Allow configuration of DNS-over-HTTPS

Implement QWebEngineGlobalSettings, a singleton class that contains
global web engine settings (currently only for DoH).

Allow the user to configure the stub host resolver to enable
DNS-over-HTTPS.

Fixes: QTBUG-98284
Change-Id: I1b06737c84e1b8d613aa257f4a891f82cac21013
Reviewed-by: Michael Brüning <michael.bruning@qt.io>

8 files changed, 219 insertions, 2 deletions

diff --git a/tests/auto/core/CMakeLists.txt b/tests/auto/core/CMakeLists.txt
index 9d131da56..ae10d918b 100644
--- a/tests/auto/core/CMakeLists.txt
+++ b/tests/auto/core/CMakeLists.txt
@@ -4,6 +4,7 @@
 add_subdirectory(qwebenginecookiestore)
 add_subdirectory(qwebengineloadinginfo)
 add_subdirectory(qwebenginesettings)
+add_subdirectory(qwebengineglobalsettings)
 add_subdirectory(qwebengineurlrequestinterceptor)
 add_subdirectory(qwebengineurlresponseinterceptor)
 add_subdirectory(qwebengineurlrequestjob)
diff --git a/tests/auto/core/qwebengineglobalsettings/CMakeLists.txt b/tests/auto/core/qwebengineglobalsettings/CMakeLists.txt
new file mode 100644
index 000000000..fa81ba8df
--- /dev/null
+++ b/tests/auto/core/qwebengineglobalsettings/CMakeLists.txt
@@ -0,0 +1,29 @@
+# Copyright (C) 2023 The Qt Company Ltd.
+# SPDX-License-Identifier: BSD-3-Clause
+
+include(../../httpserver/httpserver.cmake)
+include(../../util/util.cmake)
+
+qt_internal_add_test(tst_qwebengineglobalsettings
+    SOURCES
+        tst_qwebengineglobalsettings.cpp
+    LIBRARIES
+        Qt::WebEngineCore
+        Test::HttpServer
+        Qt::WebEngineWidgets
+        Test::Util
+)
+
+# Resources:
+set(tst_qwebengineglobalsettings_resource_files
+    "cert/localhost.crt"
+    "cert/localhost.key"
+    "cert/RootCA.pem"
+)
+
+qt_add_resources(tst_qwebengineglobalsettings "tst_qwebengineglobalsettings"
+    PREFIX
+        "/"
+    FILES
+        ${tst_qwebengineglobalsettings_resource_files}
+)
diff --git a/tests/auto/core/qwebengineglobalsettings/cert/RootCA.pem b/tests/auto/core/qwebengineglobalsettings/cert/RootCA.pem
new file mode 100644
index 000000000..16be384bb
--- /dev/null
+++ b/tests/auto/core/qwebengineglobalsettings/cert/RootCA.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIUNYpmREIW67Fh7WNzCwPL6nnSgRMwDQYJKoZIhvcNAQEL
+BQAwNzELMAkGA1UEBhMCREUxKDAmBgNVBAMMH1dlYkVuZ2luZUdsb2JhbFNldHRp
+bmdzLVRlc3QtQ0EwHhcNMjMwMzI5MTYwMzMzWhcNMjYwMTE2MTYwMzMzWjA3MQsw
+CQYDVQQGEwJERTEoMCYGA1UEAwwfV2ViRW5naW5lR2xvYmFsU2V0dGluZ3MtVGVz
+dC1DQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJhZ9DwcdbVBzMyY
+/nEqt5KUi74LFwEnS0G2ne8IYco9+Pbkpb8wV5u6n43IsQ2c3u8D/KVtu1Vy3tf2
+G3aKOwhFzaj7GWLE9FweZyMoL6ASOtWEa55myT5zAysVQtHAkePu0smAPP0gVq3E
+vjSTwV1W1mVXv4wMwffR8AvNGhKrJIa3L2/uYKGbzEmaCk2kt0vIqfrx8095RlXC
+lUcwTMJ6/d/e/DMDtqQ1ypUuz5QYQybIVKwuqkhojT2DXbitv0rE4HLQub8CxOZ+
+9GcQjeAt8Tzrlp1UP6c9OtlsMoo37gJYzb/XDE6OPnk42chQXDxGQjtVRs+60kcT
+Dx/YHG0CAwEAAaNTMFEwHQYDVR0OBBYEFP1FK1U9CUHQEp7coaab7IdR18zDMB8G
+A1UdIwQYMBaAFP1FK1U9CUHQEp7coaab7IdR18zDMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAGTlcxmRsuwBeRW0CsjX/qbdcB0OWkIC857Jn8RU
+6yGa7P9i6EQb1O/DEF+Z7dkASx5zfN6LPIrph6J56/mmcNBeqArovWJwxQUTNO9i
+1kOU3xoH5n/ya+gdBr3reA90bAMKWXwa6uI3smPJKy+2hOkdDaSBa5KECYWhniH0
+yRxL7YdhQhuCc7Ijf+S6WzeHRwdLkdiV8c2vAGWdunDFuGT2iYVOZ1qbp6O/tmjv
+TxWAnvP4+0ykFIlMor0vYWD8xbnq28263VmNh7mrFwkBYnHJiY/nTDwxaL+g6Uji
+9n6+VuxUDgfQWX1YRHC4a89zI/Zvnn2z/92To7zRmNd73RQ=
+-----END CERTIFICATE-----
diff --git a/tests/auto/core/qwebengineglobalsettings/cert/localhost.crt b/tests/auto/core/qwebengineglobalsettings/cert/localhost.crt
new file mode 100644
index 000000000..c063bf268
--- /dev/null
+++ b/tests/auto/core/qwebengineglobalsettings/cert/localhost.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtDCCApygAwIBAgIURotPFTfDJxwaqhZsr0IpAahl2EMwDQYJKoZIhvcNAQEL
+BQAwNzELMAkGA1UEBhMCREUxKDAmBgNVBAMMH1dlYkVuZ2luZUdsb2JhbFNldHRp
+bmdzLVRlc3QtQ0EwHhcNMjMwMzI5MTYwNDI1WhcNMjYwMTE2MTYwNDI1WjB0MQsw
+CQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xKTAn
+BgNVBAoMIFFXZWJFbmdpbmVHbG9iYWxTZXR0aW5ncy1FeGFtcGxlMRgwFgYDVQQD
+DA9sb2NhbGhvc3QubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCY9FX/8YetuJKSFSoYPxMKPvjt2zJ5g13DywqZtbDzLAIASCxn4iad3qgxaoWB
+uI0g4ykzrhUa98YHU8fDH4T4Vwhwu72SRYW4+MgT9ohc1oCKBX05b+BWSuTSeuHy
+leqdL78bj3bu5TtFs2dJt2t8eA6SNR9lDa5g4v7oA4xVp93gMo2YqZwaLONmxIKY
+cI4lcETnHHsvc6+dB2UqWHJEN75UkdC/XnDLM/VbL3/4zxU+9x34nvvfSJwCHVnE
+u+zYwrZXkbiDVDovT855phVC/K5skVgBL2miz3eygljuw1tIwnmVix/e/xHZyqMg
+Lje/LZN53v5G61Wut6bbdkeVAgMBAAGjezB5MB8GA1UdIwQYMBaAFP1FK1U9CUHQ
+Ep7coaab7IdR18zDMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMB8GA1UdEQQYMBaC
+CWxvY2FsaG9zdIIJMTI3LjAuMC4xMB0GA1UdDgQWBBQv20ImViFtvMm5gHqTeML6
+pi5BtTANBgkqhkiG9w0BAQsFAAOCAQEAGsL7eOms30+IPdKQZ2pjtX22GfM6EiUs
+xsQfsX/Q3bus30B2m9GJ6AVIwVUJimOGiMauDCLjDeXWCMZpihzodExhC0D/X1B+
+FsCLagcjlgfWwekKEo8sUWUZp0DNCyacPtTPxqoS2RA7foEzQhRLViLSvf+UXU8g
+jZAwWGB/5V849zcbbNBcWKzRsPvNOqeENWEn1ByGcsWhas2V0KzRcUODuA9UHv1x
++eDlLZYsWV9c1MuL8a1VDEluIR19eR/Gl9axjPZY2oiPvlp2b7I4z1bY+wV2i6vh
+NeDCAxAxJ42tXeb86vtnVXfSDbzedDbLv0l2kEhcywVN3MwhsEpmpg==
+-----END CERTIFICATE-----
diff --git a/tests/auto/core/qwebengineglobalsettings/cert/localhost.key b/tests/auto/core/qwebengineglobalsettings/cert/localhost.key
new file mode 100644
index 000000000..49502ab9a
--- /dev/null
+++ b/tests/auto/core/qwebengineglobalsettings/cert/localhost.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCY9FX/8YetuJKS
+FSoYPxMKPvjt2zJ5g13DywqZtbDzLAIASCxn4iad3qgxaoWBuI0g4ykzrhUa98YH
+U8fDH4T4Vwhwu72SRYW4+MgT9ohc1oCKBX05b+BWSuTSeuHyleqdL78bj3bu5TtF
+s2dJt2t8eA6SNR9lDa5g4v7oA4xVp93gMo2YqZwaLONmxIKYcI4lcETnHHsvc6+d
+B2UqWHJEN75UkdC/XnDLM/VbL3/4zxU+9x34nvvfSJwCHVnEu+zYwrZXkbiDVDov
+T855phVC/K5skVgBL2miz3eygljuw1tIwnmVix/e/xHZyqMgLje/LZN53v5G61Wu
+t6bbdkeVAgMBAAECggEAF7ADX5NivUsv29LORZoDE1ukRoXjX8Ex9MANoLdsM4S1
+vKBwzBfQfjN83cZO7cOMi7LSby//EcGcmAboEXZgq+siof7ZQX1l07snlTvha2tG
+1dk6xvnmBscrf9NLCbwg7P33fUevFhlHICjEDr0KtuiK7Sav+YDwaA3Ph1QBWERd
+GO3sVlnuGsDpf/0GijlwqEGuDKUePEEANOhXcByh693VmvlKVf9SbrimYeunKW1O
+FvvcAiBMzqurhZotb9/juiq+fIMID29OULCCxlZZSySRYw0REpnAAxgWvaSZqyWd
+tGosSKEgc4SptPTmC8DzRDDfN/zqvXmkmYnN9o4qMwKBgQC3tVYdEPn3fHX973Df
+Ukp55cRpZFuNxjOiV3Qo1aTAKqpbmJ4/x8tUL7rhsmJXSxlW7xdNQ/WIHM1PJlZx
+UAIr5eBq1MUVd5OENP8PuVIdAIumHXICB5FioJR/WnXRXLJEbGxSRr5gwaTw3sXd
+ObPRQEUOrJtK+W0aeBKePRtIiwKBgQDVJN7A26vy8PMcE4TcDp75vAY/qasZl6ES
+oksaHf3c4/jsnr70wRoOXi3fPo/DpWmVFylttMSEnzh3nfnOkDXZD3mQx3sdVw8l
+12++t59733hllJZlwqk5OAc990kE1X44UW/gPA+5Vb9kpo6ahpFtqwhDmqa4RjtZ
+0R/1H/KUXwKBgGjR7Qq0rwwJVgHIZ2zlNV2MPp+sBZlFaBzPLZZHILQNJBsTX+gg
+heHJQiaZdAc+8Hxr+624gxZg6LyqsVQCRNrrVTtfn/x5uBANdSNxqGqn7wafcne5
+/bh6y4BHC0akT4s/Gidv+hyXIRfW5Ksvy2wv8bdHwWvsGdaqgGUNlM21AoGAe9Vc
+BbibAh6zYBCHFEL6YiW3i61L1yadUnIwKBBcucVJjk/8qb63ILne9OEoLYcg/Jnk
+W/S2aEcJS5Xg2P44CtBO1KrRAI7gIiA0sB2G7zU6gen+J0kdgDzpGDtflQtktdu6
+oBDFIeyLsjKCj4y3WXwQ5RYo3s8PFHPHmWbiTQkCgYBViqAHaAaPJQZG7Q6/Xqhf
+rFosC0DeZk5PHrEDbpAnuJbySafGZ4LxY5Oq05+aM8BeR+IuGopciBBDWXoh7msO
+N8WItu7WI86lIu7JZRbeju2w59tgj0EA+GyU1udPjTjseP5qpB27X1JEGV6TYBNs
+LMmQSgdGWqwteKsc50UrkA==
+-----END PRIVATE KEY-----
diff --git a/tests/auto/core/qwebengineglobalsettings/tst_qwebengineglobalsettings.cpp b/tests/auto/core/qwebengineglobalsettings/tst_qwebengineglobalsettings.cpp
new file mode 100644
index 000000000..40bd525bc
--- /dev/null
+++ b/tests/auto/core/qwebengineglobalsettings/tst_qwebengineglobalsettings.cpp
@@ -0,0 +1,107 @@
+// Copyright (C) 2023 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+
+#include <QtTest>
+#include <widgetutil.h>
+#include <QWebEngineProfile>
+#include <QWebEnginePage>
+#include <QWebEngineGlobalSettings>
+#include <QWebEngineLoadingInfo>
+
+#include "httpsserver.h"
+#include "httpreqrep.h"
+
+class tst_QWebEngineGlobalSettings : public QObject
+{
+    Q_OBJECT
+
+public:
+    tst_QWebEngineGlobalSettings() { }
+    ~tst_QWebEngineGlobalSettings() { }
+
+public Q_SLOTS:
+    void init() { }
+    void cleanup() { }
+
+private Q_SLOTS:
+    void initTestCase() { }
+    void cleanupTestCase() { }
+    void dnsOverHttps_data();
+    void dnsOverHttps();
+};
+
+Q_LOGGING_CATEGORY(lc, "qt.webengine.tests")
+
+void tst_QWebEngineGlobalSettings::dnsOverHttps_data()
+{
+    QTest::addColumn<QWebEngineGlobalSettings::DnsMode>("dnsMode");
+    QTest::addColumn<QString>("uriTemplate");
+    QTest::addColumn<bool>("isWithCustomDnsServer");
+    QTest::addColumn<bool>("isDnsResolutionSuccessExpected");
+    QTest::newRow("DnsMode::Secure (mock DNS)")
+            << QWebEngineGlobalSettings::DnsMode::Secure
+            << QStringLiteral("https://127.0.0.1:3000/dns-query{?dns}") << true << false;
+    QTest::newRow("DnsMode::Secure (real DNS)")
+            << QWebEngineGlobalSettings::DnsMode::Secure
+            << QStringLiteral("https://dns.google/dns-query{?dns}") << false << true;
+
+    // Note: In the following test, we can't verify that the DoH server is called first and
+    // afterwards insecure DNS is tried, because for the DoH server to ever be used when the DNS
+    // mode is set to DnsMode::WithFallback, Chromium starts an asynchronous DoH server DnsProbe and
+    // requires that the connection is successful. That is, we'd have to implement a correct
+    // DNS response, which in turn requires that certificate errors aren't ignored and
+    // non-self-signed certificates are used for correct encryption. Instead of implementing
+    // all of that, this test verifies that Chromium tries probing the configured DoH server only.
+    QTest::newRow("DnsMode::WithFallback (mock DNS)")
+            << QWebEngineGlobalSettings::DnsMode::WithFallback
+            << QStringLiteral("https://127.0.0.1:3000/dns-query{?dns}") << true << true;
+}
+
+void tst_QWebEngineGlobalSettings::dnsOverHttps()
+{
+    QFETCH(QWebEngineGlobalSettings::DnsMode, dnsMode);
+    QFETCH(QString, uriTemplate);
+    QFETCH(bool, isWithCustomDnsServer);
+    QFETCH(bool, isDnsResolutionSuccessExpected);
+    bool isDnsServerCalled = false;
+    bool isLoadSuccessful = false;
+
+    HttpsServer *httpsServer;
+    if (isWithCustomDnsServer) {
+        httpsServer = new HttpsServer(":/cert/localhost.crt", ":/cert/localhost.key",
+                                      ":/cert/RootCA.pem", 3000, this);
+        QObject::connect(
+                httpsServer, &HttpsServer::newRequest, this, [&isDnsServerCalled](HttpReqRep *rr) {
+                    QVERIFY(rr->requestPath().contains(QByteArrayLiteral("/dns-query?dns=")));
+                    isDnsServerCalled = true;
+                    rr->close();
+                });
+        QVERIFY(httpsServer->start());
+        httpsServer->setExpectError(true);
+        httpsServer->setVerifyMode(QSslSocket::PeerVerifyMode::VerifyNone);
+    }
+
+    QWebEngineProfile profile;
+    QWebEnginePage page(&profile);
+    QSignalSpy loadSpy(&page, SIGNAL(loadFinished(bool)));
+
+    connect(&page, &QWebEnginePage::loadFinished, this,
+            [&isLoadSuccessful](bool ok) { isLoadSuccessful = ok; });
+
+    QWebEngineGlobalSettings *globalSettings = QWebEngineGlobalSettings::GetInstance();
+    globalSettings->configureDnsOverHttps(dnsMode, uriTemplate);
+
+    page.load(QUrl("https://google.com/"));
+    QVERIFY(loadSpy.wait());
+
+    QTRY_COMPARE(isDnsServerCalled, isWithCustomDnsServer);
+    QCOMPARE(isLoadSuccessful, isDnsResolutionSuccessExpected);
+
+    if (isWithCustomDnsServer)
+        QVERIFY(httpsServer->stop());
+}
+
+static QByteArrayList params = QByteArrayList() << "--ignore-certificate-errors";
+
+W_QTEST_MAIN(tst_QWebEngineGlobalSettings, params)
+#include "tst_qwebengineglobalsettings.moc"
diff --git a/tests/auto/httpserver/httpserver.h b/tests/auto/httpserver/httpserver.h
index 270b6265f..201eef4c6 100644
--- a/tests/auto/httpserver/httpserver.h
+++ b/tests/auto/httpserver/httpserver.h
@@ -59,6 +59,8 @@ public:
 
     Q_INVOKABLE void setHostDomain(const QString &host) { m_url.setHost(host); }
 
+    Q_INVOKABLE QTcpServer *getTcpServer() const { return m_tcpServer; }
+
 Q_SIGNALS:
     // Emitted after a HTTP request has been successfully parsed.
     void newRequest(HttpReqRep *reqRep);
diff --git a/tests/auto/httpserver/httpsserver.h b/tests/auto/httpserver/httpsserver.h
index 10deeb322..d029851aa 100644
--- a/tests/auto/httpserver/httpsserver.h
+++ b/tests/auto/httpserver/httpsserver.h
@@ -55,11 +55,19 @@ static QSslServer *createServer(const QString &certificateFileName, const QStrin
 struct HttpsServer : HttpServer
 {
     HttpsServer(const QString &certPath, const QString &keyPath, const QString &ca,
-                QObject *parent = nullptr)
-        : HttpServer(createServer(certPath, keyPath, ca), "https", QHostAddress::LocalHost, 0,
+                quint16 port = 0, QObject *parent = nullptr)
+        : HttpServer(createServer(certPath, keyPath, ca), "https", QHostAddress::LocalHost, port,
                      parent)
     {
     }
+
+    void setVerifyMode(const QSslSocket::PeerVerifyMode verifyMode)
+    {
+        QSslServer *server = static_cast<QSslServer *>(getTcpServer());
+        QSslConfiguration config = server->sslConfiguration();
+        config.setPeerVerifyMode(verifyMode);
+        server->setSslConfiguration(config);
+    }
 };
 
 #endif