Use separate Keychain for each app (#224)

* Use separate Keychain for each app

* Fix macOS and Linux tests

* Allow macOS app keychain to upgrade

Author: cbaker6

CHANGELOG.md

@@ -1,9 +1,15 @@
 # Parse-Swift Changelog
 
 ### main
-[Full Changelog](https://github.com/parse-community/Parse-Swift/compare/1.9.7...main)
+[Full Changelog](https://github.com/parse-community/Parse-Swift/compare/1.9.8...main)
 * _Contributing to this repo? Add info about your change here to be included in the next release_
 
+### 1.9.8
+[Full Changelog](https://github.com/parse-community/Parse-Swift/compare/1.9.7...1.9.8)
+
+__Fixes__
+- Use a seperate Keychain for each app bundleId. This only effects macOS apps as their Keychain is handled by the OS differently. For macOS app developers only, the user who logged in last to your app will have their Keychain upgraded to the patched version. Other users/apps will either need to login again or logout then login again ([#224](https://github.com/parse-community/Parse-Swift/pull/224)), thanks to [Corey Baker](https://github.com/cbaker6).
+
 ### 1.9.7
 [Full Changelog](https://github.com/parse-community/Parse-Swift/compare/1.9.6...1.9.7)
 

Sources/ParseSwift/Parse.swift

@@ -138,9 +138,18 @@ public struct ParseSwift {
         do {
             let previousSDKVersion = try ParseVersion(ParseVersion.current)
             let currentSDKVersion = try ParseVersion(ParseConstants.version)
+            let oneNineEightSDKVersion = try ParseVersion("1.9.8")
 
             // All migrations from previous versions to current should occur here:
-
+            #if !os(Linux) && !os(Android)
+            if previousSDKVersion < oneNineEightSDKVersion {
+                // Old macOS Keychain can't be used because it's global to all apps.
+                _ = KeychainStore.old
+                KeychainStore.shared.copy(keychain: KeychainStore.old)
+                // Need to delete the old Keychain because a new one is created with bundleId.
+                try? KeychainStore.old.deleteAll()
+            }
+            #endif
             if currentSDKVersion > previousSDKVersion {
                 ParseVersion.current = currentSDKVersion.string
             }

Sources/ParseSwift/ParseConstants.swift

@@ -10,7 +10,7 @@ import Foundation
 
 enum ParseConstants {
     static let sdk = "swift"
-    static let version = "1.9.7"
+    static let version = "1.9.8"
     static let fileManagementDirectory = "parse/"
     static let fileManagementPrivateDocumentsDirectory = "Private Documents/"
     static let fileManagementLibraryDirectory = "Library/"

Sources/ParseSwift/Storage/KeychainStore.swift

@@ -31,16 +31,43 @@ func getKeychainQueryTemplate(forService service: String) -> [String: String] {
 struct KeychainStore: SecureStorage {
     let synchronizationQueue: DispatchQueue
     private let keychainQueryTemplate: [String: String]
-
-    public static var shared = KeychainStore(service: "shared")
-
-    init(service: String) {
-        synchronizationQueue = DispatchQueue(label: "com.parse.keychain.\(service)",
+    static var shared = KeychainStore()
+    // This Keychain was used by SDK <= 1.9.7
+    static var old = KeychainStore(service: "shared")
+
+    init(service: String? = nil) {
+        var keychainService = ".parseSwift.sdk"
+        if let service = service {
+            keychainService = service
+        } else if let identifier = Bundle.main.bundleIdentifier {
+            keychainService = "\(identifier)\(keychainService)"
+        } else {
+            keychainService = "com\(keychainService)"
+        }
+        synchronizationQueue = DispatchQueue(label: "\(keychainService).keychain",
                                              qos: .default,
                                              attributes: .concurrent,
                                              autoreleaseFrequency: .inherit,
                                              target: nil)
-        keychainQueryTemplate = getKeychainQueryTemplate(forService: service)
+        keychainQueryTemplate = getKeychainQueryTemplate(forService: keychainService)
+    }
+
+    func copy(keychain: KeychainStore) {
+        if let user = keychain.data(forKey: ParseStorage.Keys.currentUser) {
+            _ = try? set(user, forKey: ParseStorage.Keys.currentUser)
+        }
+        if let installation = keychain.data(forKey: ParseStorage.Keys.currentInstallation) {
+            _ = try? set(installation, forKey: ParseStorage.Keys.currentInstallation)
+        }
+        if let version = keychain.data(forKey: ParseStorage.Keys.currentVersion) {
+            _ = try? set(version, forKey: ParseStorage.Keys.currentVersion)
+        }
+        if let config = keychain.data(forKey: ParseStorage.Keys.currentConfig) {
+            _ = try? set(config, forKey: ParseStorage.Keys.currentConfig)
+        }
+        if let acl = keychain.data(forKey: ParseStorage.Keys.defaultACL) {
+            _ = try? set(acl, forKey: ParseStorage.Keys.defaultACL)
+        }
     }
 
     private func keychainQuery(forKey key: String) -> [String: Any] {
@@ -69,20 +96,7 @@ struct KeychainStore: SecureStorage {
         }
         do {
             let data = try ParseCoding.jsonEncoder().encode(object)
-            let query = keychainQuery(forKey: key)
-            let update = [
-                kSecValueData as String: data
-            ]
-
-            let status = synchronizationQueue.sync(flags: .barrier) { () -> OSStatus in
-                if self.data(forKey: key) != nil {
-                    return SecItemUpdate(query as CFDictionary, update as CFDictionary)
-                }
-                let mergedQuery = query.merging(update) { (_, otherValue) -> Any in otherValue }
-                return SecItemAdd(mergedQuery as CFDictionary, nil)
-            }
-
-            return status == errSecSuccess
+            return try set(data, forKey: key)
         } catch {
             return false
         }
@@ -145,13 +159,31 @@ struct KeychainStore: SecureStorage {
         return data
     }
 
+    private func set(_ data: Data, forKey key: String) throws -> Bool {
+        let query = keychainQuery(forKey: key)
+        let update = [
+            kSecValueData as String: data
+        ]
+
+        let status = synchronizationQueue.sync(flags: .barrier) { () -> OSStatus in
+            if self.data(forKey: key) != nil {
+                return SecItemUpdate(query as CFDictionary, update as CFDictionary)
+            }
+            let mergedQuery = query.merging(update) { (_, otherValue) -> Any in otherValue }
+            return SecItemAdd(mergedQuery as CFDictionary, nil)
+        }
+
+        return status == errSecSuccess
+    }
+
     private func removeObject(forKeyUnsafe key: String) -> Bool {
         dispatchPrecondition(condition: .onQueue(synchronizationQueue))
         return SecItemDelete(keychainQuery(forKey: key) as CFDictionary) == errSecSuccess
     }
 }
 
-extension KeychainStore /* TypedSubscript */ {
+// MARK: TypedSubscript
+extension KeychainStore {
     subscript(string key: String) -> String? {
         get {
             return object(forKey: key)

Sources/ParseSwift/Storage/SecureStorage.swift

@@ -9,7 +9,7 @@
 import Foundation
 
 protocol SecureStorage {
-    init(service: String)
+    init(service: String?)
     func object<T>(forKey key: String) -> T? where T: Decodable
     func set<T>(object: T?, forKey: String) -> Bool where T: Encodable
     subscript <T>(key: String) -> T? where T: Codable { get }

Sources/ParseSwift/Types/ParseVersion.swift

@@ -22,7 +22,13 @@ public struct ParseVersion: Encodable {
                     guard let versionFromKeyChain: String =
                         try? KeychainStore.shared.get(valueFor: ParseStorage.Keys.currentVersion)
                          else {
-                        return nil
+                        guard let versionFromKeyChain: String =
+                            try? KeychainStore.old.get(valueFor: ParseStorage.Keys.currentVersion)
+                             else {
+                            return nil
+                        }
+                        try? KeychainStore.shared.set(versionFromKeyChain, for: ParseStorage.Keys.currentVersion)
+                        return versionFromKeyChain
                     }
                     return versionFromKeyChain
                 #else

Tests/ParseSwiftTests/InitializeSDKTests.swift

@@ -30,6 +30,11 @@ class InitializeSDKTests: XCTestCase {
         var customKey: String?
     }
 
+    struct Config: ParseConfig {
+        var welcomeMessage: String?
+        var winningNumber: Int?
+    }
+
     override func setUpWithError() throws {
         try super.setUpWithError()
     }
@@ -250,6 +255,55 @@ class InitializeSDKTests: XCTestCase {
     }
 
     #if !os(Linux) && !os(Android)
+    func testMigrateOldKeychainToNew() throws {
+        var user = BaseParseUser()
+        user.objectId = "wow"
+        var userContainer = CurrentUserContainer<BaseParseUser>()
+        userContainer.currentUser = user
+        userContainer.sessionToken = "session"
+        var installation = Installation()
+        installation.objectId = "now"
+        var installationContainer = CurrentInstallationContainer<Installation>()
+        installationContainer.currentInstallation = installation
+        installationContainer.installationId = "id"
+        let config = Config(welcomeMessage: "hello", winningNumber: 5)
+        var configContainer = CurrentConfigContainer<Config>()
+        configContainer.currentConfig = config
+        var acl = ParseACL()
+        acl.setReadAccess(objectId: "hello", value: true)
+        acl.setReadAccess(objectId: "wow", value: true)
+        acl.setWriteAccess(objectId: "wow", value: true)
+        let aclContainer = DefaultACL(defaultACL: acl,
+                                      lastCurrentUserObjectId: user.objectId,
+                                      useCurrentUser: true)
+        let version = "1.9.7"
+        try? KeychainStore.old.set(version, for: ParseStorage.Keys.currentVersion)
+        try? KeychainStore.old.set(userContainer, for: ParseStorage.Keys.currentUser)
+        try? KeychainStore.old.set(installationContainer, for: ParseStorage.Keys.currentInstallation)
+        try? KeychainStore.old.set(configContainer, for: ParseStorage.Keys.currentConfig)
+        try? KeychainStore.old.set(aclContainer, for: ParseStorage.Keys.defaultACL)
+        let expectation1 = XCTestExpectation(description: "Wait")
+        DispatchQueue.main.asyncAfter(deadline: .now() + 2) {
+            guard let url = URL(string: "http://localhost:1337/1") else {
+                XCTFail("Should create valid URL")
+                return
+            }
+            ParseSwift.initialize(applicationId: "applicationId",
+                                  clientKey: "clientKey",
+                                  masterKey: "masterKey",
+                                  serverURL: url)
+            XCTAssertEqual(ParseVersion.current, ParseConstants.version)
+            XCTAssertEqual(BaseParseUser.current, user)
+            XCTAssertEqual(Installation.current, installation)
+            XCTAssertEqual(Config.current?.welcomeMessage, config.welcomeMessage)
+            XCTAssertEqual(Config.current?.winningNumber, config.winningNumber)
+            let defaultACL = try? ParseACL.defaultACL()
+            XCTAssertEqual(defaultACL, acl)
+            expectation1.fulfill()
+        }
+        wait(for: [expectation1], timeout: 10.0)
+    }
+
     func testMigrateObjcSDK() {
 
         //Set keychain the way objc sets keychain