Use the data protection keychain on macOS (google#127)

* Require GTMAppAuth >= 1.3.0.

* Use the data protection keychain on macOS.

* Update tests.

* Only perform migration for iOS.

* Improve comments.

* Use a BOOL value rather than OCMOCK_ANY.

Author: petea

GoogleSignIn.podspec

@@ -33,7 +33,7 @@ The Google Sign-In SDK allows users to sign in with their Google account from th
   s.ios.framework = 'UIKit'
   s.osx.framework = 'AppKit'
   s.dependency 'AppAuth', '~> 1.5'
-  s.dependency 'GTMAppAuth', '>= 1.2.3', '< 2.0'
+  s.dependency 'GTMAppAuth', '>= 1.3.0', '< 2.0'
   s.dependency 'GTMSessionFetcher/Core', '~> 1.1'
   s.resource_bundle = {
     'GoogleSignIn' => ['GoogleSignIn/Sources/{Resources,Strings}/*']

GoogleSignIn/Sources/GIDSignIn.m

@@ -26,7 +26,9 @@
 #import "GoogleSignIn/Sources/GIDCallbackQueue.h"
 #import "GoogleSignIn/Sources/GIDScopes.h"
 #import "GoogleSignIn/Sources/GIDSignInCallbackSchemes.h"
+#if TARGET_OS_IOS && !TARGET_OS_MACCATALYST
 #import "GoogleSignIn/Sources/GIDAuthStateMigration.h"
+#endif // TARGET_OS_IOS && !TARGET_OS_MACCATALYST
 #if TARGET_OS_IOS || TARGET_OS_MACCATALYST
 #import "GoogleSignIn/Sources/GIDEMMErrorHandler.h"
 #endif
@@ -493,11 +495,13 @@ - (id)initPrivate {
         initWithAuthorizationEndpoint:[NSURL URLWithString:authorizationEnpointURL]
                         tokenEndpoint:[NSURL URLWithString:tokenEndpointURL]];
 
-    // Perform migration of auth state from old versions of the SDK if needed.
+#if TARGET_OS_IOS && !TARGET_OS_MACCATALYST
+    // Perform migration of auth state from old (before 5.0) versions of the SDK if needed.
     [GIDAuthStateMigration migrateIfNeededWithTokenURL:_appAuthConfiguration.tokenEndpoint
                                           callbackPath:kBrowserCallbackPath
                                           keychainName:kGTMAppAuthKeychainName
                                         isFreshInstall:isFreshInstall];
+#endif // TARGET_OS_IOS && !TARGET_OS_MACCATALYST
   }
   return self;
 }
@@ -1010,19 +1014,22 @@ - (BOOL)isFreshInstall {
 }
 
 - (void)removeAllKeychainEntries {
-  [GTMAppAuthFetcherAuthorization removeAuthorizationFromKeychainForName:kGTMAppAuthKeychainName];
+  [GTMAppAuthFetcherAuthorization removeAuthorizationFromKeychainForName:kGTMAppAuthKeychainName
+                                               useDataProtectionKeychain:YES];
 }
 
 - (BOOL)saveAuthState:(OIDAuthState *)authState {
   GTMAppAuthFetcherAuthorization *authorization =
       [[GTMAppAuthFetcherAuthorization alloc] initWithAuthState:authState];
   return [GTMAppAuthFetcherAuthorization saveAuthorization:authorization
-                                         toKeychainForName:kGTMAppAuthKeychainName];
+                                         toKeychainForName:kGTMAppAuthKeychainName
+                                 useDataProtectionKeychain:YES];
 }
 
 - (OIDAuthState *)loadAuthState {
   GTMAppAuthFetcherAuthorization *authorization =
-      [GTMAppAuthFetcherAuthorization authorizationFromKeychainForName:kGTMAppAuthKeychainName];
+      [GTMAppAuthFetcherAuthorization authorizationFromKeychainForName:kGTMAppAuthKeychainName
+                                             useDataProtectionKeychain:YES];
   return authorization.authState;
 }
 

GoogleSignIn/Tests/Unit/GIDSignInTest.m

@@ -90,7 +90,7 @@
 static NSString * const kScope = @"FakeScope";
 static NSString * const kScope2 = @"FakeScope2";
 static NSString * const kAuthCode = @"FakeAuthCode";
-static NSString * const kFakeKeychainName = @"FakeKeychainName";
+static NSString * const kKeychainName = @"auth";
 static NSString * const kUserEmail = @"FakeUserEmail";
 static NSString * const kVerifier = @"FakeVerifier";
 static NSString * const kOpenIDRealm = @"FakeRealm";
@@ -300,15 +300,19 @@ - (void)setUp {
   _tokenResponse = OCMStrictClassMock([OIDTokenResponse class]);
   _tokenRequest = OCMStrictClassMock([OIDTokenRequest class]);
   _authorization = OCMStrictClassMock([GTMAppAuthFetcherAuthorization class]);
-  OCMStub([_authorization authorizationFromKeychainForName:OCMOCK_ANY]).andReturn(_authorization);
+  OCMStub([_authorization authorizationFromKeychainForName:OCMOCK_ANY
+                                 useDataProtectionKeychain:YES]).andReturn(_authorization);
   OCMStub([_authorization alloc]).andReturn(_authorization);
   OCMStub([_authorization initWithAuthState:OCMOCK_ANY]).andReturn(_authorization);
-  OCMStub([_authorization saveAuthorization:OCMOCK_ANY toKeychainForName:OCMOCK_ANY])
+  OCMStub([_authorization saveAuthorization:OCMOCK_ANY
+                          toKeychainForName:OCMOCK_ANY
+                  useDataProtectionKeychain:YES])
       .andDo(^(NSInvocation *invocation) {
         self->_keychainSaved = self->_saveAuthorizationReturnValue;
         [invocation setReturnValue:&self->_saveAuthorizationReturnValue];
       });
-  OCMStub([_authorization removeAuthorizationFromKeychainForName:OCMOCK_ANY])
+  OCMStub([_authorization removeAuthorizationFromKeychainForName:OCMOCK_ANY
+                                       useDataProtectionKeychain:YES])
       .andDo(^(NSInvocation *invocation) {
         self->_keychainRemoved = YES;
       });
@@ -718,6 +722,9 @@ - (void)testSignOut {
   XCTAssertTrue(_keychainRemoved, @"should remove keychain");
   XCTAssertTrue([_changedKeyPaths containsObject:NSStringFromSelector(@selector(currentUser))],
                 @"should notify observers that signed in user changed");
+
+  OCMVerify([_authorization removeAuthorizationFromKeychainForName:kKeychainName
+                                         useDataProtectionKeychain:YES]);
 }
 
 - (void)testNotHandleWrongScheme {
@@ -1394,6 +1401,14 @@ - (void)OAuthLoginWithAddScopesFlow:(BOOL)addScopesFlow
   [self waitForExpectationsWithTimeout:1 handler:nil];
   XCTAssertFalse(_keychainRemoved, @"should not remove keychain");
   XCTAssertFalse(_keychainSaved, @"should not save to keychain again");
+  
+  if (restoredSignIn) {
+    OCMVerify([_authorization authorizationFromKeychainForName:kKeychainName
+                                     useDataProtectionKeychain:YES]);
+    OCMVerify([_authorization saveAuthorization:OCMOCK_ANY
+                              toKeychainForName:kKeychainName
+                      useDataProtectionKeychain:YES]);
+  }
 }
 
 

Package.swift

@@ -48,7 +48,7 @@ let package = Package(
     .package(
       name: "GTMAppAuth",
       url: "https://github.com/google/GTMAppAuth.git",
-      "1.2.3" ..< "2.0.0"),
+      "1.3.0" ..< "2.0.0"),
     .package(
       name: "GTMSessionFetcher",
       url: "https://github.com/google/gtm-session-fetcher.git",