feat: store plugin secure fields in Keychain, add DynamoDB tests

Author: datlechin

Plugins/DynamoDBDriverPlugin/DynamoDBPlugin.swift

@@ -90,7 +90,6 @@ final class DynamoDBPlugin: NSObject, TableProPlugin, DriverPlugin {
             placeholder: "AKIA...",
             section: .authentication
         ),
-        // TODO: .secure fields stored in additionalFields (plain JSON), not Keychain — needs migration
         ConnectionField(
             id: "awsSecretAccessKey",
             label: String(localized: "Secret Access Key"),

TablePro/AppDelegate.swift

@@ -65,6 +65,7 @@ class AppDelegate: NSObject, NSApplicationDelegate {
             }
         }
         PluginManager.shared.loadPlugins()
+        ConnectionStorage.shared.migratePluginSecureFieldsIfNeeded()
 
         Task { @MainActor in
             LicenseManager.shared.startPeriodicValidation()

TablePro/Core/Database/DatabaseDriver.swift

@@ -378,6 +378,18 @@ enum DatabaseDriverFactory {
             fields[key] = value
         }
 
+        let secureFields = PluginManager.shared.additionalConnectionFields(for: connection.type)
+            .filter(\.isSecure)
+        for field in secureFields {
+            if fields[field.id] == nil || fields[field.id]?.isEmpty == true {
+                if let secureValue = ConnectionStorage.shared.loadPluginSecureField(
+                    fieldId: field.id, for: connection.id
+                ) {
+                    fields[field.id] = secureValue
+                }
+            }
+        }
+
         switch connection.type {
         case .mongodb:
             fields["sslCACertPath"] = ssl.caCertificatePath

TablePro/Core/Plugins/PluginMetadataRegistry+RegistryDefaults.swift

@@ -1118,9 +1118,6 @@ extension PluginMetadataRegistry {
                             placeholder: "AKIA...",
                             section: .authentication
                         ),
-                        // TODO: awsSecretAccessKey and awsSessionToken use .secure fieldType but are stored
-                        // in additionalFields (plain JSON), not Keychain. Needs Keychain migration for
-                        // plugin .secure fields via ConnectionStorage.
                         ConnectionField(
                             id: "awsSecretAccessKey",
                             label: String(localized: "Secret Access Key"),

TablePro/Core/Storage/ConnectionStorage.swift

@@ -7,6 +7,7 @@
 
 import Foundation
 import os
+import TableProPluginKit
 
 /// Service for persisting database connections
 final class ConnectionStorage {
@@ -101,6 +102,9 @@ final class ConnectionStorage {
         deleteSSHPassword(for: connection.id)
         deleteKeyPassphrase(for: connection.id)
         deleteTOTPSecret(for: connection.id)
+
+        let secureFieldIds = Self.secureFieldIds(for: connection.type)
+        deleteAllPluginSecureFields(for: connection.id, fieldIds: secureFieldIds)
     }
 
     /// Duplicate a connection with a new UUID and "(Copy)" suffix
@@ -150,6 +154,13 @@ final class ConnectionStorage {
             saveTOTPSecret(totpSecret, for: newId)
         }
 
+        let secureFieldIds = Self.secureFieldIds(for: connection.type)
+        for fieldId in secureFieldIds {
+            if let value = loadPluginSecureField(fieldId: fieldId, for: connection.id) {
+                savePluginSecureField(value, fieldId: fieldId, for: newId)
+            }
+        }
+
         return duplicate
     }
 
@@ -211,6 +222,29 @@ final class ConnectionStorage {
         KeychainHelper.shared.delete(key: key)
     }
 
+    // MARK: - Plugin Secure Field Storage
+
+    func savePluginSecureField(_ value: String, fieldId: String, for connectionId: UUID) {
+        let key = "com.TablePro.plugin.\(fieldId).\(connectionId.uuidString)"
+        KeychainHelper.shared.saveString(value, forKey: key)
+    }
+
+    func loadPluginSecureField(fieldId: String, for connectionId: UUID) -> String? {
+        let key = "com.TablePro.plugin.\(fieldId).\(connectionId.uuidString)"
+        return KeychainHelper.shared.loadString(forKey: key)
+    }
+
+    func deletePluginSecureField(fieldId: String, for connectionId: UUID) {
+        let key = "com.TablePro.plugin.\(fieldId).\(connectionId.uuidString)"
+        KeychainHelper.shared.delete(key: key)
+    }
+
+    func deleteAllPluginSecureFields(for connectionId: UUID, fieldIds: [String]) {
+        for fieldId in fieldIds {
+            deletePluginSecureField(fieldId: fieldId, for: connectionId)
+        }
+    }
+
     // MARK: - TOTP Secret Storage
 
     func saveTOTPSecret(_ secret: String, for connectionId: UUID) {
@@ -227,6 +261,41 @@ final class ConnectionStorage {
         let key = "com.TablePro.totpsecret.\(connectionId.uuidString)"
         KeychainHelper.shared.delete(key: key)
     }
+
+    // MARK: - Plugin Secure Field Migration
+
+    private static func secureFieldIds(for databaseType: DatabaseType) -> [String] {
+        (PluginMetadataRegistry.shared.snapshot(forTypeId: databaseType.pluginTypeId)?
+            .connection.additionalConnectionFields ?? [])
+            .filter(\.isSecure).map(\.id)
+    }
+
+    func migratePluginSecureFieldsIfNeeded() {
+        let migrationKey = "com.TablePro.pluginSecureFieldsMigrated"
+        guard !UserDefaults.standard.bool(forKey: migrationKey) else { return }
+        defer { UserDefaults.standard.set(true, forKey: migrationKey) }
+
+        var connections = loadConnections()
+        var changed = false
+
+        for index in connections.indices {
+            let secureFields = (PluginMetadataRegistry.shared
+                .snapshot(forTypeId: connections[index].type.pluginTypeId)?
+                .connection.additionalConnectionFields ?? [])
+                .filter(\.isSecure)
+            for field in secureFields {
+                if let value = connections[index].additionalFields[field.id], !value.isEmpty {
+                    savePluginSecureField(value, fieldId: field.id, for: connections[index].id)
+                    connections[index].additionalFields.removeValue(forKey: field.id)
+                    changed = true
+                }
+            }
+        }
+
+        if changed {
+            saveConnections(connections)
+        }
+    }
 }
 
 // MARK: - Stored Connection (Codable wrapper)

TablePro/Views/Connection/ConnectionFormView.swift

@@ -1070,6 +1070,13 @@ struct ConnectionFormView: View { // swiftlint:disable:this type_body_length
                 }
             }
 
+            for field in PluginManager.shared.additionalConnectionFields(for: existing.type)
+                where field.isSecure {
+                if let secureValue = storage.loadPluginSecureField(fieldId: field.id, for: existing.id) {
+                    additionalFieldValues[field.id] = secureValue
+                }
+            }
+
             // Load startup commands
             startupCommands = existing.startupCommands ?? ""
             preConnectScript = existing.preConnectScript ?? ""
@@ -1124,6 +1131,8 @@ struct ConnectionFormView: View { // swiftlint:disable:this type_body_length
             trimmedUsername.isEmpty && PluginManager.shared.requiresAuthentication(for: type)
                 ? "root" : trimmedUsername
 
+        let finalId = connectionId ?? UUID()
+
         var finalAdditionalFields = additionalFieldValues
         let trimmedScript = preConnectScript.trimmingCharacters(in: .whitespacesAndNewlines)
         if !trimmedScript.isEmpty {
@@ -1132,8 +1141,18 @@ struct ConnectionFormView: View { // swiftlint:disable:this type_body_length
             finalAdditionalFields.removeValue(forKey: "preConnectScript")
         }
 
+        let secureFields = PluginManager.shared.additionalConnectionFields(for: type).filter(\.isSecure)
+        for field in secureFields {
+            if let value = finalAdditionalFields[field.id], !value.isEmpty {
+                storage.savePluginSecureField(value, fieldId: field.id, for: finalId)
+            } else {
+                storage.deletePluginSecureField(fieldId: field.id, for: finalId)
+            }
+            finalAdditionalFields.removeValue(forKey: field.id)
+        }
+
         let connectionToSave = DatabaseConnection(
-            id: connectionId ?? UUID(),
+            id: finalId,
             name: name,
             host: finalHost,
             port: finalPort,
@@ -1345,6 +1364,15 @@ struct ConnectionFormView: View { // swiftlint:disable:this type_body_length
                     }
                 }
 
+                for field in PluginManager.shared.additionalConnectionFields(for: type)
+                    where field.isSecure {
+                    if let value = additionalFieldValues[field.id], !value.isEmpty {
+                        ConnectionStorage.shared.savePluginSecureField(
+                            value, fieldId: field.id, for: testConn.id
+                        )
+                    }
+                }
+
                 let sshPasswordForTest = sshProfileId == nil ? sshPassword : nil
                 let success = try await DatabaseManager.shared.testConnection(
                     testConn, sshPassword: sshPasswordForTest)
@@ -1398,6 +1426,9 @@ struct ConnectionFormView: View { // swiftlint:disable:this type_body_length
         ConnectionStorage.shared.deleteSSHPassword(for: testId)
         ConnectionStorage.shared.deleteKeyPassphrase(for: testId)
         ConnectionStorage.shared.deleteTOTPSecret(for: testId)
+        let secureFieldIds = PluginManager.shared.additionalConnectionFields(for: type)
+            .filter(\.isSecure).map(\.id)
+        ConnectionStorage.shared.deleteAllPluginSecureFields(for: testId, fieldIds: secureFieldIds)
     }
 
     private func browseForPrivateKey() {

TableProTests/PluginTestSources/DynamoDBQueryBuilder.swift

@@ -0,0 +1 @@
+../../Plugins/DynamoDBDriverPlugin/DynamoDBQueryBuilder.swift

TableProTests/PluginTestSources/DynamoDBStatementGenerator.swift

@@ -0,0 +1 @@
+../../Plugins/DynamoDBDriverPlugin/DynamoDBStatementGenerator.swift