Android alignment

Sources/SpeziLocalStorage/LocalStorage.swift

@@ -38,7 +38,7 @@ import SpeziSecureStorage
 /// - ``delete(storageKey:)``
 public final class LocalStorage: Module, DefaultInitializable, EnvironmentAccessible, @unchecked Sendable {
     private let encryptionAlgorithm: SecKeyAlgorithm = .eciesEncryptionCofactorX963SHA256AESGCM
-    @Dependency private var secureStorage = SecureStorage()
+    @Dependency private var keyStorage = KeyStorage()
 
 
     private var localStorageDirectory: URL {
@@ -145,7 +145,7 @@ public final class LocalStorage: Module, DefaultInitializable, EnvironmentAccess
 
 
         // Determine if the data should be encrypted or not:
-        guard let keys = try settings.keys(from: secureStorage) else {
+        guard let keys = try settings.keys(from: keyStorage) else {
             // No encryption:
             try data.write(to: fileURL)
             try setResourceValues()
@@ -225,7 +225,7 @@ public final class LocalStorage: Module, DefaultInitializable, EnvironmentAccess
         let data = try Data(contentsOf: fileURL)
 
         // Determine if the data should be decrypted or not:
-        guard let keys = try settings.keys(from: secureStorage) else {
+        guard let keys = try settings.keys(from: keyStorage) else {
             return try decoding(data)
         }
 

Sources/SpeziLocalStorage/LocalStorageSetting.swift

@@ -16,17 +16,16 @@ public enum LocalStorageSetting {
     /// Unencrypted
     case unencrypted(excludedFromBackup: Bool = true)
     /// Encrypted using a `eciesEncryptionCofactorX963SHA256AESGCM` key: private key for encryption and a public key for decryption.
-    case encrypted(privateKey: SecKey, publicKey: SecKey, excludedFromBackup: Bool = true)
+    case encrypted(keys: SecKeyPair, excludedFromBackup: Bool = true)
     /// Encrypted using a `eciesEncryptionCofactorX963SHA256AESGCM` key stored in the Secure Enclave.
     case encryptedUsingSecureEnclave(userPresence: Bool = false)
     /// Encrypted using a `eciesEncryptionCofactorX963SHA256AESGCM` key stored in the Keychain.
     case encryptedUsingKeyChain(userPresence: Bool = false, excludedFromBackup: Bool = true)
 
-
     var excludedFromBackup: Bool {
         switch self {
         case let .unencrypted(excludedFromBackup),
-             let .encrypted(_, _, excludedFromBackup),
+             let .encrypted(_, excludedFromBackup),
              let .encryptedUsingKeyChain(_, excludedFromBackup):
             return excludedFromBackup
         case .encryptedUsingSecureEnclave:
@@ -35,31 +34,29 @@ public enum LocalStorageSetting {
     }
 
 
-    func keys(from secureStorage: SecureStorage) throws -> (privateKey: SecKey, publicKey: SecKey)? {
+    func keys(from keyStorage: KeyStorage) throws -> SecKeyPair? {
         let secureStorageScope: SecureStorageScope
         switch self {
         case .unencrypted:
             return nil
-        case let .encrypted(privateKey, publicKey, _):
-            return (privateKey, publicKey)
+        case let .encrypted(keys, _):
+            return keys
         case let .encryptedUsingSecureEnclave(userPresence):
             secureStorageScope = .secureEnclave(userPresence: userPresence)
         case let .encryptedUsingKeyChain(userPresence, _):
             secureStorageScope = .keychain(userPresence: userPresence)
         }
 
         let tag = "LocalStorage.\(secureStorageScope.id)"
-
-        if let privateKey = try? secureStorage.retrievePrivateKey(forTag: tag),
-           let publicKey = try? secureStorage.retrievePublicKey(forTag: tag) {
-            return (privateKey, publicKey)
-        }
-
-        let privateKey = try secureStorage.createKey(tag)
-        guard let publicKey = try secureStorage.retrievePublicKey(forTag: tag) else {
-            throw LocalStorageError.encryptionNotPossible
-        }
-
-        return (privateKey, publicKey)
+        return try (try? keyStorage.retrieveKeyPair(forTag: tag))
+            ?? keyStorage.create(tag)
+    }
+}
+
+extension LocalStorageSetting {
+    /// Encrypted using a `eciesEncryptionCofactorX963SHA256AESGCM` key: private key for encryption and a public key for decryption.
+    @available(*, deprecated, renamed: "encrypted(keys:excludedFromBackup:)")
+    public static func encrypted(privateKey: SecKey, publicKey: SecKey, excludedFromBackup: Bool = true) -> LocalStorageSetting {
+        .encrypted(keys: (privateKey, publicKey), excludedFromBackup: excludedFromBackup)
     }
 }

Sources/SpeziSecureStorage/Credentials.swift → Sources/SpeziSecureStorage/Credentials/Credential.swift

@@ -6,9 +6,12 @@
 // SPDX-License-Identifier: MIT
 //
 
+/// A user's credential containing username and password.
+@available(*, deprecated, renamed: "Credential")
+public typealias Credentials = Credential
 
-/// A pair of username and password credentials.
-public struct Credentials: Equatable, Identifiable {
+/// A user's credential containing username and password.
+public struct Credential: Equatable, Identifiable {
     /// The username.
     public var username: String
     /// The password.
@@ -21,7 +24,7 @@ public struct Credentials: Equatable, Identifiable {
     }
 
 
-    /// Create new credentials.
+    /// Create new credential.
     /// - Parameters:
     ///   - username: The username.
     ///   - password: The password.
@@ -32,4 +35,4 @@ public struct Credentials: Equatable, Identifiable {
 }
 
 
-extension Credentials: Sendable {}
+extension Credential: Sendable {}

Sources/SpeziSecureStorage/Credentials/CredentialStorage.swift

@@ -0,0 +1,255 @@
+//
+// This source file is part of the Stanford Spezi open-source project
+//
+// SPDX-FileCopyrightText: 2022 Stanford University and the project authors (see CONTRIBUTORS.md)
+//
+// SPDX-License-Identifier: MIT
+//
+
+import Foundation
+import Spezi
+
+public final class CredentialStorage: Module, DefaultInitializable, EnvironmentAccessible, Sendable {
+    public required init() {}
+
+    /// Stores credentials in the Keychain.
+    ///
+    /// ```swift
+    /// do {
+    ///     let serverCredentials = Credentials(
+    ///         username: "user",
+    ///         password: "password"
+    ///     )
+    ///     try secureStorage.store(
+    ///         credentials: serverCredentials,
+    ///         server: "stanford.edu",
+    ///         storageScope: .keychainSynchronizable
+    ///     )
+    ///
+    ///     // ...
+    ///
+    /// } catch {
+    ///     // Handle creation error here.
+    ///     // ...
+    /// }
+    /// ```
+    ///
+    /// - Parameters:
+    ///   - credentials: The ``Credentials`` stored in the Keychain.
+    ///   - server: The server associated with the credentials.
+    ///   - removeDuplicate: A flag indicating if any existing key for the `username` and `server`
+    ///                      combination should be overwritten when storing the credentials.
+    ///   - storageScope: The ``SecureStorageScope`` of the stored credentials.
+    ///                   The ``SecureStorageScope/secureEnclave(userPresence:)`` option is not supported for credentials.
+    public func store(
+        _ credential: Credential,
+        server: String? = nil,
+        removeDuplicate: Bool = true,
+        storageScope: SecureStorageScope = .keychain
+    ) throws {
+        // This method uses code provided by the Apple Developer documentation at
+        // https://developer.apple.com/documentation/security/keychain_services/keychain_items/adding_a_password_to_the_keychain.
+
+        assert(!(.secureEnclave ~= storageScope), "Storing of keys in the secure enclave is not supported by Apple.")
+
+        var query = queryFor(credential.username, server: server, accessGroup: storageScope.accessGroup)
+        query[kSecValueData as String] = Data(credential.password.utf8)
+
+        if case .keychainSynchronizable = storageScope {
+            query[kSecAttrSynchronizable as String] = true
+        } else if let accessControl = try storageScope.accessControl {
+            query[kSecAttrAccessControl as String] = accessControl
+        }
+
+        do {
+            try SecureStorageError.execute(SecItemAdd(query as CFDictionary, nil))
+        } catch let SecureStorageError.keychainError(status) where status == -25299 && removeDuplicate {
+            try delete(credential.username, server: server)
+            try store(credential, server: server, removeDuplicate: false)
+        }
+    }
+
+    /// Delete existing credentials stored in the Keychain.
+    ///
+    /// ```swift
+    /// do {
+    ///     try secureStorage.deleteCredentials(
+    ///         "user",
+    ///         server: "spezi.stanford.edu"
+    ///     )
+    /// } catch {
+    ///     // Handle deletion error here.
+    ///     // ...
+    /// }
+    /// ```
+    ///
+    /// Use to ``deleteAllCredentials(itemTypes:accessGroup:)`` delete all existing credentials stored in the Keychain.
+    ///
+    /// - Parameters:
+    ///   - username: The username associated with the credentials.
+    ///   - server: The server associated with the credentials.
+    ///   - accessGroup: The access group associated with the credentials.
+    public func delete(_ username: String, server: String? = nil, accessGroup: String? = nil) throws {
+        let query = queryFor(username, server: server, accessGroup: accessGroup)
+
+        try SecureStorageError.execute(SecItemDelete(query as CFDictionary))
+    }
+
+    /// Delete all existing credentials stored in the Keychain.
+    /// - Parameters:
+    ///   - itemTypes: The types of items.
+    ///   - accessGroup: The access group associated with the credentials.
+    public func deleteAll(types itemTypes: SecureStorageItemTypes = .all, accessGroup: String? = nil) throws {
+        for kSecClassType in itemTypes.kSecClass {
+            do {
+                var query: [String: Any] = [kSecClass as String: kSecClassType]
+                // Only append the accessGroup attribute if the `CredentialsStore` is configured to use KeyChain access groups
+                if let accessGroup {
+                    query[kSecAttrAccessGroup as String] = accessGroup
+                }
+
+                // Use Data protection keychain on macOS
+                #if os(macOS)
+                query[kSecUseDataProtectionKeychain as String] = true
+                #endif
+
+                try SecureStorageError.execute(SecItemDelete(query as CFDictionary))
+            } catch SecureStorageError.notFound {
+                // We are fine it no keychain items have been found and therefore non had been deleted.
+                continue
+            } catch {
+                print(error)
+            }
+        }
+    }
+
+    /// Update existing credentials found in the Keychain.
+    ///
+    /// ```swift
+    /// do {
+    ///     let newCredentials = Credentials(
+    ///         username: "user",
+    ///         password: "newPassword"
+    ///     )
+    ///     try secureStorage.updateCredentials(
+    ///         "user",
+    ///         server: "stanford.edu",
+    ///         newCredentials: newCredentials,
+    ///         newServer: "spezi.stanford.edu"
+    ///     )
+    /// } catch {
+    ///     // Handle update error here.
+    ///     // ...
+    /// }
+    /// ```
+    ///
+    /// - Parameters:
+    ///   - username: The username associated with the old credentials.
+    ///   - server: The server associated with the old credentials.
+    ///   - newCredentials: The new ``Credentials`` that should be stored in the Keychain.
+    ///   - newServer: The server associated with the new credentials.
+    ///   - removeDuplicate: A flag indicating if any existing key for the `username` of the new credentials and `newServer`
+    ///                      combination should be overwritten when storing the credentials.
+    ///   - storageScope: The ``SecureStorageScope`` of the newly stored credentials.
+    public func update( // swiftlint:disable:this function_default_parameter_at_end
+        // The server parameter belongs to the `username` and therefore should be located next to the `username`.
+        _ username: String,
+        server: String? = nil,
+        newCredential: Credential,
+        newServer: String? = nil,
+        removeDuplicate: Bool = true,
+        storageScope: SecureStorageScope = .keychain
+    ) throws {
+        try delete(username, server: server)
+        try store(newCredential, server: newServer, removeDuplicate: removeDuplicate, storageScope: storageScope)
+    }
+
+    /// Retrieve existing credentials stored in the Keychain.
+    ///
+    /// ```swift
+    /// guard let serverCredentials = secureStorage.retrieveCredentials("user", server: "stanford.edu") else {
+    ///     // Handle errors here.
+    /// }
+    ///
+    /// // Use the credentials
+    /// ```
+    ///
+    /// Use ``retrieveAllCredentials(forServer:accessGroup:)`` to retrieve all existing credentials stored in the Keychain for a specific server.
+    ///
+    /// - Parameters:
+    ///   - username: The username associated with the credentials.
+    ///   - server: The server associated with the credentials.
+    ///   - accessGroup: The access group associated with the credentials.
+    /// - Returns: Returns the credentials stored in the Keychain identified by the `username`, `server`, and `accessGroup`.
+    public func retrieve(_ username: String, server: String? = nil, accessGroup: String? = nil) throws -> Credential? {
+        try retrieveAll(forServer: server, accessGroup: accessGroup)
+            .first { $0.username == username }
+    }
+
+    /// Retrieve all existing credentials stored in the Keychain for a specific server.
+    /// - Parameters:
+    ///   - server: The server associated with the credentials.
+    ///   - accessGroup: The access group associated with the credentials.
+    /// - Returns: Returns all existing credentials stored in the Keychain identified by the `server` and `accessGroup`.
+    public func retrieveAll(forServer server: String? = nil, accessGroup: String? = nil) throws -> [Credential] {
+        // This method uses code provided by the Apple Developer documentation at
+        // https://developer.apple.com/documentation/security/keychain_services/keychain_items/searching_for_keychain_items
+
+        var query: [String: Any] = queryFor(nil, server: server, accessGroup: accessGroup)
+        query[kSecMatchLimit as String] = kSecMatchLimitAll
+        query[kSecReturnAttributes as String] = true
+        query[kSecReturnData as String] = true
+
+        var item: CFTypeRef?
+        do {
+            try SecureStorageError.execute(SecItemCopyMatching(query as CFDictionary, &item))
+        } catch SecureStorageError.notFound {
+            return []
+        }
+
+        guard let existingItems = item as? [[String: Any]] else {
+            throw SecureStorageError.unexpectedCredentialsData
+        }
+
+        return existingItems.compactMap { existingItem in
+            guard let passwordData = existingItem[kSecValueData as String] as? Data,
+                  let password = String(data: passwordData, encoding: String.Encoding.utf8),
+                  let account = existingItem[kSecAttrAccount as String] as? String else {
+                return nil
+            }
+
+            return Credential(username: account, password: password)
+        }
+    }
+
+    private func queryFor(_ account: String?, server: String?, accessGroup: String?) -> [String: Any] {
+        // This method uses code provided by the Apple Developer documentation at
+        // https://developer.apple.com/documentation/security/keychain_services/keychain_items/using_the_keychain_to_manage_user_secrets
+
+        var query: [String: Any] = [:]
+        if let account {
+            query[kSecAttrAccount as String] = account
+        }
+
+        // Only append the accessGroup attribute if the `CredentialsStore` is configured to use KeyChain access groups
+        if let accessGroup {
+            query[kSecAttrAccessGroup as String] = accessGroup
+        }
+
+        // Use Data protection keychain on macOS
+        #if os(macOS)
+        query[kSecUseDataProtectionKeychain as String] = true
+        #endif
+
+        // If the user provided us with a server associated with the credentials we assume it is an internet password.
+        if server == nil {
+            query[kSecClass as String] = kSecClassGenericPassword
+        } else {
+            query[kSecClass as String] = kSecClassInternetPassword
+            // Only append the server attribute if we assume the credentials to be an internet password.
+            query[kSecAttrServer as String] = server
+        }
+
+        return query
+    }
+}