From pweschm...@apache.org
Subject svn commit: r1483738 - in /chemistry/objectivecmis/trunk/ObjectiveCMIS: Common/ Utils/
Date Fri, 17 May 2013 11:08:56 GMT
Author: pweschmidt
Date: Fri May 17 11:08:55 2013
New Revision: 1483738

URL: http://svn.apache.org/r1483738
Log:
renamed TrustedSSL constant to something more meaningful; added comments; also check the server
URL against the expected one before trusting it

Modified:
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.h
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.m
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.h
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.m
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h
    chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.h
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.h?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.h (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.h Fri May 17
11:08:55 2013
@@ -41,8 +41,10 @@ extern NSString * const kCMISSessionPara
 
 // TODO: Temporary, must be extracted into separate project
 extern NSString * const kCMISSessionParameterMode;
-
-extern NSString * const kCMISSessionTrustedSSLServerFlag;
+/**
+ This flag is used for SSL self certification and indicates, whether a server is trusted.
Default value is NO.
+ */
+extern NSString * const kCMISSessionAllowUntrustedSSLCertificate;
 
 @interface CMISSessionParameters : NSObject
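Review bot: The doc comment added above `kCMISSessionAllowUntrustedSSLCertificate` reads with the opposite polarity from the constant's name: it says the flag "indicates, whether a server is trusted", while the name says that YES makes the client accept a certificate that fails normal trust evaluation. I would reword it along the lines of `/** When YES, the session accepts server certificates that fail system trust evaluation (for example self-signed ones). Default value is NO. */`, so integrators see that setting it weakens TLS validation rather than marking a server as verified. The key string in CMISSessionParameters.m is still `session_param_trusted_ssl_server_flag`, which keeps the old wording; if nothing depends on that literal it could be renamed to match.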
 

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.m (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISSessionParameters.m Fri May 17
11:08:55 2013
@@ -26,7 +26,7 @@ NSString * const kCMISSessionParameterLi
 NSString * const kCMISSessionParameterMode = @"session_param_mode";
 
 
-NSString * const kCMISSessionTrustedSSLServerFlag = @"session_param_trusted_ssl_server_flag";
+NSString * const kCMISSessionAllowUntrustedSSLCertificate = @"session_param_trusted_ssl_server_flag";
 
 @interface CMISSessionParameters ()
 @property (nonatomic, assign, readwrite) CMISBindingType bindingType;

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
(original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Common/CMISStandardAuthenticationProvider.m
Fri May 17 11:08:55 2013
@@ -63,7 +63,10 @@
     }
 }
 
-
+/**
+ This checks whether a request can be authenticated. It gets called from the CMISHttpRequest.
For SSL servers we filter the call directly in HttpRequest.
+ So that when we reach this call, we know, the SSL server can be trusted.
+ */
 - (BOOL)canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace
 {
     // default implementation mimics default NSURLConnectionDelegate behavior
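Review bot: The comment added above `canAuthenticateAgainstProtectionSpace:`, like the matching one above `didReceiveAuthenticationChallenge:` in the next hunk, states that "the SSL server can be trusted" once the provider is reached, but that property is enforced only by the caller, CMISHttpRequest. As far as this commit shows, the filter establishes that the session opted in to accepting an untrusted certificate and that a host comparison passed; no certificate chain evaluation is visible. I would phrase it as a precondition, e.g. `Precondition: CMISHttpRequest has already rejected server-trust challenges unless the session opted in and the host matched.` Both method bodies continue outside their hunks, so whether the provider does any validation of its own should be confirmed before the comment says so either way.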
@@ -86,7 +89,10 @@
     // nothing to do in the default implementation
 }
 
-
+/**
+ This gets called from CMISHttpRequest. CMISHttpRequest also filters out any unauthorised
calls to SSL server. We only get called here, if the SSL server
+ is actually trusted.
+ */
 - (void)didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
 {
     if (challenge.previousFailureCount == 0) {

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISDefaultNetworkProvider.m Fri May
17 11:08:55 2013
@@ -46,13 +46,13 @@ completionBlock:(void (^)(CMISHttpRespon
                                                                               session:session];
     if (!cmisRequest.isCancelled)
     {
-        BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber
numberWithBool:NO]] boolValue];
+        BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate
defaultValue:[NSNumber numberWithBool:NO]] boolValue];
         CMISHttpRequest* request = [CMISHttpRequest startRequest:urlRequest
                                                       httpMethod:httpRequestMethod
                                                      requestBody:body
                                                          headers:additionalHeaders
                                           authenticationProvider:session.authenticationProvider
-                                                trustedSSLServer:isTrusted
+                                             useTrustedSSLServer:useTrustedSSLServer
                                                  completionBlock:completionBlock];
         if (request)
         {
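Review bot: The local `useTrustedSSLServer` is read from `kCMISSessionAllowUntrustedSSLCertificate`, so the variable and the `useTrustedSSLServer:` label say "trusted" while the value means "accept an untrusted certificate". Someone auditing the TLS path can easily read it inverted. Naming the local `allowUntrustedSSLCertificate` keeps the polarity visible at the call site. The same lookup line is repeated in four more hunks of this file; a small private helper that takes the session and returns the BOOL would keep the NO default in one place, and `@NO` is shorter than `[NSNumber numberWithBool:NO]`.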
@@ -79,14 +79,14 @@ completionBlock:(void (^)(CMISHttpRespon
                                                                                httpMethod:httpRequestMethod
                                                                                   session:session];
         
-        BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber
numberWithBool:NO]] boolValue];
+        BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate
defaultValue:[NSNumber numberWithBool:NO]] boolValue];
         CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
                                                                   httpMethod:httpRequestMethod
                                                                  inputStream:inputStream
                                                                      headers:additionalHeaders
                                                                bytesExpected:0
                                                       authenticationProvider:session.authenticationProvider
-                                                            trustedSSLServer:isTrusted
+                                                         useTrustedSSLServer:useTrustedSSLServer
                                                              completionBlock:completionBlock
                                                                progressBlock:nil];
         if (request)
@@ -116,14 +116,14 @@ completionBlock:(void (^)(CMISHttpRespon
                                                                                httpMethod:httpRequestMethod
                                                                                   session:session];
         
-        BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber
numberWithBool:NO]] boolValue];
+        BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate
defaultValue:[NSNumber numberWithBool:NO]] boolValue];
         CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
                                                                   httpMethod:httpRequestMethod
                                                                  inputStream:inputStream
                                                                      headers:additionalHeaders
                                                                bytesExpected:bytesExpected
                                                       authenticationProvider:session.authenticationProvider
-                                                            trustedSSLServer:isTrusted
+                                                         useTrustedSSLServer:useTrustedSSLServer
                                                              completionBlock:completionBlock
                                                                progressBlock:progressBlock];
         if (request){
@@ -154,7 +154,7 @@ completionBlock:(void (^)(CMISHttpRespon
                                                                                httpMethod:httpRequestMethod
                                                                                   session:session];
         
-        BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber
numberWithBool:NO]] boolValue];
+        BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate
defaultValue:[NSNumber numberWithBool:NO]] boolValue];
         CMISHttpUploadRequest* request = [CMISHttpUploadRequest startRequest:urlRequest
                                                                   httpMethod:httpRequestMethod
                                                                  inputStream:inputStream
@@ -163,7 +163,7 @@ completionBlock:(void (^)(CMISHttpRespon
                                                       authenticationProvider:session.authenticationProvider
                                                               cmisProperties:cmisProperties
                                                                     mimeType:mimeType
-                                                            trustedSSLServer:isTrusted
+                                                         useTrustedSSLServer:useTrustedSSLServer
                                                              completionBlock:completionBlock
                                                                progressBlock:progressBlock];
         if (request){
@@ -192,13 +192,13 @@ completionBlock:(void (^)(CMISHttpRespon
                                                                                httpMethod:HTTP_GET
                                                                                   session:session];
         
-        BOOL isTrusted = [[session objectForKey:kCMISSessionTrustedSSLServerFlag defaultValue:[NSNumber
numberWithBool:NO]] boolValue];
+        BOOL useTrustedSSLServer = [[session objectForKey:kCMISSessionAllowUntrustedSSLCertificate
defaultValue:[NSNumber numberWithBool:NO]] boolValue];
         CMISHttpDownloadRequest* request = [CMISHttpDownloadRequest startRequest:urlRequest
                                                                       httpMethod:httpRequestMethod
                                                                     outputStream:outputStream
                                                                    bytesExpected:bytesExpected
                                                           authenticationProvider:session.authenticationProvider
-                                                                trustedSSLServer:isTrusted
+                                                             useTrustedSSLServer:useTrustedSSLServer
                                                                  completionBlock:completionBlock
                                                                    progressBlock:progressBlock];
         if (request) {

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.h Fri May 17
11:08:55 2013
@@ -38,7 +38,7 @@
                             outputStream:(NSOutputStream*)outputStream
                            bytesExpected:(unsigned long long)bytesExpected
                   authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
-                        trustedSSLServer:(BOOL)trustedSSLServer
+                     useTrustedSSLServer:(BOOL)trustedSSLServer
                          completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError
*error))completionBlock
                            progressBlock:(void (^)(unsigned long long bytesDownloaded, unsigned
long long bytesTotal))progressBlock;
 

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpDownloadRequest.m Fri May 17
11:08:55 2013
@@ -40,7 +40,7 @@
                             outputStream:(NSOutputStream*)outputStream
                            bytesExpected:(unsigned long long)bytesExpected
                   authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
-                        trustedSSLServer:(BOOL)trustedSSLServer
+                        useTrustedSSLServer:(BOOL)trustedSSLServer
                          completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError
*error))completionBlock
                            progressBlock:(void (^)(unsigned long long bytesDownloaded, unsigned
long long bytesTotal))progressBlock
 {

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.h
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.h?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.h (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.h Fri May 17 11:08:55
2013
@@ -34,7 +34,7 @@
 @property (nonatomic, strong) id<CMISAuthenticationProvider> authenticationProvider;
 @property (nonatomic, assign) BOOL trustedSSLServer;
 @property (nonatomic, copy) void (^completionBlock)(CMISHttpResponse *httpResponse, NSError
*error);
-
+@property (nonatomic, strong) NSURL *requestURL;
 /**
  * starts a URL request for given HTTP method 
  * @param requestBody (optional)
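Review bot: `requestURL` is added to the public header as a read-write property, yet CMISHttpRequest.m uses it to decide whether a server-trust challenge is accepted, so any code holding the request object can change the host that decision is made against. The diff shows it assigned only inside `startRequest:`, so I would declare it `@property (nonatomic, strong, readonly) NSURL *requestURL;` here and redeclare it `readwrite` in a class extension in the .m file. The blank line that separated the properties from the following doc comment was also dropped; keeping it stops the comment from reading as documentation for the property.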
@@ -47,7 +47,7 @@
                      requestBody:(NSData*)requestBody
                          headers:(NSDictionary*)additionalHeaders
           authenticationProvider:(id<CMISAuthenticationProvider>)authenticationProvider
-                trustedSSLServer:(BOOL)trustedSSLServer
+             useTrustedSSLServer:(BOOL)trustedSSLServer
                  completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock;
 
 /**

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.m (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpRequest.m Fri May 17 11:08:55
2013
@@ -47,7 +47,7 @@ NSString * const kCMISExceptionVersionin
                      requestBody:(NSData*)requestBody
                          headers:(NSDictionary*)additionalHeaders
           authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
-                trustedSSLServer:(BOOL)trustedSSLServer
+             useTrustedSSLServer:(BOOL)trustedSSLServer
                  completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
 {
     CMISHttpRequest *httpRequest = [[self alloc] initWithHttpMethod:httpRequestMethod
@@ -78,6 +78,7 @@ NSString * const kCMISExceptionVersionin
 
 - (BOOL)startRequest:(NSMutableURLRequest*)urlRequest
 {
+    self.requestURL = urlRequest.URL;
     if (self.requestBody) {
         if ([CMISLog sharedInstance].logLevel == CMISLogLevelTrace) {
             CMISLogTrace(@"Request body: %@", [[NSString alloc] initWithData:self.requestBody
encoding:NSUTF8StringEncoding]);
@@ -124,10 +125,15 @@ NSString * const kCMISExceptionVersionin
     }
 }
 
-
+/**
+ In case of SSL self certification: developers need to set the appropriate session parameter
flag to mark the SSL server as trusted. If it is, and if the
+ host URL is what we expect, then we pass on the request to the authenticationProvider, which
handles all authentication challenges. If not, we return NO.
+ For all other requests, we pass this on to the authenticationProvider
+ */
 - (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace
*)protectionSpace
 {
-    if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
&& !self.trustedSSLServer)
+    BOOL isTrusted = (self.trustedSSLServer && [[self.requestURL absoluteString]
hasSuffix:protectionSpace.host]);
+    if ([protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
&& !isTrusted)
     {
             return NO;
     }
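Review bot: The host check `[[self.requestURL absoluteString] hasSuffix:protectionSpace.host]` compares the host against the tail of the whole URL string rather than against the URL's host component. `absoluteString` also carries the path and query, so for a request URL with any path the suffix test fails and the opt-in never takes effect, while a URL whose trailing text happens to equal a different host name would be accepted for that host. Compare host components instead, with a nil guard because messaging a nil host returns 0, which equals `NSOrderedSame`: `NSString *requestHost = self.requestURL.host;` then `BOOL isTrusted = self.trustedSSLServer && requestHost != nil && [requestHost caseInsensitiveCompare:protectionSpace.host] == NSOrderedSame;`. The same expression is repeated in `connection:didReceiveAuthenticationChallenge:` in the next hunk, so one private helper would serve both; both method bodies continue outside their hunks.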
@@ -143,10 +149,15 @@ NSString * const kCMISExceptionVersionin
     [self.authenticationProvider didCancelAuthenticationChallenge:challenge];
 }
 
-
+/**
+ this method gets called if the canAuthenticateAgainstProtectionSpace call has returned YES
previously. For SSL server certificates, we check if the server is trusted
+ (a parameter that developers must set when creating a CMISSession) and the host URL matches
the one we actually requested
+ If all this passes, we delegate the handling to the authenticationProvider
+ */
 - (void)connection:(NSURLConnection *)connection didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge
*)challenge
 {
-    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
&& !self.trustedSSLServer)
+    BOOL isTrusted = (self.trustedSSLServer && [[self.requestURL absoluteString]
hasSuffix:challenge.protectionSpace.host]);
+    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]
&& !isTrusted)
     {
         [challenge.sender cancelAuthenticationChallenge:challenge];
         return;

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.h Fri May 17 11:08:55
2013
@@ -35,7 +35,7 @@
                                headers:(NSDictionary*)addionalHeaders
                          bytesExpected:(unsigned long long)bytesExpected
                 authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
-                      trustedSSLServer:(BOOL)trustedSSLServer
+                   useTrustedSSLServer:(BOOL)trustedSSLServer
                        completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError
*error))completionBlock
                          progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned
long long bytesTotal))progressBlock;
 
@@ -54,7 +54,7 @@
 authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
     cmisProperties:(CMISProperties *)cmisProperties
           mimeType:(NSString *)mimeType
-  trustedSSLServer:(BOOL)trustedSSLServer
+useTrustedSSLServer:(BOOL)trustedSSLServer
    completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
      progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock;
 

Modified: chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m
URL: http://svn.apache.org/viewvc/chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m?rev=1483738&r1=1483737&r2=1483738&view=diff
==============================================================================
--- chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m (original)
+++ chemistry/objectivecmis/trunk/ObjectiveCMIS/Utils/CMISHttpUploadRequest.m Fri May 17 11:08:55
2013
@@ -116,7 +116,7 @@ const NSUInteger kRawBufferSize = 24576;
                                headers:(NSDictionary*)additionalHeaders
                          bytesExpected:(unsigned long long)bytesExpected
                 authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
-                      trustedSSLServer:(BOOL)trustedSSLServer
+                      useTrustedSSLServer:(BOOL)trustedSSLServer
                        completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError
*error))completionBlock
                          progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned
long long bytesTotal))progressBlock
 {
@@ -147,7 +147,7 @@ const NSUInteger kRawBufferSize = 24576;
 authenticationProvider:(id<CMISAuthenticationProvider>) authenticationProvider
     cmisProperties:(CMISProperties *)cmisProperties
           mimeType:(NSString *)mimeType
-  trustedSSLServer:(BOOL)trustedSSLServer
+  useTrustedSSLServer:(BOOL)trustedSSLServer
    completionBlock:(void (^)(CMISHttpResponse *httpResponse, NSError *error))completionBlock
      progressBlock:(void (^)(unsigned long long bytesUploaded, unsigned long long bytesTotal))progressBlock
 {


