Keychain: Use app group when dereferencing a password reference

Co-authored-by: Davide De Rosa <keeshux@gmail.com> Better retain access group every time keychain is written to or read from, there is no good reason to omit it. Requires Keychain method to be reverted to non-static. Partially revert 4490f0c116, based on wrong assumptions about password references.
2021-02-08 00:50:11 +05:30 · 2021-02-08 00:50:11 +05:30 · 2b3eb5412c
parent 4114605520
commit 2b3eb5412c
2 changed files with 8 additions and 7 deletions
--- a/TunnelKit/Sources/AppExtension/Keychain.swift
+++ b/TunnelKit/Sources/AppExtension/Keychain.swift
@ -201,12 +201,10 @@ public class Keychain {
     - Returns: The password for the input username and reference.
     - Throws: `KeychainError.notFound` if unable to find the password in the keychain.
     **/
-    public static func password(for username: String, reference: Data, context: String? = nil) throws -> String {
+    public func password(for username: String, reference: Data, context: String? = nil) throws -> String {
        var query = [String: Any]()
+        setScope(query: &query, context: context)
        query[kSecClass as String] = kSecClassGenericPassword
-        if let context = context {
-            query[kSecAttrService as String] = context
-        }
        query[kSecAttrAccount as String] = username
        query[kSecMatchItemList as String] = [reference]
        query[kSecReturnData as String] = true
--- a/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
+++ b/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
@ -212,9 +212,12 @@ open class OpenVPNTunnelProvider: NEPacketTunnelProvider {

        // optional credentials
        let credentials: OpenVPN.Credentials?
-        if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference,
-            let password = try? Keychain.password(for: username, reference: passwordReference) {
-
+        if let username = protocolConfiguration.username, let passwordReference = protocolConfiguration.passwordReference {
+            let keychain = Keychain(group: appGroup)
+            guard let password = try? keychain.password(for: username, reference: passwordReference) else {
+                completionHandler(ProviderConfigurationError.credentials(details: "keychain.password(for:, reference:)"))
+                return
+            }
            credentials = OpenVPN.Credentials(username, password)
        } else {
            credentials = nil