Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trusted Entitlements: added tests to verify offerings and product entitlement mapping #2667

Merged
merged 1 commit into from
Jul 6, 2023
Merged

Trusted Entitlements: added tests to verify offerings and product entitlement mapping #2667

merged 1 commit into from
Jul 6, 2023

Conversation

NachoSoto
Copy link
Contributor

@NachoSoto NachoSoto commented Jun 16, 2023
edited
Loading

These new integration tests verify that:

  1. The response contains signature
  2. In enforced mode, the signature must be valid
  3. Response fails if it's not
  4. In informational mode, no error is thrown

@NachoSoto NachoSoto requested a review from a team June 16, 2023 01:06
@NachoSoto NachoSoto mentioned this pull request Jun 16, 2023
Merged
tonidero
tonidero reviewed Jun 16, 2023
View reviewed changes
Sources/Networking/HTTPClient/HTTPRequest.swift Outdated
@@ -154,15 +154,15 @@ extension HTTPRequest.Path {
case .getCustomerInfo,
.logIn,
.postReceiptData,
.getProductEntitlementMapping,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm don't we need to align on the mechanism for signing these requests?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I’m doing that separately. I thought these already had signing with nonces but no, that’s what tests are failing,

@NachoSoto NachoSoto changed the title Offline Entitlements: added signature validation to entitlement mapping [WIP] Offline Entitlements: added signature validation to entitlement mapping Jun 16, 2023
@NachoSoto NachoSoto marked this pull request as draft June 16, 2023 17:01
@NachoSoto NachoSoto mentioned this pull request Jun 22, 2023
Merged
NachoSoto added a commit that referenced this pull request Jun 30, 2023
@NachoSoto
Trusted Entitlements: new Signature format (#2679)
d457cb0 
### New format:
 - 32 bytes: intermediate public key
 - 4 bytes: Expiration (in days since epoch)
- 64 bytes: intermediate public key signature, signed with the root
private key
 - 16 bytes: salt
 - 64 bytes: payload signature:
   - salt
   - nonce (if present)
   - request time (as int string)
   - etag (if present)
   - payload

This also adds support for optional nonces for "static" signatures,
which is required for #2667.
@NachoSoto NachoSoto force-pushed the nacho/sdk-2989-add-signing-to-the-entitlementmapping-endpoint-ios branch from 21d22eb to 4e85b64 Compare June 30, 2023 22:44
@NachoSoto NachoSoto requested review from tonidero and a team June 30, 2023 22:45
@NachoSoto NachoSoto added test and removed refactor labels Jun 30, 2023
@NachoSoto NachoSoto changed the title [WIP] Offline Entitlements: added signature validation to entitlement mapping Trusted Entitlements: added tests to verify offerings and product entitlement mapping Jun 30, 2023
@NachoSoto NachoSoto marked this pull request as ready for review June 30, 2023 22:45
@NachoSoto
Copy link
Contributor Author

This is ready now. Didn't need to do any code changes 🎉 simply covered this behavior in tests.

NachoSoto
NachoSoto commented Jun 30, 2023
View reviewed changes
Sources/Purchasing/Purchases/Purchases.swift
self.backend.offlineEntitlements.getProductEntitlementMapping(withRandomDelay: false,
completion: completion)
self.backend.offlineEntitlements.getProductEntitlementMapping(withRandomDelay: false) { result in
completion(result.mapError(\.asPublicError))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was forwarding the wrong error.

@tonidero
Copy link
Contributor

tonidero commented Jul 4, 2023
edited
Loading

Mentioned this over Slack but I believe we need to add a check to make sure that, when verification is enabled and the signature is missing in offerings/product-entitlement-mapping, it fails to verify. Currently, since those requests won't have a nonce, it won't fail I believe. This change can be done in a different PR though.

@NachoSoto
Copy link
Contributor Author

@tonidero thanks! Yeah, I'll do that in a separate PR.

@NachoSoto NachoSoto force-pushed the nacho/sdk-2989-add-signing-to-the-entitlementmapping-endpoint-ios branch 2 times, most recently from ab7562a to 005db80 Compare July 6, 2023 00:01
@NachoSoto
Copy link
Contributor Author

@tonidero done in #2752

@NachoSoto
Trusted Entitlements: added tests to verify offerings and product e…
49cae7c 
…ntitlement mapping

These new integration tests verify that:
1. The response contains signature
2. In `enforced` mode, the signature must be valid
3. Response fails if it's not
4. In `informational` mode, no error is thrown
@NachoSoto NachoSoto force-pushed the nacho/sdk-2989-add-signing-to-the-entitlementmapping-endpoint-ios branch from 005db80 to 49cae7c Compare July 6, 2023 16:30
@NachoSoto NachoSoto enabled auto-merge (squash) July 6, 2023 16:32
@NachoSoto NachoSoto merged commit 221f05b into main Jul 6, 2023
@NachoSoto NachoSoto deleted the nacho/sdk-2989-add-signing-to-the-entitlementmapping-endpoint-ios branch July 6, 2023 16:44
@RCGitBot RCGitBot mentioned this pull request Jul 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonidero tonidero tonidero approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@NachoSoto @tonidero