From 4325e5cca129536134e0f3580bb17916282ed8bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ce=CC=81dric=20Luthi?=
Date: Wed, 21 Sep 2016 12:04:13 +0200
Subject: [PATCH] [objc] Remove the custom security policy
There are several issues with the security policy:
* The security policy is created with `AFSSLPinningModeNone` which means that even if pinned certificates are set (if config.sslCaCert is not nil), they will be ignored. Pinning will not work at all with this security policy.
* The configuration wrapper for the security policy is a bad idea.
* `verifySSL` controls both invalid certificates and domain validation. A vanilla `AFSecurityPolicy` clearly exposes both `allowInvalidCertificates` and `validatesDomainName`.
* `sslCaCert` only allows for a single pinned certificate. A vanilla `AFSecurityPolicy` clearly exposes a set of pinned certificates and makes it very convenient to load them with either `+[AFSecurityPolicy policyWithPinningMode:]` or `+[AFSecurityPolicy certificatesInBundle:]`
Since the security policy does not work at all and adds confusion, it is better to just remove it and let the user configure a security policy that fits their needs.
---
 .../resources/objc/ApiClient-body.mustache | 22 -------------------
 .../objc/Configuration-protocol.mustache | 12 ----------
 .../objc/DefaultConfiguration-body.mustache | 1 -
 .../default/SwaggerClient/Core/SWGApiClient.m | 22 -------------------
 .../SwaggerClient/Core/SWGConfiguration.h | 12 ----------
 .../Core/SWGDefaultConfiguration.m | 1 -
 6 files changed, 70 deletions(-)
diff --git a/modules/swagger-codegen/src/main/resources/objc/ApiClient-body.mustache b/modules/swagger-codegen/src/main/resources/objc/ApiClient-body.mustache
index 7e56be1491b..288708041ec 100644
--- a/modules/swagger-codegen/src/main/resources/objc/ApiClient-body.mustache
+++ b/modules/swagger-codegen/src/main/resources/objc/ApiClient-body.mustache
@@ -80,7 +80,6 @@ static NSString * {{classPrefix}}__fileNameForResponse(NSURLResponse *response)
 @"application/x-www-form-urlencoded": afhttpRequestSerializer,
 @"multipart/form-data": afhttpRequestSerializer
 };
- self.securityPolicy = [self createSecurityPolicy];
 self.responseSerializer = [AFHTTPResponseSerializer serializer];
 }
 return self;
@@ -352,25 +351,4 @@ static NSString * {{classPrefix}}__fileNameForResponse(NSURLResponse *response)
 *querys = [NSDictionary dictionaryWithDictionary:querysWithAuth];
 }
-- (AFSecurityPolicy *) createSecurityPolicy {
- AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
-
- id<{{classPrefix}}Configuration> config = self.configuration;
-
- if (config.sslCaCert) {
- NSData *certData = [NSData dataWithContentsOfFile:config.sslCaCert];
- [securityPolicy setPinnedCertificates:[NSSet setWithObject:certData]];
- }
-
- if (config.verifySSL) {
- [securityPolicy setAllowInvalidCertificates:NO];
- }
- else {
- [securityPolicy setAllowInvalidCertificates:YES];
- [securityPolicy setValidatesDomainName:NO];
- }
-
- return securityPolicy;
-}
-
 @end
diff --git a/modules/swagger-codegen/src/main/resources/objc/Configuration-protocol.mustache b/modules/swagger-codegen/src/main/resources/objc/Configuration-protocol.mustache
index ffb6b6971f0..b9cd2c2edd6 100644
--- a/modules/swagger-codegen/src/main/resources/objc/Configuration-protocol.mustache
+++ b/modules/swagger-codegen/src/main/resources/objc/Configuration-protocol.mustache
@@ -53,18 +53,6 @@ static NSString * const k{{classPrefix}}APIVersion = @"{{podVersion}}";
 */
 @property (readonly, nonatomic) BOOL debug;
-/**
- * SSL/TLS verification
- * Set this to NO to skip verifying SSL certificate when calling API from https server
- */
-@property (readonly, nonatomic) BOOL verifySSL;
-
-/**
- * SSL/TLS verification
- * Set this to customize the certificate file to verify the peer
- */
-@property (readonly, nonatomic) NSString *sslCaCert;
-
 /**
 * Authentication Settings
 */
diff --git a/modules/swagger-codegen/src/main/resources/objc/DefaultConfiguration-body.mustache b/modules/swagger-codegen/src/main/resources/objc/DefaultConfiguration-body.mustache
index 548383a7e1e..6b0c9fe9745 100644
--- a/modules/swagger-codegen/src/main/resources/objc/DefaultConfiguration-body.mustache
+++ b/modules/swagger-codegen/src/main/resources/objc/DefaultConfiguration-body.mustache
@@ -32,7 +32,6 @@
 _username = @"";
 _password = @"";
 _accessToken= @"";
- _verifySSL = YES;
 _mutableApiKey = [NSMutableDictionary dictionary];
 _mutableApiKeyPrefix = [NSMutableDictionary dictionary];
 _mutableDefaultHeaders = [NSMutableDictionary dictionary];
diff --git a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGApiClient.m b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGApiClient.m
index f757e139d0e..16fabe93089 100644
--- a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGApiClient.m
+++ b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGApiClient.m
@@ -80,7 +80,6 @@ static NSString * SWG__fileNameForResponse(NSURLResponse *response) {
 @"application/x-www-form-urlencoded": afhttpRequestSerializer,
 @"multipart/form-data": afhttpRequestSerializer
 };
- self.securityPolicy = [self createSecurityPolicy];
 self.responseSerializer = [AFHTTPResponseSerializer serializer];
 }
 return self;
@@ -352,25 +351,4 @@ static NSString * SWG__fileNameForResponse(NSURLResponse *response) {
 *querys = [NSDictionary dictionaryWithDictionary:querysWithAuth];
 }
-- (AFSecurityPolicy *) createSecurityPolicy {
- AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeNone];
-
- id config = self.configuration;
-
- if (config.sslCaCert) {
- NSData *certData = [NSData dataWithContentsOfFile:config.sslCaCert];
- [securityPolicy setPinnedCertificates:[NSSet setWithObject:certData]];
- }
-
- if (config.verifySSL) {
- [securityPolicy setAllowInvalidCertificates:NO];
- }
- else {
- [securityPolicy setAllowInvalidCertificates:YES];
- [securityPolicy setValidatesDomainName:NO];
- }
-
- return securityPolicy;
-}
-
 @end
diff --git a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGConfiguration.h b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGConfiguration.h
index 864d87d2535..555f6d52035 100644
--- a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGConfiguration.h
+++ b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGConfiguration.h
@@ -75,18 +75,6 @@ static NSString * const kSWGAPIVersion = @"1.0.0";
 */
 @property (readonly, nonatomic) BOOL debug;
-/**
- * SSL/TLS verification
- * Set this to NO to skip verifying SSL certificate when calling API from https server
- */
-@property (readonly, nonatomic) BOOL verifySSL;
-
-/**
- * SSL/TLS verification
- * Set this to customize the certificate file to verify the peer
- */
-@property (readonly, nonatomic) NSString *sslCaCert;
-
 /**
 * Authentication Settings
 */
diff --git a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGDefaultConfiguration.m b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGDefaultConfiguration.m
index 705580e9a54..b809ac4d6bb 100644
--- a/samples/client/petstore/objc/default/SwaggerClient/Core/SWGDefaultConfiguration.m
+++ b/samples/client/petstore/objc/default/SwaggerClient/Core/SWGDefaultConfiguration.m
@@ -32,7 +32,6 @@
 _username = @"";
 _password = @"";
 _accessToken= @"";
- _verifySSL = YES;
 _mutableApiKey = [NSMutableDictionary dictionary];
 _mutableApiKeyPrefix = [NSMutableDictionary dictionary];
 _mutableDefaultHeaders = [NSMutableDictionary dictionary];