From 2b3eb5412c96182e3a97b3e5c292ab4d639a5c84 Mon Sep 17 00:00:00 2001
From: Roopesh Chander
Date: Mon, 8 Feb 2021 00:50:11 +0530
Subject: [PATCH] Keychain: Use app group when dereferencing a password reference

Co-authored-by: Davide De Rosa

Better retain access group every time keychain is written to or read from, there is no good reason to omit it. Requires Keychain method to be reverted to non-static.

Partially revert 4490f0c116d64d1c79f3ce2a1d2b0fe67549f640, based on wrong assumptions about password references.
---
 TunnelKit/Sources/AppExtension/Keychain.swift | 6 ++----
 .../OpenVPN/AppExtension/OpenVPNTunnelProvider.swift | 9 ++++++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/TunnelKit/Sources/AppExtension/Keychain.swift b/TunnelKit/Sources/AppExtension/Keychain.swift
index 8ff99ed..fdeb254 100644
--- a/TunnelKit/Sources/AppExtension/Keychain.swift
+++ b/TunnelKit/Sources/AppExtension/Keychain.swift
@@ -201,12 +201,10 @@ public class Keychain {
 - Returns: The password for the input username and reference.
 - Throws: `KeychainError.notFound` if unable to find the password in the keychain.
 **/
- public static func password(for username: String, reference: Data, context: String? = nil) throws -> String {
+ public func password(for username: String, reference: Data, context: String? = nil) throws -> String {
 var query = [String: Any]()
+ setScope(query: &query, context: context)
 query[kSecClass as String] = kSecClassGenericPassword
- if let context = context {
- query[kSecAttrService as String] = context
- }
 query[kSecAttrAccount as String] = username
 query[kSecMatchItemList as String] = [reference]
 query[kSecReturnData as String] = true
diff --git a/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift b/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
index 9095bdf..9aef1b1 100644
--- a/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
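Review bot: The added `setScope(query: &query, context: context)` is now the only thing that decides which access group (and, when `context` is given, which service) the persistent reference is resolved in, yet the method's doc comment does not say so — its `- Parameter` lines sit above the hunk, only `- Returns`/`- Throws` are visible. I would extend the comment with `- Note: The reference is resolved within the receiver's access group (and within \`context\` when given); a reference created under a different group is not found and \`KeychainError.notFound\` is thrown.` — presuming, as the commit message states, that `setScope` applies the receiver's group. Since `kSecReturnData` is set and the decrypted secret is returned as a `String`, the `- Returns` line could also remind callers not to log or persist the value outside the keychain. The body of `password(for:reference:context:)` continues past the hunk, so the actual `SecItem` call and error mapping are not reviewed here.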
+++ b/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
@@ -212,9 +212,12 @@ open class OpenVPNTunnelProvider: NEPacketTunnelProvider {
 // optional credentials
 let credentials: OpenVPN.Credentials?
- if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference,
- let password = try? Keychain.password(for: username, reference: passwordReference) {
-
+ if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference {
+ let keychain = Keychain(group: appGroup)
+ guard let password = try? keychain.password(for: username, reference: passwordReference) else {
+ completionHandler(ProviderConfigurationError.credentials(details: "keychain.password(for:, reference:)"))
+ return
+ }
 credentials = OpenVPN.Credentials(username, password)
 } else {
 credentials = nil