HTTPClient: added signature validation and introduced ErrorCode.signatureVerificationFailed

[NachoSoto]

Fixes CSDK-634.

Changes:

• Created HTTPResponseValidationResult
• Added HTTPResponseValidationResult and HTTPClient.ResponseHeaders to HTTPResponse
• Added new ErrorCode.signatureVerificationFailed
• Extracted SigningType to create MockSigning to test HTTPClient without bothering with signatures
• Refactored ETagManager to use HTTPResponse, making it easier to pass through response headers and verification results
• Stored HTTPResponseValidationResult in ETagManager cache
• HTTPClient handles signatures from response based on SystemInfo.responseVerificationLevel
• Renamed HTTPRequest.createIntegrityEnforcedRequestRequest to HTTPRequest.createWithResponseVerification
• Added lots of tests for this new behavior in HTTPClient
• Added lots of new tests for ETagManager

[NachoSoto]

This tests backwards compatibility with old responses. We handle that as a cache miss.

[NachoSoto]

This test was moved below to SignatureVerificationHTTPClientTests

[codecov]

Codecov Report

Merging #2272 (45b2ea1) into main (6a52a64) will decrease coverage by 0.01%.
The diff coverage is 98.23%.

❗ Current head 45b2ea1 differs from pull request most recent head 7a62e5b. Consider uploading reports for the commit 7a62e5b to get more accurate results

@@            Coverage Diff             @@
##             main    #2272      +/-   ##
==========================================
- Coverage   86.20%   86.20%   -0.01%     
==========================================
  Files         186      187       +1     
  Lines       12306    12407     +101     
==========================================
+ Hits        10609    10696      +87     
- Misses       1697     1711      +14     

Impacted Files	Coverage Δ
Sources/Misc/Signing.swift	90.27% <ø> (ø)
Sources/Networking/HTTPClient/HTTPResponse.swift	92.45% <95.65%> (+1.34%)	⬆️
Sources/Misc/Signing+ResponseValidation.swift	97.29% <97.29%> (ø)
Sources/Error Handling/ErrorCode.swift	94.79% <100.00%> (+0.13%)	⬆️
Sources/Error Handling/ErrorUtils.swift	85.83% <100.00%> (+0.41%)	⬆️
Sources/Logging/Strings/SigningStrings.swift	100.00% <100.00%> (ø)
Sources/Networking/HTTPClient/ETagManager.swift	99.14% <100.00%> (+0.12%)	⬆️
Sources/Networking/HTTPClient/HTTPClient.swift	98.29% <100.00%> (+0.30%)	⬆️
Sources/Networking/HTTPClient/HTTPRequest.swift	100.00% <100.00%> (ø)
Sources/Networking/HTTPClient/NetworkError.swift	99.21% <100.00%> (+0.09%)	⬆️
... and 10 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[bisho]

Can we extend HTTPRequest to have a IntegrityVerifiedHTTPRequest that guarantees contains a Nonce? And then make this signature expect that class in particular. Doesn't make sense to validate a HTTPRequest that is not sending Nonces.

[NachoSoto]

That's definitely an alternative approach, but that's not very Swift-y. We'd have to move away from it being a struct and lose the value semantics on this type (can't inherit structs)

I think the main issue is this is bad name. It returns HTTPResponseValidationResult.notRequested if the request doesn't need to be verified, so maybe instead of createAndValidate it should just be HTTPResponse.create(with:...).

[NachoSoto]

Alternatively we'd have to make HTTPResponse a protocol and use a generic <Response: HTTPResponseType> everywhere to maintain type safety at compile time instead of doing that at runtime. But at that point it would be an overkill.

[bisho]

Hummm... I see... I have no clue about swift :)

And something like createRequestAndValidator() that returns a request with the nonce, and a validator ready to use (contains the nonce)? It feels weird to have this generic create and validate that sometimes will not validate, plus there is not a lot of type safety, there is no way to enforce validation for some kind of request.

That way the request remains generic, you will just build a validator when requesting a request with validation. If not requesting validation, you will just have a create that builds a request.

Again, all this not knowing a thing about swift patterns :)

[NachoSoto]

I renamed this, I think it's clearer now. I do get your point of seemingly validating requests that don't require it.
HTTPResponse always has an HTTPResponseValidationResult (even if it's .notRequested).
So HTTPResponse.create(with:body:request:..) is the new API. It may or may not do any validation, but it'll return an HTTPResponse with the appropriate information. Does that sound less weird?

[NachoSoto]

Apologies for the big diff 🙏🏻 I couldn't really split the changes here into multiple PRs since they're all connected.
Most of the changes are a lot of new tests though

[cadamsdotcom]

Nice change @NachoSoto. Not a swift expert, but looks good to me. The API with the optional requesting of verification is going to prove handy if we decide to do this for more endpoint in future..

PS particularly liked how simple the sign and createSalt test methods got, the simple keypair generation with private let (privateKey, publicKey) = SigningTests.createRandomKey(), and how packing things into test classes creates clean encapsulation. Learned a bunch about Swift reading this, thanks for sending it through!

[NachoSoto]

I'm thinking of renaming the ErrorCode here instead if we agree with the name in #2277.

[tonidero]

I'm thinking of renaming the ErrorCode here instead if we agree with the name in #2277.

I think that name makes sense 👍

[aboedo]

we need to be very careful with the case where it wasn't available. I can see us messing this up and breaking things for iOS 12 easily.
I wouldn't even mind having a separate case where for .unsupportedOSVersion or something

[aboedo]

but, when in doubt, I'd just consider it "valid" for older OS versions. You can't "cheat" this check so it's not really a useful hack, and being forced into staying with iOS 12 is probably a dealbreaker for most attackers anyway

[NachoSoto]

We talked about this offline.
We're going to solve this by making the "validated" APIs only available in iOS 13+, to force users to decide how to handle older versions.

The configuration API is already not available below, so it's also clear that you can't use it on older devices.

[tonidero]

So this will change in a followup PR I imagine right?

[aboedo]

we're interchangeably using validation and verification throughout the feature, we should pick one and settle. I think verification is more technically appropriate for this

[aboedo]

also... do we ever clean these up?

It feels like if we have an eTag but it doesn't have validation information and validation has been activated, we should kill the old eTag, but I don't recall what our cleanup mechanism for this was

[aboedo]

also, we're not storing when validationResult = failed, so this would never be true, right?

[aboedo]

last question: what are we doing here when validation wasn't requested at all? Like, if validation is disabled, this should behave exactly as it always has

[NachoSoto]

we're interchangeably using validation and verification throughout the feature, we should pick one and settle. I think verification is more technically appropriate for this

I fixed those inconsistencies in #2277. I went with validation but we can change it back.

It feels like if we have an eTag but it doesn't have validation information and validation has been activated, we should kill the old eTag

Hmm good point, let me see if we have a test case for that and if not I'll add it.

also, we're not storing when validationResult = failed, so this would never be true, right?

That's correct, it's just an extra safety check. I can add a comment.

what are we doing here when validation wasn't requested at all? Like, if validation is disabled, this should behave exactly as it always has

It does, and all the existing tests still pass.

[NachoSoto]

Okay, updated ETagManager to ignore etags for the case where the stored cache had no validation but the new request requires a signature.

[tonidero]

Still need to review tests but looking good!

[tonidero]

🎉

[NachoSoto]

All comments addressed.

[tonidero]

LGTM!

[tonidero]

So this will change in a followup PR I imagine right?

[tonidero]

I may be missing something but why did we make these var instead of let?

[NachoSoto]

So we can modify the validation result after it's initially created in HTTPClient (just an implementation detail).
Note that structs have value semantics, so this isn't like having mutable data in other languages.

Example:

struct Data {
  // Technically mutable
  var a: Int
  var b: String
}

let d = Data(a: 1, b: "test")
d.a +=1 // Error, `d` is immutable!

func f(_ d: Data) {
  d.a += 1 // Error, d is immutable
}

Additionally, structs get implicitly copied (they have value semantics, not reference), they're passed by value, so you can't lead to shared mutable state.

So basically it doesn't make a difference if these are vars, it just makes creating copies with different values easier without needing to do it manually calling the constructor again.

[tonidero]

Right, I asked about this before and I forgot 😅 thanks for explaining again!

[tonidero]

Same here, could these be let? I don't think callers of this mock would need to modify this?

[NachoSoto]

Ditto, it doesn't make a difference, it would only be mutable for a var ETagHeaderRequest anyway.