Network Payload Capture

[NachoEmbrace]

This is a new feature that allows the users of the SDK to create rules through the admin dashboard to capture data from their app's http requests. The SDK receives these rules through the remote configuration and applies them when necessary.

The data is encrypted in the SDK before being converted to OpenTelemetry logs. This implementation uses hybrid encryption to secure the data. For this the users will also need to provide an asymmetrical public key for each rule.

Some details:

• Each rule can only be triggered once per session
• Rules must have an expiration date
• Rules can use regular expressions to match certain urls
• Rules can filter requests by http method and response status codes

Technical details:

• This feature was implemented inside the URLSessionCaptureService. Didn't make sense to swizzle all the URLSession stuff in 2 places.
• A new NetworkPayloadCaptureRule struct was added to EmbraceConfigInternal that is used to decode the remote configuration object.
• URLSessionTaskCaptureRule is the actual implementation of the rules that has an underlying NetworkPayloadCaptureRule from the remote config.
• NetworkPayloadCaptureHandler is the new class that handles all the logic and lives inside URLSessionTaskHandler.
• EncryptedNetworkPayload is the struct that handles the format for the encrypted payload that is included in the OTel logs.
• All the encryption logic also lives inside EncryptedNetworkPayload.
• It encrypts the entire payload by generating a 256 bits symmetrical key and using the aes-256-cbc encryption method provided by CommonCrypto.
• This symmetrical key is then encrypted using RSA.PKCS1 and the public key provided by the user.
• The OTel log contains attributes that defines they type of encryption used for both the payload and the key.

[github-actions[bot]]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

[github-actions[bot]]

	Warnings
:warning:	No CHANGELOG entry added.
:warning:	**Sources/EmbraceCore/Capture/Network/NetworkPayloadCapture/EncryptedNetworkPayload.swift#L83** - Prefer using UTF-8 encoded strings when converting between `String` and `Data` (`non_optional_string_data_conversion`)
:warning:	**Sources/EmbraceCore/Capture/Network/NetworkPayloadCapture/EncryptedNetworkPayload.swift#L94** - Prefer using UTF-8 encoded strings when converting between `String` and `Data` (`non_optional_string_data_conversion`)
:warning:	**Tests/EmbraceCoreTests/Capture/Network/NetworkPayloadCapture/EncryptedNetworkPayloadTests.swift#L40** - Prefer using UTF-8 encoded strings when converting between `String` and `Data` (`non_optional_string_data_conversion`)
:warning:	**Tests/EmbraceCoreTests/Capture/Network/NetworkPayloadCapture/EncryptedNetworkPayloadTests.swift#L58** - Prefer using UTF-8 encoded strings when converting between `String` and `Data` (`non_optional_string_data_conversion`)
:warning:	**Tests/TestSupport/TestConstants.swift#L13** - Prefer using UTF-8 encoded strings when converting between `String` and `Data` (`non_optional_string_data_conversion`)

Generated by :no_entry_sign: Danger Swift against 3ac2a510c4231887a544c8751c67c83469620b99

[codecov[bot]]

Codecov Report

Attention: Patch coverage is 95.66327% with 34 lines in your changes missing coverage. Please review.

Project coverage is 91.68%. Comparing base (5097a6f) to head (3ac2a51). Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
...twork/NetworkPayloadCapture/EncryptionHelper.swift	87.62%	12 Missing :warning:
...etworkPayloadCapture/EncryptedNetworkPayload.swift	87.30%	8 Missing :warning:
...workPayloadCapture/URLSessionTaskCaptureRule.swift	87.93%	7 Missing :warning:
...kPayloadCapture/NetworkPayloadCaptureHandler.swift	94.04%	5 Missing :warning:
...ts/EmbraceOTelInternalTests/EmbraceOTelTests.swift	0.00%	2 Missing :warning:

Additional details and impacted files

[](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io) ```diff @@ Coverage Diff @@ ## main #43 +/- ## ========================================== - Coverage 92.06% 91.68% -0.38% ========================================== Files 392 404 +12 Lines 18867 19794 +927 ========================================== + Hits 17369 18149 +780 - Misses 1498 1645 +147 ``` | [Files with missing lines](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?dropdown=coverage&src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io) | Coverage Δ | | |---|---|---| | [Sources/EmbraceConfigInternal/EmbraceConfig.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Sources%2FEmbraceConfigInternal%2FEmbraceConfig.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-U291cmNlcy9FbWJyYWNlQ29uZmlnSW50ZXJuYWwvRW1icmFjZUNvbmZpZy5zd2lmdA==) | `95.58% <100.00%> (-1.39%)` | :arrow_down: | | [...raceConfigInternal/NetworkPayloadCaptureRule.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Sources%2FEmbraceConfigInternal%2FNetworkPayloadCaptureRule.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-U291cmNlcy9FbWJyYWNlQ29uZmlnSW50ZXJuYWwvTmV0d29ya1BheWxvYWRDYXB0dXJlUnVsZS5zd2lmdA==) | `100.00% <100.00%> (ø)` | | | [...es/EmbraceConfigInternal/RemoteConfigPayload.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Sources%2FEmbraceConfigInternal%2FRemoteConfigPayload.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-U291cmNlcy9FbWJyYWNlQ29uZmlnSW50ZXJuYWwvUmVtb3RlQ29uZmlnUGF5bG9hZC5zd2lmdA==) | `100.00% <100.00%> (ø)` | | | [...ore/Capture/Network/URLSessionTask+Extension.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Sources%2FEmbraceCore%2FCapture%2FNetwork%2FURLSessionTask%2BExtension.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-U291cmNlcy9FbWJyYWNlQ29yZS9DYXB0dXJlL05ldHdvcmsvVVJMU2Vzc2lvblRhc2srRXh0ZW5zaW9uLnN3aWZ0) | `100.00% <100.00%> (ø)` | | | [...ceCore/Capture/Network/URLSessionTaskHandler.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Sources%2FEmbraceCore%2FCapture%2FNetwork%2FURLSessionTaskHandler.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-U291cmNlcy9FbWJyYWNlQ29yZS9DYXB0dXJlL05ldHdvcmsvVVJMU2Vzc2lvblRhc2tIYW5kbGVyLnN3aWZ0) | `97.58% <100.00%> (+0.41%)` | :arrow_up: | | [...mbraceConfigInternalTests/EmbraceConfigTests.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Tests%2FEmbraceConfigInternalTests%2FEmbraceConfigTests.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-VGVzdHMvRW1icmFjZUNvbmZpZ0ludGVybmFsVGVzdHMvRW1icmFjZUNvbmZpZ1Rlc3RzLnN3aWZ0) | `99.61% <100.00%> (+0.05%)` | :arrow_up: | | [...ConfigInternalTests/RemoteConfigPayloadTests.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Tests%2FEmbraceConfigInternalTests%2FRemoteConfigPayloadTests.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-VGVzdHMvRW1icmFjZUNvbmZpZ0ludGVybmFsVGVzdHMvUmVtb3RlQ29uZmlnUGF5bG9hZFRlc3RzLnN3aWZ0) | `100.00% <100.00%> (ø)` | | | [...kPayloadCapture/EncryptedNetworkPayloadTests.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Tests%2FEmbraceCoreTests%2FCapture%2FNetwork%2FNetworkPayloadCapture%2FEncryptedNetworkPayloadTests.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-VGVzdHMvRW1icmFjZUNvcmVUZXN0cy9DYXB0dXJlL05ldHdvcmsvTmV0d29ya1BheWxvYWRDYXB0dXJlL0VuY3J5cHRlZE5ldHdvcmtQYXlsb2FkVGVzdHMuc3dpZnQ=) | `100.00% <100.00%> (ø)` | | | [.../NetworkPayloadCapture/EncryptionHelperTests.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Tests%2FEmbraceCoreTests%2FCapture%2FNetwork%2FNetworkPayloadCapture%2FEncryptionHelperTests.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-VGVzdHMvRW1icmFjZUNvcmVUZXN0cy9DYXB0dXJlL05ldHdvcmsvTmV0d29ya1BheWxvYWRDYXB0dXJlL0VuY3J5cHRpb25IZWxwZXJUZXN0cy5zd2lmdA==) | `100.00% <100.00%> (ø)` | | | [...oadCapture/NetworkPayloadCaptureHandlerTests.swift](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree&filepath=Tests%2FEmbraceCoreTests%2FCapture%2FNetwork%2FNetworkPayloadCapture%2FNetworkPayloadCaptureHandlerTests.swift&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io#diff-VGVzdHMvRW1icmFjZUNvcmVUZXN0cy9DYXB0dXJlL05ldHdvcmsvTmV0d29ya1BheWxvYWRDYXB0dXJlL05ldHdvcmtQYXlsb2FkQ2FwdHVyZUhhbmRsZXJUZXN0cy5zd2lmdA==) | `100.00% <100.00%> (ø)` | | | ... and [10 more](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io) | | ... and [11 files with indirect coverage changes](https://app.codecov.io/gh/embrace-io/embrace-apple-sdk/pull/43/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=embrace-io)

[NachoEmbrace]

PR LGTM. One observation is that I would document specific parts of the code as we might forget about the inner details of this feature in the future. In particular, related to the encryption mechanisms. For example the expected values & formats on EncryptedPayloadResult (e.g. iv in hex), the expected format of the public key RSA.createKey(for publicKey: String), the usage of the hybrid key as mechanism, etc.

Comment added in EncryptedNetworkPayload.