子类化URLProtectionSpace [英] Subclassing URLProtectionSpace

问题描述

目标：

使用URLProtocol测试SSL固定。

Test SSL pinning by using URLProtocol.

问题：

无法以预期的方式对URLProtectionSpace进行子类化。永远不会调用服务器信任属性，并且即使调用了自定义类的初始化程序，alamofire auth回调也只会收到URLProtectionSpace类类型，而不是我的类。

Cannot subclass URLProtectionSpace in the expected manner. The server trust property is never called and the alamofire auth callback only receives a URLProtectionSpace class type instead of my class even though the initializer of my custom class gets called.

配置： [使用Alamofire]

Configuration: [using Alamofire]

let sessionConfiguration: URLSessionConfiguration = .default
    sessionConfiguration.protocolClasses?.insert(BaseURLProtocol.self, at: 0)
    let sessionManager = AlamofireSessionBuilderImpl(configuration: sessionConfiguration).default
    // overriding the auth challenge in Alamofire in order to test what is being called
    sessionManager.delegate.sessionDidReceiveChallengeWithCompletion = { session, challenge, completionHandler in
        let protectionSpace = challenge.protectionSpace

        guard protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
            protectionSpace.host.contains("myDummyURL.com") else {
                // otherwise it means a different challenge is encountered and we are only interested in certificate validation
                completionHandler(.performDefaultHandling, nil)
                return
        }

        guard let serverTrust = protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        guard let serverCertificate = SecTrustGetCertificateAtIndex(serverTrust, 0) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }

        let serverCertificateData = SecCertificateCopyData(serverCertificate) as Data

        // cannot find the local certificate
        guard let localCertPath = Bundle.main.path(forResource: "cert", ofType: "der"),
            let localCertificateData = NSData(contentsOfFile: localCertPath) else {
                return completionHandler(.cancelAuthenticationChallenge, nil)
        }

        guard localCertificateData.isEqual(to: serverCertificateData) else {
            // the certificate received from the server is invalid
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        let credential = URLCredential(trust: serverTrust)

        completionHandler(.useCredential, credential)
    }

BaseURLProtocol定义：

class BaseURLProtocol: URLProtocol {
override class func canInit(with request: URLRequest) -> Bool {
    return true
}

override class func canonicalRequest(for request: URLRequest) -> URLRequest {
    return request
}

override func startLoading() {
    debugPrint("--- request loading \(request)")

    guard request.url?.host?.contains("myDummyURL.com") ?? false else {
        debugPrint("--- caught untargetted request --- skipping ---host is \(request.url?.host)")
        return
    }

    let protectionSpace = CertificatePinningMockURLProtectionSpace(host: "https://myDummyURL.com", port: 443, protocol: nil, realm: nil, authenticationMethod: NSURLAuthenticationMethodServerTrust)

    let challenge = URLAuthenticationChallenge(protectionSpace: protectionSpace, proposedCredential: nil, previousFailureCount: 0, failureResponse: nil, error: nil, sender: self)

    client?.urlProtocol(self, didReceive: challenge)
}

}

CertificatePinningMockURLProtectionSpace： [使用Alamofire ServerTrustPolicy获取证书]

CertificatePinningMockURLProtectionSpace: [using Alamofire ServerTrustPolicy for getting the certs]

-从不调用serverTrust属性。我还重写了URLProtectionSpace的所有其他属性，除了调用了init外什么都没有。

-- The serverTrust property never gets called. I've also overridden all other properties of URLProtectionSpace and nothing except for the init gets called.

class CertificatePinningMockURLProtectionSpace: URLProtectionSpace {
private static let expectedHost = "myDummyURL.com"

override init(host: String, port: Int, protocol: String?, realm: String?, authenticationMethod: String?) {
    debugPrint("--- super init will be called")
    super.init(host: host, port: port, protocol: `protocol`, realm: realm, authenticationMethod: authenticationMethod)
}

override var serverTrust: SecTrust? {
    guard let certificate = ServerTrustPolicy.certificates(in: .main).first else {
        return nil
    }

    let policy: SecPolicy = SecPolicyCreateSSL(true, CertificatePinningMockURLProtectionSpace.expectedHost as CFString)

    var serverTrust: SecTrust?

    SecTrustCreateWithCertificates(certificate, policy, &serverTrust)

    return serverTrust
}

}

测试语句：

sessionManager.request("https://myDummyURL.com").responseString(completionHandler: { response in
                        debugPrint("--- response is \(response)")
                        done()
                    })

URLProtectionSpace是否可以成功覆盖并作为URLProtocol内部的URLProtocolClient的模拟？

Can the URLProtectionSpace successfully be overridden and provided as a mock to the URLProtocolClient inside the URLProtocol?

推荐答案

许多由Core Foundation派生的类对子类有很高的抵抗力，所以这也就不足为奇了。它可能基本上只是一个带有引擎盖下的魔术胶的结构。 ：-）

A lot of those Core-Foundation-derived "classes" are highly resistant to subclassing, so it's no surprise that this one would be, too. It is probably basically just a struct with some magic glue under the hood. :-)

在这里，单元测试可能比功能测试更好。创建一个任意的保护空间对象，将其填充，然后将其直接传递给委托方法，并断言使用预期结果调用了该回调。

A unit test might be a better approach here than a functional test. Create an arbitrary protection space object, populate it, and pass it to the delegate method directly, and assert that the callback gets called with the expected results.

要进行完整的端到端测试，您可以实例化本地Web服务器，然后您的测试可以调整其配置以实时控制提供给应用程序的凭据。

Or if you really want to do a complete end-to-end test, you could instantiate a local web server, and then your test could tweak its configuration to control the credentials provided to your app on-the-fly.

这篇关于子类化URLProtectionSpace的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！