use seperate migration keys

camden-king · camden-king · commit 7a7483c0cbea · 2025-05-16T16:25:54.000-07:00
diff --git a/GoogleSignIn/Sources/GIDAuthStateMigration.m b/GoogleSignIn/Sources/GIDAuthStateMigration.m
@@ -26,8 +26,13 @@
 
 NS_ASSUME_NONNULL_BEGIN
 
-// User preference key to detect whether or not the migration check has been performed.
-static NSString *const kMigrationCheckPerformedKey = @"GID_MigrationCheckPerformed";
+// User preference key to detect whether or not the migration to GTMAppAuth has been performed.
+static NSString *const kGTMAppAuthMigrationCheckPerformedKey = @"GID_MigrationCheckPerformed";
+
+// User preference key to detect whether or not the data protected migration has been performed.
+static NSString *const kDataProtectedMigrationCheckPerformedKey =
+                                                      @"GID_DataProtectedMigrationCheckPerformed";
+
 
 // Keychain account used to store additional state in SDKs previous to v5, including GPPSignIn.
 static NSString *const kOldKeychainAccount = @"GooglePlus";
@@ -63,45 +68,85 @@ - (void)migrateIfNeededWithTokenURL:(NSURL *)tokenURL
                        callbackPath:(NSString *)callbackPath
                        keychainName:(NSString *)keychainName
                      isFreshInstall:(BOOL)isFreshInstall {
-  // See if we've performed the migration check previously.
-  NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
-  if ([defaults boolForKey:kMigrationCheckPerformedKey]) {
+  // If this is a fresh install, take no action and mark the migration checks as having been
+  // performed.
+  if (isFreshInstall) {
+    NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
+#if TARGET_OS_OSX || TARGET_OS_MACCATALYST
+    [defaults setBool:YES forKey:kDataProtectedMigrationCheckPerformedKey];
+#elif TARGET_OS_IOS
+    [defaults setBool:YES forKey:kGTMAppAuthMigrationCheckPerformedKey];
+#endif
     return;
   }
 
-  // If this is not a fresh install, attempt to migrate state.  If this is a fresh install, take no
-  // action and go on to mark the migration check as having been performed.
-  if (!isFreshInstall) {
-    GTMAuthSession *authSession = nil;
 #if TARGET_OS_OSX || TARGET_OS_MACCATALYST
-    // Migrate from the fileBasedKeychain to dataProtectedKeychain with GTMAppAuth 5.0.
-    GTMKeychainAttribute *fileBasedKeychain = [GTMKeychainAttribute useFileBasedKeychain];
-    NSSet *attributes = [NSSet setWithArray:@[fileBasedKeychain]];
-    GTMKeychainStore *keychainStoreLegacy =
-        [[GTMKeychainStore alloc] initWithItemName:self.keychainStore.itemName
-                                keychainAttributes:attributes];
-    authSession = [keychainStoreLegacy retrieveAuthSessionWithError:nil];
+  [self performDataProtectedMigrationIfNeeded];
 #elif TARGET_OS_IOS
-    // Migrate from GPPSignIn 1.x or GIDSignIn 1.0 - 4.x to the GTMAppAuth storage introduced in
-    // GIDSignIn 5.0.
-    authSession = [self extractAuthSessionWithTokenURL:tokenURL callbackPath:callbackPath];
+  [self performGIDMigrationIfNeededWithTokenURL:tokenURL
+                                   callbackPath:callbackPath
+                                   keychainName:keychainName]
 #endif
-    // If migration was successful, save our migrated state to the keychain.
-    if (authSession) {
-      NSError *err;
-      [self.keychainStore saveAuthSession:authSession error:&err];
-      // If we're unable to save to the keychain, return without marking migration performed.
-      if (err) {
-        return;
-      };
+}
+
 #if TARGET_OS_OSX || TARGET_OS_MACCATALYST
-      [keychainStoreLegacy removeAuthSessionWithError:nil];
-#endif
-    }
+// Migrate from the fileBasedKeychain to dataProtectedKeychain with GTMAppAuth 5.0.
+- (void)performDataProtectedMigrationIfNeeded {
+  // See if we've performed the migration check previously.
+  NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
+  if ([defaults boolForKey:kDataProtectedMigrationCheckPerformedKey]) {
+    return;
+  }
+  // Migrate from the fileBasedKeychain to dataProtectedKeychain with GTMAppAuth 5.0.
+  GTMKeychainAttribute *fileBasedKeychain = [GTMKeychainAttribute useFileBasedKeychain];
+  NSSet *attributes = [NSSet setWithArray:@[fileBasedKeychain]];
+  GTMKeychainStore *keychainStoreLegacy =
+      [[GTMKeychainStore alloc] initWithItemName:self.keychainStore.itemName
+                              keychainAttributes:attributes];
+  GTMAuthSession *authSession = [keychainStoreLegacy retrieveAuthSessionWithError:nil];
+  // If migration was successful, save our migrated state to the keychain.
+  if (authSession) {
+    NSError *err;
+    [self.keychainStore saveAuthSession:authSession error:&err];
+    // If we're unable to save to the keychain, return without marking migration performed.
+    if (err) {
+      return;
+    };
+    [keychainStoreLegacy removeAuthSessionWithError:nil];
   }
 
   // Mark the migration check as having been performed.
-  [defaults setBool:YES forKey:kMigrationCheckPerformedKey];
+  [defaults setBool:YES forKey:kDataProtectgedMigrationCheckPerformedKey];
+}
+
+#elif TARGET_OS_IOS
+// Migrate from GPPSignIn 1.x or GIDSignIn 1.0 - 4.x to the GTMAppAuth storage introduced in
+// GIDSignIn 5.0.
+- (void)performGIDMigrationIfNeededWithTokenURL:(NSURL *)tokenURL
+                                   callbackPath:(NSString *)callbackPath
+                                   keychainName:(NSString *)keychainName {
+  // See if we've performed the migration check previously.
+  NSUserDefaults* defaults = [NSUserDefaults standardUserDefaults];
+  if ([defaults boolForKey:kGTMAppAuthMigrationCheckPerformedKey]) {
+    return;
+  }
+
+  // Attempt migration
+  GTMAuthSession *authSession =
+      [self extractAuthSessionWithTokenURL:tokenURL callbackPath:callbackPath];
+
+  // If migration was successful, save our migrated state to the keychain.
+  if (authSession) {
+    NSError *err;
+    [self.keychainStore saveAuthSession:authSession error:&err];
+    // If we're unable to save to the keychain, return without marking migration performed.
+    if (err) {
+      return;
+    };
+  }
+
+  // Mark the migration check as having been performed.
+  [defaults setBool:YES forKey:kGTMAppAuthMigrationCheckPerformedKey];
 }
 
 // Returns a |GTMAuthSession| object containing any old auth state or |nil| if none
@@ -202,6 +247,7 @@ + (nullable NSString *)passwordForService:(NSString *)service {
   NSString *password = [[NSString alloc] initWithData:passwordData encoding:NSUTF8StringEncoding];
   return password;
 }
+#endif
 
 @end
 
diff --git a/GoogleSignIn/Tests/Unit/GIDAuthStateMigrationTest.m b/GoogleSignIn/Tests/Unit/GIDAuthStateMigrationTest.m
@@ -52,7 +52,9 @@
 static NSString *const kRedirectURI =
     @"com.googleusercontent.apps.223520599684-kg64hfn0h950oureqacja2fltg00msv3:/callback/path";
 
-static NSString *const kMigrationCheckPerformedKey = @"GID_MigrationCheckPerformed";
+static NSString *const kGTMAppAuthMigrationCheckPerformedKey = @"GID_MigrationCheckPerformed";
+static NSString *const kDataProtectedMigrationCheckPerformedKey =
+                                                      @"GID_DataProtectedMigrationCheckPerformed";
 static NSString *const kFingerprintService = @"fingerprint";
 
 NS_ASSUME_NONNULL_BEGIN
@@ -132,39 +134,64 @@ - (void)tearDown {
 
 #pragma mark - Tests
 
-- (void)testMigrateIfNeeded_NoPreviousMigration {
+#if TARGET_OS_OSX || TARGET_OS_MACCATALYST
+- (void)testMigrateIfNeeded_NoPreviousMigration_DataProtectedMigration {
   [[[_mockUserDefaults stub] andReturn:_mockUserDefaults] standardUserDefaults];
-  [[[_mockUserDefaults expect] andReturnValue:@NO] boolForKey:kMigrationCheckPerformedKey];
-  [[_mockUserDefaults expect] setBool:YES forKey:kMigrationCheckPerformedKey];
+  [[[_mockUserDefaults expect] andReturnValue:@NO] boolForKey:kDataProtectedMigrationCheckPerformedKey];
+  [[_mockUserDefaults expect] setBool:YES forKey:kDataProtectedMigrationCheckPerformedKey];
 
   [[_mockGTMKeychainStore expect] saveAuthSession:OCMOCK_ANY error:OCMArg.anyObjectRef];
-
-#if TARGET_OS_OSX || TARGET_OS_MACCATALYST
   [[[_mockGTMKeychainStore expect] andReturn:kKeychainName] itemName];
+
+  // set the auth session that will be migrated
   OIDAuthState *authState = [OIDAuthState testInstance];
   GTMAuthSession *authSession = [[GTMAuthSession alloc] initWithAuthState:authState];
   NSError *err;
   [_realLegacyGTMKeychainStore saveAuthSession:authSession error:&err];
   XCTAssertNil(err);
-#else
-  [self setUpCommonExtractAuthorizationMocksWithFingerPrint:kSavedFingerprint];
-#endif
 
   GIDAuthStateMigration *migration =
       [[GIDAuthStateMigration alloc] initWithKeychainStore:_mockGTMKeychainStore];
   [migration migrateIfNeededWithTokenURL:[NSURL URLWithString:kTokenURL]
                             callbackPath:kCallbackPath
                             keychainName:kKeychainName
                           isFreshInstall:NO];
-#if TARGET_OS_OSX || TARGET_OS_MACCATALYST
+
+  // verify that the auth session was removed during migration
   XCTAssertNil([_realLegacyGTMKeychainStore retrieveAuthSessionWithError:nil]);
-#endif
 }
 
-- (void)testMigrateIfNeeded_HasPreviousMigration {
+- (void)testMigrateIfNeeded_KeychainFailure_DataProtectedMigration {
+  [[[_mockUserDefaults stub] andReturn:_mockUserDefaults] standardUserDefaults];
+  [[[_mockUserDefaults expect] andReturnValue:@NO] boolForKey:kDataProtectedMigrationCheckPerformedKey];
+
+  NSError *keychainSaveError = [NSError new];
+  OCMStub([_mockGTMKeychainStore saveAuthSession:OCMOCK_ANY error:[OCMArg setTo:keychainSaveError]]);
+
+  [[[_mockGTMKeychainStore expect] andReturn:kKeychainName] itemName];
+  OIDAuthState *authState = [OIDAuthState testInstance];
+  GTMAuthSession *authSession = [[GTMAuthSession alloc] initWithAuthState:authState];
+  NSError *err;
+  [_realLegacyGTMKeychainStore saveAuthSession:authSession error:&err];
+  XCTAssertNil(err);
+
+  GIDAuthStateMigration *migration =
+      [[GIDAuthStateMigration alloc] initWithKeychainStore:_mockGTMKeychainStore];
+  [migration migrateIfNeededWithTokenURL:[NSURL URLWithString:kTokenURL]
+                            callbackPath:kCallbackPath
+                            keychainName:kKeychainName
+                          isFreshInstall:NO];
+  XCTAssertNotNil([_realLegacyGTMKeychainStore retrieveAuthSessionWithError:nil]);
+}
+
+#else
+
+- (void)testMigrateIfNeeded_NoPreviousMigration_GTMAppAuthMigration {
   [[[_mockUserDefaults stub] andReturn:_mockUserDefaults] standardUserDefaults];
-  [[[_mockUserDefaults expect] andReturnValue:@YES] boolForKey:kMigrationCheckPerformedKey];
-  [[_mockUserDefaults reject] setBool:YES forKey:kMigrationCheckPerformedKey];
+  [[[_mockUserDefaults expect] andReturnValue:@NO] boolForKey:kMigrationCheckPerformedKey];
+  [[_mockUserDefaults expect] setBool:YES forKey:kMigrationCheckPerformedKey];
+
+  [[_mockGTMKeychainStore expect] saveAuthSession:OCMOCK_ANY error:OCMArg.anyObjectRef];
 
   GIDAuthStateMigration *migration =
       [[GIDAuthStateMigration alloc] initWithKeychainStore:_mockGTMKeychainStore];
@@ -174,33 +201,43 @@ - (void)testMigrateIfNeeded_HasPreviousMigration {
                           isFreshInstall:NO];
 }
 
-- (void)testMigrateIfNeeded_KeychainFailure {
+- (void)testMigrateIfNeeded_KeychainFailure_GTMAppAuthMigration {
   [[[_mockUserDefaults stub] andReturn:_mockUserDefaults] standardUserDefaults];
   [[[_mockUserDefaults expect] andReturnValue:@NO] boolForKey:kMigrationCheckPerformedKey];
 
   NSError *keychainSaveError = [NSError new];
   OCMStub([_mockGTMKeychainStore saveAuthSession:OCMOCK_ANY error:[OCMArg setTo:keychainSaveError]]);
 
-#if TARGET_OS_OSX || TARGET_OS_MACCATALYST
-  [[[_mockGTMKeychainStore expect] andReturn:kKeychainName] itemName];
-  OIDAuthState *authState = [OIDAuthState testInstance];
-  GTMAuthSession *authSession = [[GTMAuthSession alloc] initWithAuthState:authState];
-  NSError *err;
-  [_realLegacyGTMKeychainStore saveAuthSession:authSession error:&err];
-  XCTAssertNil(err);
-#else
   [self setUpCommonExtractAuthorizationMocksWithFingerPrint:kSavedFingerprint];
-#endif
 
   GIDAuthStateMigration *migration =
       [[GIDAuthStateMigration alloc] initWithKeychainStore:_mockGTMKeychainStore];
   [migration migrateIfNeededWithTokenURL:[NSURL URLWithString:kTokenURL]
                             callbackPath:kCallbackPath
                             keychainName:kKeychainName
                           isFreshInstall:NO];
+}
+
+#endif
+
+
+
+- (void)testMigrateIfNeeded_HasPreviousMigration {
+  [[[_mockUserDefaults stub] andReturn:_mockUserDefaults] standardUserDefaults];
 #if TARGET_OS_OSX || TARGET_OS_MACCATALYST
-  XCTAssertNotNil([_realLegacyGTMKeychainStore retrieveAuthSessionWithError:nil]);
+  [[[_mockUserDefaults expect] andReturnValue:@YES] boolForKey:kDataProtectedMigrationCheckPerformedKey];
+  [[_mockUserDefaults reject] setBool:YES forKey:kDataProtectedMigrationCheckPerformedKey];
+#else
+  [[[_mockUserDefaults expect] andReturnValue:@YES] boolForKey:kGTMAppAuthMigrationCheckPerformedKey];
+  [[_mockUserDefaults reject] setBool:YES forKey:kGTMAppAuthMigrationCheckPerformedKey];
 #endif
+
+  GIDAuthStateMigration *migration =
+      [[GIDAuthStateMigration alloc] initWithKeychainStore:_mockGTMKeychainStore];
+  [migration migrateIfNeededWithTokenURL:[NSURL URLWithString:kTokenURL]
+                            callbackPath:kCallbackPath
+                            keychainName:kKeychainName
+                          isFreshInstall:NO];
 }
 
 - (void)testMigrateIfNeeded_isFreshInstall {
