Skip to content

Commit 4d10f32

Browse files
charlotteliangcharlotteliang
authored
update keychain access level (#4172)
1 parent 48a2a9e commit 4d10f32

9 files changed

+109
-137
lines changed

Example/InstanceID/Tests/FIRInstanceIDAuthKeyChainTest.m

Lines changed: 92 additions & 102 deletions
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,6 @@ - (void)testKeyChainNoCorruptionWithUniqueAccount {
8080
__weak FIRInstanceIDAuthKeychain *weakKeychain = keychain;
8181
[keychain setData:tokenInfoData1
8282
forService:service
83-
accessibility:NULL
8483
account:account1
8584
handler:^(NSError *error) {
8685
XCTAssertNil(error);
@@ -90,49 +89,47 @@ - (void)testKeyChainNoCorruptionWithUniqueAccount {
9089
scope:kScope
9190
token:kToken2];
9291
[weakKeychain
93-
setData:tokenInfoData2
94-
forService:service
95-
accessibility:NULL
96-
account:account2
97-
handler:^(NSError *error) {
98-
XCTAssertNil(error);
99-
// Now query the token and compare, they should not corrupt
100-
// each other.
101-
NSData *data1 = [weakKeychain dataForService:service account:account1];
92+
setData:tokenInfoData2
93+
forService:service
94+
account:account2
95+
handler:^(NSError *error) {
96+
XCTAssertNil(error);
97+
// Now query the token and compare, they should not corrupt
98+
// each other.
99+
NSData *data1 = [weakKeychain dataForService:service account:account1];
102100
#pragma clang diagnostic push
103101
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
104-
FIRInstanceIDTokenInfo *tokenInfo1 =
105-
[NSKeyedUnarchiver unarchiveObjectWithData:data1];
106-
XCTAssertEqualObjects(kToken1, tokenInfo1.token);
102+
FIRInstanceIDTokenInfo *tokenInfo1 =
103+
[NSKeyedUnarchiver unarchiveObjectWithData:data1];
104+
XCTAssertEqualObjects(kToken1, tokenInfo1.token);
107105

108-
NSData *data2 = [weakKeychain dataForService:service account:account2];
109-
FIRInstanceIDTokenInfo *tokenInfo2 =
110-
[NSKeyedUnarchiver unarchiveObjectWithData:data2];
106+
NSData *data2 = [weakKeychain dataForService:service account:account2];
107+
FIRInstanceIDTokenInfo *tokenInfo2 =
108+
[NSKeyedUnarchiver unarchiveObjectWithData:data2];
111109
#pragma clang diagnostic pop
112-
XCTAssertEqualObjects(kToken2, tokenInfo2.token);
113-
// Also check the cache data.
114-
XCTAssertEqual(weakKeychain.cachedKeychainData.count, 1);
115-
XCTAssertEqual(weakKeychain.cachedKeychainData[service].count, 2);
116-
XCTAssertEqualObjects(
117-
weakKeychain.cachedKeychainData[service][account1].firstObject,
118-
tokenInfoData1);
119-
XCTAssertEqualObjects(
120-
weakKeychain.cachedKeychainData[service][account2].firstObject,
121-
tokenInfoData2);
122-
123-
// Check wildcard query
124-
NSArray *results = [weakKeychain itemsMatchingService:service
125-
account:@"*"];
126-
XCTAssertEqual(results.count, 2);
127-
128-
// Clean up keychain at the end
129-
[weakKeychain removeItemsMatchingService:service
130-
account:@"*"
131-
handler:^(NSError *_Nonnull error) {
132-
XCTAssertNil(error);
133-
[noCurruptionExpectation fulfill];
134-
}];
135-
}];
110+
XCTAssertEqualObjects(kToken2, tokenInfo2.token);
111+
// Also check the cache data.
112+
XCTAssertEqual(weakKeychain.cachedKeychainData.count, 1);
113+
XCTAssertEqual(weakKeychain.cachedKeychainData[service].count, 2);
114+
XCTAssertEqualObjects(
115+
weakKeychain.cachedKeychainData[service][account1].firstObject,
116+
tokenInfoData1);
117+
XCTAssertEqualObjects(
118+
weakKeychain.cachedKeychainData[service][account2].firstObject,
119+
tokenInfoData2);
120+
121+
// Check wildcard query
122+
NSArray *results = [weakKeychain itemsMatchingService:service account:@"*"];
123+
XCTAssertEqual(results.count, 2);
124+
125+
// Clean up keychain at the end
126+
[weakKeychain removeItemsMatchingService:service
127+
account:@"*"
128+
handler:^(NSError *_Nonnull error) {
129+
XCTAssertNil(error);
130+
[noCurruptionExpectation fulfill];
131+
}];
132+
}];
136133
}];
137134
[self waitForExpectationsWithTimeout:1.0 handler:NULL];
138135
#endif
@@ -151,67 +148,64 @@ - (void)testKeyChainNoCorruptionWithUniqueService {
151148
FIRInstanceIDAuthKeychain *keychain =
152149
[[FIRInstanceIDAuthKeychain alloc] initWithIdentifier:kFIRInstanceIDTestKeychainId];
153150
__weak FIRInstanceIDAuthKeychain *weakKeychain = keychain;
154-
[keychain setData:tokenData
155-
forService:service1
156-
accessibility:NULL
157-
account:account
158-
handler:^(NSError *error) {
159-
XCTAssertNil(error);
160-
// Store a checkin info using the same keychain account, but different service.
161-
NSString *service2 = @"com.google.iid.checkin";
162-
FIRInstanceIDCheckinPreferences *preferences =
163-
[[FIRInstanceIDCheckinPreferences alloc] initWithDeviceID:kAuthID
164-
secretToken:kSecret];
165-
NSString *checkinKeychainContent = [preferences checkinKeychainContent];
166-
NSData *checkinData = [checkinKeychainContent dataUsingEncoding:NSUTF8StringEncoding];
167-
168-
[weakKeychain
169-
setData:checkinData
170-
forService:service2
171-
accessibility:NULL
172-
account:account
173-
handler:^(NSError *error) {
174-
XCTAssertNil(error);
175-
// Now query the token and compare, they should not corrupt
176-
// each other.
177-
NSData *data1 = [weakKeychain dataForService:service1 account:account];
151+
[keychain
152+
setData:tokenData
153+
forService:service1
154+
account:account
155+
handler:^(NSError *error) {
156+
XCTAssertNil(error);
157+
// Store a checkin info using the same keychain account, but different service.
158+
NSString *service2 = @"com.google.iid.checkin";
159+
FIRInstanceIDCheckinPreferences *preferences =
160+
[[FIRInstanceIDCheckinPreferences alloc] initWithDeviceID:kAuthID
161+
secretToken:kSecret];
162+
NSString *checkinKeychainContent = [preferences checkinKeychainContent];
163+
NSData *checkinData = [checkinKeychainContent dataUsingEncoding:NSUTF8StringEncoding];
164+
165+
[weakKeychain
166+
setData:checkinData
167+
forService:service2
168+
account:account
169+
handler:^(NSError *error) {
170+
XCTAssertNil(error);
171+
// Now query the token and compare, they should not corrupt
172+
// each other.
173+
NSData *data1 = [weakKeychain dataForService:service1 account:account];
178174
#pragma clang diagnostic push
179175
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
180-
FIRInstanceIDTokenInfo *tokenInfo1 =
181-
[NSKeyedUnarchiver unarchiveObjectWithData:data1];
176+
FIRInstanceIDTokenInfo *tokenInfo1 =
177+
[NSKeyedUnarchiver unarchiveObjectWithData:data1];
182178
#pragma clang diagnostic pop
183-
XCTAssertEqualObjects(kToken1, tokenInfo1.token);
184-
185-
NSData *data2 = [weakKeychain dataForService:service2 account:account];
186-
NSString *checkinKeychainContent =
187-
[[NSString alloc] initWithData:data2 encoding:NSUTF8StringEncoding];
188-
FIRInstanceIDCheckinPreferences *checkinPreferences =
189-
[FIRInstanceIDCheckinPreferences
190-
preferencesFromKeychainContents:checkinKeychainContent];
191-
XCTAssertEqualObjects(checkinPreferences.secretToken, kSecret);
192-
XCTAssertEqualObjects(checkinPreferences.deviceID, kAuthID);
193-
194-
NSArray *results = [weakKeychain itemsMatchingService:@"*"
195-
account:account];
196-
XCTAssertEqual(results.count, 2);
197-
// Also check the cache data.
198-
XCTAssertEqual(weakKeychain.cachedKeychainData.count, 2);
199-
XCTAssertEqualObjects(
200-
weakKeychain.cachedKeychainData[service1][account].firstObject,
201-
tokenData);
202-
XCTAssertEqualObjects(
203-
weakKeychain.cachedKeychainData[service2][account].firstObject,
204-
checkinData);
205-
206-
// Clean up keychain at the end
207-
[weakKeychain removeItemsMatchingService:@"*"
208-
account:@"*"
209-
handler:^(NSError *_Nonnull error) {
210-
XCTAssertNil(error);
211-
[noCurruptionExpectation fulfill];
212-
}];
213-
}];
214-
}];
179+
XCTAssertEqualObjects(kToken1, tokenInfo1.token);
180+
181+
NSData *data2 = [weakKeychain dataForService:service2 account:account];
182+
NSString *checkinKeychainContent =
183+
[[NSString alloc] initWithData:data2 encoding:NSUTF8StringEncoding];
184+
FIRInstanceIDCheckinPreferences *checkinPreferences =
185+
[FIRInstanceIDCheckinPreferences
186+
preferencesFromKeychainContents:checkinKeychainContent];
187+
XCTAssertEqualObjects(checkinPreferences.secretToken, kSecret);
188+
XCTAssertEqualObjects(checkinPreferences.deviceID, kAuthID);
189+
190+
NSArray *results = [weakKeychain itemsMatchingService:@"*" account:account];
191+
XCTAssertEqual(results.count, 2);
192+
// Also check the cache data.
193+
XCTAssertEqual(weakKeychain.cachedKeychainData.count, 2);
194+
XCTAssertEqualObjects(
195+
weakKeychain.cachedKeychainData[service1][account].firstObject, tokenData);
196+
XCTAssertEqualObjects(
197+
weakKeychain.cachedKeychainData[service2][account].firstObject,
198+
checkinData);
199+
200+
// Clean up keychain at the end
201+
[weakKeychain removeItemsMatchingService:@"*"
202+
account:@"*"
203+
handler:^(NSError *_Nonnull error) {
204+
XCTAssertNil(error);
205+
[noCurruptionExpectation fulfill];
206+
}];
207+
}];
208+
}];
215209
[self waitForExpectationsWithTimeout:1.0 handler:NULL];
216210
#endif
217211
}
@@ -237,7 +231,6 @@ - (void)testQueryCachedKeychainItems {
237231
__weak id weakKeychainMock = keychainMock;
238232
[keychain setData:tokenData
239233
forService:service
240-
accessibility:NULL
241234
account:account
242235
handler:^(NSError *error) {
243236
XCTAssertNil(error);
@@ -299,7 +292,6 @@ - (void)testCachedKeychainOverwrite {
299292
__weak FIRInstanceIDAuthKeychain *weakKeychain = keychain;
300293
[keychain setData:tokenData
301294
forService:service
302-
accessibility:NULL
303295
account:account
304296
handler:^(NSError *error) {
305297
XCTAssertNil(error);
@@ -344,7 +336,6 @@ - (void)testSetKeychainItemShouldDeleteOldEntry {
344336
__weak FIRInstanceIDAuthKeychain *weakKeychain = keychain;
345337
[keychain setData:tokenData
346338
forService:service
347-
accessibility:NULL
348339
account:account
349340
handler:^(NSError *error) {
350341
XCTAssertNil(error);
@@ -374,7 +365,6 @@ - (void)testInvalidQuery {
374365
NSData *data = [[NSData alloc] init];
375366
[keychain setData:data
376367
forService:@"*"
377-
accessibility:NULL
378368
account:@"*"
379369
handler:^(NSError *error) {
380370
XCTAssertNotNil(error);

Example/InstanceID/Tests/FIRInstanceIDCheckinStoreTest.m

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -213,7 +213,6 @@ - (void)testCheckinMigrationMovesToNewLocationInKeychain {
213213
NSData *data = [checkinKeychainContent dataUsingEncoding:NSUTF8StringEncoding];
214214
[fakeKeychain setData:data
215215
forService:kFIRInstanceIDLegacyCheckinKeychainService
216-
accessibility:nil
217216
account:kFIRInstanceIDLegacyCheckinKeychainAccount
218217
handler:^(NSError *error) {
219218
XCTAssertNil(error);

Example/InstanceID/Tests/FIRInstanceIDFakeKeychain.m

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -90,10 +90,9 @@ - (void)removeItemsMatchingService:(NSString *)service
9090
}
9191

9292
- (void)setData:(NSData *)data
93-
forService:(NSString *)service
94-
accessibility:(nullable CFTypeRef)accessibility
95-
account:(NSString *)account
96-
handler:(void (^)(NSError *error))handler {
93+
forService:(NSString *)service
94+
account:(NSString *)account
95+
handler:(void (^)(NSError *error))handler {
9796
if (self.cannotWriteToKeychain) {
9897
if (handler) {
9998
handler([NSError errorWithDomain:kFakeKeychainErrorDomain code:1001 userInfo:nil]);

Firebase/InstanceID/FIRInstanceIDAuthKeyChain.h

Lines changed: 5 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -73,25 +73,22 @@ NS_ASSUME_NONNULL_BEGIN
7373
handler:(nullable void (^)(NSError *error))handler;
7474

7575
/**
76-
* Set the data for a given service and account with a specific accessibility. If
77-
* accessibility is NULL we use `kSecAttrAccessibleAlwaysThisDeviceOnly` which
76+
* Set the data for a given service and account.
77+
* We use `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` which
7878
* prevents backup and restore to iCloud, and works for app extension that can
7979
* execute right after a device is restarted (and not unlocked).
8080
*
8181
* @param data The data to save.
8282
* @param service The `kSecAttrService` used to save the password.
83-
* @param accessibility The `kSecAttrAccessibility` used to save the password. If NULL
84-
* set this to `kSecAttrAccessibleAlwaysThisDeviceOnly`.
8583
* @param account The `kSecAttrAccount` used to save the password.
8684
* @param handler The callback handler which is invoked when the add operation is complete,
8785
* with an error if there is any.
8886
*
8987
*/
9088
- (void)setData:(NSData *)data
91-
forService:(NSString *)service
92-
accessibility:(nullable CFTypeRef)accessibility
93-
account:(NSString *)account
94-
handler:(nullable void (^)(NSError *))handler;
89+
forService:(NSString *)service
90+
account:(NSString *)account
91+
handler:(nullable void (^)(NSError *))handler;
9592

9693
@end
9794

Firebase/InstanceID/FIRInstanceIDAuthKeyChain.m

Lines changed: 5 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -167,10 +167,9 @@ - (void)removeItemsMatchingService:(NSString *)service
167167
}
168168

169169
- (void)setData:(NSData *)data
170-
forService:(NSString *)service
171-
accessibility:(CFTypeRef)accessibility
172-
account:(NSString *)account
173-
handler:(void (^)(NSError *))handler {
170+
forService:(NSString *)service
171+
account:(NSString *)account
172+
handler:(void (^)(NSError *))handler {
174173
if ([service isEqualToString:kFIRInstanceIDKeychainWildcardIdentifier] ||
175174
[account isEqualToString:kFIRInstanceIDKeychainWildcardIdentifier]) {
176175
if (handler) {
@@ -194,14 +193,8 @@ - (void)setData:(NSData *)data
194193
[self keychainQueryForService:service account:account];
195194
keychainQuery[(__bridge id)kSecValueData] = data;
196195

197-
if (accessibility != NULL) {
198-
keychainQuery[(__bridge id)kSecAttrAccessible] =
199-
(__bridge id)accessibility;
200-
} else {
201-
// Defaults to No backup
202-
keychainQuery[(__bridge id)kSecAttrAccessible] =
203-
(__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly;
204-
}
196+
keychainQuery[(__bridge id)kSecAttrAccessible] =
197+
(__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
205198
[[FIRInstanceIDKeychain sharedInstance]
206199
addItemWithQuery:keychainQuery
207200
handler:handler];

Firebase/InstanceID/FIRInstanceIDCheckinStore.m

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -130,7 +130,6 @@ - (void)saveCheckinPreferences:(FIRInstanceIDCheckinPreferences *)preferences
130130
NSData *data = [checkinKeychainContent dataUsingEncoding:NSUTF8StringEncoding];
131131
[self.keychain setData:data
132132
forService:kFIRInstanceIDCheckinKeychainService
133-
accessibility:nil
134133
account:self.bundleIdentifierForKeychainAccount
135134
handler:^(NSError *error) {
136135
if (error) {
@@ -225,7 +224,6 @@ - (void)migrateCheckinItemIfNeeded {
225224
// Save to new location
226225
[self.keychain setData:dataInOldLocation
227226
forService:kFIRInstanceIDCheckinKeychainService
228-
accessibility:NULL
229227
account:self.bundleIdentifierForKeychainAccount
230228
handler:nil];
231229
// Remove from old location

Firebase/InstanceID/FIRInstanceIDKeyPairStore.m

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -416,7 +416,7 @@ - (void)updateKeyRef:(SecKeyRef)keyRef
416416
(__bridge id)kSecAttrApplicationTag : updatedTagData,
417417
(__bridge id)kSecClass : (__bridge id)kSecClassKey,
418418
(__bridge id)kSecValueRef : (__bridge id)keyRef,
419-
(__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly,
419+
(__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
420420
};
421421
[[FIRInstanceIDKeychain sharedInstance] addItemWithQuery:addQuery
422422
handler:^(NSError *addError) {

0 commit comments

Comments
 (0)