Merge pull request #192 from passepartoutvpn/refactor-keychain-access

Refactor keychain access
This commit is contained in:
Davide De Rosa 2020-12-20 19:35:02 +01:00 committed by GitHub
commit 341e0e3ba8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 80 additions and 65 deletions

View File

@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Changed
- Update API to access current Wi-Fi SSID.
- Refactor access to keychain.
## 3.0.0 (2020-11-15)

View File

@ -45,45 +45,27 @@ public enum KeychainError: Error {
/// Item not found.
case notFound
/// Operation cancelled or unauthorized.
case userCancelled
// /// Unexpected item type returned.
// case typeMismatch
}
/// Wrapper for easy keychain access and modification.
public class Keychain {
private let service: String?
private let accessGroup: String?
/// :nodoc:
public init() {
service = Bundle.main.bundleIdentifier
accessGroup = nil
}
/**
Creates a keychain in an App Group.
Creates a keychain.
- Parameter group: The App Group.
- Precondition: Proper App Group entitlements.
- Parameter group: An optional App Group.
- Precondition: Proper App Group entitlements (if group is non-nil).
**/
public init(group: String) {
service = nil
public init(group: String?) {
accessGroup = group
}
/**
Creates a keychain in an App Group and a Team ID prefix.
- Parameter team: The Team ID prefix.
- Parameter group: The App Group.
- Precondition: Proper App Group entitlements.
**/
public init(team: String, group: String) {
service = nil
accessGroup = "\(team).\(group)"
}
// MARK: Password
/**
@ -91,33 +73,35 @@ public class Keychain {
- Parameter password: The password to set.
- Parameter username: The username to set the password for.
- Parameter label: An optional label.
- Parameter context: An optional context.
- Throws: `KeychainError.add` if unable to add the password to the keychain.
**/
public func set(password: String, for username: String, label: String? = nil) throws {
public func set(password: String, for username: String, context: String? = nil) throws {
do {
let currentPassword = try self.password(for: username)
let currentPassword = try self.password(for: username, context: context)
guard password != currentPassword else {
return
}
} catch {
// no pre-existing password
removePassword(for: username, context: context)
} catch let e as KeychainError {
// rethrow cancelation
if e == .userCancelled {
throw e
}
removePassword(for: username)
// otherwise, no pre-existing password
}
var query = [String: Any]()
setScope(query: &query)
setScope(query: &query, context: context)
query[kSecClass as String] = kSecClassGenericPassword
if let label = label {
query[kSecAttrLabel as String] = label
}
query[kSecAttrAccount as String] = username
query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
query[kSecValueData as String] = password.data(using: .utf8)
let status = SecItemAdd(query as CFDictionary, nil)
guard (status == errSecSuccess) else {
guard status == errSecSuccess else {
throw KeychainError.add
}
}
@ -126,36 +110,44 @@ public class Keychain {
Removes a password.
- Parameter username: The username to remove the password for.
- Parameter context: An optional context.
- Returns: `true` if the password was successfully removed.
**/
@discardableResult public func removePassword(for username: String) -> Bool {
@discardableResult public func removePassword(for username: String, context: String? = nil) -> Bool {
var query = [String: Any]()
setScope(query: &query)
setScope(query: &query, context: context)
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrAccount as String] = username
let status = SecItemDelete(query as CFDictionary)
return (status == errSecSuccess)
return status == errSecSuccess
}
/**
Gets a password.
- Parameter username: The username to get the password for.
- Parameter context: An optional context.
- Returns: The password for the input username.
- Throws: `KeychainError.notFound` if unable to find the password in the keychain.
**/
public func password(for username: String) throws -> String {
public func password(for username: String, context: String? = nil) throws -> String {
var query = [String: Any]()
setScope(query: &query)
setScope(query: &query, context: context)
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrAccount as String] = username
query[kSecMatchLimit as String] = kSecMatchLimitOne
query[kSecReturnData as String] = true
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard (status == errSecSuccess) else {
switch SecItemCopyMatching(query as CFDictionary, &result) {
case errSecSuccess:
break
case errSecUserCanceled:
throw KeychainError.userCancelled
default:
throw KeychainError.notFound
}
guard let data = result as? Data else {
@ -171,20 +163,27 @@ public class Keychain {
Gets a password reference.
- Parameter username: The username to get the password for.
- Parameter context: An optional context.
- Returns: The password reference for the input username.
- Throws: `KeychainError.notFound` if unable to find the password in the keychain.
**/
public func passwordReference(for username: String) throws -> Data {
public func passwordReference(for username: String, context: String? = nil) throws -> Data {
var query = [String: Any]()
setScope(query: &query)
setScope(query: &query, context: context)
query[kSecClass as String] = kSecClassGenericPassword
query[kSecAttrAccount as String] = username
query[kSecMatchLimit as String] = kSecMatchLimitOne
query[kSecReturnPersistentRef as String] = true
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard (status == errSecSuccess) else {
switch SecItemCopyMatching(query as CFDictionary, &result) {
case errSecSuccess:
break
case errSecUserCanceled:
throw KeychainError.userCancelled
default:
throw KeychainError.notFound
}
guard let data = result as? Data else {
@ -198,19 +197,29 @@ public class Keychain {
- Parameter username: The username to get the password for.
- Parameter reference: The password reference.
- Parameter context: An optional context.
- Returns: The password for the input username and reference.
- Throws: `KeychainError.notFound` if unable to find the password in the keychain.
**/
public static func password(for username: String, reference: Data) throws -> String {
public static func password(for username: String, reference: Data, context: String? = nil) throws -> String {
var query = [String: Any]()
query[kSecClass as String] = kSecClassGenericPassword
if let context = context {
query[kSecAttrService as String] = context
}
query[kSecAttrAccount as String] = username
query[kSecMatchItemList as String] = [reference]
query[kSecReturnData as String] = true
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard (status == errSecSuccess) else {
switch SecItemCopyMatching(query as CFDictionary, &result) {
case errSecSuccess:
break
case errSecUserCanceled:
throw KeychainError.userCancelled
default:
throw KeychainError.notFound
}
guard let data = result as? Data else {
@ -246,7 +255,7 @@ public class Keychain {
query.removeValue(forKey: kSecAttrService as String)
let status = SecItemAdd(query as CFDictionary, nil)
guard (status == errSecSuccess) else {
guard status == errSecSuccess else {
throw KeychainError.add
}
return try publicKey(withIdentifier: identifier)
@ -271,8 +280,14 @@ public class Keychain {
query.removeValue(forKey: kSecAttrService as String)
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard (status == errSecSuccess) else {
switch SecItemCopyMatching(query as CFDictionary, &result) {
case errSecSuccess:
break
case errSecUserCanceled:
throw KeychainError.userCancelled
default:
throw KeychainError.notFound
}
// guard let key = result as? SecKey else {
@ -299,18 +314,17 @@ public class Keychain {
query.removeValue(forKey: kSecAttrService as String)
let status = SecItemDelete(query as CFDictionary)
return (status == errSecSuccess)
return status == errSecSuccess
}
// MARK: Helpers
private func setScope(query: inout [String: Any]) {
if let service = service {
query[kSecAttrService as String] = service
} else if let accessGroup = accessGroup {
private func setScope(query: inout [String: Any], context: String?) {
if let accessGroup = accessGroup {
query[kSecAttrAccessGroup as String] = accessGroup
} else {
fatalError("No service nor accessGroup set")
}
if let context = context {
query[kSecAttrService as String] = context
}
}
}

View File

@ -403,12 +403,12 @@ extension OpenVPNTunnelProvider {
if let username = credentials?.username, let password = credentials?.password {
let keychain = Keychain(group: appGroup)
do {
try keychain.set(password: password, for: username, label: Bundle.main.bundleIdentifier)
try keychain.set(password: password, for: username, context: bundleIdentifier)
} catch _ {
throw ProviderConfigurationError.credentials(details: "keychain.set()")
}
protocolConfiguration.username = username
protocolConfiguration.passwordReference = try? keychain.passwordReference(for: username)
protocolConfiguration.passwordReference = try? keychain.passwordReference(for: username, context: bundleIdentifier)
}
protocolConfiguration.providerConfiguration = generatedProviderConfiguration(appGroup: appGroup)