
Trusted entitlements: New trusted entitlements signature format #1117

Merged
merged 5 commits into from
Jul 7, 2023

Conversation

codecov bot commented Jul 3, 2023

Codecov Report

Merging #1117 (9a6e413) into main (982d3f8) will decrease coverage by 0.28%.
The diff coverage is 70.78%.

❗ Current head 9a6e413 differs from pull request most recent head 58c305d. Consider uploading reports for the commit 58c305d to get more accurate results

```diff
@@            Coverage Diff             @@
##             main    #1117      +/-   ##
==========================================
- Coverage   85.60%   85.33%   -0.28%     
==========================================
  Files         175      175              
  Lines        6038     6096      +58     
  Branches      875      892      +17     
==========================================
+ Hits         5169     5202      +33     
- Misses        528      549      +21     
- Partials      341      345       +4     
```
| Impacted Files | Coverage Δ |
|---|---|
| ...com/revenuecat/purchases/strings/NetworkStrings.kt | 0.00% <ø> (ø) |
| ...s/common/verification/SignatureVerificationMode.kt | 80.95% <66.66%> (-13.50%) ⬇️ |
| ...at/purchases/common/verification/SigningManager.kt | 74.41% <68.11%> (-25.59%) ⬇️ |
| ...enuecat/purchases/common/networking/ETagManager.kt | 95.77% <83.33%> (-1.25%) ⬇️ |
| ...otlin/com/revenuecat/purchases/PurchasesFactory.kt | 87.11% <100.00%> (ø) |
| ...tlin/com/revenuecat/purchases/common/HTTPClient.kt | 90.00% <100.00%> (+0.56%) ⬆️ |

@tonidero tonidero force-pushed the new-trusted-entitlements-signature-format branch from 467003f to 10a1baf Compare July 6, 2023 09:00
@tonidero tonidero marked this pull request as ready for review July 6, 2023 13:57
@tonidero tonidero requested a review from a team July 6, 2023 13:57
tonidero commented Jul 6, 2023

This has the changes from previously reviewed PRs only. Will hold until the backend is deployed.

### Description
Third PR for SDK-3200

- Adds support for the new signature format (salt + nonce + TS + etag + content)
- Adds support for intermediate signature verification
- Makes nonce optional in preparation for static endpoint signing.

Based on #1109 and #1110.
… and verification enabled (#1114)

### Description
Added additional checks to not use cached etags when cached result is
NOT_REQUESTED and verification is enabled. This will be used for other
signed requests aside from the customer info/post receipt/login
endpoints.
### Description
This will support the newer form of signature that includes the API key
and url
@tonidero tonidero force-pushed the new-trusted-entitlements-signature-format branch from 10a1baf to a859392 Compare July 7, 2023 07:52
@tonidero tonidero removed the HOLD label Jul 7, 2023
### Description
We made one more change to the signature verification. Now we don't need
to decode the url in order to verify the signature.
): SignatureVerificationMode {
return when (verificationMode) {
EntitlementVerificationMode.DISABLED -> Disabled
EntitlementVerificationMode.INFORMATIONAL ->
Informational(signatureVerifier ?: DefaultSignatureVerifier())
Informational(IntermediateSignatureHelper(rootVerifier ?: DefaultSignatureVerifier()))
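Review bot: the INFORMATIONAL arm now builds an IntermediateSignatureHelper around `rootVerifier ?: DefaultSignatureVerifier()`, so the injectable verifier has become the root-key verifier rather than the one that checks the response itself; only the DISABLED and INFORMATIONAL arms of the `when` are visible here, so confirm the remaining arm wraps the root verifier in the helper the same way instead of passing it bare, and add a KDoc line on the parameter stating that `rootVerifier` verifies the intermediate key's signature, since the rename from `signatureVerifier` changes what callers (tests included) are expected to inject.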
Member

we could update the "during feature beta" comment below since we're not calling this beta now

Contributor Author

Ahh good catch! Will update that

@tonidero tonidero enabled auto-merge (squash) July 7, 2023 14:55
@tonidero tonidero merged commit e8a90a0 into main Jul 7, 2023
@tonidero tonidero deleted the new-trusted-entitlements-signature-format branch July 7, 2023 15:03
tonidero added a commit that referenced this pull request Jul 11, 2023
### Description
This is based on #1119. Looks like the merge commit for that PR was lost
in a rebase in the base PR #1117 😬.
 
This adds support for static endpoint signing. Currently, that would be
the offerings and product-entitlement mapping endpoints.
tonidero added a commit that referenced this pull request Jul 12, 2023
**This is an automatic release.**

### New Features
* `Trusted Entitlements`: made API stable (#1105) via NachoSoto
(@NachoSoto)

This new feature prevents MitM attacks between the SDK and the
RevenueCat server.
With verification enabled, the SDK ensures that the response created by
the server was not modified by a third-party, and the entitlements
received are exactly what was sent.
This is 100% opt-in. `EntitlementInfos` have a new `VerificationResult`
property, which will indicate the validity of the responses when this
feature is enabled.

```kotlin
fun configureRevenueCat() {
    val configuration = PurchasesConfiguration.Builder(context, apiKey)
        .entitlementVerificationMode(EntitlementVerificationMode.INFORMATIONAL)
        .build()
    Purchases.configure(configuration)
}
```
### Experimental features
* Add await offerings (#1096) via Cesar de la Vega (@vegaro)
### Bugfixes
* Fix issue updating customer info on app open (#1128) via Toni Rico
(@tonidero)
### Dependency Updates
* Bump fastlane-plugin-revenuecat_internal from `13773d2` to `b2108fb`
(#1095) via dependabot[bot] (@dependabot[bot])
### Other Changes
* [PurchaseTester] Add option to purchase an arbitrary product id
(#1099) via Mark Villacampa (@MarkVillacampa)
* Fix release path after module refactor (#1129) via Toni Rico
(@tonidero)
* Fix load shedder integration tests (#1125) via Toni Rico (@tonidero)
* Trusted entitlements: New trusted entitlements signature format
(#1117) via Toni Rico (@tonidero)
* Fix integration tests and change to a different project (#1123) via
Toni Rico (@tonidero)
* Move files into src/main/kotlin (#1122) via Cesar de la Vega (@vegaro)
* Remove public module (#1113) via Cesar de la Vega (@vegaro)
* Remove common module (#1106) via Cesar de la Vega (@vegaro)
* Fix flaky integration tests: Wait for coroutines to finish before
continuing (#1120) via Toni Rico (@tonidero)
* Move amazon module into purchases (#1112) via Cesar de la Vega
(@vegaro)
* Trusted entitlements: Add IntermediateSignatureHelper to handle
intermediate signature verification process (#1110) via Toni Rico
(@tonidero)
* Trusted entitlements: Add Signature type to process new signature
response format (#1109) via Toni Rico (@tonidero)
* [EXTERNAL] Add `awaitCustomerInfo` / coroutines tests to
`TrustedEntitlementsInformationalModeIntegrationTest` (#1077) via
@pablo-guardiola (#1107) via Toni Rico (@tonidero)
* Remove feature:google module (#1104) via Cesar de la Vega (@vegaro)
* Remove identity module (#1103) via Cesar de la Vega (@vegaro)
* Remove subscriber attributes module (#1102) via Cesar de la Vega
(@vegaro)
* Delete utils module (#1098) via Cesar de la Vega (@vegaro)
* Remove strings module (#1097) via Cesar de la Vega (@vegaro)
* Update CHANGELOG.md to include external contribution (#1100) via Cesar
de la Vega (@vegaro)
* [EXTERNAL] Add missing `fetchPolicy` parameter to `awaitCustomerInfo`
API (#1086) via @pablo-guardiola (#1090) via Toni Rico (@tonidero)

---------

Co-authored-by: revenuecat-ops <[email protected]>
Co-authored-by: Toni Rico <[email protected]>