SMB: Backend for borrowing Finder's saved password (#2, backend half)

Lets Cmdr read the SMB password macOS/Finder already saved in the login keychain, so a yellow os-mount volume can go green (direct smb2) without the user retyping it. Backend only; the FE affordance lands next.

- `secrets/system_keychain_smb.rs` (macOS): silent attribute probe (`account_for_any`, no consent) and consent-gated data read (`read_password`) of Finder's `kSecClassInternetPassword` smb item, via `SecItemCopyMatching`. Tries `server_query_candidates` (the name forms the item might be keyed under) and skips the "No user account" guest sentinel. Spike confirmed the read works on a real NAS.
- `smb_upgrade::system_keychain_aliases`: gathers the mDNS-service-name / hostname forms for a server from the discovery state (Finder keys by the service name; we mount by IP).
- Commands: `system_has_saved_smb_password` (prompt-free probe, drives whether to offer the affordance) and `upgrade_to_smb_volume_using_saved_password` (consent read → direct smb2 → copy the password into Cmdr's own store so future reconnects are silent → fall back to `CredentialsNeeded` if absent/denied). User-initiated only, never at startup.
- Adds `security-framework-sys` (already in the lockfile) for the FFI constants + `SecItemCopyMatching`. macOS-only; non-macOS arms + stubs return false / unsupported.
- Pure helpers unit-tested (candidate ordering, account sentinel, alias gathering).

Author: vdavid

Cargo.lock

@@ -222,6 +222,10 @@ objc2-app-kit = { version = "0.3", features = [
 objc2-quick-look-ui = { version = "0.3.2", features = ["QLPreviewPanel", "QLPreviewItem", "objc2-app-kit"] }
 block2 = "0.6"
 security-framework = "3.2"
+# Raw `SecItemCopyMatching` + keychain query constants, for reading SMB passwords that
+# Finder/macOS saved (internet-password items the high-level crate can't filter by
+# server/protocol). Already in the lockfile as a transitive dep of `security-framework`.
+security-framework-sys = "2.17"
 # Drive indexing: macOS FSEvents watcher with event IDs and sinceWhen replay
 cmdr-fsevent-stream = { path = "../../../crates/fsevent-stream" }
 # Custom updater: signature verification, tarball extraction, version comparison

apps/desktop/src-tauri/Cargo.toml

@@ -8,7 +8,7 @@ use crate::network::{
 
 use crate::network::smb_upgrade::{
     UpgradeError, UpgradeResult, friendly_server_name, get_keychain_password, register_smb_volume,
-    resolve_ip_to_hostname_with_wait, try_smb_upgrade,
+    resolve_ip_to_hostname_with_wait, system_keychain_aliases, try_smb_upgrade,
 };
 
 /// Gets all currently discovered network hosts.
@@ -536,6 +536,150 @@ pub async fn upgrade_to_smb_volume_with_credentials(
     }
 }
 
+/// Does the system (login) keychain hold an SMB password another app (Finder) saved for
+/// this volume's server? Attributes-only probe — **never triggers the consent dialog** —
+/// so the frontend can decide whether to offer the "Use the password macOS saved"
+/// affordance. macOS-only; returns `false` everywhere else.
+#[cfg(target_os = "macos")]
+#[tauri::command]
+#[specta::specta]
+pub async fn system_has_saved_smb_password(volume_id: String) -> Result<bool, String> {
+    use crate::file_system::get_volume_manager;
+    use crate::secrets::system_keychain_smb;
+    use crate::volumes::get_smb_mount_info;
+
+    let manager = get_volume_manager();
+    let Some(volume) = manager.get(&volume_id) else {
+        return Ok(false);
+    };
+    let mount_path = volume.root().to_string_lossy().to_string();
+    let Some(info) = get_smb_mount_info(&mount_path) else {
+        return Ok(false);
+    };
+
+    // Use whatever the discovery state already knows (don't warm mDNS just to probe).
+    let aliases = system_keychain_aliases(&info.server);
+    let candidates = system_keychain_smb::server_query_candidates(&info.server, None, &aliases);
+
+    // Attribute read is fast and prompt-free, but still FFI — keep it off the async worker.
+    Ok(
+        tokio::task::spawn_blocking(move || system_keychain_smb::account_for_any(&candidates).is_some())
+            .await
+            .unwrap_or(false),
+    )
+}
+
+#[cfg(not(target_os = "macos"))]
+#[tauri::command]
+#[specta::specta]
+pub async fn system_has_saved_smb_password(_volume_id: String) -> Result<bool, String> {
+    Ok(false)
+}
+
+/// Upgrades an OS-mounted SMB volume to a direct smb2 connection using the password that
+/// another app (Finder/macOS) already saved in the login keychain — so the user doesn't
+/// retype it. Reading the password triggers the macOS consent dialog (the frontend primes
+/// the user first; we can't customize the system dialog's text). On success, the password
+/// is also copied into Cmdr's own store so future reconnects are silent. If nothing is
+/// saved or the user denies access, returns `CredentialsNeeded` so the frontend falls back
+/// to its login form. **User-initiated only** — never call this at startup.
+#[cfg(target_os = "macos")]
+#[tauri::command]
+#[specta::specta]
+pub async fn upgrade_to_smb_volume_using_saved_password(
+    volume_id: String,
+    app_handle: tauri::AppHandle,
+) -> Result<UpgradeResult, String> {
+    use crate::file_system::get_volume_manager;
+    use crate::secrets::system_keychain_smb;
+    use crate::volumes::get_smb_mount_info;
+
+    let manager = get_volume_manager();
+    let volume = manager.get(&volume_id).ok_or("Volume not found")?;
+    let mount_path = volume.root().to_string_lossy().to_string();
+
+    if volume.smb_connection_state().is_some() {
+        return Ok(UpgradeResult::Success);
+    }
+
+    let info = get_smb_mount_info(&mount_path).ok_or_else(|| {
+        format!(
+            "Can't determine SMB server info for {}. Is this an SMB mount?",
+            mount_path
+        )
+    })?;
+
+    // Warm mDNS so the alias set (Finder keys by the mDNS service name) is populated.
+    crate::network::ensure_mdns_started(app_handle);
+    let hostname = resolve_ip_to_hostname_with_wait(&info.server, std::time::Duration::from_millis(1500)).await;
+    let display_name = friendly_server_name(&info.server);
+
+    let aliases = system_keychain_aliases(&info.server);
+    let candidates = system_keychain_smb::server_query_candidates(&info.server, hostname.as_deref(), &aliases);
+
+    // The data read triggers the consent dialog and blocks on the user — keep it off the
+    // async worker pool.
+    let creds = tokio::task::spawn_blocking(move || system_keychain_smb::read_password(&candidates))
+        .await
+        .ok()
+        .flatten();
+
+    let Some(creds) = creds else {
+        // Nothing readable, or the user denied access → fall back to the login form.
+        return Ok(UpgradeResult::CredentialsNeeded {
+            server: info.server,
+            share: info.share,
+            port: info.port,
+            display_name,
+            username_hint: info.username,
+            message: None,
+        });
+    };
+
+    let result = try_smb_upgrade(
+        &info.server,
+        &info.share,
+        &mount_path,
+        Some(&creds.username),
+        Some(&creds.password),
+        info.port,
+        &volume_id,
+    )
+    .await;
+
+    match result {
+        Ok(()) => {
+            // Copy the borrowed password into Cmdr's own store so the next reconnect is
+            // silent (no consent dialog). Keyed by hostname when known, else the server.
+            let server_key = hostname.as_deref().unwrap_or(&info.server);
+            if let Err(e) = keychain::save_credentials(server_key, Some(&info.share), &creds.username, &creds.password)
+            {
+                log::warn!("Couldn't copy borrowed credentials into Cmdr's store: {}", e);
+            }
+            Ok(UpgradeResult::Success)
+        }
+        Err(UpgradeError::Auth) => Ok(UpgradeResult::CredentialsNeeded {
+            server: info.server,
+            share: info.share,
+            port: info.port,
+            display_name,
+            username_hint: Some(creds.username),
+            message: Some("The saved password didn't work".to_string()),
+        }),
+        Err(UpgradeError::Network(msg)) => Ok(UpgradeResult::NetworkError { message: msg }),
+    }
+}
+
+#[cfg(not(target_os = "macos"))]
+#[tauri::command]
+#[specta::specta]
+pub async fn upgrade_to_smb_volume_using_saved_password(
+    _volume_id: String,
+    _app_handle: tauri::AppHandle,
+) -> Result<UpgradeResult, String> {
+    Err("Reading saved SMB passwords is only supported on macOS".to_string())
+}
+
 // --- Disconnect Command ---
 
 /// Unmounts all SMB shares mounted from a given server.

apps/desktop/src-tauri/src/commands/network.rs

@@ -311,6 +311,10 @@ pub fn builder() -> Builder<tauri::Wry> {
         #[cfg(any(target_os = "macos", target_os = "linux"))]
         crate::commands::network::upgrade_to_smb_volume_with_credentials,
         #[cfg(any(target_os = "macos", target_os = "linux"))]
+        crate::commands::network::system_has_saved_smb_password,
+        #[cfg(any(target_os = "macos", target_os = "linux"))]
+        crate::commands::network::upgrade_to_smb_volume_using_saved_password,
+        #[cfg(any(target_os = "macos", target_os = "linux"))]
         crate::commands::network::reconnect_smb_volume,
         #[cfg(any(target_os = "macos", target_os = "linux"))]
         crate::commands::network::reconnect_smb_volume_with_credentials,
@@ -372,6 +376,10 @@ pub fn builder() -> Builder<tauri::Wry> {
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::network::upgrade_to_smb_volume_with_credentials,
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+        crate::stubs::network::system_has_saved_smb_password,
+        #[cfg(not(any(target_os = "macos", target_os = "linux")))]
+        crate::stubs::network::upgrade_to_smb_volume_using_saved_password,
+        #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::network::reconnect_smb_volume,
         #[cfg(not(any(target_os = "macos", target_os = "linux")))]
         crate::stubs::network::reconnect_smb_volume_with_credentials,

apps/desktop/src-tauri/src/ipc.rs

@@ -352,6 +352,8 @@ pub(super) fn collect_network_types(types: &mut Types) -> Vec<Function> {
         crate::commands::network::mount_network_share,
         crate::commands::network::upgrade_to_smb_volume,
         crate::commands::network::upgrade_to_smb_volume_with_credentials,
+        crate::commands::network::system_has_saved_smb_password,
+        crate::commands::network::upgrade_to_smb_volume_using_saved_password,
         crate::commands::network::reconnect_smb_volume,
         crate::commands::network::reconnect_smb_volume_with_credentials,
         crate::commands::network::disconnect_smb_volume,
@@ -389,6 +391,8 @@ pub(super) fn collect_network_types(types: &mut Types) -> Vec<Function> {
         crate::stubs::network::mount_network_share,
         crate::stubs::network::upgrade_to_smb_volume,
         crate::stubs::network::upgrade_to_smb_volume_with_credentials,
+        crate::stubs::network::system_has_saved_smb_password,
+        crate::stubs::network::upgrade_to_smb_volume_using_saved_password,
         crate::stubs::network::reconnect_smb_volume,
         crate::stubs::network::reconnect_smb_volume_with_credentials,
         crate::stubs::network::disconnect_smb_volume,

apps/desktop/src-tauri/src/ipc_collectors.rs

@@ -351,6 +351,34 @@ pub(crate) fn friendly_server_name(server: &str) -> String {
     resolve_ip_to_hostname(server).unwrap_or_else(|| server.to_string())
 }
 
+/// The server-name forms another app (Finder) might have keyed an SMB password under for
+/// this server, gathered from the discovery state. Finder typically uses the full mDNS
+/// service name (`Naspolya._smb._tcp.local`), while we mount by IP — so for each
+/// discovered host that's the same identity as `server`, we contribute its advertised
+/// name, its `.local` hostname, and the synthesized `{name}._smb._tcp.local` service form.
+/// Pure over `hosts` for testability; the live wrapper feeds `get_discovered_hosts()`.
+pub(crate) fn system_keychain_aliases(server: &str) -> Vec<String> {
+    system_keychain_aliases_from(server, &get_discovered_hosts())
+}
+
+fn system_keychain_aliases_from(server: &str, hosts: &[crate::network::NetworkHost]) -> Vec<String> {
+    use crate::network::server_identity::same_server;
+    let mut out = Vec::new();
+    for h in hosts {
+        let matches = same_server(&h.name, server, hosts)
+            || h.hostname.as_deref().is_some_and(|hn| same_server(hn, server, hosts))
+            || h.ip_address.as_deref() == Some(server);
+        if matches {
+            out.push(h.name.clone());
+            out.push(format!("{}._smb._tcp.local", h.name));
+            if let Some(hn) = &h.hostname {
+                out.push(hn.clone());
+            }
+        }
+    }
+    out
+}
+
 /// Tries to retrieve SMB credentials from the Keychain.
 ///
 /// Tries multiple keys: by IP (from statfs), by hostname (from mDNS discovery),
@@ -400,6 +428,33 @@ mod tests {
     use super::*;
     use std::time::Duration;
 
+    #[test]
+    fn system_keychain_aliases_include_the_mdns_service_form_for_an_ip() {
+        use crate::network::{HostSource, NetworkHost};
+        let hosts = [NetworkHost {
+            id: "naspolya".into(),
+            name: "Naspolya".into(),
+            hostname: Some("Naspolya.local".into()),
+            ip_address: Some("192.168.1.111".into()),
+            port: 445,
+            source: HostSource::Discovered,
+        }];
+        // We mount by IP; Finder keyed its password by the mDNS service name. The alias
+        // set must include that form so the keychain lookup can find it.
+        let aliases = system_keychain_aliases_from("192.168.1.111", &hosts);
+        assert!(
+            aliases.contains(&"Naspolya._smb._tcp.local".to_string()),
+            "got {aliases:?}"
+        );
+        assert!(aliases.contains(&"Naspolya.local".to_string()));
+        assert!(aliases.contains(&"Naspolya".to_string()));
+    }
+
+    #[test]
+    fn system_keychain_aliases_empty_for_an_unknown_server() {
+        assert!(system_keychain_aliases_from("10.9.9.9", &[]).is_empty());
+    }
+
     #[test]
     fn is_private_ipv4_recognizes_rfc1918_and_link_local() {
         assert!(is_private_ipv4("10.0.0.1"));

apps/desktop/src-tauri/src/network/smb_upgrade.rs

@@ -14,6 +14,10 @@ use std::sync::LazyLock;
 #[cfg(target_os = "macos")]
 mod keychain_macos;
 
+/// Reading SMB passwords other apps (Finder/macOS) saved in the login keychain. macOS-only.
+#[cfg(target_os = "macos")]
+pub mod system_keychain_smb;
+
 #[cfg(target_os = "linux")]
 mod keyring_linux;