2 * macos_keychain.c: Mac OS keychain providers for SVN_AUTH_*
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
21 * ====================================================================
24 /* ==================================================================== */
28 #include <apr_pools.h>
30 #include "svn_error.h"
32 #include "svn_config.h"
35 #include "private/svn_auth_private.h"
37 #include "svn_private_config.h"
39 #ifdef SVN_HAVE_KEYCHAIN_SERVICES
41 #include <Security/Security.h>
43 /*-----------------------------------------------------------------------*/
44 /* keychain simple provider, puts passwords in the KeyChain */
45 /*-----------------------------------------------------------------------*/
48 * XXX (2005-12-07): If no GUI is available (e.g. over a SSH session),
49 * you won't be prompted for credentials with which to unlock your
50 * keychain. Apple recognizes lack of TTY prompting as a known
54 * XXX (2005-12-07): SecKeychainSetUserInteractionAllowed(FALSE) does
55 * not appear to actually prevent all user interaction. Specifically,
56 * if the executable changes (for example, if it is rebuilt), the
57 * system prompts the user to okay the use of the new executable.
59 * Worse than that, the interactivity setting is global per app (not
60 * process/thread), meaning that there is a race condition in the
61 * implementation below between calls to
62 * SecKeychainSetUserInteractionAllowed() when multiple instances of
63 * the same Subversion auth provider-based app run concurrently.
66 /* Implementation of svn_auth__password_set_t that stores
67 the password in the OS X KeyChain. */
69 keychain_password_set(svn_boolean_t *done,
71 const char *realmstring,
74 apr_hash_t *parameters,
75 svn_boolean_t non_interactive,
79 SecKeychainItemRef item;
82 SecKeychainSetUserInteractionAllowed(FALSE);
84 status = SecKeychainFindGenericPassword(NULL, (int) strlen(realmstring),
85 realmstring, username == NULL
87 : (int) strlen(username),
88 username, 0, NULL, &item);
91 if (status == errSecItemNotFound)
92 status = SecKeychainAddGenericPassword(NULL, (int) strlen(realmstring),
93 realmstring, username == NULL
95 : (int) strlen(username),
96 username, (int) strlen(password),
101 status = SecKeychainItemModifyAttributesAndData(item, NULL,
102 (int) strlen(password),
108 SecKeychainSetUserInteractionAllowed(TRUE);
110 *done = (status == 0);
115 /* Implementation of svn_auth__password_get_t that retrieves
116 the password from the OS X KeyChain. */
118 keychain_password_get(svn_boolean_t *done,
119 const char **password,
121 const char *realmstring,
122 const char *username,
123 apr_hash_t *parameters,
124 svn_boolean_t non_interactive,
134 SecKeychainSetUserInteractionAllowed(FALSE);
136 status = SecKeychainFindGenericPassword(NULL, (int) strlen(realmstring),
137 realmstring, username == NULL
139 : (int) strlen(username),
140 username, &length, &data, NULL);
143 SecKeychainSetUserInteractionAllowed(TRUE);
148 *password = apr_pstrmemdup(pool, data, length);
149 SecKeychainItemFreeContent(NULL, data);
154 /* Get cached encrypted credentials from the simple provider's cache. */
156 keychain_simple_first_creds(void **credentials,
158 void *provider_baton,
159 apr_hash_t *parameters,
160 const char *realmstring,
163 return svn_auth__simple_creds_cache_get(credentials,
168 keychain_password_get,
169 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
173 /* Save encrypted credentials to the simple provider's cache. */
175 keychain_simple_save_creds(svn_boolean_t *saved,
177 void *provider_baton,
178 apr_hash_t *parameters,
179 const char *realmstring,
182 return svn_auth__simple_creds_cache_set(saved, credentials,
186 keychain_password_set,
187 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
191 static const svn_auth_provider_t keychain_simple_provider = {
192 SVN_AUTH_CRED_SIMPLE,
193 keychain_simple_first_creds,
195 keychain_simple_save_creds
198 /* Get cached encrypted credentials from the ssl client cert password
201 keychain_ssl_client_cert_pw_first_creds(void **credentials,
203 void *provider_baton,
204 apr_hash_t *parameters,
205 const char *realmstring,
208 return svn_auth__ssl_client_cert_pw_cache_get(credentials,
209 iter_baton, provider_baton,
210 parameters, realmstring,
211 keychain_password_get,
212 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
216 /* Save encrypted credentials to the ssl client cert password provider's
219 keychain_ssl_client_cert_pw_save_creds(svn_boolean_t *saved,
221 void *provider_baton,
222 apr_hash_t *parameters,
223 const char *realmstring,
226 return svn_auth__ssl_client_cert_pw_cache_set(saved, credentials,
227 provider_baton, parameters,
229 keychain_password_set,
230 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
234 static const svn_auth_provider_t keychain_ssl_client_cert_pw_provider = {
235 SVN_AUTH_CRED_SSL_CLIENT_CERT_PW,
236 keychain_ssl_client_cert_pw_first_creds,
238 keychain_ssl_client_cert_pw_save_creds
244 svn_auth_get_keychain_simple_provider(svn_auth_provider_object_t **provider,
247 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
249 po->vtable = &keychain_simple_provider;
254 svn_auth_get_keychain_ssl_client_cert_pw_provider
255 (svn_auth_provider_object_t **provider,
258 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
260 po->vtable = &keychain_ssl_client_cert_pw_provider;
263 #endif /* SVN_HAVE_KEYCHAIN_SERVICES */