[Auth] Fixed macOS extension keychain access by adding recommended kS… (#9102)

kamilpowalowski · web-flow · commit 480178b08712 · 2021-12-20T18:11:33.000-05:00
* [Auth] Fixed macOS extension keychain access by adding recommended kSecUseDataProtectionKeychain key

* Refactored FIRAuthStoredUserManager to extract keychain query building to separated function.
diff --git a/FirebaseAuth/CHANGELOG.md b/FirebaseAuth/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Unreleased
 - [changed] Added a `X-Firebase-GMPID` header to network requests. (#9046)
 - [fixed] Added multi-tenancy support to generic OAuth providers. (#7990)
+- [fixed] macOS Extension access to Shared Keychain by adding kSecUseDataProtectionKeychain recommended key (#6876)
 
 # 8.9.0
 - [changed] Improved error logging. (#8704)
diff --git a/FirebaseAuth/Sources/SystemService/FIRAuthStoredUserManager.m b/FirebaseAuth/Sources/SystemService/FIRAuthStoredUserManager.m
@@ -75,16 +75,9 @@ - (FIRUser *)getStoredUserForAccessGroup:(NSString *)accessGroup
              shareAuthStateAcrossDevices:(BOOL)shareAuthStateAcrossDevices
                        projectIdentifier:(NSString *)projectIdentifier
                                    error:(NSError *_Nullable *_Nullable)outError {
-  NSMutableDictionary *query = [[NSMutableDictionary alloc] init];
-  query[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword;
-
-  query[(__bridge id)kSecAttrAccessGroup] = accessGroup;
-  query[(__bridge id)kSecAttrService] = projectIdentifier;
-  query[(__bridge id)kSecAttrAccount] = kSharedKeychainAccountValue;
-  if (shareAuthStateAcrossDevices) {
-    query[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kCFBooleanTrue;
-  }
-
+  NSMutableDictionary *query = [self keychainQueryForAccessGroup:accessGroup
+                                     shareAuthStateAcrossDevices:shareAuthStateAcrossDevices
+                                               projectIdentifier:projectIdentifier];
   NSData *data = [self.keychainServices getItemWithQuery:query error:outError];
   // If there's an outError parameter and it's populated, or there's no data, return.
   if ((outError && *outError) || !data) {
@@ -113,22 +106,15 @@ - (BOOL)setStoredUser:(FIRUser *)user
     shareAuthStateAcrossDevices:(BOOL)shareAuthStateAcrossDevices
               projectIdentifier:(NSString *)projectIdentifier
                           error:(NSError *_Nullable *_Nullable)outError {
-  NSMutableDictionary *query = [[NSMutableDictionary alloc] init];
-  query[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword;
+  NSMutableDictionary *query = [self keychainQueryForAccessGroup:accessGroup
+                                     shareAuthStateAcrossDevices:shareAuthStateAcrossDevices
+                                               projectIdentifier:projectIdentifier];
   if (shareAuthStateAcrossDevices) {
     query[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock;
   } else {
     query[(__bridge id)kSecAttrAccessible] =
         (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
   }
-
-  query[(__bridge id)kSecAttrAccessGroup] = accessGroup;
-  query[(__bridge id)kSecAttrService] = projectIdentifier;
-  query[(__bridge id)kSecAttrAccount] = kSharedKeychainAccountValue;
-  if (shareAuthStateAcrossDevices) {
-    query[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kCFBooleanTrue;
-  }
-
 #if TARGET_OS_WATCH
   NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initRequiringSecureCoding:false];
 #else
@@ -153,23 +139,44 @@ - (BOOL)removeStoredUserForAccessGroup:(NSString *)accessGroup
            shareAuthStateAcrossDevices:(BOOL)shareAuthStateAcrossDevices
                      projectIdentifier:(NSString *)projectIdentifier
                                  error:(NSError *_Nullable *_Nullable)outError {
-  NSMutableDictionary *query = [[NSMutableDictionary alloc] init];
-  query[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword;
+  NSMutableDictionary *query = [self keychainQueryForAccessGroup:accessGroup
+                                     shareAuthStateAcrossDevices:shareAuthStateAcrossDevices
+                                               projectIdentifier:projectIdentifier];
   if (shareAuthStateAcrossDevices) {
     query[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock;
   } else {
     query[(__bridge id)kSecAttrAccessible] =
         (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
   }
-  if (shareAuthStateAcrossDevices) {
-    query[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kCFBooleanTrue;
-  }
+  return [self.keychainServices removeItemWithQuery:query error:outError];
+}
+
+#pragma mark - Internal Methods
 
+- (NSMutableDictionary *)keychainQueryForAccessGroup:(NSString *)accessGroup
+                         shareAuthStateAcrossDevices:(BOOL)shareAuthStateAcrossDevices
+                                   projectIdentifier:(NSString *)projectIdentifier {
+  NSMutableDictionary *query = [[NSMutableDictionary alloc] init];
+  query[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword;
   query[(__bridge id)kSecAttrAccessGroup] = accessGroup;
   query[(__bridge id)kSecAttrService] = projectIdentifier;
   query[(__bridge id)kSecAttrAccount] = kSharedKeychainAccountValue;
 
-  return [self.keychainServices removeItemWithQuery:query error:outError];
+  if (@available(iOS 13.0, macOS 10.15, macCatalyst 13.0, tvOS 13.0, watchOS 6.0, *)) {
+    /*
+      "The data protection key affects operations only in macOS.
+      Other platforms automatically behave as if the key is set to true,
+      and ignore the key in the query dictionary. You can safely use the key on all platforms."
+      [kSecUseDataProtectionKeychain](https://developer.apple.com/documentation/security/ksecusedataprotectionkeychain)
+    */
+    query[(__bridge id)kSecUseDataProtectionKeychain] = (__bridge id)kCFBooleanTrue;
+  }
+
+  if (shareAuthStateAcrossDevices) {
+    query[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kCFBooleanTrue;
+  }
+
+  return query;
 }
 
 @end
