Mac OS FIS: use Firebase App ID as a suffix to Keychain service name …

…Mac OS (#5603) * FIS: use bundle ID as a prefix to Keychain service name on Mac OS * Remove "storage" from var name * Run ./scripts/style.sh * Use Firebase App ID as a suffix to Keychain service name on Mac OS
firebase · May 15, 2020 · de3b856 · de3b856
1 parent 39fb03c
commit de3b856
Showing 1 changed file with 24 additions and 3 deletions.
diff --git a/...baseInstallations/Source/Library/InstallationsIDController/FIRInstallationsIDController.m b/...baseInstallations/Source/Library/InstallationsIDController/FIRInstallationsIDController.m
@@ -44,6 +44,8 @@
 
 NSTimeInterval const kFIRInstallationsTokenExpirationThreshold = 60 * 60;  // 1 hour.
 
+static NSString *const kKeychainService = @"com.firebase.FIRInstallations.installations";
+
 @interface FIRInstallationsIDController ()
 @property(nonatomic, readonly) NSString *appID;
 @property(nonatomic, readonly) NSString *appName;
@@ -71,9 +73,9 @@ - (instancetype)initWithGoogleAppID:(NSString *)appID
                              APIKey:(NSString *)APIKey
                           projectID:(NSString *)projectID
                         GCMSenderID:(NSString *)GCMSenderID
-                        accessGroup:(NSString *)accessGroup {
-  GULKeychainStorage *secureStorage =
-      [[GULKeychainStorage alloc] initWithService:@"com.firebase.FIRInstallations.installations"];
+                        accessGroup:(nullable NSString *)accessGroup {
+  NSString *serviceName = [FIRInstallationsIDController keychainServiceWithAppID:appID];
+  GULKeychainStorage *secureStorage = [[GULKeychainStorage alloc] initWithService:serviceName];
   FIRInstallationsStore *installationsStore =
       [[FIRInstallationsStore alloc] initWithSecureStorage:secureStorage accessGroup:accessGroup];
 
@@ -456,4 +458,23 @@ - (BOOL)isDefaultApp {
   return [self.appName isEqualToString:kFIRDefaultAppName];
 }
 
+#pragma mark - Keychain
+
++ (NSString *)keychainServiceWithAppID:(NSString *)appID {
+#if TARGET_OS_MACCATALYST || TARGET_OS_OSX
+  // We need to keep service name unique per application on macOS.
+  // Applications on macOS may request access to Keychain items stored by other applications. It
+  // means that when the app looks up for a relevant Keychain item in the service scope it will
+  // request user password to grant access to the Keychain if there are other Keychain items from
+  // other applications stored under the same Keychain Service.
+  return [kKeychainService stringByAppendingFormat:@".%@", appID];
+#else
+  // Use a constant Keychain service for non-macOS because:
+  // 1. Keychain items cannot be shared between apps until configured specifically so the service
+  // name collisions are not a concern
+  // 2. We don't want to change the service name to avoid doing a migration.
+  return kKeychainService;
+#endif
+}
+
 @end