Got HTTPS tests working, fixed testStressGetHttpsSSLError for TS.

adam-fowler · adam-fowler · commit 9efc087ab5f6 · 2020-03-31T07:36:55.000+01:00
Added temporary code to disable certificate verification if required
Fixed testStressGetHttpsSSLError() for TS: Need to check for Network.framework specific errors. Maybe NIOTransportServices should be  translating these into an NIO error.
(The Network.framework errors are not super unfriendly).
diff --git a/Sources/AsyncHTTPClient/Utils.swift b/Sources/AsyncHTTPClient/Utils.swift
@@ -12,6 +12,8 @@
 //
 //===----------------------------------------------------------------------===//
 
+import Foundation
+import Network
 import NIO
 import NIOHTTP1
 import NIOHTTPCompression
@@ -63,7 +65,46 @@ extension ClientBootstrap {
     }
 }
 
+// Used by temporary code below
+let tlsDispatchQueue = DispatchQueue(label: "TLSDispatch")
+
 extension NIOClientTCPBootstrap {
+    
+    // TEMPORARY: This is temporary code and an extended version of this should really be in NIOTransportServices. But this allows us to run tests and get results back
+    // for the TLS tests
+    #if canImport(Network)
+    @available (macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *)
+    fileprivate static func getTLSOptions(tlsConfiguration: TLSConfiguration?, queue: DispatchQueue) -> NWProtocolTLS.Options {
+        guard let tlsConfiguration = tlsConfiguration else { return .init() }
+        let options = NWProtocolTLS.Options()
+        
+        sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in
+            let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()
+            
+            var error: CFError?
+            if SecTrustEvaluateWithError(trust, &error) {
+                sec_protocol_verify_complete(true)
+            } else {
+                // check error
+                var errorCode: CFIndex = 0
+                if let userInfo = CFErrorCopyUserInfo(error) {
+                    let userInfoDictionary = userInfo as NSDictionary
+                    let underlyingError = userInfoDictionary[kCFErrorUnderlyingErrorKey!] as! CFError
+                    errorCode = CFErrorGetCode(underlyingError)
+                }
+                if tlsConfiguration.certificateVerification == .none ||
+                    (tlsConfiguration.certificateVerification == .noHostnameVerification && errorCode == errSecNotTrusted) {
+                    sec_protocol_verify_complete(true)
+                } else {
+                    sec_protocol_verify_complete(false)
+                }
+            }
+        }, queue)
+          
+        return options
+    }
+    #endif
+    
     /// create a TCP Bootstrap based off what type of `EventLoop` has been passed to the function.
     fileprivate static func makeBootstrap(
         on eventLoop: EventLoop,
@@ -80,7 +121,8 @@ extension NIOClientTCPBootstrap {
                 let hostname = (!requiresTLS || host.isIPAddress) ? nil : host
                 bootstrap = try NIOClientTCPBootstrap(NIOTSConnectionBootstrap(group: eventLoop), tls: NIOSSLClientTLSProvider(context: sslContext, serverHostname: hostname))
             } else {
-                let tlsProvider = NIOTSClientTLSProvider(tlsOptions: .init())
+                let parameters = NIOClientTCPBootstrap.getTLSOptions(tlsConfiguration: configuration.tlsConfiguration, queue: tlsDispatchQueue)
+                let tlsProvider = NIOTSClientTLSProvider(tlsOptions: parameters)
                 bootstrap = NIOClientTCPBootstrap(NIOTSConnectionBootstrap(group: eventLoop), tls: tlsProvider)
             }
         } else {
diff --git a/Tests/AsyncHTTPClientTests/HTTPClientTests.swift b/Tests/AsyncHTTPClientTests/HTTPClientTests.swift
@@ -13,6 +13,9 @@
 //===----------------------------------------------------------------------===//
 
 @testable import AsyncHTTPClient
+#if canImport(Network)
+import Network
+#endif
 import NIO
 import NIOConcurrencyHelpers
 import NIOFoundationCompat
@@ -1014,6 +1017,18 @@ class HTTPClientTests: XCTestCase {
                 XCTFail("Shouldn't succeed")
                 continue
             case .failure(let error):
+                #if canImport(Network)
+                if isTestingNIOTS() {
+                    if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *) {
+                        guard let clientError = error as? NWError, case NWError.tls(let status) = clientError else {
+                            XCTFail("Unexpected error: \(error)")
+                            continue
+                        }
+                        XCTAssertEqual(status, errSSLHandshakeFail)
+                    }
+                    continue
+                }
+                #endif
                 guard let clientError = error as? NIOSSLError, case NIOSSLError.handshakeFailed = clientError else {
                     XCTFail("Unexpected error: \(error)")
                     continue
