.BasicCredentials(
     url = data.webdavUrl,
     username = data.webdavUsername,
     password = data.webdavPassword,
-    isIgnoreSslValidation = false
+    isIgnoreSslValidation = data.ignoreSslValidation
 )

Also applies to: 60-61

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginScreen.kt (1)

167-172: Document security implications of SSL validation toggle

Consider adding a warning message or documentation about the security implications of disabling SSL certificate validation. Users should understand the risks involved.

Would you like me to help draft the warning message or documentation?

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientFactory.kt (1)

27-42: Ensure that SSL certificate validation is appropriately handled.

Disabling SSL certificate validation can introduce significant security risks. Even though this behavior is restricted to BuildConfig.DEBUG and HttpClientType.UNSECURE, it's crucial to ensure that this code cannot be inadvertently enabled in production builds.

Consider adding additional safeguards or comments to prevent misuse, and ensure that HttpClientType.UNSECURE is used exclusively in development or testing environments.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 83605c1 and a953eee.

📒 Files selected for processing (18)

• app/src/androidTest/kotlin/com/ivanovsky/passnotes/data/repository/db/dao/UsedFileDaoTest.kt (2 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/entity/FSCredentials.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/converters/FSAuthorityTypeConverter.kt (3 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/FileSystemResolver.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/fake/FakeFileSystemProvider.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientFactory.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientType.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavClientV2.kt (2 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (2 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/keepass/kotpass/EncryptedDatabaseKeyExtensions.kt (2 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/domain/usecases/test/GetTestCredentialsUseCase.kt (2 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/injection/modules/CoreModule.kt (0 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginScreen.kt (13 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginViewModel.kt (8 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginIntent.kt (1 hunks)
• app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginState.kt (1 hunks)
• app/src/main/res/values/debug-strings.xml (0 hunks)
• app/src/main/res/values/strings.xml (1 hunks)

💤 Files with no reviewable changes (2)

• app/src/main/res/values/debug-strings.xml
• app/src/main/kotlin/com/ivanovsky/passnotes/injection/modules/CoreModule.kt

✅ Files skipped from review due to trivial changes (2)

• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientType.kt
• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/fake/FakeFileSystemProvider.kt

🧰 Additional context used

🪛 detekt (1.23.7)

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientFactory.kt

[warning] 54-55: This empty block of code can be removed.

(detekt.empty-blocks.EmptyFunctionBlock)

---

[warning] 61-62: This empty block of code can be removed.

(detekt.empty-blocks.EmptyFunctionBlock)

🔇 Additional comments (20)

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/model/ServerLoginState.kt (1)

30-30: Verify PR scope: SSL validation changes vs etag handling

The PR title mentions "Fix etag handling" but these changes are related to SSL validation. Could you clarify if this is intentional or if these changes should be in a separate PR?

Also applies to: 34-34

✅ Verification successful

Based on the evidence gathered, I can now generate the final response:

SSL validation and etag handling are separate, valid changes in this PR

The changes are actually related as both are WebDAV client improvements:

• Etag handling is being fixed in WebDavClientV2.kt for proper file revision tracking
• SSL validation is being added as a debug feature for WebDAV connections (LoginType.USERNAME_PASSWORD), controlled via UI state

The changes are well-scoped and properly implemented:

• SSL validation is only enabled in debug builds (BuildConfig.DEBUG)
• Etag changes are focused on the WebDAV client implementation
• Both changes improve the WebDAV client functionality in different aspects

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for related etag handling changes
rg -l "etag" --type kotlin

Length of output: 116

---

Script:

#!/bin/bash
# Let's check the WebDavClientV2.kt file for etag-related changes and SSL validation changes
rg -B 2 -A 2 "etag|ssl|SSL" app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavClientV2.kt

Length of output: 348

---

Script:

#!/bin/bash
# Let's also check for any commit messages or PR description that might explain the relationship
git log --grep="etag\|ssl\|SSL" --pretty=format:"%h %s" -n 5

Length of output: 0

---

Script:

#!/bin/bash
# Check if there are other files with SSL validation changes
rg -l "ignoreSslValidation|IgnoreSslValidation" --type kotlin

Length of output: 989

---

Script:

#!/bin/bash
# Let's check the changes in WebDavNetworkLayer.kt to understand if SSL and etag changes are related
rg -B 5 -A 5 "etag|ssl|SSL" app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt

Length of output: 123

---

Script:

#!/bin/bash
# Let's also check the ServerLoginViewModel for the relationship between these features
rg -B 5 -A 5 "ignoreSslValidation|IgnoreSslValidation" app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginViewModel.kt

Length of output: 4057

app/src/main/kotlin/com/ivanovsky/passnotes/data/entity/FSCredentials.kt (1)

16-17: Breaking Change: Adding required parameter to BasicCredentials

The addition of isIgnoreSslValidation parameter is a breaking change that will affect all existing instantiations of BasicCredentials. This requires updates to:

• All constructor calls
• Any serialized data using this class
• Unit tests

Let's verify the impact:

app/src/main/kotlin/com/ivanovsky/passnotes/domain/usecases/test/GetTestCredentialsUseCase.kt (1)

24-25: Verify PR scope: SSL validation vs etag handling

The PR title mentions "Fix etag handling in WebDAV client", but these changes are related to SSL certificate validation. This suggests a potential scope mismatch or missing context.

Also applies to: 60-61

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/keepass/kotpass/EncryptedDatabaseKeyExtensions.kt (1)

Line range hint 1-71: Verify alignment with PR objectives

The changes in this file relate to encryption and key handling, but the PR title suggests fixing etag handling in WebDAV client. Could you clarify how these changes contribute to the PR's objective?

Let's check for related WebDAV and etag changes:

app/src/androidTest/kotlin/com/ivanovsky/passnotes/data/repository/db/dao/UsedFileDaoTest.kt (2)

113-114: LGTM! Secure default for SSL validation.

The isIgnoreSslValidation = false is a secure default as it ensures SSL certificate validation is enabled for the main file operations.

---

129-130: Verify the security implications of disabled SSL validation for key files.

Setting isIgnoreSslValidation = true for key files disables SSL certificate validation, which could expose these operations to man-in-the-middle attacks. Please verify if this is intentional and document the security considerations.

Let's check if this pattern is consistent across the codebase:

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/FileSystemResolver.kt (1)

101-101: Verify WebDavClientV2 changes related to etag handling

The removal of a parameter from WebDavClientV2 constructor might be related to etag handling changes. Let's verify the implementation.

✅ Verification successful

Based on the shell script results, I can now generate the final response:

WebDavClientV2 constructor change is safe and aligns with etag handling

The code inspection shows that the WebDavClientV2 constructor simplification is safe and properly handles etags. The etag handling is implemented in the toRemoteFileMetadata method where it's used as the primary source for the revision field, with a fallback to timestamp when etag is null. No additional parameters were needed in the constructor for this functionality.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check WebDavClientV2 implementation and related changes

# Look for WebDavClientV2 class definition and etag-related code
ast-grep --pattern 'class WebDavClientV2' -A 10
rg -A 5 'etag|ETag' 

# Look for any tests related to etag handling
fd -e kt -e java test | xargs rg -A 5 'WebDavClientV2.*etag|ETag'

Length of output: 40095

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/converters/FSAuthorityTypeConverter.kt (3)

129-129: LGTM!

The isIgnoreSslValidation property is correctly serialized using the defined constant.

---

167-167: LGTM!

The constant follows the established naming convention and is appropriately grouped with other credential-related constants.

---

76-77: LGTM! Verify backward compatibility with existing stored credentials.

The implementation correctly handles the new isIgnoreSslValidation property using optBoolean, which safely defaults to false for existing stored credentials.

Let's verify the handling of existing credentials in the database:

✅ Verification successful

Backward compatibility is properly maintained ✅

The implementation is safe for existing stored credentials because:

1. The isIgnoreSslValidation property is handled using optBoolean() which defaults to false when the field is missing in stored JSON
2. The FSCredentials.BasicCredentials data class has been updated to include the new field
3. The type converter properly handles both serialization and deserialization of the new field
4. No database schema changes were required since credentials are stored as an encoded JSON string

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for database migrations or schema changes related to FSAuthority
rg -l "FSAuthority|BasicCredentials" --type kotlin

Length of output: 4420

---

Script:

#!/bin/bash
# Check database migrations and schema changes
rg -A 10 "FSAuthority|BasicCredentials" "app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/migration/"

# Check database version and schema
rg "version =" "app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/AppDatabase.kt"

# Check FSAuthority and BasicCredentials entity definitions
cat app/src/main/kotlin/com/ivanovsky/passnotes/data/entity/FSAuthority.kt

Length of output: 1542

---

Script:

#!/bin/bash
# Check FSCredentials entity to understand the structure and BasicCredentials
cat app/src/main/kotlin/com/ivanovsky/passnotes/data/entity/FSCredentials.kt

# Check existing stored credentials handling in the converter
cat app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/db/converters/FSAuthorityTypeConverter.kt

Length of output: 8344

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavClientV2.kt (2)

30-30: LGTM: Improved encapsulation of HTTP client creation

The removal of the httpClient parameter and initialization of webDavClient using WebDavNetworkLayer improves encapsulation by moving HTTP client creation responsibility to the appropriate layer.

Also applies to: 33-38

---

331-335: LGTM: Improved etag handling with proper fallback

The change properly handles null etags by falling back to the modified timestamp, which is a good practice for versioning.

Let's verify if any code relies on specific etag formats:

✅ Verification successful

Based on the search results, I can generate the final response since I have enough information to verify the etag handling change. The search shows that:

1. The etag/revision is only used for sync state tracking and file metadata comparison
2. There are no string operations or format-specific checks on the etag/revision values
3. The revision value is treated as an opaque string for equality comparisons only

LGTM: Etag handling change is safe

The fallback to using modified timestamp as revision when etag is null is safe since:

• No code relies on specific etag formats or performs string operations on revision values
• Revision is only used for equality comparisons to detect changes
• This matches common WebDAV server behavior where some servers don't provide etags

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Search for code that might be affected by the etag format change

# Look for etag usage in the codebase
rg -A 3 "revision\s*=|etag\s*=" --type kotlin

# Look for any equality checks or string operations on revision/etag
ast-grep --pattern 'if ($EXPR == $REVISION) { $$$ }' --lang kotlin
ast-grep --pattern '$REVISION.equals($EXPR)' --lang kotlin
ast-grep --pattern '$REVISION.startsWith($EXPR)' --lang kotlin

Length of output: 71506

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginViewModel.kt (3)

153-159: LGTM: Clean implementation of SSL validation state handler

The implementation follows the established pattern for state updates in the ViewModel.

---

382-382: LGTM: State initialization

The SSL validation checkbox state is properly initialized to false by default.

Also applies to: 386-386

---

408-410: Verify DEBUG build restriction

The SSL validation toggle is correctly restricted to DEBUG builds, but let's verify this is consistently enforced across the codebase.

✅ Verification successful

SSL validation bypass is properly restricted to DEBUG builds

The codebase shows consistent enforcement of SSL validation bypass restrictions:

1. In WebDavNetworkLayer.kt, SSL validation is only disabled when both conditions are met:

val clientType = if (isIgnoreSslValidation && BuildConfig.DEBUG) {
    HttpClientType.UNSECURE
} else {
    HttpClientType.SECURE
}

2. In ServerLoginViewModel.kt, the SSL validation toggle is only enabled in DEBUG builds:

private fun isIgnoreSslValidationCheckboxEnabled(): Boolean {
    return args.loginType == LoginType.USERNAME_PASSWORD && BuildConfig.DEBUG
}

3. The implementation in HttpClientFactory.kt includes proper warning logs when SSL validation is disabled.

4. Test credentials and fake filesystem implementations maintain secure defaults with isIgnoreSslValidation = false.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any other DEBUG build checks related to SSL validation
rg "BuildConfig.DEBUG.*SSL|SSL.*BuildConfig.DEBUG"

# Look for any potential SSL validation bypasses
ast-grep --pattern 'isIgnoreSslValidation = true'

Length of output: 104

---

Script:

#!/bin/bash
# Search for SSL validation related code more broadly
rg -i "ssl.*validation|validation.*ssl" -A 3 -B 3

# Look for SSL trust manager or certificate related code
rg -i "trustmanager|sslsocketfactory|x509|certificate" -A 3 -B 3

# Search for ignore SSL related variables and settings
rg -i "ignoressl|ssl.*ignore" -A 3 -B 3

Length of output: 98551

app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ServerLoginScreen.kt (2)

64-66: LGTM: Callback implementation follows existing patterns

The new SSL validation callback is properly implemented and follows the same pattern as other callbacks in the file.

---

160-165: LGTM: Clean checkbox implementation with good reusability

The new CheckboxItem composable is well-implemented and properly reused for both secret URL and SSL validation checkboxes. The implementation follows Material3 guidelines and maintains consistent styling.

Also applies to: 167-172

app/src/main/res/values/strings.xml (1)

300-300: LGTM! String resource addition looks good.

The new string resource is well-placed, follows naming conventions, and clearly describes the SSL validation setting.

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (2)

48-52: Confirm intentional usage of isIgnoreSslValidation only in DEBUG builds

In setupClient, the isIgnoreSslValidation parameter is only considered when BuildConfig.DEBUG is true. This means SSL validation cannot be ignored in release builds. Verify if this behavior is intended.

Please confirm if ignoring SSL validation should be restricted to DEBUG builds. If not, consider removing the BuildConfig.DEBUG check.

 private fun setupClient(
     isIgnoreSslValidation: Boolean
 ) {
-    val clientType = if (isIgnoreSslValidation && BuildConfig.DEBUG) {
+    val clientType = if (isIgnoreSslValidation) {
         HttpClientType.UNSECURE
     } else {
         HttpClientType.SECURE
     }

---

45-59: ⚠️ Potential issue

Ensure proper client initialization in setupClient

Verify that the client creation in setupClient cannot fail silently. If HttpClientFactory.createHttpClient(clientType) returns null or throws an exception, webDavClient may remain null. Consider adding error handling for client creation.

Run the following script to check if HttpClientFactory.createHttpClient(clientType) can return null or throw exceptions:

[coderabbitai]

💡 Codebase verification

Security warning needs to be improved for SSL validation bypass

Based on the verification results, while the implementation is technically correct, there are security concerns:

1. The SSL validation checkbox is labeled simply as "Ignore SSL certificate validation" without any warning about security risks
2. No confirmation dialog or explicit warning is shown when users disable SSL validation
3. The option is not restricted to debug/development builds (though the actual SSL bypass is limited to DEBUG builds as seen in WebDavNetworkLayer.kt)

Recommendations:

• Add a warning message to clearly communicate the security risks of disabling SSL validation
• Consider showing a confirmation dialog when enabling this option
• Update the string resource to include security implications in its label

🔗 Analysis chain

Implementation looks good, but consider security implications.

The implementation follows the existing pattern and is technically sound. However, since this intent controls SSL validation which is a critical security feature, ensure that:

1. Users are clearly warned about the security risks when disabling SSL validation
2. This option is only used for development/testing purposes or in very specific scenarios

Let's verify if appropriate warning dialogs are implemented:

---

Let's check the string resource to see the actual warning message shown to users:

---

Let's check if there are any additional warning dialogs or messages shown when enabling this option:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for warning messages or dialogs related to SSL validation
rg -i "ssl.*warning|warning.*ssl|disable.*ssl|ssl.*validation" --type kotlin

Length of output: 8578

---

Script:

#!/bin/bash
# Search for the string resource containing SSL validation warning
rg "ignore_ssl_certificate_validation" app/src/main/res/ -A 2

Length of output: 659

---

Script:

#!/bin/bash
# Search for dialog implementations in ServerLoginScreen and ViewModel
rg "Dialog|AlertDialog|showDialog|dialog" app/src/main/kotlin/com/ivanovsky/passnotes/presentation/serverLogin/ -B 2 -A 2

Length of output: 123

[coderabbitai]

⚠️ Potential issue

Security Consideration: SSL Validation Control

Adding the ability to disable SSL validation could lead to security vulnerabilities if not properly documented and controlled. Consider:

1. Adding KDoc comments explaining the security implications
2. Making this an opt-in feature with a default value of false
3. Adding runtime warnings when SSL validation is disabled

Suggested improvement:

    data class BasicCredentials(
        val url: String,
        val username: String,
        val password: String,
-       val isIgnoreSslValidation: Boolean
+       /** 
+        * WARNING: Disabling SSL validation is dangerous and should only be used in controlled environments
+        * as it makes the connection vulnerable to man-in-the-middle attacks.
+        */
+       val isIgnoreSslValidation: Boolean = false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	val isIgnoreSslValidation: Boolean
	/**
	* WARNING: Disabling SSL validation is dangerous and should only be used in controlled environments
	* as it makes the connection vulnerable to man-in-the-middle attacks.
	*/
	val isIgnoreSslValidation: Boolean = false

[coderabbitai]

💡 Codebase verification

PR title should be updated to reflect both changes

The PR includes two distinct changes:

1. Etag handling improvement: Adding a fallback to use modified time when etag is null
2. SSL validation configuration: Adding the ability to ignore SSL certificate validation

The PR title should be updated to: "Fix etag handling and add SSL validation configuration in WebDAV client"

🔗 Analysis chain

Verify PR Title vs Implementation

The PR title mentions "Fix etag handling in WebDAV client" but the changes are focused on SSL validation. This discrepancy should be clarified:

1. Is this change part of the etag handling fix?
2. Should the PR title be updated to reflect the SSL validation changes?

Let's check for etag-related changes:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Look for etag-related changes in the codebase
rg "etag|ETag" --type kotlin

# Check if there are other files in this PR that handle etags
git diff --name-only HEAD~1 | xargs rg "etag|ETag" --type kotlin

Length of output: 605

---

Script:

#!/bin/bash
# Let's check the PR diff to understand the full scope of changes
git diff HEAD~1

# Also check the PR title and description
git log -1 --pretty=%B

Length of output: 33733

---

Script:

#!/bin/bash
# Let's check the PR title and commit message
git log -1 --format=%s

# Let's check for etag-related changes in WebDavClientV2.kt
git diff HEAD~1 app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavClientV2.kt | grep -A 5 -B 5 "etag"

Length of output: 569

[coderabbitai]

🛠️ Refactor suggestion

Consider reusing SecureRandom instance

Creating a new SecureRandom instance for each encryption operation could lead to predictable seeds if called in rapid succession on some platforms. Consider reusing a single instance.

Here's a suggested implementation:

+ private val secureRandom = SecureRandom()
+
 fun EncryptedDatabaseKey.toCredentials(
     fileSystemResolver: FileSystemResolver
 ): OperationResult<Credentials> {
     // ...
                     EncryptedValue.fromBinary(
                         bytes = bytes,
-                        random = SecureRandom()
+                        random = secureRandom
                     )
     // ...
 }

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

💡 Codebase verification

Based on the findings, I can now generate the final response.

Security improvements needed for SSL validation toggle

The SSL validation toggle lacks sufficient safety measures:

• No warning messages in the UI beyond the basic checkbox label "Ignore SSL certificate validation"
• No logging when SSL validation is disabled
• While the toggle is guarded by BuildConfig.DEBUG, additional safeguards are recommended

Required changes:

• Add a prominent warning dialog or UI indicator when SSL validation is disabled
• Implement logging through Timber when SSL validation is toggled off
• Add documentation about security implications in code comments
• Consider adding a persistent notification when running with disabled SSL validation

🔗 Analysis chain

Security consideration: SSL validation toggle

The ability to disable SSL validation could pose security risks if accidentally enabled in production builds. While it's currently restricted to DEBUG builds, consider:

1. Adding a prominent warning in the UI when SSL validation is disabled
2. Adding logging when SSL validation is disabled
3. Adding documentation about the security implications

Also applies to: 243-244

---

Let me verify if there are any UI warnings or logging related to SSL validation.

---

Let me check the implementation to verify if SSL validation is properly guarded.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the SSL validation toggle is properly guarded in the codebase
rg -A 2 "isIgnoreSslValidation|ignoreSslValidation" 

Length of output: 10452

---

Script:

#!/bin/bash
# Check for any warning messages or logging related to SSL validation
rg -i "ssl.*warn|warn.*ssl" 

# Check string resources for any SSL-related warnings
fd "strings.*xml" | xargs cat | grep -i "ssl\|certif"

Length of output: 307

---

Script:

#!/bin/bash
# Check how SSL validation is implemented and guarded
rg -A 5 "BuildConfig.DEBUG.*ssl|ssl.*BuildConfig.DEBUG" 

# Check for any logging implementations
rg -A 2 "Log\." --type kotlin

Length of output: 724

[coderabbitai]

🛠️ Refactor suggestion

Handle uninitialized webDavClient in execute method

Currently, if webDavClient is null, requireNotNull(client) will throw an IllegalArgumentException. Consider returning an OperationResult with an appropriate error message to handle this case more gracefully.

Apply this diff to return an error when webDavClient is not initialized:

 fun <T> execute(call: (webDavClient: OkHttpSardine) -> T): OperationResult<T> {
     val client = webDavClient
-    requireNotNull(client)
+    if (client == null) {
+        return OperationResult.error(OperationError.newGenericError("Client is not initialized"))
+    }

     try {
         return OperationResult.success(call.invoke(client))

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	val client = webDavClient
	requireNotNull(client)
	val client = webDavClient
	if (client == null) {
	return OperationResult.error(OperationError.newGenericError("Client is not initialized"))
	}

[coderabbitai]

⚠️ Potential issue

Handle potential null webDavClient after setup

After calling setupClient, webDavClient might still be null if client creation fails. Ensure that webDavClient is properly initialized before setting credentials.

Apply this diff to check for null and handle the error appropriately:

 fun setCredentials(credentials: FSCredentials.BasicCredentials) {
     setupClient(isIgnoreSslValidation = credentials.isIgnoreSslValidation)
-    webDavClient?.setCredentials(credentials.username, credentials.password)
+    val client = webDavClient
+    if (client != null) {
+        client.setCredentials(credentials.username, credentials.password)
+    } else {
+        // Handle the error, e.g., log or throw an exception
+        Timber.e("Failed to initialize WebDav client")
+    }
 }

Committable suggestion skipped: line range outside the PR's diff.

[coderabbitai]

🛠️ Refactor suggestion

Ensure thread safety for webDavClient and clients

Access to webDavClient and clients may not be thread-safe, leading to potential concurrency issues when used in a multithreaded environment. Consider adding synchronization or using thread-safe implementations to prevent inconsistent states.

Apply this diff to make webDavClient volatile and synchronize the setupClient method:

 class WebDavNetworkLayer {

-    private val clients: MutableMap<HttpClientType, OkHttpSardine> = ConcurrentHashMap()
-    private var webDavClient: OkHttpSardine? = null
+    private val clients: ConcurrentHashMap<HttpClientType, OkHttpSardine> = ConcurrentHashMap()
+    @Volatile private var webDavClient: OkHttpSardine? = null

     fun setCredentials(credentials: FSCredentials.BasicCredentials) {
         setupClient(isIgnoreSslValidation = credentials.isIgnoreSslValidation)
         webDavClient?.setCredentials(credentials.username, credentials.password)
     }

+    @Synchronized
     private fun setupClient(
         isIgnoreSslValidation: Boolean
     ) {
         // existing implementation
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	private val clients: MutableMap<HttpClientType, OkHttpSardine> = ConcurrentHashMap()
	private var webDavClient: OkHttpSardine? = null
	private val clients: ConcurrentHashMap<HttpClientType, OkHttpSardine> = ConcurrentHashMap()
	@Volatile private var webDavClient: OkHttpSardine? = null

[coderabbitai]

⚠️ Potential issue

Correct the import and usage of OkHttp.

The class OkHttp does not exist in the OkHttp library, which may lead to a compilation error. In line 9, the import import okhttp3.OkHttp is incorrect, and in line 20, using OkHttp::class.java.simpleName will not function as intended.

Apply this diff to fix the issue:

-import okhttp3.OkHttp
+// Removed incorrect import of OkHttp

And update the logging statement:

-            Timber.tag(OkHttp::class.java.simpleName).d(it)
+            Timber.tag(OkHttpClient::class.java.simpleName).d(it)

Also applies to: 20-20

[coderabbitai]

🛠️ Refactor suggestion

Provide justification for suppressing lint warnings and empty method bodies.

The methods checkClientTrusted and checkServerTrusted have empty bodies, and lint warnings are suppressed using @SuppressLint("TrustAllX509TrustManager"). While this is necessary for creating an unsecured trust manager, suppressing these warnings without explanation can be risky.

Include comments within the methods or before the suppression annotations explaining the reasoning behind suppressing lint warnings and leaving the methods empty. This will aid future maintainers in understanding the intent and prevent accidental misuse.

Also applies to: 58-63

🧰 Tools

🪛 detekt (1.23.7)

[warning] 54-55: This empty block of code can be removed.

(detekt.empty-blocks.EmptyFunctionBlock)

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (2)

Line range hint 24-44: Improve error handling in execute method.

Using requireNotNull could lead to uncaught exceptions. Consider handling the null case explicitly and adding more specific error messages.

Apply this diff to improve error handling:

 fun <T> execute(call: (webDavClient: OkHttpSardine) -> T): OperationResult<T> {
     val client = webDavClient
-    requireNotNull(client)
+    if (client == null) {
+        Timber.e("WebDAV client is not initialized")
+        return OperationResult.error(
+            OperationError.newGenericError("WebDAV client is not initialized")
+        )
+    }

     try {
         return OperationResult.success(call.invoke(client))
     } catch (exception: SardineException) {
-        Timber.d(exception)
+        Timber.e(exception, "WebDAV operation failed with status code: ${exception.statusCode}")
         return when (exception.statusCode) {
             HTTP_UNAUTHORIZED -> OperationResult.error(OperationError.newAuthError())
             HTTP_NOT_FOUND -> OperationResult.error(OperationError.newFileNotFoundError())
             else -> OperationResult.error(OperationError.newRemoteApiError(exception.message))
         }
     } catch (exception: IOException) {
-        Timber.d(exception)
+        Timber.e(exception, "Network I/O error during WebDAV operation")
         return OperationResult.error(OperationError.newNetworkIOError(exception))
     } catch (exception: Exception) {
-        Timber.d(exception)
+        Timber.e(exception, "Unexpected error during WebDAV operation")
         return OperationResult.error(OperationError.newGenericError(exception))
     }
 }

---

55-59: Consider adding client lifecycle management.

The current implementation keeps adding clients to the map without any cleanup mechanism, which could lead to memory leaks in long-running applications.

Consider adding a cleanup method:

+    fun cleanup() {
+        clients.clear()
+        webDavClient = null
+    }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a953eee and 4bb7505.

📒 Files selected for processing (1)

• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (2 hunks)

🔇 Additional comments (3)

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (3)

15-17: LGTM! Thread-safe implementation of client management.

The use of ConcurrentHashMap and @volatile annotation provides proper thread safety for managing WebDAV clients.

---

19-21: ⚠️ Potential issue

Add error handling for credential setting failure.

The method could fail silently if webDavClient is null after setupClient. Consider adding error handling and logging.

Apply this diff to improve error handling:

 fun setCredentials(credentials: FSCredentials.BasicCredentials) {
     setupClient(isIgnoreSslValidation = credentials.isIgnoreSslValidation)
-    webDavClient?.setCredentials(credentials.username, credentials.password)
+    val client = webDavClient
+    if (client != null) {
+        try {
+            client.setCredentials(credentials.username, credentials.password)
+        } catch (e: Exception) {
+            Timber.e(e, "Failed to set credentials")
+            throw IllegalStateException("Failed to set credentials", e)
+        }
+    } else {
+        Timber.e("WebDAV client is not initialized")
+        throw IllegalStateException("WebDAV client is not initialized")
+    }
 }

Likely invalid or redundant comment.

---

49-53: Security: Verify SSL validation bypass is only in debug builds.

The code allows SSL validation bypass only in debug builds, which is good. However, ensure this is thoroughly tested and documented.

Run the following script to verify SSL validation is enforced in release builds:

✅ Verification successful

Let's examine the specific implementations to verify the SSL validation bypass is properly guarded.

---

Let's verify how the BuildConfig.DEBUG flag is used across the codebase to ensure there are no other SSL bypass implementations.

---

Let's check one final aspect - how the isIgnoreSslValidation flag is set and managed in the codebase.

---

Based on the comprehensive analysis of the codebase, I can now provide the final response:

SSL validation bypass is properly implemented with multiple safeguards

The implementation is secure because:

1. SSL validation bypass requires both BuildConfig.DEBUG and isIgnoreSslValidation to be true
2. The UI only enables the SSL validation bypass checkbox in debug builds (isIgnoreSslValidationCheckboxEnabled(): Boolean { return args.loginType == LoginType.USERNAME_PASSWORD && BuildConfig.DEBUG })
3. The unsecure client creation in HttpClientFactory is guarded by the same debug check
4. All test credentials and fake implementations default to isIgnoreSslValidation = false

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any SSL validation bypasses in release builds
# Look for patterns that might bypass SSL validation
rg -l "isIgnoreSslValidation|UNSECURE|SSL|TrustAll" --type kotlin

Length of output: 1165

---

Script:

#!/bin/bash
# Check the implementation of HttpClientType and HttpClientFactory
cat app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientType.kt
echo "---"
cat app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/HttpClientFactory.kt

Length of output: 2789

---

Script:

#!/bin/bash
# Search for any other instances where BuildConfig.DEBUG is used in conjunction with SSL or security-related code
rg -A 5 -B 5 "BuildConfig\.DEBUG.*(?:SSL|UNSECURE|TrustAll|hostnameVerifier)" --type kotlin

Length of output: 1642

---

Script:

#!/bin/bash
# Search for where isIgnoreSslValidation is set or modified
rg -A 5 -B 5 "isIgnoreSslValidation" --type kotlin

Length of output: 30864

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (1)

app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (1)

56-60: Improve code readability

The current implementation uses nested Elvis operator with apply block, which reduces code readability.

Consider separating the client creation logic:

-    webDavClient = clients[clientType]
-        ?: OkHttpSardine(HttpClientFactory.createHttpClient(clientType))
-            .apply {
-                clients[clientType] = this
-            }
+    webDavClient = clients[clientType] ?: createAndCacheClient(clientType)
+
+    private fun createAndCacheClient(clientType: HttpClientType): OkHttpSardine {
+        val client = OkHttpSardine(HttpClientFactory.createHttpClient(clientType))
+        clients[clientType] = client
+        return client
+    }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 4bb7505 and a5c2a2e.

📒 Files selected for processing (1)

• app/src/main/kotlin/com/ivanovsky/passnotes/data/repository/file/webdav/WebDavNetworkLayer.kt (2 hunks)

[coderabbitai]

⚠️ Potential issue

Reconsider DEBUG flag usage for SSL validation

The current implementation only allows SSL validation to be ignored in debug builds. This could make it difficult to test or troubleshoot SSL issues in production environments.

Consider making this configurable independent of the build type:

-    val clientType = if (isIgnoreSslValidation && BuildConfig.DEBUG) {
+    val clientType = if (isIgnoreSslValidation) {
         HttpClientType.UNSECURE
     } else {
         HttpClientType.SECURE
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	val clientType = if (isIgnoreSslValidation && BuildConfig.DEBUG) {
	HttpClientType.UNSECURE
	} else {
	HttpClientType.SECURE
	}
	val clientType = if (isIgnoreSslValidation) {
	HttpClientType.UNSECURE
	} else {
	HttpClientType.SECURE
	}

[coderabbitai]

🛠️ Refactor suggestion

Implement client cache management

The current implementation caches clients indefinitely without any cleanup mechanism, which could lead to memory leaks if multiple clients are created over time.

Consider:

1. Adding a maximum cache size
2. Implementing a cleanup mechanism
3. Adding client disposal

Here's a suggested implementation:

+    private const val MAX_CLIENTS = 2
+
     private fun setupClient(
         isIgnoreSslValidation: Boolean
     ) {
         val clientType = if (isIgnoreSslValidation) {
             HttpClientType.UNSECURE
         } else {
             HttpClientType.SECURE
         }
 
+        if (clients.size >= MAX_CLIENTS) {
+            val unusedClients = clients.entries
+                .filter { it.value != webDavClient }
+                .map { it.key }
+            unusedClients.forEach { clients.remove(it) }
+        }
+
         webDavClient = clients[clientType]
             ?: OkHttpSardine(HttpClientFactory.createHttpClient(clientType))
                 .apply {
                     clients[clientType] = this
                 }
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	webDavClient = clients[clientType]
	?: OkHttpSardine(HttpClientFactory.createHttpClient(clientType))
	.apply {
	clients[clientType] = this
	}
	private const val MAX_CLIENTS = 2
	private fun setupClient(
	isIgnoreSslValidation: Boolean
	) {
	val clientType = if (isIgnoreSslValidation) {
	HttpClientType.UNSECURE
	} else {
	HttpClientType.SECURE
	}
	if (clients.size >= MAX_CLIENTS) {
	val unusedClients = clients.entries
	.filter { it.value != webDavClient }
	.map { it.key }
	unusedClients.forEach { clients.remove(it) }
	}
	webDavClient = clients[clientType]
	?: OkHttpSardine(HttpClientFactory.createHttpClient(clientType))
	.apply {
	clients[clientType] = this
	}
	}