/* |
File: ClientIdentityChallengeHandler.m |
|
Contains: Handles HTTPS client identity challenges. |
|
Written by: DTS |
|
Copyright: Copyright (c) 2011 Apple Inc. All Rights Reserved. |
|
Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple Inc. |
("Apple") in consideration of your agreement to the following |
terms, and your use, installation, modification or |
redistribution of this Apple software constitutes acceptance of |
these terms. If you do not agree with these terms, please do |
not use, install, modify or redistribute this Apple software. |
|
In consideration of your agreement to abide by the following |
terms, and subject to these terms, Apple grants you a personal, |
non-exclusive license, under Apple's copyrights in this |
original Apple software (the "Apple Software"), to use, |
reproduce, modify and redistribute the Apple Software, with or |
without modifications, in source and/or binary forms; provided |
that if you redistribute the Apple Software in its entirety and |
without modifications, you must retain this notice and the |
following text and disclaimers in all such redistributions of |
the Apple Software. Neither the name, trademarks, service marks |
or logos of Apple Inc. may be used to endorse or promote |
products derived from the Apple Software without specific prior |
written permission from Apple. Except as expressly stated in |
this notice, no other rights or licenses, express or implied, |
are granted by Apple herein, including but not limited to any |
patent rights that may be infringed by your derivative works or |
by other works in which the Apple Software may be incorporated. |
|
The Apple Software is provided by Apple on an "AS IS" basis. |
APPLE MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING |
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, |
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, REGARDING |
THE APPLE SOFTWARE OR ITS USE AND OPERATION ALONE OR IN |
COMBINATION WITH YOUR PRODUCTS. |
|
IN NO EVENT SHALL APPLE BE LIABLE FOR ANY SPECIAL, INDIRECT, |
INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED |
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ARISING IN ANY WAY |
OUT OF THE USE, REPRODUCTION, MODIFICATION AND/OR DISTRIBUTION |
OF THE APPLE SOFTWARE, HOWEVER CAUSED AND WHETHER UNDER THEORY |
OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR |
OTHERWISE, EVEN IF APPLE HAS BEEN ADVISED OF THE POSSIBILITY OF |
SUCH DAMAGE. |
|
*/ |
|
#import "ClientIdentityChallengeHandler.h" |
|
#import "ClientIdentityController.h" |
|
#import "Credentials.h" |
|
#import "DebugOptions.h" |
|
@interface ClientIdentityChallengeHandler () <ClientIdentityControllerDelegate> |
|
@property (nonatomic, retain, readwrite) ClientIdentityController * viewController; |
@property (nonatomic, retain, readwrite) UIAlertView * alertView; |
|
@end |
|
@implementation ClientIdentityChallengeHandler |
|
+ (void)registerHandlers |
// Called by the handler registry within ChallengeHandler to request that the |
// concrete subclass register itself. |
{ |
[ChallengeHandler registerHandlerClass:[self class] forAuthenticationMethod:NSURLAuthenticationMethodClientCertificate]; |
} |
|
- (void)dealloc |
{ |
assert(self.alertView == nil); |
assert(self.viewController == nil); |
[super dealloc]; |
} |
|
#pragma mark * View management |
|
@synthesize viewController = _viewController; |
@synthesize alertView = _alertView; |
|
- (void)_clientIdentityResolvedWithIdentity:(SecIdentityRef)identity |
// Some common code that's called in a variety of places to finally |
// resolve the challenge. |
{ |
// identity may be NULL |
NSURLCredential * credential; |
|
// If we got an identity, create a credential for that identity. |
|
credential = nil; |
if (identity != NULL) { |
NSURLCredentialPersistence persistence; |
|
persistence = [DebugOptions sharedDebugOptions].credentialPersistence; |
// assert(persistence >= NSURLCredentialPersistenceNone); -- not necessary because NSURLCredentialPersistence is unsigned |
assert(persistence <= NSURLCredentialPersistencePermanent); |
|
credential = [NSURLCredential credentialWithIdentity:identity certificates:nil persistence:persistence]; |
assert(credential != nil); |
} |
|
// Pass the final credential to the base class's stop code (which in turn |
// tells us to tear down our UI) and then tell our delegate. |
|
[self stopWithCredential:credential]; |
[self.delegate challengeHandlerDidFinish:self]; |
} |
|
- (void)_bringUpView |
// Displays the authentication user interface. |
{ |
NSArray * identities; |
NSUInteger identityCount; |
|
identities = [Credentials sharedCredentials].identities; |
assert(identities != nil); |
|
identityCount = identities.count; |
if ( [DebugOptions sharedDebugOptions].alwaysPresentIdentityChoice ) { |
identityCount = 2; |
} |
|
switch (identityCount) { |
case 0: { |
// If there are no available identities, we just fail. |
|
assert(self.alertView == nil); |
self.alertView = [[[UIAlertView alloc] initWithTitle:@"THIS WEBSITE REQUIRES AN IDENTITY" |
message:@"THE REQUIRED IDENTITY IS NOT INSTALLED." |
delegate:self |
cancelButtonTitle:@"DISMISS" |
otherButtonTitles:nil |
] autorelease]; |
assert(self.alertView != nil); |
|
[self.alertView show]; |
|
// continues in -alertView:clickedButtonAtIndex: |
} break; |
case 1: { |
SecIdentityRef identity; |
|
// If there's only one available identity, that's gotta be the right one. |
|
identity = (SecIdentityRef) [identities objectAtIndex:0]; |
assert( (identity != NULL) && (CFGetTypeID(identity) == SecIdentityGetTypeID()) ); |
|
[self _clientIdentityResolvedWithIdentity:identity]; |
} break; |
default: { |
// If there are multiple available identities, ask the user to choose. |
|
assert(self.viewController == nil); |
self.viewController = [[[ClientIdentityController alloc] initWithChallenge:self.challenge] autorelease]; |
assert(self.viewController != nil); |
|
self.viewController.delegate = self; |
|
[self.parentViewController presentModalViewController:self.viewController animated:YES]; |
|
// continues in -identityView:didChooseIdentity: |
} break; |
} |
} |
|
- (void)_tearDownView |
// Hides the authentication user interface. |
{ |
// See comments in -[AuthenticationChallengeHandler _tearDownView]. |
|
// The view controller might be up, or the alert view, or neither. The only |
// combination that's illegal is having them /both/ up! |
assert( (self.viewController == nil) || (self.alertView == nil) ); |
|
// Tear down the view controller if it's up. |
|
if (self.viewController != nil) { |
self.viewController.delegate = nil; |
|
if (self.viewController.parentViewController != nil) { |
[self.parentViewController dismissModalViewControllerAnimated:NO]; |
} |
self.viewController = nil; |
} |
|
// Tear down our alert view if it's up. |
|
if (self.alertView != nil) { |
self.alertView.delegate = nil; // Just in case we get hit by the same sort of problem |
// that we saw in the view controller case, as described |
// in -[AuthenticationChallengeHandler _tearDownView]. |
[self.alertView dismissWithClickedButtonIndex:self.alertView.cancelButtonIndex animated:NO]; |
self.alertView = nil; |
} |
} |
|
- (void)alertView:(UIAlertView *)alertView clickedButtonAtIndex:(NSInteger)buttonIndex |
// An alert view delegate callback that's called when the alert is dismissed. |
// As we only use the alert view to display errors, we also respond to this |
// by failing (calling -_clientIdentityResolvedWithIdentity: with nil). |
{ |
#pragma unused(alertView) |
#pragma unused(buttonIndex) |
assert(alertView == self.alertView); |
assert(buttonIndex == 0); |
[self _clientIdentityResolvedWithIdentity:NULL]; |
} |
|
- (void)_gotIdentity:(SecIdentityRef)identity |
// Called by one of the two ClientIdentityController delegate callbacks when the user |
// taps Cancel or selects an identity. We do the actual work in some common code, |
// -_clientIdentityResolvedWithIdentity:. |
{ |
// identity may be NULL |
[self _clientIdentityResolvedWithIdentity:identity]; |
} |
|
// See the equivalent code in "AuthenticationChallengeHandler.m" for information about |
// <rdar://problem/6291461> and this workaround. |
|
static BOOL kWorkAround_6291461 = YES; |
|
- (void)identityView:(ClientIdentityController *)controller didChooseIdentity:(SecIdentityRef)identity |
// A client authentication controller delegate callback that's called when the user |
// taps Cancel or selects an identity. We respond by dismissing our view controller. |
// Once that's done, in the -identityViewDidDisappear: delegate callback |
// below, we can actually proceed with telling our delegate about the event. |
{ |
#pragma unused(controller) |
assert(controller == self.viewController); |
// identity may be NULL |
|
assert(controller.challenge == self.challenge); |
|
// Dismiss the modal view controller. Actually, /start/ to dismiss it. |
// When it's done, we'll get the -identityViewDidDisappear: callback |
// to continue processing. |
|
[self.parentViewController dismissModalViewControllerAnimated:YES]; |
|
if (kWorkAround_6291461) { |
// We do this work in -identityViewDidDisappear:, but it has know |
// whether this method was called so that it can tell whether to notify |
// our delegate. Otherwise, if our client cancels the challenge |
// (by calling -stop), we end up calling it back (via the delegate callback) |
// indicating that we cancelled, which is pretty silly: it knows we cancelled, |
// it asked us to. |
self->_didEnterIdentity = YES; |
} else { |
[self _gotIdentity:identity]; |
} |
} |
|
- (void)identityViewDidDisappear:(ClientIdentityController *)controller |
// A client identiy controller delegate callback that's called when the |
// view controller finally disappears. We use this to continue the processing |
// we deferred in -identityView:didChooseIdentity:. |
{ |
assert(controller == self.viewController); |
|
if (kWorkAround_6291461) { |
if (self->_didEnterIdentity) { |
[self _gotIdentity:controller.chosenIdentity]; |
self->_didEnterIdentity = NO; |
} |
} |
} |
|
- (NSArray *)identityViewIdentitiesToDisplay:(ClientIdentityController *)controller |
{ |
#pragma unused(controller) |
NSArray * result; |
|
assert(controller == self.viewController); |
|
if ([DebugOptions sharedDebugOptions].naiveIdentityList) { |
result = nil; |
} else { |
result = [Credentials sharedCredentials].identities; |
} |
return result; |
} |
|
#pragma mark * Override points |
|
- (void)didStart |
// Called by our base class to tell us to create our UI. |
{ |
[super didStart]; |
[self _bringUpView]; |
} |
|
- (void)willFinish |
// Called by our base class to tell us to tear down our UI. |
{ |
[super willFinish]; |
[self _tearDownView]; |
} |
|
@end |