Merge pull request #282 from ForgeRock/Bug/FRURLProtocol_ignores_SSL_…

…Pinning FRURLProtocol ignores ssl pinning
ForgeRock · Jun 4, 2024 · 3814770 · 3814770
2 parents a4baee6 + f8bf9a3
commit 3814770
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 21 deletions.
diff --git a/FRAuth/FRAuth/Network/FRURLProtocol.swift b/FRAuth/FRAuth/Network/FRURLProtocol.swift
@@ -1,24 +1,27 @@
-// 
+//
 //  FRURLProtocol2.swift
 //  FRAuth
 //
-//  Copyright (c) 2020 ForgeRock. All rights reserved.
+//  Copyright (c) 2020-2024 ForgeRock. All rights reserved.
 //
 //  This software may be modified and distributed under the terms
 //  of the MIT license. See the LICENSE file for details.
 //
 
 
 import Foundation
+import FRCore
 
-@objc public class FRURLProtocol: URLProtocol {
+@objc open class FRURLProtocol: URLProtocol {
 
     //  MARK: - Public Property
 
     /// TokenManagementPolicy for URLProtocol
     @objc public static var tokenManagementPolicy: TokenManagementPolicy?
     /// AuthorizationPolicy for URLProtocol
     @objc public static var authorizationPolicy: AuthorizationPolicy?
+    /// FRSecurityConfiguration for URLProtocol - Used for SSL Pinning
+    @objc public static var frSecurityConfiguration: FRSecurityConfiguration?
 
     //  MARK: - Private Property
 
@@ -131,7 +134,7 @@ import Foundation
             self.sessionTask?.resume()
             return
         }
-
+        
         FRURLProtocol.setProperty(true, forKey: Constants.FRURLProtocolHandled, in: mutableRequest)
         session?.dataTask(with: mutableRequest as URLRequest, completionHandler: { (data, response, error) in
             if let returnData = data {
@@ -198,7 +201,7 @@ import Foundation
 
 
 extension FRURLProtocol: URLSessionDataDelegate {
-
+    
     /// URLSessionDataDelegate method for receiving data
     ///
     /// - Parameters:
@@ -214,7 +217,7 @@ extension FRURLProtocol: URLSessionDataDelegate {
             self.responseData = data
         }
     }
-
+    
 
     /// URLSessionDataDelegate method for receiving response
     ///
@@ -229,7 +232,7 @@ extension FRURLProtocol: URLSessionDataDelegate {
         completionHandler(.allow)
     }
 
-
+    
     /// URLSessionDataDelegate method to notify completion of the request
     ///
     /// In this delegation method, FRURLProtocol will validate the result of the request with given ValidatedURLs, RefreshTokenPolicy, and maximum retry attempt, and perform token refresh if necessary
@@ -317,7 +320,7 @@ extension FRURLProtocol: URLSessionDataDelegate {
             }
         }
 
-
+        
         if shouldRetry {
             self.responseData = nil
             self.client?.urlProtocol(self, didLoad: Data())
@@ -334,7 +337,7 @@ extension FRURLProtocol: URLSessionDataDelegate {
             self.completeRequest(error: error)
         }
     }
-
+    
 
     /// URLSessionDataDelegate method for HTTP Redirection
     ///
@@ -373,7 +376,7 @@ extension FRURLProtocol: URLSessionDataDelegate {
         client?.urlProtocol(self, wasRedirectedTo: request, redirectResponse: response)
         completionHandler(request)
     }
-
+    
 
     /// URLSessionDataDelegate method for invalidating the current request with an error
     ///
@@ -384,28 +387,65 @@ extension FRURLProtocol: URLSessionDataDelegate {
         guard let error = error else { return }
         client?.urlProtocol(self, didFailWithError: error)
     }
-
 
-    /// URLSessionDataDelegate method for Authentication Challenge
+
+    /// URLSessionDelegate method for Authentication Challenge
     ///
     /// - Parameters:
     ///   - session: URLSession
     ///   - challenge: URLAuthenticationChallenge
     ///   - completionHandler: Completion callback
     public func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
-        let protectionSpace = challenge.protectionSpace
-        let sender = challenge.sender
-
-        if protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
-            if let serverTrust = protectionSpace.serverTrust {
-                let credential = URLCredential(trust: serverTrust)
-                sender?.use(credential, for: challenge)
-                completionHandler(.useCredential, credential)
+        if let frSecurityConfiguration = FRURLProtocol.frSecurityConfiguration {
+            frSecurityConfiguration.validateSessionAuthChallenge(session: session, challenge: challenge, completionHandler: completionHandler)
+        } else {
+            let protectionSpace = challenge.protectionSpace
+            let sender = challenge.sender
+
+            if protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
+                if let serverTrust = protectionSpace.serverTrust {
+                    let credential = URLCredential(trust: serverTrust)
+                    sender?.use(credential, for: challenge)
+                    completionHandler(.useCredential, credential)
+                    return
+                }
+            } else {
+                completionHandler(.performDefaultHandling, nil)
                 return
             }
         }
+
     }
-
+
+    /// URLSessionTaskDelegate method for Authentication Challenge
+    ///
+    /// - Parameters:
+    ///   - session: URLSession
+    ///   - task: URLSessionTask
+    ///   - challenge: URLAuthenticationChallenge
+    ///   - completionHandler: Completion callback
+    public func urlSession(_ session: URLSession, task: URLSessionTask, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
+        if let frSecurityConfiguration = FRURLProtocol.frSecurityConfiguration {
+            frSecurityConfiguration.validateTaskAuthChallenge(session: session, task: task, challenge: challenge, completionHandler: completionHandler)
+        } else {
+            let protectionSpace = challenge.protectionSpace
+            let sender = challenge.sender
+
+            if protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust {
+                if let serverTrust = protectionSpace.serverTrust {
+                    let credential = URLCredential(trust: serverTrust)
+                    sender?.use(credential, for: challenge)
+                    completionHandler(.useCredential, credential)
+                    return
+                }
+            } else {
+                completionHandler(.performDefaultHandling, nil)
+                return
+            }
+        }
+
+    }
+
 
     /// URLSessionDataDelegate method
     ///

diff --git a/SampleApps/FRExample/FRExample/ViewController.swift b/SampleApps/FRExample/FRExample/ViewController.swift
@@ -174,6 +174,20 @@ class ViewController: UIViewController, ErrorAlertShowing {
         config.protocolClasses = [FRURLProtocol.self]
         self.urlSession = URLSession(configuration: config)
 
+        // Configure FRSecurityConfiguration to set SSL Pinning on the FRURLProtocol
+        // This needs to be set up if using Authroization or Token Policies with FRURLProtocol
+        // and want to force SSL Pinning on those endpoints.
+        // Make sure to add the Key Hashes of the certificates that correspont to the URLs 
+        // set on the `FRURLProtocol.tokenManagementPolicy` & `FRURLProtocol.authorizationPolicy`
+
+        var sslPinningKeyHashes: [String] = []
+        //sslPinningKeyHashes = ["Key1", "Key2"] --> Add Key hashes and uncomment to enable
+
+        if(!sslPinningKeyHashes.isEmpty) {
+            let frSecurityConfiguration = FRSecurityConfiguration(hashes: sslPinningKeyHashes)
+            FRURLProtocol.frSecurityConfiguration = frSecurityConfiguration
+        }
+
         //  - MARK: FRUI Customize Cell example
         // Comment out below code to demonstrate FRUI customization
 //        CallbackTableViewCellFactory.shared.registerCallbackTableViewCell(callbackType: "NameCallback", cellClass: CustomNameCallbackCell.self, nibName: "CustomNameCallbackCell")