Merge pull request #1189 from tchapgouv/1188-probleme-avec-le-certificat-tls-de-proconnect

Permettre l'identification par ProConnect pour les UIA

Author: NicolasBuquet

Riot/Modules/Home/Fallback/AuthFallBackViewController.m

@@ -143,6 +143,9 @@ - (void)webView:(WKWebView *)webView decidePolicyForNavigationAction:(WKNavigati
 {
     NSString *urlString = navigationAction.request.URL.absoluteString;
 
+    // Tchap: set flag meaning the webview is handling a Tchap domain request.
+    self.ImOnATchapGouvFrPage = [self urlBelongsToTchapGouvFrDomain:navigationAction.request.URL];
+
     // TODO: We should use the WebKit PostMessage API and the
     // `didReceiveScriptMessage` delegate to manage the JS<->Native bridge
     if ([urlString hasPrefix:@"js:"])

Riot/Modules/MatrixKit/Controllers/MXKWebViewViewController.h

@@ -60,4 +60,10 @@ Please see LICENSE in the repository root for full details.
 // Tchap: give access to backButton to allow a 'Cancel' functionnality.
 - (void)setBackButton:(UIBarButtonItem *)button;
 
+// Tchap: flag to get and set if the current loading request belong to Tchap domain.
+@property (nonatomic) BOOL ImOnATchapGouvFrPage;
+
+// Tchap: method to call to know if a request url belongs to Tchap domain.
+- (BOOL)urlBelongsToTchapGouvFrDomain:(NSURL *)url;
+
 @end

Riot/Modules/MatrixKit/Controllers/MXKWebViewViewController.m

@@ -48,6 +48,9 @@ - (instancetype)init
     if (self)
     {
         enableDebug = NO;
+
+        // Tchap: initialize Tchap domain flag.
+        self.ImOnATchapGouvFrPage = NO;
     }
     return self;
 }
@@ -58,6 +61,9 @@ - (id)initWithURL:(NSString*)URL
     if (self)
     {
         _URL = URL;
+
+        // Tchap: initialize Tchap domain flag.
+        self.ImOnATchapGouvFrPage = [self urlBelongsToTchapGouvFrDomain:[NSURL URLWithString:URL]];
     }
     return self;
 }
@@ -267,6 +273,15 @@ - (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAut
 
     // Check first whether there are some pinned certificates (certificate included in the bundle).
     NSArray *paths = [[NSBundle mainBundle] pathsForResourcesOfType:@"cer" inDirectory:@"."];
+    
+    // Tchap: if current request doesn't belong to Tchap domain, ignore Certificate Pinning system.
+    // It is to avoid activating Certificate Pinning (using Certigna Root Certificate) on ProConnect (agentconnect.gouv.fr) page
+    // that is using Let's Encrypt certificate actually.
+    // This case happens when launching UIA on a ProConnect SSO logged user.
+    if (!self.ImOnATchapGouvFrPage) {
+        paths = @[];
+    }
+    
     if (paths.count)
     {
         NSMutableArray *pinnedCertificates = [NSMutableArray array];
@@ -324,6 +339,15 @@ - (void)webView:(WKWebView *)webView didReceiveAuthenticationChallenge:(NSURLAut
     }
 }
 
+// Tchap: public method to help subclasses know if current request belongs to Tchap domain.
+- (BOOL)urlBelongsToTchapGouvFrDomain:(NSURL *)url
+{
+    // Tchap: Tchap domain substring.
+    static NSString *const kTchapMXKWebViewViewControllerTchapGouvFrHostnamePart = @".tchap.gouv.fr";
+
+    return [url.host containsString:kTchapMXKWebViewViewControllerTchapGouvFrHostnamePart];
+}
+
 #pragma mark - WKUIDelegate
 
 - (WKWebView *)webView:(WKWebView *)webView createWebViewWithConfiguration:(nonnull WKWebViewConfiguration *)configuration forNavigationAction:(nonnull WKNavigationAction *)navigationAction windowFeatures:(nonnull WKWindowFeatures *)windowFeatures

changelog.d/1188.change

@@ -0,0 +1 @@
+Permettre l'identification par ProConnect pour les opérations sécurisées par une ré-authentification (comme la régénération du Code de Récupération)