feat: switchable keychain

internal/app/base/base.go

@@ -51,6 +51,7 @@ import (
 	"github.com/ProtonMail/proton-bridge/internal/updater"
 	"github.com/ProtonMail/proton-bridge/internal/users/credentials"
 	"github.com/ProtonMail/proton-bridge/internal/versioner"
+	"github.com/ProtonMail/proton-bridge/pkg/keychain"
 	"github.com/ProtonMail/proton-bridge/pkg/listener"
 	"github.com/ProtonMail/proton-bridge/pkg/pmapi"
 	"github.com/ProtonMail/proton-bridge/pkg/sentry"
@@ -142,12 +143,12 @@ func New( // nolint[funlen]
 	listener := listener.New()
 	events.SetupEvents(listener)
 
-	// NOTE: If we can't load the credentials for whatever reason,
+	// If we can't load the keychain for whatever reason,
-	// do we really want to error out? Need to signal to frontend.
+	// we signal to frontend and supply a dummy keychain that always returns errors.
-	creds, err := credentials.NewStore(keychainName)
+	kc, err := keychain.NewKeychain(settingsObj, keychainName)
 	if err != nil {
-		logrus.WithError(err).Error("Could not get credentials store")
 		listener.Emit(events.CredentialsErrorEvent, err.Error())
+		kc = keychain.NewMissingKeychain()
 	}
 
 	jar, err := cookies.NewCookieJar(settingsObj)
@@ -158,7 +159,6 @@ func New( // nolint[funlen]
 	cm := pmapi.NewClientManager(pmapi.GetAPIConfig(configName, constants.Version))
 	cm.SetRoundTripper(pmapi.GetRoundTripper(cm, listener))
 	cm.SetCookieJar(jar)
-
 	sentryReporter.SetUserAgentProvider(cm)
 
 	key, err := crypto.NewKeyFromArmored(updater.DefaultPublicKey)
@@ -188,8 +188,6 @@ func New( // nolint[funlen]
 		runtime.GOOS,
 	)
 
-	tls := tls.New(settingsPath)
-
 	exe, err := os.Executable()
 	if err != nil {
 		return nil, err
@@ -208,12 +206,12 @@ func New( // nolint[funlen]
 		Lock:         lock,
 		Cache:        cache,
 		Listener:     listener,
-		Creds:        creds,
+		Creds:        credentials.NewStore(kc),
 		CM:           cm,
 		CookieJar:    jar,
 		Updater:      updater,
 		Versioner:    versioner,
-		TLS:          tls,
+		TLS:          tls.New(settingsPath),
 		Autostart:    autostart,
 
 		Name:  appName,

internal/config/settings/settings.go

@@ -42,6 +42,7 @@ const (
 	LastVersionKey         = "last_used_version"
 	UpdateChannelKey       = "update_channel"
 	RolloutKey             = "rollout"
+	PreferredKeychainKey   = "preferred_keychain"
 )
 
 type Settings struct {
@@ -78,6 +79,7 @@ func (s *Settings) setDefaultValues() {
 	s.setDefault(LastVersionKey, "")
 	s.setDefault(UpdateChannelKey, "")
 	s.setDefault(RolloutKey, fmt.Sprintf("%v", rand.Float64()))
+	s.setDefault(PreferredKeychainKey, "")
 
 	s.setDefault(APIPortKey, DefaultAPIPort)
 	s.setDefault(IMAPPortKey, DefaultIMAPPort)

internal/frontend/qt-common/accounts.go

@@ -137,7 +137,7 @@ func (a *Accounts) ClearKeychain() {
 	for _, user := range a.um.GetUsers() {
 		if err := a.um.DeleteUser(user.ID(), false); err != nil {
 			log.Error("While deleting user: ", err)
-			if err == keychain.ErrNoKeychainInstalled { // Probably not needed anymore.
+			if err == keychain.ErrNoKeychain { // Probably not needed anymore.
 				a.qml.NotifyHasNoKeychain()
 			}
 		}
@@ -249,7 +249,7 @@ func (a *Accounts) DeleteAccount(iAccount int, removePreferences bool) {
 	userID := a.Model.get(iAccount).UserID()
 	if err := a.um.DeleteUser(userID, removePreferences); err != nil {
 		log.Warn("deleteUser: cannot remove user: ", err)
-		if err == keychain.ErrNoKeychainInstalled {
+		if err == keychain.ErrNoKeychain {
 			a.qml.NotifyHasNoKeychain()
 			return
 		}

internal/frontend/qt/accounts.go

@@ -94,7 +94,7 @@ func (s *FrontendQt) clearKeychain() {
 	for _, user := range s.bridge.GetUsers() {
 		if err := s.bridge.DeleteUser(user.ID(), false); err != nil {
 			log.Error("While deleting user: ", err)
-			if err == keychain.ErrNoKeychainInstalled { // Probably not needed anymore.
+			if err == keychain.ErrNoKeychain { // Probably not needed anymore.
 				s.Qml.NotifyHasNoKeychain()
 			}
 		}
@@ -203,7 +203,7 @@ func (s *FrontendQt) deleteAccount(iAccount int, removePreferences bool) {
 	userID := s.Accounts.get(iAccount).UserID()
 	if err := s.bridge.DeleteUser(userID, removePreferences); err != nil {
 		log.Warn("deleteUser: cannot remove user: ", err)
-		if err == keychain.ErrNoKeychainInstalled {
+		if err == keychain.ErrNoKeychain {
 			s.Qml.NotifyHasNoKeychain()
 			return
 		}

internal/users/credentials/store.go

@@ -31,15 +31,12 @@ var storeLocker = sync.RWMutex{} //nolint[gochecknoglobals]
 
 // Store is an encrypted credentials store.
 type Store struct {
-	secrets *keychain.Access
+	secrets *keychain.Keychain
 }
 
 // NewStore creates a new encrypted credentials store.
-func NewStore(appName string) (*Store, error) {
+func NewStore(keychain *keychain.Keychain) *Store {
-	secrets, err := keychain.NewAccess(appName)
+	return &Store{secrets: keychain}
-	return &Store{
-		secrets: secrets,
-	}, err
 }
 
 func (s *Store) Add(userID, userName, apiToken, mailboxPassword string, emails []string) (creds *Credentials, err error) {
@@ -52,10 +49,6 @@ func (s *Store) Add(userID, userName, apiToken, mailboxPassword string, emails [
 		"emails":   emails,
 	}).Trace("Adding new credentials")
 
-	if err = s.checkKeychain(); err != nil {
-		return
-	}
-
 	creds = &Credentials{
 		UserID:          userID,
 		Name:            userName,
@@ -164,10 +157,6 @@ func (s *Store) List() (userIDs []string, err error) {
 
 	log.Trace("Listing credentials in credentials store")
 
-	if err = s.checkKeychain(); err != nil {
-		return
-	}
-
 	var allUserIDs []string
 	if allUserIDs, err = s.secrets.List(); err != nil {
 		log.WithError(err).Error("Could not list credentials")
@@ -242,11 +231,7 @@ func (s *Store) Get(userID string) (creds *Credentials, err error) {
 func (s *Store) get(userID string) (creds *Credentials, err error) {
 	log := log.WithField("user", userID)
 
-	if err = s.checkKeychain(); err != nil {
+	_, secret, err := s.secrets.Get(userID)
-		return
-	}
-
-	secret, err := s.secrets.Get(userID)
 	if err != nil {
 		log.WithError(err).Error("Could not get credentials from native keychain")
 		return
@@ -265,32 +250,15 @@ func (s *Store) get(userID string) (creds *Credentials, err error) {
 
 // saveCredentials encrypts and saves password to the keychain store.
 func (s *Store) saveCredentials(credentials *Credentials) (err error) {
-	if err = s.checkKeychain(); err != nil {
+	credentials.Version = keychain.Version
-		return
-	}
-
-	credentials.Version = keychain.KeychainVersion
 
 	return s.secrets.Put(credentials.UserID, credentials.Marshal())
 }
 
-func (s *Store) checkKeychain() (err error) {
-	if s.secrets == nil {
-		err = keychain.ErrNoKeychainInstalled
-		log.WithError(err).Error("Store is unusable")
-	}
-
-	return
-}
-
 // Delete removes credentials from the store.
 func (s *Store) Delete(userID string) (err error) {
 	storeLocker.Lock()
 	defer storeLocker.Unlock()
 
-	if err = s.checkKeychain(); err != nil {
-		return
-	}
-
 	return s.secrets.Delete(userID)
 }

pkg/keychain/helper_darwin.go

@@ -0,0 +1,145 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/keybase/go-keychain"
+)
+
+const (
+	MacOSKeychain = "macos-keychain"
+)
+
+func init() { // nolint[noinit]
+	Helpers = make(map[string]helper)
+
+	// MacOS always provides a keychain.
+	Helpers[MacOSKeychain] = newMacOSHelper
+}
+
+func newMacOSHelper(url string) (credentials.Helper, error) {
+	return &macOSHelper{url: url}, nil
+}
+
+type macOSHelper struct {
+	url string
+}
+
+func newQuery(service, account string) keychain.Item {
+	query := keychain.NewItem()
+	query.SetSecClass(keychain.SecClassGenericPassword)
+	query.SetService(service)
+	query.SetAccount(account)
+	return query
+}
+
+func (h *macOSHelper) Add(creds *credentials.Credentials) error {
+	secrets, err := h.List()
+	if err != nil {
+		return err
+	}
+
+	// Adding a secret that already exists results in an error so we first delete the secret.
+	if _, ok := secrets[creds.ServerURL]; ok {
+		if err := h.Delete(creds.ServerURL); err != nil {
+			return err
+		}
+	}
+
+	hostURL, userID, err := splitSecretURL(creds.ServerURL)
+	if err != nil {
+		return err
+	}
+
+	query := newQuery(hostURL, userID)
+	query.SetData([]byte(creds.Secret))
+	return keychain.AddItem(query)
+}
+
+func (h *macOSHelper) Delete(secretURL string) error {
+	hostURL, userID, err := splitSecretURL(secretURL)
+	if err != nil {
+		return err
+	}
+
+	query := newQuery(hostURL, userID)
+	if err := keychain.DeleteItem(query); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *macOSHelper) Get(secretURL string) (string, string, error) {
+	hostURL, userID, err := splitSecretURL(secretURL)
+	if err != nil {
+		return "", "", err
+	}
+
+	query := newQuery(hostURL, userID)
+	query.SetMatchLimit(keychain.MatchLimitOne)
+	query.SetReturnData(true)
+
+	results, err := keychain.QueryItem(query)
+	if err != nil {
+		return "", "", err
+	}
+
+	if len(results) != 1 {
+		return "", "", errors.New("ambiguous results")
+	}
+
+	return userID, string(results[0].Data), nil
+}
+
+func (h *macOSHelper) List() (map[string]string, error) {
+	userIDByURL := make(map[string]string)
+
+	userIDs, err := keychain.GetGenericPasswordAccounts(h.url)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, userID := range userIDs {
+		userIDByURL[h.secretURL(userID)] = userID
+	}
+
+	return userIDByURL, nil
+}
+
+// secretURL returns the URL referring to a userID's secrets.
+// NOTE: This is the same as the implementation in type `Keychain`.
+// I didn't want to make this type depend on `Keychain` but I also don't like duplicate methods...
+func (h *macOSHelper) secretURL(userID string) string {
+	return fmt.Sprintf("%v/%v", h.url, userID)
+}
+
+func splitSecretURL(secretURL string) (string, string, error) {
+	split := strings.Split(secretURL, "/")
+
+	if len(split) < 2 {
+		return "", "", errors.New("malformed secret")
+	}
+
+	return strings.Join(split[:len(split)-1], "/"), split[len(split)-1], nil
+}

pkg/keychain/helper_linux.go

@@ -0,0 +1,51 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+package keychain
+
+import (
+	"os/exec"
+
+	"github.com/docker/docker-credential-helpers/credentials"
+	"github.com/docker/docker-credential-helpers/pass"
+	"github.com/docker/docker-credential-helpers/secretservice"
+)
+
+const (
+	Pass         = "pass-app"
+	GnomeKeyring = "gnome-keyring"
+)
+
+func init() { // nolint[noinit]
+	Helpers = make(map[string]helper)
+
+	if _, err := exec.LookPath("pass"); err == nil {
+		Helpers[Pass] = newPassHelper
+	}
+
+	if _, err := exec.LookPath("gnome-keyring"); err == nil {
+		Helpers[GnomeKeyring] = newGnomeKeyringHelper
+	}
+}
+
+func newPassHelper(string) (credentials.Helper, error) {
+	return &pass.Pass{}, nil
+}
+
+func newGnomeKeyringHelper(string) (credentials.Helper, error) {
+	return &secretservice.Secretservice{}, nil
+}

pkg/keychain/helper_windows.go

@@ -22,19 +22,15 @@ import (
 	"github.com/docker/docker-credential-helpers/wincred"
 )
 
-func newKeychain() (credentials.Helper, error) {
+const WindowsCredentials = "windows-credentials"
-	log.Debug("Creating wincred")
+
+func init() { // nolint[noinit]
+	Helpers = make(map[string]helper)
+
+	// Windows always provides a keychain.
+	Helpers[WindowsCredentials] = newWinCredHelper
+}
+
+func newWinCredHelper(string) (credentials.Helper, error) {
 	return &wincred.Wincred{}, nil
 }
-
-func (s *Access) KeychainName(userID string) string {
-	return s.KeychainURL + "/" + userID
-}
-
-func (s *Access) KeychainOldName(userID string) string {
-	return s.KeychainOldURL + "/" + userID
-}
-
-func (s *Access) ListKeychain() (map[string]string, error) {
-	return s.helper.List()
-}

pkg/keychain/keychain.go

@@ -20,112 +20,114 @@ package keychain
 
 import (
 	"errors"
-	"strings"
+	"fmt"
+	"reflect"
 	"sync"
 
+	"github.com/ProtonMail/proton-bridge/internal/config/settings"
 	"github.com/docker/docker-credential-helpers/credentials"
-	"github.com/sirupsen/logrus"
 )
 
-const (
+// helper constructs a keychain helper.
-	KeychainVersion = "k11" //nolint[golint]
+type helper func(string) (credentials.Helper, error)
-)
+
+// Version is the keychain data version.
+const Version = "k11"
 
 var (
-	log = logrus.WithField("pkg", "bridgeUtils/keychain") //nolint[gochecknoglobals]
+	// ErrNoKeychain indicates that no suitable keychain implementation could be loaded.
+	ErrNoKeychain = errors.New("no keychain") // nolint[noglobals]
 
-	ErrWrongKeychainURL    = errors.New("wrong keychain base URL")
+	// Helpers holds all discovered keychain helpers. It is populated in init().
-	ErrMacKeychainRebuild  = errors.New("keychain error -25293")
+	Helpers map[string]helper // nolint[noglobals]
-	ErrMacKeychainList     = errors.New("function `osxkeychain.List()` is not valid function for mac keychain. Use `Access.ListKeychain()` instead")
-	ErrNoKeychainInstalled = errors.New("no keychain management installed on this system")
-	accessLocker           = &sync.Mutex{} //nolint[gochecknoglobals]
 )
 
-// NewAccess creates a new native keychain.
+// NewKeychain creates a new native keychain.
-func NewAccess(appName string) (*Access, error) {
+func NewKeychain(s *settings.Settings, keychainName string) (*Keychain, error) {
-	newHelper, err := newKeychain()
+	// There must be at least one keychain helper available.
+	if len(Helpers) < 1 {
+		return nil, ErrNoKeychain
+	}
+
+	// hostURL uniquely identifies the app's keychain items within the system keychain.
+	hostURL := fmt.Sprintf("protonmail/%v/users", keychainName)
+
+	// If the preferred keychain is unsupported, set a default one.
+	if _, ok := Helpers[s.Get(settings.PreferredKeychainKey)]; !ok {
+		s.Set(settings.PreferredKeychainKey, reflect.ValueOf(Helpers).MapKeys()[0].Interface().(string))
+	}
+
+	// Load the user's preferred keychain helper.
+	helper, err := Helpers[s.Get(settings.PreferredKeychainKey)](hostURL)
 	if err != nil {
 		return nil, err
 	}
-	return &Access{
+
-		helper:            newHelper,
+	return newKeychain(helper, hostURL), nil
-		KeychainURL:       "protonmail/" + appName + "/users",
-		KeychainOldURL:    "protonmail/users",
-		KeychainMacURL:    "ProtonMail" + strings.Title(appName) + "Service",
-		KeychainOldMacURL: "ProtonMailService",
-	}, nil
 }
 
-type Access struct {
+func newKeychain(helper credentials.Helper, url string) *Keychain {
+	return &Keychain{
+		helper: helper,
+		url:    url,
+		locker: &sync.Mutex{},
+	}
+}
+
+type Keychain struct {
 	helper credentials.Helper
-	KeychainURL,
+	url    string
-	KeychainOldURL,
+	locker sync.Locker
-	KeychainMacURL,
-	KeychainOldMacURL string
 }
 
-func (s *Access) List() (userIDs []string, err error) {
+func (kc *Keychain) List() ([]string, error) {
-	accessLocker.Lock()
+	kc.locker.Lock()
-	defer accessLocker.Unlock()
+	defer kc.locker.Unlock()
-
-	var userIDByURL map[string]string
-	userIDByURL, err = s.ListKeychain()
 
+	userIDsByURL, err := kc.helper.List()
 	if err != nil {
-		return
+		return nil, err
+	}
+
+	var userIDs []string // nolint[prealloc]
+
+	for url, userID := range userIDsByURL {
+		if url != kc.secretURL(userID) {
+			continue
 		}
 
-	for itemURL, userID := range userIDByURL {
-		if itemURL == s.KeychainName(userID) {
 		userIDs = append(userIDs, userID)
 	}
 
-		// Clean up old keychain name.
+	return userIDs, nil
-		if itemURL == s.KeychainOldName(userID) {
-			_ = s.helper.Delete(s.KeychainOldName(userID))
-		}
 }
 
-	return
+func (kc *Keychain) Delete(userID string) (err error) {
+	kc.locker.Lock()
+	defer kc.locker.Unlock()
+
+	return kc.helper.Delete(kc.secretURL(userID))
 }
 
-func (s *Access) Delete(userID string) (err error) {
+func (kc *Keychain) Get(userID string) (string, string, error) {
-	accessLocker.Lock()
+	kc.locker.Lock()
-	defer accessLocker.Unlock()
+	defer kc.locker.Unlock()
-	return s.helper.Delete(s.KeychainName(userID))
+
+	return kc.helper.Get(kc.secretURL(userID))
 }
 
-func (s *Access) Get(userID string) (secret string, err error) {
+func (kc *Keychain) Put(userID, secret string) error {
-	accessLocker.Lock()
+	kc.locker.Lock()
-	defer accessLocker.Unlock()
+	defer kc.locker.Unlock()
-	_, secret, err = s.helper.Get(s.KeychainName(userID))
-	return
-}
 
-func (s *Access) Put(userID, secret string) error {
+	return kc.helper.Add(&credentials.Credentials{
-	accessLocker.Lock()
+		ServerURL: kc.secretURL(userID),
-	defer accessLocker.Unlock()
-
-	// On macOS, adding a credential that already exists does not update it and returns an error.
-	// So let's remove it first.
-	_ = s.helper.Delete(s.KeychainName(userID))
-
-	cred := &credentials.Credentials{
-		ServerURL: s.KeychainName(userID),
 		Username:  userID,
 		Secret:    secret,
+	})
 }
 
-	return s.helper.Add(cred)
+// secretURL returns the URL referring to a userID's secrets.
-}
+func (kc *Keychain) secretURL(userID string) string {
-
+	return fmt.Sprintf("%v/%v", kc.url, userID)
-func splitServiceAndID(keychainName string) (serviceName string, userID string, err error) { //nolint[unused]
-	splitted := strings.FieldsFunc(keychainName, func(c rune) bool { return c == '/' })
-	n := len(splitted)
-	if n <= 1 {
-		return "", "", ErrWrongKeychainURL
-	}
-	userID = splitted[len(splitted)-1]
-	serviceName = strings.Join(splitted[:len(splitted)-1], "/")
-	return
 }

pkg/keychain/keychain_darwin.go

@@ -1,140 +0,0 @@
-// Copyright (c) 2021 Proton Technologies AG
-//
-// This file is part of ProtonMail Bridge.
-//
-// ProtonMail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// ProtonMail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
-
-package keychain
-
-import (
-	"strings"
-
-	"github.com/docker/docker-credential-helpers/credentials"
-	mackeychain "github.com/keybase/go-keychain"
-)
-
-func (s *Access) KeychainName(userID string) string {
-	return s.KeychainMacURL + "/" + userID
-}
-
-func (s *Access) KeychainOldName(userID string) string {
-	return s.KeychainOldMacURL + "/" + userID
-}
-
-type osxkeychain struct {
-}
-
-func newKeychain() (credentials.Helper, error) {
-	log.Debug("Creating osckeychain")
-	return &osxkeychain{}, nil
-}
-
-func newQuery(serviceName, username string) mackeychain.Item {
-	query := mackeychain.NewItem()
-	query.SetSecClass(mackeychain.SecClassGenericPassword)
-	query.SetService(serviceName)
-	query.SetAccount(username)
-	return query
-}
-
-func parseError(original error) error {
-	if original != nil && strings.Contains(original.Error(), "25293") {
-		return ErrMacKeychainRebuild
-	}
-	return original
-}
-
-// Add appends credentials to the store (assuming old record with same ID is already deleted).
-func (s *osxkeychain) Add(cred *credentials.Credentials) error {
-	serviceName, userID, err := splitServiceAndID(cred.ServerURL)
-	if err != nil {
-		return err
-	}
-
-	query := newQuery(serviceName, userID)
-	query.SetData([]byte(cred.Secret))
-	err = mackeychain.AddItem(query)
-	return parseError(err)
-}
-
-// Delete removes credentials from the store.
-func (s *osxkeychain) Delete(serverURL string) error {
-	serviceName, userID, err := splitServiceAndID(serverURL)
-	if err != nil {
-		return err
-	}
-
-	query := newQuery(serviceName, userID)
-	err = mackeychain.DeleteItem(query)
-	if err != nil && !strings.Contains(err.Error(), "25300") { // Missing item is not error.
-		return err
-	}
-	return nil
-}
-
-// Get retrieves credentials from the store.
-// It returns username and secret as strings.
-func (s *osxkeychain) Get(serverURL string) (userID string, secret string, err error) {
-	serviceName, userID, err := splitServiceAndID(serverURL)
-	if err != nil {
-		return
-	}
-
-	query := newQuery(serviceName, userID)
-	query.SetMatchLimit(mackeychain.MatchLimitOne)
-	query.SetReturnData(true)
-	results, err := mackeychain.QueryItem(query)
-	if err != nil {
-		return "", "", parseError(err)
-	}
-
-	if len(results) == 1 {
-		secret = string(results[0].Data)
-	}
-
-	return
-}
-
-// ListKeychain lists items in our services.
-func (s *Access) ListKeychain() (userIDByURL map[string]string, err error) {
-	// Pick up correct service name and trim '/'.
-	serviceName, _, err := splitServiceAndID(s.KeychainOldName("not-id"))
-	if err != nil {
-		return
-	}
-
-	userIDByURL = make(map[string]string)
-
-	if oldIDs, err := mackeychain.GetGenericPasswordAccounts(serviceName); err == nil {
-		for _, userIDold := range oldIDs {
-			userIDByURL[s.KeychainOldName(userIDold)] = userIDold
-		}
-	}
-
-	serviceName, _, _ = splitServiceAndID(s.KeychainName("not-id"))
-	if userIDs, err := mackeychain.GetGenericPasswordAccounts(serviceName); err == nil {
-		for _, userID := range userIDs {
-			userIDByURL[s.KeychainName(userID)] = userID
-		}
-	}
-
-	return
-}
-
-// List returns the stored serverURLs and their associated usernames.
-// NOTE: This is not valid for go-keychain. Use ListKeychain instead.
-func (s *osxkeychain) List() (userIDByURL map[string]string, err error) {
-	err = ErrMacKeychainList
-	return
-}

pkg/keychain/keychain_default.go

@@ -0,0 +1,48 @@
+// Copyright (c) 2021 Proton Technologies AG
+//
+// This file is part of ProtonMail Bridge.
+//
+// ProtonMail Bridge is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// ProtonMail Bridge is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
+
+// Package keychain implements a native secure password store for each platform.
+package keychain
+
+import (
+	"github.com/docker/docker-credential-helpers/credentials"
+)
+
+// NewMissingKeychain returns a new keychain that always returns an error.
+func NewMissingKeychain() *Keychain {
+	return newKeychain(&missingHelper{}, "")
+}
+
+// missingHelper is a helper which is used when no other helper is available.
+// It always returns ErrNoKeychain.
+type missingHelper struct{}
+
+func (h *missingHelper) Add(*credentials.Credentials) error {
+	return ErrNoKeychain
+}
+
+func (h *missingHelper) Delete(string) error {
+	return ErrNoKeychain
+}
+
+func (h *missingHelper) Get(string) (string, string, error) {
+	return "", "", ErrNoKeychain
+}
+
+func (h *missingHelper) List() (map[string]string, error) {
+	return nil, ErrNoKeychain
+}

pkg/keychain/keychain_linux.go

@@ -1,73 +0,0 @@
-// Copyright (c) 2021 Proton Technologies AG
-//
-// This file is part of ProtonMail Bridge.
-//
-// ProtonMail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// ProtonMail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
-
-package keychain
-
-import (
-	"github.com/docker/docker-credential-helpers/credentials"
-	"github.com/docker/docker-credential-helpers/pass"
-	"github.com/docker/docker-credential-helpers/secretservice"
-)
-
-func newKeychain() (credentials.Helper, error) {
-	log.Debug("Creating pass")
-	passHelper := &pass.Pass{}
-	passErr := checkPassIsUsable(passHelper)
-	if passErr == nil {
-		return passHelper, nil
-	}
-
-	log.Debug("Creating secretservice")
-	sserviceHelper := &secretservice.Secretservice{}
-	_, sserviceErr := sserviceHelper.List()
-	if sserviceErr == nil {
-		return sserviceHelper, nil
-	}
-
-	log.Error("No keychain! Pass: ", passErr, ", secretService: ", sserviceErr)
-	return nil, ErrNoKeychainInstalled
-}
-
-func checkPassIsUsable(passHelper *pass.Pass) (err error) {
-	creds := &credentials.Credentials{
-		ServerURL: "initCheck/pass",
-		Username:  "pass",
-		Secret:    "pass",
-	}
-
-	if err = passHelper.Add(creds); err != nil {
-		return
-	}
-	// Pass is not asked about unlock until you try to decrypt.
-	if _, _, err = passHelper.Get(creds.ServerURL); err != nil {
-		return
-	}
-	_ = passHelper.Delete(creds.ServerURL) // Doesn't matter if you are able to clear.
-	return
-}
-
-func (s *Access) KeychainName(userID string) string {
-	return s.KeychainURL + "/" + userID
-}
-
-func (s *Access) KeychainOldName(userID string) string {
-	return s.KeychainOldURL + "/" + userID
-}
-
-func (s *Access) ListKeychain() (map[string]string, error) {
-	return s.helper.List()
-}

pkg/keychain/keychain_test.go

@@ -1,152 +0,0 @@
-// Copyright (c) 2021 Proton Technologies AG
-//
-// This file is part of ProtonMail Bridge.
-//
-// ProtonMail Bridge is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// ProtonMail Bridge is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with ProtonMail Bridge.  If not, see <https://www.gnu.org/licenses/>.
-
-package keychain
-
-import (
-	"encoding/base64"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-var suffix = []byte("\x00avoidFix\x00\x00\x00\x00\x00\x00\x00") //nolint[gochecknoglobals]
-
-var testData = map[string]string{ //nolint[gochecknoglobals]
-	"user1": base64.StdEncoding.EncodeToString(append([]byte("data1"), suffix...)),
-	"user2": base64.StdEncoding.EncodeToString(append([]byte("data2"), suffix...)),
-}
-
-func TestSplitServiceAndID(t *testing.T) {
-	acc, err := NewAccess("bridge")
-	require.NoError(t, err)
-	expectedUserID := "user"
-
-	acc.KeychainURL = "Something/With/Several/Slashes/"
-	acc.KeychainMacURL = acc.KeychainURL
-	expectedServiceName := acc.KeychainURL
-	serviceName, userID, err := splitServiceAndID(acc.KeychainName(expectedUserID))
-	require.NoError(t, err)
-	require.Equal(t, expectedUserID, userID)
-	require.Equal(t, expectedServiceName, serviceName+"/")
-
-	acc.KeychainURL = "SomethingWithoutSlash"
-	acc.KeychainMacURL = acc.KeychainURL
-	expectedServiceName = acc.KeychainURL
-	serviceName, userID, err = splitServiceAndID(acc.KeychainName(expectedUserID))
-	require.NoError(t, err)
-	require.Equal(t, expectedUserID, userID)
-	require.Equal(t, expectedServiceName, serviceName)
-}
-
-func TestInsertReadRemove(t *testing.T) { // nolint[funlen]
-	if testing.Short() {
-		t.Skip("skipping test in short mode.")
-	}
-
-	access, err := NewAccess("bridge")
-	require.NoError(t, err)
-	access.KeychainURL = "protonmail/testchain/users"
-	access.KeychainMacURL = "ProtonMailTestChainService"
-
-	// Clear before test.
-	for id := range testData {
-		// Keychain can be empty.
-		_ = access.Delete(id)
-	}
-
-	for id, secret := range testData {
-		expectedList, _ := access.List()
-		// Add expected secrets.
-		expectedSecret := secret
-		require.NoError(t, access.Put(id, expectedSecret))
-
-		// Check list.
-		actualList, err := access.List()
-		require.NoError(t, err)
-		expectedList = append(expectedList, id)
-		require.ElementsMatch(t, expectedList, actualList)
-
-		// Get and check what was inserted.
-		actualSecret, err := access.Get(id)
-		require.NoError(t, err)
-		require.Equal(t, expectedSecret, actualSecret)
-
-		// Put what changed.
-
-		expectedSecret = "edited_" + id
-		expectedSecret = base64.StdEncoding.EncodeToString(append([]byte(expectedSecret), suffix...))
-
-		nJobs := 100
-		nWorkers := 3
-		jobs := make(chan interface{}, nJobs)
-		done := make(chan interface{})
-		for i := 0; i < nWorkers; i++ {
-			go func() {
-				for {
-					_, more := <-jobs
-					if more {
-						require.NoError(t, access.Put(id, expectedSecret))
-					} else {
-						done <- nil
-						return
-					}
-				}
-			}()
-		}
-
-		for i := 0; i < nJobs; i++ {
-			jobs <- nil
-		}
-		close(jobs)
-		for i := 0; i < nWorkers; i++ {
-			<-done
-		}
-
-		// Check list.
-		actualList, err = access.List()
-		require.NoError(t, err)
-		require.ElementsMatch(t, expectedList, actualList)
-
-		// Get and check what changed.
-		actualSecret, err = access.Get(id)
-		require.NoError(t, err)
-		require.Equal(t, expectedSecret, actualSecret)
-
-		if id != "user1" {
-			// Remove.
-			err = access.Delete(id)
-			require.NoError(t, err)
-
-			// Check removed.
-			actualList, err = access.List()
-			require.NoError(t, err)
-			expectedList = expectedList[:len(expectedList)-1]
-			require.ElementsMatch(t, expectedList, actualList)
-		}
-	}
-
-	// Clear first.
-	err = access.Delete("user1")
-	require.NoError(t, err)
-
-	actualList, err := access.List()
-	require.NoError(t, err)
-	for id := range testData {
-		require.NotContains(t, actualList, id)
-	}
-}