From fba76db03863c30dfc65b9dd9f433080d7475abb Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Wed, 4 Oct 2017 15:53:22 -0700
Subject: [PATCH 1/3] [iOS] MAS credentials should be stored in the keychain as device only
---
 .../services/access/MASAccessService.m | 24 ++++++++-----------
 1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.m b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
index 441a2d23..6674cade 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.m
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
@@ -102,36 +102,32 @@ - (void)serviceWillStart
 // _gatewayIdentifier = [MASConfiguration currentConfiguration].gatewayUrl.absoluteString;
- _localStorageServiceName = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, kMASAccessLocalStorageServiceName];
 _sharedStorageServiceName = [NSString stringWithFormat:@"%@.%@", _gatewayIdentifier, kMASAccessSharedStorageServiceName];
+ //
+ // Local storage
+ //
+ MASIKeyChainStore *localStorage = [MASIKeyChainStore keyChainStoreWithService:_localStorageServiceName];
+ localStorage.synchronizable = FALSE;
+ localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
+
 if ([MASConfiguration currentConfiguration].ssoEnabled && [self isAccessGroupAccessible])
 {
-
- //
- // Local storage
- //
- MASIKeyChainStore *localStorage = [MASIKeyChainStore keyChainStoreWithService:_localStorageServiceName];
-
 //
 // Shared storage
 //
 MASIKeyChainStore *sharedStorage = [MASIKeyChainStore keyChainStoreWithService:_sharedStorageServiceName accessGroup:self.accessGroup];
-
+ sharedStorage.synchronizable = FALSE;
+ sharedStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
+
 //
 // storage dictionary property
 //
 _storages = [NSDictionary dictionaryWithObjectsAndKeys:localStorage, kMASAccessLocalStorageKey, sharedStorage, kMASAccessSharedStorageKey, nil];
 }
 else
 {
-
- //
- // Local storage
- //
- MASIKeyChainStore *localStorage = [MASIKeyChainStore keyChainStoreWithService:_localStorageServiceName];
-
 //
 // storage dictionary property
 //
From b87f3ed586574c35d1d4c3cddd57ce9eb35adafd Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Thu, 5 Oct 2017 10:36:37 -0700
Subject: [PATCH 2/3] Performed changes requested by James on his review.
---
 .../Classes/_private_/services/access/MASAccessService.m | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
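Review bot: The hardening pair `localStorage.synchronizable = FALSE;` and `localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;` is repeated verbatim for `sharedStorage` further down the hunk; applying both attributes through one small private helper (for example `- (void)configureDeviceOnlyKeychainStore:(MASIKeyChainStore *)store`) would keep the two stores from drifting apart in later edits. The accessibility line also deserves a why-comment, since its purpose is not obvious from the code: `// ThisDeviceOnly: the item is excluded from iCloud Keychain and is not restored onto a different device from a backup`. serviceWillStart opens before this hunk and its else branch continues past it.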
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.m b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
index 6674cade..1ee01a8e 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.m
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
@@ -110,7 +110,7 @@ - (void)serviceWillStart
 // Local storage
 //
 MASIKeyChainStore *localStorage = [MASIKeyChainStore keyChainStoreWithService:_localStorageServiceName];
- localStorage.synchronizable = FALSE;
+ localStorage.synchronizable = NO;
 localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
 if ([MASConfiguration currentConfiguration].ssoEnabled && [self isAccessGroupAccessible])
@@ -119,7 +119,7 @@ - (void)serviceWillStart
 // Shared storage
 //
 MASIKeyChainStore *sharedStorage = [MASIKeyChainStore keyChainStoreWithService:_sharedStorageServiceName accessGroup:self.accessGroup];
- sharedStorage.synchronizable = FALSE;
+ sharedStorage.synchronizable = NO;
 sharedStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
 //
From b0b92c46b821629dc6b6da7f0fef1991a4cf4318 Mon Sep 17 00:00:00 2001
From: Rodrigo Reis
Date: Fri, 6 Oct 2017 09:09:34 -0700
Subject: [PATCH 3/3] Exposed methods to allow developer set Keychain Synchronizable property, by default, the Keychain will not be synchronized through iCloud.
---
 MASFoundation/Classes/MAS.h | 20 +++++++++++++++++++
 MASFoundation/Classes/MAS.m | 12 +++++++++++
 .../services/access/MASAccessService.h | 18 +++++++++++++++++
 .../services/access/MASAccessService.m | 19 ++++++++++++++----
 4 files changed, 65 insertions(+), 4 deletions(-)
diff --git a/MASFoundation/Classes/MAS.h b/MASFoundation/Classes/MAS.h
index c4431e1a..84741825 100644
--- a/MASFoundation/Classes/MAS.h
+++ b/MASFoundation/Classes/MAS.h
@@ -148,6 +148,26 @@
+/**
+ * Sets BOOL indicator whether the Keychain is synchronized through iCloud.
+ * By default, the Keychain is not synchronized through iCloud.
+ *
+ * @param enabled BOOL YES to enable synchroniztion, NO to disable it.
+ */
++ (void)setKeychainSynchronizable:(BOOL)enabled;
+
+
+ /**
+ * Gets BOOL indicator of Keychain sincronization enabled or not.
+ * By default, the Keychain is not synchronized through iCloud.
+ *
+ * @return return BOOL value indicating Keychain sincronization is enabled or not
+ */
++ (BOOL)isKeychainSynchronizable;
+
+
+
 ///--------------------------------------
 /// @name Start & Stop
 ///--------------------------------------
diff --git a/MASFoundation/Classes/MAS.m b/MASFoundation/Classes/MAS.m
index d1981d96..a633832a 100644
--- a/MASFoundation/Classes/MAS.m
+++ b/MASFoundation/Classes/MAS.m
@@ -98,6 +98,18 @@ + (void)setGatewayMonitor:(MASGatewayMonitorStatusBlock)monitor
 }
++ (void)setKeychainSynchronizable:(BOOL)enabled
+{
+ [MASAccessService setKeychainSynchronizable:enabled];
+}
+
+
++ (BOOL)isKeychainSynchronizable
+{
+ return [MASAccessService isKeychainSynchronizable];
+}
+
+
 + (MASState)MASState
 {
 //
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.h b/MASFoundation/Classes/_private_/services/access/MASAccessService.h
index 64dc044b..7ab122e0 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.h
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.h
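Review bot: The two new public doc comments do not say when the flag takes effect: the value is only read when the access service builds its keychain stores (the `localStorage.synchronizable = _isKeychainSynchronizable_;` assignment in serviceWillStart later in this patch), so `+setKeychainSynchronizable:` appears to have no effect unless it is called before the framework is started. A sentence such as `Must be called before MAS is started; the value is read once when the keychain stores are created.` on the setter would close that gap, and a line on the trade-off — a synchronizable item is replicated to every device signed into the same iCloud account — lets an integrator weigh it. The comments also carry typos (`synchroniztion`, `sincronization`) and `@return return BOOL value …` doubles the word; `@return YES if the Keychain is synchronized through iCloud, otherwise NO.` reads cleaner.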
@@ -99,6 +99,24 @@ typedef NS_ENUM(NSInteger, MASAccessValueType)
+/**
+ * Static boolean property indicating Keychain sincronization is enabled or not.
+ *
+ * @return return BOOL value indicating Keychain sincronization is enabled or not
+ */
++ (BOOL)isKeychainSynchronizable;
+
+
+ /**
+ * Setter of static boolean property indicating Keychain sincronization is enabled or not.
+ *
+ * @param enable BOOL value indicating Keychain sincronization is enabled or not
+ */
++ (void)setKeychainSynchronizable:(BOOL)enable;
+
+
+
 ///--------------------------------------
 /// @name Shared Service
 ///--------------------------------------
diff --git a/MASFoundation/Classes/_private_/services/access/MASAccessService.m b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
index 1ee01a8e..efdb6e80 100644
--- a/MASFoundation/Classes/_private_/services/access/MASAccessService.m
+++ b/MASFoundation/Classes/_private_/services/access/MASAccessService.m
@@ -49,6 +49,7 @@ @implementation MASAccessService
 static BOOL _isPKCEEnabled_ = YES;
+static BOOL _isKeychainSynchronizable_ = NO;
 # pragma mark - Properties
@@ -64,6 +65,18 @@ + (void)enablePKCE:(BOOL)enable
 }
++ (BOOL)isKeychainSynchronizable
+{
+ return _isKeychainSynchronizable_;
+}
+
+
++ (void)setKeychainSynchronizable:(BOOL)enable
+{
+ _isKeychainSynchronizable_ = enable;
+}
+
+
 # pragma mark - Shared Service
 + (instancetype)sharedService
@@ -110,8 +123,7 @@ - (void)serviceWillStart
 // Local storage
 //
 MASIKeyChainStore *localStorage = [MASIKeyChainStore keyChainStoreWithService:_localStorageServiceName];
- localStorage.synchronizable = NO;
- localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
+ localStorage.synchronizable = _isKeychainSynchronizable_;
 if ([MASConfiguration currentConfiguration].ssoEnabled && [self isAccessGroupAccessible])
 {
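Review bot: The setter parameter is named `enable` in this header while the public MAS.h declaration in the same patch uses `enabled`, and the MAS.m forwarder passes `enabled`; picking one name for all three avoids a confusing Quick Help mismatch. The doc comments misspell `sincronization` in four places, and `@return return BOOL value …` repeats the word; the getter comment could read `Whether the keychain stores created by this service are marked synchronizable (iCloud Keychain). Defaults to NO.`. Since the value is consumed in serviceWillStart when the stores are built, the setter comment should also state that it has no effect on stores that already exist.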
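Review bot: Removing `localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;` (and the matching `sharedStorage` line in the following @@ -119 hunk) gives up the device-only protection that the first patch of this series added, and it does so even in the default `_isKeychainSynchronizable_ == NO` case where the attribute is still valid; the store now falls back to whatever accessibility MASIKeyChainStore uses by default, which this diff does not show. Presumably the line was dropped because the Keychain does not accept ThisDeviceOnly accessibility on synchronizable items, but that only calls for making it conditional: `if (!_isKeychainSynchronizable_) { localStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly; }`, with the same guard around the sharedStorage assignment. A comment above the guard, such as `// ThisDeviceOnly is incompatible with kSecAttrSynchronizable; keep it whenever iCloud sync is off`, records why the two settings are coupled. The flag is read only here, so `+setKeychainSynchronizable:` appears to have no effect once the stores exist; the enclosing serviceWillStart begins before and continues after the hunk.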
@@ -119,8 +131,7 @@ - (void)serviceWillStart
 // Shared storage
 //
 MASIKeyChainStore *sharedStorage = [MASIKeyChainStore keyChainStoreWithService:_sharedStorageServiceName accessGroup:self.accessGroup];
- sharedStorage.synchronizable = NO;
- sharedStorage.accessibility = MASIKeyChainStoreAccessibilityAfterFirstUnlockThisDeviceOnly;
+ sharedStorage.synchronizable = _isKeychainSynchronizable_;
 //
 // storage dictionary property