Tests

SecretAgentKit/Agent.swift

@@ -46,8 +46,9 @@ extension Agent {
                 response.append(identities())
                 os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)
             case .signRequest:
+                let provenance = requestTracer.provenance(from: reader)
                 response.append(SSHAgent.ResponseType.agentSignResponse.data)
-                response.append(try sign(data: data, from: reader.fileDescriptor))
+                response.append(try sign(data: data, provenance: provenance))
                 os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentSignResponse.debugDescription)
             }
         } catch {
@@ -81,7 +82,7 @@ extension Agent {
         return countData + keyData
     }
 
-    func sign(data: Data, from pid: Int32) throws -> Data {
+    func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
         let reader = OpenSSHReader(data: data)
         let hash = reader.readNextChunk()
         guard let (store, secret) = secret(matching: hash) else {
@@ -89,7 +90,6 @@ extension Agent {
             throw AgentError.noMatchingKey
         }
 
-        let provenance = requestTracer.provenance(from: pid)
         if let witness = witness {
             try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, by: provenance)
         }

SecretAgentKit/FileHandleProtocols.swift

@@ -4,6 +4,7 @@ public protocol FileHandleReader {
 
     var availableData: Data { get }
     var fileDescriptor: Int32 { get }
+    var pidOfConnectedProcess: Int32 { get }
 
 }
 
@@ -13,4 +14,13 @@ public protocol FileHandleWriter {
 
 }
 
-extension FileHandle: FileHandleReader, FileHandleWriter {}
+extension FileHandle: FileHandleReader, FileHandleWriter {
+
+    public var pidOfConnectedProcess: Int32 {
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        var len = socklen_t(MemoryLayout<Int32>.size)
+        getsockopt(fileDescriptor, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        return pidPointer.load(as: Int32.self)
+    }
+
+}

SecretAgentKit/SigningRequestProvenance.swift

@@ -1,7 +1,7 @@
 import Foundation
 import AppKit
 
-public struct SigningRequestProvenance {
+public struct SigningRequestProvenance: Equatable {
 
     public var chain: [Process]
     public init(root: Process) {
@@ -24,7 +24,7 @@ extension SigningRequestProvenance {
 
 extension SigningRequestProvenance {
 
-    public struct Process {
+    public struct Process: Equatable {
 
         public let pid: Int32
         public let name: String

SecretAgentKit/SigningRequestTracer.swift

@@ -4,12 +4,8 @@ import Security
 
 struct SigningRequestTracer {
 
-    func provenance(from pid: Int32) -> SigningRequestProvenance {
-        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
-        var len = socklen_t(MemoryLayout<Int32>.size)
-        getsockopt(pid, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
-        let pid = pidPointer.load(as: Int32.self)
-        let firstInfo = process(from: pid)
+    func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
+        let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
 
         var provenance = SigningRequestProvenance(root: firstInfo)
         while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {