Merge pull request #58 from purejava/new-touch-id-provider

infeo · web-flow · commit 9d8fddb75195 · 2024-12-16T19:12:30.000+01:00
Add Touch ID provider
diff --git a/src/main/headers/org_cryptomator_macos_keychain_MacKeychain_Native.h b/src/main/headers/org_cryptomator_macos_keychain_MacKeychain_Native.h
diff --git a/src/main/java/module-info.java b/src/main/java/module-info.java
@@ -5,6 +5,7 @@
 import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 import org.cryptomator.macos.autostart.MacAutoStartProvider;
 import org.cryptomator.macos.keychain.MacSystemKeychainAccess;
+import org.cryptomator.macos.keychain.TouchIdKeychainAccess;
 import org.cryptomator.macos.revealpath.OpenCmdRevealPathService;
 import org.cryptomator.macos.tray.MacTrayIntegrationProvider;
 import org.cryptomator.macos.uiappearance.MacUiAppearanceProvider;
@@ -14,7 +15,7 @@
 	requires org.slf4j;
 
 	provides AutoStartProvider with MacAutoStartProvider;
-	provides KeychainAccessProvider with MacSystemKeychainAccess;
+	provides KeychainAccessProvider with MacSystemKeychainAccess, TouchIdKeychainAccess;
 	provides RevealPathService with OpenCmdRevealPathService;
 	provides TrayIntegrationProvider with MacTrayIntegrationProvider;
 	provides UiAppearanceProvider with MacUiAppearanceProvider;
diff --git a/src/main/java/org/cryptomator/macos/keychain/MacKeychain.java b/src/main/java/org/cryptomator/macos/keychain/MacKeychain.java
@@ -104,6 +104,15 @@ public boolean deletePassword(String serviceName, String account) throws Keychai
 		}
 	}
 
+	/**
+	 * Tests whether biometric authentication via Touch ID is supported and allowed on the device
+	 *
+	 * @return <code>true</code> if biometric authentication is available, <code>false</code> otherwise
+	 */
+	public boolean isTouchIDavailable() {
+		return Native.INSTANCE.isTouchIDavailable();
+	}
+
 	// initialization-on-demand pattern, as loading the .dylib is an expensive operation
 	private static class Native {
 		static final Native INSTANCE = new Native();
@@ -117,6 +126,8 @@ private Native() {
 		public native byte[] loadPassword(byte[] service, byte[] account);
 
 		public native int deletePassword(byte[] service, byte[] account);
+
+		public native boolean isTouchIDavailable();
 	}
 
 }
diff --git a/src/main/java/org/cryptomator/macos/keychain/MacSystemKeychainAccess.java b/src/main/java/org/cryptomator/macos/keychain/MacSystemKeychainAccess.java
@@ -34,6 +34,11 @@ public String displayName() {
 		return Localization.get().getString("org.cryptomator.macos.keychain.displayName");
 	}
 
+	@Override
+	public void storePassphrase(String key, String displayName, CharSequence passphrase) throws KeychainAccessException {
+		keychain.storePassword(SERVICE_NAME, key, passphrase, false);
+	}
+
 	@Override
 	public void storePassphrase(String key, String displayName, CharSequence passphrase, boolean requireOsAuthentication) throws KeychainAccessException {
 		keychain.storePassword(SERVICE_NAME, key, passphrase, requireOsAuthentication);
diff --git a/src/main/java/org/cryptomator/macos/keychain/TouchIdKeychainAccess.java b/src/main/java/org/cryptomator/macos/keychain/TouchIdKeychainAccess.java
@@ -0,0 +1,75 @@
+package org.cryptomator.macos.keychain;
+
+import org.cryptomator.integrations.common.OperatingSystem;
+import org.cryptomator.integrations.common.Priority;
+import org.cryptomator.integrations.keychain.KeychainAccessException;
+import org.cryptomator.integrations.keychain.KeychainAccessProvider;
+import org.cryptomator.macos.common.Localization;
+
+/**
+ * Stores passwords in the macOS system keychain. Requires an authenticated user to do so.
+ * Authentication is done via TouchID or password as a fallback, when TouchID is not available.
+ * <p>
+ * Items are stored in the default keychain with the service name <code>Cryptomator</code>, unless configured otherwise
+ * using the system property <code>cryptomator.integrationsMac.keychainServiceName</code>.
+ */
+@Priority(1010)
+@OperatingSystem(OperatingSystem.Value.MAC)
+public class TouchIdKeychainAccess implements KeychainAccessProvider {
+
+	private static final String SERVICE_NAME = System.getProperty("cryptomator.integrationsMac.keychainServiceName", "Cryptomator");
+
+	private final MacKeychain keychain;
+
+	public TouchIdKeychainAccess() {
+		this(new MacKeychain());
+	}
+
+	// visible for testing
+	TouchIdKeychainAccess(MacKeychain keychain) {
+		this.keychain = keychain;
+	}
+
+	@Override
+	public String displayName() {
+		return Localization.get().getString("org.cryptomator.macos.keychain.touchIdDisplayName");
+	}
+
+	@Override
+	public void storePassphrase(String key, String displayName, CharSequence passphrase) throws KeychainAccessException {
+		keychain.storePassword(SERVICE_NAME, key, passphrase, true);
+	}
+
+	@Override
+	public void storePassphrase(String key, String displayName, CharSequence passphrase, boolean requireOsAuthentication) throws KeychainAccessException {
+		keychain.storePassword(SERVICE_NAME, key, passphrase, requireOsAuthentication);
+	}
+
+	@Override
+	public char[] loadPassphrase(String key) {
+		return keychain.loadPassword(SERVICE_NAME, key);
+	}
+
+	@Override
+	public boolean isSupported() {
+		return keychain.isTouchIDavailable();
+	}
+
+	@Override
+	public boolean isLocked() {
+		return false;
+	}
+
+	@Override
+	public void deletePassphrase(String key) throws KeychainAccessException {
+		keychain.deletePassword(SERVICE_NAME, key);
+	}
+
+	@Override
+	public void changePassphrase(String key, String displayName, CharSequence passphrase) throws KeychainAccessException {
+		if (keychain.deletePassword(SERVICE_NAME, key)) {
+			keychain.storePassword(SERVICE_NAME, key, passphrase, true);
+		}
+	}
+
+}
diff --git a/src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m b/src/main/native/org_cryptomator_macos_keychain_MacKeychain_Native.m
@@ -123,3 +123,14 @@ JNIEXPORT jint JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_00024Nati
 	(*env)->ReleaseByteArrayElements(env, key, keyStr, JNI_ABORT);
 	return status;
 }
+
+JNIEXPORT jboolean JNICALL Java_org_cryptomator_macos_keychain_MacKeychain_00024Native_isTouchIDavailable(JNIEnv *env, jobject thisObj) {
+	NSError *error = nil;
+	LAContext *context = getSharedLAContext();
+	if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
+		return JNI_TRUE;
+	} else {
+		NSLog(@"Touch ID is not available: %@", error.localizedDescription);
+		return JNI_FALSE;
+	}
+}
diff --git a/src/main/resources/META-INF/services/org.cryptomator.integrations.keychain.KeychainAccessProvider b/src/main/resources/META-INF/services/org.cryptomator.integrations.keychain.KeychainAccessProvider
@@ -1 +1,2 @@
-org.cryptomator.macos.keychain.MacSystemKeychainAccess
+org.cryptomator.macos.keychain.MacSystemKeychainAccess
+org.cryptomator.macos.keychain.TouchIdKeychainAccess
diff --git a/src/main/resources/MacIntegrationsBundle.properties b/src/main/resources/MacIntegrationsBundle.properties
@@ -1 +1,2 @@
-org.cryptomator.macos.keychain.displayName=macOS Keychain
+org.cryptomator.macos.keychain.displayName=macOS Keychain
+org.cryptomator.macos.keychain.touchIdDisplayName=Touch ID
diff --git a/src/test/java/org/cryptomator/macos/keychain/KeychainAccessProviderTest.java b/src/test/java/org/cryptomator/macos/keychain/KeychainAccessProviderTest.java
@@ -12,7 +12,9 @@ public class KeychainAccessProviderTest {
 	public void testLoadMacSystemKeychainAccess() {
 		var provider = KeychainAccessProvider.get().findAny();
 		Assertions.assertTrue(provider.isPresent());
-		Assertions.assertInstanceOf(MacSystemKeychainAccess.class, provider.get());
+		Assertions.assertTrue(
+				provider.get() instanceof TouchIdKeychainAccess
+						|| provider.get() instanceof MacSystemKeychainAccess);
 	}
 
 }

Original file line number	Diff line number	Diff line change
`@@ -104,6 +104,15 @@ public boolean deletePassword(String serviceName, String account) throws Keychai`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`
	`107`	`+ /**`
	`108`	`+ * Tests whether biometric authentication via Touch ID is supported and allowed on the device`
	`109`	`+ *`
	`110`	`+ * @return <code>true</code> if biometric authentication is available, <code>false</code> otherwise`
	`111`	`+ */`
	`112`	`+ public boolean isTouchIDavailable() {`
	`113`	`+ return Native.INSTANCE.isTouchIDavailable();`
	`114`	`+ }`
	`115`	`+`
`107`	`116`	`// initialization-on-demand pattern, as loading the .dylib is an expensive operation`
`108`	`117`	`private static class Native {`
`109`	`118`	`static final Native INSTANCE = new Native();`
`@@ -117,6 +126,8 @@ private Native() {`
`117`	`126`	`public native byte[] loadPassword(byte[] service, byte[] account);`
`118`	`127`
`119`	`128`	`public native int deletePassword(byte[] service, byte[] account);`
	`129`	`+`
	`130`	`+ public native boolean isTouchIDavailable();`
`120`	`131`	`}`
`121`	`132`
`122`	`133`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-org.cryptomator.macos.keychain.MacSystemKeychainAccess`
	`1`	`+org.cryptomator.macos.keychain.MacSystemKeychainAccess`
	`2`	`+org.cryptomator.macos.keychain.TouchIdKeychainAccess`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-org.cryptomator.macos.keychain.displayName=macOS Keychain`
	`1`	`+org.cryptomator.macos.keychain.displayName=macOS Keychain`
	`2`	`+org.cryptomator.macos.keychain.touchIdDisplayName=Touch ID`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,9 @@ public class KeychainAccessProviderTest {`
`12`	`12`	`public void testLoadMacSystemKeychainAccess() {`
`13`	`13`	`var provider = KeychainAccessProvider.get().findAny();`
`14`	`14`	`Assertions.assertTrue(provider.isPresent());`
`15`		`- Assertions.assertInstanceOf(MacSystemKeychainAccess.class, provider.get());`
	`15`	`+ Assertions.assertTrue(`
	`16`	`+ provider.get() instanceof TouchIdKeychainAccess`
	`17`	`+ \|\| provider.get() instanceof MacSystemKeychainAccess);`
`16`	`18`	`}`
`17`	`19`
`18`	`20`	`}`