Trusted entitlements: Support signing static endpoints

[tonidero]

Description

This adds support for static endpoint signing. Currently, that would be the offerings and product-entitlement mapping endpoints.

[codecov]

Codecov Report

Merging #1119 (6575c19) into new-trusted-entitlements-signature-format (77e8fb3) will increase coverage by 0.22%.
The diff coverage is 100.00%.

❗ Current head 6575c19 differs from pull request most recent head 784f8d9. Consider uploading reports for the commit 784f8d9 to get more accurate results

@@                              Coverage Diff                              @@
##           new-trusted-entitlements-signature-format    #1119      +/-   ##
=============================================================================
+ Coverage                                      84.91%   85.13%   +0.22%     
=============================================================================
  Files                                            186      186              
  Lines                                           6614     6586      -28     
  Branches                                         947      944       -3     
=============================================================================
- Hits                                            5616     5607       -9     
+ Misses                                           622      603      -19     
  Partials                                         376      376              

Impacted Files	Coverage Δ
...java/com/revenuecat/purchases/common/HTTPClient.kt	90.07% <100.00%> (+0.07%)	⬆️
...revenuecat/purchases/common/networking/Endpoint.kt	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

[tonidero]

Backend integration tests are expected to fail until the backend changes have been deployed. I'm also pointing these changes to an integration branch until those changes are deployed.

[NachoSoto]

This is great 👍🏻

[tonidero]

Here I changed to a spy so we can see and verify the calls more easily, but it's using the actual implementation. Since there is no way to know that the offerings/product-entitlement mapping calls were verified or not, this made easier to make sure we were verifying those endpoints

[NachoSoto]

Since there is no way to know that the offerings/product-entitlement mapping calls were verified or not

I checked that by using the "fake invalid signature" thing. Did you add a way to do that in Android too?

[tonidero]

Well, I meant in the "success" case, we should make sure we are verifying the signature. But right now there is no way to detect whether a SUCCESS or a NOT_REQUESTED happened. We could maybe if we could verify the logs, but I haven't added that in Android yet. Until then, this makes sure we are at least calling the signingManager.verify method, so it shouldn't be NOT_REQUESTED.

[NachoSoto]

Love it.

[NachoSoto]

👍🏻

[NachoSoto]

Since there is no way to know that the offerings/product-entitlement mapping calls were verified or not

I checked that by using the "fake invalid signature" thing. Did you add a way to do that in Android too?

[NachoSoto]

These tests are great.

[NachoSoto]

Also this isn't used now?

[NachoSoto]

Done in iOS: RevenueCat/purchases-ios#2752

[tonidero]

Also this isn't used now?

It's used in the signing manager:

purchases-android/purchases/src/main/kotlin/com/revenuecat/purchases/common/verification/SigningManager.kt

Line 23 in ef34062

return endpoint.supportsSignatureValidation && signatureVerificationMode.shouldVerify

[tonidero]

Will merge this and rerun the backend integration tests there once the backend is deployed.