
Merge pull request #3337 from AFNetworking/tests/disable_incomplete_cert_chain_test

Tests/disable incomplete cert chain test
Kevin Harwood 9 年之前
父节点
当前提交
3cde647ed7

+ 5 - 0
AFNetworking.xcodeproj/xcshareddata/xcschemes/AFNetworking OS X.xcscheme

@@ -38,6 +38,11 @@
                BlueprintName = "AFNetworking Mac OS X Tests"
                ReferencedContainer = "container:AFNetworking.xcodeproj">
             </BuildableReference>
+            <SkippedTests>
+               <Test
+                  Identifier = "AFSecurityPolicyTests/testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName">
+               </Test>
+            </SkippedTests>
          </TestableReference>
       </Testables>
       <MacroExpansion>
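Review bot: The `<SkippedTests>` entry added here names a test method that this same commit comments out in Tests/Tests/AFSecurityPolicyTests.m, so the identifier no longer resolves to a compiled test and the two mechanisms duplicate each other. Keeping one would be clearer: either leave the method compiled and let this scheme entry skip it, or comment the method out and drop the entry. The same entry is added to the iOS and tvOS schemes, so three files need to be edited in step when the test is re-enabled. The reason for the skip is recorded only in the commented-out source, and nothing in the scheme files points to it.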

+ 9 - 4
AFNetworking.xcodeproj/xcshareddata/xcschemes/AFNetworking iOS.xcscheme

@@ -8,10 +8,10 @@
       <BuildActionEntries>
          <BuildActionEntry
             buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
+            buildForRunning = "NO"
+            buildForProfiling = "NO"
+            buildForArchiving = "NO"
+            buildForAnalyzing = "NO">
             <BuildableReference
                BuildableIdentifier = "primary"
                BlueprintIdentifier = "298D7C3A1BC2C79500FD3B3E"
@@ -52,6 +52,11 @@
                BlueprintName = "AFNetworking iOS Tests"
                ReferencedContainer = "container:AFNetworking.xcodeproj">
             </BuildableReference>
+            <SkippedTests>
+               <Test
+                  Identifier = "AFSecurityPolicyTests/testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName">
+               </Test>
+            </SkippedTests>
          </TestableReference>
       </Testables>
       <MacroExpansion>
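Review bot: The first hunk flips `buildForRunning`, `buildForProfiling`, `buildForArchiving` and `buildForAnalyzing` from "YES" to "NO" on a build action entry, which the commit title (disabling one test) does not explain. If Xcode rewrote these attributes incidentally while the scheme was being edited, the change should be reverted or moved to its own commit. If it is intended, the description should say so, because with `buildForAnalyzing = "NO"` that target is presumably no longer analyzed when this shared scheme is used. The visible lines identify the target only by `BlueprintIdentifier = "298D7C3A1BC2C79500FD3B3E"`, so which target is affected needs confirming; the `BuildActionEntry` element continues outside the hunk.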

+ 5 - 0
AFNetworking.xcodeproj/xcshareddata/xcschemes/AFNetworking tvOS.xcscheme

@@ -37,6 +37,11 @@
                BlueprintName = "AFNetworking tvOS Tests"
                ReferencedContainer = "container:AFNetworking.xcodeproj">
             </BuildableReference>
+            <SkippedTests>
+               <Test
+                  Identifier = "AFSecurityPolicyTests/testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName">
+               </Test>
+            </SkippedTests>
          </TestableReference>
       </Testables>
       <MacroExpansion>

+ 32 - 29
Tests/Tests/AFSecurityPolicyTests.m

@@ -418,35 +418,38 @@ static SecTrustRef AFUTTrustWithCertificate(SecCertificateRef certificate) {
     XCTAssertTrue([policy evaluateServerTrust:AFUTHTTPBinOrgServerTrust() forDomain:@"httpbin.org"], @"Policy should allow server trust");
 }
 
-- (void)testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName {
-    // Fix certificate validation for servers providing incomplete chains (#3159) - test case
-    //
-    // google.com has two certification paths and both send incomplete certificate chains, i.e. don't include the Root CA
-    // (this can be validated in https://www.ssllabs.com/ssltest/analyze.html?d=google.com)
-    //
-    // The two certification paths are:
-    // - Path 1: *.google.com, Google Internet Authority G2 (with GeoTrust Global CA Root)
-    // - Path 2: *.google.com, Google Internet Authority G2, GeoTrust Global CA (cross signed) (with Equifax Secure CA Root)
-    //
-    // The common goal of using certificate pinning is to prevent MiTM (man-in-the-middle) attacks, so the Root CA's should be pinned to protect the entire chains.
-    // Since there's no Root CA being sent, when `-evaluateServerTrust:` invokes `AFCertificateTrustChainForServerTrust(serverTrust)`, the Root CA isn't present
-    // Therefore, even though `AFServerTrustIsValid(serverTrust)` succeeds, the next validation fails since no pinned certificate matches the `pinnedCertificates`.
-    // By fetching the `AFCertificateTrustChainForServerTrust(serverTrust)` *after* the `AFServerTrustIsValid(serverTrust)` validation, the complete chain is obtained and the Root CA's match.
-    
-    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
-
-    // certification path 1
-    SecCertificateRef certificate = AFUTGoogleComGeoTrustGlobalCARootCertificate();
-    policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)];
-    
-    XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath1() forDomain:@"google.com"], @"Policy should allow server trust");
-
-    // certification path 2
-    certificate = AFUTGoogleComEquifaxSecureCARootCertificate();
-    policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)];
-
-    XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath2() forDomain:@"google.com"], @"Policy should allow server trust");
-}
+//- (void)testPolicyWithCertificatePinningAllowsGoogleComServerTrustIncompleteChainWithRootCertificatePinnedAndValidDomainName {
+//    //TODO THIS TEST HAS BEEN DISABLED UNTIL CERTS HAVE BEEN UPDATED.
+//    //Please see conversation here: https://github.com/AFNetworking/AFNetworking/pull/3159#issuecomment-178647437
+//    //
+//    // Fix certificate validation for servers providing incomplete chains (#3159) - test case
+//    //
+//    // google.com has two certification paths and both send incomplete certificate chains, i.e. don't include the Root CA
+//    // (this can be validated in https://www.ssllabs.com/ssltest/analyze.html?d=google.com)
+//    //
+//    // The two certification paths are:
+//    // - Path 1: *.google.com, Google Internet Authority G2 (with GeoTrust Global CA Root)
+//    // - Path 2: *.google.com, Google Internet Authority G2, GeoTrust Global CA (cross signed) (with Equifax Secure CA Root)
+//    //
+//    // The common goal of using certificate pinning is to prevent MiTM (man-in-the-middle) attacks, so the Root CA's should be pinned to protect the entire chains.
+//    // Since there's no Root CA being sent, when `-evaluateServerTrust:` invokes `AFCertificateTrustChainForServerTrust(serverTrust)`, the Root CA isn't present
+//    // Therefore, even though `AFServerTrustIsValid(serverTrust)` succeeds, the next validation fails since no pinned certificate matches the `pinnedCertificates`.
+//    // By fetching the `AFCertificateTrustChainForServerTrust(serverTrust)` *after* the `AFServerTrustIsValid(serverTrust)` validation, the complete chain is obtained and the Root CA's match.
+//    
+//    AFSecurityPolicy *policy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate];
+//
+//    // certification path 1
+//    SecCertificateRef certificate = AFUTGoogleComGeoTrustGlobalCARootCertificate();
+//    policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)];
+//    
+//    XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath1() forDomain:@"google.com"], @"Policy should allow server trust");
+//
+//    // certification path 2
+//    certificate = AFUTGoogleComEquifaxSecureCARootCertificate();
+//    policy.pinnedCertificates = [NSSet setWithObject:(__bridge_transfer id)SecCertificateCopyData(certificate)];
+//
+//    XCTAssertTrue([policy evaluateServerTrust:AFUTGoogleComServerTrustPath2() forDomain:@"google.com"], @"Policy should allow server trust");
+//}
 
 #pragma mark Negative Server Trust Evaluation Tests
 
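Review bot: Commenting out the whole method removes the only regression check visible here for the incomplete-chain fix from #3159, namely that a pinned root CA still matches when the server omits the root from the chain it sends. A later regression in that ordering would make pinned connections fail validation with no test noticing. Since the schemes in this commit already list the test under `<SkippedTests>`, the method could stay compiled, so that it keeps building against `AFSecurityPolicy` changes and helpers such as `AFUTGoogleComServerTrustPath1()` do not become unused. The TODO would be easier to act on if it named what has to be refreshed, e.g. `// TODO: re-enable once the google.com chain and root certificate fixtures are regenerated (see #3159)`. The fixtures appear to track a third-party site's live certificates, so the test will break again on the next rotation unless they are issued by a CA the project controls.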

+ 215 - 0
fastlane/README.md

@@ -0,0 +1,215 @@
+fastlane documentation
+================
+# Installation
+```
+sudo gem install fastlane
+```
+# Available Actions
+### ci_commit
+```
+fastlane ci_commit
+```
+Runs tests and builds example for the given environment
+
+The lane to run by ci on every commit This lanes calls the lanes `test_framework` and `build_example`.
+
+####Example:
+
+```
+fastlane ci_commit configuration:Debug --env ios91
+```
+
+####Options
+
+ * **`configuration`**: The build configuration to use. (`AF_CONFIGURATION`)
+
+
+### test_framework
+```
+fastlane test_framework
+```
+Runs all tests for the given environment
+
+Set `scan` action environment variables to control test configuration
+
+####Example:
+
+```
+fastlane test_framework configuration:Debug --env ios91
+```
+
+####Options
+
+ * **`configuration`**: The build configuration to use.
+
+
+### build_example
+```
+fastlane build_example
+```
+Builds the example file
+
+Set `xcodebuild` action environment variables to control build configuration
+
+####Example:
+
+```
+fastlane build_example configuration:Debug --env ios91
+```
+
+####Options
+
+ * **`configuration`**: The build configuration to use.
+
+
+### code_coverage
+```
+fastlane code_coverage
+```
+Produces code coverage information
+
+Set `scan` action environment variables to control test configuration
+
+####Example:
+
+```
+fastlane code_coverage configuration:Debug
+```
+
+####Options
+
+ * **`configuration`**: The build configuration to use. The only supported configuration is the `Debug` configuration.
+
+
+### prepare_framework_release
+```
+fastlane prepare_framework_release
+```
+Prepares the framework for release
+
+This lane should be run from your local machine, and will push a tag to the remote when finished.
+
+ * Verifies the git branch is clean
+
+ * Ensures the lane is running on the master branch
+
+ * Verifies the Github milestone is ready for release
+
+ * Pulls the remote to verify the latest the branch is up to date
+
+ * Updates the version of the info plist path used by the framework
+
+ * Updates the the version of the podspec
+
+ * Generates a changelog based on the Github milestone
+
+ * Updates the changelog file
+
+ * Commits the changes
+
+ * Pushes the commited branch
+
+ * Creates a tag
+
+ * Pushes the tag
+
+####Example:
+
+```
+fastlane prepare_framework_release version:3.0.0 --env deploy
+```
+
+####Options
+
+It is recommended to manage these options through a .env file. See `fastlane/.env.deploy` for an example.
+
+ * **`version`** (required): The new version of the framework
+
+ * **`allow_dirty_branch`**: Allows the git branch to be dirty before continuing. Defaults to false
+
+ * **`remote`**: The name of the git remote. Defaults to `origin`. (`DEPLOY_REMOTE`)
+
+ * **`allow_branch`**: The name of the branch to build from. Defaults to `master`. (`DEPLOY_BRANCH`)
+
+ * **`skip_validate_github_milestone`**: Skips validating a Github milestone. Defaults to false
+
+ * **`skip_git_pull`**: Skips pulling the git remote. Defaults to false
+
+ * **`skip_plist_update`**: Skips updating the version of the info plist. Defaults to false
+
+ * **`plist_path`**: The path of the plist file to update. (`DEPLOY_PLIST_PATH`)
+
+ * **`skip_podspec_update`**: Skips updating the version of the podspec. Defaults to false
+
+ * **`podspec`**: The path of the podspec file to update. (`DEPLOY_PODSPEC`)
+
+ * **`skip_changelog`**: Skip generating a changelog. Defaults to false.
+
+ * **`changelog_path`**: The path to the changelog file. (`DEPLOY_CHANGELOG_PATH`)
+
+ * **`changelog_insert_delimiter`**: The delimiter to insert the changelog after. (`DEPLOY_CHANGELOG_DELIMITER`)
+
+
+### complete_framework_release
+```
+fastlane complete_framework_release
+```
+Completes the framework release
+
+This lane should be from a CI machine, after the tests have passed on the tag build. This lane does the following:
+
+ * Verifies the git branch is clean
+
+ * Ensures the lane is running on the master branch
+
+ * Pulls the remote to verify the latest the branch is up to date
+
+ * Generates a changelog for the Github Release
+
+ * Creates a Github Release
+
+ * Builds Carthage Frameworks
+
+ * Uploads Carthage Framework to Github Release
+
+ * Pushes podspec to pod trunk
+
+ * Lints the pod spec to ensure it is valid
+
+ * Closes the associated Github milestone
+
+####Example:
+
+```
+fastlane complete_framework_release --env deploy
+```
+
+####Options
+
+It is recommended to manage these options through a .env file. See `fastlane/.env.deploy` for an example.
+
+ * **`version`** (required): The new version of the framework. Defaults to the last tag in the repo
+
+ * **`allow_dirty_branch`**: Allows the git branch to be dirty before continuing. Defaults to false
+
+ * **`remote`**: The name of the git remote. Defaults to `origin`. (`DEPLOY_REMOTE`)
+
+ * **`allow_branch`**: The name of the branch to build from. Defaults to `master`. (`DEPLOY_BRANCH`)
+
+ * **`skip_github_release`**: Skips creating a Github release. Defaults to false
+
+ * **`skip_carthage_framework`**: Skips creating a carthage framework. If building a swift framework, this should be disabled. Defaults to false.
+
+ * **`skip_pod_push`**: Skips pushing the podspec to trunk.
+
+ * **`skip_podspec_update`**: Skips updating the version of the podspec. Defaults to false
+
+ * **`skip_closing_github_milestone`**: Skips closing the associated Github milestone. Defaults to false
+
+
+
+----
+
+This README.md is auto-generated and will be re-generated every time to run [fastlane](https://fastlane.tools).  
+More information about fastlane can be found on [https://fastlane.tools](https://fastlane.tools).  
+The documentation of fastlane can be found on [GitHub](https://github.com/fastlane/fastlane).