App Check: App Attest provider #8133
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
maksymmalyhin
commented
May 21, 2021
maksymmalyhin
commented
- support of Apple's App Attest attestation provider.
* App Attest provider: attestation sequence (#761) * App Attest draft WIP * FIRAppAttestProvider initializers * ./scripts/style.sh * FIRAppAttestProvider implementation draft * Basic FIRAppAttestProviderTests and fixes * style * testGetTokenWhenAppAttestIsNotSupported * More FIRAppAttestProviderTests * Cleanup * Remove unused file * Availability annotations on DCAppAttestService category. * Guard FIRAppAttestProvider with #if TARGET_OS_IOS * Formatting * Fix SPM * app_check.yaml: Add diagnostics SPM builds * fix yaml * Fix Firebase-Package scheme bad merge * Fix typo * FIRAppAttestProvider: hide default init * FIRAppAttestKeyIDStorage: methods placeholders * Comments * Fix updated block definition
* Implement FIRAppAttestKeyIDStorage * Add FIRAppAttestKeyIDStorageTests * Review [Draft] * Style * Docs updates * Docs updates 2 * Review [Draft] 2 * Improve tests * Improve test readability * Improve test readability 2
* Handshake adjustments (WIP) * Introduce FIRAppAttestProviderState * WIP: calculate attestation state * WIP: calculate attestation state 2 * formatting * Comments and moving code around * Fix init in tests * Fix state calculation flow * Cleanup state calculation and fix tests. * Cleanup and fixes. * Comments * formatting * Fix import * Typo fixes and additional comments * FIRAppAttestInitialHandshakeResponse API * Cleanup state calculation using FBLPromiseAwait * Cleanup * style
* Update comments * FIRAppAttestArtifactStorage implementation and tests * Fix init * API docs * Clean up storage in tests * Comments * Disable Keychain dependent tests for SPM
* Initial implementation * Parse response body for challenge and stub test cases * Review [Draft] * Avoid encoding challenge again * Add tests * Revert "Avoid encoding challenge again" and add TODO This reverts commit 69eb00d. * Document tests; Add test * Tests: Add URL validation check * Review
* App Attest provider API integration WIP * update tests * Draft attestation response parsing * Attestation request draft * style * AppAttest Attestation API tests draft * Error cases tests * style * Cleanup and API docs * Merge fix * Fix OCMock imports * Fix nullability modifier * Formatting * comments
* calculatre sha256 of random challenge for attestation * Test app adjustments * cleanup * use trailing closures in the test app
* Implement assertion exchange * Tweak existing tests * Add tests * Rename JSON to better match gRPC message * Add HTTPBody helper * Review * Review 2 * Review 3
…e-ios-sdk into appcheck-appattest-main
* App Attest assertion workflow draft * send request * assertion flow tests * style
* Update artifact storage API and tests * Artifact storage implementation update * Save artifact for a key ID * Style * typos
* App Attest multiple get token method invocation tests * Ensure a single App Attest handshake sequence at the time * FIRAppCheckTests: get token request merging tests * FIRAppCheck: Ensure a single get token operation at the time * formatting * Test new request after merged requests * Release finished operation promise * Style * Typos * typo * Request merging tests for error cases * formatting
ncooke3
approved these changes
May 21, 2021
Comment on lines
33
to
38
| // TODO: Verify the following request fields. | ||
| static NSString *const kRequestFieldArtifact = @"artifact"; | ||
| static NSString *const kRequestFieldAssertion = @"assertion"; | ||
| static NSString *const kRequestFieldAttestation = @"attestation_statement"; | ||
| static NSString *const kRequestFieldChallenge = @"challenge"; | ||
| static NSString *const kRequestFieldKeyID = @"key_id"; |
There was a problem hiding this comment.
Just touching base, is this still a valid TODO?
There was a problem hiding this comment.
Actually no, it looks like the backend accepts both variants.
Comment on lines
+40
to
+45
| - (FBLPromise<FIRAppAttestAttestationResponse *> *)attestKeyWithAttestation:(NSData *)attestation | ||
| keyID:(NSString *)keyID | ||
| challenge:(NSData *)challenge; | ||
|
|
||
| /// Exchanges attestation data (artifact & assertion) and a challenge for a FAC token. | ||
| - (FBLPromise<FIRAppCheckToken *> *)getAppCheckTokenWithArtifact:(NSData *)artifact |
There was a problem hiding this comment.
Following this conversation we had, I had changed appCheckTokenWith to getAppCheckTokenWith. Reevaluating now, are you content with the style of the APIs here? I wasn't sure if its preferred to do nothing, prefix attestKeyWithAttestatation with get, or revert getAppCheckTokenWith to appCheckTokenWith
There was a problem hiding this comment.
This is obviously pretty minor, but I had remembered it and wanted to bring up in case you now feel more strongly about one way or another.
Comment on lines
239
to
242
| - (NSString *)base64StringWithData:(NSData *)data { | ||
| // TODO: Need to encode in base64URL? | ||
| return [data base64EncodedStringWithOptions:0]; | ||
| } |
There was a problem hiding this comment.
Addressed in #8170.
|
|
||
| return [self attestKey:keyID challenge:challenge]; | ||
| }) | ||
| // TODO: Handle a possible key rejection - generate another key. |
There was a problem hiding this comment.
Should a task be created to track this?
There was a problem hiding this comment.
Addressed in #8170.
| // internal one. | ||
| XCTAssertEqualObjects(result.error, providerError); | ||
| }]; | ||
| // TODO: Expect a public domain error to be returned - not the |
There was a problem hiding this comment.
Is this TODO still relevant, should a task be added to track this?
There was a problem hiding this comment.
It is still relevant. Currently we don't have public API for this method. The TODO is expected to be addressed when we introduce the public API.
|
@ncooke3 Thank you for the review and spotting the unattended TODOs. I'll add another PR into |
paulb777
approved these changes
May 21, 2021
| @@ -11,7 +11,5 @@ target 'FIRAppCheckTestApp' do | |||
| pod 'FirebaseAppCheck', :path => '../../../' | |||
|
|
|||
| pod 'FirebaseCore', :path => '../../../' | |||
There was a problem hiding this comment.
Not for this PR, but there should be a build test in CI to keep this unstale.
| @@ -0,0 +1,36 @@ | |||
| /* | |||
There was a problem hiding this comment.
Please add to the umbrella header.
* Remove/update outdated TODOs * [WIP] Attestation rejection handling draft * style * retry tests draft * reset key ID before retry * Reset attestation * test error and fixes * style * More details in the name * Some debug logging * style * Use specific codes for log messages * style
Closed
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.