fix(auth): Migrate keychain to the current accessibility setting (aws…

…-amplify#4516)
duyenlv · Jan 25, 2023 · 1a882b3 · 1a882b3
1 parent 09a7235
commit 1a882b3
Show file tree

Hide file tree

Showing 9 changed files with 62 additions and 3 deletions.
diff --git a/AWSAuthSDK/Sources/AWSMobileClient/AWSMobileClient.swift b/AWSAuthSDK/Sources/AWSMobileClient/AWSMobileClient.swift
@@ -177,7 +177,7 @@ final public class AWSMobileClient: _AWSMobileClient {
     public func initialize(_ completionHandler: @escaping (UserState?, Error?) -> Void) {
         // Read awsconfiguration.json and set the credentials provider here
         initializationQueue.sync {
-
+            self.keychain.migrateToCurrentAccessibility()
             if (isInitialized) {
                 completionHandler(self.currentUserState, nil)
                 return

diff --git a/AWSCognitoAuth/AWSCognitoAuth.m b/AWSCognitoAuth/AWSCognitoAuth.m
@@ -200,6 +200,7 @@ - (instancetype)initWithConfiguration:(AWSCognitoAuthConfiguration *)authConfigu
         _useSFAuthenticationSession = authConfiguration.isSFAuthenticationSessionEnabled;
         _sfAuthenticationSessionAvailable = NO;
         _keychain = [AWSCognitoAuthUICKeyChainStore keyChainStoreWithService:[NSString stringWithFormat:@"%@.%@", [NSBundle mainBundle].bundleIdentifier, @"AWSCognitoIdentityUserPool"]];  //Consistent with AWSCognitoIdentityUserPool
+        [_keychain migrateToCurrentAccessibility];
     }
     return self;
 }

diff --git a/AWSCognitoAuth/Internal/UICKeyChainStore/AWSCognitoAuthUICKeyChainStore.h b/AWSCognitoAuth/Internal/UICKeyChainStore/AWSCognitoAuthUICKeyChainStore.h
@@ -199,6 +199,12 @@ __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
 + (void)requestSharedWebCredentialForDomain:(nullable NSString *)domain account:(nullable NSString *)account completion:(nullable void (^)(NSArray UIC_CREDENTIAL_TYPE *credentials, NSError * __nullable error))completion;
 
 + (NSString *)generatePassword;
+
+/// Migrate the existing items in keychain to the current accessibility
+///
+/// Invoke this method if you have changed the keychain accessibility but there are already existing keychain items
+/// stored with a different accessibility setting.
+- (void)migrateToCurrentAccessibility;
 #endif
 
 @end

diff --git a/AWSCognitoAuth/Internal/UICKeyChainStore/AWSCognitoAuthUICKeyChainStore.m b/AWSCognitoAuth/Internal/UICKeyChainStore/AWSCognitoAuthUICKeyChainStore.m
@@ -933,6 +933,26 @@ + (NSArray *)prettify:(CFTypeRef)itemClass items:(NSArray *)items
 
 #pragma mark -
 
+- (void)migrateToCurrentAccessibility {
+    NSArray *items = [self allItems];
+    for (NSDictionary *item in items) {
+        CFComparisonResult result = CFStringCompare((CFStringRef)item[@"accessibility"],
+                                                    [self accessibilityObject], 0);
+        if (result == kCFCompareEqualTo) {
+            continue;
+        }
+        NSString *key = item[@"key"];
+        NSObject *value = item[@"value"];
+        if ([value isKindOfClass:[NSString class]]) {
+            [self setString: (NSString *)value forKey:key];
+        } else if ([value isKindOfClass:[NSData class]]) {
+            [self setData: (NSData *)value forKey:key];
+        }
+    }
+}
+
+#pragma mark -
+
 - (void)setSynchronizable:(BOOL)synchronizable
 {
     _synchronizable = synchronizable;

diff --git a/AWSCognitoIdentityProvider/AWSCognitoIdentityUserPool.m b/AWSCognitoIdentityProvider/AWSCognitoIdentityUserPool.m
@@ -171,7 +171,7 @@ - (instancetype)initWithConfiguration:(AWSServiceConfiguration *)configuration
         _userPoolConfiguration = userPoolConfiguration;
 
         _keychain = [AWSUICKeyChainStore keyChainStoreWithService:[NSString stringWithFormat:@"%@.%@", [NSBundle mainBundle].bundleIdentifier, [AWSCognitoIdentityUserPool class]]];
-
+        [_keychain migrateToCurrentAccessibility];
 
         //If Pinpoint is setup, get the endpoint or create one.
         if(userPoolConfiguration.pinpointAppId) {

diff --git a/AWSCore/Authentication/AWSCredentialsProvider.m b/AWSCore/Authentication/AWSCredentialsProvider.m
@@ -417,7 +417,8 @@ - (void)setUpWithRegionType:(AWSRegionType)regionType
 
     // initialize keychain - name spaced by app bundle and identity pool id
     _keychain = [AWSUICKeyChainStore keyChainStoreWithService:[NSString stringWithFormat:@"%@.%@.%@", [NSBundle mainBundle].bundleIdentifier, [AWSCognitoCredentialsProvider class], identityProvider.identityPoolId]];
-
+    [_keychain migrateToCurrentAccessibility];
+
     // If the identity provider has an identity id, use it
     if (identityProvider.identityId) {
         _keychain[AWSCredentialsProviderKeychainIdentityId] = identityProvider.identityId;

diff --git a/AWSCore/UICKeyChainStore/AWSUICKeyChainStore.h b/AWSCore/UICKeyChainStore/AWSUICKeyChainStore.h
@@ -199,8 +199,15 @@ __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0);
 + (void)requestSharedWebCredentialForDomain:(nullable NSString *)domain account:(nullable NSString *)account completion:(nullable void (^)(NSArray UIC_CREDENTIAL_TYPE *credentials, NSError * __nullable error))completion;
 
 + (NSString *)generatePassword;
+
 #endif
 
+/// Migrate the existing items in keychain to the current accessibility
+///
+/// Invoke this method if you have changed the keychain accessibility but there are already existing keychain items
+/// stored with a different accessibility setting.
+- (void)migrateToCurrentAccessibility;
+
 @end
 
 @interface AWSUICKeyChainStore (ErrorHandling)

diff --git a/AWSCore/UICKeyChainStore/AWSUICKeyChainStore.m b/AWSCore/UICKeyChainStore/AWSUICKeyChainStore.m
@@ -935,6 +935,26 @@ + (NSArray *)prettify:(CFTypeRef)itemClass items:(NSArray *)items
 
 #pragma mark -
 
+- (void)migrateToCurrentAccessibility {
+    NSArray *items = [self allItems];
+    for (NSDictionary *item in items) {
+        CFComparisonResult result = CFStringCompare((CFStringRef)item[@"accessibility"],
+                                                    [self accessibilityObject], 0);
+        if (result == kCFCompareEqualTo) {
+            continue;
+        }
+        NSString *key = item[@"key"];
+        NSObject *value = item[@"value"];
+        if ([value isKindOfClass: [NSString class]]) {
+            [self setString: (NSString *)value forKey:key];
+        } else if ([value isKindOfClass: [NSData class]]) {
+            [self setData: (NSData *)value forKey:key];
+        }
+    }
+}
+
+#pragma mark -
+
 - (void)setSynchronizable:(BOOL)synchronizable
 {
     _synchronizable = synchronizable;

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,10 @@
 
 ### Misc. Updates
 
+- **Auth**
+  - Added migration of keychain to the current accessibility level set for different Auth SDK. This will enabled keychain items that are stored in different accessibility level to get fixed to the current accessibility. (See [PR #4516](https://github.com/aws-amplify/aws-sdk-ios/pull/4516))
+
+
 - Model updates for the following services
   -AWSCloudWatchLogs
   -AWSConnect