Statically load whether or not a key requires authentication before use (#357)

* Add protocol requirements * Load auth settings. * Updates. * Update preview store * Add lock icon
2026-03-13 04:57:23 +01:00 · 2022-02-24 22:59:35 -08:00
parent ae7394f771
commit a1009d0dac
18 changed files with 129 additions and 58 deletions
--- a/Sources/Packages/Sources/SecretKit/Documentation.docc/Documentation.md
+++ b/Sources/Packages/Sources/SecretKit/Documentation.docc/Documentation.md
@@ -27,5 +27,8 @@ SecretKit is a collection of protocols describing secrets and stores.

 ### Signing Process

- ``SignedData``
 - ``SigningRequestProvenance``
+
+### Authentication Persistence
+
+- ``PersistedAuthenticationContext``
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecret.swift
@@ -9,6 +9,7 @@ public struct AnySecret: Secret {
    private let _name: () -> String
    private let _algorithm: () -> Algorithm
    private let _keySize: () -> Int
+    private let _requiresAuthentication: () -> Bool
    private let _publicKey: () -> Data

    public init<T>(_ secret: T) where T: Secret {
@@ -19,6 +20,7 @@ public struct AnySecret: Secret {
            _name = secret._name
            _algorithm = secret._algorithm
            _keySize = secret._keySize
+            _requiresAuthentication = secret._requiresAuthentication
            _publicKey = secret._publicKey
        } else {
            base = secret as Any
@@ -27,6 +29,7 @@ public struct AnySecret: Secret {
            _name = { secret.name }
            _algorithm = { secret.algorithm }
            _keySize = { secret.keySize }
+            _requiresAuthentication = { secret.requiresAuthentication }
            _publicKey = { secret.publicKey }
        }
    }
@@ -47,6 +50,10 @@ public struct AnySecret: Secret {
        _keySize()
    }

+    public var requiresAuthentication: Bool {
+        _requiresAuthentication()
+    }
+
    public var publicKey: Data {
        _publicKey()
    }
--- a/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Erasers/AnySecretStore.swift
@@ -9,7 +9,8 @@ public class AnySecretStore: SecretStore {
    private let _id: () -> UUID
    private let _name: () -> String
    private let _secrets: () -> [AnySecret]
-    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> SignedData
+    private let _sign: (Data, AnySecret, SigningRequestProvenance) throws -> Data
+    private let _existingPersistedAuthenticationContext: (AnySecret) -> PersistedAuthenticationContext?
    private let _persistAuthentication: (AnySecret, TimeInterval) throws -> Void

    private var sink: AnyCancellable?
@@ -21,6 +22,7 @@ public class AnySecretStore: SecretStore {
        _id = { secretStore.id }
        _secrets = { secretStore.secrets.map { AnySecret($0) } }
        _sign = { try secretStore.sign(data: $0, with: $1.base as! SecretStoreType.SecretType, for: $2) }
+        _existingPersistedAuthenticationContext = { secretStore.existingPersistedAuthenticationContext(secret: $0.base as! SecretStoreType.SecretType) }
        _persistAuthentication = { try secretStore.persistAuthentication(secret: $0.base as! SecretStoreType.SecretType, forDuration: $1) }
        sink = secretStore.objectWillChange.sink { _ in
            self.objectWillChange.send()
@@ -43,10 +45,14 @@ public class AnySecretStore: SecretStore {
        return _secrets()
    }

-    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) throws -> SignedData {
+    public func sign(data: Data, with secret: AnySecret, for provenance: SigningRequestProvenance) throws -> Data {
        try _sign(data, secret, provenance)
    }

+    public func existingPersistedAuthenticationContext(secret: AnySecret) -> PersistedAuthenticationContext? {
+        _existingPersistedAuthenticationContext(secret)
+    }
+
    public func persistAuthentication(secret: AnySecret, forDuration duration: TimeInterval) throws {
        try _persistAuthentication(secret, duration)
    }
--- a/Sources/Packages/Sources/SecretKit/Types/PersistedAuthenticationContext.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/PersistedAuthenticationContext.swift
@@ -0,0 +1,9 @@
+import Foundation
+
+/// Protocol describing a persisted authentication context. This is an authorization that can be reused for multiple access to a secret that requires authentication for a specific period of time.
+public protocol PersistedAuthenticationContext {
+    /// Whether the context remains valid.
+    var valid: Bool { get }
+    /// The date at which the authorization expires and the context becomes invalid.
+    var expiration: Date { get }
+}
--- a/Sources/Packages/Sources/SecretKit/Types/Secret.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/Secret.swift
@@ -9,6 +9,8 @@ public protocol Secret: Identifiable, Hashable {
    var algorithm: Algorithm { get }
    /// The key size for the secret.
    var keySize: Int { get }
+    /// Whether the secret requires authentication before use.
+    var requiresAuthentication: Bool { get }
    /// The public key data for the secret.
    var publicKey: Data { get }

--- a/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
@@ -20,8 +20,14 @@ public protocol SecretStore: ObservableObject, Identifiable {
    ///   - data: The data to sign.
    ///   - secret: The ``Secret`` to sign with.
    ///   - provenance: A ``SigningRequestProvenance`` describing where the request came from.
-    /// - Returns: A ``SignedData`` object, containing the signature and metadata about the signature process.
-    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
+    /// - Returns: The signed data.
+    func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> Data
+
+    /// Checks to see if there is currently a valid persisted authentication for a given secret.
+    /// - Parameters:
+    ///   - secret: The ``Secret`` to check if there is a persisted authentication for.
+    /// - Returns: A persisted authentication context, if a valid one exists.
+    func existingPersistedAuthenticationContext(secret: SecretType) -> PersistedAuthenticationContext?

    /// Persists user authorization for access to a secret.
    /// - Parameters:
--- a/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
+++ b/Sources/Packages/Sources/SecretKit/Types/SignedData.swift
@@ -1,20 +0,0 @@
-import Foundation
-
-/// Describes the output of a sign request.
-public struct SignedData {
-
-    /// The signed data.
-    public let data: Data
-    /// A boolean describing whether authentication was required during the signature process.
-    public let requiredAuthentication: Bool
-
-    /// Initializes a new SignedData.
-    /// - Parameters:
-    ///   - data: The signed data.
-    ///   - requiredAuthentication: A boolean describing whether authentication was required during the signature process.
-    public init(data: Data, requiredAuthentication: Bool) {
-        self.data = data
-        self.requiredAuthentication = requiredAuthentication
-    }
-
-}