|
| 1 | +package cliconfig |
| 2 | + |
| 3 | +// White-box tests for the headless/detached login token-persistence fix. |
| 4 | +// |
| 5 | +// Root cause being guarded: on a detached/headless box the OS keychain's |
| 6 | +// Available() probe is a false positive — Set() returns nil even though the |
| 7 | +// write lands in an ephemeral/locked session keyring the next process can't |
| 8 | +// read. Because Set didn't error, the old Save() never took the file-fallback |
| 9 | +// branch, so `instant login` printed "✓ Logged in" while persisting NOTHING |
| 10 | +// the next `instant whoami` could read. |
| 11 | +// |
| 12 | +// The fix verifies the keychain write with an immediate read-back and falls |
| 13 | +// back to the 0600 ~/.instant-config file when the value doesn't round-trip. |
| 14 | +// These tests inject the secretSet/secretGet seams to simulate that exact |
| 15 | +// silent-write failure WITHOUT touching the real OS keychain. |
| 16 | + |
| 17 | +import ( |
| 18 | + "errors" |
| 19 | + "os" |
| 20 | + "path/filepath" |
| 21 | + "testing" |
| 22 | + |
| 23 | + "github.com/stretchr/testify/assert" |
| 24 | + "github.com/stretchr/testify/require" |
| 25 | +) |
| 26 | + |
| 27 | +// withSecretSeams installs replacement secretSet/secretGet implementations for |
| 28 | +// the duration of one test and restores the originals on cleanup. |
| 29 | +func withSecretSeams(t *testing.T, set func(string) error, get func() (string, error)) { |
| 30 | + t.Helper() |
| 31 | + prevSet, prevGet := secretSet, secretGet |
| 32 | + secretSet, secretGet = set, get |
| 33 | + t.Cleanup(func() { secretSet, secretGet = prevSet, prevGet }) |
| 34 | +} |
| 35 | + |
| 36 | +// TestSave_SilentKeychainWriteFallsBackToFile is the core regression test for |
| 37 | +// the detached/headless login bug. The injected keychain ACCEPTS the write |
| 38 | +// (Set returns nil) but the read-back returns a DIFFERENT value (the |
| 39 | +// ephemeral/locked-session keyring the next process can't read). Save must |
| 40 | +// detect the non-durable write and persist the token to the 0600 file |
| 41 | +// fallback, and a fresh Load must return it — i.e. the next `instant whoami` |
| 42 | +// finds the token. |
| 43 | +func TestSave_SilentKeychainWriteFallsBackToFile(t *testing.T) { |
| 44 | + // Set "succeeds" but Get never returns what we wrote — the silent |
| 45 | + // detached-keychain failure mode. |
| 46 | + withSecretSeams(t, |
| 47 | + func(string) error { return nil }, // Set: false success |
| 48 | + func() (string, error) { return "", nil }, // Get: empty (write evaporated) |
| 49 | + ) |
| 50 | + |
| 51 | + dir := t.TempDir() |
| 52 | + t.Setenv("HOME", dir) |
| 53 | + path := filepath.Join(dir, ".instant-config") |
| 54 | + |
| 55 | + cfg := &Config{path: path, APIKey: "inst_live_headless_secret", Email: "agent@example.com"} |
| 56 | + require.NoError(t, cfg.Save()) |
| 57 | + |
| 58 | + // The token MUST have landed in the on-disk fallback field. |
| 59 | + data, err := os.ReadFile(path) |
| 60 | + require.NoError(t, err) |
| 61 | + body := string(data) |
| 62 | + assert.Contains(t, body, FallbackAPIKeyField, |
| 63 | + "silent keychain write must trigger the file fallback") |
| 64 | + assert.Contains(t, body, "inst_live_headless_secret", |
| 65 | + "token must be persisted to disk when the keychain write doesn't round-trip") |
| 66 | + |
| 67 | + info, err := os.Stat(path) |
| 68 | + require.NoError(t, err) |
| 69 | + assert.Equal(t, os.FileMode(0600), info.Mode().Perm(), |
| 70 | + "file fallback must stay mode 0600") |
| 71 | + |
| 72 | + // And the next invocation (whoami / authed call) must read it back. |
| 73 | + // Load consults secretstore first; our seam still returns empty there, so |
| 74 | + // the value can only come from the on-disk fallback — exactly the path |
| 75 | + // `instant whoami` exercises after a headless login. |
| 76 | + loaded, err := Load() |
| 77 | + require.NoError(t, err) |
| 78 | + assert.Equal(t, "inst_live_headless_secret", loaded.APIKey, |
| 79 | + "a file-persisted token must be found on the next load (no false 'Not logged in')") |
| 80 | + assert.True(t, loaded.IsAuthenticated()) |
| 81 | + assert.Equal(t, "file-fallback", loaded.SecretBackendName()) |
| 82 | +} |
| 83 | + |
| 84 | +// TestSave_KeychainSetErrorFallsBackToFile covers the OTHER headless mode: |
| 85 | +// Set itself errors (no DBus / locked collection / no active backend). The |
| 86 | +// file fallback must still capture the token. |
| 87 | +func TestSave_KeychainSetErrorFallsBackToFile(t *testing.T) { |
| 88 | + withSecretSeams(t, |
| 89 | + func(string) error { return errors.New("keychain set: dbus unavailable") }, |
| 90 | + func() (string, error) { return "", errors.New("unreachable") }, |
| 91 | + ) |
| 92 | + |
| 93 | + dir := t.TempDir() |
| 94 | + t.Setenv("HOME", dir) |
| 95 | + path := filepath.Join(dir, ".instant-config") |
| 96 | + |
| 97 | + cfg := &Config{path: path, APIKey: "inst_live_set_errored", Email: "ci@example.com"} |
| 98 | + require.NoError(t, cfg.Save()) |
| 99 | + |
| 100 | + loaded, err := Load() |
| 101 | + require.NoError(t, err) |
| 102 | + assert.Equal(t, "inst_live_set_errored", loaded.APIKey) |
| 103 | +} |
| 104 | + |
| 105 | +// TestSave_DurableKeychainWriteSkipsFileFallback is the happy-path guard: when |
| 106 | +// the keychain accepts the write AND it round-trips on read-back, the token |
| 107 | +// must NOT be written to disk (no plaintext leak — the T16 P1-1 property), and |
| 108 | +// persistSecret reports success. |
| 109 | +func TestSave_DurableKeychainWriteSkipsFileFallback(t *testing.T) { |
| 110 | + var stored string |
| 111 | + withSecretSeams(t, |
| 112 | + func(v string) error { stored = v; return nil }, |
| 113 | + func() (string, error) { return stored, nil }, // faithful round-trip |
| 114 | + ) |
| 115 | + |
| 116 | + dir := t.TempDir() |
| 117 | + t.Setenv("HOME", dir) |
| 118 | + path := filepath.Join(dir, ".instant-config") |
| 119 | + |
| 120 | + cfg := &Config{path: path, APIKey: "inst_live_durable", Email: "desktop@example.com"} |
| 121 | + require.NoError(t, cfg.Save()) |
| 122 | + |
| 123 | + data, err := os.ReadFile(path) |
| 124 | + require.NoError(t, err) |
| 125 | + body := string(data) |
| 126 | + assert.NotContains(t, body, FallbackAPIKeyField, |
| 127 | + "a durable keychain write must NOT write the file-fallback field") |
| 128 | + assert.NotContains(t, body, "inst_live_durable", |
| 129 | + "a durable keychain write must NOT leave the token in plaintext on disk") |
| 130 | + assert.Empty(t, cfg.FallbackAPIKey) |
| 131 | +} |
| 132 | + |
| 133 | +// TestPersistSecret_TableDrivenOutcomes exercises persistSecret's three |
| 134 | +// outcomes directly so each branch (Set error / readback mismatch / readback |
| 135 | +// error / durable success) is unambiguously covered. |
| 136 | +func TestPersistSecret_TableDrivenOutcomes(t *testing.T) { |
| 137 | + cases := []struct { |
| 138 | + name string |
| 139 | + set func(string) error |
| 140 | + get func() (string, error) |
| 141 | + want bool |
| 142 | + }{ |
| 143 | + { |
| 144 | + name: "set error -> not durable", |
| 145 | + set: func(string) error { return errors.New("boom") }, |
| 146 | + get: func() (string, error) { return "tok", nil }, |
| 147 | + want: false, |
| 148 | + }, |
| 149 | + { |
| 150 | + name: "readback mismatch -> not durable", |
| 151 | + set: func(string) error { return nil }, |
| 152 | + get: func() (string, error) { return "different", nil }, |
| 153 | + want: false, |
| 154 | + }, |
| 155 | + { |
| 156 | + name: "readback error -> not durable", |
| 157 | + set: func(string) error { return nil }, |
| 158 | + get: func() (string, error) { return "", errors.New("locked") }, |
| 159 | + want: false, |
| 160 | + }, |
| 161 | + { |
| 162 | + name: "faithful round-trip -> durable", |
| 163 | + set: func(string) error { return nil }, |
| 164 | + get: func() (string, error) { return "tok", nil }, |
| 165 | + want: true, |
| 166 | + }, |
| 167 | + } |
| 168 | + for _, tc := range cases { |
| 169 | + t.Run(tc.name, func(t *testing.T) { |
| 170 | + withSecretSeams(t, tc.set, tc.get) |
| 171 | + assert.Equal(t, tc.want, persistSecret("tok")) |
| 172 | + }) |
| 173 | + } |
| 174 | +} |
0 commit comments