Added public docstrings for all public APIs in the ServerTrustPolicy.

8094b368 · Christian Noon · eed31ab5 · 8094b368
隐藏空白更改
内联并排

Showing with 67 addition and 6 deletion

Source/ServerTrustPolicy.swift Source/ServerTrustPolicy.swift +67 -6

未找到文件。
--- a/Source/ServerTrustPolicy.swift
+++ b/Source/ServerTrustPolicy.swift
@@ -22,11 +22,22 @@

 import Foundation

-// TODO: DocStrings
+/// Responsible for managing the mapping of `ServerTrustPolicy` objects to a given host.
 public class ServerTrustPolicyManager {
    let policies: [String: ServerTrustPolicy]

-    // TODO: DocStrings
+    /**
+        Initializes the `ServerTrustPolicyManager` instance with the given policies.
+
+        Since different servers and web services can have different leaf certificates, intermediate and even root 
+        certficates, it is important to have the flexibility to specify evaluation policies on a per host basis. This 
+        allows for scenarios such as using default evaluation for host1, certificate pinning for host2, public key 
+        pinning for host3 and disabling evaluation for host4.
+
+        :param: policies A dictionary of all policies mapped to a particular host.
+
+        :returns: The new `ServerTrustPolicyManager` instance.
+    */
    public init(policies: [String: ServerTrustPolicy]) {
        self.policies = policies
    }
@@ -55,7 +66,38 @@ extension NSURLSession {

 // MARK: - ServerTrustPolicy

-// TODO: DocStrings
+/**
+    The `ServerTrustPolicy` evaluates the server trust generally provided by an `NSURLAuthenticationChallenge` when 
+    connecting to a server over a secure HTTPS connection. The policy configuration then evaluates the server trust 
+    with a given set of criteria to determine whether the server trust is valid and the connection should be made.
+
+    Using pinned certificates or public keys for evaluation helps prevent man-in-the-middle (MITM) attacks and other 
+    vulnerabilities. Applications dealing with sensitive customer data or financial information are strongly encouraged 
+    to route all communication over an HTTPS connection with pinning enabled.
+
+    - PerformDefaultEvaluation: Uses the default server trust evaluation while allowing you to control whether to 
+                                validate the host provided by the challenge. Applications are encouraged to always 
+                                validate the host in production environments to guarantee the validity of the server's 
+                                certificate chain.
+
+    - PinCertificates:          Uses the pinned certificates to validate the server trust. The server trust is
+                                considered valid if one of the pinned certificates match one of the server certificates. 
+                                By validating both the certificate chain and host, certificate pinning provides a very 
+                                secure form of server trust validation mitigating most, if not all, MITM attacks. 
+                                Applications are encouraged to always validate the host and require a valid certificate 
+                                chain in production environments.
+
+    - PinPublicKeys:            Uses the pinned public keys to validate the server trust. The server trust is considered
+                                valid if one of the pinned public keys match one of the server certificate public keys. 
+                                By validating both the certificate chain and host, public key pinning provides a very 
+                                secure form of server trust validation mitigating most, if not all, MITM attacks. 
+                                Applications are encouraged to always validate the host and require a valid certificate 
+                                chain in production environments.
+
+    - DisableEvaluation:        Disables all evaluation which in turn will always consider any server trust as valid.
+
+    - CustomEvaluation:         Uses the associated closure to evaluate the validity of the server trust.
+*/
 public enum ServerTrustPolicy {
    case PerformDefaultEvaluation(validateHost: Bool)
    case PinCertificates(certificates: [SecCertificate], validateCertificateChain: Bool, validateHost: Bool)
@@ -65,7 +107,13 @@ public enum ServerTrustPolicy {

    // MARK: - Bundle Location

-    // TODO: DocStrings
+    /**
+        Returns all certificates within the given bundle with a `.cer` file extension.
+
+        :param: bundle The bundle to search for all `.cer` files.
+
+        :returns: All certificates within the given bundle.
+    */
    public func certificatesInBundle(bundle: NSBundle = NSBundle.mainBundle()) -> [SecCertificate] {
        var certificates: [SecCertificate] = []

@@ -81,7 +129,13 @@ public enum ServerTrustPolicy {
        return certificates
    }

-    // TODO: DocStrings
+    /**
+        Returns all public keys within the given bundle with a `.cer` file extension.
+
+        :param: bundle The bundle to search for all `*.cer` files.
+
+        :returns: All public keys within the given bundle.
+    */
    public func publicKeysInBundle(bundle: NSBundle = NSBundle.mainBundle()) -> [SecKey] {
        var publicKeys: [SecKey] = []

@@ -96,7 +150,14 @@ public enum ServerTrustPolicy {

    // MARK: - Evaluation

-    // TODO: DocStrings
+    /**
+        Evaluates whether the server trust is valid for the given host.
+
+        :param: serverTrust The server trust to evaluate.
+        :param: host        The host of the challenge protection space.
+
+        :returns: Whether the server trust is valid.
+    */
    public func evaluateServerTrust(serverTrust: SecTrust, isValidForHost host: String) -> Bool {
        var serverTrustIsValid = false