metatext-app-ios-iphone-ipad/Secrets/Sources/Secrets/Secrets.swift

// Copyright © 2020 Metabolist. All rights reserved.

import Base16
import Foundation
import Keychain

public protocol SecretsStorable {
    var dataStoredInSecrets: Data { get }
    static func fromDataStoredInSecrets(_ data: Data) throws -> Self
}

enum SecretsStorableError: Error {
    case conversionFromDataStoredInSecrets(Data)
}

public struct Secrets {
    public let identityID: UUID
    private let keychain: Keychain.Type

    public init(identityID: UUID, keychain: Keychain.Type) {
        self.identityID = identityID
        self.keychain = keychain
    }
}

public extension Secrets {
    enum Item: String, CaseIterable {
        case clientID
        case clientSecret
        case accessToken
        case pushKey
        case pushAuth
        case databaseKey
    }
}

enum SecretsError: Error {
    case itemAbsent
}

extension Secrets.Item {
    enum Kind {
        case genericPassword
        case key
    }

    // Note `databaseKey` is a generic password and not a key
    var kind: Kind {
        switch self {
        case .pushKey: return .key
        default: return .genericPassword
        }
    }
}

public extension Secrets {
    // https://www.zetetic.net/sqlcipher/sqlcipher-api/#key
    static func databaseKey(identityID: UUID?, keychain: Keychain.Type) throws -> String {
        let passphraseData: Data
        let scopedSecrets: Secrets?

        if let identityID = identityID {
            scopedSecrets = Secrets(identityID: identityID, keychain: keychain)
        } else {
            scopedSecrets = nil
        }

        do {
            passphraseData = try scopedSecrets?.item(.databaseKey)
                ?? unscopedItem(.databaseKey, keychain: keychain)
        } catch SecretsError.itemAbsent {
            var bytes = [UInt8](repeating: 0, count: databaseKeyLength)
            let status = SecRandomCopyBytes(kSecRandomDefault, databaseKeyLength, &bytes)

            if status == errSecSuccess {
                passphraseData = Data(bytes)

                if let scopedSecrets = scopedSecrets {
                    try scopedSecrets.set(passphraseData, forItem: .databaseKey)
                } else {
                    try setUnscoped(passphraseData, forItem: .databaseKey, keychain: keychain)
                }
            } else {
                throw NSError(status: status)
            }
        }

        return "x'\(passphraseData.base16EncodedString(options: [.uppercase]))'"
    }

    func deleteAllItems() throws {
        for item in Secrets.Item.allCases {
            switch item.kind {
            case .genericPassword:
                try keychain.deleteGenericPassword(
                    account: scopedKey(item: item),
                    service: Self.keychainServiceName)
            case .key:
                try keychain.deleteKey(applicationTag: scopedKey(item: item))
            }
        }
    }

    func getClientID() throws -> String {
        try item(.clientID)
    }

    func setClientID(_ clientID: String) throws {
        try set(clientID, forItem: .clientID)
    }

    func getClientSecret() throws -> String {
        try item(.clientSecret)
    }

    func setClientSecret(_ clientSecret: String) throws {
        try set(clientSecret, forItem: .clientSecret)
    }

    func getAccessToken() throws -> String {
        try item(.accessToken)
    }

    func setAccessToken(_ accessToken: String) throws {
        try set(accessToken, forItem: .accessToken)
    }

    func generatePushKeyAndReturnPublicKey() throws -> Data {
        try keychain.generateKeyAndReturnPublicKey(
            applicationTag: scopedKey(item: .pushKey),
            attributes: PushKey.attributes)
    }

    func getPushKey() throws -> Data? {
        try keychain.getPrivateKey(
            applicationTag: scopedKey(item: .pushKey),
            attributes: PushKey.attributes)
    }

    func generatePushAuth() throws -> Data {
        var bytes = [UInt8](repeating: 0, count: PushKey.authLength)
        let status = SecRandomCopyBytes(kSecRandomDefault, PushKey.authLength, &bytes)

        if status == errSecSuccess {
            let pushAuth = Data(bytes)

            try set(pushAuth, forItem: .pushAuth)

            return pushAuth
        } else {
            throw NSError(status: status)
        }
    }

    func getPushAuth() throws -> Data? {
        try item(.pushAuth)
    }
}

private extension Secrets {
    static let keychainServiceName = "com.metabolist.metatext"
    static let databaseKeyLength = 32

    private static func set(_ data: SecretsStorable, forAccount account: String, keychain: Keychain.Type) throws {
        try keychain.setGenericPassword(
            data: data.dataStoredInSecrets,
            forAccount: account,
            service: keychainServiceName)
    }

    private static func get<T: SecretsStorable>(account: String, keychain: Keychain.Type) throws -> T {
        guard let data = try keychain.getGenericPassword(
                account: account,
                service: keychainServiceName) else {
            throw SecretsError.itemAbsent
        }

        return try T.fromDataStoredInSecrets(data)
    }

    static func setUnscoped(_ data: SecretsStorable, forItem item: Item, keychain: Keychain.Type) throws {
        try set(data, forAccount: item.rawValue, keychain: keychain)
    }

    static func unscopedItem<T: SecretsStorable>(_ item: Item, keychain: Keychain.Type) throws -> T {
        try get(account: item.rawValue, keychain: keychain)
    }

    func scopedKey(item: Item) -> String {
        identityID.uuidString + "." + item.rawValue
    }

    func set(_ data: SecretsStorable, forItem item: Item) throws {
        try Self.set(data, forAccount: scopedKey(item: item), keychain: keychain)
    }

    func item<T: SecretsStorable>(_ item: Item) throws -> T {
        try Self.get(account: scopedKey(item: item), keychain: keychain)
    }
}

extension Data: SecretsStorable {
    public var dataStoredInSecrets: Data { self }

    public static func fromDataStoredInSecrets(_ data: Data) throws -> Data {
        data
    }
}

extension String: SecretsStorable {
    public var dataStoredInSecrets: Data { Data(utf8) }

    public static func fromDataStoredInSecrets(_ data: Data) throws -> String {
        guard let string = String(data: data, encoding: .utf8) else {
            throw SecretsStorableError.conversionFromDataStoredInSecrets(data)
        }

        return string
    }
}

private struct PushKey {
    static let authLength = 16
    static let sizeInBits = 256
    static let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: sizeInBits]
}
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`// Copyright © 2020 Metabolist. All rights reserved.`

Modularize base16 encoding 2020-09-06 23:37:54 +02:00			`import Base16`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`import Foundation`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`import Keychain`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00
wip 2020-08-31 12:21:01 +02:00			`public protocol SecretsStorable {`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`var dataStoredInSecrets: Data { get }`
			`static func fromDataStoredInSecrets(_ data: Data) throws -> Self`
			`}`

			`enum SecretsStorableError: Error {`
			`case conversionFromDataStoredInSecrets(Data)`
			`}`

Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`public struct Secrets {`
wip 2020-08-31 12:21:01 +02:00			`public let identityID: UUID`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`private let keychain: Keychain.Type`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`public init(identityID: UUID, keychain: Keychain.Type) {`
Refactoring 2020-08-09 04:52:41 +02:00			`self.identityID = identityID`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`self.keychain = keychain`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`
			`}`

Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`public extension Secrets {`
Refactoring 2020-08-09 04:52:41 +02:00			`enum Item: String, CaseIterable {`
Push notifications 2020-08-12 09:24:39 +02:00			`case clientID`
			`case clientSecret`
			`case accessToken`
			`case pushKey`
			`case pushAuth`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`case databaseKey`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`
			`}`

Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`enum SecretsError: Error {`
Revoke access token when removing account 2020-08-14 05:40:46 +02:00			`case itemAbsent`
			`}`

Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`extension Secrets.Item {`
Refactoring 2020-08-14 03:59:17 +02:00			`enum Kind {`
			`case genericPassword`
			`case key`
			`}`

Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			// Note `databaseKey` is a generic password and not a key
Refactoring 2020-08-14 03:59:17 +02:00			`var kind: Kind {`
			`switch self {`
			`case .pushKey: return .key`
			`default: return .genericPassword`
			`}`
			`}`
			`}`

Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`public extension Secrets {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`// https://www.zetetic.net/sqlcipher/sqlcipher-api/#key`
			`static func databaseKey(identityID: UUID?, keychain: Keychain.Type) throws -> String {`
			`let passphraseData: Data`
Refactoring 2020-09-04 08:44:04 +02:00			`let scopedSecrets: Secrets?`
Encrypt local databases 2020-09-04 08:12:06 +02:00
Refactoring 2020-09-04 08:44:04 +02:00			`if let identityID = identityID {`
			`scopedSecrets = Secrets(identityID: identityID, keychain: keychain)`
			`} else {`
			`scopedSecrets = nil`
Encrypt local databases 2020-09-04 08:12:06 +02:00			`}`

Refactoring 2020-09-04 08:44:04 +02:00			`do {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`passphraseData = try scopedSecrets?.item(.databaseKey)`
			`?? unscopedItem(.databaseKey, keychain: keychain)`
Refactoring 2020-09-04 08:44:04 +02:00			`} catch SecretsError.itemAbsent {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`var bytes = [UInt8](repeating: 0, count: databaseKeyLength)`
			`let status = SecRandomCopyBytes(kSecRandomDefault, databaseKeyLength, &bytes)`
Encrypt local databases 2020-09-04 08:12:06 +02:00
Refactoring 2020-09-04 08:44:04 +02:00			`if status == errSecSuccess {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`passphraseData = Data(bytes)`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00
Refactoring 2020-09-04 08:44:04 +02:00			`if let scopedSecrets = scopedSecrets {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`try scopedSecrets.set(passphraseData, forItem: .databaseKey)`
Refactoring 2020-09-04 08:44:04 +02:00			`} else {`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`try setUnscoped(passphraseData, forItem: .databaseKey, keychain: keychain)`
Refactoring 2020-09-04 08:44:04 +02:00			`}`
			`} else {`
			`throw NSError(status: status)`
			`}`
			`}`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00
Modularize base16 encoding 2020-09-06 23:37:54 +02:00			`return "x'\(passphraseData.base16EncodedString(options: [.uppercase]))'"`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`

Refactoring 2020-08-09 04:52:41 +02:00			`func deleteAllItems() throws {`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`for item in Secrets.Item.allCases {`
Refactoring 2020-08-14 03:59:17 +02:00			`switch item.kind {`
			`case .genericPassword:`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`try keychain.deleteGenericPassword(`
Encrypt local databases 2020-09-04 08:12:06 +02:00			`account: scopedKey(item: item),`
Refactoring 2020-08-14 03:59:17 +02:00			`service: Self.keychainServiceName)`
			`case .key:`
Encrypt local databases 2020-09-04 08:12:06 +02:00			`try keychain.deleteKey(applicationTag: scopedKey(item: item))`
Refactoring 2020-08-14 03:59:17 +02:00			`}`
Refactoring 2020-08-09 04:52:41 +02:00			`}`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`
Push notifications 2020-08-12 09:24:39 +02:00
Refactoring 2020-09-04 08:44:04 +02:00			`func getClientID() throws -> String {`
			`try item(.clientID)`
			`}`

			`func setClientID(_ clientID: String) throws {`
			`try set(clientID, forItem: .clientID)`
			`}`

			`func getClientSecret() throws -> String {`
			`try item(.clientSecret)`
			`}`

			`func setClientSecret(_ clientSecret: String) throws {`
			`try set(clientSecret, forItem: .clientSecret)`
			`}`

			`func getAccessToken() throws -> String {`
			`try item(.accessToken)`
			`}`

			`func setAccessToken(_ accessToken: String) throws {`
			`try set(accessToken, forItem: .accessToken)`
			`}`

Push notifications 2020-08-12 09:24:39 +02:00			`func generatePushKeyAndReturnPublicKey() throws -> Data {`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`try keychain.generateKeyAndReturnPublicKey(`
Encrypt local databases 2020-09-04 08:12:06 +02:00			`applicationTag: scopedKey(item: .pushKey),`
Add push notification service extension 2020-08-13 12:18:21 +02:00			`attributes: PushKey.attributes)`
Push notifications 2020-08-12 09:24:39 +02:00			`}`

			`func getPushKey() throws -> Data? {`
Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`try keychain.getPrivateKey(`
Encrypt local databases 2020-09-04 08:12:06 +02:00			`applicationTag: scopedKey(item: .pushKey),`
Add push notification service extension 2020-08-13 12:18:21 +02:00			`attributes: PushKey.attributes)`
Push notifications 2020-08-12 09:24:39 +02:00			`}`

			`func generatePushAuth() throws -> Data {`
Add push notification service extension 2020-08-13 12:18:21 +02:00			`var bytes = [UInt8](repeating: 0, count: PushKey.authLength)`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`let status = SecRandomCopyBytes(kSecRandomDefault, PushKey.authLength, &bytes)`
Push notifications 2020-08-12 09:24:39 +02:00
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`if status == errSecSuccess {`
			`let pushAuth = Data(bytes)`
Push notifications 2020-08-12 09:24:39 +02:00
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`try set(pushAuth, forItem: .pushAuth)`
Push notifications 2020-08-12 09:24:39 +02:00
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`return pushAuth`
			`} else {`
			`throw NSError(status: status)`
			`}`
Push notifications 2020-08-12 09:24:39 +02:00			`}`

			`func getPushAuth() throws -> Data? {`
			`try item(.pushAuth)`
			`}`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`

Modularize Keychain and Secrets 2020-09-04 02:54:05 +02:00			`private extension Secrets {`
Push notifications 2020-08-12 09:24:39 +02:00			`static let keychainServiceName = "com.metabolist.metatext"`
Better SQLCipher key logic 2020-09-04 11:44:25 +02:00			`static let databaseKeyLength = 32`
Refactoring 2020-09-04 08:44:04 +02:00
			`private static func set(_ data: SecretsStorable, forAccount account: String, keychain: Keychain.Type) throws {`
			`try keychain.setGenericPassword(`
			`data: data.dataStoredInSecrets,`
			`forAccount: account,`
			`service: keychainServiceName)`
			`}`

			`private static func get<T: SecretsStorable>(account: String, keychain: Keychain.Type) throws -> T {`
			`guard let data = try keychain.getGenericPassword(`
			`account: account,`
			`service: keychainServiceName) else {`
			`throw SecretsError.itemAbsent`
			`}`

			`return try T.fromDataStoredInSecrets(data)`
			`}`

			`static func setUnscoped(_ data: SecretsStorable, forItem item: Item, keychain: Keychain.Type) throws {`
			`try set(data, forAccount: item.rawValue, keychain: keychain)`
			`}`

			`static func unscopedItem<T: SecretsStorable>(_ item: Item, keychain: Keychain.Type) throws -> T {`
			`try get(account: item.rawValue, keychain: keychain)`
			`}`
Push notifications 2020-08-12 09:24:39 +02:00
Encrypt local databases 2020-09-04 08:12:06 +02:00			`func scopedKey(item: Item) -> String {`
Use UUID instead of string for identity id 2020-08-08 01:19:13 +02:00			`identityID.uuidString + "." + item.rawValue`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`
Refactoring 2020-09-04 08:44:04 +02:00
			`func set(_ data: SecretsStorable, forItem item: Item) throws {`
			`try Self.set(data, forAccount: scopedKey(item: item), keychain: keychain)`
			`}`

			`func item<T: SecretsStorable>(_ item: Item) throws -> T {`
			`try Self.get(account: scopedKey(item: item), keychain: keychain)`
			`}`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`}`

			`extension Data: SecretsStorable {`
wip 2020-08-31 12:21:01 +02:00			`public var dataStoredInSecrets: Data { self }`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00
wip 2020-08-31 12:21:01 +02:00			`public static func fromDataStoredInSecrets(_ data: Data) throws -> Data {`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`data`
			`}`
			`}`

			`extension String: SecretsStorable {`
wip 2020-08-31 12:21:01 +02:00			`public var dataStoredInSecrets: Data { Data(utf8) }`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00
wip 2020-08-31 12:21:01 +02:00			`public static func fromDataStoredInSecrets(_ data: Data) throws -> String {`
Import and refactor stuff from old UIKit project 2020-07-30 01:50:30 +02:00			`guard let string = String(data: data, encoding: .utf8) else {`
			`throw SecretsStorableError.conversionFromDataStoredInSecrets(data)`
			`}`

			`return string`
			`}`
			`}`
Add push notification service extension 2020-08-13 12:18:21 +02:00
wip 2020-08-31 12:21:01 +02:00			`private struct PushKey {`
Add push notification service extension 2020-08-13 12:18:21 +02:00			`static let authLength = 16`
			`static let sizeInBits = 256`
			`static let attributes: [String: Any] = [`
			`kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,`
			`kSecAttrKeySizeInBits as String: sizeInBits]`
			`}`