authenticator-ios-v2/ForgeRock-Authenticator/FRAPushMechanismFactory.m

/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2016 ForgeRock AS.
 */

#import "FRAError.h"
#import "FRAIdentity.h"
#import "FRAIdentityDatabase.h"
#import "FRAMechanismFactory.h"
#import "FRAMessageUtils.h"
#import "FRAMockURLProtocol.h"
#import "FRAPushMechanism.h"
#import "FRAPushMechanismFactory.h"
#import "FRAQRUtils.h"
#import "FRASerialization.h"

/*! QR code key for the secret. */
NSString *const SECRET_QR_KEY = @"s";
/*! QR code key for the authentication endpoint url. */
NSString *const AUTHENTICATION_ENDPOINT_URL_QR_KEY = @"a";
/*! QR code key for the regsitration endpoint url. */
NSString *const REGISTRATION_ENDPOINT_URL_QR_KEY = @"r";
/*! QR code key for the message. */
NSString *const MESSAGE_ID_QR_KEY = @"m";
/*! QR code key for the background colour of the mechanism. */
NSString *const BACKGROUND_COLOUR_QR_KEY = @"b";
/*! QR code key for the registration challange. */
NSString *const REGISTRATION_CHALLENGE_QR_KEY = @"c";
/*! QR code key for the registration challange. */
NSString *const REGISTRATION_LOAD_BALLANCE_KEY = @"l";
/*! QR code key for the mechanism image. */
NSString *const IMAGE_QR_KEY = @"image";
/*! QR code key for the issuer name. */
NSString *const ISSUER_QR_KEY = @"issuer";

static BOOL SUCCESS = YES;
static BOOL FAILURE = NO;

@interface FRAPushMechanismFactory ()

@property (strong, nonatomic) FRANotificationGateway *gateway;

@end

@implementation FRAPushMechanismFactory {
    FRANotificationGateway* _gateway;
}

#pragma mark -
#pragma mark Lifecyle

- (instancetype)initWithGateway:(FRANotificationGateway *)gateway{
    self = [super init];
    if (self) {
        self.gateway = gateway;
    }
    return self;
}

#pragma mark -
#pragma mark Factory Methods

- (NSString *)utf8StringFromData:(NSData *)data {
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

- (FRAMechanism *) buildMechanism:(NSURL *)uri database:(FRAIdentityDatabase *)database identityModel:(FRAIdentityModel *)identityModel handler:(void (^)(BOOL, NSError *))handler error:(NSError *__autoreleasing *)error {

    if (![self isValid:self.gateway.deviceToken]) {
        *error = [FRAError createError:NSLocalizedString(@"Cannot register while notifications are disabled or the device is offline", nil) code:FRAMissingDeviceId];
        return nil;
    }

    NSDictionary * query = [self readQRCode:uri];

    NSString *secret = [query objectForKey:SECRET_QR_KEY];
    NSString *regEndpoint = [self utf8StringFromData:[FRAQRUtils decodeURL:[query objectForKey:REGISTRATION_ENDPOINT_URL_QR_KEY]]];
    NSString *authEndpoint = [self utf8StringFromData:[FRAQRUtils decodeURL:[query objectForKey:AUTHENTICATION_ENDPOINT_URL_QR_KEY]]];
    NSString *messageId = [query objectForKey:MESSAGE_ID_QR_KEY];
    NSString *backgroundColor = [query objectForKey:BACKGROUND_COLOUR_QR_KEY];
    NSString *challenge = [FRAQRUtils replaceCharactersForURLDecoding:[query objectForKey:REGISTRATION_CHALLENGE_QR_KEY]];
    NSString *loadBalancer = [self utf8StringFromData:[FRAQRUtils decodeURL:[query objectForKey:REGISTRATION_LOAD_BALLANCE_KEY]]];
    NSString *image = [self utf8StringFromData:[FRAQRUtils decodeURL:[query objectForKey:IMAGE_QR_KEY]]];
    NSString *issuer = [self utf8StringFromData:[FRAQRUtils decodeURL:[query objectForKey:ISSUER_QR_KEY]]];
    NSString *_label = [query objectForKey:@"_label"];

    if (![self isValidSecret:secret] || ![self isValid:regEndpoint] || ![self isValid:authEndpoint] || ![self isValid:messageId] || ![self isValid:challenge] || ![self isValid:issuer]) {
        *error = [FRAError createError:NSLocalizedString(@"Invalid QR code", nil) code:FRAInvalidQRCode];
        return nil;
    }

    FRAPushMechanism* mechanism = [FRAPushMechanism pushMechanismWithDatabase:database identityModel:identityModel authEndpoint:authEndpoint secret:secret];
    FRAIdentity *identity = [self identityWithIssuer:issuer accountName:_label identityModel:identityModel backgroundColor:backgroundColor image:image database:database error:error];

    if (![identity addMechanism:mechanism error:error]) {
        return nil;
    }

    [self registerMechanismWithEndpoint:regEndpoint secret:secret challenge:challenge messageId:messageId mechanismUid:mechanism.mechanismUID identity:identity mechanism:mechanism identityModel:identityModel loadBalancerCookieData:loadBalancer handler:handler];

    return mechanism;
}

- (BOOL)isValidSecret:(NSString *)secret {
    return [self isValid:secret] && [FRAQRUtils isBase64:[FRAQRUtils replaceCharactersForURLDecoding:secret]];
}

- (BOOL)isValid:(NSString *)info {
    return info.length > 0;
}

- (NSDictionary *) readQRCode:(NSURL *)uri {

    NSString* scheme = [uri scheme];
    if (scheme == nil || ![scheme isEqualToString:@"pushauth"]) {
        return nil;
    }
    NSString* _type = [uri host];
    if (_type == nil || ![_type isEqualToString:[FRAPushMechanism mechanismType]]) {
        return nil;
    }
    // Get the path and strip it of its leading '/'
    NSString* path = [uri path];
    if (path == nil) {
        return nil;
    }
    while ([path hasPrefix:@"/"]) {
        path = [path substringFromIndex:1];
    }
    if ([path length] == 0) {
        return nil;
    }
    // Get issuer and label
    NSArray* array = [path componentsSeparatedByString:@":"];
    if (array == nil || [array count] == 0) {
        return nil;
    }
    NSString* _issuer;
    NSString* _label;
    if ([array count] > 1) {
        _issuer = [FRAQRUtils decode:[array objectAtIndex:0]];
        _label = [FRAQRUtils decode:[array objectAtIndex:1]];
    } else {
        _issuer = @"";
        _label = [FRAQRUtils decode:[array objectAtIndex:0]];
    }

    // Parse query
    NSMutableDictionary *query = [[NSMutableDictionary alloc] init];
    array = [[uri query] componentsSeparatedByString:@"&"];
    for (NSString *kv in array) {
        // Value can contain '=' symbols, so look for first symbol.
        NSRange index = [kv rangeOfString:@"="];
        if (index.location == NSNotFound) {
            continue;
        }
        NSString *name = [kv substringToIndex:index.location];
        NSString *value = [kv substringFromIndex:index.location + index.length];
        [query setValue:value forKey:name];
    }

    [query setValue:_issuer forKey:@"_issuer"];
    [query setValue:_label forKey:@"_label"];

    return query;
}

- (FRAIdentity *)identityWithIssuer:(NSString *)issuer accountName:(NSString *)accountName identityModel:(FRAIdentityModel *)identityModel backgroundColor:(NSString *)backgroundColor image:(NSString *)image database:(FRAIdentityDatabase *)database error:(NSError *__autoreleasing *)error {
    FRAIdentity *identity = [identityModel identityWithIssuer:issuer accountName:accountName];
    if (!identity) {
        identity = [FRAIdentity identityWithDatabase:database identityModel:identityModel accountName:accountName issuer:issuer image:[NSURL URLWithString:image] backgroundColor:backgroundColor];
        if (![identityModel addIdentity:identity error:error]) {
            return nil;
        }
    }

    return identity;
}

- (BOOL)supports:(NSURL *)uri {
    NSString *scheme = [uri scheme];
    if (scheme == nil || ![scheme isEqualToString:@"pushauth"]) {
        return NO;
    }
    return YES;
}

- (NSString *)getSupportedProtocol {
    return @"pushauth";
}

- (void)registerMechanismWithEndpoint:(NSString *)regEndpoint secret:(NSString *)secret challenge:(NSString *)challenge messageId:(NSString *)messageId mechanismUid:(NSString *)uid identity:(FRAIdentity *)identity mechanism:(FRAMechanism *)mechanism identityModel:(FRAIdentityModel *)identityModel loadBalancerCookieData:(NSString *)loadBalancerCookieData handler:(void(^)(BOOL, NSError *))handler {

    [FRAMessageUtils respondWithEndpoint:regEndpoint
                            base64Secret:secret
                               messageId:messageId
                  loadBalancerCookieData:loadBalancerCookieData
                                    data:@{@"response":[FRAMessageUtils generateChallengeResponse:challenge secret:secret],
                                           @"mechanismUid":uid,
                                           @"deviceId":self.gateway.deviceToken,
                                           @"deviceType":@"ios",
                                           @"communicationType":@"apns"
                                           }
                                 handler:^(NSInteger statusCode, NSError *error) {
                                     if (200 != statusCode) {
                                         error = [FRAError createError:@"Failed to contact server for registration" code:FRANetworkFailure underlyingError:error];
                                         [identity removeMechanism:mechanism error:&error];
                                         [self invokeRegistrationHandler:handler result:FAILURE error:error];
                                     } else {
                                         [self invokeRegistrationHandler:handler result:SUCCESS error:nil];
                                     }
                                 }];
}

- (void)invokeRegistrationHandler:(void(^)(BOOL, NSError *))handler result:(BOOL)result error:(NSError *) error {
    if (handler) {
        handler(result, error);
    }
}

@end