Universal auth v1 and v2 NetworkProtection

Sources/NetworkProtection/Diagnostics/NetworkProtectionServerStatusMonitor.swift

@@ -49,13 +49,13 @@ public actor NetworkProtectionServerStatusMonitor {
     }
 
     private let networkClient: NetworkProtectionClient
-    private let tokenStore: NetworkProtectionTokenStore
+    private let tokenHandler: any SubscriptionTokenHandling
 
     // MARK: - Init & deinit
 
-    init(networkClient: NetworkProtectionClient, tokenStore: NetworkProtectionTokenStore) {
+    init(networkClient: NetworkProtectionClient, tokenHandler: any SubscriptionTokenHandling) {
         self.networkClient = networkClient
-        self.tokenStore = tokenStore
+        self.tokenHandler = tokenHandler
 
         Logger.networkProtectionMemory.debug("[+] \(String(describing: self), privacy: .public)")
     }
@@ -99,11 +99,11 @@ public actor NetworkProtectionServerStatusMonitor {
     // MARK: - Server Status Check
 
     private func checkServerStatus(for serverName: String) async -> Result<NetworkProtectionServerStatus, NetworkProtectionClientError> {
-        guard let accessToken = try? tokenStore.fetchToken() else {
+        guard let accessToken = try? await VPNAuthTokenBuilder.getVPNAuthToken(from: tokenHandler) else {
+            Logger.networkProtection.fault("Failed to check server status due to lack of access token")
             assertionFailure("Failed to check server status due to lack of access token")
             return .failure(.invalidAuthToken)
         }
-
         return await networkClient.getServerStatus(authToken: accessToken, serverName: serverName)
     }
 

Sources/NetworkProtection/KeyManagement/NetworkProtectionKeyStore.swift

@@ -222,6 +222,8 @@ public final class NetworkProtectionKeychainKeyStore: NetworkProtectionKeyStore
     // MARK: - EventMapping
 
     private func handle(_ error: Error) {
+        Logger.networkProtectionKeyManagement.error("Failed to perform operation: \(error, privacy: .public)")
+
         guard let error = error as? NetworkProtectionKeychainStoreError else {
             assertionFailure("Failed to cast Network Protection Keychain store error")
             errorEvents?.fire(NetworkProtectionError.unhandledError(function: #function, line: #line, error: error))

Sources/NetworkProtection/KeyManagement/NetworkProtectionKeychainStore.swift

@@ -39,14 +39,14 @@ enum NetworkProtectionKeychainStoreError: Error, NetworkProtectionErrorConvertib
 }
 
 /// General Keychain access helper class for the NetworkProtection module. Should be used for specific KeychainStore types.
-final class NetworkProtectionKeychainStore {
+public final class NetworkProtectionKeychainStore {
     private let label: String
     private let serviceName: String
     private let keychainType: KeychainType
 
-    init(label: String,
-         serviceName: String,
-         keychainType: KeychainType) {
+    public init(label: String,
+                serviceName: String,
+                keychainType: KeychainType) {
 
         self.label = label
         self.serviceName = serviceName
@@ -55,7 +55,8 @@ final class NetworkProtectionKeychainStore {
 
     // MARK: - Keychain Interaction
 
-    func readData(named name: String) throws -> Data? {
+    public func readData(named name: String) throws -> Data? {
+        Logger.networkProtectionKeyManagement.debug("Reading key \(name, privacy: .public) from keychain")
         var query = defaultAttributes()
         query[kSecAttrAccount] = name
         query[kSecReturnData] = true
@@ -78,7 +79,8 @@ final class NetworkProtectionKeychainStore {
         }
     }
 
-    func writeData(_ data: Data, named name: String) throws {
+    public func writeData(_ data: Data, named name: String) throws {
+        Logger.networkProtectionKeyManagement.debug("Writing key \(name, privacy: .public) to keychain")
         var query = defaultAttributes()
         query[kSecAttrAccount] = name
         query[kSecAttrAccessible] = kSecAttrAccessibleAfterFirstUnlock
@@ -101,18 +103,20 @@ final class NetworkProtectionKeychainStore {
     }
 
     private func updateData(_ data: Data, named name: String) -> OSStatus {
+        Logger.networkProtectionKeyManagement.debug("Updating key \(name, privacy: .public) in keychain")
         var query = defaultAttributes()
         query[kSecAttrAccount] = name
 
         let newAttributes = [
-          kSecValueData: data,
-          kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock
+            kSecValueData: data,
+            kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock
         ] as [CFString: Any]
 
         return SecItemUpdate(query as CFDictionary, newAttributes as CFDictionary)
     }
 
-    func deleteAll() throws {
+    public func deleteAll() throws {
+        Logger.networkProtectionKeyManagement.debug("Deleting all keys from keychain")
         var query = defaultAttributes()
 #if os(macOS)
         // This line causes the delete to error with status -50 on iOS. Needs investigation but, for now, just delete the first item
@@ -125,6 +129,7 @@ final class NetworkProtectionKeychainStore {
         case errSecItemNotFound, errSecSuccess:
             break
         default:
+            Logger.networkProtectionKeyManagement.error("🔴 Failed to delete all keys, SecItemDelete status \(String(describing: status), privacy: .public)")
             throw NetworkProtectionKeychainStoreError.keychainDeleteError(status: status)
         }
     }

Sources/NetworkProtection/KeyManagement/NetworkProtectionKeychainTokenStore+LegacyAuthTokenStoring.swift

@@ -0,0 +1,45 @@
+//
+//  NetworkProtectionKeychainTokenStore+LegacyAuthTokenStoring.swift
+//
+//  Copyright © 2025 DuckDuckGo. All rights reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+//
+
+import Foundation
+import Networking
+
+extension NetworkProtectionKeychainTokenStore: LegacyAuthTokenStoring {
+
+    public var token: String? {
+        get {
+            do {
+                return try fetchToken()
+            } catch {
+                assertionFailure("Failed to retrieve auth token: \(error)")
+            }
+            return nil
+        }
+        set(newValue) {
+            do {
+                guard let newValue else {
+                    try deleteToken()
+                    return
+                }
+                try store(newValue)
+            } catch {
+                assertionFailure("Failed set token: \(error)")
+            }
+        }
+    }
+}

Sources/NetworkProtection/Logger+NetworkProtection.swift

@@ -36,4 +36,5 @@ public extension Logger {
     static var networkProtectionStatusReporter = { Logger(subsystem: Logger.subsystem, category: "Status Reporter") }()
     static var networkProtectionSleep = { Logger(subsystem: Logger.subsystem, category: "Sleep and Wake") }()
     static var networkProtectionEntitlement = { Logger(subsystem: Logger.subsystem, category: "Entitlement Monitor") }()
+    static var networkProtectionWireGuard = { Logger(subsystem: Logger.subsystem, category: "WireGuardAdapter") }()
 }

Sources/NetworkProtection/NetworkProtectionDeviceManager.swift

@@ -73,27 +73,27 @@ public protocol NetworkProtectionDeviceManagement {
 
 public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
     private let networkClient: NetworkProtectionClient
-    private let tokenStore: NetworkProtectionTokenStore
+    private let tokenHandler: any SubscriptionTokenHandling
     private let keyStore: NetworkProtectionKeyStore
 
     private let errorEvents: EventMapping<NetworkProtectionError>?
 
     public init(environment: VPNSettings.SelectedEnvironment,
-                tokenStore: NetworkProtectionTokenStore,
+                tokenHandler: any SubscriptionTokenHandling,
                 keyStore: NetworkProtectionKeyStore,
                 errorEvents: EventMapping<NetworkProtectionError>?) {
         self.init(networkClient: NetworkProtectionBackendClient(environment: environment),
-                  tokenStore: tokenStore,
+                  tokenHandler: tokenHandler,
                   keyStore: keyStore,
                   errorEvents: errorEvents)
     }
 
     init(networkClient: NetworkProtectionClient,
-         tokenStore: NetworkProtectionTokenStore,
+         tokenHandler: any SubscriptionTokenHandling,
          keyStore: NetworkProtectionKeyStore,
          errorEvents: EventMapping<NetworkProtectionError>?) {
         self.networkClient = networkClient
-        self.tokenStore = tokenStore
+        self.tokenHandler = tokenHandler
         self.keyStore = keyStore
         self.errorEvents = errorEvents
     }
@@ -102,17 +102,18 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
     /// This method will return the remote server list if available, or the local server list if there was a problem with the service call.
     ///
     public func refreshServerList() async throws -> [NetworkProtectionServer] {
-        guard let token = try? tokenStore.fetchToken() else {
+        guard let token = try? await VPNAuthTokenBuilder.getVPNAuthToken(from: tokenHandler) else {
             throw NetworkProtectionError.noAuthTokenFound
         }
+
         let result = await networkClient.getServers(authToken: token)
         let completeServerList: [NetworkProtectionServer]
 
         switch result {
         case .success(let serverList):
             completeServerList = serverList
         case .failure(let failure):
-            handle(clientError: failure)
+            await handle(clientError: failure)
             throw failure
         }
 
@@ -188,8 +189,9 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
     private func register(keyPair: KeyPair,
                           selectionMethod: NetworkProtectionServerSelectionMethod) async throws -> (server: NetworkProtectionServer,
                                                                                                     newExpiration: Date?) {
-
-        guard let token = try? tokenStore.fetchToken() else { throw NetworkProtectionError.noAuthTokenFound }
+        guard let token = try? await VPNAuthTokenBuilder.getVPNAuthToken(from: tokenHandler) else {
+            throw NetworkProtectionError.noAuthTokenFound
+        }
 
         let serverSelection: RegisterServerSelection
         let excludedServerName: String?
@@ -231,7 +233,7 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
             selectedServer = registeredServer
             return (selectedServer, selectedServer.expirationDate)
         case .failure(let error):
-            handle(clientError: error)
+            await handle(clientError: error)
             try handleAccessRevoked(error)
             throw error
         }
@@ -312,12 +314,12 @@ public actor NetworkProtectionDeviceManager: NetworkProtectionDeviceManagement {
         return peerConfiguration
     }
 
-    private func handle(clientError: NetworkProtectionClientError) {
-#if os(macOS)
+    private func handle(clientError: NetworkProtectionClientError) async {
+ #if os(macOS)
         if case .invalidAuthToken = clientError {
-            try? tokenStore.deleteToken()
+            try? await tokenHandler.removeToken()
         }
-#endif
+ #endif
         errorEvents?.fire(clientError.networkProtectionError)
     }
 

Sources/NetworkProtection/NetworkProtectionOptionKey.swift

@@ -26,6 +26,7 @@ public enum NetworkProtectionOptionKey {
     public static let dnsSettings = "dnsSettings"
     public static let excludeLocalNetworks = "excludeLocalNetworks"
     public static let authToken = "authToken"
+    public static let tokenContainer = "tokenContainer"
     public static let isOnDemand = "is-on-demand"
     public static let activationAttemptId = "activationAttemptId"
     public static let tunnelFailureSimulation = "tunnelFailureSimulation"

Sources/NetworkProtection/Networking/NetworkProtectionClient.swift

@@ -89,6 +89,26 @@ public enum NetworkProtectionClientError: CustomNSError, NetworkProtectionErrorC
             return [:]
         }
     }
+
+    public var errorDescription: String? {
+        switch self {
+        case .failedToFetchLocationList: return "Failed to fetch location list"
+        case .failedToParseLocationListResponse: return "Failed to parse location list response"
+        case .failedToFetchServerList: return "Failed to fetch server list"
+        case .failedToParseServerListResponse: return "Failed to parse server list response"
+        case .failedToEncodeRegisterKeyRequest: return "Failed to encode register key request"
+        case .failedToFetchServerStatus(let error):
+            return "Failed to fetch server status: \(error)"
+        case .failedToParseServerStatusResponse(let error):
+            return "Failed to parse server status response: \(error)"
+        case .failedToFetchRegisteredServers(let error):
+            return "Failed to fetch registered servers: \(error)"
+        case .failedToParseRegisteredServersResponse(let error):
+            return "Failed to parse registered servers response: \(error)"
+        case .invalidAuthToken: return "Invalid auth token"
+        case .accessDenied: return "Access denied"
+        }
+    }
 }
 
 struct RegisterKeyRequestBody: Encodable {