Repo // Introduce SecurityAgentHelper.

2023-10-22 20:20:18 +08:00 · 2023-10-22 20:20:18 +08:00 · 9a0d0dc633
parent 5460217594
commit 9a0d0dc633
7 changed files with 99 additions and 0 deletions
--- a/Packages/vChewing_MainAssembly/Sources/MainAssembly/AppDelegate.swift
+++ b/Packages/vChewing_MainAssembly/Sources/MainAssembly/AppDelegate.swift
@ -66,6 +66,8 @@ public extension AppDelegate {

    PrefMgr.shared.fixOddPreferences()

+    SecurityAgentHelper.shared.timer?.fire()
+
    // 一旦發現與使用者半衰模組的觀察行為有關的崩潰標記被開啟：
    // 如果有開啟 Debug 模式的話，就將既有的半衰記憶資料檔案更名＋打上當時的時間戳。
    // 如果沒有開啟 Debug 模式的話，則將半衰記憶資料直接清空。
--- a/Packages/vChewing_MainAssembly/Sources/MainAssembly/SecurityAgentHelper.swift
+++ b/Packages/vChewing_MainAssembly/Sources/MainAssembly/SecurityAgentHelper.swift
@ -0,0 +1,82 @@
+// (c) 2023 and onwards The vChewing Project (MIT-NTL License).
+// ====================
+// This code is released under the MIT license (SPDX-License-Identifier: MIT)
+// ... with NTL restriction stating that:
+// No trademark license is granted to use the trade names, trademarks, service
+// marks, or product names of Contributor, except as required to fulfill notice
+// requirements defined in MIT License.
+
+import AppKit
+import Carbon
+import CocoaExtension
+import Shared
+
+public class SecurityAgentHelper {
+  public static let shared = SecurityAgentHelper()
+  private static var reportedPIDs: [Int32] = []
+
+  var timer: Timer?
+  let alertInstance = NSAlert()
+
+  private init() {
+    deployTimer()
+  }
+
+  deinit {
+    removeTimer()
+  }
+
+  public func deployTimer() {
+    timer = Timer.scheduledTimer(
+      timeInterval: 60, target: self, selector: #selector(checkAndHandle(_:)), userInfo: nil, repeats: true
+    )
+    timer?.tolerance = 600
+    timer?.fire()
+    vCLog("SecurityAgentHelper is online, scanning SecureEventInput abusers every 60 seconds.")
+  }
+
+  public func removeTimer() {
+    timer?.invalidate()
+    timer = nil
+  }
+
+  @objc public func checkAndHandle(_: Timer) {
+    var results = SecureEventInputSputnik.getRunningSecureInputApps(abusersOnly: true)
+    vCLog("SecurityAgentHelper scanned SecureEventInput abusers. \(results.count) targets found.")
+    guard !results.isEmpty else { return }
+    _ = DisableSecureEventInput()
+    Self.reportedPIDs.forEach { reportedPID in
+      results[reportedPID] = nil
+    }
+    guard !results.isEmpty else { return }
+    let messageTitle = "i18n:securityAgentHelper.warningMessage.title".localized
+    let messageHeader = "i18n:securityAgentHelper.warningMessage.header".localized
+    let messageFooter = "i18n:securityAgentHelper.warningMessage.footer".localized
+    var messageForEntries: [String] = [messageHeader]
+    results.forEach { matchedPID, matchedApp in
+      defer { Self.reportedPIDs.append(matchedPID) }
+      let strBuilder = NSMutableString(string: "[PID: \(matchedPID)]")
+      // 第一行
+      let bundleURL = matchedApp.bundleURL ?? matchedApp.executableURL
+      if let bundleURL = bundleURL {
+        strBuilder.append(" \(bundleURL.lastPathComponent)")
+        if let bundleIdentifier = matchedApp.bundleIdentifier {
+          strBuilder.append(" (\(bundleIdentifier))")
+        }
+      } else if let bundleIdentifier = matchedApp.bundleIdentifier {
+        strBuilder.append(" \(bundleIdentifier)")
+      }
+      // 第二行
+      if let bundleURL = bundleURL {
+        strBuilder.append("\n→ \(bundleURL.path)")
+      }
+      messageForEntries.append(strBuilder.description)
+    }
+    messageForEntries.append(messageFooter)
+    // 從這裡開始組裝訊息訊息內容。
+    alertInstance.messageText = messageTitle
+    alertInstance.informativeText = messageForEntries.joined(separator: "\n\n")
+    alertInstance.runModal()
+    NSApp.popup()
+  }
+}
--- a/Source/Resources/Base.lproj/Localizable.strings
+++ b/Source/Resources/Base.lproj/Localizable.strings
@ -7,6 +7,9 @@
 "i18n:aboutWindow.APP_NAME" = "vChewing for macOS";
 "i18n:aboutWindow.APP_DERIVED_FROM" = "Was derived from OpenVanilla McBopopmofo Project (MIT-License).";
 "i18n:aboutWindow.DEV_CREW" = "vChewing macOS Development: Shiki Suen, Isaac Xen, Hiraku Wang, etc.\nvChewing Phrase Database Maintained by Shiki Suen.\nWalking algorithm by Lukhnos Liu (from Gramambular 2, MIT-License).";
+"i18n:securityAgentHelper.warningMessage.title" = "SecureEventInput Abuse Detected";
+"i18n:securityAgentHelper.warningMessage.header" = "vChewing has detected that the following background processes are abusing the SecureEventInput, hindering all 3rd-party input methods from being able to switch to.\n\nIt is fine to use SecureEventInput for sensitive input fields. However, an app calling EnableSecureEventInput() is responsible to call DisableSecureEventInput() immediately right after the input field loses focus. This situation may also happen if an app is hanging in the background (or working as a helper application in the background) with its SecureEventInput left enabled.\n\nThe found processes are:";
+"i18n:securityAgentHelper.warningMessage.footer" = "When this message shows up, vChewing has already attempted to call DisableSecureEventInput() trying to make itself selectable in the input method menu again. Your suggested further steps:\n\n0. Keep a screenshot of this dialog (if you don't have one) for further purposes.\n\n1. If vChewing is still not selectable in the input method menu, you are suggested to manually terminate the processes listed above to force-release their SecureEventInput states. This will make vChewing available immediately.\n\n2. If the process belongs to an app from Mac App Store, please report its abuse of SecureEventInput to Apple. Apple may take actions to such apps if necessary, including pulling them off from the Mac App Store until the problem gets solved by the developers of such apps.\n\n3. Whether this process is from Mac App Store or not, you report this abuse to the related app vendor / developer. You may give them the screenshot of this alert message since it should have enough information to help the vendor / developer troubleshoot the issue.";

 "vChewing" = "vChewing";
 "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version)." = "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version).";
--- a/Source/Resources/en.lproj/Localizable.strings
+++ b/Source/Resources/en.lproj/Localizable.strings
@ -7,6 +7,9 @@
 "i18n:aboutWindow.APP_NAME" = "vChewing for macOS";
 "i18n:aboutWindow.APP_DERIVED_FROM" = "Was derived from OpenVanilla McBopopmofo Project (MIT-License).";
 "i18n:aboutWindow.DEV_CREW" = "vChewing macOS Development: Shiki Suen, Isaac Xen, Hiraku Wang, etc.\nvChewing Phrase Database Maintained by Shiki Suen.\nWalking algorithm by Lukhnos Liu (from Gramambular 2, MIT-License).";
+"i18n:securityAgentHelper.warningMessage.title" = "SecureEventInput Abuse Detected";
+"i18n:securityAgentHelper.warningMessage.header" = "vChewing has detected that the following background processes are abusing the SecureEventInput, hindering all 3rd-party input methods from being able to switch to.\n\nIt is fine to use SecureEventInput for sensitive input fields. However, an app calling EnableSecureEventInput() is responsible to call DisableSecureEventInput() immediately right after the input field loses focus. This situation may also happen if an app is hanging in the background (or working as a helper application in the background) with its SecureEventInput left enabled.\n\nThe found processes are:";
+"i18n:securityAgentHelper.warningMessage.footer" = "When this message shows up, vChewing has already attempted to call DisableSecureEventInput() trying to make itself selectable in the input method menu again. Your suggested further steps:\n\n0. Keep a screenshot of this dialog (if you don't have one) for further purposes.\n\n1. If vChewing is still not selectable in the input method menu, you are suggested to manually terminate the processes listed above to force-release their SecureEventInput states. This will make vChewing available immediately.\n\n2. If the process belongs to an app from Mac App Store, please report its abuse of SecureEventInput to Apple. Apple may take actions to such apps if necessary, including pulling them off from the Mac App Store until the problem gets solved by the developers of such apps.\n\n3. Whether this process is from Mac App Store or not, you report this abuse to the related app vendor / developer. You may give them the screenshot of this alert message since it should have enough information to help the vendor / developer troubleshoot the issue.";

 "vChewing" = "vChewing";
 "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version)." = "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version).";
--- a/Source/Resources/ja.lproj/Localizable.strings
+++ b/Source/Resources/ja.lproj/Localizable.strings
@ -7,6 +7,9 @@
 "i18n:aboutWindow.APP_NAME" = "vChewing for macOS";
 "i18n:aboutWindow.APP_DERIVED_FROM" = "曾て OpenVanilla 小麦注音プロジェクト (MIT-License) から派生。";
 "i18n:aboutWindow.DEV_CREW" = "macOS 版威注音の開発：Shiki Suen, Isaac Xen, Hiraku Wang, など。\n威注音語彙データの維持：Shiki Suen。\nウォーキング算法：Lukhnos Liu (Gramambular 2, MIT-License)。";
+"i18n:securityAgentHelper.warningMessage.title" = "SecureEventInput の不正利用が検出";
+"i18n:securityAgentHelper.warningMessage.header" = "威注音入力アプリ（略称「威注音」）は「他のバックグラウンド・プロセスがSecureEventInputを正しく利用していない」と検出しました。このような不正利用は「システム内蔵入力以外の全ての入力アプリがメニューで灰色状態で選べなくて使えない」の元凶です。\n\nセンシティブな資料の記入どころでSecureEventInputをEnableSecureEventInput()で使うのは当然ですが、「入力中」状態が終わった後必ずDisableSecureEventInput()で状態解消すべきだと義務です。いくつかヘルパーアプリも、あるいはSecureEventInputを呼び起こしてからすぐ固まったアプリも、この状態になりやすいです。特に、他のアプリの画面へ切り替えたとしても、固まったアプリのSecureEventInput状態は自動的に解消できません。\n\n検出した該当プロセスは：";
+"i18n:securityAgentHelper.warningMessage.footer" = "このメッセージが出た時に、威注音がすでに「DisableSecureEventInput()」を実行してみました。これで入力ソースメニューで威注音は利用できる状態になったかもしれませんが、下記のステップはおすすめです：\n\nイ）今のこのメッセージの画面のスクリーンショットを撮って置いてください。後ほど使えます。\n\nロ）もし、今でも入力ソースメニューで威注音は利用できぬ状態でしたら、上記のプロセスを（強制）中止してください。そうすれば、それぞれのSecureEventInput状態は解消できて、入力ソースメニューで威注音はすぐ利用できることになります。\n\nハ）もし、該当プロセスは Mac App Store のアプリからのものでしたら、該当アプリを Apple 社にご通報ください。状況と必要性次第、該当アプリは Mac App Store からしばらく取り下がて、支障解決まで Mac App Store 提供中止になるかもしれません。\n\nニ）該当プロセスは Mac App Store からダウンロードしたものか否か、それぞれの開発元にこの支障をご通報ください。今のこのメッセージの画面のスクリーンショットを該当開発元に送れば、必要なる情報は該当開発元に全部お知らせすることができます。";

 "vChewing" = "威注音入力アプリ";
 "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version)." = "これで今のこのアプリを Aqua 特別版から主流発行版と置き換えます。主流発行版は今の時代の macOS のために最適化したものであり、おすすめです。";
--- a/Source/Resources/zh-Hans.lproj/Localizable.strings
+++ b/Source/Resources/zh-Hans.lproj/Localizable.strings
@ -7,6 +7,9 @@
 "i18n:aboutWindow.APP_NAME" = "vChewing for macOS";
 "i18n:aboutWindow.APP_DERIVED_FROM" = "该专案曾由 OpenVanilla 小麦注音专案 (MIT-License) 衍生而来。";
 "i18n:aboutWindow.DEV_CREW" = "威注音 macOS 程式研发：Shiki Suen, Isaac Xen, Hiraku Wang, 等。\n威注音词库维护：Shiki Suen。\n爬轨算法：Lukhnos Liu (Gramambular 2, MIT-License)。";
+"i18n:securityAgentHelper.warningMessage.title" = "检测到对 SecureEventInput 的滥用行为";
+"i18n:securityAgentHelper.warningMessage.header" = "威注音有检测到下述后台进程有在滥用 SecureEventInput。这种滥用会导致系统内的所有第三方输入法全都无法正常使用（在输入法选单内会变成灰色）。\n\n针对需要填写敏感数据的场合，使用 SecureEventInput 无可厚非。但是，用 EnableSecureEventInput() 开启该模式之后，就有义务在输入窗格失焦的那一刻呼叫 DisableSecureEventInput() 来结束这种状态。这种状态还常见于后台辅助 App 当中、或者某个 App 在叫出该模式之后失去响应（这样的话，哪怕被切换到后台，SecureEventInput 也不会自动解除）。\n\n被侦测到的进程如下：";
+"i18n:securityAgentHelper.warningMessage.footer" = "当这则讯息呈现出来的时候，威注音已经尝试呼叫 `DisableSecureEventInput()` 来试图解除这个状态。以下是威注音建议您采取的行动：\n\n0. 将这则讯息视窗留一份屏幕撷图、以备接下来的需要。\n\n1. 如果输入法选单内的威注音仍旧处于无法选取的状态（下文简称「灰色不可用状态」），则请考虑结束上述进程、以迫使其释放各自的 SecureEventInput 状态。这将立刻解除威注音的灰色不可用状态。\n\n2. 如果该进程所属的 App 来自于 Mac App Store 的话，请向 Apple 检举其对 SecureEventInput 的滥用。Apple 会在必要的情况下对这类 App 采取措施，比如：临时下架，直至软件开发者解决相关故障。\n\n3. 无论该进程是否来自于 Mac App Store，也都请您向相关的开发者/提供方提报该故障。您可以将这则讯息的屏幕撷图给他们看，因为里面已经包含了用以检测该故障的必要资讯。";

 "vChewing" = "威注音输入法";
 "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version)." = "该更新会将您当前的输入法由 Aqua 特别版置换为针对当前系统设计的主流发行版。";
--- a/Source/Resources/zh-Hant.lproj/Localizable.strings
+++ b/Source/Resources/zh-Hant.lproj/Localizable.strings
@ -7,6 +7,9 @@
 "i18n:aboutWindow.APP_NAME" = "vChewing for macOS";
 "i18n:aboutWindow.APP_DERIVED_FROM" = "該專案曾由 OpenVanilla 小麥注音專案 (MIT-License) 衍生而來。";
 "i18n:aboutWindow.DEV_CREW" = "威注音 macOS 程式研發：Shiki Suen, Isaac Xen, Hiraku Wang, 等。\n威注音詞庫維護：Shiki Suen。\n爬軌算法：Lukhnos Liu (Gramambular 2, MIT-License)。";
+"i18n:securityAgentHelper.warningMessage.title" = "偵測到對 SecureEventInput 的濫用行為";
+"i18n:securityAgentHelper.warningMessage.header" = "威注音有偵測到下述後檯執行緒有在濫用 SecureEventInput。這種濫用會導致系統內的所有第三方輸入法全都無法正常使用（在輸入法選單內會變成灰色）。\n\n針對需要填寫敏感資料的場合，使用 SecureEventInput 無可厚非。但是，用 EnableSecureEventInput() 開啟該模式之後，就有義務在輸入窗格失焦的那一刻呼叫 DisableSecureEventInput() 來結束這種狀態。這種狀態還常見於後檯輔助 App 當中、或者某個 App 在叫出該模式之後失去回應（這樣的話，哪怕被切換到後檯，SecureEventInput 也不會自動解除）。\n\n被偵測到的執行緒如下：";
+"i18n:securityAgentHelper.warningMessage.footer" = "當這則訊息呈現出來的時候，威注音已經嘗試呼叫 `DisableSecureEventInput()` 來試圖解除這個狀態。以下是威注音建議您採取的行動：\n\n0. 將這則訊息視窗留一份螢幕擷圖、以備接下來的需要。\n\n1. 如果輸入法選單內的威注音仍舊處於無法選取的狀態（下文簡稱「灰色不可用狀態」），則請考慮結束上述執行緒、以迫使其釋放各自的 SecureEventInput 狀態。這將立刻解除威注音的灰色不可用狀態。\n\n2. 如果該執行緒所屬的 App 來自於 Mac App Store 的話，請向 Apple 檢舉其對 SecureEventInput 的濫用。Apple 會在必要的情況下對這類 App 採取措施，比如：臨時下架，直至軟體研發方解決相關故障。\n\n3. 無論該執行緒是否來自於 Mac App Store，也都請您向相關的研發方/提供方提報該故障。您可以將這則訊息的螢幕擷圖給他們看，因為裡面已經包含了用以偵測該故障的必要資訊。";

 "vChewing" = "威注音輸入法";
 "This update will upgrade vChewing from Aqua Special Edition to Mainstream Release (recommended for your current OS version)." = "該更新會將您當前的輸入法由 Aqua 特別版置換為針對當前系統設計的主流發行版。";