New secret service KeychainAccess (#125)

Also deprecate GnomeKeyringKeychainAccess, KDEWalletKeychainAccess 

---------

Co-authored-by: Armin Schrenk <armin.schrenk@skymatic.de>

Author: purejava

pom.xml

@@ -44,6 +44,7 @@
 		<jackson.version>2.20.1</jackson.version>
 		<secret-service.version>2.0.1-alpha</secret-service.version>
 		<kdewallet.version>1.4.0</kdewallet.version>
+		<secret-service-02.version>1.1.0</secret-service-02.version>
 		<flatpakupdateportal.version>1.1.1</flatpakupdateportal.version>
 		<appindicator.version>1.4.2</appindicator.version>
 
@@ -103,6 +104,11 @@
 			<artifactId>kdewallet</artifactId>
 			<version>${kdewallet.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.purejava</groupId>
+			<artifactId>secret-service</artifactId>
+			<version>${secret-service-02.version}</version>
+		</dependency>
 		<!-- Java bindings for appindicator -->
 		<dependency>
 			<groupId>org.purejava</groupId>

src/main/java/module-info.java

@@ -7,6 +7,7 @@
 import org.cryptomator.linux.autostart.FreedesktopAutoStartService;
 import org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess;
 import org.cryptomator.linux.keychain.KDEWalletKeychainAccess;
+import org.cryptomator.linux.keychain.SecretServiceKeychainAccess;
 import org.cryptomator.linux.quickaccess.DolphinPlaces;
 import org.cryptomator.linux.quickaccess.NautilusBookmarks;
 import org.cryptomator.linux.revealpath.DBusSendRevealPathService;
@@ -21,12 +22,13 @@
 	requires org.purejava.kwallet;
 	requires org.purejava.portal;
 	requires de.swiesend.secretservice;
+	requires org.purejava.secret;
 	requires java.xml;
 	requires java.net.http;
 	requires com.fasterxml.jackson.databind;
 
 	provides AutoStartProvider with FreedesktopAutoStartService;
-	provides KeychainAccessProvider with GnomeKeyringKeychainAccess, KDEWalletKeychainAccess;
+	provides KeychainAccessProvider with SecretServiceKeychainAccess, GnomeKeyringKeychainAccess, KDEWalletKeychainAccess;
 	provides RevealPathService with DBusSendRevealPathService;
 	provides TrayMenuController with AppindicatorTrayMenuController;
 	provides QuickAccessService with NautilusBookmarks, DolphinPlaces;

src/main/java/org/cryptomator/linux/keychain/GnomeKeyringKeychainAccess.java

@@ -13,9 +13,13 @@
 import java.util.List;
 import java.util.Map;
 
+/**
+ * @deprecated Cryptomator has Secret Service as the successor of KDE Wallet and GNOME keyring as a keychain backend since version 1.19.0
+ */
 @Priority(900)
 @OperatingSystem(OperatingSystem.Value.LINUX)
 @DisplayName("GNOME Keyring")
+@Deprecated(since = "1.7.0")
 public class GnomeKeyringKeychainAccess implements KeychainAccessProvider {
 
 	private static final Logger LOG = LoggerFactory.getLogger(GnomeKeyringKeychainAccess.class);

src/main/java/org/cryptomator/linux/keychain/KDEWalletKeychainAccess.java

@@ -19,9 +19,13 @@
 
 import java.util.Optional;
 
+/**
+ * @deprecated Cryptomator has Secret Service as the successor of KDE Wallet and GNOME keyring as a keychain backend since version 1.19.0
+ */
 @Priority(900)
 @OperatingSystem(OperatingSystem.Value.LINUX)
 @DisplayName("KDE Wallet")
+@Deprecated(since = "1.7.0")
 public class KDEWalletKeychainAccess implements KeychainAccessProvider {
 
 	private static final Logger LOG = LoggerFactory.getLogger(KDEWalletKeychainAccess.class);
@@ -193,3 +197,4 @@ private boolean walletIsOpen() throws KeychainAccessException {
 
 	}
 }
+

src/main/java/org/cryptomator/linux/keychain/SecretServiceKeychainAccess.java

@@ -0,0 +1,169 @@
+package org.cryptomator.linux.keychain;
+
+import org.cryptomator.integrations.common.DisplayName;
+import org.cryptomator.integrations.common.OperatingSystem;
+import org.cryptomator.integrations.common.Priority;
+import org.cryptomator.integrations.keychain.KeychainAccessException;
+import org.cryptomator.integrations.keychain.KeychainAccessProvider;
+import org.freedesktop.dbus.DBusPath;
+import org.purejava.secret.api.Collection;
+import org.purejava.secret.api.EncryptedSession;
+import org.purejava.secret.api.Item;
+import org.purejava.secret.api.Static;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+
+@Priority(1100)
+@OperatingSystem(OperatingSystem.Value.LINUX)
+@DisplayName("Secret Service")
+public class SecretServiceKeychainAccess implements KeychainAccessProvider {
+
+	private static final Logger LOG = LoggerFactory.getLogger(SecretServiceKeychainAccess.class);
+	private static final String LABEL_FOR_SECRET_IN_KEYRING = "Cryptomator";
+	private static final String ID_KEY = "Vault";
+	private static final String NAME_KEY = "Name";
+	private final EncryptedSession session = new EncryptedSession();
+	private final Collection collection = new Collection(new DBusPath(Static.DBusPath.DEFAULT_COLLECTION));
+
+	public SecretServiceKeychainAccess() {
+		session.getService().addCollectionChangedHandler(collection -> LOG.debug("Collection {} changed", collection.getPath()));
+		session.getService().addCollectionCreatedHandler(collection -> LOG.debug("Collection {} created", collection.getPath()));
+		session.getService().addCollectionDeletedHandler(collection -> LOG.debug("Collection {} deleted", collection.getPath()));
+		var getAlias = session.getService().readAlias("default");
+		if (getAlias.isSuccess() && "/".equals(getAlias.value().getPath())) {
+			// default alias is not set; set it to the login keyring
+			session.getService().setAlias("default", new DBusPath(Static.DBusPath.LOGIN_COLLECTION));
+		}
+		collection.addItemChangedHandler(item -> LOG.debug("Item {} changed", item.getPath()));
+		collection.addItemCreatedHandler(item -> LOG.debug("Item {} created", item.getPath()));
+		collection.addItemDeletedHandler(item -> LOG.debug("Item {} deleted", item.getPath()));
+
+	}
+
+	@Override
+	public void storePassphrase(String key, String displayName, CharSequence passphrase) throws KeychainAccessException {
+		try {
+			var call = collection.searchItems(withKey(key));
+			if (call.isSuccess()) {
+				if (call.value().isEmpty()) {
+					List<DBusPath> lockable = new ArrayList<>();
+					lockable.add(new DBusPath(collection.getDBusPath()));
+					session.getService().unlock(lockable);
+					var itemProps = Item.createProperties(LABEL_FOR_SECRET_IN_KEYRING, withKeyAndName(key, displayName));
+					var secret = session.encrypt(passphrase);
+					var created = collection.createItem(itemProps, secret, false);
+					if (!created.isSuccess()) {
+						throw new KeychainAccessException("Storing password failed", created.error());
+					}
+				} else {
+					changePassphrase(key, displayName, passphrase);
+				}
+			} else {
+				throw new KeychainAccessException("Storing password failed", call.error());
+			}
+		} catch (Exception e) {
+			throw new KeychainAccessException("Storing password failed.", e);
+		}
+	}
+
+	@Override
+	public char[] loadPassphrase(String key) throws KeychainAccessException {
+		try {
+			var call = collection.searchItems(withKey(key));
+			if (call.isSuccess()) {
+				if (!call.value().isEmpty()) {
+					var path = call.value().getFirst();
+					session.getService().ensureUnlocked(path);
+					var secret = new Item(path).getSecret(session.getSession());
+					return session.decrypt(secret);
+				} else {
+					return null;
+				}
+			} else {
+				throw new KeychainAccessException("Loading password failed", call.error());
+			}
+		} catch (Exception e) {
+			throw new KeychainAccessException("Loading password failed.", e);
+		}
+	}
+
+	@Override
+	public void deletePassphrase(String key) throws KeychainAccessException {
+		try {
+			var call = collection.searchItems(withKey(key));
+			if (call.isSuccess()) {
+				if (!call.value().isEmpty()) {
+					var path = call.value().getFirst();
+					session.getService().ensureUnlocked(path);
+					var item = new Item(path);
+					var deleted = item.delete();
+					if (!deleted.isSuccess()) {
+						throw new KeychainAccessException("Deleting password failed", deleted.error());
+					}
+				} else {
+					LOG.debug("Deleting entry with {}={} failed: No such item found", ID_KEY, key);
+				}
+			} else {
+				throw new KeychainAccessException("Deleting password failed", call.error());
+			}
+		} catch (Exception e) {
+			throw new KeychainAccessException("Deleting password failed", e);
+		}
+	}
+
+	@Override
+	public void changePassphrase(String key, String displayName, CharSequence passphrase) throws KeychainAccessException {
+		try {
+			var call = collection.searchItems(withKey(key));
+			if (call.isSuccess()) {
+				if (!call.value().isEmpty()) {
+					session.getService().ensureUnlocked(call.value().getFirst());
+					var secret = session.encrypt(passphrase);
+					var itemProps = Item.createProperties(LABEL_FOR_SECRET_IN_KEYRING, withKeyAndName(key, displayName));
+					var updated = collection.createItem(itemProps, secret, true);
+					if (!updated.isSuccess()) {
+						throw new KeychainAccessException("Updating password failed", updated.error());
+					}
+				} else {
+					var msg = "Vault " + key + " not found, updating failed";
+					throw new KeychainAccessException(msg);
+				}
+			} else {
+				throw new KeychainAccessException("Updating password failed", call.error());
+			}
+		} catch (Exception e) {
+			throw new KeychainAccessException("Updating password failed", e);
+		}
+	}
+
+	@Override
+	public boolean isSupported() {
+		return session.setupEncryptedSession() &&
+				session.getService().hasDefaultCollection();
+	}
+
+	@Override
+	public boolean isLocked() {
+		var call = collection.isLocked();
+		return !call.isSuccess() || call.value();
+	}
+
+	private Map<String, String> withKey(String key) {
+		if (key == null) {
+			throw new IllegalArgumentException("Arguments must not be null");
+		}
+		return Map.of(ID_KEY, key);
+	}
+
+	private Map<String, String> withKeyAndName(String key, String name) {
+		if (key == null) {
+			throw new IllegalArgumentException("Arguments must not be null");
+		}
+		return Map.of(ID_KEY, key, NAME_KEY, Objects.requireNonNullElse(name, ""));
+	}
+}

src/main/resources/META-INF/services/org.cryptomator.integrations.keychain.KeychainAccessProvider

@@ -1,2 +1,3 @@
+org.cryptomator.linux.keychain.SecretServiceKeychainAccess
 org.cryptomator.linux.keychain.KDEWalletKeychainAccess
 org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess

src/test/java/org/cryptomator/linux/keychain/GnomeKeyringKeychainAccessTest.java

@@ -87,4 +87,4 @@ public static boolean gnomeKeyringAvailableAndUnlocked() {
 		}
 	}
 
-}
+}

src/test/java/org/cryptomator/linux/keychain/SecretServiceKeychainAccessTest.java

@@ -0,0 +1,91 @@
+package org.cryptomator.linux.keychain;
+
+import org.cryptomator.integrations.keychain.KeychainAccessException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.MethodOrderer;
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Order;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestMethodOrder;
+import org.junit.jupiter.api.condition.EnabledIf;
+import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.UUID;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * Unit tests for Secret Service access via Dbus.
+ */
+@EnabledIfEnvironmentVariable(named = "DBUS_SESSION_BUS_ADDRESS", matches = ".*")
+public class SecretServiceKeychainAccessTest {
+
+	private static boolean isInstalled;
+
+	@BeforeAll
+	public static void checkSystemAndSetup() throws IOException {
+		ProcessBuilder dbusSend = new ProcessBuilder("dbus-send", "--print-reply", "--dest=org.freedesktop.DBus", "/org/freedesktop/DBus", "org.freedesktop.DBus.ListNames");
+		ProcessBuilder grep = new ProcessBuilder("grep", "-q", "org.freedesktop.secrets");
+		try {
+			Process end = ProcessBuilder.startPipeline(List.of(dbusSend, grep)).get(1);
+			if (end.waitFor(1000, TimeUnit.MILLISECONDS)) {
+				isInstalled = end.exitValue() == 0;
+			} else {
+				isInstalled = false;
+			}
+		} catch (InterruptedException e) {
+			Thread.currentThread().interrupt();
+		}
+	}
+
+	@Test
+	public void testIsSupported() {
+		var service = new SecretServiceKeychainAccess();
+		Assertions.assertEquals(isInstalled, service.isSupported());
+	}
+
+	@Nested
+	@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
+	@EnabledIf("serviceAvailableAndUnlocked")
+	class FunctionalTests {
+
+		static final String KEY_ID = "cryptomator-test-" + UUID.randomUUID();
+		final static SecretServiceKeychainAccess KEYRING = new SecretServiceKeychainAccess();
+
+		@Test
+		@Order(1)
+		public void testStore() throws KeychainAccessException {
+			KEYRING.isSupported(); // ensure encrypted session
+			KEYRING.storePassphrase(KEY_ID, "cryptomator-test", "p0ssw0rd");
+		}
+
+		@Test
+		@Order(2)
+		public void testLoad() throws KeychainAccessException {
+			var passphrase = KEYRING.loadPassphrase(KEY_ID);
+			Assertions.assertNotNull(passphrase);
+			Assertions.assertEquals("p0ssw0rd", String.copyValueOf(passphrase));
+		}
+
+		@Test
+		@Order(3)
+		public void testDelete() throws KeychainAccessException {
+			KEYRING.deletePassphrase(KEY_ID);
+		}
+
+		@Test
+		@Order(4)
+		public void testLoadNotExisting() throws KeychainAccessException {
+			var result = KEYRING.loadPassphrase(KEY_ID);
+			Assertions.assertNull(result);
+		}
+
+		public static boolean serviceAvailableAndUnlocked() {
+			var service = new SecretServiceKeychainAccess();
+			return service.isSupported() && !service.isLocked();
+		}
+	}
+
+}