Merge
31
.github/workflows/release.yml
vendored
@ -20,9 +20,12 @@ jobs:
|
|||||||
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
|
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
|
||||||
run: ./.github/scripts/signing.sh
|
run: ./.github/scripts/signing.sh
|
||||||
- name: Set Environment
|
- name: Set Environment
|
||||||
run: sudo xcrun xcode-select -s /Applications/Xcode_13.1.app
|
run: sudo xcrun xcode-select -s /Applications/Xcode_13.2.1.app
|
||||||
- name: Test
|
- name: Test
|
||||||
run: xcrun xcodebuild test -project Secretive.xcodeproj -scheme Secretive
|
run: |
|
||||||
|
pushd Sources/Packages
|
||||||
|
swift test
|
||||||
|
popd
|
||||||
build:
|
build:
|
||||||
runs-on: macos-11.0
|
runs-on: macos-11.0
|
||||||
timeout-minutes: 10
|
timeout-minutes: 10
|
||||||
@ -38,18 +41,18 @@ jobs:
|
|||||||
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
|
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
|
||||||
run: ./.github/scripts/signing.sh
|
run: ./.github/scripts/signing.sh
|
||||||
- name: Set Environment
|
- name: Set Environment
|
||||||
run: sudo xcrun xcode-select -s /Applications/Xcode_13.1.app
|
run: sudo xcrun xcode-select -s /Applications/Xcode_13.2.1.app
|
||||||
- name: Update Build Number
|
- name: Update Build Number
|
||||||
env:
|
env:
|
||||||
TAG_NAME: ${{ github.ref }}
|
TAG_NAME: ${{ github.ref }}
|
||||||
RUN_ID: ${{ github.run_id }}
|
RUN_ID: ${{ github.run_id }}
|
||||||
run: |
|
run: |
|
||||||
export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
|
export CLEAN_TAG=$(echo $TAG_NAME | sed -e 's/refs\/tags\/v//')
|
||||||
sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Config/Config.xcconfig
|
sed -i '' -e "s/GITHUB_CI_VERSION/$CLEAN_TAG/g" Sources/Config/Config.xcconfig
|
||||||
sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Config/Config.xcconfig
|
sed -i '' -e "s/GITHUB_BUILD_NUMBER/1.$RUN_ID/g" Sources/Config/Config.xcconfig
|
||||||
sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Secretive/Credits.rtf
|
sed -i '' -e "s/GITHUB_BUILD_URL/https:\/\/github.com\/maxgoedjen\/secretive\/actions\/runs\/$RUN_ID/g" Sources/Secretive/Credits.rtf
|
||||||
- name: Build
|
- name: Build
|
||||||
run: xcrun xcodebuild -project Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
|
run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive -configuration Release -archivePath Archive.xcarchive archive
|
||||||
- name: Create ZIPs
|
- name: Create ZIPs
|
||||||
run: |
|
run: |
|
||||||
ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
|
ditto -c -k --sequesterRsrc --keepParent Archive.xcarchive/Products/Applications/Secretive.app ./Secretive.zip
|
||||||
@ -88,7 +91,7 @@ jobs:
|
|||||||
draft: true
|
draft: true
|
||||||
prerelease: false
|
prerelease: false
|
||||||
- name: Upload App to Release
|
- name: Upload App to Release
|
||||||
id: upload-release-asset
|
id: upload-release-asset-app
|
||||||
uses: actions/upload-release-asset@v1.0.1
|
uses: actions/upload-release-asset@v1.0.1
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
@ -97,13 +100,13 @@ jobs:
|
|||||||
asset_path: ./Secretive.zip
|
asset_path: ./Secretive.zip
|
||||||
asset_name: Secretive.zip
|
asset_name: Secretive.zip
|
||||||
asset_content_type: application/zip
|
asset_content_type: application/zip
|
||||||
- name: Upload Archive to Artifacts
|
- name: Upload App to Artifacts
|
||||||
uses: actions/upload-artifact@v1
|
|
||||||
with:
|
|
||||||
name: Archive.zip
|
|
||||||
path: Archive.zip
|
|
||||||
- name: Upload Archive to Artifacts
|
|
||||||
uses: actions/upload-artifact@v1
|
uses: actions/upload-artifact@v1
|
||||||
with:
|
with:
|
||||||
name: Secretive.zip
|
name: Secretive.zip
|
||||||
path: Secretive.zip
|
path: Secretive.zip
|
||||||
|
- name: Upload Archive to Artifacts
|
||||||
|
uses: actions/upload-artifact@v1
|
||||||
|
with:
|
||||||
|
name: Xcode_Archive.zip
|
||||||
|
path: Archive.zip
|
||||||
|
7
.github/workflows/test.yml
vendored
@ -8,6 +8,9 @@ jobs:
|
|||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v2
|
- uses: actions/checkout@v2
|
||||||
- name: Set Environment
|
- name: Set Environment
|
||||||
run: sudo xcrun xcode-select -s /Applications/Xcode_13.1.app
|
run: sudo xcrun xcode-select -s /Applications/Xcode_13.2.1.app
|
||||||
- name: Test
|
- name: Test
|
||||||
run: xcrun xcodebuild test -project Secretive.xcodeproj -scheme Secretive
|
run: |
|
||||||
|
pushd Sources/Packages
|
||||||
|
swift test
|
||||||
|
popd
|
||||||
|
1
.gitignore
vendored
@ -92,3 +92,4 @@ iOSInjectionProject/
|
|||||||
# Build script products
|
# Build script products
|
||||||
Archive.xcarchive
|
Archive.xcarchive
|
||||||
.DS_Store
|
.DS_Store
|
||||||
|
contents.xcworkspacedata
|
||||||
|
@ -1,19 +0,0 @@
|
|||||||
//
|
|
||||||
// Brief.h
|
|
||||||
// Brief
|
|
||||||
//
|
|
||||||
// Created by Max Goedjen on 3/21/20.
|
|
||||||
// Copyright © 2020 Max Goedjen. All rights reserved.
|
|
||||||
//
|
|
||||||
|
|
||||||
#import <Foundation/Foundation.h>
|
|
||||||
|
|
||||||
//! Project version number for Brief.
|
|
||||||
FOUNDATION_EXPORT double BriefVersionNumber;
|
|
||||||
|
|
||||||
//! Project version string for Brief.
|
|
||||||
FOUNDATION_EXPORT const unsigned char BriefVersionString[];
|
|
||||||
|
|
||||||
// In this header, you should import all the public headers of your framework using statements like #import <Brief/PublicHeader.h>
|
|
||||||
|
|
||||||
|
|
@ -1,24 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>1.0</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>$(CURRENT_PROJECT_VERSION)</string>
|
|
||||||
<key>NSHumanReadableCopyright</key>
|
|
||||||
<string>$(PRODUCT_NAME) is MIT Licensed.</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
@ -1,178 +0,0 @@
|
|||||||
import Foundation
|
|
||||||
import Combine
|
|
||||||
|
|
||||||
public protocol UpdaterProtocol: ObservableObject {
|
|
||||||
|
|
||||||
var update: Release? { get }
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
public class Updater: ObservableObject, UpdaterProtocol {
|
|
||||||
|
|
||||||
@Published public var update: Release?
|
|
||||||
|
|
||||||
private let osVersion: SemVer
|
|
||||||
private let currentVersion: SemVer
|
|
||||||
|
|
||||||
public init(checkOnLaunch: Bool, osVersion: SemVer = SemVer(ProcessInfo.processInfo.operatingSystemVersion), currentVersion: SemVer = SemVer(Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "0.0.0")) {
|
|
||||||
self.osVersion = osVersion
|
|
||||||
self.currentVersion = currentVersion
|
|
||||||
if checkOnLaunch {
|
|
||||||
// Don't do a launch check if the user hasn't seen the setup prompt explaining updater yet.
|
|
||||||
checkForUpdates()
|
|
||||||
}
|
|
||||||
let timer = Timer.scheduledTimer(withTimeInterval: 60*60*24, repeats: true) { _ in
|
|
||||||
self.checkForUpdates()
|
|
||||||
}
|
|
||||||
timer.tolerance = 60*60
|
|
||||||
}
|
|
||||||
|
|
||||||
public func checkForUpdates() {
|
|
||||||
URLSession.shared.dataTask(with: Constants.updateURL) { data, _, _ in
|
|
||||||
guard let data = data else { return }
|
|
||||||
guard let releases = try? JSONDecoder().decode([Release].self, from: data) else { return }
|
|
||||||
self.evaluate(releases: releases)
|
|
||||||
}.resume()
|
|
||||||
}
|
|
||||||
|
|
||||||
public func ignore(release: Release) {
|
|
||||||
guard !release.critical else { return }
|
|
||||||
defaults.set(true, forKey: release.name)
|
|
||||||
DispatchQueue.main.async {
|
|
||||||
self.update = nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Updater {
|
|
||||||
|
|
||||||
func evaluate(releases: [Release]) {
|
|
||||||
guard let release = releases
|
|
||||||
.sorted()
|
|
||||||
.reversed()
|
|
||||||
.filter({ !$0.prerelease })
|
|
||||||
.first(where: { $0.minimumOSVersion <= osVersion }) else { return }
|
|
||||||
guard !userIgnored(release: release) else { return }
|
|
||||||
guard !release.prerelease else { return }
|
|
||||||
let latestVersion = SemVer(release.name)
|
|
||||||
if latestVersion > currentVersion {
|
|
||||||
DispatchQueue.main.async {
|
|
||||||
self.update = release
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func userIgnored(release: Release) -> Bool {
|
|
||||||
guard !release.critical else { return false }
|
|
||||||
return defaults.bool(forKey: release.name)
|
|
||||||
}
|
|
||||||
|
|
||||||
var defaults: UserDefaults {
|
|
||||||
UserDefaults(suiteName: "com.maxgoedjen.Secretive.updater.ignorelist")!
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public struct SemVer {
|
|
||||||
|
|
||||||
let versionNumbers: [Int]
|
|
||||||
|
|
||||||
public init(_ version: String) {
|
|
||||||
// Betas have the format 1.2.3_beta1
|
|
||||||
let strippedBeta = version.split(separator: "_").first!
|
|
||||||
var split = strippedBeta.split(separator: ".").compactMap { Int($0) }
|
|
||||||
while split.count < 3 {
|
|
||||||
split.append(0)
|
|
||||||
}
|
|
||||||
versionNumbers = split
|
|
||||||
}
|
|
||||||
|
|
||||||
public init(_ version: OperatingSystemVersion) {
|
|
||||||
versionNumbers = [version.majorVersion, version.minorVersion, version.patchVersion]
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension SemVer: Comparable {
|
|
||||||
|
|
||||||
public static func < (lhs: SemVer, rhs: SemVer) -> Bool {
|
|
||||||
for (latest, current) in zip(lhs.versionNumbers, rhs.versionNumbers) {
|
|
||||||
if latest < current {
|
|
||||||
return true
|
|
||||||
} else if latest > current {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Updater {
|
|
||||||
|
|
||||||
enum Constants {
|
|
||||||
static let updateURL = URL(string: "https://api.github.com/repos/maxgoedjen/secretive/releases")!
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
public struct Release: Codable {
|
|
||||||
|
|
||||||
public let name: String
|
|
||||||
public let prerelease: Bool
|
|
||||||
public let html_url: URL
|
|
||||||
public let body: String
|
|
||||||
|
|
||||||
public init(name: String, prerelease: Bool, html_url: URL, body: String) {
|
|
||||||
self.name = name
|
|
||||||
self.prerelease = prerelease
|
|
||||||
self.html_url = html_url
|
|
||||||
self.body = body
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Release: Identifiable {
|
|
||||||
|
|
||||||
public var id: String {
|
|
||||||
html_url.absoluteString
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Release: Comparable {
|
|
||||||
|
|
||||||
public static func < (lhs: Release, rhs: Release) -> Bool {
|
|
||||||
lhs.version < rhs.version
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Release {
|
|
||||||
|
|
||||||
public var critical: Bool {
|
|
||||||
body.contains(Constants.securityContent)
|
|
||||||
}
|
|
||||||
|
|
||||||
public var version: SemVer {
|
|
||||||
SemVer(name)
|
|
||||||
}
|
|
||||||
|
|
||||||
public var minimumOSVersion: SemVer {
|
|
||||||
guard let range = body.range(of: "Minimum macOS Version"),
|
|
||||||
let numberStart = body.rangeOfCharacter(from: CharacterSet.decimalDigits, options: [], range: range.upperBound..<body.endIndex) else { return SemVer("11.0.0") }
|
|
||||||
let numbersEnd = body.rangeOfCharacter(from: CharacterSet.whitespacesAndNewlines, options: [], range: numberStart.upperBound..<body.endIndex)?.lowerBound ?? body.endIndex
|
|
||||||
let version = numberStart.lowerBound..<numbersEnd
|
|
||||||
return SemVer(String(body[version]))
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension Release {
|
|
||||||
|
|
||||||
enum Constants {
|
|
||||||
static let securityContent = "Critical Security Update"
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,50 +0,0 @@
|
|||||||
{
|
|
||||||
"configurations" : [
|
|
||||||
{
|
|
||||||
"id" : "5896AE5A-6D5A-48D3-837B-668B646A3273",
|
|
||||||
"name" : "Configuration 1",
|
|
||||||
"options" : {
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"defaultOptions" : {
|
|
||||||
|
|
||||||
},
|
|
||||||
"testTargets" : [
|
|
||||||
{
|
|
||||||
"parallelizable" : true,
|
|
||||||
"target" : {
|
|
||||||
"containerPath" : "container:Secretive.xcodeproj",
|
|
||||||
"identifier" : "50617DAF23FCE4AB0099B055",
|
|
||||||
"name" : "SecretKitTests"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"parallelizable" : true,
|
|
||||||
"target" : {
|
|
||||||
"containerPath" : "container:Secretive.xcodeproj",
|
|
||||||
"identifier" : "5099A073240242BA0062B6F2",
|
|
||||||
"name" : "SecretAgentKitTests"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"enabled" : false,
|
|
||||||
"parallelizable" : true,
|
|
||||||
"target" : {
|
|
||||||
"containerPath" : "container:Secretive.xcodeproj",
|
|
||||||
"identifier" : "50617D9323FCE48E0099B055",
|
|
||||||
"name" : "SecretiveTests"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"parallelizable" : true,
|
|
||||||
"target" : {
|
|
||||||
"containerPath" : "container:Secretive.xcodeproj",
|
|
||||||
"identifier" : "5091D31E2519D56D0049FD9B",
|
|
||||||
"name" : "BriefTests"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"version" : 1
|
|
||||||
}
|
|
3
DESIGN.md
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# Design
|
||||||
|
|
||||||
|
The art assets for the App Icon and GitHub image are located on [Sketch Cloud](https://www.sketch.com/s/574333cd-8ceb-40e1-a6d9-189da3f1e5dd).
|
BIN
Icon.sketch
@ -1,24 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>$(CI_VERSION)</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>$(CURRENT_PROJECT_VERSION)</string>
|
|
||||||
<key>NSHumanReadableCopyright</key>
|
|
||||||
<string>$(PRODUCT_NAME) is MIT Licensed.</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
@ -1,9 +0,0 @@
|
|||||||
import Foundation
|
|
||||||
import SecretKit
|
|
||||||
|
|
||||||
public protocol SigningWitness {
|
|
||||||
|
|
||||||
func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws
|
|
||||||
func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, requiredAuthentication: Bool) throws
|
|
||||||
|
|
||||||
}
|
|
@ -1,22 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>1.0</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>1</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
@ -1,30 +0,0 @@
|
|||||||
import Combine
|
|
||||||
|
|
||||||
public protocol SecretStore: ObservableObject, Identifiable {
|
|
||||||
|
|
||||||
associatedtype SecretType: Secret
|
|
||||||
|
|
||||||
var isAvailable: Bool { get }
|
|
||||||
var id: UUID { get }
|
|
||||||
var name: String { get }
|
|
||||||
var secrets: [SecretType] { get }
|
|
||||||
|
|
||||||
func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
|
|
||||||
|
|
||||||
func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) throws
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
public protocol SecretStoreModifiable: SecretStore {
|
|
||||||
|
|
||||||
func create(name: String, requiresAuthentication: Bool) throws
|
|
||||||
func delete(secret: SecretType) throws
|
|
||||||
func update(secret: SecretType, name: String) throws
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension NSNotification.Name {
|
|
||||||
|
|
||||||
static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
|
|
||||||
|
|
||||||
}
|
|
@ -1,13 +0,0 @@
|
|||||||
import Foundation
|
|
||||||
|
|
||||||
public struct SignedData {
|
|
||||||
|
|
||||||
public let data: Data
|
|
||||||
public let requiredAuthentication: Bool
|
|
||||||
|
|
||||||
public init(data: Data, requiredAuthentication: Bool) {
|
|
||||||
self.data = data
|
|
||||||
self.requiredAuthentication = requiredAuthentication
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,53 +0,0 @@
|
|||||||
import Foundation
|
|
||||||
import AppKit
|
|
||||||
|
|
||||||
public struct SigningRequestProvenance: Equatable {
|
|
||||||
|
|
||||||
public var chain: [Process]
|
|
||||||
public init(root: Process) {
|
|
||||||
self.chain = [root]
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension SigningRequestProvenance {
|
|
||||||
|
|
||||||
public var origin: Process {
|
|
||||||
chain.last!
|
|
||||||
}
|
|
||||||
|
|
||||||
public var intact: Bool {
|
|
||||||
chain.allSatisfy { $0.validSignature }
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
extension SigningRequestProvenance {
|
|
||||||
|
|
||||||
public struct Process: Equatable {
|
|
||||||
|
|
||||||
public let pid: Int32
|
|
||||||
public let processName: String
|
|
||||||
public let appName: String?
|
|
||||||
public let iconURL: URL?
|
|
||||||
public let path: String
|
|
||||||
public let validSignature: Bool
|
|
||||||
public let parentPID: Int32?
|
|
||||||
|
|
||||||
public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
|
|
||||||
self.pid = pid
|
|
||||||
self.processName = processName
|
|
||||||
self.appName = appName
|
|
||||||
self.iconURL = iconURL
|
|
||||||
self.path = path
|
|
||||||
self.validSignature = validSignature
|
|
||||||
self.parentPID = parentPID
|
|
||||||
}
|
|
||||||
|
|
||||||
public var displayName: String {
|
|
||||||
appName ?? processName
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,24 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>$(CI_VERSION)</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>$(CURRENT_PROJECT_VERSION)</string>
|
|
||||||
<key>NSHumanReadableCopyright</key>
|
|
||||||
<string>$(PRODUCT_NAME) is MIT Licensed.</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
@ -1,11 +0,0 @@
|
|||||||
#import <Foundation/Foundation.h>
|
|
||||||
|
|
||||||
//! Project version number for SecretKit.
|
|
||||||
FOUNDATION_EXPORT double SecretKitVersionNumber;
|
|
||||||
|
|
||||||
//! Project version string for SecretKit.
|
|
||||||
FOUNDATION_EXPORT const unsigned char SecretKitVersionString[];
|
|
||||||
|
|
||||||
// In this header, you should import all the public headers of your framework using statements like #import <SecretKit/PublicHeader.h>
|
|
||||||
|
|
||||||
|
|
@ -1 +0,0 @@
|
|||||||
public enum SecureEnclave {}
|
|
@ -1 +0,0 @@
|
|||||||
public enum SmartCard {}
|
|
@ -1,22 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>1.0</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>1</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
@ -1,85 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<Scheme
|
|
||||||
LastUpgradeVersion = "1140"
|
|
||||||
version = "1.7">
|
|
||||||
<BuildAction
|
|
||||||
parallelizeBuildables = "YES"
|
|
||||||
buildImplicitDependencies = "YES">
|
|
||||||
<BuildActionEntries>
|
|
||||||
<BuildActionEntry
|
|
||||||
buildForTesting = "YES"
|
|
||||||
buildForRunning = "YES"
|
|
||||||
buildForProfiling = "YES"
|
|
||||||
buildForArchiving = "YES"
|
|
||||||
buildForAnalyzing = "YES">
|
|
||||||
<BuildableReference
|
|
||||||
BuildableIdentifier = "primary"
|
|
||||||
BlueprintIdentifier = "5099A06B240242BA0062B6F2"
|
|
||||||
BuildableName = "SecretAgentKit.framework"
|
|
||||||
BlueprintName = "SecretAgentKit"
|
|
||||||
ReferencedContainer = "container:Secretive.xcodeproj">
|
|
||||||
</BuildableReference>
|
|
||||||
</BuildActionEntry>
|
|
||||||
</BuildActionEntries>
|
|
||||||
</BuildAction>
|
|
||||||
<TestAction
|
|
||||||
buildConfiguration = "Test"
|
|
||||||
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
|
|
||||||
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
|
|
||||||
shouldUseLaunchSchemeArgsEnv = "YES">
|
|
||||||
<TestPlans>
|
|
||||||
<TestPlanReference
|
|
||||||
reference = "container:Config/Secretive.xctestplan"
|
|
||||||
default = "YES">
|
|
||||||
</TestPlanReference>
|
|
||||||
</TestPlans>
|
|
||||||
<Testables>
|
|
||||||
<TestableReference
|
|
||||||
skipped = "NO"
|
|
||||||
parallelizable = "YES"
|
|
||||||
testExecutionOrdering = "random">
|
|
||||||
<BuildableReference
|
|
||||||
BuildableIdentifier = "primary"
|
|
||||||
BlueprintIdentifier = "5099A073240242BA0062B6F2"
|
|
||||||
BuildableName = "SecretAgentKitTests.xctest"
|
|
||||||
BlueprintName = "SecretAgentKitTests"
|
|
||||||
ReferencedContainer = "container:Secretive.xcodeproj">
|
|
||||||
</BuildableReference>
|
|
||||||
</TestableReference>
|
|
||||||
</Testables>
|
|
||||||
</TestAction>
|
|
||||||
<LaunchAction
|
|
||||||
buildConfiguration = "Debug"
|
|
||||||
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
|
|
||||||
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
|
|
||||||
launchStyle = "0"
|
|
||||||
useCustomWorkingDirectory = "NO"
|
|
||||||
ignoresPersistentStateOnLaunch = "NO"
|
|
||||||
debugDocumentVersioning = "YES"
|
|
||||||
debugServiceExtension = "internal"
|
|
||||||
allowLocationSimulation = "YES">
|
|
||||||
</LaunchAction>
|
|
||||||
<ProfileAction
|
|
||||||
buildConfiguration = "Release"
|
|
||||||
shouldUseLaunchSchemeArgsEnv = "YES"
|
|
||||||
savedToolIdentifier = ""
|
|
||||||
useCustomWorkingDirectory = "NO"
|
|
||||||
debugDocumentVersioning = "YES">
|
|
||||||
<MacroExpansion>
|
|
||||||
<BuildableReference
|
|
||||||
BuildableIdentifier = "primary"
|
|
||||||
BlueprintIdentifier = "5099A06B240242BA0062B6F2"
|
|
||||||
BuildableName = "SecretAgentKit.framework"
|
|
||||||
BlueprintName = "SecretAgentKit"
|
|
||||||
ReferencedContainer = "container:Secretive.xcodeproj">
|
|
||||||
</BuildableReference>
|
|
||||||
</MacroExpansion>
|
|
||||||
</ProfileAction>
|
|
||||||
<AnalyzeAction
|
|
||||||
buildConfiguration = "Debug">
|
|
||||||
</AnalyzeAction>
|
|
||||||
<ArchiveAction
|
|
||||||
buildConfiguration = "Release"
|
|
||||||
revealArchiveInOrganizer = "YES">
|
|
||||||
</ArchiveAction>
|
|
||||||
</Scheme>
|
|
@ -1,71 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<Scheme
|
|
||||||
LastUpgradeVersion = "1140"
|
|
||||||
version = "1.7">
|
|
||||||
<BuildAction
|
|
||||||
parallelizeBuildables = "YES"
|
|
||||||
buildImplicitDependencies = "YES">
|
|
||||||
<BuildActionEntries>
|
|
||||||
<BuildActionEntry
|
|
||||||
buildForTesting = "YES"
|
|
||||||
buildForRunning = "YES"
|
|
||||||
buildForProfiling = "YES"
|
|
||||||
buildForArchiving = "YES"
|
|
||||||
buildForAnalyzing = "YES">
|
|
||||||
<BuildableReference
|
|
||||||
BuildableIdentifier = "primary"
|
|
||||||
BlueprintIdentifier = "50617DA723FCE4AB0099B055"
|
|
||||||
BuildableName = "SecretKit.framework"
|
|
||||||
BlueprintName = "SecretKit"
|
|
||||||
ReferencedContainer = "container:Secretive.xcodeproj">
|
|
||||||
</BuildableReference>
|
|
||||||
</BuildActionEntry>
|
|
||||||
</BuildActionEntries>
|
|
||||||
</BuildAction>
|
|
||||||
<TestAction
|
|
||||||
buildConfiguration = "Test"
|
|
||||||
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
|
|
||||||
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
|
|
||||||
shouldUseLaunchSchemeArgsEnv = "YES">
|
|
||||||
<TestPlans>
|
|
||||||
<TestPlanReference
|
|
||||||
reference = "container:Config/Secretive.xctestplan"
|
|
||||||
default = "YES">
|
|
||||||
</TestPlanReference>
|
|
||||||
</TestPlans>
|
|
||||||
</TestAction>
|
|
||||||
<LaunchAction
|
|
||||||
buildConfiguration = "Debug"
|
|
||||||
selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
|
|
||||||
selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
|
|
||||||
launchStyle = "0"
|
|
||||||
useCustomWorkingDirectory = "NO"
|
|
||||||
ignoresPersistentStateOnLaunch = "NO"
|
|
||||||
debugDocumentVersioning = "YES"
|
|
||||||
debugServiceExtension = "internal"
|
|
||||||
allowLocationSimulation = "YES">
|
|
||||||
</LaunchAction>
|
|
||||||
<ProfileAction
|
|
||||||
buildConfiguration = "Release"
|
|
||||||
shouldUseLaunchSchemeArgsEnv = "YES"
|
|
||||||
savedToolIdentifier = ""
|
|
||||||
useCustomWorkingDirectory = "NO"
|
|
||||||
debugDocumentVersioning = "YES">
|
|
||||||
<MacroExpansion>
|
|
||||||
<BuildableReference
|
|
||||||
BuildableIdentifier = "primary"
|
|
||||||
BlueprintIdentifier = "50617DA723FCE4AB0099B055"
|
|
||||||
BuildableName = "SecretKit.framework"
|
|
||||||
BlueprintName = "SecretKit"
|
|
||||||
ReferencedContainer = "container:Secretive.xcodeproj">
|
|
||||||
</BuildableReference>
|
|
||||||
</MacroExpansion>
|
|
||||||
</ProfileAction>
|
|
||||||
<AnalyzeAction
|
|
||||||
buildConfiguration = "Debug">
|
|
||||||
</AnalyzeAction>
|
|
||||||
<ArchiveAction
|
|
||||||
buildConfiguration = "Release"
|
|
||||||
revealArchiveInOrganizer = "YES">
|
|
||||||
</ArchiveAction>
|
|
||||||
</Scheme>
|
|
@ -1,22 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
|
||||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
|
||||||
<plist version="1.0">
|
|
||||||
<dict>
|
|
||||||
<key>CFBundleDevelopmentRegion</key>
|
|
||||||
<string>$(DEVELOPMENT_LANGUAGE)</string>
|
|
||||||
<key>CFBundleExecutable</key>
|
|
||||||
<string>$(EXECUTABLE_NAME)</string>
|
|
||||||
<key>CFBundleIdentifier</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
|
|
||||||
<key>CFBundleInfoDictionaryVersion</key>
|
|
||||||
<string>6.0</string>
|
|
||||||
<key>CFBundleName</key>
|
|
||||||
<string>$(PRODUCT_NAME)</string>
|
|
||||||
<key>CFBundlePackageType</key>
|
|
||||||
<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
|
|
||||||
<key>CFBundleShortVersionString</key>
|
|
||||||
<string>1.0</string>
|
|
||||||
<key>CFBundleVersion</key>
|
|
||||||
<string>1</string>
|
|
||||||
</dict>
|
|
||||||
</plist>
|
|
26
Sources/Config/Secretive.xctestplan
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
{
|
||||||
|
"configurations" : [
|
||||||
|
{
|
||||||
|
"id" : "5896AE5A-6D5A-48D3-837B-668B646A3273",
|
||||||
|
"name" : "Configuration 1",
|
||||||
|
"options" : {
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"defaultOptions" : {
|
||||||
|
|
||||||
|
},
|
||||||
|
"testTargets" : [
|
||||||
|
{
|
||||||
|
"enabled" : false,
|
||||||
|
"parallelizable" : true,
|
||||||
|
"target" : {
|
||||||
|
"containerPath" : "container:Secretive.xcodeproj",
|
||||||
|
"identifier" : "50617D9323FCE48E0099B055",
|
||||||
|
"name" : "SecretiveTests"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"version" : 1
|
||||||
|
}
|
70
Sources/Packages/Package.swift
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
// swift-tools-version:5.5
|
||||||
|
// The swift-tools-version declares the minimum version of Swift required to build this package.
|
||||||
|
|
||||||
|
import PackageDescription
|
||||||
|
|
||||||
|
let package = Package(
|
||||||
|
name: "SecretivePackages",
|
||||||
|
platforms: [
|
||||||
|
.macOS(.v11)
|
||||||
|
],
|
||||||
|
products: [
|
||||||
|
.library(
|
||||||
|
name: "SecretKit",
|
||||||
|
targets: ["SecretKit"]),
|
||||||
|
.library(
|
||||||
|
name: "SecureEnclaveSecretKit",
|
||||||
|
targets: ["SecureEnclaveSecretKit"]),
|
||||||
|
.library(
|
||||||
|
name: "SmartCardSecretKit",
|
||||||
|
targets: ["SmartCardSecretKit"]),
|
||||||
|
.library(
|
||||||
|
name: "SecretAgentKit",
|
||||||
|
targets: ["SecretAgentKit"]),
|
||||||
|
.library(
|
||||||
|
name: "SecretAgentKitHeaders",
|
||||||
|
targets: ["SecretAgentKitHeaders"]),
|
||||||
|
.library(
|
||||||
|
name: "Brief",
|
||||||
|
targets: ["Brief"]),
|
||||||
|
],
|
||||||
|
dependencies: [
|
||||||
|
],
|
||||||
|
targets: [
|
||||||
|
.target(
|
||||||
|
name: "SecretKit",
|
||||||
|
dependencies: []
|
||||||
|
),
|
||||||
|
.testTarget(
|
||||||
|
name: "SecretKitTests",
|
||||||
|
dependencies: ["SecretKit", "SecureEnclaveSecretKit", "SmartCardSecretKit"]
|
||||||
|
),
|
||||||
|
.target(
|
||||||
|
name: "SecureEnclaveSecretKit",
|
||||||
|
dependencies: ["SecretKit"]
|
||||||
|
),
|
||||||
|
.target(
|
||||||
|
name: "SmartCardSecretKit",
|
||||||
|
dependencies: ["SecretKit"]
|
||||||
|
),
|
||||||
|
.target(
|
||||||
|
name: "SecretAgentKit",
|
||||||
|
dependencies: ["SecretKit", "SecretAgentKitHeaders"]
|
||||||
|
),
|
||||||
|
.systemLibrary(
|
||||||
|
name: "SecretAgentKitHeaders"
|
||||||
|
),
|
||||||
|
.testTarget(
|
||||||
|
name: "SecretAgentKitTests",
|
||||||
|
dependencies: ["SecretAgentKit"])
|
||||||
|
,
|
||||||
|
.target(
|
||||||
|
name: "Brief",
|
||||||
|
dependencies: []
|
||||||
|
),
|
||||||
|
.testTarget(
|
||||||
|
name: "BriefTests",
|
||||||
|
dependencies: ["Brief"]
|
||||||
|
),
|
||||||
|
]
|
||||||
|
)
|
@ -0,0 +1,15 @@
|
|||||||
|
# ``Brief``
|
||||||
|
|
||||||
|
Brief is a collection of protocols and concrete implmentation describing updates.
|
||||||
|
|
||||||
|
## Topics
|
||||||
|
|
||||||
|
### Versioning
|
||||||
|
|
||||||
|
- ``SemVer``
|
||||||
|
- ``Release``
|
||||||
|
|
||||||
|
### Updater
|
||||||
|
|
||||||
|
- ``UpdaterProtocol``
|
||||||
|
- ``Updater``
|
80
Sources/Packages/Sources/Brief/Release.swift
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
import Foundation
|
||||||
|
|
||||||
|
/// A release is a representation of a downloadable update.
|
||||||
|
public struct Release: Codable {
|
||||||
|
|
||||||
|
/// The user-facing name of the release. Typically "Secretive 1.2.3"
|
||||||
|
public let name: String
|
||||||
|
|
||||||
|
/// A boolean describing whether or not the release is a prerelase build.
|
||||||
|
public let prerelease: Bool
|
||||||
|
|
||||||
|
/// A URL pointing to the HTML page for the release.
|
||||||
|
public let html_url: URL
|
||||||
|
|
||||||
|
/// A user-facing description of the contents of the update.
|
||||||
|
public let body: String
|
||||||
|
|
||||||
|
/// Initializes a Release.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - name: The user-facing name of the release.
|
||||||
|
/// - prerelease: A boolean describing whether or not the release is a prerelase build.
|
||||||
|
/// - html_url: A URL pointing to the HTML page for the release.
|
||||||
|
/// - body: A user-facing description of the contents of the update.
|
||||||
|
public init(name: String, prerelease: Bool, html_url: URL, body: String) {
|
||||||
|
self.name = name
|
||||||
|
self.prerelease = prerelease
|
||||||
|
self.html_url = html_url
|
||||||
|
self.body = body
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Release: Identifiable {
|
||||||
|
|
||||||
|
public var id: String {
|
||||||
|
html_url.absoluteString
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Release: Comparable {
|
||||||
|
|
||||||
|
public static func < (lhs: Release, rhs: Release) -> Bool {
|
||||||
|
lhs.version < rhs.version
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Release {
|
||||||
|
|
||||||
|
/// A boolean describing whether or not the release contains critical security content.
|
||||||
|
/// - Note: this is determined by the presence of the phrase "Critical Security Update" in the ``body``.
|
||||||
|
/// - Warning: If this property is true, the user will not be able to dismiss UI or reminders associated with the update.
|
||||||
|
public var critical: Bool {
|
||||||
|
body.contains(Constants.securityContent)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A ``SemVer`` representation of the version number of the release.
|
||||||
|
public var version: SemVer {
|
||||||
|
SemVer(name)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The minimum macOS version required to run the update.
|
||||||
|
public var minimumOSVersion: SemVer {
|
||||||
|
guard let range = body.range(of: "Minimum macOS Version"),
|
||||||
|
let numberStart = body.rangeOfCharacter(from: CharacterSet.decimalDigits, options: [], range: range.upperBound..<body.endIndex) else { return SemVer("11.0.0") }
|
||||||
|
let numbersEnd = body.rangeOfCharacter(from: CharacterSet.whitespacesAndNewlines, options: [], range: numberStart.upperBound..<body.endIndex)?.lowerBound ?? body.endIndex
|
||||||
|
let version = numberStart.lowerBound..<numbersEnd
|
||||||
|
return SemVer(String(body[version]))
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Release {
|
||||||
|
|
||||||
|
enum Constants {
|
||||||
|
static let securityContent = "Critical Security Update"
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
43
Sources/Packages/Sources/Brief/SemVer.swift
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
import Foundation
|
||||||
|
|
||||||
|
/// A representation of a Semantic Version.
|
||||||
|
public struct SemVer {
|
||||||
|
|
||||||
|
/// The SemVer broken into an array of integers.
|
||||||
|
let versionNumbers: [Int]
|
||||||
|
|
||||||
|
/// Initializes a SemVer from a string representation.
|
||||||
|
/// - Parameter version: A string representation of the SemVer, formatted as "major.minor.patch".
|
||||||
|
public init(_ version: String) {
|
||||||
|
// Betas have the format 1.2.3_beta1
|
||||||
|
let strippedBeta = version.split(separator: "_").first!
|
||||||
|
var split = strippedBeta.split(separator: ".").compactMap { Int($0) }
|
||||||
|
while split.count < 3 {
|
||||||
|
split.append(0)
|
||||||
|
}
|
||||||
|
versionNumbers = split
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Initializes a SemVer from an `OperatingSystemVersion` representation.
|
||||||
|
/// - Parameter version: An `OperatingSystemVersion` representation of the SemVer.
|
||||||
|
public init(_ version: OperatingSystemVersion) {
|
||||||
|
versionNumbers = [version.majorVersion, version.minorVersion, version.patchVersion]
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension SemVer: Comparable {
|
||||||
|
|
||||||
|
public static func < (lhs: SemVer, rhs: SemVer) -> Bool {
|
||||||
|
for (latest, current) in zip(lhs.versionNumbers, rhs.versionNumbers) {
|
||||||
|
if latest < current {
|
||||||
|
return true
|
||||||
|
} else if latest > current {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
97
Sources/Packages/Sources/Brief/Updater.swift
Normal file
@ -0,0 +1,97 @@
|
|||||||
|
import Foundation
|
||||||
|
import Combine
|
||||||
|
|
||||||
|
/// A concrete implementation of ``UpdaterProtocol`` which considers the current release and OS version.
|
||||||
|
public class Updater: ObservableObject, UpdaterProtocol {
|
||||||
|
|
||||||
|
@Published public var update: Release?
|
||||||
|
public let testBuild: Bool
|
||||||
|
|
||||||
|
/// The current OS version.
|
||||||
|
private let osVersion: SemVer
|
||||||
|
/// The current version of the app that is running.
|
||||||
|
private let currentVersion: SemVer
|
||||||
|
|
||||||
|
/// Initializes an Updater.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - checkOnLaunch: A boolean describing whether the Updater should check for available updates on launch.
|
||||||
|
/// - checkFrequency: The interval at which the Updater should check for updates. Subject to a tolerance of 1 hour.
|
||||||
|
/// - osVersion: The current OS version.
|
||||||
|
/// - currentVersion: The current version of the app that is running.
|
||||||
|
public init(checkOnLaunch: Bool, checkFrequency: TimeInterval = Measurement(value: 24, unit: UnitDuration.hours).converted(to: .seconds).value, osVersion: SemVer = SemVer(ProcessInfo.processInfo.operatingSystemVersion), currentVersion: SemVer = SemVer(Bundle.main.infoDictionary?["CFBundleShortVersionString"] as? String ?? "0.0.0")) {
|
||||||
|
self.osVersion = osVersion
|
||||||
|
self.currentVersion = currentVersion
|
||||||
|
testBuild = currentVersion == SemVer("0.0.0")
|
||||||
|
if checkOnLaunch {
|
||||||
|
// Don't do a launch check if the user hasn't seen the setup prompt explaining updater yet.
|
||||||
|
checkForUpdates()
|
||||||
|
}
|
||||||
|
let timer = Timer.scheduledTimer(withTimeInterval: checkFrequency, repeats: true) { _ in
|
||||||
|
self.checkForUpdates()
|
||||||
|
}
|
||||||
|
timer.tolerance = 60*60
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Manually trigger an update check.
|
||||||
|
public func checkForUpdates() {
|
||||||
|
URLSession.shared.dataTask(with: Constants.updateURL) { data, _, _ in
|
||||||
|
guard let data = data else { return }
|
||||||
|
guard let releases = try? JSONDecoder().decode([Release].self, from: data) else { return }
|
||||||
|
self.evaluate(releases: releases)
|
||||||
|
}.resume()
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Ignores a specified release. `update` will be nil if the user has ignored the latest available release.
|
||||||
|
/// - Parameter release: The release to ignore.
|
||||||
|
public func ignore(release: Release) {
|
||||||
|
guard !release.critical else { return }
|
||||||
|
defaults.set(true, forKey: release.name)
|
||||||
|
DispatchQueue.main.async {
|
||||||
|
self.update = nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Updater {
|
||||||
|
|
||||||
|
/// Evaluates the available downloadable releases, and selects the newest non-prerelease release that the user is able to run.
|
||||||
|
/// - Parameter releases: An array of ``Release`` objects.
|
||||||
|
func evaluate(releases: [Release]) {
|
||||||
|
guard let release = releases
|
||||||
|
.sorted()
|
||||||
|
.reversed()
|
||||||
|
.filter({ !$0.prerelease })
|
||||||
|
.first(where: { $0.minimumOSVersion <= osVersion }) else { return }
|
||||||
|
guard !userIgnored(release: release) else { return }
|
||||||
|
guard !release.prerelease else { return }
|
||||||
|
let latestVersion = SemVer(release.name)
|
||||||
|
if latestVersion > currentVersion {
|
||||||
|
DispatchQueue.main.async {
|
||||||
|
self.update = release
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Checks whether the user has ignored a release.
|
||||||
|
/// - Parameter release: The release to check.
|
||||||
|
/// - Returns: A boolean describing whether the user has ignored the release. Will always be false if the release is critical.
|
||||||
|
func userIgnored(release: Release) -> Bool {
|
||||||
|
guard !release.critical else { return false }
|
||||||
|
return defaults.bool(forKey: release.name)
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The user defaults used to store user ignore state.
|
||||||
|
var defaults: UserDefaults {
|
||||||
|
UserDefaults(suiteName: "com.maxgoedjen.Secretive.updater.ignorelist")!
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension Updater {
|
||||||
|
|
||||||
|
enum Constants {
|
||||||
|
static let updateURL = URL(string: "https://api.github.com/repos/maxgoedjen/secretive/releases")!
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
12
Sources/Packages/Sources/Brief/UpdaterProtocol.swift
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
import Foundation
|
||||||
|
|
||||||
|
/// A protocol for retreiving the latest available version of an app.
|
||||||
|
public protocol UpdaterProtocol: ObservableObject {
|
||||||
|
|
||||||
|
/// The latest update
|
||||||
|
var update: Release? { get }
|
||||||
|
/// A boolean describing whether or not the current build of the app is a "test" build (ie, a debug build or otherwise special build)
|
||||||
|
var testBuild: Bool { get }
|
||||||
|
|
||||||
|
}
|
||||||
|
|
@ -4,6 +4,7 @@ import OSLog
|
|||||||
import SecretKit
|
import SecretKit
|
||||||
import AppKit
|
import AppKit
|
||||||
|
|
||||||
|
/// The `Agent` is an implementation of an SSH agent. It manages coordination and access between a socket, traces requests, notifies witnesses and passes requests to stores.
|
||||||
public class Agent {
|
public class Agent {
|
||||||
|
|
||||||
private let storeList: SecretStoreList
|
private let storeList: SecretStoreList
|
||||||
@ -11,6 +12,10 @@ public class Agent {
|
|||||||
private let writer = OpenSSHKeyWriter()
|
private let writer = OpenSSHKeyWriter()
|
||||||
private let requestTracer = SigningRequestTracer()
|
private let requestTracer = SigningRequestTracer()
|
||||||
|
|
||||||
|
/// Initializes an agent with a store list and a witness.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - storeList: The `SecretStoreList` to make available.
|
||||||
|
/// - witness: A witness to notify of requests.
|
||||||
public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
|
public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
|
||||||
Logger().debug("Agent is running")
|
Logger().debug("Agent is running")
|
||||||
self.storeList = storeList
|
self.storeList = storeList
|
||||||
@ -21,10 +26,14 @@ public class Agent {
|
|||||||
|
|
||||||
extension Agent {
|
extension Agent {
|
||||||
|
|
||||||
|
/// Handles an incoming request.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - reader: A ``FileHandleReader`` to read the content of the request.
|
||||||
|
/// - writer: A ``FileHandleWriter`` to write the response to.
|
||||||
public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
|
public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
|
||||||
Logger().debug("Agent handling new data")
|
Logger().debug("Agent handling new data")
|
||||||
let data = reader.availableData
|
let data = Data(reader.availableData)
|
||||||
guard !data.isEmpty else { return }
|
guard data.count > 4 else { return }
|
||||||
let requestTypeInt = data[4]
|
let requestTypeInt = data[4]
|
||||||
guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
|
guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
|
||||||
writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
|
writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
|
||||||
@ -64,6 +73,8 @@ extension Agent {
|
|||||||
|
|
||||||
extension Agent {
|
extension Agent {
|
||||||
|
|
||||||
|
/// Lists the identities available for signing operations
|
||||||
|
/// - Returns: An OpenSSH formatted Data payload listing the identities available for signing operations.
|
||||||
func identities() -> Data {
|
func identities() -> Data {
|
||||||
let secrets = storeList.stores.flatMap(\.secrets)
|
let secrets = storeList.stores.flatMap(\.secrets)
|
||||||
var count = UInt32(secrets.count).bigEndian
|
var count = UInt32(secrets.count).bigEndian
|
||||||
@ -80,6 +91,11 @@ extension Agent {
|
|||||||
return countData + keyData
|
return countData + keyData
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Notifies witnesses of a pending signature request, and performs the signing operation if none object.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - data: The data to sign.
|
||||||
|
/// - provenance: A ``SecretKit.SigningRequestProvenance`` object describing the origin of the request.
|
||||||
|
/// - Returns: An OpenSSH formatted Data payload containing the signed data response.
|
||||||
func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
|
func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
|
||||||
let reader = OpenSSHReader(data: data)
|
let reader = OpenSSHReader(data: data)
|
||||||
let hash = reader.readNextChunk()
|
let hash = reader.readNextChunk()
|
||||||
@ -147,6 +163,9 @@ extension Agent {
|
|||||||
|
|
||||||
extension Agent {
|
extension Agent {
|
||||||
|
|
||||||
|
/// Finds a ``Secret`` matching a specified hash whos signature was requested.
|
||||||
|
/// - Parameter hash: The hash to match against.
|
||||||
|
/// - Returns: A ``Secret`` and the ``SecretStore`` containing it, if a match is found.
|
||||||
func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
|
func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
|
||||||
storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
|
storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
|
||||||
let allMatching = store.secrets.filter { secret in
|
let allMatching = store.secrets.filter { secret in
|
||||||
@ -164,6 +183,7 @@ extension Agent {
|
|||||||
|
|
||||||
extension Agent {
|
extension Agent {
|
||||||
|
|
||||||
|
/// An error involving agent operations..
|
||||||
enum AgentError: Error {
|
enum AgentError: Error {
|
||||||
case unhandledType
|
case unhandledType
|
||||||
case noMatchingKey
|
case noMatchingKey
|
@ -0,0 +1,23 @@
|
|||||||
|
# ``SecretAgentKit``
|
||||||
|
|
||||||
|
SecretAgentKit is a collection of types that allow SecretAgent to conform to the SSH agent protocol.
|
||||||
|
|
||||||
|
## Topics
|
||||||
|
|
||||||
|
### Agent
|
||||||
|
|
||||||
|
- ``Agent``
|
||||||
|
|
||||||
|
### Protocol
|
||||||
|
|
||||||
|
- ``SSHAgent``
|
||||||
|
|
||||||
|
### Request Notification
|
||||||
|
|
||||||
|
- ``SigningWitness``
|
||||||
|
|
||||||
|
### Socket Operations
|
||||||
|
|
||||||
|
- ``SocketController``
|
||||||
|
- ``FileHandleReader``
|
||||||
|
- ``FileHandleWriter``
|
@ -1,15 +1,21 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
|
|
||||||
|
/// Protocol abstraction of the reading aspects of FileHandle.
|
||||||
public protocol FileHandleReader {
|
public protocol FileHandleReader {
|
||||||
|
|
||||||
|
/// Gets data that is available for reading.
|
||||||
var availableData: Data { get }
|
var availableData: Data { get }
|
||||||
|
/// A file descriptor of the handle.
|
||||||
var fileDescriptor: Int32 { get }
|
var fileDescriptor: Int32 { get }
|
||||||
|
/// The process ID of the process coonnected to the other end of the FileHandle.
|
||||||
var pidOfConnectedProcess: Int32 { get }
|
var pidOfConnectedProcess: Int32 { get }
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Protocol abstraction of the writing aspects of FileHandle.
|
||||||
public protocol FileHandleWriter {
|
public protocol FileHandleWriter {
|
||||||
|
|
||||||
|
/// Writes data to the handle.
|
||||||
func write(_ data: Data)
|
func write(_ data: Data)
|
||||||
|
|
||||||
}
|
}
|
@ -1,10 +1,13 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
|
|
||||||
|
/// A namespace for the SSH Agent Protocol, as described in https://tools.ietf.org/id/draft-miller-ssh-agent-01.html
|
||||||
public enum SSHAgent {}
|
public enum SSHAgent {}
|
||||||
|
|
||||||
extension SSHAgent {
|
extension SSHAgent {
|
||||||
|
|
||||||
|
/// The type of the SSH Agent Request, as described in https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.5.1
|
||||||
public enum RequestType: UInt8, CustomDebugStringConvertible {
|
public enum RequestType: UInt8, CustomDebugStringConvertible {
|
||||||
|
|
||||||
case requestIdentities = 11
|
case requestIdentities = 11
|
||||||
case signRequest = 13
|
case signRequest = 13
|
||||||
|
|
||||||
@ -18,7 +21,9 @@ extension SSHAgent {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// The type of the SSH Agent Response, as described in https://tools.ietf.org/id/draft-miller-ssh-agent-01.html#rfc.section.5.1
|
||||||
public enum ResponseType: UInt8, CustomDebugStringConvertible {
|
public enum ResponseType: UInt8, CustomDebugStringConvertible {
|
||||||
|
|
||||||
case agentFailure = 5
|
case agentFailure = 5
|
||||||
case agentIdentitiesAnswer = 12
|
case agentIdentitiesAnswer = 12
|
||||||
case agentSignResponse = 14
|
case agentSignResponse = 14
|
@ -2,12 +2,17 @@ import Foundation
|
|||||||
import AppKit
|
import AppKit
|
||||||
import Security
|
import Security
|
||||||
import SecretKit
|
import SecretKit
|
||||||
|
import SecretAgentKitHeaders
|
||||||
|
|
||||||
|
/// An object responsible for generating ``SecretKit.SigningRequestProvenance`` objects.
|
||||||
struct SigningRequestTracer {
|
struct SigningRequestTracer {
|
||||||
}
|
}
|
||||||
|
|
||||||
extension SigningRequestTracer {
|
extension SigningRequestTracer {
|
||||||
|
|
||||||
|
/// Generates a ``SecretKit.SigningRequestProvenance`` from a ``FileHandleReader``.
|
||||||
|
/// - Parameter fileHandleReader: The reader involved in processing the request.
|
||||||
|
/// - Returns: A ``SecretKit.SigningRequestProvenance`` describing the origin of the request.
|
||||||
func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
|
func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
|
||||||
let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
|
let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
|
||||||
|
|
||||||
@ -18,6 +23,9 @@ extension SigningRequestTracer {
|
|||||||
return provenance
|
return provenance
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates a `kinfo_proc` representation of the provided process ID.
|
||||||
|
/// - Parameter pid: The process ID to look up.
|
||||||
|
/// - Returns: a `kinfo_proc` struct describing the process ID.
|
||||||
func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
|
func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
|
||||||
var len = MemoryLayout<kinfo_proc>.size
|
var len = MemoryLayout<kinfo_proc>.size
|
||||||
let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
|
let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
|
||||||
@ -26,6 +34,9 @@ extension SigningRequestTracer {
|
|||||||
return infoPointer.load(as: kinfo_proc.self)
|
return infoPointer.load(as: kinfo_proc.self)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates a ``SecretKit.SigningRequestProvenance.Process`` from a provided process ID.
|
||||||
|
/// - Parameter pid: The process ID to look up.
|
||||||
|
/// - Returns: A ``SecretKit.SigningRequestProvenance.Process`` describing the process.
|
||||||
func process(from pid: Int32) -> SigningRequestProvenance.Process {
|
func process(from pid: Int32) -> SigningRequestProvenance.Process {
|
||||||
var pidAndNameInfo = self.pidAndNameInfo(from: pid)
|
var pidAndNameInfo = self.pidAndNameInfo(from: pid)
|
||||||
let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
|
let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
|
||||||
@ -40,6 +51,9 @@ extension SigningRequestTracer {
|
|||||||
return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
|
return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Looks up the URL for the icon of a process ID, if it has one.
|
||||||
|
/// - Parameter pid: The process ID to look up.
|
||||||
|
/// - Returns: A URL to the icon, if the process has one.
|
||||||
func iconURL(for pid: Int32) -> URL? {
|
func iconURL(for pid: Int32) -> URL? {
|
||||||
do {
|
do {
|
||||||
if let app = NSRunningApplication(processIdentifier: pid), let icon = app.icon?.tiffRepresentation {
|
if let app = NSRunningApplication(processIdentifier: pid), let icon = app.icon?.tiffRepresentation {
|
||||||
@ -53,6 +67,9 @@ extension SigningRequestTracer {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Looks up the application name of a process ID, if it has one.
|
||||||
|
/// - Parameter pid: The process ID to look up.
|
||||||
|
/// - Returns: The process's display name, if the process has one.
|
||||||
func appName(for pid: Int32) -> String? {
|
func appName(for pid: Int32) -> String? {
|
||||||
NSRunningApplication(processIdentifier: pid)?.localizedName
|
NSRunningApplication(processIdentifier: pid)?.localizedName
|
||||||
}
|
}
|
23
Sources/Packages/Sources/SecretAgentKit/SigningWitness.swift
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
import Foundation
|
||||||
|
import SecretKit
|
||||||
|
|
||||||
|
/// A protocol that allows conformers to be notified of access to secrets, and optionally prevent access.
|
||||||
|
public protocol SigningWitness {
|
||||||
|
|
||||||
|
/// A ridiculously named method that notifies the callee that a signing operation is about to be performed using a secret. The callee may `throw` an `Error` to prevent access from occurring.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The `Secret` that will be used to sign the request.
|
||||||
|
/// - store: The `Store` being asked to sign the request..
|
||||||
|
/// - provenance: A `SigningRequestProvenance` object describing the origin of the request.
|
||||||
|
/// - Note: This method being called does not imply that the requst has been authorized. If a secret requires authentication, authentication will still need to be performed by the user before the request will be performed. If the user declines or fails to authenticate, the request will fail.
|
||||||
|
func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws
|
||||||
|
|
||||||
|
/// Notifies the callee that a signing operation has been performed for a given secret.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The `Secret` that will was used to sign the request.
|
||||||
|
/// - store: The `Store` that signed the request..
|
||||||
|
/// - provenance: A `SigningRequestProvenance` object describing the origin of the request.
|
||||||
|
/// - requiredAuthentication: A boolean describing whether or not authentication was required for the request.
|
||||||
|
func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, requiredAuthentication: Bool) throws
|
||||||
|
|
||||||
|
}
|
@ -1,12 +1,16 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import OSLog
|
import OSLog
|
||||||
|
|
||||||
|
/// A controller that manages socket configuration and request dispatching.
|
||||||
public class SocketController {
|
public class SocketController {
|
||||||
|
|
||||||
|
/// The active FileHandle.
|
||||||
private var fileHandle: FileHandle?
|
private var fileHandle: FileHandle?
|
||||||
private var port: SocketPort?
|
/// A handler that will be notified when a new read/write handle is available.
|
||||||
public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
|
public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
|
||||||
|
|
||||||
|
/// Initializes a socket controller with a specified path.
|
||||||
|
/// - Parameter path: The path to use as a socket.
|
||||||
public init(path: String) {
|
public init(path: String) {
|
||||||
Logger().debug("Socket controller setting up at \(path)")
|
Logger().debug("Socket controller setting up at \(path)")
|
||||||
if let _ = try? FileManager.default.removeItem(atPath: path) {
|
if let _ = try? FileManager.default.removeItem(atPath: path) {
|
||||||
@ -15,19 +19,23 @@ public class SocketController {
|
|||||||
let exists = FileManager.default.fileExists(atPath: path)
|
let exists = FileManager.default.fileExists(atPath: path)
|
||||||
assert(!exists)
|
assert(!exists)
|
||||||
Logger().debug("Socket controller path is clear")
|
Logger().debug("Socket controller path is clear")
|
||||||
port = socketPort(at: path)
|
|
||||||
configureSocket(at: path)
|
configureSocket(at: path)
|
||||||
Logger().debug("Socket listening at \(path)")
|
Logger().debug("Socket listening at \(path)")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Configures the socket and a corresponding FileHandle.
|
||||||
|
/// - Parameter path: The path to use as a socket.
|
||||||
func configureSocket(at path: String) {
|
func configureSocket(at path: String) {
|
||||||
guard let port = port else { return }
|
let port = socketPort(at: path)
|
||||||
fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
|
fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
|
||||||
NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
|
NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
|
||||||
NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
|
NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
|
||||||
fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
|
fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Creates a SocketPort for a path.
|
||||||
|
/// - Parameter path: The path to use as a socket.
|
||||||
|
/// - Returns: A configured SocketPort.
|
||||||
func socketPort(at path: String) -> SocketPort {
|
func socketPort(at path: String) -> SocketPort {
|
||||||
var addr = sockaddr_un()
|
var addr = sockaddr_un()
|
||||||
addr.sun_family = sa_family_t(AF_UNIX)
|
addr.sun_family = sa_family_t(AF_UNIX)
|
||||||
@ -49,6 +57,8 @@ public class SocketController {
|
|||||||
return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
|
return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Handles a new connection being accepted, invokes the handler, and prepares to accept new connections.
|
||||||
|
/// - Parameter notification: A `Notification` that triggered the call.
|
||||||
@objc func handleConnectionAccept(notification: Notification) {
|
@objc func handleConnectionAccept(notification: Notification) {
|
||||||
Logger().debug("Socket controller accepted connection")
|
Logger().debug("Socket controller accepted connection")
|
||||||
guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
|
guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
|
||||||
@ -57,6 +67,8 @@ public class SocketController {
|
|||||||
fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
|
fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Handles a new connection providing data and invokes the handler callback.
|
||||||
|
/// - Parameter notification: A `Notification` that triggered the call.
|
||||||
@objc func handleConnectionDataAvailable(notification: Notification) {
|
@objc func handleConnectionDataAvailable(notification: Notification) {
|
||||||
Logger().debug("Socket controller has new data available")
|
Logger().debug("Socket controller has new data available")
|
||||||
guard let new = notification.object as? FileHandle else { return }
|
guard let new = notification.object as? FileHandle else { return }
|
@ -0,0 +1 @@
|
|||||||
|
|
@ -0,0 +1,4 @@
|
|||||||
|
module SecretAgentKitHeaders [system] {
|
||||||
|
header "include/SecretAgentKit.h"
|
||||||
|
export *
|
||||||
|
}
|
@ -0,0 +1,31 @@
|
|||||||
|
# ``SecretKit``
|
||||||
|
|
||||||
|
SecretKit is a collection of protocols describing secrets and stores.
|
||||||
|
|
||||||
|
## Topics
|
||||||
|
|
||||||
|
### Base Protocols
|
||||||
|
|
||||||
|
- ``Secret``
|
||||||
|
- ``SecretStore``
|
||||||
|
- ``SecretStoreModifiable``
|
||||||
|
|
||||||
|
### Store List
|
||||||
|
|
||||||
|
- ``SecretStoreList``
|
||||||
|
|
||||||
|
### Type Erasers
|
||||||
|
|
||||||
|
- ``AnySecret``
|
||||||
|
- ``AnySecretStore``
|
||||||
|
- ``AnySecretStoreModifiable``
|
||||||
|
|
||||||
|
### OpenSSH
|
||||||
|
|
||||||
|
- ``OpenSSHKeyWriter``
|
||||||
|
- ``OpenSSHReader``
|
||||||
|
|
||||||
|
### Signing Process
|
||||||
|
|
||||||
|
- ``SignedData``
|
||||||
|
- ``SigningRequestProvenance``
|
@ -1,5 +1,6 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
|
|
||||||
|
/// Type eraser for Secret.
|
||||||
public struct AnySecret: Secret {
|
public struct AnySecret: Secret {
|
||||||
|
|
||||||
let base: Any
|
let base: Any
|
@ -1,6 +1,7 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import Combine
|
import Combine
|
||||||
|
|
||||||
|
/// Type eraser for SecretStore.
|
||||||
public class AnySecretStore: SecretStore {
|
public class AnySecretStore: SecretStore {
|
||||||
|
|
||||||
let base: Any
|
let base: Any
|
@ -1,24 +1,31 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import CryptoKit
|
import CryptoKit
|
||||||
|
|
||||||
// For the moment, only supports ecdsa-sha2-nistp256 and ecdsa-sha2-nistp386 keys
|
/// Generates OpenSSH representations of Secrets.
|
||||||
public struct OpenSSHKeyWriter {
|
public struct OpenSSHKeyWriter {
|
||||||
|
|
||||||
|
/// Initializes the writer.
|
||||||
public init() {
|
public init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates an OpenSSH data payload identifying the secret.
|
||||||
|
/// - Returns: OpenSSH data payload identifying the secret.
|
||||||
public func data<SecretType: Secret>(secret: SecretType) -> Data {
|
public func data<SecretType: Secret>(secret: SecretType) -> Data {
|
||||||
lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
|
lengthAndData(of: curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
|
||||||
lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
|
lengthAndData(of: curveIdentifier(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!) +
|
||||||
lengthAndData(of: secret.publicKey)
|
lengthAndData(of: secret.publicKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates an OpenSSH string representation of the secret.
|
||||||
|
/// - Returns: OpenSSH string representation of the secret.
|
||||||
public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
|
public func openSSHString<SecretType: Secret>(secret: SecretType, comment: String? = nil) -> String {
|
||||||
[curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
|
[curveType(for: secret.algorithm, length: secret.keySize), data(secret: secret).base64EncodedString(), comment]
|
||||||
.compactMap { $0 }
|
.compactMap { $0 }
|
||||||
.joined(separator: " ")
|
.joined(separator: " ")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates an OpenSSH SHA256 fingerprint string.
|
||||||
|
/// - Returns: OpenSSH SHA256 fingerprint string.
|
||||||
public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
|
public func openSSHSHA256Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
|
||||||
// OpenSSL format seems to strip the padding at the end.
|
// OpenSSL format seems to strip the padding at the end.
|
||||||
let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
|
let base64 = Data(SHA256.hash(data: data(secret: secret))).base64EncodedString()
|
||||||
@ -27,6 +34,8 @@ public struct OpenSSHKeyWriter {
|
|||||||
return "SHA256:\(cleaned)"
|
return "SHA256:\(cleaned)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Generates an OpenSSH MD5 fingerprint string.
|
||||||
|
/// - Returns: OpenSSH MD5 fingerprint string.
|
||||||
public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
|
public func openSSHMD5Fingerprint<SecretType: Secret>(secret: SecretType) -> String {
|
||||||
Insecure.MD5.hash(data: data(secret: secret))
|
Insecure.MD5.hash(data: data(secret: secret))
|
||||||
.compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
|
.compactMap { ("0" + String($0, radix: 16, uppercase: false)).suffix(2) }
|
||||||
@ -37,23 +46,37 @@ public struct OpenSSHKeyWriter {
|
|||||||
|
|
||||||
extension OpenSSHKeyWriter {
|
extension OpenSSHKeyWriter {
|
||||||
|
|
||||||
|
/// Creates an OpenSSH protocol style data object, which has a length header, followed by the data payload.
|
||||||
|
/// - Parameter data: The data payload.
|
||||||
|
/// - Returns: OpenSSH data.
|
||||||
public func lengthAndData(of data: Data) -> Data {
|
public func lengthAndData(of data: Data) -> Data {
|
||||||
let rawLength = UInt32(data.count)
|
let rawLength = UInt32(data.count)
|
||||||
var endian = rawLength.bigEndian
|
var endian = rawLength.bigEndian
|
||||||
return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
|
return Data(bytes: &endian, count: UInt32.bitWidth/8) + data
|
||||||
}
|
}
|
||||||
|
|
||||||
public func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
|
/// The fully qualified OpenSSH identifier for the algorithm.
|
||||||
switch algorithm {
|
/// - Parameters:
|
||||||
case .ellipticCurve:
|
/// - algorithm: The algorithm to identify.
|
||||||
return "nistp" + String(describing: length)
|
/// - length: The key length of the algorithm.
|
||||||
}
|
/// - Returns: The OpenSSH identifier for the algorithm.
|
||||||
}
|
|
||||||
|
|
||||||
public func curveType(for algorithm: Algorithm, length: Int) -> String {
|
public func curveType(for algorithm: Algorithm, length: Int) -> String {
|
||||||
switch algorithm {
|
switch algorithm {
|
||||||
case .ellipticCurve:
|
case .ellipticCurve:
|
||||||
return "ecdsa-sha2-nistp" + String(describing: length)
|
return "ecdsa-sha2-nistp" + String(describing: length)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// The OpenSSH identifier for an algorithm.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - algorithm: The algorithm to identify.
|
||||||
|
/// - length: The key length of the algorithm.
|
||||||
|
/// - Returns: The OpenSSH identifier for the algorithm.
|
||||||
|
private func curveIdentifier(for algorithm: Algorithm, length: Int) -> String {
|
||||||
|
switch algorithm {
|
||||||
|
case .ellipticCurve:
|
||||||
|
return "nistp" + String(describing: length)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
@ -1,13 +1,18 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
|
|
||||||
|
/// Reads OpenSSH protocol data.
|
||||||
public class OpenSSHReader {
|
public class OpenSSHReader {
|
||||||
|
|
||||||
var remaining: Data
|
var remaining: Data
|
||||||
|
|
||||||
|
/// Initialize the reader with an OpenSSH data payload.
|
||||||
|
/// - Parameter data: The data to read.
|
||||||
public init(data: Data) {
|
public init(data: Data) {
|
||||||
remaining = Data(data)
|
remaining = Data(data)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Reads the next chunk of data from the playload.
|
||||||
|
/// - Returns: The next chunk of data.
|
||||||
public func readNextChunk() -> Data {
|
public func readNextChunk() -> Data {
|
||||||
let lengthRange = 0..<(UInt32.bitWidth/8)
|
let lengthRange = 0..<(UInt32.bitWidth/8)
|
||||||
let lengthChunk = remaining[lengthRange]
|
let lengthChunk = remaining[lengthRange]
|
@ -1,25 +1,32 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import Combine
|
import Combine
|
||||||
|
|
||||||
|
/// A "Store Store," which holds a list of type-erased stores.
|
||||||
public class SecretStoreList: ObservableObject {
|
public class SecretStoreList: ObservableObject {
|
||||||
|
|
||||||
|
/// The Stores managed by the SecretStoreList.
|
||||||
@Published public var stores: [AnySecretStore] = []
|
@Published public var stores: [AnySecretStore] = []
|
||||||
|
/// A modifiable store, if one is available.
|
||||||
@Published public var modifiableStore: AnySecretStoreModifiable?
|
@Published public var modifiableStore: AnySecretStoreModifiable?
|
||||||
private var sinks: [AnyCancellable] = []
|
private var sinks: [AnyCancellable] = []
|
||||||
|
|
||||||
|
/// Initializes a SecretStoreList.
|
||||||
public init() {
|
public init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Adds a non-type-erased SecretStore to the list.
|
||||||
public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
|
public func add<SecretStoreType: SecretStore>(store: SecretStoreType) {
|
||||||
addInternal(store: AnySecretStore(store))
|
addInternal(store: AnySecretStore(store))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Adds a non-type-erased modifiable SecretStore.
|
||||||
public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
|
public func add<SecretStoreType: SecretStoreModifiable>(store: SecretStoreType) {
|
||||||
let modifiable = AnySecretStoreModifiable(modifiable: store)
|
let modifiable = AnySecretStoreModifiable(modifiable: store)
|
||||||
modifiableStore = modifiable
|
modifiableStore = modifiable
|
||||||
addInternal(store: modifiable)
|
addInternal(store: modifiable)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A boolean describing whether there are any Stores available.
|
||||||
public var anyAvailable: Bool {
|
public var anyAvailable: Bool {
|
||||||
stores.reduce(false, { $0 || $1.isAvailable })
|
stores.reduce(false, { $0 || $1.isAvailable })
|
||||||
}
|
}
|
@ -1,14 +1,26 @@
|
|||||||
|
import Foundation
|
||||||
|
|
||||||
|
/// The base protocol for describing a Secret
|
||||||
public protocol Secret: Identifiable, Hashable {
|
public protocol Secret: Identifiable, Hashable {
|
||||||
|
|
||||||
|
/// A user-facing string identifying the Secret.
|
||||||
var name: String { get }
|
var name: String { get }
|
||||||
|
/// The algorithm this secret uses.
|
||||||
var algorithm: Algorithm { get }
|
var algorithm: Algorithm { get }
|
||||||
|
/// The key size for the secret.
|
||||||
var keySize: Int { get }
|
var keySize: Int { get }
|
||||||
|
/// The public key data for the secret.
|
||||||
var publicKey: Data { get }
|
var publicKey: Data { get }
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// The type of algorithm the Secret uses. Currently, only elliptic curve algorithms are supported.
|
||||||
public enum Algorithm: Hashable {
|
public enum Algorithm: Hashable {
|
||||||
|
|
||||||
case ellipticCurve
|
case ellipticCurve
|
||||||
|
|
||||||
|
/// Initializes the Algorithm with a secAttr representation of an algorithm.
|
||||||
|
/// - Parameter secAttr: the secAttr, represented as an NSNumber.
|
||||||
public init(secAttr: NSNumber) {
|
public init(secAttr: NSNumber) {
|
||||||
let secAttrString = secAttr.stringValue as CFString
|
let secAttrString = secAttr.stringValue as CFString
|
||||||
switch secAttrString {
|
switch secAttrString {
|
61
Sources/Packages/Sources/SecretKit/Types/SecretStore.swift
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
import Foundation
|
||||||
|
import Combine
|
||||||
|
|
||||||
|
/// Manages access to Secrets, and performs signature operations on data using those Secrets.
|
||||||
|
public protocol SecretStore: ObservableObject, Identifiable {
|
||||||
|
|
||||||
|
associatedtype SecretType: Secret
|
||||||
|
|
||||||
|
/// A boolean indicating whether or not the store is available.
|
||||||
|
var isAvailable: Bool { get }
|
||||||
|
/// A unique identifier for the store.
|
||||||
|
var id: UUID { get }
|
||||||
|
/// A user-facing name for the store.
|
||||||
|
var name: String { get }
|
||||||
|
/// The secrets the store manages.
|
||||||
|
var secrets: [SecretType] { get }
|
||||||
|
|
||||||
|
/// Signs a data payload with a specified Secret.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - data: The data to sign.
|
||||||
|
/// - secret: The ``Secret`` to sign with.
|
||||||
|
/// - provenance: A ``SigningRequestProvenance`` describing where the request came from.
|
||||||
|
/// - Returns: A ``SignedData`` object, containing the signature and metadata about the signature process.
|
||||||
|
func sign(data: Data, with secret: SecretType, for provenance: SigningRequestProvenance) throws -> SignedData
|
||||||
|
|
||||||
|
/// Persists user authorization for access to a secret.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The ``Secret`` to persist the authorization for.
|
||||||
|
/// - duration: The duration that the authorization should persist for.
|
||||||
|
/// - Note: This is used for temporarily unlocking access to a secret which would otherwise require authentication every single use. This is useful for situations where the user anticipates several rapid accesses to a authorization-guarded secret.
|
||||||
|
func persistAuthentication(secret: SecretType, forDuration duration: TimeInterval) throws
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A SecretStore that the Secretive admin app can modify.
|
||||||
|
public protocol SecretStoreModifiable: SecretStore {
|
||||||
|
|
||||||
|
/// Creates a new ``Secret`` in the store.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - name: The user-facing name for the ``Secret``.
|
||||||
|
/// - requiresAuthentication: A boolean indicating whether or not the user will be required to authenticate before performing signature operations with the secret.
|
||||||
|
func create(name: String, requiresAuthentication: Bool) throws
|
||||||
|
|
||||||
|
/// Deletes a Secret in the store.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The ``Secret`` to delete.
|
||||||
|
func delete(secret: SecretType) throws
|
||||||
|
|
||||||
|
/// Updates the name of a Secret in the store.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The ``Secret`` to update.
|
||||||
|
/// - name: The new name for the Secret.
|
||||||
|
func update(secret: SecretType, name: String) throws
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension NSNotification.Name {
|
||||||
|
|
||||||
|
public static let secretStoreUpdated = NSNotification.Name("com.maxgoedjen.Secretive.secretStore.updated")
|
||||||
|
|
||||||
|
}
|
20
Sources/Packages/Sources/SecretKit/Types/SignedData.swift
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
import Foundation
|
||||||
|
|
||||||
|
/// Describes the output of a sign request.
|
||||||
|
public struct SignedData {
|
||||||
|
|
||||||
|
/// The signed data.
|
||||||
|
public let data: Data
|
||||||
|
/// A boolean describing whether authentication was required during the signature process.
|
||||||
|
public let requiredAuthentication: Bool
|
||||||
|
|
||||||
|
/// Initializes a new SignedData.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - data: The signed data.
|
||||||
|
/// - requiredAuthentication: A boolean describing whether authentication was required during the signature process.
|
||||||
|
public init(data: Data, requiredAuthentication: Bool) {
|
||||||
|
self.data = data
|
||||||
|
self.requiredAuthentication = requiredAuthentication
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,76 @@
|
|||||||
|
import Foundation
|
||||||
|
import AppKit
|
||||||
|
|
||||||
|
/// Describes the chain of applications that requested a signature operation.
|
||||||
|
public struct SigningRequestProvenance: Equatable {
|
||||||
|
|
||||||
|
/// A list of processes involved in the request.
|
||||||
|
/// - Note: A chain will typically consist of many elements even for a simple request. For example, running `git fetch` in Terminal.app would generate a request chain of `ssh` -> `git` -> `zsh` -> `login` -> `Terminal.app`
|
||||||
|
public var chain: [Process]
|
||||||
|
public init(root: Process) {
|
||||||
|
self.chain = [root]
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension SigningRequestProvenance {
|
||||||
|
|
||||||
|
/// The `Process` which initiated the signing request.
|
||||||
|
public var origin: Process {
|
||||||
|
chain.last!
|
||||||
|
}
|
||||||
|
|
||||||
|
/// A boolean describing whether all processes in the request chain had a valid code signature.
|
||||||
|
public var intact: Bool {
|
||||||
|
chain.allSatisfy { $0.validSignature }
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
extension SigningRequestProvenance {
|
||||||
|
|
||||||
|
/// Describes a process in a `SigningRequestProvenance` chain.
|
||||||
|
public struct Process: Equatable {
|
||||||
|
|
||||||
|
/// The pid of the process.
|
||||||
|
public let pid: Int32
|
||||||
|
/// A user-facing name for the process.
|
||||||
|
public let processName: String
|
||||||
|
/// A user-facing name for the application, if one exists.
|
||||||
|
public let appName: String?
|
||||||
|
/// An icon representation of the application, if one exists.
|
||||||
|
public let iconURL: URL?
|
||||||
|
/// The path the process exists at.
|
||||||
|
public let path: String
|
||||||
|
/// A boolean describing whether or not the process has a valid code signature.
|
||||||
|
public let validSignature: Bool
|
||||||
|
/// The pid of the process's parent.
|
||||||
|
public let parentPID: Int32?
|
||||||
|
|
||||||
|
/// Initializes a Process.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - pid: The pid of the process.
|
||||||
|
/// - processName: A user-facing name for the process.
|
||||||
|
/// - appName: A user-facing name for the application, if one exists.
|
||||||
|
/// - iconURL: An icon representation of the application, if one exists.
|
||||||
|
/// - path: The path the process exists at.
|
||||||
|
/// - validSignature: A boolean describing whether or not the process has a valid code signature.
|
||||||
|
/// - parentPID: The pid of the process's parent.
|
||||||
|
public init(pid: Int32, processName: String, appName: String?, iconURL: URL?, path: String, validSignature: Bool, parentPID: Int32?) {
|
||||||
|
self.pid = pid
|
||||||
|
self.processName = processName
|
||||||
|
self.appName = appName
|
||||||
|
self.iconURL = iconURL
|
||||||
|
self.path = path
|
||||||
|
self.validSignature = validSignature
|
||||||
|
self.parentPID = parentPID
|
||||||
|
}
|
||||||
|
|
||||||
|
/// The best user-facing name to display for the process.
|
||||||
|
public var displayName: String {
|
||||||
|
appName ?? processName
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,3 @@
|
|||||||
|
# ``SecureEnclaveSecretKit``
|
||||||
|
|
||||||
|
SecureEnclaveSecretKit contains implementations of SecretKit protocols backed by the Secure Enclave.
|
@ -0,0 +1,14 @@
|
|||||||
|
# ``SecureEnclaveSecretKit/SecureEnclave``
|
||||||
|
|
||||||
|
## Topics
|
||||||
|
|
||||||
|
### Implementations
|
||||||
|
|
||||||
|
- ``Secret``
|
||||||
|
- ``Store``
|
||||||
|
|
||||||
|
### Errors
|
||||||
|
|
||||||
|
- ``KeychainError``
|
||||||
|
- ``SigningError``
|
||||||
|
- ``SecurityError``
|
@ -0,0 +1,2 @@
|
|||||||
|
/// Namespace for the Secure Enclave implementations.
|
||||||
|
public enum SecureEnclave {}
|
@ -1,8 +1,10 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import Combine
|
import Combine
|
||||||
|
import SecretKit
|
||||||
|
|
||||||
extension SecureEnclave {
|
extension SecureEnclave {
|
||||||
|
|
||||||
|
/// An implementation of Secret backed by the Secure Enclave.
|
||||||
public struct Secret: SecretKit.Secret {
|
public struct Secret: SecretKit.Secret {
|
||||||
|
|
||||||
public let id: Data
|
public let id: Data
|
@ -2,9 +2,11 @@ import Foundation
|
|||||||
import Security
|
import Security
|
||||||
import CryptoTokenKit
|
import CryptoTokenKit
|
||||||
import LocalAuthentication
|
import LocalAuthentication
|
||||||
|
import SecretKit
|
||||||
|
|
||||||
extension SecureEnclave {
|
extension SecureEnclave {
|
||||||
|
|
||||||
|
/// An implementation of Store backed by the Secure Enclave.
|
||||||
public class Store: SecretStoreModifiable {
|
public class Store: SecretStoreModifiable {
|
||||||
|
|
||||||
public var isAvailable: Bool {
|
public var isAvailable: Bool {
|
||||||
@ -19,6 +21,7 @@ extension SecureEnclave {
|
|||||||
|
|
||||||
private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
|
private var persistedAuthenticationContexts: [Secret: PersistentAuthenticationContext] = [:]
|
||||||
|
|
||||||
|
/// Initializes a Store.
|
||||||
public init() {
|
public init() {
|
||||||
DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
|
DistributedNotificationCenter.default().addObserver(forName: .secretStoreUpdated, object: nil, queue: .main) { _ in
|
||||||
self.reloadSecrets(notify: false)
|
self.reloadSecrets(notify: false)
|
||||||
@ -56,13 +59,15 @@ extension SecureEnclave {
|
|||||||
]
|
]
|
||||||
] as CFDictionary
|
] as CFDictionary
|
||||||
|
|
||||||
var privateKey: SecKey? = nil
|
var createKeyError: SecurityError?
|
||||||
var publicKey: SecKey? = nil
|
let keypair = SecKeyCreateRandomKey(attributes, &createKeyError)
|
||||||
let status = SecKeyGeneratePair(attributes, &publicKey, &privateKey)
|
if let error = createKeyError {
|
||||||
guard privateKey != nil, let pk = publicKey else {
|
throw error.takeRetainedValue() as Error
|
||||||
throw KeychainError(statusCode: status)
|
|
||||||
}
|
}
|
||||||
try savePublicKey(pk, name: name)
|
guard let keypair = keypair, let publicKey = SecKeyCopyPublicKey(keypair) else {
|
||||||
|
throw KeychainError(statusCode: nil)
|
||||||
|
}
|
||||||
|
try savePublicKey(publicKey, name: name)
|
||||||
reloadSecrets()
|
reloadSecrets()
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -140,6 +145,7 @@ extension SecureEnclave {
|
|||||||
|
|
||||||
public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) throws {
|
public func persistAuthentication(secret: Secret, forDuration duration: TimeInterval) throws {
|
||||||
let newContext = LAContext()
|
let newContext = LAContext()
|
||||||
|
newContext.touchIDAuthenticationAllowableReuseDuration = duration
|
||||||
newContext.localizedCancelTitle = "Deny"
|
newContext.localizedCancelTitle = "Deny"
|
||||||
|
|
||||||
let formatter = DateComponentsFormatter()
|
let formatter = DateComponentsFormatter()
|
||||||
@ -164,6 +170,8 @@ extension SecureEnclave {
|
|||||||
|
|
||||||
extension SecureEnclave.Store {
|
extension SecureEnclave.Store {
|
||||||
|
|
||||||
|
/// Reloads all secrets from the store.
|
||||||
|
/// - Parameter notify: A boolean indicating whether a distributed notification should be posted, notifying other processes (ie, the SecretAgent) to reload their stores as well.
|
||||||
private func reloadSecrets(notify: Bool = true) {
|
private func reloadSecrets(notify: Bool = true) {
|
||||||
secrets.removeAll()
|
secrets.removeAll()
|
||||||
loadSecrets()
|
loadSecrets()
|
||||||
@ -172,6 +180,7 @@ extension SecureEnclave.Store {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Loads all secrets from the store.
|
||||||
private func loadSecrets() {
|
private func loadSecrets() {
|
||||||
let attributes = [
|
let attributes = [
|
||||||
kSecClass: kSecClassKey,
|
kSecClass: kSecClassKey,
|
||||||
@ -196,6 +205,10 @@ extension SecureEnclave.Store {
|
|||||||
secrets.append(contentsOf: wrapped)
|
secrets.append(contentsOf: wrapped)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Saves a public key.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - publicKey: The public key to save.
|
||||||
|
/// - name: A user-facing name for the key.
|
||||||
private func savePublicKey(_ publicKey: SecKey, name: String) throws {
|
private func savePublicKey(_ publicKey: SecKey, name: String) throws {
|
||||||
let attributes = [
|
let attributes = [
|
||||||
kSecClass: kSecClassKey,
|
kSecClass: kSecClassKey,
|
||||||
@ -217,11 +230,15 @@ extension SecureEnclave.Store {
|
|||||||
|
|
||||||
extension SecureEnclave {
|
extension SecureEnclave {
|
||||||
|
|
||||||
|
/// A wrapper around an error code reported by a Keychain API.
|
||||||
public struct KeychainError: Error {
|
public struct KeychainError: Error {
|
||||||
public let statusCode: OSStatus
|
/// The status code involved, if one was reported.
|
||||||
|
public let statusCode: OSStatus?
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A signing-related error.
|
||||||
public struct SigningError: Error {
|
public struct SigningError: Error {
|
||||||
|
/// The underlying error reported by the API, if one was returned.
|
||||||
public let error: SecurityError?
|
public let error: SecurityError?
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -245,13 +262,22 @@ extension SecureEnclave {
|
|||||||
|
|
||||||
extension SecureEnclave {
|
extension SecureEnclave {
|
||||||
|
|
||||||
|
/// A context describing a persisted authentication.
|
||||||
private struct PersistentAuthenticationContext {
|
private struct PersistentAuthenticationContext {
|
||||||
|
|
||||||
|
/// The Secret to persist authentication for.
|
||||||
let secret: Secret
|
let secret: Secret
|
||||||
|
/// The LAContext used to authorize the persistent context.
|
||||||
let context: LAContext
|
let context: LAContext
|
||||||
// Monotonic time instead of Date() to prevent people setting the clock back.
|
/// An expiration date for the context.
|
||||||
|
/// - Note - Monotonic time instead of Date() to prevent people setting the clock back.
|
||||||
let expiration: UInt64
|
let expiration: UInt64
|
||||||
|
|
||||||
|
/// Initializes a context.
|
||||||
|
/// - Parameters:
|
||||||
|
/// - secret: The Secret to persist authentication for.
|
||||||
|
/// - context: The LAContext used to authorize the persistent context.
|
||||||
|
/// - duration: The duration of the authorization context, in seconds.
|
||||||
init(secret: Secret, context: LAContext, duration: TimeInterval) {
|
init(secret: Secret, context: LAContext, duration: TimeInterval) {
|
||||||
self.secret = secret
|
self.secret = secret
|
||||||
self.context = context
|
self.context = context
|
||||||
@ -259,6 +285,7 @@ extension SecureEnclave {
|
|||||||
self.expiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
|
self.expiration = clock_gettime_nsec_np(CLOCK_MONOTONIC) + UInt64(durationInNanoSeconds)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A boolean describing whether or not the context is still valid.
|
||||||
var valid: Bool {
|
var valid: Bool {
|
||||||
clock_gettime_nsec_np(CLOCK_MONOTONIC) < expiration
|
clock_gettime_nsec_np(CLOCK_MONOTONIC) < expiration
|
||||||
}
|
}
|
@ -0,0 +1,3 @@
|
|||||||
|
# ``SmartCardSecretKit``
|
||||||
|
|
||||||
|
SmartCardSecretKit contains implementations of SecretKit protocols backed by a Smart Card.
|
@ -0,0 +1,14 @@
|
|||||||
|
# ``SmartCardSecretKit/SmartCard``
|
||||||
|
|
||||||
|
## Topics
|
||||||
|
|
||||||
|
### Implementations
|
||||||
|
|
||||||
|
- ``Secret``
|
||||||
|
- ``Store``
|
||||||
|
|
||||||
|
### Errors
|
||||||
|
|
||||||
|
- ``KeychainError``
|
||||||
|
- ``SigningError``
|
||||||
|
- ``SecurityError``
|
@ -0,0 +1,2 @@
|
|||||||
|
/// Namespace for the Smart Card implementations.
|
||||||
|
public enum SmartCard {}
|
@ -1,8 +1,10 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import Combine
|
import Combine
|
||||||
|
import SecretKit
|
||||||
|
|
||||||
extension SmartCard {
|
extension SmartCard {
|
||||||
|
|
||||||
|
/// An implementation of Secret backed by a Smart Card.
|
||||||
public struct Secret: SecretKit.Secret {
|
public struct Secret: SecretKit.Secret {
|
||||||
|
|
||||||
public let id: Data
|
public let id: Data
|
@ -2,11 +2,13 @@ import Foundation
|
|||||||
import Security
|
import Security
|
||||||
import CryptoTokenKit
|
import CryptoTokenKit
|
||||||
import LocalAuthentication
|
import LocalAuthentication
|
||||||
|
import SecretKit
|
||||||
|
|
||||||
// TODO: Might need to split this up into "sub-stores?"
|
// TODO: Might need to split this up into "sub-stores?"
|
||||||
// ie, each token has its own Store.
|
// ie, each token has its own Store.
|
||||||
extension SmartCard {
|
extension SmartCard {
|
||||||
|
|
||||||
|
/// An implementation of Store backed by a Smart Card.
|
||||||
public class Store: SecretStore {
|
public class Store: SecretStore {
|
||||||
|
|
||||||
@Published public var isAvailable: Bool = false
|
@Published public var isAvailable: Bool = false
|
||||||
@ -16,6 +18,7 @@ extension SmartCard {
|
|||||||
private let watcher = TKTokenWatcher()
|
private let watcher = TKTokenWatcher()
|
||||||
private var tokenID: String?
|
private var tokenID: String?
|
||||||
|
|
||||||
|
/// Initializes a Store.
|
||||||
public init() {
|
public init() {
|
||||||
tokenID = watcher.nonSecureEnclaveTokens.first
|
tokenID = watcher.nonSecureEnclaveTokens.first
|
||||||
watcher.setInsertionHandler { string in
|
watcher.setInsertionHandler { string in
|
||||||
@ -90,11 +93,14 @@ extension SmartCard {
|
|||||||
|
|
||||||
extension SmartCard.Store {
|
extension SmartCard.Store {
|
||||||
|
|
||||||
|
/// Resets the token ID and reloads secrets.
|
||||||
|
/// - Parameter tokenID: The ID of the token that was removed.
|
||||||
private func smartcardRemoved(for tokenID: String? = nil) {
|
private func smartcardRemoved(for tokenID: String? = nil) {
|
||||||
self.tokenID = nil
|
self.tokenID = nil
|
||||||
reloadSecrets()
|
reloadSecrets()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Reloads all secrets from the store.
|
||||||
private func reloadSecrets() {
|
private func reloadSecrets() {
|
||||||
DispatchQueue.main.async {
|
DispatchQueue.main.async {
|
||||||
self.isAvailable = self.tokenID != nil
|
self.isAvailable = self.tokenID != nil
|
||||||
@ -103,6 +109,7 @@ extension SmartCard.Store {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Loads all secrets from the store.
|
||||||
private func loadSecrets() {
|
private func loadSecrets() {
|
||||||
guard let tokenID = tokenID else { return }
|
guard let tokenID = tokenID else { return }
|
||||||
|
|
||||||
@ -152,6 +159,7 @@ extension SmartCard.Store {
|
|||||||
|
|
||||||
extension TKTokenWatcher {
|
extension TKTokenWatcher {
|
||||||
|
|
||||||
|
/// All available tokens, excluding the Secure Enclave.
|
||||||
fileprivate var nonSecureEnclaveTokens: [String] {
|
fileprivate var nonSecureEnclaveTokens: [String] {
|
||||||
tokenIDs.filter { !$0.contains("setoken") }
|
tokenIDs.filter { !$0.contains("setoken") }
|
||||||
}
|
}
|
||||||
@ -160,11 +168,15 @@ extension TKTokenWatcher {
|
|||||||
|
|
||||||
extension SmartCard {
|
extension SmartCard {
|
||||||
|
|
||||||
|
/// A wrapper around an error code reported by a Keychain API.
|
||||||
public struct KeychainError: Error {
|
public struct KeychainError: Error {
|
||||||
|
/// The status code involved.
|
||||||
public let statusCode: OSStatus
|
public let statusCode: OSStatus
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// A signing-related error.
|
||||||
public struct SigningError: Error {
|
public struct SigningError: Error {
|
||||||
|
/// The underlying error reported by the API, if one was returned.
|
||||||
public let error: SecurityError?
|
public let error: SecurityError?
|
||||||
}
|
}
|
||||||
|
|
@ -1,3 +1,4 @@
|
|||||||
|
import Foundation
|
||||||
import SecretAgentKit
|
import SecretAgentKit
|
||||||
|
|
||||||
class StubFileHandleWriter: FileHandleWriter {
|
class StubFileHandleWriter: FileHandleWriter {
|
@ -1,3 +1,4 @@
|
|||||||
|
import Foundation
|
||||||
import SecretKit
|
import SecretKit
|
||||||
import CryptoKit
|
import CryptoKit
|
||||||
|
|
@ -1,6 +1,8 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import XCTest
|
import XCTest
|
||||||
@testable import SecretKit
|
@testable import SecretKit
|
||||||
|
@testable import SecureEnclaveSecretKit
|
||||||
|
@testable import SmartCardSecretKit
|
||||||
|
|
||||||
class AnySecretTests: XCTestCase {
|
class AnySecretTests: XCTestCase {
|
||||||
|
|
@ -1,6 +1,8 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import XCTest
|
import XCTest
|
||||||
@testable import SecretKit
|
@testable import SecretKit
|
||||||
|
@testable import SecureEnclaveSecretKit
|
||||||
|
@testable import SmartCardSecretKit
|
||||||
|
|
||||||
class OpenSSHReaderTests: XCTestCase {
|
class OpenSSHReaderTests: XCTestCase {
|
||||||
|
|
@ -1,6 +1,8 @@
|
|||||||
import Foundation
|
import Foundation
|
||||||
import XCTest
|
import XCTest
|
||||||
@testable import SecretKit
|
@testable import SecretKit
|
||||||
|
@testable import SecureEnclaveSecretKit
|
||||||
|
@testable import SmartCardSecretKit
|
||||||
|
|
||||||
class OpenSSHWriterTests: XCTestCase {
|
class OpenSSHWriterTests: XCTestCase {
|
||||||
|
|
@ -2,6 +2,8 @@ import Cocoa
|
|||||||
import OSLog
|
import OSLog
|
||||||
import Combine
|
import Combine
|
||||||
import SecretKit
|
import SecretKit
|
||||||
|
import SecureEnclaveSecretKit
|
||||||
|
import SmartCardSecretKit
|
||||||
import SecretAgentKit
|
import SecretAgentKit
|
||||||
import Brief
|
import Brief
|
||||||
|
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
1027
Sources/Secretive.xcodeproj/project.pbxproj
Normal file
@ -1,6 +1,6 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<Scheme
|
<Scheme
|
||||||
LastUpgradeVersion = "1140"
|
LastUpgradeVersion = "1320"
|
||||||
version = "1.7">
|
version = "1.7">
|
||||||
<BuildAction
|
<BuildAction
|
||||||
parallelizeBuildables = "YES"
|
parallelizeBuildables = "YES"
|
@ -1,6 +1,6 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<Scheme
|
<Scheme
|
||||||
LastUpgradeVersion = "1140"
|
LastUpgradeVersion = "1320"
|
||||||
version = "1.7">
|
version = "1.7">
|
||||||
<BuildAction
|
<BuildAction
|
||||||
parallelizeBuildables = "YES"
|
parallelizeBuildables = "YES"
|
@ -1,6 +1,8 @@
|
|||||||
import Cocoa
|
import Cocoa
|
||||||
import SwiftUI
|
import SwiftUI
|
||||||
import SecretKit
|
import SecretKit
|
||||||
|
import SecureEnclaveSecretKit
|
||||||
|
import SmartCardSecretKit
|
||||||
import Brief
|
import Brief
|
||||||
|
|
||||||
@main
|
@main
|
||||||
@ -36,7 +38,7 @@ struct Secretive: App {
|
|||||||
if agentStatusChecker.running && justUpdatedChecker.justUpdated {
|
if agentStatusChecker.running && justUpdatedChecker.justUpdated {
|
||||||
// Relaunch the agent, since it'll be running from earlier update still
|
// Relaunch the agent, since it'll be running from earlier update still
|
||||||
reinstallAgent()
|
reinstallAgent()
|
||||||
} else if !agentStatusChecker.running {
|
} else if !agentStatusChecker.running && !agentStatusChecker.developmentBuild {
|
||||||
forceLaunchAgent()
|
forceLaunchAgent()
|
||||||
}
|
}
|
||||||
}
|
}
|
Before Width: | Height: | Size: 16 KiB After Width: | Height: | Size: 16 KiB |
Before Width: | Height: | Size: 40 KiB After Width: | Height: | Size: 40 KiB |
@ -5,6 +5,7 @@ import SecretKit
|
|||||||
|
|
||||||
protocol AgentStatusCheckerProtocol: ObservableObject {
|
protocol AgentStatusCheckerProtocol: ObservableObject {
|
||||||
var running: Bool { get }
|
var running: Bool { get }
|
||||||
|
var developmentBuild: Bool { get }
|
||||||
}
|
}
|
||||||
|
|
||||||
class AgentStatusChecker: ObservableObject, AgentStatusCheckerProtocol {
|
class AgentStatusChecker: ObservableObject, AgentStatusCheckerProtocol {
|
||||||
@ -36,6 +37,12 @@ class AgentStatusChecker: ObservableObject, AgentStatusCheckerProtocol {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// Whether Secretive is being run in an Xcode environment.
|
||||||
|
var developmentBuild: Bool {
|
||||||
|
Bundle.main.bundleURL.absoluteString.contains("/Library/Developer/Xcode")
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -29,7 +29,7 @@ struct ShellConfigurationController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
func addToShell(shellInstructions: ShellConfigInstruction) -> Bool {
|
@MainActor func addToShell(shellInstructions: ShellConfigInstruction) -> Bool {
|
||||||
let openPanel = NSOpenPanel()
|
let openPanel = NSOpenPanel()
|
||||||
// This is sync, so no need to strongly retain
|
// This is sync, so no need to strongly retain
|
||||||
let delegate = Delegate(name: shellInstructions.shellConfigFilename)
|
let delegate = Delegate(name: shellInstructions.shellConfigFilename)
|