2 * macos_keychain.c: Mac OS keychain providers for SVN_AUTH_*
4 * ====================================================================
5 * Licensed to the Apache Software Foundation (ASF) under one
6 * or more contributor license agreements. See the NOTICE file
7 * distributed with this work for additional information
8 * regarding copyright ownership. The ASF licenses this file
9 * to you under the Apache License, Version 2.0 (the
10 * "License"); you may not use this file except in compliance
11 * with the License. You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing,
16 * software distributed under the License is distributed on an
17 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
18 * KIND, either express or implied. See the License for the
19 * specific language governing permissions and limitations
21 * ====================================================================
24 /* ==================================================================== */
28 #include <apr_pools.h>
30 #include "svn_error.h"
32 #include "svn_config.h"
36 #include "private/svn_auth_private.h"
38 #include "svn_private_config.h"
40 #ifdef SVN_HAVE_KEYCHAIN_SERVICES
42 #include <Security/Security.h>
44 /*-----------------------------------------------------------------------*/
45 /* keychain simple provider, puts passwords in the KeyChain */
46 /*-----------------------------------------------------------------------*/
49 * XXX (2005-12-07): If no GUI is available (e.g. over a SSH session),
50 * you won't be prompted for credentials with which to unlock your
51 * keychain. Apple recognizes lack of TTY prompting as a known
55 * XXX (2005-12-07): SecKeychainSetUserInteractionAllowed(FALSE) does
56 * not appear to actually prevent all user interaction. Specifically,
57 * if the executable changes (for example, if it is rebuilt), the
58 * system prompts the user to okay the use of the new executable.
60 * Worse than that, the interactivity setting is global per app (not
61 * process/thread), meaning that there is a race condition in the
62 * implementation below between calls to
63 * SecKeychainSetUserInteractionAllowed() when multiple instances of
64 * the same Subversion auth provider-based app run concurrently.
67 /* Implementation of svn_auth__password_set_t that stores
68 the password in the OS X KeyChain. */
70 keychain_password_set(svn_boolean_t *done,
72 const char *realmstring,
75 apr_hash_t *parameters,
76 svn_boolean_t non_interactive,
80 SecKeychainItemRef item;
83 SecKeychainSetUserInteractionAllowed(FALSE);
85 status = SecKeychainFindGenericPassword(NULL, (int) strlen(realmstring),
86 realmstring, username == NULL
88 : (int) strlen(username),
89 username, 0, NULL, &item);
92 if (status == errSecItemNotFound)
93 status = SecKeychainAddGenericPassword(NULL, (int) strlen(realmstring),
94 realmstring, username == NULL
96 : (int) strlen(username),
97 username, (int) strlen(password),
102 status = SecKeychainItemModifyAttributesAndData(item, NULL,
103 (int) strlen(password),
109 SecKeychainSetUserInteractionAllowed(TRUE);
111 *done = (status == 0);
116 /* Implementation of svn_auth__password_get_t that retrieves
117 the password from the OS X KeyChain. */
119 keychain_password_get(svn_boolean_t *done,
120 const char **password,
122 const char *realmstring,
123 const char *username,
124 apr_hash_t *parameters,
125 svn_boolean_t non_interactive,
135 SecKeychainSetUserInteractionAllowed(FALSE);
137 status = SecKeychainFindGenericPassword(NULL, (int) strlen(realmstring),
138 realmstring, username == NULL
140 : (int) strlen(username),
141 username, &length, &data, NULL);
144 SecKeychainSetUserInteractionAllowed(TRUE);
149 *password = apr_pstrmemdup(pool, data, length);
150 SecKeychainItemFreeContent(NULL, data);
155 /* Get cached encrypted credentials from the simple provider's cache. */
157 keychain_simple_first_creds(void **credentials,
159 void *provider_baton,
160 apr_hash_t *parameters,
161 const char *realmstring,
164 return svn_auth__simple_creds_cache_get(credentials,
169 keychain_password_get,
170 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
174 /* Save encrypted credentials to the simple provider's cache. */
176 keychain_simple_save_creds(svn_boolean_t *saved,
178 void *provider_baton,
179 apr_hash_t *parameters,
180 const char *realmstring,
183 return svn_auth__simple_creds_cache_set(saved, credentials,
187 keychain_password_set,
188 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
192 static const svn_auth_provider_t keychain_simple_provider = {
193 SVN_AUTH_CRED_SIMPLE,
194 keychain_simple_first_creds,
196 keychain_simple_save_creds
199 /* Get cached encrypted credentials from the ssl client cert password
202 keychain_ssl_client_cert_pw_first_creds(void **credentials,
204 void *provider_baton,
205 apr_hash_t *parameters,
206 const char *realmstring,
209 return svn_auth__ssl_client_cert_pw_cache_get(credentials,
210 iter_baton, provider_baton,
211 parameters, realmstring,
212 keychain_password_get,
213 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
217 /* Save encrypted credentials to the ssl client cert password provider's
220 keychain_ssl_client_cert_pw_save_creds(svn_boolean_t *saved,
222 void *provider_baton,
223 apr_hash_t *parameters,
224 const char *realmstring,
227 return svn_auth__ssl_client_cert_pw_cache_set(saved, credentials,
228 provider_baton, parameters,
230 keychain_password_set,
231 SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
235 static const svn_auth_provider_t keychain_ssl_client_cert_pw_provider = {
236 SVN_AUTH_CRED_SSL_CLIENT_CERT_PW,
237 keychain_ssl_client_cert_pw_first_creds,
239 keychain_ssl_client_cert_pw_save_creds
245 svn_auth__get_keychain_simple_provider(svn_auth_provider_object_t **provider,
248 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
250 po->vtable = &keychain_simple_provider;
255 svn_auth__get_keychain_ssl_client_cert_pw_provider
256 (svn_auth_provider_object_t **provider,
259 svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
261 po->vtable = &keychain_ssl_client_cert_pw_provider;
264 #endif /* SVN_HAVE_KEYCHAIN_SERVICES */