Add support for multiple Valets within the same access group #297
Conversation
efirestone
force-pushed
the
firestone/valet-group-with-id
branch
from
6dda0ec to
d1b4537
Compare
There was a problem hiding this comment.
Overall this seems reasonable to me. We're taking on a bit more complexity, but it's not too shabby. I'd love to better understand the use case for this, and why we're only adding this functionality to shared access Valets: is the use case specific to shared access Valets or is your current need currently scoped to shared access Valets?
Also: thoughts on updating the README to document this new API?
| @@ -317,6 +318,19 @@ class ValetIntegrationTests: XCTestCase | |||
| } | |||
| } | |||
|
|
|||
| func test_stringForKey_withDifferingIdentifierInSameAccessGroup_throwsItemNotFound() throws | |||
There was a problem hiding this comment.
Should we add the opposite as well: same identifier, different shared access group identifier?
| XCTAssertEqual(error as? KeychainError, .itemNotFound) | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
It might be nice to add a test that migrating between two different valets with different identifiers works as expected. (I know the test matrix is big + annoying but the more tests we have the more confident we are that this stuff actually works)
There was a problem hiding this comment.
The migration matrix doesn't seem to care about the types of the Valets that are involved in the migration, and more about the variations and keys and values. For example, there's nothing testing the migration of iCloud Valets to group access Valets to local Valets, etc. And I think that makes sense given that the migration uses the standard get/set/remove methods in all cases, and those are tested separately for each type.
Happy to add something here, but not entirely sure which tests of value are missing.
There was a problem hiding this comment.
Eh that's fair. I was going off memory. If we don't have similar tests then we're good to go here. I would, however, like to see test coverage improve (based on the code of comment), but I'm currently in mobile so I haven't checked details. Let me know if I can help offer possible tests to up coverage.
There was a problem hiding this comment.
The Codecov report says The diff coverage is 100.00%., so I think all the new content is covered. It went down overall, but I'm not sure how that's calculated.
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #297 +/- ##
==========================================
- Coverage 86.81% 82.52% -4.30%
==========================================
Files 16 16
Lines 986 990 +4
==========================================
- Hits 856 817 -39
- Misses 130 173 +43
|
Our use case is only for shared group access Valets. The same thing could easily be extended to iCloud and other shared Valets as well, but I figured I'd start here to scope it down. Happy to add the other cases in this PR or a follow up too though.
Yup, good call. On it. |
These changes happened automatically as a result of using a newer Xcode version
efirestone
force-pushed
the
firestone/valet-group-with-id
branch
2 times, most recently
from
b03bd08 to
bb3f87a
Compare
Updated the README and added the ability to add uniqueness identifiers to the other shared types (iCloud, SecureEnclave, SinglePromptSecureEnclave). |
README.md
Outdated
| It is possible to create multiple Valets within the same shared access group be specifying the same group identifier but different unique identifiers, like so: | ||
|
|
||
| ``` | ||
| let valet1 = Valet.sharedGroupValet(with: groupID, identifier: Identifier(nonEmpty: "valet1")!, accessibility: accessibility) | ||
| let valet2 = Valet.sharedGroupValet(with: groupID, identifier: Identifier(nonEmpty: "valet2")!, accessibility: accessibility) | ||
| ``` | ||
|
|
||
| These two Valets cannot access each others data, but they are both accessible from all applications or extensions which have access to the given `groupID`. The `identifier` (but not the `groupIdentifier`) is optional on shared Valets. All Valets created within the same group using the default `identifier` can access the same data. | ||
|
|
There was a problem hiding this comment.
let's move this blurb up to the Valet section and then replace this with:
| It is possible to create multiple Valets within the same shared access group be specifying the same group identifier but different unique identifiers, like so: | |
| ``` | |
| let valet1 = Valet.sharedGroupValet(with: groupID, identifier: Identifier(nonEmpty: "valet1")!, accessibility: accessibility) | |
| let valet2 = Valet.sharedGroupValet(with: groupID, identifier: Identifier(nonEmpty: "valet2")!, accessibility: accessibility) | |
| ``` | |
| These two Valets cannot access each others data, but they are both accessible from all applications or extensions which have access to the given `groupID`. The `identifier` (but not the `groupIdentifier`) is optional on shared Valets. All Valets created within the same group using the default `identifier` can access the same data. | |
| As with Valets, shared iCloud Valets can be created with an additional identifier, allowing multiple independently sandboxed keychains to exist within the same shared group. | |
There was a problem hiding this comment.
@efirestone we still want this blurb but we want it further up in the README 😉
There was a problem hiding this comment.
@dfed can you merge this? I don't have permissions 🙏
@efirestone can we address this comment first? Happy to merge once addressed.
There was a problem hiding this comment.
I'm not sure I'm following what you're suggesting (and now the review recommendation can't be committed). Are you saying put this blurb in the Valet section:
As with Valets, shared iCloud Valets can be created with an additional identifier, allowing multiple independently sandboxed keychains to exist within the same shared group.
or to leave that blurb in the "Sharing Secrets" section, and then put the original text up in the Valet section?
There was a problem hiding this comment.
Ah! Okay I see where I failed to read here. It's the additional in additional identifier that threw me.
The additional is referring to iCloud Valets, whereas Valets have a primary identifier.
I think we should just remove the "As with Valets" preamble and this'll make more sense to me.
efirestone
force-pushed
the
firestone/valet-group-with-id
branch
2 times, most recently
from
608dfff to
1f058ad
Compare
|
@dfed can you merge this? I don't have permissions 🙏 |
Sources/Valet/Valet.swift
Outdated
| /// - accessibility: The desired accessibility for the Valet. | ||
| /// - identifier: An optional additional uniqueness identifier. Using this identifier allows for the creation of separate, sandboxed Valets within the same shared access group. |
There was a problem hiding this comment.
nit: Reorder these to match the parameter order.
| @@ -317,6 +318,19 @@ class ValetIntegrationTests: XCTestCase | |||
| } | |||
| } | |||
|
|
|||
| func test_stringForKey_withDifferingIdentifierInSameAccessGroup_throwsItemNotFound() throws | |||
There was a problem hiding this comment.
Should we add the opposite as well: same identifier, different shared access group identifier?
efirestone
force-pushed
the
firestone/valet-group-with-id
branch
from
1f058ad to
90de005
Compare
Previously, the shared access group identifier was used for both the access group itself, as well as the uniqueness identifier for the given Valet. This adds an optional additional `identifier` parameter that can be specified when creating a shared access group Valet. The identifier adds an additional element of uniqueness, so two Valets with the same shared access group can exist, and their data will not overlap, so long as they have different identifiers. The default for this value is `nil`, which keeps the existing behavior for full backward compatibility.
efirestone
force-pushed
the
firestone/valet-group-with-id
branch
from
90de005 to
7bfe6ae
Compare
|
"As with Valets" prefix removed in the README, so should be good to go. The iOS 13 + iOS 14 builds aren't finishing anymore, I'm guessing due to a GitHub change. It looks like |
Thanks for addressing! Re Xcode 12.4: can you file an issue on https://github.com/actions/runner-images? I've had success there in the past when there was a runner configuration issue. |
|
Just filed an issue for what we're seeing with CI: actions/runner-images#7687 |
|
Just merged latest into this branch. Should turn green, at which point merge at will @efirestone. Let me know if you want help publishing the feature version update. |
|
Just released this as 4.2.0 |
Previously, the shared access group identifier was used for both the access group itself, as well as the uniqueness identifier for the given Valet. This adds an optional additional
identifierparameter that can be specified when creating a shared access group Valet. The identifier adds an additional element of uniqueness, so two Valets with the same shared access group can exist, and their data will not overlap, so long as they have different identifiers.The default for this value is
nil, which keeps the existing behavior for full backward compatibility.