Remove SinglePromptSecureEnclaveValet from tvOS targets

[diogot]

LAContext is not available in tvOS, but for some reason it was compiling in older Xcode versions.

[CLAassistant]

All committers have signed the CLA.

[NickEntin]

I'm assuming omitting the authentication context won't change any behavior. Presumably this never worked on tvOS, but I don't know if the presence of the key affects behavior. cc @dfed

[dfed]

So I think we need to make the entire SinglePromptSecureEnclaveValet unavailable on tvOS.

The approach taken here will make this type behave like the SecureEnclaveValet, which isn't what we want.

The more I think about this, the more I think we make this a breaking change and roll a major version. We may also need a way to let folk on tvOS using this type migrate to SecureEnclaveValet, but given that no one has told us this wasn't working I kinda doubt anyone tried to use it that way... so maybe we don't build that until someone asks for it.

Taking the route of making SinglePromptSecureEnclaveValet unavailable on tvOS will also force us to solve #270, which is kinda a nice bonus.

[diogot]

I agree, I'll update the PR to make SinglePromptSecureEnclaveValet unavailable on tvOS.

[codecov-commenter]

Codecov Report

Merging #284 (ac8235f) into master (53f25b8) will decrease coverage by 0.10%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master     #284      +/-   ##
==========================================
- Coverage   86.81%   86.71%   -0.11%     
==========================================
  Files          16       16              
  Lines         986      986              
==========================================
- Hits          856      855       -1     
- Misses        130      131       +1     

Impacted Files	Coverage Δ
Sources/Valet/SinglePromptSecureEnclaveValet.swift	75.75% <ø> (ø)
Sources/Valet/Valet.swift	94.05% <0.00%> (-0.50%)	⬇️

[dfed]

This is a good start! To get CI passing you'll likely need to update the availability checks in Tests/ValetIntegrationTests/SinglePromptSecureEnclaveIntegrationTests.Swift

[diogot]

Just marking as SinglePromptSecureEnclaveValet as @available(tvOS, unavailable) is not enough to compile the project with Xcode 13.4.1, we still need the other checks as the first version.
So to make it compile with 13.4.1 and 14 I might need to keep all the checks.

[diogot]

New approach, remove the classes from tvOS using #if !os(tvOS).
Not it compiles fine in Xcode 13 and 14.
All tests pass with Xcode 14, but a few in SecureEnclaveIntegrationTests fail in Xcode 13 and I don't know why.
I may need some help to fix that.

[diogot]

They are failing with KeychainError status: errSecAuthFailed

[dfed]

New approach, remove the classes from tvOS using #if !os(tvOS).
Not it compiles fine in Xcode 13 and 14.
All tests pass with Xcode 14, but a few in SecureEnclaveIntegrationTests fail in Xcode 13 and I don't know why.
I may need some help to fix that.

Which tests are failing for you? Are these tests failing for you on master as well, or is the failure new to your branch? Getting the test setup right locally can be relatively tricky given the code-signing requirements. Are you running these tests on a simulator, iOS device, or Mac? What OS version is the test target running on?

Good news is CI is passing, but there are some tests we don't run in CI because CI can't properly test some keychain interactions without some manual intervention 😬

[dfed]

This is looking really good! Some suggestions below. Let's figure out these test failures you are seeing locally, but I think we're darned close.

[dfed]

so good to be able to get rid of these!

[dfed]

"Fun" fact: Marking a test as @available does not prevent that test from being run on unavailable OS versions 😬, hence the need for all of these guards

[diogot]

I figure that out, hehe

[dfed]

Holy moly this is nicer!

[diogot]

The tests are also failing in master, tvOS and iOS 15.5 simulators :

• test_secureEnclaveValetsWithEqualConfiguration_canAccessSameData
• test_secureEnclaveValetsWithDifferingAccessControl_canNotAccessSameData
• test_migrateObjectsFromValet_migratesSuccessfullyToSecureEnclave
• test_migrateObjectsFromValet_migratesSuccessfullyAfterCanAccessKeychainCalls

[dfed]

The tests are also failing in master, tvOS and iOS 15.5 simulators :

• test_secureEnclaveValetsWithEqualConfiguration_canAccessSameData
• test_secureEnclaveValetsWithDifferingAccessControl_canNotAccessSameData
• test_migrateObjectsFromValet_migratesSuccessfullyToSecureEnclave
• test_migrateObjectsFromValet_migratesSuccessfullyAfterCanAccessKeychainCalls

That makes sense. I think this method needs to be updated to include later OS versions:

Valet/Tests/ValetIntegrationTests/ValetIntegrationTests.swift

Lines 39 to 52 in 53f25b8

	func testEnvironmentSupportsWhenPasscodeSet() -> Bool {
	if let simulatorVersionInfo = ProcessInfo.processInfo.environment["SIMULATOR_VERSION_INFO"],
	simulatorVersionInfo.contains("iOS 13") || simulatorVersionInfo.contains("tvOS 13")
	{
	// iOS and tvOS 13 simulators fail to store items in a Valet that has a
	// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly flag. The documentation for this flag says:
	// "No items can be stored in this class on devices without a passcode". I currently do not
	// understand why prior simulators work with this flag, given that no simulators have a passcode.
	return false
	} else {
	return true
	}
	}

Note that these tests are failing on my iOS 15 simulator as well. The good news is it works on device. I'll put up a PR to fix this. In the interim, I think this PR is good to merge!

[diogot]

Thanks!!