Trusted entitlements: Support signing static endpoints#1119
Conversation
Codecov Report
| | new-trusted-entitlements-signature-format | #1119 | +/- |
|---|---|---|---|
| Coverage | 84.91% | 85.13% | +0.22% |
| Files | 186 | 186 | |
| Lines | 6614 | 6586 | -28 |
| Branches | 947 | 944 | -3 |
| Hits | 5616 | 5607 | -9 |
| Misses | 622 | 603 | -19 |
| Partials | 376 | 376 | |
Backend integration tests are expected to fail until the backend changes have been deployed. I'm also pointing these changes to an integration branch until those changes are deployed.
| false | ||
| } | ||
| val needsNonceToPerformSigning: Boolean |
| } | ||
| eTagManager = ETagManager(sharedPreferences) | ||
| signingManager = SigningManager(SignatureVerificationMode.Disabled, appConfig, apiKey()) | ||
| signingManager = spyk(SigningManager(signatureVerificationMode, appConfig, apiKey())) |
Here I changed it to a spy so we can see and verify the calls more easily, but it's using the actual implementation. Since there is no way to know whether the offerings/product-entitlement mapping calls were verified or not, this made it easier to make sure we were verifying those endpoints.
> Since there is no way to know that the offerings/product-entitlement mapping calls were verified or not

I checked that by using the "fake invalid signature" thing. Did you add a way to do that in Android too?
Well, I meant in the "success" case, we should make sure we are verifying the signature. But right now there is no way to detect whether a SUCCESS or a NOT_REQUESTED happened. We could maybe do that if we could verify the logs, but I haven't added that in Android yet. Until then, this makes sure we are at least calling the signingManager.verify method, so it shouldn't be NOT_REQUESTED.
| ) | ||
| return if (verificationResult) { | ||
| verboseLog(NetworkStrings.VERIFICATION_SUCCESS.format(urlPath)) |
| } | ||
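Review bot: the successful outcome is only recorded as a log line (`verboseLog(NetworkStrings.VERIFICATION_SUCCESS.format(urlPath))`), which is exactly why the review discussion cannot tell a SUCCESS from a NOT_REQUESTED in tests; returning the outcome as a value the caller and the tests can assert on, with the log kept as a side effect, would let the offerings and product-entitlement mapping tests check that verification actually ran.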
| } | ||
| @Test | ||
| fun `needsNonceToPerformSigning is true for expected values`() { |
| @@ -33,6 +33,22 @@ sealed class Endpoint(val pathTemplate: String, val name: String) { | |||
| } | |||
| val supportsSignatureValidation: Boolean | |||
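Review bot: `supportsSignatureValidation` is added to `Endpoint` as an abstract Boolean with no KDoc, and the thread below immediately asks whether it is still used; a one-line comment at the declaration saying that the signing manager reads it to decide whether a response is verified at all, and how it differs from `needsNonceToPerformSigning` (which static endpoints such as offerings set to false), would make the intent clear without having to look it up.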
Also this isn't used now?
> Also this isn't used now?

It's used in the signing manager:
Will merge this and rerun the backend integration tests there once the backend is deployed.
…oints with no signature (#2752) Equivalent to RevenueCat/purchases-android#1119
Description
This adds support for static endpoint signing. Currently, that would be the offerings and product-entitlement mapping endpoints.
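The per-endpoint policy this PR describes (static endpoints are signed but need no nonce) together with the SUCCESS vs NOT_REQUESTED concern raised in the review, as an added Kotlin illustration that is not the SDK's own code: the endpoint objects and their paths, the `FAILED` value, the signed-message layout and the `verifySignature` primitive are all assumptions, and the SHA-256 stand-in replaces a real public-key signature check.

```kotlin
import java.security.MessageDigest

// Added illustration, not RevenueCat SDK code. Endpoint objects, paths and message layout are assumed.
sealed class Endpoint(val pathTemplate: String, val name: String) {
    abstract val supportsSignatureValidation: Boolean // is this endpoint's response signed at all?
    abstract val needsNonceToPerformSigning: Boolean  // must the client send a nonce to bind the signature?
    // Static endpoints: signed, but the body is the same for every caller, so no per-request nonce.
    object GetOfferings : Endpoint("/example/offerings", "get_offerings") {
        override val supportsSignatureValidation = true
        override val needsNonceToPerformSigning = false
    }
    object GetProductEntitlementMapping : Endpoint("/example/product_entitlement_mapping", "get_mapping") {
        override val supportsSignatureValidation = true
        override val needsNonceToPerformSigning = false
    }
    // Per-user endpoint: the nonce ties the signed response to this specific request.
    object GetCustomerInfo : Endpoint("/example/subscribers/%s", "get_customer") {
        override val supportsSignatureValidation = true
        override val needsNonceToPerformSigning = true
    }
}

// An explicit outcome lets tests assert SUCCESS for static endpoints instead of reading logs.
enum class VerificationResult { NOT_REQUESTED, SUCCESS, FAILED }

class SigningManager(
    private val enabled: Boolean,
    private val verifySignature: (message: ByteArray, signature: ByteArray) -> Boolean, // assumed primitive
) {
    fun verify(endpoint: Endpoint, nonce: String?, body: String, signature: ByteArray?): VerificationResult {
        if (!enabled || !endpoint.supportsSignatureValidation) return VerificationResult.NOT_REQUESTED
        if (signature == null || (endpoint.needsNonceToPerformSigning && nonce == null)) return VerificationResult.FAILED
        // Assumed layout: the nonce (only when the endpoint requires one) followed by the response body.
        val prefix = if (endpoint.needsNonceToPerformSigning) nonce.orEmpty() else ""
        return if (verifySignature((prefix + body).toByteArray(), signature)) VerificationResult.SUCCESS
        else VerificationResult.FAILED
    }
}

fun main() {
    // Constructed stand-in for a real public-key check: a valid signature equals SHA-256(message).
    val digest = { m: ByteArray -> MessageDigest.getInstance("SHA-256").digest(m) }
    val manager = SigningManager(true) { m, sig -> digest(m).contentEquals(sig) }
    val body = """{"offerings":[]}"""
    val goodSig = digest(body.toByteArray())
    check(manager.verify(Endpoint.GetOfferings, null, body, goodSig) == VerificationResult.SUCCESS)
    check(manager.verify(Endpoint.GetOfferings, null, "{}", goodSig) == VerificationResult.FAILED)      // tampered body
    check(manager.verify(Endpoint.GetCustomerInfo, null, body, goodSig) == VerificationResult.FAILED)   // nonce missing
    check(SigningManager(false) { _, _ -> true }.verify(Endpoint.GetOfferings, null, body, goodSig) == VerificationResult.NOT_REQUESTED)
}
```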