1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
// SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
// SPDX-License-Identifier: GPL-2.0-or-later
import Foundation
import NextcloudFileProviderKit
import os
///
/// macOS keychain abstraction to fetch account passwords.
///
struct Keychain {
let logger: FileProviderLogger
init(log: any FileProviderLogging) {
self.logger = FileProviderLogger(category: "Keychain", log: log)
}
///
/// Lookup a generic password for the given account on the given server.
///
/// - Returns: `nil` in case of any error or the password not being found.
///
func getPassword(for account: String, on server: String) -> String? {
logger.debug("Looking for password of \"\(account)\" on \"\(server)\" in keychain...")
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: account,
kSecAttrServer as String: server,
kSecMatchLimit as String: kSecMatchLimitOne,
kSecReturnAttributes as String: true,
kSecReturnData as String: true
]
var item: CFTypeRef?
let status = SecItemCopyMatching(query as CFDictionary, &item)
guard status != errSecItemNotFound else {
logger.error("Item not found!")
return nil
}
guard status == errSecSuccess else {
logger.error("Keychain status: \(status)")
return nil
}
guard let existingItem = item as? [String : Any], let passwordData = existingItem[kSecValueData as String] as? Data, let password = String(data: passwordData, encoding: String.Encoding.utf8) else {
logger.error("Unexpected password data!")
return nil
}
logger.debug("Found \(password.isEmpty ? "empty" : "non-empty") password for \"\(account)\" on \"\(server)\" in keychain.")
return password
}
func savePassword(_ password: String, for account: String, on server: String) {
guard password.isEmpty == false else {
logger.error("Not saving password password for \"\(account)\" on \"\(server)\" because it is empty!")
return
}
logger.debug("Saving password for \"\(account)\" on \"\(server)\"...")
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: account,
kSecAttrServer as String: server
]
// First, check if an item already exists
let status = SecItemCopyMatching(query as CFDictionary, nil)
if status == errSecSuccess {
// Item exists, update it
let updateAttributes: [String: Any] = [
kSecValueData as String: password.data(using: .utf8)!
]
let updateStatus = SecItemUpdate(query as CFDictionary, updateAttributes as CFDictionary)
if updateStatus == errSecSuccess {
logger.debug("Succeeded to update password for \"\(account)\" on \"\(server)\" in keychain.")
} else {
logger.error("Failed to update password for \"\(account)\" on \"\(server)\" in keychain. Status: \(updateStatus)")
}
} else if status == errSecItemNotFound {
// Item doesn't exist, add a new one
let addQuery: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrAccount as String: account,
kSecAttrServer as String: server,
kSecValueData as String: password.data(using: .utf8)!
]
let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
if addStatus == errSecSuccess {
logger.debug("Succeeded to add password for \"\(account)\" on \"\(server)\" in keychain.")
} else {
logger.error("Failed to add password for \"\(account)\" on \"\(server)\" in keychain. Status: \(addStatus)")
}
} else {
logger.error("Failed to check for existing password for \"\(account)\" on \"\(server)\" in keychain. Status: \(status)")
}
}
}
|
