[Auth] Add 'kSecUseDataProtectionKeychain' flag to keychain access (#10759)

* [Auth] Add 'kSecUseDataProtectionKeychain' flag to keychain access

* Add CHANGELOG entry

* [skip ci] Update CHANGELOG

* [skip ci] Update CHANGELOG (1)

Author: ncooke3

FirebaseAuth.podspec

@@ -98,6 +98,13 @@ supports email and password accounts, as well as several 3rd party authenticatio
       unit_tests.requires_app_host = true
       unit_tests.dependency 'OCMock'
       unit_tests.dependency 'HeartbeatLoggingTestUtils'
+
+      # This pre-processor directive is used to selectively disable keychain
+      # related code that blocks unit testing on macOS.
+      s.osx.pod_target_xcconfig = {
+        'GCC_PREPROCESSOR_DEFINITIONS' => 'FIREBASE_AUTH_MACOS_TESTING=1'
+      }
+
     end
   end
 end

FirebaseAuth/CHANGELOG.md

@@ -1,3 +1,9 @@
+# 10.5.0
+- [fixed] Prevent keychain pop-up when accessing Auth keychain in a Mac
+   app. Note that using Firebase Auth in a Mac app requires that the app
+   is signed with a provisioning profile that has the Keychain Sharing
+   capability enabled (see Firebase 9.6.0 release notes). (#10582)
+
 # 10.4.0
 - [fixed] Fix secure coding bugs in MFA. (#10632)
 - [fixed] Added handling of error returned from a blocking cloud function. (#10628)

FirebaseAuth/Sources/Storage/FIRAuthKeychainServices.m

@@ -226,11 +226,28 @@ - (void)deleteLegacyItemWithKey:(NSString *)key {
     @param key The key for the value being manipulated, used as the account field in the query.
  */
 - (NSDictionary *)genericPasswordQueryWithKey:(NSString *)key {
-  return @{
+  NSMutableDictionary *query = @{
     (__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
     (__bridge id)kSecAttrAccount : [kAccountPrefix stringByAppendingString:key],
     (__bridge id)kSecAttrService : _service,
-  };
+  }
+                                   .mutableCopy;
+
+  // TODO(ncooke3): Refactor Auth to provide a user defaults based
+  // implementation for unit testing purposes on macOS.
+#ifndef FIREBASE_AUTH_MACOS_TESTING
+  // The below key prevents keychain popups from appearing on the client. It
+  // requires a configured provisioing profile to function properly–– which
+  // cannot be checked into the repo. Rather than disable most of the Auth
+  // testing suite on macOS, the key is omitted. Paired with the
+  // `scripts/configure_test_keychain.sh` script, the popups do not block CI.
+  // See go/firebase-macos-keychain-popups for more details.
+  if (@available(iOS 13.0, macOS 10.15, macCatalyst 13.0, tvOS 13.0, watchOS 6.0, *)) {
+    query[(__bridge id)kSecUseDataProtectionKeychain] = (__bridge id)kCFBooleanTrue;
+  }
+#endif  // FIREBASE_AUTH_MACOS_TESTING
+
+  return [query copy];
 }
 
 /** @fn legacyGenericPasswordQueryWithKey: