Alamofire/Tests/ServerTrustPolicyTests.swift

// MultipartFormDataTests.swift
//
// Copyright (c) 2014–2015 Alamofire Software Foundation (http://alamofire.org/)
//
// Permission is hereby granted, free of charge, to any person obtaining a copy
// of this software and associated documentation files (the "Software"), to deal
// in the Software without restriction, including without limitation the rights
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
// copies of the Software, and to permit persons to whom the Software is
// furnished to do so, subject to the following conditions:
//
// The above copyright notice and this permission notice shall be included in
// all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
// THE SOFTWARE.

import Alamofire
import Foundation
import XCTest

private struct TestCertificates {
    // Root Certificates
    static let RootCA = TestCertificates.certificateWithFileName("alamofire-root-ca")

    // Intermediate Certificates
    static let IntermediateCA1 = TestCertificates.certificateWithFileName("alamofire-signing-ca1")
    static let IntermediateCA2 = TestCertificates.certificateWithFileName("alamofire-signing-ca2")

    // Leaf Certificates - Signed by CA1
    static let LeafWildcard = TestCertificates.certificateWithFileName("*.alamofire.org")
    static let LeafMultipleDNSNames = TestCertificates.certificateWithFileName("multiple-dns-names")
    static let LeafSignedByCA1 = TestCertificates.certificateWithFileName("signed-by-ca1")
    static let LeafDNSNameAndURI = TestCertificates.certificateWithFileName("test.alamofire.org")

    // Leaf Certificates - Signed by CA2
    static let LeafExpired = TestCertificates.certificateWithFileName("expired")
    static let LeafMissingDNSNameAndURI = TestCertificates.certificateWithFileName("missing-dns-name-and-uri")
    static let LeafSignedByCA2 = TestCertificates.certificateWithFileName("signed-by-ca2")
    static let LeafValidDNSName = TestCertificates.certificateWithFileName("valid-dns-name")
    static let LeafValidURI = TestCertificates.certificateWithFileName("valid-uri")

    static func certificateWithFileName(fileName: String) -> SecCertificate {
        class Bundle {}
        let filePath = NSBundle(forClass: Bundle.self).pathForResource(fileName, ofType: "cer")!
        let data = NSData(contentsOfFile: filePath)!
        let certificate = SecCertificateCreateWithData(nil, data).takeRetainedValue()

        return certificate
    }
}

// MARK: -

private struct TestPublicKeys {
    // Root Public Keys
    static let RootCA = TestPublicKeys.publicKeyForCertificate(TestCertificates.RootCA)

    // Intermediate Public Keys
    static let IntermediateCA1 = TestPublicKeys.publicKeyForCertificate(TestCertificates.IntermediateCA1)
    static let IntermediateCA2 = TestPublicKeys.publicKeyForCertificate(TestCertificates.IntermediateCA2)

    // Leaf Public Keys - Signed by CA1
    static let LeafWildcard = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafWildcard)
    static let LeafMultipleDNSNames = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafMultipleDNSNames)
    static let LeafSignedByCA1 = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafSignedByCA1)
    static let LeafDNSNameAndURI = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafDNSNameAndURI)

    // Leaf Public Keys - Signed by CA2
    static let LeafExpired = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafExpired)
    static let LeafMissingDNSNameAndURI = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafMissingDNSNameAndURI)
    static let LeafSignedByCA2 = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafSignedByCA2)
    static let LeafValidDNSName = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafValidDNSName)
    static let LeafValidURI = TestPublicKeys.publicKeyForCertificate(TestCertificates.LeafValidURI)

    static func publicKeyForCertificate(certificate: SecCertificate) -> SecKey {
        let policy = SecPolicyCreateBasicX509().takeRetainedValue()
        var unmanagedTrust: Unmanaged<SecTrust>?
        let trustCreationStatus = SecTrustCreateWithCertificates(certificate, policy, &unmanagedTrust)

        let trust = unmanagedTrust!.takeRetainedValue()
        let publicKey = SecTrustCopyPublicKey(trust).takeRetainedValue()

        return publicKey
    }
}

// MARK: -

private enum TestTrusts {
    // Leaf Trusts - Signed by CA1
    case LeafWildcard
    case LeafMultipleDNSNames
    case LeafSignedByCA1
    case LeafDNSNameAndURI

    // Leaf Trusts - Signed by CA2
    case LeafExpired
    case LeafMissingDNSNameAndURI
    case LeafSignedByCA2
    case LeafValidDNSName
    case LeafValidURI

    // Invalid Trusts
    case LeafValidDNSNameMissingIntermediate
    case LeafValidDNSNameWithIncorrectIntermediate

    var trust: SecTrust {
        let trust: SecTrust

        switch self {
        case .LeafWildcard:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafWildcard,
                TestCertificates.IntermediateCA1,
                TestCertificates.RootCA
            ])
        case .LeafMultipleDNSNames:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafMultipleDNSNames,
                TestCertificates.IntermediateCA1,
                TestCertificates.RootCA
            ])
        case .LeafSignedByCA1:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafSignedByCA1,
                TestCertificates.IntermediateCA1,
                TestCertificates.RootCA
            ])
        case .LeafDNSNameAndURI:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafDNSNameAndURI,
                TestCertificates.IntermediateCA1,
                TestCertificates.RootCA
            ])
        case .LeafExpired:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafExpired,
                TestCertificates.IntermediateCA2,
                TestCertificates.RootCA
            ])
        case .LeafMissingDNSNameAndURI:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafMissingDNSNameAndURI,
                TestCertificates.IntermediateCA2,
                TestCertificates.RootCA
            ])
        case .LeafSignedByCA2:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafSignedByCA2,
                TestCertificates.IntermediateCA2,
                TestCertificates.RootCA
            ])
        case .LeafValidDNSName:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafValidDNSName,
                TestCertificates.IntermediateCA2,
                TestCertificates.RootCA
            ])
        case .LeafValidURI:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafValidURI,
                TestCertificates.IntermediateCA2,
                TestCertificates.RootCA
            ])
        case LeafValidDNSNameMissingIntermediate:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafValidDNSName,
                TestCertificates.RootCA
            ])
        case LeafValidDNSNameWithIncorrectIntermediate:
            trust = TestTrusts.trustWithCertificates([
                TestCertificates.LeafValidDNSName,
                TestCertificates.IntermediateCA1,
                TestCertificates.RootCA
            ])
        }

        return trust
    }

    static func trustWithCertificates(certificates: [SecCertificate]) -> SecTrust {
        let policy = SecPolicyCreateBasicX509().takeRetainedValue()
        var unmanagedTrust: Unmanaged<SecTrust>?
        SecTrustCreateWithCertificates(certificates, policy, &unmanagedTrust)
        let trust = unmanagedTrust!.takeRetainedValue()

        return trust
    }
}

// MARK: - Basic X509 and SSL Exploration Tests -

class ServerTrustPolicyTestCase: BaseTestCase {
    func setRootCertificateAsLoneAnchorCertificateForTrust(trust: SecTrust) {
        SecTrustSetAnchorCertificates(trust, [TestCertificates.RootCA])
        SecTrustSetAnchorCertificatesOnly(trust, 1)
    }

    func trustIsValid(trust: SecTrust) -> Bool {
        var isValid = false

        var result = SecTrustResultType(kSecTrustResultInvalid)
        let status = SecTrustEvaluate(trust, &result)

        if status == errSecSuccess {
            let unspecified = SecTrustResultType(kSecTrustResultUnspecified)
            let proceed = SecTrustResultType(kSecTrustResultProceed)

            isValid = result == unspecified || result == proceed
        }

        return isValid
    }
}

// MARK: -

class ServerTrustPolicyExplorationBasicX509PolicyValidationTestCase: ServerTrustPolicyTestCase {
    func testThatAnchoredRootCertificatePassesBasicX509ValidationWithRootInTrust() {
        // Given
        let trust = TestTrusts.trustWithCertificates([
            TestCertificates.LeafDNSNameAndURI,
            TestCertificates.IntermediateCA1,
            TestCertificates.RootCA
        ])

        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateBasicX509().takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatAnchoredRootCertificatePassesBasicX509ValidationWithoutRootInTrust() {
        // Given
        let trust = TestTrusts.LeafDNSNameAndURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateBasicX509().takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatCertificateMissingDNSNamePassesBasicX509Validation() {
        // Given
        let trust = TestTrusts.LeafMissingDNSNameAndURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateBasicX509().takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatExpiredCertificateFailsBasicX509Validation() {
        // Given
        let trust = TestTrusts.LeafExpired.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateBasicX509().takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertFalse(trustIsValid(trust), "trust should not be valid")
    }
}

// MARK: -

class ServerTrustPolicyExplorationSSLPolicyValidationTestCase: ServerTrustPolicyTestCase {
    func testThatAnchoredRootCertificatePassesSSLValidationWithRootInTrust() {
        // Given
        let trust = TestTrusts.trustWithCertificates([
            TestCertificates.LeafDNSNameAndURI,
            TestCertificates.IntermediateCA1,
            TestCertificates.RootCA
        ])

        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatAnchoredRootCertificatePassesSSLValidationWithoutRootInTrust() {
        // Given
        let trust = TestTrusts.LeafDNSNameAndURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatCertificateMissingDNSNameFailsSSLValidation() {
        // Given
        let trust = TestTrusts.LeafMissingDNSNameAndURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertFalse(trustIsValid(trust), "trust should not be valid")
    }

    func testThatWildcardCertificatePassesSSLValidation() {
        // Given
        let trust = TestTrusts.LeafWildcard.trust // *.alamofire.org
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatDNSNameCertificatePassesSSLValidation() {
        // Given
        let trust = TestTrusts.LeafValidDNSName.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should be valid")
    }

    func testThatURICertificateFailsSSLValidation() {
        // Given
        let trust = TestTrusts.LeafValidURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertFalse(trustIsValid(trust), "trust should not be valid")
    }

    func testThatMultipleDNSNamesCertificatePassesSSLValidationForAllEntries() {
        // Given
        let trust = TestTrusts.LeafMultipleDNSNames.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [
            SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue(),
            SecPolicyCreateSSL(1, "blog.alamofire.org").takeRetainedValue(),
            SecPolicyCreateSSL(1, "www.alamofire.org").takeRetainedValue()
        ]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should not be valid")
    }

    func testThatPassingNilForHostParameterAllowsCertificateMissingDNSNameToPassSSLValidation() {
        // Given
        let trust = TestTrusts.LeafMissingDNSNameAndURI.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, nil).takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertTrue(trustIsValid(trust), "trust should not be valid")
    }

    func testThatExpiredCertificateFailsSSLValidation() {
        // Given
        let trust = TestTrusts.LeafExpired.trust
        setRootCertificateAsLoneAnchorCertificateForTrust(trust)

        // When
        let policies = [SecPolicyCreateSSL(1, "test.alamofire.org").takeRetainedValue()]
        SecTrustSetPolicies(trust, policies)

        // Then
        XCTAssertFalse(trustIsValid(trust), "trust should not be valid")
    }
}

// MARK: - Server Trust Policy Tests -

class ServerTrustPolicyPerformDefaultEvaluationTestCase: ServerTrustPolicyTestCase {

    // MARK: Without Host Validation

    func testThatValidCertificateChainPassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: false)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatMissingDNSNameLeafCertificatePassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafMissingDNSNameAndURI.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: false)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatExpiredCertificateChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: false)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: false)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    // MARK: With Host Validation

    func testThatValidCertificateChainPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatNonAnchoredRootCertificateChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatMissingDNSNameLeafCertificateFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafMissingDNSNameAndURI.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatWildcardedLeafCertificateChainPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafWildcard.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatExpiredCertificateChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatMissingIntermediateCertificateInChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let serverTrustPolicy = ServerTrustPolicy.PerformDefaultEvaluation(validateHost: true)

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }
}

// MARK: -

class ServerTrustPolicyPinCertificatesTestCase: ServerTrustPolicyTestCase {

    // MARK: Without Host Validation

    func testThatPinnedLeafCertificatePassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinnedIntermediateCertificatePassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinnedRootCertificatePassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningLeafCertificateNotInCertificateChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningIntermediateCertificateNotInCertificateChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.IntermediateCA1]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningExpiredLeafCertificateFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let certificates = [TestCertificates.LeafExpired]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningIntermediateCertificateWithExpiredLeafCertificateFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let certificates = [TestCertificates.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: false)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    // MARK: With Host Validation

    func testThatPinnedLeafCertificatePassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinnedIntermediateCertificatePassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinnedRootCertificatePassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningLeafCertificateNotInCertificateChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningIntermediateCertificateNotInCertificateChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let certificates = [TestCertificates.IntermediateCA1]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningExpiredLeafCertificateFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let certificates = [TestCertificates.LeafExpired]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningIntermediateCertificateWithExpiredLeafCertificateFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let certificates = [TestCertificates.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinCertificates(certificates: certificates, validateHost: true)

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }
}

// MARK: -

class ServerTrustPolicyPinPublicKeysTestCase: ServerTrustPolicyTestCase {

    // MARK: Require Valid Certificate Chain Without Host Validation

    func testThatPinningLeafKeyPassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningIntermediateKeyPassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningRootKeyPassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningKeyNotInCertificateChainFailsEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningBackupKeyPassesEvaluationWithoutHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    // MARK: Require Valid Certificate Chain With Host Validation

    func testThatPinningLeafKeyPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: true,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningIntermediateKeyPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: true,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningRootKeyPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: true,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningKeyNotInCertificateChainFailsEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafSignedByCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: true,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningBackupKeyPassesEvaluationWithHostValidation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let publicKeys = [TestPublicKeys.LeafSignedByCA1, TestPublicKeys.IntermediateCA1, TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: true,
            allowInvalidCertificates: false
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    // MARK: Allow Invalid Certificate Chain

    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithMissingIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningRootKeyWhileAllowingInvalidCertificatesFailsEvaluationWithMissingIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }

    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithIncorrectIntermediateCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameWithIncorrectIntermediate.trust
        let publicKeys = [TestPublicKeys.LeafValidDNSName]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningLeafKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.LeafExpired]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningIntermediateKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.IntermediateCA2]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatPinningRootKeyWhileAllowingInvalidCertificatesPassesEvaluationWithExpiredLeafCertificate() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let publicKeys = [TestPublicKeys.RootCA]
        let serverTrustPolicy = ServerTrustPolicy.PinPublicKeys(
            publicKeys: publicKeys,
            validateHost: false,
            allowInvalidCertificates: true
        )

        // When
        setRootCertificateAsLoneAnchorCertificateForTrust(serverTrust)
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }
}

// MARK: -

class ServerTrustPolicyDisableEvaluationTestCase: ServerTrustPolicyTestCase {
    func testThatCertificateChainMissingIntermediateCertificatePassesEvaluation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSNameMissingIntermediate.trust
        let serverTrustPolicy = ServerTrustPolicy.DisableEvaluation

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatExpiredLeafCertificatePassesEvaluation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafExpired.trust
        let serverTrustPolicy = ServerTrustPolicy.DisableEvaluation

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }
}

// MARK: -

class ServerTrustPolicyCustomEvaluationTestCase: ServerTrustPolicyTestCase {
    func testThatReturningTrueFromClosurePassesEvaluation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.CustomEvaluation { _, _ in
            return true
        }

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertTrue(serverTrustIsValid, "server trust should pass evaluation")
    }

    func testThatReturningFalseFromClosurePassesEvaluation() {
        // Given
        let host = "test.alamofire.org"
        let serverTrust = TestTrusts.LeafValidDNSName.trust
        let serverTrustPolicy = ServerTrustPolicy.CustomEvaluation { _, _ in
            return false
        }

        // When
        let serverTrustIsValid = serverTrustPolicy.evaluateServerTrust(serverTrust, isValidForHost: host)

        // Then
        XCTAssertFalse(serverTrustIsValid, "server trust should not pass evaluation")
    }
}