santactl/doctor: Add checks for syncing, update MOLAuth logs (#448)

russellhancox · web-flow · commit f2fd2676fc23 · 2025-06-19T19:03:05.000-04:00
diff --git a/Source/common/MOLAuthenticatingURLSession.m b/Source/common/MOLAuthenticatingURLSession.m
@@ -131,7 +131,7 @@ - (void)URLSession:(NSURLSession *)session
       completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
       return;
     } else {
-      [self log:@"Server asked for client authentication but no usable client certificate found."];
+      [self log:@"[Client Trust] Server asked for authentication but no usable certificate found."];
       completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
       return;
     }
@@ -141,7 +141,7 @@ - (void)URLSession:(NSURLSession *)session
       completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
       return;
     } else {
-      [self log:@"Unable to verify server identity."];
+      [self log:@"[Server Trust] Unable to verify server identity."];
       completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
       return;
     }
@@ -203,6 +203,7 @@ - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)
 
   NSArray *allCerts;
   if (self.clientCertFile) {
+    [self log:@"[Client Trust] Using certificate from file: %@", self.clientCertFile];
     foundIdentity = [self identityFromFile:self.clientCertFile password:self.clientCertPassword];
   } else {
     CFArrayRef cfResults = NULL;
@@ -217,27 +218,34 @@ - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)
     allCerts = [MOLCertificate certificatesFromArray:results];
 
     if (self.clientCertCommonName) {
+      [self log:@"[Client Trust] Looking for certificate with common name: %@",
+                self.clientCertCommonName];
       foundIdentity = [self identityByFilteringArray:allCerts
                                           commonName:self.clientCertCommonName
                                     issuerCommonName:nil
                                    issuerCountryName:nil
                                        issuerOrgName:nil
                                        issuerOrgUnit:nil];
     } else if (self.clientCertIssuerCn) {
+      [self log:@"[Client Trust] Looking for certificate with issuer common name: %@",
+                self.clientCertIssuerCn];
       foundIdentity = [self identityByFilteringArray:allCerts
                                           commonName:nil
                                     issuerCommonName:self.clientCertIssuerCn
                                    issuerCountryName:nil
                                        issuerOrgName:nil
                                        issuerOrgUnit:nil];
     } else {
+      [self log:@"[Client Trust] Looking for certificate with server-provided CA names"];
       for (NSData *allowedIssuer in protectionSpace.distinguishedNames) {
         MOLDERDecoder *decoder = [[MOLDERDecoder alloc] initWithData:allowedIssuer];
 
         if (!decoder) {
           continue;
         }
 
+        [self log:@"[Client Trust] Allowed issuer: %@", decoder];
+
         foundIdentity = [self identityByFilteringArray:allCerts
                                             commonName:nil
                                       issuerCommonName:decoder.commonName
@@ -254,7 +262,7 @@ - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)
     SecIdentityCopyCertificate(foundIdentity, &certificate);
     MOLCertificate *clientCert = [[MOLCertificate alloc] initWithSecCertificateRef:certificate];
     if (certificate) CFRelease(certificate);
-    if (clientCert) [self log:@"Client Trust: %@", clientCert];
+    if (clientCert) [self log:@"[Client Trust] Certificate: %@", clientCert];
 
     NSArray *intermediates = [self locateIntermediatesForCertificate:clientCert inArray:allCerts];
 
@@ -283,7 +291,7 @@ - (NSURLCredential *)clientCredentialForProtectionSpace:(NSURLProtectionSpace *)
 ///
 - (NSURLCredential *)serverCredentialForProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
   if (protectionSpace.serverTrust == NULL) {
-    [self log:@"Server Trust: No server trust information available"];
+    [self log:@"[Server Trust] No trust information available"];
     return nil;
   }
 
@@ -294,7 +302,7 @@ - (NSURLCredential *)serverCredentialForProtectionSpace:(NSURLProtectionSpace *)
     err = SecTrustSetAnchorCertificates(protectionSpace.serverTrust,
                                         (__bridge CFArrayRef)self.anchors);
     if (err != errSecSuccess) {
-      [self log:@"Server Trust: Could not set anchor certificates: %d", err];
+      [self log:@"[Server Trust] Could not set anchor certificates: %d", err];
       return nil;
     }
   }
@@ -304,7 +312,7 @@ - (NSURLCredential *)serverCredentialForProtectionSpace:(NSURLProtectionSpace *)
   if (certChain.firstObject) {
     MOLCertificate *cert = [[MOLCertificate alloc]
         initWithSecCertificateRef:(__bridge SecCertificateRef)certChain.firstObject];
-    [self log:@"Server Trust: %@", cert];
+    [self log:@"[Server Trust] Certificate: %@", cert];
   }
 
   // Evaluate the server's cert chain.
@@ -314,7 +322,7 @@ - (NSURLCredential *)serverCredentialForProtectionSpace:(NSURLProtectionSpace *)
     NSError *underlyingError = errRef.userInfo[NSUnderlyingErrorKey];
     NSString *errMsg =
         CFBridgingRelease(SecCopyErrorMessageString((OSStatus)underlyingError.code, NULL));
-    [self log:@"Server Trust: Unable to evaluate certificate chain for server: %@ (%d)", errMsg,
+    [self log:@"[Server Trust] Unable to evaluate certificate chain for server: %@ (%d)", errMsg,
               underlyingError.code];
     return nil;
   }
@@ -407,7 +415,7 @@ - (SecIdentityRef)identityFromFile:(NSString *)file password:(NSString *)passwor
   NSError *error;
   NSData *data = [NSData dataWithContentsOfFile:file options:0 error:&error];
   if (error) {
-    [self log:@"Client Trust: Couldn't open client certificate %@: %@", self.clientCertFile,
+    [self log:@"[Client Trust] Couldn't open client certificate %@: %@", self.clientCertFile,
               [error localizedDescription]];
     return nil;
   }
@@ -419,7 +427,7 @@ - (SecIdentityRef)identityFromFile:(NSString *)file password:(NSString *)passwor
   NSArray *identities = CFBridgingRelease(cfIdentities);
 
   if (err != errSecSuccess) {
-    [self log:@"Client Trust: Couldn't load client certificate %@: %d", self.clientCertFile, err];
+    [self log:@"[Client Trust] Couldn't load client certificate %@: %d", self.clientCertFile, err];
     return nil;
   }
 
@@ -437,7 +445,7 @@ - (NSArray *)locateIntermediatesForCertificate:(MOLCertificate *)leafCert
   OSStatus res = SecTrustCreateWithCertificates(leafCert.certRef, NULL, &t);
   if (res != errSecSuccess) {
     NSString *errMsg = CFBridgingRelease(SecCopyErrorMessageString(res, NULL));
-    [self log:@"Failed to create trust for locating intermediate certs: %@", errMsg];
+    [self log:@"[Client Trust] Failed to create trust for locating intermediate certs: %@", errMsg];
     return nil;
   }
 
diff --git a/Source/santactl/BUILD b/Source/santactl/BUILD
@@ -85,6 +85,7 @@ objc_library(
         ":SNTCommandTelemetry",
         ":santactl_cmd",
         "//Source/common:CertificateHelpers",
+        "//Source/common:MOLAuthenticatingURLSession",
         "//Source/common:MOLCertificate",
         "//Source/common:MOLCodesignChecker",
         "//Source/common:MOLXPCConnection",
@@ -108,6 +109,7 @@ objc_library(
         "//Source/common:StoredEventHelpers",
         "//Source/common:SystemResources",
         "@FMDB",
+        "@abseil-cpp//absl/cleanup:cleanup",
     ],
 )
 
diff --git a/Source/santactl/Commands/SNTCommandDoctor.mm b/Source/santactl/Commands/SNTCommandDoctor.mm
@@ -20,6 +20,9 @@
 #include <optional>
 #include <vector>
 
+#include "absl/cleanup/cleanup.h"
+
+#import "Source/common/MOLAuthenticatingURLSession.h"
 #import "Source/common/SNTConfigurator.h"
 #import "Source/common/SNTLogging.h"
 #import "Source/common/SystemResources.h"
@@ -77,6 +80,7 @@ - (void)runWithArguments:(NSArray *)arguments {
   BOOL err = NO;
   err |= [self validateProcesses];
   err |= [self validateConfiguration];
+  err |= [self validateSync];
   exit(err);
 }
 
@@ -126,6 +130,7 @@ - (BOOL)validateConfiguration {
   NSArray *errors = [[SNTConfigurator configurator] validateConfiguration];
   if (!errors.count) {
     print(@"[+] No configuration errors detected");
+    print(@"");
     return NO;
   }
 
@@ -137,4 +142,80 @@ - (BOOL)validateConfiguration {
   return YES;
 }
 
+- (BOOL)validateSync {
+  print(@"=> Validating sync...");
+
+  SNTConfigurator *config = [SNTConfigurator configurator];
+
+  NSURL *syncBaseURL = config.syncBaseURL;
+  if (!syncBaseURL) {
+    print(@"[+] Sync is disabled");
+    print(@"");
+    // Don't treat this as an error.
+    return YES;
+  }
+  print(@"[+] Sync is enabled");
+
+  if (![syncBaseURL.scheme isEqualToString:@"https"]) {
+    print(@"[-] Sync is not using HTTPS");
+  } else {
+    print(@"[+] Sync is using HTTPS");
+  }
+
+  NSURLSessionConfiguration *sessConfig = [NSURLSessionConfiguration defaultSessionConfiguration];
+  sessConfig.connectionProxyDictionary = [[SNTConfigurator configurator] syncProxyConfig];
+
+  MOLAuthenticatingURLSession *authURLSession =
+      [[MOLAuthenticatingURLSession alloc] initWithSessionConfiguration:sessConfig];
+  authURLSession.userAgent = @"santactl-sync/";
+  NSString *santactlVersion = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"CFBundleVersion"];
+  if (santactlVersion) {
+    authURLSession.userAgent = [authURLSession.userAgent stringByAppendingString:santactlVersion];
+  }
+  authURLSession.refusesRedirects = YES;
+  authURLSession.serverHostname = syncBaseURL.host;
+  authURLSession.loggingBlock = ^(NSString *line) {
+    print(@"%s", [line UTF8String]);
+  };
+
+  // Configure server auth
+  if ([config syncServerAuthRootsFile]) {
+    authURLSession.serverRootsPemFile = [config syncServerAuthRootsFile];
+  } else if ([config syncServerAuthRootsData]) {
+    authURLSession.serverRootsPemData = [config syncServerAuthRootsData];
+  }
+
+  // Configure client auth
+  if ([config syncClientAuthCertificateFile]) {
+    NSString *certFile = [config syncClientAuthCertificateFile];
+    authURLSession.clientCertFile = certFile;
+    authURLSession.clientCertPassword = [config syncClientAuthCertificatePassword];
+  } else if ([config syncClientAuthCertificateCn]) {
+    authURLSession.clientCertCommonName = [config syncClientAuthCertificateCn];
+  } else if ([config syncClientAuthCertificateIssuer]) {
+    authURLSession.clientCertIssuerCn = [config syncClientAuthCertificateIssuer];
+  }
+
+  dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+  NSURLSessionDataTask *task = [[authURLSession session]
+        dataTaskWithURL:[syncBaseURL URLByAppendingPathComponent:@"/preflight/santactl-doctor-test"]
+      completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+        absl::Cleanup cleanup = ^{
+          dispatch_semaphore_signal(semaphore);
+        };
+
+        if (error) {
+          print(@"[-] Failed to retrieve preflight data");
+          return;
+        }
+        print(@"[+] Preflight request succeeded");
+      }];
+  [task resume];
+  dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+
+  print(@"");
+
+  return NO;
+}
+
 @end
