Split out libraries into SPM packages (#298)

2026-03-13 04:57:23 +01:00 · 2022-01-01 16:43:29 -08:00
parent f249932ff2
commit 3f34e91a2c
102 changed files with 1158 additions and 2520 deletions
--- a/Sources/Packages/Sources/SecretKit/BundleIDs.swift
+++ b/Sources/Packages/Sources/SecretKit/BundleIDs.swift
@@ -0,0 +1,7 @@
+import Foundation
+
+
+extension Bundle {
+    public var agentBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "Host", with: "SecretAgent"))!}
+    public var hostBundleID: String {(self.bundleIdentifier?.replacingOccurrences(of: "SecretAgent", with: "Host"))!}
+}
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
@@ -0,0 +1,62 @@
+import Foundation
+
+public struct AnySecret: Secret {
+
+    let base: Any
+    private let hashable: AnyHashable
+    private let _id: () -> AnyHashable
+    private let _name: () -> String
+    private let _algorithm: () -> Algorithm
+    private let _keySize: () -> Int
+    private let _publicKey: () -> Data
+
+    public init<T>(_ secret: T) where T: Secret {
+        if let secret = secret as? AnySecret {
+            base = secret.base
+            hashable = secret.hashable
+            _id = secret._id
+            _name = secret._name
+            _algorithm = secret._algorithm
+            _keySize = secret._keySize
+            _publicKey = secret._publicKey
+        } else {
+            base = secret as Any
+            self.hashable = secret
+            _id = { secret.id as AnyHashable }
+            _name = { secret.name }
+            _algorithm = { secret.algorithm }
+            _keySize = { secret.keySize }
+            _publicKey = { secret.publicKey }
+        }
+    }
+
+    public var id: AnyHashable {
+        _id()
+    }
+
+    public var name: String {
+        _name()
+    }
+
+    public var algorithm: Algorithm {
+        _algorithm()
+    }
+
+    public var keySize: Int {
+        _keySize()
+    }
+
+    public var publicKey: Data {
+        _publicKey()
+    }
+
+    public static func == (lhs: AnySecret, rhs: AnySecret) -> Bool {
+        lhs.hashable == rhs.hashable
+    }
+
+    public func hash(into hasher: inout Hasher) {
+        hashable.hash(into: &hasher)
+    }
+
+}
+
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -0,0 +1,80 @@
+import Foundation
+import Combine
+
+public class AnySecretStore: SecretStore {
+
+    let base: Any
+    private let _isAvailable: () -> Bool
+    private let _id: () -> UUID
+    private let _name: () -> String
+    private let _secrets: () -> [AnySecret]
+    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> SignedData
+    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void
+
+    private var sink: AnyCancellable?
+
+    public init<SecretStoreType>(_ secretStore: SecretStoreType) where SecretStoreType: SecretStore {
+        base = secretStore
+        _isAvailable = { secretStore.isAvailable }
+        _name = { secretStore.name }
+        _id = { secretStore.id }
+        _secrets = { secretStore.secrets.map { AnySecret($0) } }
+        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
+        sink = secretStore.objectWillChange.sink { _ in
+            self.objectWillChange.send()
+        }
+    }
+
+    public var isAvailable: Bool {
+        return _isAvailable()
+    }
+
+    public var id: UUID {
+        return _id()
+    }
+
+    public var name: String {
+        return _name()
+    }
+
+    public var secrets: [AnySecret] {
+        return _secrets()
+    }
+
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) throws -> SignedData {
+        try _sign(data, secret, provenance)
+    }
+
+    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) throws {
+        try _persistAuthentication(secret, duration)
+    }
+
+}
+
+public class AnySecretStoreModifiable: AnySecretStore, SecretStoreModifiable {
+
+    private let _create: (String, Bool) throws -> Void
+    private let _delete: (AnySecret) throws -> Void
+    private let _update: (AnySecret, String) throws -> Void
+
+    public init<SecretStoreType>(modifiable secretStore: SecretStoreType) where SecretStoreType: SecretStoreModifiable {
+        _create = { try secretStore.create(name: $0, requiresAuthentication: $1) }
+        _delete = { try secretStore.delete(secret: $0.base as! SecretStoreType.SecretType) }
+        _update = { try secretStore.update(secret: $0.base as! SecretStoreType.SecretType, name: $1) }
+        super.init(secretStore)
+    }
+
+    public func create(name: String, requiresAuthentication: Bool) throws {
+        try _create(name, requiresAuthentication)
+    }
+
+    public func delete(secret: AnySecret) throws {
+        try _delete(secret)
+    }
+
+    public func update(secret: AnySecret, name: String) throws {
+        try _update(secret, name)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHKeyWriter.swift
@@ -0,0 +1,59 @@
+import Foundation
+import CryptoKit
+
+// For the moment, only supports ecdsa-sha2-nistp256 and ecdsa-sha2-nistp386 keys
+public struct OpenSSHKeyWriter {
+
+    public init() {
+    }
+
+    public func data<SecretType: Secret>(secret: SecretType) -> Data {
+        lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
+            lengthAndData(of: secret.publicKey)
+    }
+
+    public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
+        [curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
+            .compactMap { $0 }
+            .joined(separator: " ")
+    }
+
+    public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        // OpenSSL format seems to strip the padding at the end.
+        let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
+        let paddingRange = base64.index(base64.endIndex, offsetBy: -2)..<base64.endIndex
+        let cleaned = base64.replacingOccurrences(of: "=", with: "", range: paddingRange)
+        return "SHA256:\(cleaned)"
+    }
+
+    public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
+        Insecure.MD5.hash(data: data(secret: secret))
+            .compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
+            .joined(separator: ":")
+    }
+
+}
+
+extension OpenSSHKeyWriter {
+
+    public func lengthAndData(of data: Data) -> Data {
+        let rawLength = UInt32(data.count)
+        var endian = rawLength.bigEndian
+        return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
+    }
+
+    public func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "nistp" + String(describing: length)
+        }
+    }
+
+    public func curveType(for algorithm: Algorithm, length: Int) -> String {
+        switch algorithm {
+        case .ellipticCurve:
+            return "ecdsa-sha2-nistp" + String(describing: length)
+        }
+    }
+}
--- a/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
+++ b/Sources/Packages/Sources/SecretKit/OpenSSH/OpenSSHReader.swift
@@ -0,0 +1,25 @@
+import Foundation
+
+public class OpenSSHReader {
+
+    var remaining: Data
+
+    public init(data: Data) {
+        remaining = Data(data)
+    }
+
+    public func readNextChunk() -> Data {
+        let lengthRange = 0..<(UInt32.bitWidth/8)
+        let lengthChunk = remaining[lengthRange]
+        remaining.removeSubrange(lengthRange)
+        let littleEndianLength = lengthChunk.withUnsafeBytes { pointer in
+            return pointer.load(as: UInt32.self)
+        }
+        let length = Int(littleEndianLength.bigEndian)
+        let dataRange = 0..<length
+        let ret = Data(remaining[dataRange])
+        remaining.removeSubrange(dataRange)
+        return ret
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
+++ b/Sources/Packages/Sources/SecretKit/SecretStoreList.swift
@@ -0,0 +1,39 @@
+import Foundation
+import Combine
+
+public class SecretStoreList: ObservableObject {
+
+    @Published public var stores: [AnySecretStore] = []
+    @Published public var modifiableStore: AnySecretStoreModifiable?
+    private var sinks: [AnyCancellable] = []
+
+    public init() {
+    }
+
+    public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
+        addInternal(store: AnySecretStore(store))
+    }
+
+    public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
+        let modifiable = AnySecretStoreModifiable(modifiable: store)
+        modifiableStore = modifiable
+        addInternal(store: modifiable)
+    }
+
+    public var anyAvailable: Bool {
+        stores.reduce(false, { $0 || $1.isAvailable })
+    }
+
+}
+
+extension SecretStoreList {
+
+    private func addInternal(store: AnySecretStore) {
+        stores.append(store)
+        let sink = store.objectWillChange.sink {
+            self.objectWillChange.send()
+        }
+        sinks.append(sink)
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/Secret.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/Secret.swift
@@ -0,0 +1,23 @@
+import Foundation
+
+public protocol Secret: Identifiable, Hashable {
+
+    var name: String { get }
+    var algorithm: Algorithm { get }
+    var keySize: Int { get }
+    var publicKey: Data { get }
+
+}
+
+public enum Algorithm: Hashable {
+    case ellipticCurve
+    public init(secAttr: NSNumber) {
+        let secAttrString = secAttr.stringValue as CFString
+        switch secAttrString {
+        case kSecAttrKeyTypeEC:
+            self = .ellipticCurve
+        default:
+            fatalError()
+        }
+    }
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -0,0 +1,31 @@
+import Foundation
+import Combine
+
+public protocol SecretStore: ObservableObject, Identifiable {
+
+    associatedtype SecretType: Secret
+
+    var isAvailable: Bool { get }
+    var id: UUID { get }
+    var name: String { get }
+    var secrets: [SecretType] { get }
+
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
+
+    func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) throws
+
+}
+
+public protocol SecretStoreModifiable: SecretStore {
+
+    func create(name: String, requiresAuthentication: Bool) throws
+    func delete(secret: SecretType) throws
+    func update(secret: SecretType, name: String) throws
+
+}
+
+extension NSNotification.Name {
+
+    public static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
@@ -0,0 +1,13 @@
+import Foundation
+
+public struct SignedData {
+
+    public let data: Data
+    public let requiredAuthentication: Bool
+
+    public init(data: Data, requiredAuthentication: Bool) {
+        self.data = data
+        self.requiredAuthentication = requiredAuthentication
+    }
+
+}
--- a/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SigningRequestProvenance.swift
@@ -0,0 +1,53 @@
+import Foundation
+import AppKit
+
+public struct SigningRequestProvenance: Equatable {
+
+    public var chain: [Process]
+    public init(root: Process) {
+        self.chain = [root]
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public var origin: Process {
+        chain.last!
+    }
+
+    public var intact: Bool {
+        chain.allSatisfy { $0.validSignature }
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public struct Process: Equatable {
+
+        public let pid: Int32
+        public let processName: String
+        public let appName: String?
+        public let iconURL: URL?
+        public let path: String
+        public let validSignature: Bool
+        public let parentPID: Int32?
+
+        public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
+            self.pid = pid
+            self.processName = processName
+            self.appName = appName
+            self.iconURL = iconURL
+            self.path = path
+            self.validSignature = validSignature
+            self.parentPID = parentPID
+        }
+
+        public var displayName: String {
+            appName ?? processName
+        }
+
+    }
+
+}