Merge pull request #16 from docker/keychain

store/keychain: cross-platform test cli and more tests

Author: Benehiko

store/go.mod

@@ -9,16 +9,19 @@ require (
 	github.com/docker/secrets-engine v0.0.0-00010101000000-000000000000
 	github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a
 	github.com/keybase/go-keychain v0.0.1
+	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/sys v0.29.0
 	golang.org/x/text v0.21.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

store/go.sum

@@ -1,8 +1,11 @@
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
 github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a h1:K0EAzgzEQHW4Y5lxrmvPMltmlRDzlhLfGmots9EHUTI=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
@@ -15,6 +18,11 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=

store/keychain/README.md

@@ -30,3 +30,15 @@ func main() {
 The `keychain` assumes that any secret stored would conform to the `store.Secret`
 interface. This allows the `keychain` to store secrets of any type and leaves
 it up to the implementer to decide how they would like their secret parsed.
+
+## Example CLI
+
+The `keychain` package also contains an example CLI tool to test out how a real
+application might interact with the host keychain.
+
+You can build the CLI by running `go build` inside the `store/` root directory.
+
+```console
+$ go build -o keychain-cli ./keychain/cmd/
+$ ./keychain-cli
+```

store/keychain/cmd/main.go

@@ -0,0 +1,126 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"path"
+
+	"github.com/docker/secrets-engine/store"
+	"github.com/docker/secrets-engine/store/keychain"
+	"github.com/docker/secrets-engine/store/mocks"
+	"github.com/spf13/cobra"
+)
+
+// newCommand creates an example CLI that uses the keychain library
+// It supports windows, linux and macOS.
+func newCommand() (*cobra.Command, error) {
+	kc, err := keychain.New(
+		"io.docker.Secrets",
+		"docker-example-cli",
+		func() *mocks.MockCredential {
+			return &mocks.MockCredential{}
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+	list := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			secrets, err := kc.GetAll(cmd.Context())
+			if errors.Is(err, store.ErrCredentialNotFound) {
+				fmt.Println("No Secrets found")
+				return nil
+			}
+			if err != nil {
+				return err
+			}
+
+			var e error
+			for k, v := range secrets {
+				vv, err := v.Marshal()
+				if err != nil {
+					e = errors.Join(e, err)
+				}
+				fmt.Printf("\nID: %s\nValue: %s\n", k, vv)
+			}
+			return e
+		},
+	}
+
+	var (
+		username string
+		password string
+	)
+	save := &cobra.Command{
+		Use:     "store",
+		Aliases: []string{"set", "save"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			id, err := store.ParseID(path.Join("keystore-cli", username))
+			if err != nil {
+				return err
+			}
+			creds := &mocks.MockCredential{
+				Username: username,
+				Password: password,
+			}
+			return kc.Save(cmd.Context(), id, creds)
+		},
+	}
+	save.PersistentFlags().StringVar(&username, "username", "", "The secret key")
+	save.PersistentFlags().StringVar(&password, "password", "", "The secret value")
+	save.MarkFlagsRequiredTogether("username", "password")
+
+	get := &cobra.Command{
+		Use:  "get",
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			id, err := store.ParseID(path.Join("keystore-cli", args[0]))
+			if err != nil {
+				return err
+			}
+			secret, err := kc.Get(cmd.Context(), id)
+			if err != nil {
+				return err
+			}
+			val, err := secret.Marshal()
+			if err != nil {
+				return err
+			}
+			fmt.Printf("Secret:\nID:%s\nValue:%s\n", id.String(), val)
+			return nil
+		},
+	}
+
+	erase := &cobra.Command{
+		Use:     "delete",
+		Args:    cobra.ExactArgs(1),
+		Aliases: []string{"rm", "remove"},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			id, err := store.ParseID(path.Join("keystore-cli", args[0]))
+			if err != nil {
+				return err
+			}
+			return kc.Delete(cmd.Context(), id)
+		},
+	}
+	root := &cobra.Command{}
+	root.AddCommand(list, save, get, erase)
+
+	return root, nil
+}
+
+func main() {
+	ctx := context.Background()
+	cmd, err := newCommand()
+	if err != nil {
+		log.Fatalf("could not create CLI: %v", err)
+	}
+	cmd.SetContext(ctx)
+	if err := cmd.Execute(); err != nil {
+		log.Fatal(err)
+	}
+}

store/keychain/keychain_test.go

@@ -1,50 +1,96 @@
 package keychain
 
 import (
-	"maps"
+	"errors"
 	"testing"
 
 	"github.com/docker/secrets-engine/store"
 	"github.com/docker/secrets-engine/store/mocks"
 	"github.com/stretchr/testify/require"
 )
 
-func TestKeychain(t *testing.T) {
-	ks, err := New("com.test.test", "test",
-		func() *mocks.MockCredential {
+type mustMarshalError struct{}
+
+var _ store.Secret = &mustMarshalError{}
+
+func (m *mustMarshalError) Marshal() ([]byte, error) {
+	return nil, errors.New("i am failing on purpose")
+}
+
+func (m *mustMarshalError) Unmarshal(data []byte) error {
+	return nil
+}
+
+type mustUnmarshalError struct{}
+
+var _ store.Secret = &mustUnmarshalError{}
+
+func (m *mustUnmarshalError) Marshal() ([]byte, error) {
+	return []byte("eeyyy"), nil
+}
+
+func (m *mustUnmarshalError) Unmarshal(data []byte) error {
+	return errors.New("i am failing on purpose")
+}
+
+func setupKeychain(t *testing.T, secretFactory func() store.Secret) store.Store {
+	t.Helper()
+	if secretFactory == nil {
+		secretFactory = func() store.Secret {
 			return &mocks.MockCredential{}
-		},
-	)
+		}
+	}
+
+	ks, err := New("com.test.test", "test", secretFactory)
 	require.NoError(t, err)
+	return ks
+}
 
+func TestKeychain(t *testing.T) {
 	t.Run("save credentials", func(t *testing.T) {
+		ks := setupKeychain(t, nil)
 		id := store.ID("com.test.test/test/bob")
 		require.NoError(t, id.Valid())
 		creds := &mocks.MockCredential{
 			Username: "bob",
 			Password: "bob-password",
 		}
+		t.Cleanup(func() {
+			require.NoError(t, ks.Delete(t.Context(), id))
+		})
 		require.NoError(t, ks.Save(t.Context(), id, creds))
 	})
 
 	t.Run("get credential", func(t *testing.T) {
+		ks := setupKeychain(t, nil)
 		id := store.ID("com.test.test/test/bob")
+		creds := &mocks.MockCredential{
+			Username: "bob",
+			Password: "bob-password",
+		}
+		t.Cleanup(func() {
+			require.NoError(t, ks.Delete(t.Context(), id))
+		})
+		require.NoError(t, ks.Save(t.Context(), id, creds))
 		require.NoError(t, id.Valid())
 		secret, err := ks.Get(t.Context(), id)
 		require.NoError(t, err)
 
 		actual, ok := secret.(*mocks.MockCredential)
 		require.True(t, ok)
 
-		expected := &mocks.MockCredential{
-			Username: "bob",
-			Password: "bob-password",
-		}
+		expected := creds
 		require.EqualValues(t, expected, actual)
 	})
 
 	t.Run("list all credentials", func(t *testing.T) {
+		ks := setupKeychain(t, nil)
+
 		moreCreds := map[store.ID]*mocks.MockCredential{
+			"com.test.test/test/bob": {
+				Username: "bob",
+				Password: "bob-password",
+			},
 			"com.test.test/test/jeff": {
 				Username: "jeff",
 				Password: "jeff-password",
@@ -54,6 +100,11 @@ func TestKeychain(t *testing.T) {
 				Password: "pete-password",
 			},
 		}
+		t.Cleanup(func() {
+			for id := range moreCreds {
+				require.NoError(t, ks.Delete(t.Context(), id))
+			}
+		})
 
 		for id, anotherCred := range moreCreds {
 			require.NoError(t, ks.Save(t.Context(), id, anotherCred))
@@ -67,22 +118,85 @@ func TestKeychain(t *testing.T) {
 		}
 		require.Len(t, actual, 3)
 
-		expected := map[store.ID]*mocks.MockCredential{
-			"com.test.test/test/bob": {
-				Username: "bob",
-				Password: "bob-password",
-			},
-		}
-		maps.Copy(expected, moreCreds)
-		require.Len(t, expected, 3)
+		expected := moreCreds
 		require.Equal(t, expected, actual)
 	})
 
 	t.Run("delete credential", func(t *testing.T) {
+		ks := setupKeychain(t, nil)
 		id := store.ID("com.test.test/test/bob")
 		require.NoError(t, id.Valid())
+		creds := &mocks.MockCredential{
+			Username: "bob",
+			Password: "bob-password",
+		}
+		require.NoError(t, ks.Save(t.Context(), id, creds))
 		require.NoError(t, ks.Delete(t.Context(), id))
 		_, err := ks.Get(t.Context(), id)
 		require.ErrorIs(t, err, store.ErrCredentialNotFound)
 	})
+
+	t.Run("delete non-existent credential", func(t *testing.T) {
+		ks := setupKeychain(t, nil)
+		id := store.ID("com.test.test/test/does-not-exist")
+		require.NoError(t, id.Valid())
+		require.NoError(t, ks.Delete(t.Context(), id))
+	})
+
+	t.Run("invalid ID", func(t *testing.T) {
+		id := store.ID("completely*&@#$@invalid")
+		kc := setupKeychain(t, nil)
+
+		operations := []string{"save", "get", "delete"}
+
+		for _, op := range operations {
+			t.Run(op, func(t *testing.T) {
+				var err error
+				switch op {
+				case "save":
+					err = kc.Save(t.Context(), id, nil)
+				case "delete":
+					err = kc.Delete(t.Context(), id)
+				case "get":
+					_, err = kc.Get(t.Context(), id)
+				}
+				require.ErrorContains(t, err, "invalid identifier")
+			})
+		}
+	})
+
+	t.Run("marshal error on save", func(t *testing.T) {
+		kc := setupKeychain(t, nil)
+		id, err := store.ParseID("something/will/fail")
+		require.NoError(t, err)
+		require.ErrorContains(t, kc.Save(t.Context(), id, &mustMarshalError{}), "i am failing on purpose")
+	})
+
+	t.Run("unmarshal error on get", func(t *testing.T) {
+		kc := setupKeychain(t, func() store.Secret {
+			return &mustUnmarshalError{}
+		})
+		id, err := store.ParseID("something/will/fail")
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			require.NoError(t, kc.Delete(t.Context(), id))
+		})
+		require.NoError(t, kc.Save(t.Context(), id, &mustUnmarshalError{}))
+		_, err = kc.Get(t.Context(), id)
+		require.ErrorContains(t, err, "i am failing on purpose")
+	})
+
+	t.Run("unmarshal error on getAll", func(t *testing.T) {
+		kc := setupKeychain(t, func() store.Secret {
+			return &mustUnmarshalError{}
+		})
+		id, err := store.ParseID("something/will/fail")
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			require.NoError(t, kc.Delete(t.Context(), id))
+		})
+		require.NoError(t, kc.Save(t.Context(), id, &mustUnmarshalError{}))
+		_, err = kc.GetAll(t.Context())
+		require.ErrorContains(t, err, "i am failing on purpose")
+	})
 }