Trusted Entitlements: added tests to verify offerings and product entitlement mapping #2667
@@ -154,15 +154,15 @@ extension HTTPRequest.Path { | |||
case .getCustomerInfo, | |||
.logIn, | |||
.postReceiptData, | |||
.getProductEntitlementMapping, |
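Review bot: `.getProductEntitlementMapping` sits in the same case list as `.getCustomerInfo`, `.logIn` and `.postReceiptData`, but nothing in the hunk says what the listed paths have in common or whether each of them is expected to carry a nonce. A one-line comment above the list, plus a test that exercises this case, would make the grouping checkable from the code alone.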
Hmm don't we need to align on the mechanism for signing these requests?
Yeah I’m doing that separately. I thought these already had signing with nonces but no, that’s what tests are failing,
Offline Entitlements: added signature validation to entitlement mapping

### New format:
- 32 bytes: intermediate public key
- 4 bytes: Expiration (in days since epoch)
- 64 bytes: intermediate public key signature, signed with the root private key
- 16 bytes: salt
- 64 bytes: payload signature:
  - salt
  - nonce (if present)
  - request time (as int string)
  - etag (if present)
  - payload

This also adds support for optional nonces for "static" signatures, which is required for #2667.
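The layout in the commit message above, as an added Python example (not code from this PR or from the SDK): it splits the 180-byte signature into its fields, rejects a missing or truncated blob, and rebuilds the byte string that the payload signature covers. The little-endian expiration, the expiry comparison, the raw-bytes input and every name are assumptions; the page does not state the signature algorithm, so the cryptographic check itself is left out.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Field widths in bytes, in the order the commit message lists them.
FIELDS = (("intermediate_key", 32), ("expiration", 4),
          ("intermediate_key_signature", 64), ("salt", 16),
          ("payload_signature", 64))
TOTAL = sum(size for _, size in FIELDS)  # 180 bytes
SECONDS_PER_DAY = 86_400


class SignatureFormatError(ValueError):
    """The blob is missing or is not exactly TOTAL bytes long."""


@dataclass(frozen=True)
class Signature:
    intermediate_key: bytes
    expiration_days: int
    intermediate_key_signature: bytes
    salt: bytes
    payload_signature: bytes

    def key_expired(self, now_seconds: int) -> bool:
        # Assumption: the key stays usable through its expiration day.
        return now_seconds // SECONDS_PER_DAY > self.expiration_days


def parse_signature(blob: Optional[bytes]) -> Signature:
    # A missing or truncated blob is an error, never "nothing to verify".
    if blob is None or len(blob) != TOTAL:
        raise SignatureFormatError(f"expected {TOTAL} bytes")
    parts, offset = {}, 0
    for name, size in FIELDS:
        parts[name] = blob[offset:offset + size]
        offset += size
    # Assumption: the day count is an unsigned little-endian integer.
    (days,) = struct.unpack("<I", parts.pop("expiration"))
    return Signature(expiration_days=days, **parts)


def signed_message(sig: Signature, request_time: int, payload: bytes,
                   nonce: Optional[bytes] = None,
                   etag: Optional[str] = None) -> bytes:
    # Order from the commit message: salt, nonce, request time, etag, payload.
    # An absent nonce or etag contributes no bytes.
    return b"".join((sig.salt, nonce or b"", str(request_time).encode("ascii"),
                     (etag or "").encode("utf-8"), payload))
```

A verifier would check `intermediate_key_signature` against the root public key, then `payload_signature` over `signed_message(...)` with the intermediate key, and treat `SignatureFormatError` as a failed verification.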
21d22eb to 4e85b64
Offline Entitlements: added signature validation to entitlement mapping
Trusted Entitlements: added tests to verify offerings and product entitlement mapping
This is ready now. Didn't need to do any code changes 🎉 simply covered this behavior in tests.
self.backend.offlineEntitlements.getProductEntitlementMapping(withRandomDelay: false, | ||
completion: completion) | ||
self.backend.offlineEntitlements.getProductEntitlementMapping(withRandomDelay: false) { result in | ||
completion(result.mapError(\.asPublicError)) |
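Review bot: in the replacement call, `result.mapError(\.asPublicError)` converts the failure inside this closure before `completion` runs, so the conversion is easy to lose if the call is refactored back to passing `completion` straight through. A test that asserts the error type the completion receives on failure would pin the behaviour down.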
This was forwarding the wrong error.
Mentioned this over Slack but I believe we need to add a check to make sure that, when verification is enabled and the signature is missing in offerings/product-entitlement-mapping, it fails to verify. Currently, since those requests won't have a nonce, it won't fail I believe. This change can be done in a different PR though.
@tonidero thanks! Yeah, I'll do that in a separate PR.
ab7562a to 005db80
…ntitlement mapping

These new integration tests verify that:
1. The response contains signature
2. In `enforced` mode, the signature must be valid
3. Response fails if it's not
4. In `informational` mode, no error is thrown
005db80 to 49cae7c
These new integration tests verify that:
- `enforced` mode, the signature must be valid
- `informational` mode, no error is thrown