Added key cache via OS keyring

int128 · Aug 25, 2023 · 7ee1122 · 7ee1122
1 parent 9151f23
commit 7ee1122
Show file tree

Hide file tree

Showing 9 changed files with 192 additions and 68 deletions.
diff --git a/go.mod b/go.mod
@@ -15,6 +15,7 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.8.4
+	github.com/zalando/go-keyring v0.2.3
 	golang.org/x/net v0.14.0
 	golang.org/x/oauth2 v0.11.0
 	golang.org/x/sync v0.3.0
@@ -26,14 +27,17 @@ require (
 )
 
 require (
+	github.com/alessio/shellescape v1.4.2 // indirect
 	github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89 // indirect
 	github.com/chromedp/sysutil v1.0.0 // indirect
+	github.com/danieljoos/wincred v1.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
 	github.com/gobwas/ws v1.2.1 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect

diff --git a/go.sum b/go.sum
@@ -33,6 +33,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0=
+github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/alexflint/go-filemutex v1.2.0 h1:1v0TJPDtlhgpW4nJ+GvxCLSlUDC3+gW0CQQvlmfDR/s=
 github.com/alexflint/go-filemutex v1.2.0/go.mod h1:mYyQSWvw9Tx2/H2n9qXPb52tTYfE0pZAWcBq5mK025c=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -50,6 +52,8 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/coreos/go-oidc/v3 v3.6.0 h1:AKVxfYw1Gmkn/w96z0DbT/B/xFnzTd3MkZvWLjF4n/o=
 github.com/coreos/go-oidc/v3 v3.6.0/go.mod h1:ZpHUsHBucTUj6WOkrP4E20UPynbLZzhTQ1XKCXkxyPc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
+github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -75,6 +79,8 @@ github.com/gobwas/pool v0.2.1 h1:xfeeEhW7pwmX8nuLVlqbzVc7udMDrwetjEv+TZIz1og=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1 h1:F2aeBZrm2NDsc7vbovKrWSogd4wvfAxg0FQ89/iqOTk=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
@@ -204,6 +210,8 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
+github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=

diff --git a/pkg/cmd/get_token.go b/pkg/cmd/get_token.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/int128/kubelogin/pkg/infrastructure/logger"
 	"github.com/int128/kubelogin/pkg/oidc"
+	"github.com/int128/kubelogin/pkg/tokencache"
 	"github.com/int128/kubelogin/pkg/usecases/credentialplugin"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -22,6 +23,8 @@ type getTokenOptions struct {
 	tlsOptions            tlsOptions
 	authenticationOptions authenticationOptions
 	ForceRefresh          bool
+	ForceKeyring          bool
+	NoKeyring             bool
 }
 
 func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
@@ -32,6 +35,8 @@ func (o *getTokenOptions) addFlags(f *pflag.FlagSet) {
 	f.BoolVar(&o.UsePKCE, "oidc-use-pkce", false, "Force PKCE usage")
 	f.StringVar(&o.TokenCacheDir, "token-cache-dir", defaultTokenCacheDir, "Path to a directory for token cache")
 	f.BoolVar(&o.ForceRefresh, "force-refresh", false, "If set, refresh the ID token regardless of its expiration time")
+	f.BoolVar(&o.ForceKeyring, "force-keyring", false, "If set, cached tokens will be stored in the OS keyring")
+	f.BoolVar(&o.NoKeyring, "no-keyring", false, "If set, cached tokens will be stored on disk")
 	o.tlsOptions.addFlags(f)
 	o.authenticationOptions.addFlags(f)
 }
@@ -73,6 +78,13 @@ func (cmd *GetToken) New() *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("get-token: %w", err)
 			}
+			tokenStorage := tokencache.StorageAuto
+			switch {
+			case o.ForceKeyring:
+				tokenStorage = tokencache.StorageKeyring
+			case o.NoKeyring:
+				tokenStorage = tokencache.StorageDisk
+			}
 			in := credentialplugin.Input{
 				Provider: oidc.Provider{
 					IssuerURL:    o.IssuerURL,
@@ -81,10 +93,11 @@ func (cmd *GetToken) New() *cobra.Command {
 					UsePKCE:      o.UsePKCE,
 					ExtraScopes:  o.ExtraScopes,
 				},
-				TokenCacheDir:   o.TokenCacheDir,
-				GrantOptionSet:  grantOptionSet,
-				TLSClientConfig: o.tlsOptions.tlsClientConfig(),
-				ForceRefresh:    o.ForceRefresh,
+				TokenCacheDir:     o.TokenCacheDir,
+				TokenCacheStorage: tokenStorage,
+				GrantOptionSet:    grantOptionSet,
+				TLSClientConfig:   o.tlsOptions.tlsClientConfig(),
+				ForceRefresh:      o.ForceRefresh,
 			}
 			if err := cmd.GetToken.Do(c.Context(), in); err != nil {
 				return fmt.Errorf("get-token: %w", err)

diff --git a/pkg/tokencache/repository/mock_Interface.go b/pkg/tokencache/repository/mock_Interface.go
diff --git a/pkg/tokencache/repository/repository.go b/pkg/tokencache/repository/repository.go
@@ -5,13 +5,15 @@ import (
 	"encoding/gob"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 
 	"github.com/google/wire"
 	"github.com/int128/kubelogin/pkg/oidc"
 	"github.com/int128/kubelogin/pkg/tokencache"
+	"github.com/zalando/go-keyring"
 )
 
 // Set provides an implementation and interface for Kubeconfig.
@@ -21,8 +23,8 @@ var Set = wire.NewSet(
 )
 
 type Interface interface {
-	FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error)
-	Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error
+	FindByKey(dir string, storage tokencache.Storage, key tokencache.Key) (*oidc.TokenSet, error)
+	Save(dir string, storage tokencache.Storage, key tokencache.Key, tokenSet oidc.TokenSet) error
 }
 
 type entity struct {
@@ -34,53 +36,136 @@ type entity struct {
 // Filename of a token cache is sha256 digest of the issuer, zero-character and client ID.
 type Repository struct{}
 
-func (r *Repository) FindByKey(dir string, key tokencache.Key) (*oidc.TokenSet, error) {
-	filename, err := computeFilename(key)
+// keyringService is used to namespace the keyring access.
+// Some implementations may also display this string when prompting the user
+// for allowing access.
+const keyringService = "kubelogin"
+
+// keyringItemPrefix is used as the prefix in the keyring items.
+const keyringItemPrefix = "kubelogin/tokencache/"
+
+func (r *Repository) FindByKey(dir string, storage tokencache.Storage, key tokencache.Key) (*oidc.TokenSet, error) {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return nil, fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.Open(p)
+	switch storage {
+	case tokencache.StorageAuto:
+		t, err := readFromKeyring(checksum)
+		if errors.Is(keyring.ErrUnsupportedPlatform, err) ||
+			errors.Is(keyring.ErrNotFound, err) {
+			return readFromFile(dir, checksum)
+		}
+		if err != nil {
+			return nil, err
+		}
+		return t, nil
+	case tokencache.StorageDisk:
+		return readFromFile(dir, checksum)
+	case tokencache.StorageKeyring:
+		return readFromKeyring(checksum)
+	default:
+		return nil, fmt.Errorf("unknown storage mode: %v", storage)
+	}
+}
+
+func readFromFile(dir, checksum string) (*oidc.TokenSet, error) {
+	p := filepath.Join(dir, checksum)
+	b, err := os.ReadFile(p)
 	if err != nil {
 		return nil, fmt.Errorf("could not open file %s: %w", p, err)
 	}
-	defer f.Close()
-	d := json.NewDecoder(f)
+	t, err := decodeKey(b)
+	if err != nil {
+		return nil, fmt.Errorf("file %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func readFromKeyring(checksum string) (*oidc.TokenSet, error) {
+	p := keyringItemPrefix + checksum
+	s, err := keyring.Get(keyringService, p)
+	if err != nil {
+		return nil, fmt.Errorf("could not get keyring secret %s: %w", p, err)
+	}
+	t, err := decodeKey([]byte(s))
+	if err != nil {
+		return nil, fmt.Errorf("keyring %s: %w", p, err)
+	}
+	return t, nil
+}
+
+func decodeKey(b []byte) (*oidc.TokenSet, error) {
 	var e entity
-	if err := d.Decode(&e); err != nil {
-		return nil, fmt.Errorf("invalid json file %s: %w", p, err)
+	err := json.Unmarshal(b, &e)
+	if err != nil {
+		return nil, fmt.Errorf("invalid token cache json: %w", err)
 	}
 	return &oidc.TokenSet{
 		IDToken:      e.IDToken,
 		RefreshToken: e.RefreshToken,
 	}, nil
 }
 
-func (r *Repository) Save(dir string, key tokencache.Key, tokenSet oidc.TokenSet) error {
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		return fmt.Errorf("could not create directory %s: %w", dir, err)
-	}
-	filename, err := computeFilename(key)
+func (r *Repository) Save(dir string, storage tokencache.Storage, key tokencache.Key, tokenSet oidc.TokenSet) error {
+	checksum, err := computeChecksum(key)
 	if err != nil {
 		return fmt.Errorf("could not compute the key: %w", err)
 	}
-	p := filepath.Join(dir, filename)
-	f, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	switch storage {
+	case tokencache.StorageAuto:
+		if err := writeToKeyring(checksum, tokenSet); err != nil {
+			if errors.Is(keyring.ErrUnsupportedPlatform, err) {
+				return writeToFile(dir, checksum, tokenSet)
+			}
+			return err
+		}
+		return nil
+	case tokencache.StorageDisk:
+		return writeToFile(dir, checksum, tokenSet)
+	case tokencache.StorageKeyring:
+		return writeToKeyring(checksum, tokenSet)
+	default:
+		return fmt.Errorf("unknown storage mode: %v", storage)
+	}
+}
+
+func writeToFile(dir, checksum string, tokenSet oidc.TokenSet) error {
+	p := filepath.Join(dir, checksum)
+	b, err := encodeKey(tokenSet)
 	if err != nil {
+		return fmt.Errorf("file %s: %w", p, err)
+	}
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return fmt.Errorf("could not create directory %s: %w", dir, err)
+	}
+	if err := os.WriteFile(p, b, 0600); err != nil {
 		return fmt.Errorf("could not create file %s: %w", p, err)
 	}
-	defer f.Close()
+	return nil
+}
+
+func writeToKeyring(checksum string, tokenSet oidc.TokenSet) error {
+	p := keyringItemPrefix + checksum
+	b, err := encodeKey(tokenSet)
+	if err != nil {
+		return fmt.Errorf("keyring %s: %w", p, err)
+	}
+	if err := keyring.Set(keyringService, p, string(b)); err != nil {
+		return fmt.Errorf("keyring write %s: %w", p, err)
+	}
+	return nil
+}
+
+func encodeKey(tokenSet oidc.TokenSet) ([]byte, error) {
 	e := entity{
 		IDToken:      tokenSet.IDToken,
 		RefreshToken: tokenSet.RefreshToken,
 	}
-	if err := json.NewEncoder(f).Encode(&e); err != nil {
-		return fmt.Errorf("json encode error: %w", err)
-	}
-	return nil
+	return json.Marshal(&e)
 }
 
-func computeFilename(key tokencache.Key) (string, error) {
+func computeChecksum(key tokencache.Key) (string, error) {
 	s := sha256.New()
 	e := gob.NewEncoder(s)
 	if err := e.Encode(&key); err != nil {