Update CustomerInfo.requestDate from 304 responses

[NachoSoto]

Purpose:

This is a prerequisite for #2288. The new grace period means that if we didn't update the date from the cached responses, entitlements would become stale and expired after 3 days.

Changes:

• Added HTTPResponseBody.copy(with newRequestDate:) to be able to modify responses from the header request date
• CustomerInfo implements this method to modify its request date
• Added HTTPResponse.requestDate to be able to keep track of the request date from the server
• Added VerificationResult.from(cache:response:) to determine the most restrictive verification result based on what's cached or checked from a response
• Added HTTPResponse.copy(with:) to modify the verification result of a response using the previous method
• HTTPClient now uses the most restrictive verification result
• HTTPClient updates request date from server responses or cached responses (unless verification failed). This was the missing piece for EntitlementInfo: add a grace period limit to outdated entitlements #2288.

Tests:

• Verify that ETagManager does not use an ETag if verification was previously not enabled
• Verify that ETagManager returns the request date from the server when returning a cached response
• Verify that HTTPClient updates the request date from the server or from a cached response
• Verify that HTTPClient does not update request date if verification failed
• Tests for HTTPResponse request date parsing
• Test for CustomerInfoResponseHandler updating request date
• Tests for CustomerInfo.copy(with newRequestDate:)

Other smaller changes:

• Moved CustomerInfo.asData() into Encodable.asJSONEncodedData()
• Renamed requestTime to requestDate everywhere for consistency

[codecov]

Codecov Report

Merging #2310 (7a2204d) into main (b707f8a) will increase coverage by 0.04%.
The diff coverage is 100.00%.

❗ Current head 7a2204d differs from pull request most recent head 27920fa. Consider uploading reports for the commit 27920fa to get more accurate results

@@            Coverage Diff             @@
##             main    #2310      +/-   ##
==========================================
+ Coverage   86.41%   86.45%   +0.04%     
==========================================
  Files         187      188       +1     
  Lines       12630    12714      +84     
==========================================
+ Hits        10914    10992      +78     
- Misses       1716     1722       +6     

Impacted Files	Coverage Δ
Sources/FoundationExtensions/Date+Extensions.swift	100.00% <100.00%> (ø)
Sources/Identity/CustomerInfo.swift	89.53% <100.00%> (+0.44%)	⬆️
Sources/Logging/Strings/CustomerInfoStrings.swift	92.68% <100.00%> (+0.37%)	⬆️
Sources/Logging/Strings/SigningStrings.swift	95.00% <100.00%> (ø)
Sources/Misc/Signing+ResponseVerification.swift	98.01% <100.00%> (+0.40%)	⬆️
Sources/Misc/Signing.swift	88.76% <100.00%> (ø)
Sources/Networking/HTTPClient/ETagManager.swift	99.19% <100.00%> (+<0.01%)	⬆️
Sources/Networking/HTTPClient/HTTPClient.swift	98.20% <100.00%> (+0.09%)	⬆️
Sources/Networking/HTTPClient/HTTPResponse.swift	93.75% <100.00%> (+0.58%)	⬆️
...urces/Networking/HTTPClient/HTTPResponseBody.swift	100.00% <100.00%> (ø)
... and 8 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[tonidero]

Just a possible edge case I was thinking about but looking great!

[tonidero]

What do these numbers mean? We could also hardcode a date for this and the mockedResponse request date to make it more deterministic.

[NachoSoto]

It's just a simpler way to make a date that's not "now" to avoid false negatives.

[bisho]

Can you add a test in case the server returns a 500 error? Want to ensure that is not treated as verification failure even if the date header is not present.

[bisho]

We should only update the requestDate if the verification result of the NOT_MODIFIED response is green, right?

[bisho]

And do we persist this date change in the cache?
Imagine:

1. 200 OK, valid signature, with request time t=1. SDK gets (valid signature, t=1)
2. 304 NOT_MODIFIED, valid signature, with request time t=2. SDK gets (valid signature, t=2)
3. Timeout or error 500... What the SDK will retrieve t=1 or t=2?. Should be (valid signature, t=2)

[bisho]

Similarly:

1. 200 OK, valid signature with request time t=1. SDK gets (valid signature, t=1)
2. 304 NOT_MODIFIED, INVALID signature, with request time t=2. SDK should get (valid signature, t=1)
3. Timeout or error 500, SDK should get (valid signature, t=1)

And:

1. 200 OK valid signature, t=1. SDK gets (valid signature, t=1)
2. 200 OK INVALID SIGNATURE, t=2. SDK gets (valid signature, t=1)
3. Timeout or error 500, SDK should get (valid signature, t=1)

[tonidero]

Nacho can correct me but I believe we currently cache the request time not at the response level but at the model level. Right now we only cache it for the CustomerInfo model so we only store it in those models. We don't update the response cache on not modified responses either

[NachoSoto]

Timeout or error 500... What the SDK will retrieve t=1 or t=2?. Should be (valid signature, t=2)

Short answer is t2.

@bisho you're conflating 2 separate layers of caching (which is normal because you're not familiar with the codebase).

If the server fails to return a 304 (500 or timeout), HTTPClient won't return the cached data.
That caching would be handled by DeviceCache, which would receive the updated request time.

[NachoSoto]

We should only update the requestDate if the verification result of the NOT_MODIFIED response is green, right?

That I think I have a test for but let me check.

[NachoSoto]

304 NOT_MODIFIED, INVALID signature, with request time t=2. SDK should get (valid signature, t=1)

Oh that's a case I didn't consider.
Are we sure we want to do that? That would break an app without any indication that this is happening.

[NachoSoto]

We should only update the requestDate if the verification result of the NOT_MODIFIED response is green, right?

That's already done:

fileprivate func copyWithNewRequestDate() -> Self {
    // Update request time from server unless it failed verification.
    guard self.verificationResult != .failed, let requestDate = self.requestDate else { return self }

[bisho]

304 NOT_MODIFIED, INVALID signature, with request time t=2. SDK should get (valid signature, t=1)

Oh that's a case I didn't consider.
Are we sure we want to do that? That would break an app without any indication that this is happening.

The thing is that you can't use t=2 as it is not verified. And making the cache not verified in whole defeats the purpose of the cache. Note that there are legit cases of tampering (you are in an airport wifi that intercepts HTTPs. So you can't assume it is a bad actor and use t=2 but making it fail validation. We have a cache, use it until you can. The only case for using t=2 is if there app has disabled verification.

[aboedo]

I agree that we can't use t=2, otherwise that opens us up to an easy attack.

But I'm not sure about the part about considering any result that we have "verified" if we get a signature that we can't verify - even if it's from a 304. Like, "someone told us to use what's in cache but we don't really trust them" seems like a clear use case for "not verified".

I get that we're not entirely sure if any valid tampering will happen in real life, but... this is all happening at the application level, right? Like, there really shouldn't be any modified content in the response content, datetime or request uuid that a public wifi modifies to have us fail validation.

It feels like we might be setting ourselves up for one of those use cases that takes a long time to explain to someone, while just saying "if you got an invalid signature, you get an unverified entitlement" seems a lot simpler

[bisho]

Oh, I see that here you will return the response as not valid if a 304 is not valid. I don't think we should do this. We should act as unable to fetch. There is a legit situation for this, imagine you are in a airport wifi that intercepts and mangles requests. It should not break your cache.

I think I still have trouble with the logic for validation being in two places.

I would rather do something like:

• For validation errors (either 200, 403...), if there is cache, treat this as a 500, just return cache
• For 403 update request time in cache only if cache was checked valid and 304 was valid too (304 invalid would be covered in the above case anyway). Then return cache.
• For valid 200, update cache, return fresh data

Pseudocode:

# On requests:
if cache and (cacheValidationOk or SDKValidationDisabled):
    request_with_cache_etag()
else:
    request_without_etag()

def get_response_or_cache():
# On responses:
wrong_response = response_not_modified and (we_did_not_sent_etag or returned_etag_mistmatch)
  return FailedRequest  # This should not happen, we only expect not modified if we have a etag cached reponse. If the cache data is not trusted we should NOT send etag always to force a refetch (unless SDKValidationDisabled).

if failedRequest or wrong_response:
    if cache:
        return cache
    else:
        return FailedRequest

trust_response = responseValidationOk or SDKValidationDisabled

if trust_response:
    if not_modified:
        update_cache_request_time()
        # While we might trust the response if validation is disabled, we still track
        # wether the cached data is valid or not, and it will be only valid if cache
        # and requests are both valid
        update_cache_validation_to(responseValidationOk and cacheValidationOk)
        return cache
    else:
        store_new_response_in_cache()
        update_cache_validation_to(responseValidationOk)
        return response
elif cacheValidationOk:
    # If we are not trusting response, prefer valid cache always
    return cache
else:
    # We do not trust response nor cache
    if not_modified:
        return cache
    else:
        store_new_response_in_cache()
        update_cache_validation_to(validationFailed)
        return response

This code will handle properly the cache and validation status. In some cases this will return responses with validation failures, but it will try its best to use valid cache over a failed validation response (unless we are using the disable validation mode, in which case uses all responses valid or not (but still tracks validation state irregardless).

Above this, you can put the enforcer layer for strict mode. Having it separate simplifies the request / cache mangling layer.

    response = get_response_or_cache()
    if SDKValidationStrictMode and not response.isValid:
        return failedValidation
    return response

[bisho]

It took me a full hour write what I was thinking was going to be simple pseudocode. This request handling logic is truly complicated XDDD

Perhaps it is better to sync. Ping me if you are available.

[NachoSoto]

Oh, I see that here you will return the response as not valid if a 304 is not valid. I don't think we should do this. We should act as unable to fetch. There is a legit situation for this, imagine you are in an airport wifi that intercepts and mangles requests. It should not break your cache.

I think I still have trouble with the logic for validation being in two places.

I would rather do something like:

For validation errors (either 200, 403...), if there is cache, treat this as a 500, just return cache

That's not changed. As per my other comment, that would be handled by DeviceCache. HTTPClient doesn't return a valid response if there is a 500.

For 403 update request time in cache only if cache was checked valid and 304 was valid too (304 invalid would be covered in the above case anyway). Then return cache.
For valid 200, update cache, return fresh data

That's how it works 👍🏻

[NachoSoto]

Can you add a test in case the server returns a 500 error?

We already have a test for that and it's still passing 👍🏻 (HTTPClient has 64 tests so it's pretty well covered).

[NachoSoto]

I think I handled all comments, but let me know if I missed something.

[NachoSoto]

This fixes #2470.