Files
2026-07-13 12:22:33 +08:00

129 lines
4.4 KiB
Swift

import CodexBarCore
import Foundation
import Security
protocol KimiK2TokenStoring: Sendable {
func loadToken() throws -> String?
func storeToken(_ token: String?) throws
}
enum KimiK2TokenStoreError: LocalizedError {
case keychainStatus(OSStatus)
case invalidData
var errorDescription: String? {
switch self {
case let .keychainStatus(status):
"Keychain error: \(status)"
case .invalidData:
"Keychain returned invalid data."
}
}
}
struct KeychainKimiK2TokenStore: KimiK2TokenStoring {
private static let log = CodexBarLog.logger(LogCategories.kimiK2TokenStore)
private let service = "com.steipete.CodexBar"
private let account = "kimi-k2-api-token"
func loadToken() throws -> String? {
guard !KeychainAccessGate.isDisabled else {
Self.log.debug("Keychain access disabled; skipping token load")
return nil
}
var result: CFTypeRef?
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: self.service,
kSecAttrAccount as String: self.account,
kSecMatchLimit as String: kSecMatchLimitOne,
kSecReturnData as String: true,
]
if case .interactionRequired = KeychainAccessPreflight
.checkGenericPassword(service: self.service, account: self.account)
{
KeychainPromptHandler.handler?(KeychainPromptContext(
kind: .kimiK2Token,
service: self.service,
account: self.account))
}
let status = KeychainSecurity.copyMatching(query as CFDictionary, &result)
if status == errSecItemNotFound {
return nil
}
guard status == errSecSuccess else {
Self.log.error("Keychain read failed: \(status)")
throw KimiK2TokenStoreError.keychainStatus(status)
}
guard let data = result as? Data else {
throw KimiK2TokenStoreError.invalidData
}
let token = String(data: data, encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines)
if let token, !token.isEmpty {
return token
}
return nil
}
func storeToken(_ token: String?) throws {
guard !KeychainAccessGate.isDisabled else {
Self.log.debug("Keychain access disabled; skipping token store")
return
}
let cleaned = token?.trimmingCharacters(in: .whitespacesAndNewlines)
if cleaned == nil || cleaned?.isEmpty == true {
try self.deleteTokenIfPresent()
return
}
let data = cleaned!.data(using: .utf8)!
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: self.service,
kSecAttrAccount as String: self.account,
]
let attributes: [String: Any] = [
kSecValueData as String: data,
kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
]
let updateStatus = KeychainSecurity.update(query as CFDictionary, attributes as CFDictionary)
if updateStatus == errSecSuccess {
return
}
if updateStatus != errSecItemNotFound {
Self.log.error("Keychain update failed: \(updateStatus)")
throw KimiK2TokenStoreError.keychainStatus(updateStatus)
}
var addQuery = query
for (key, value) in attributes {
addQuery[key] = value
}
let addStatus = KeychainSecurity.add(addQuery as CFDictionary, nil)
guard addStatus == errSecSuccess else {
Self.log.error("Keychain add failed: \(addStatus)")
throw KimiK2TokenStoreError.keychainStatus(addStatus)
}
}
private func deleteTokenIfPresent() throws {
guard !KeychainAccessGate.isDisabled else { return }
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: self.service,
kSecAttrAccount as String: self.account,
]
let status = KeychainSecurity.delete(query as CFDictionary)
if status == errSecSuccess || status == errSecItemNotFound {
return
}
Self.log.error("Keychain delete failed: \(status)")
throw KimiK2TokenStoreError.keychainStatus(status)
}
}