Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

switch keychain Set() to update existing items instead of delete/add #43

Merged
merged 1 commit into from
Jul 4, 2019

Conversation

joemiller
Copy link
Contributor

This switches the macos keychain's Set() implementation to use the go-keychain UpdateItem() API instead of doing a delete/re-add of the item.

Practically speaking this does not have much current impact to the library itself because it is not possible to retrieve this metadata through the current API, however, it sets the stage for improved metadata visibility like that being worked on in #29

example:

key                                      Created             LastModified
---------------------------------------- ------------------- -------------------
foo                                      2019-05-29 07:09:47 2019-05-29 07:27:21

@joemiller joemiller force-pushed the update-keychain-items branch from e5c490c to 5ccc1cd Compare May 29, 2019 15:08
@joemiller joemiller force-pushed the update-keychain-items branch from 5ccc1cd to 31bda6d Compare May 29, 2019 15:10
}

debugf("Adding item again")
return gokeychain.AddItem(kcItem)
// Don't call SetAccess() as this will cause multiple prompts on update, even when we are not updating the AccessList
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We nil out the ACL here before calling update. If we don't do this, macOS will prompt a number of times and say incorrectly that we are changing ownership and changing ACLs even if the access list is identical to the currently stored item.

@lox
Copy link
Collaborator

lox commented May 30, 2019

This seems like a super sensible idea! I wonder why we didn't do this initially? 🤔 I dimly recall there was a reason we deleted and re-added, I'll see if I can figure out what it was and if it's still relevant.

@joemiller
Copy link
Contributor Author

@lox It might be due to the inclusion of an accesslist in the UpdateItem call. It seems to cause macos-keychain to throw several prompts with text such as "the wants to change ownership of an item" and "the wants to change permissions of an item". This occurs even if the accesslist is identical to previous calls to Set(). To avoid this we need to call UpdateItem without an accesslist attached.

So with the code as-is, I think there is a tradeoff. You wouldn't be able to change the ACL on subsequent Set() calls after an item is initially created. You would need to remove and re-add in that case. I had a look at some of apple's docs and the keybase/go-keychain lib and I don't think there is a way to query for the ACL implemented in the go-keychain lib right now. It does not look like we get ACLs returned with QueryItem(). I think apple has separate calls to query item ACLs.

Still thinking about this a bit, but some ideas so far:

  1. look into extending keybase/keychain lib to support reading ACLs from Items, then update Set() api in this lib to first check the item's existing ACL before deciding whether to call UpdateItem() with or without an ACL attached.
  2. Extend the API in this lib to include additional funcs.. maybe Update() that only updates content but not ACL. That might be confusing with Set() though.

@lox
Copy link
Collaborator

lox commented Jun 7, 2019

So with the code as-is, I think there is a tradeoff. You wouldn't be able to change the ACL on subsequent Set() calls after an item is initially created.

Have you tried this change with aws-vault to see if it has any impact?

@joemiller
Copy link
Contributor Author

joemiller commented Jun 7, 2019 via email

@lox
Copy link
Collaborator

lox commented Jun 7, 2019

Ah, gotcha! I'll check it out then. Apologies, I assumed. I forget there are a lots of folks that use this dependency outside of aws-vault. That was after all why we decided to extract it 😅

@joemiller
Copy link
Contributor Author

joemiller commented Jun 9, 2019 via email

@mtibben
Copy link
Member

mtibben commented Jul 4, 2019

I've tested this with aws-vault and setting is working as expected with new and existing keychain items

@mtibben mtibben merged commit d7447af into 99designs:master Jul 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants