Persist auth information to the iOS keychain (#5460)

* Add initial code hash generation implementation

* Adding auth state to iOS keychain

* Cleanup logging and error handling for initial auth persistence implementation (#5413)

* Cleanup logging and error handling for initial auth persistence implementation

* Update Nullability of error fields and reformat

* Move the error domain and enum into the AuthPersistence file

* Format Mach files

* Externalize handling of nullable error and greedily return on error

* Add initial code hash generation implementation

* Adding auth state to iOS keychain

* Cleanup logging and error handling for initial auth persistence implementation (#5413)

* Cleanup logging and error handling for initial auth persistence implementation

* Update Nullability of error fields and reformat

* Move the error domain and enum into the AuthPersistence file

* Format Mach files

* Externalize handling of nullable error and greedily return on error

* Add unittests for AppDistribution auth persistence

* Split out the keychain calls from control flow and error handling

* Add mocking and tests for auth persistence tests

* Remove debug logging

* Update styling

* Re-add resources to podspec and break out block for readability

Co-authored-by: Jeremy Durham <[email protected]>
Co-authored-by: Pranav Rajgopal <[email protected]>

Author: 3 people

FirebaseAppDistribution.podspec

@@ -36,8 +36,9 @@ iOS SDK for App Distribution for Firebase.
   }
 
   s.test_spec 'unit' do |unit_tests|
-    unit_tests.source_files = 'FirebaseAppDistribution/Tests/Unit*/*.[mh]'
-    unit_tests.resources = 'FirebaseAppDistribution/Tests/Unit/Resources/*'
+   unit_tests.source_files = 'FirebaseAppDistribution/Tests/Unit*/*.[mh]'
+   unit_tests.resources = 'FirebaseAppDistribution/Tests/Unit/Resources/*'
+   unit_tests.dependency 'OCMock'
   end
 
   # end

FirebaseAppDistribution/Sources/FIRAppDistribution.m

@@ -13,6 +13,7 @@
 // limitations under the License.
 
 #import "FIRAppDistribution+Private.h"
+#import "FIRAppDistributionAuthPersistence+Private.h"
 #import "FIRAppDistributionMachO+Private.h"
 #import "FIRAppDistributionRelease+Private.h"
 
@@ -60,8 +61,15 @@ - (instancetype)initWithApp:(FIRApp *)app appInfo:(NSDictionary *)appInfo {
     [GULAppDelegateSwizzler registerAppDelegateInterceptor:interceptor];
   }
 
-  // TODO: Lookup keychain to load auth state on init
+  NSError *authRetrievalError;
+  self.authState = [FIRAppDistributionAuthPersistence retrieveAuthState:&authRetrievalError];
+  // TODO (schnecle): replace NSLog statement with FIRLogger log statement
+  if (authRetrievalError) {
+    NSLog(@"Error retrieving token from keychain: %@", [authRetrievalError localizedDescription]);
+  }
+
   self.isTesterSignedIn = self.authState ? YES : NO;
+
   return self;
 }
 
@@ -128,50 +136,70 @@ - (void)signInTesterWithCompletion:(void (^)(NSError *_Nullable error))completio
 }
 
 - (void)signOutTester {
+  NSError *error;
+  BOOL didClearAuthState = [FIRAppDistributionAuthPersistence clearAuthState:&error];
+  // TODO (schnecle): Add in FIRLogger to report when we have failed to clear auth state
+  if (!didClearAuthState) {
+    NSLog(@"Error clearing token from keychain: %@", [error localizedDescription]);
+  }
+
   self.authState = nil;
   self.isTesterSignedIn = false;
 }
 
 - (void)fetchReleases:(FIRAppDistributionUpdateCheckCompletion)completion {
-  NSURLSession *URLSession = [NSURLSession sharedSession];
-  NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
-  NSString *URLString =
-      [NSString stringWithFormat:kReleasesEndpointURL, [[FIRApp defaultApp] options].googleAppID];
-  [request setURL:[NSURL URLWithString:URLString]];
-  [request setHTTPMethod:@"GET"];
-  [request setValue:[NSString
-                        stringWithFormat:@"Bearer %@", self.authState.lastTokenResponse.accessToken]
-      forHTTPHeaderField:@"Authorization"];
-
-  NSURLSessionDataTask *listReleasesDataTask = [URLSession
-      dataTaskWithRequest:request
-        completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
-          if (error) {
-            // TODO: Reformat error into error code
-            completion(nil, error);
-            return;
-          }
-
-          NSHTTPURLResponse *HTTPResponse = (NSHTTPURLResponse *)response;
-
-          if (HTTPResponse.statusCode == 200) {
-            [self handleReleasesAPIResponseWithData:data completion:completion];
-          } else {
-            // TODO: Handle non-200 http response
-            @throw([NSException exceptionWithName:@"NotImplementedException"
-                                           reason:@"This code path is not implemented yet"
-                                         userInfo:nil]);
-          }
-        }];
-
-  [listReleasesDataTask resume];
+  [self.authState performActionWithFreshTokens:^(NSString *_Nonnull accessToken,
+                                                 NSString *_Nonnull idToken,
+                                                 NSError *_Nullable error) {
+    if (error) {
+      // TODO (schnecle): Add in FIRLogger log statement
+      NSLog(@"Error fetching fresh tokens: %@", [error localizedDescription]);
+      [self signOutTester];
+      return;
+    }
+
+    // perform your API request using the tokens
+    NSURLSession *URLSession = [NSURLSession sharedSession];
+    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
+    NSString *URLString =
+        [NSString stringWithFormat:kReleasesEndpointURL, [[FIRApp defaultApp] options].googleAppID];
+    [request setURL:[NSURL URLWithString:URLString]];
+    [request setHTTPMethod:@"GET"];
+    [request setValue:[NSString stringWithFormat:@"Bearer %@", accessToken]
+        forHTTPHeaderField:@"Authorization"];
+
+    NSURLSessionDataTask *listReleasesDataTask = [URLSession
+        dataTaskWithRequest:request
+          completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
+            if (error) {
+              // TODO: Reformat error into error code
+              completion(nil, error);
+              return;
+            }
+
+            NSHTTPURLResponse *HTTPResponse = (NSHTTPURLResponse *)response;
+
+            if (HTTPResponse.statusCode == 200) {
+              [self handleReleasesAPIResponseWithData:data completion:completion];
+            } else {
+              // TODO: Handle non-200 http response
+              NSLog(@"ERROR - Non 200 service response - %@", HTTPResponse);
+              @throw([NSException exceptionWithName:@"NotImplementedException"
+                                             reason:@"This code path is not implemented yet"
+                                           userInfo:nil]);
+            }
+          }];
+
+    [listReleasesDataTask resume];
+  }];
 }
 
 - (void)handleOauthDiscoveryCompletion:(OIDServiceConfiguration *_Nullable)configuration
                                  error:(NSError *_Nullable)error
        appDistributionSignInCompletion:(void (^)(NSError *_Nullable error))completion {
   if (!configuration) {
     // TODO: Handle when we cannot get configuration
+    NSLog(@"ERROR - Cannot discover oauth config");
     @throw([NSException exceptionWithName:@"NotImplementedException"
                                    reason:@"This code path is not implemented yet"
                                  userInfo:nil]);
@@ -191,19 +219,32 @@ - (void)handleOauthDiscoveryCompletion:(OIDServiceConfiguration *_Nullable)confi
        additionalParameters:nil];
 
   [self setupUIWindowForLogin];
+
+  void (^processAuthState)(OIDAuthState *_Nullable authState, NSError *_Nullable error) = ^void(
+      OIDAuthState *_Nullable authState, NSError *_Nullable error) {
+    self.authState = authState;
+
+    // Capture errors in persistence but do not bubble them
+    // up
+    NSError *authPersistenceError;
+    if (authState) {
+      [FIRAppDistributionAuthPersistence persistAuthState:authState error:&authPersistenceError];
+    }
+
+    // TODO (schnecle): Log errors in persistence using
+    // FIRLogger
+    if (authPersistenceError) {
+      NSLog(@"Error persisting token to keychain: %@", [error localizedDescription]);
+    }
+    self.isTesterSignedIn = self.authState ? YES : NO;
+    completion(error);
+  };
+
   // performs authentication request
   [FIRAppDistributionAppDelegatorInterceptor sharedInstance].currentAuthorizationFlow =
       [OIDAuthState authStateByPresentingAuthorizationRequest:request
                                      presentingViewController:self.safariHostingViewController
-                                                     callback:^(OIDAuthState *_Nullable authState,
-                                                                NSError *_Nullable error) {
-                                                       [self cleanupUIWindow];
-
-                                                       self.authState = authState;
-                                                       self.isTesterSignedIn =
-                                                           self.authState ? YES : NO;
-                                                       completion(error);
-                                                     }];
+                                                     callback:processAuthState];
 }
 
 - (void)setupUIWindowForLogin {

FirebaseAppDistribution/Sources/FIRAppDistributionAuthPersistence.m

@@ -0,0 +1,122 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#import "FIRAppDistributionAuthPersistence+Private.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+NSString *const kFIRAppDistributionAuthPersistenceErrorDomain =
+    @"com.firebase.app_distribution.auth_persistence";
+
+@implementation FIRAppDistributionAuthPersistence
+
++ (void)handleAuthStateError:(NSError **_Nullable)error
+                 description:(NSString *)description
+                        code:(FIRAppDistributionKeychainError)code {
+  if (error) {
+    NSDictionary *userInfo = @{NSLocalizedDescriptionKey : description};
+    *error = [NSError errorWithDomain:kFIRAppDistributionAuthPersistenceErrorDomain
+                                 code:code
+                             userInfo:userInfo];
+  }
+}
+
++ (BOOL)clearAuthState:(NSError **_Nullable)error {
+  NSMutableDictionary *keychainQuery = [self getKeyChainQuery];
+  BOOL success = [FIRAppDistributionKeychainUtility deleteKeychainItem:keychainQuery];
+
+  if (!success) {
+    NSString *description = NSLocalizedString(
+        @"Failed to clear auth state from keychain. Tester will overwrite data on sign in.",
+        @"Error message for failure to retrieve auth state from keychain");
+    [self handleAuthStateError:error
+                   description:description
+                          code:FIRAppDistributionErrorTokenDeletionFailure];
+    return NO;
+  }
+
+  return YES;
+}
+
++ (OIDAuthState *)retrieveAuthState:(NSError **_Nullable)error {
+  NSMutableDictionary *keychainQuery = [self getKeyChainQuery];
+  [keychainQuery setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnData];
+  [keychainQuery setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
+  NSData *passwordData = [FIRAppDistributionKeychainUtility fetchKeychainItemMatching:keychainQuery
+                                                                                error:NULL];
+  NSData *result = nil;
+
+  if (!passwordData) {
+    NSString *description = NSLocalizedString(
+        @"Failed to retrieve auth state from keychain. Tester will have to sign in again.",
+        @"Error message for failure to retrieve auth state from keychain");
+    [self handleAuthStateError:error
+                   description:description
+                          code:FIRAppDistributionErrorTokenRetrievalFailure];
+    return nil;
+  }
+
+  result = [passwordData copy];
+
+  if (!result) {
+    NSString *description =
+        NSLocalizedString(@"Failed to unarchive auth state. Tester will have to sign in again.",
+                          @"Error message for failure to retrieve auth state from keychain");
+    [self handleAuthStateError:error
+                   description:description
+                          code:FIRAppDistributionErrorTokenRetrievalFailure];
+    return nil;
+  }
+
+  OIDAuthState *authState = [FIRAppDistributionKeychainUtility unarchiveKeychainResult:result];
+
+  return authState;
+}
+
++ (BOOL)persistAuthState:(OIDAuthState *)authState error:(NSError **_Nullable)error {
+  NSData *authorizationData = [FIRAppDistributionKeychainUtility archiveDataForKeychain:authState];
+  NSMutableDictionary *keychainQuery = [self getKeyChainQuery];
+  BOOL success = NO;
+  BOOL hasAuthState = [self retrieveAuthState:NULL];
+  if (hasAuthState) {
+    success = [FIRAppDistributionKeychainUtility updateKeychainItem:keychainQuery
+                                                 withDataDictionary:authorizationData];
+  } else {
+    success = [FIRAppDistributionKeychainUtility addKeychainItem:keychainQuery
+                                              withDataDictionary:authorizationData];
+  }
+
+  if (!success) {
+    NSString *description = NSLocalizedString(
+        @"Failed to persist auth state. Tester will have to sign in again after app close.",
+        @"Error message for failure to persist auth state to keychain");
+    [self handleAuthStateError:error
+                   description:description
+                          code:FIRAppDistributionErrorTokenPersistenceFailure];
+    return NO;
+  }
+
+  return YES;
+}
+
++ (NSMutableDictionary *)getKeyChainQuery {
+  NSMutableDictionary *keychainQuery = [NSMutableDictionary
+      dictionaryWithObjectsAndKeys:(id)kSecClassGenericPassword, (id)kSecClass, @"OAuth",
+                                   (id)kSecAttrGeneric, @"OAuth", (id)kSecAttrAccount,
+                                   @"fire-fad-auth", (id)kSecAttrService, nil];
+  return keychainQuery;
+}
+
+@end
+
+NS_ASSUME_NONNULL_END

FirebaseAppDistribution/Sources/FIRAppDistributionKeychainUtility.m

@@ -0,0 +1,79 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#import <AppAuth/AppAuth.h>
+#import "FIRAppDistributionKeychainUtility+Private.h"
+
+NSString *const kFIRAppDistributionKeychainErrorDomain = @"com.firebase.app_distribution.keychain";
+
+@implementation FIRAppDistributionKeychainUtility
+
++ (void)handleAuthStateError:(NSError **_Nullable)error
+                 description:(NSString *)description
+                        code:(int)code {
+  if (error) {
+    NSDictionary *userInfo = @{NSLocalizedDescriptionKey : description};
+    *error = [NSError errorWithDomain:kFIRAppDistributionKeychainErrorDomain
+                                 code:code
+                             userInfo:userInfo];
+  }
+}
+
++ (BOOL)addKeychainItem:(nonnull NSMutableDictionary *)keychainQuery
+     withDataDictionary:(nonnull NSData *)data {
+  [keychainQuery setObject:data forKey:(id)kSecValueData];
+  OSStatus status = SecItemAdd((CFDictionaryRef)keychainQuery, NULL);
+
+  return status == noErr ? YES : NO;
+}
+
++ (BOOL)updateKeychainItem:(nonnull NSMutableDictionary *)keychainQuery
+        withDataDictionary:(nonnull NSData *)data {
+  OSStatus status =
+      SecItemUpdate((CFDictionaryRef)keychainQuery, (CFDictionaryRef) @{(id)kSecValueData : data});
+  return status == noErr ? YES : NO;
+}
+
++ (BOOL)deleteKeychainItem:(nonnull NSMutableDictionary *)keychainQuery {
+  OSStatus status = SecItemDelete((CFDictionaryRef)keychainQuery);
+
+  return status != errSecSuccess && status != errSecItemNotFound ? NO : YES;
+}
+
++ (NSData *)fetchKeychainItemMatching:(nonnull NSMutableDictionary *)keychainQuery
+                                error:(NSError **_Nullable)error {
+  NSData *keychainItem;
+  OSStatus status = SecItemCopyMatching((CFDictionaryRef)keychainQuery, (void *)&keychainItem);
+
+  if (status != noErr || 0 == [keychainItem length]) {
+    if (error) {
+      NSString *description =
+          NSLocalizedString(@"Failed to fetch keychain item.",
+                            @"Error message for failure to retrieve auth state from keychain");
+      [self handleAuthStateError:error description:description code:0];
+      return nil;
+    }
+  }
+
+  return keychainItem;
+}
+
++ (OIDAuthState *)unarchiveKeychainResult:(NSData *)result {
+  return (OIDAuthState *)[NSKeyedUnarchiver unarchiveObjectWithData:result];
+}
+
++ (NSData *)archiveDataForKeychain:(OIDAuthState *)data {
+  return [NSKeyedArchiver archivedDataWithRootObject:data];
+}
+
+@end

FirebaseAppDistribution/Sources/FIRAppDistributionMachO.m

@@ -36,7 +36,6 @@ - (instancetype)initWithPath:(NSString*)path {
     _slices = [NSMutableArray new];
     [self extractSlices];
   }
-
   return self;
 }