store/keychain: store and retrieve secret metadata

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

go.work.sum

@@ -1,35 +1,55 @@
+cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY=
 cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
+cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe h1:QQ3GSy+MqSHxm/d8nCtnAiZdYFd45cYZPs8vOOIYKfk=
 github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
+github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k=
 github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/creack/pty v1.1.9 h1:uDmaGzcdjhF4i/plgjmEsriH11Y0o7RKapEf/LDaM3w=
+github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f h1:7T++XKzy4xg7PKy+bM+Sa9/oe1OC88yz2hXQUISoXfA=
 github.com/envoyproxy/go-control-plane v0.11.1-0.20230524094728-9239064ad72f/go.mod h1:sfYdkwUW4BA3PbKjySwjJy+O4Pu0h62rlqCMHNk+K+Q=
+github.com/envoyproxy/protoc-gen-validate v0.10.1 h1:c0g45+xCJhdgFGw7a5QAfdS4byAbud7miNWJ1WwEVf8=
 github.com/envoyproxy/protoc-gen-validate v0.10.1/go.mod h1:DRjgyB0I43LtJapqN6NiRwroiAU2PaFuvk/vjgh61ss=
+github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
 github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY=
+github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
+github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
+github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
+github.com/opencontainers/runtime-tools v0.9.0 h1:FYgwVsKRI/H9hU32MJ/4MLOzXWodKK5zsQavY8NPMkU=
 github.com/opencontainers/runtime-tools v0.9.0/go.mod h1:r3f7wjNzSs2extwzU3Y+6pKfobzPh+kKFJ3ofN+3nfs=
+github.com/planetscale/vtprotobuf v0.4.0 h1:NEI+g4woRaAZgeZ3sAvbtyvMBRjIv5kE7EWYQ8m4JwY=
 github.com/planetscale/vtprotobuf v0.4.0/go.mod h1:wm1N3qk9G/4+VM1WhpkLbvY/d8+0PbwYYpP5P5VhTks=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
+github.com/yuin/goldmark v1.2.1 h1:ruQGxdhGHe7FWOJPT0mKs5+pD2Xs1Bm/kdGlHO04FmM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
 golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130 h1:Au6te5hbKUV8pIYWHqOUZ1pva5qK/rwbIhoXEUB9Lu8=
 google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
+google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9 h1:m8v1xLLLzMe1m5P+gCTF8nJB9epwZQUBERm20Oy1poQ=
 google.golang.org/genproto/googleapis/api v0.0.0-20230525234035-dd9d682886f9/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

store/examples/secret.go

@@ -10,7 +10,7 @@ import (
 type secret struct {
 	AccessToken  string
 	RefreshToken string
-	Attributes   map[string]string
+	Attributes   map[string]any
 }
 
 var _ secrets.Secret = &secret{}
@@ -29,6 +29,6 @@ func (s *secret) Unmarshal(data []byte) error {
 	return nil
 }
 
-func (s *secret) Metadata() map[string]string {
+func (s *secret) Metadata() map[string]any {
 	return s.Attributes
 }

store/go.mod

@@ -4,6 +4,8 @@ go 1.24.3
 
 replace github.com/docker/secrets-engine => ../
 
+replace github.com/keybase/go-keychain => ../../go-keychain/
+
 require (
 	github.com/danieljoos/wincred v1.2.2
 	github.com/docker/secrets-engine v0.0.0-00010101000000-000000000000

store/go.sum

@@ -8,8 +8,6 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a h1:K0EAzgzEQHW4Y5lxrmvPMltmlRDzlhLfGmots9EHUTI=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
-github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
-github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=

store/keychain/cmd/main.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"log"
 	"path"
+	"strings"
 
 	"github.com/spf13/cobra"
 
@@ -20,8 +21,10 @@ func newCommand() (*cobra.Command, error) {
 	kc, err := keychain.New(
 		"io.docker.Secrets",
 		"docker-example-cli",
-		func() *mocks.MockCredential {
-			return &mocks.MockCredential{}
+		func(metadata map[string]any) *mocks.MockCredential {
+			return &mocks.MockCredential{
+				Attributes: metadata,
+			}
 		},
 	)
 	if err != nil {
@@ -42,7 +45,8 @@ func newCommand() (*cobra.Command, error) {
 
 			var e error
 			for _, v := range secrets {
-				fmt.Printf("\nID: %s\n", v)
+				fmt.Printf("\nID: %s\n", v.ID)
+				fmt.Printf("\nMetadata: %+v", v.Metadata)
 			}
 			return e
 		},
@@ -51,6 +55,7 @@ func newCommand() (*cobra.Command, error) {
 	var (
 		username string
 		password string
+		metadata []string
 	)
 	save := &cobra.Command{
 		Use:     "store",
@@ -60,15 +65,25 @@ func newCommand() (*cobra.Command, error) {
 			if err != nil {
 				return err
 			}
+
+			secretMetadata := make(map[string]any)
+			for _, vals := range metadata {
+				vv := strings.Split(vals, ":")
+				if len(vv) == 2 && vv[0] != "" && vv[1] != "" {
+					secretMetadata[vv[0]] = vv[1]
+				}
+			}
 			creds := &mocks.MockCredential{
-				Username: username,
-				Password: password,
+				Username:   username,
+				Password:   password,
+				Attributes: secretMetadata,
 			}
 			return kc.Save(cmd.Context(), id, creds)
 		},
 	}
 	save.PersistentFlags().StringVar(&username, "username", "", "The secret key")
 	save.PersistentFlags().StringVar(&password, "password", "", "The secret value")
+	save.PersistentFlags().StringSliceVar(&metadata, "metadata", nil, "The secret metadata")
 	save.MarkFlagsRequiredTogether("username", "password")
 
 	get := &cobra.Command{
@@ -87,7 +102,9 @@ func newCommand() (*cobra.Command, error) {
 			if err != nil {
 				return err
 			}
-			fmt.Printf("Secret:\nID:%s\nValue:%s\n", id.String(), val)
+			fmt.Printf("Secret ID: %s\n", id.String())
+			fmt.Printf("Secret Val: %s\n", val)
+			fmt.Printf("Secret Metadata: %v\n", secret.Metadata())
 			return nil
 		},
 	}

store/keychain/keychain.go

@@ -9,12 +9,12 @@ import (
 type keychainStore[T store.Secret] struct {
 	serviceGroup string
 	serviceName  string
-	factory      func() T
+	factory      Factory[T]
 }
 
 var _ store.Store = &keychainStore[store.Secret]{}
 
-type Factory[T store.Secret] func() T
+type Factory[T store.Secret] func(metadata map[string]any) T
 
 // New creates a new keychain store.
 //

store/keychain/keychain_darwin.go

@@ -3,6 +3,11 @@ package keychain
 import (
 	"context"
 	"errors"
+	"fmt"
+	"maps"
+	"os"
+	"reflect"
+	"slices"
 	"strings"
 
 	kc "github.com/keybase/go-keychain"
@@ -88,14 +93,14 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,
 		return nil, err
 	}
 
-	secret := k.factory()
+	secret := k.factory(result.Attributes)
 	if err := secret.Unmarshal(result.Data); err != nil {
 		return nil, err
 	}
 	return secret, nil
 }
 
-func (k *keychainStore[T]) GetAll(ctx context.Context) ([]store.ID, error) {
+func (k *keychainStore[T]) GetAll(ctx context.Context) ([]store.SecretMetadata, error) {
 	item := newKeychainItem("", k)
 
 	// We use the MatchLimitAll attribute to query for multiple items from the
@@ -108,13 +113,16 @@ func (k *keychainStore[T]) GetAll(ctx context.Context) ([]store.ID, error) {
 		return nil, mapKeychainError(err)
 	}
 
-	creds := make([]store.ID, len(results))
-	for _, result := range results {
+	creds := make([]store.SecretMetadata, len(results))
+	for i, result := range results {
 		id, err := store.ParseID(result.Account)
 		if err != nil {
 			continue
 		}
-		creds = append(creds, id)
+		creds[i] = store.SecretMetadata{
+			ID:       id,
+			Metadata: result.Attributes,
+		}
 	}
 	return creds, nil
 }
@@ -135,40 +143,56 @@ func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.S
 	// https://developer.apple.com/documentation/security/ksecattrlabel
 	item.SetLabel(k.itemLabel(id))
 
+	metadata := make(map[string]any)
+	maps.Copy(metadata, secret.Metadata())
 	parts := strings.SplitSeq(id.String(), "/")
 	for p := range parts {
 		if p == "" {
 			continue
 		}
-		item.SetString(p, p)
+		metadata[p] = p
 	}
 
-	for k, v := range secret.Metadata() {
-		item.SetString(k, v)
-	}
+	item.SetGenericMetadata(metadata)
 
 	return mapKeychainError(kc.AddItem(item))
 }
 
-func (k *keychainStore[T]) Filter(ctx context.Context, id store.ID, attributes map[string]string) (map[store.ID]store.Secret, error) {
+func hasAttribute(attributes map[string]any, result kc.QueryResult) bool {
+	if attributes == nil {
+		return true
+	}
+	fmt.Fprintf(os.Stdout, "Attributes: %v\n", result.Attributes)
+	allMatches := make([]bool, len(attributes))
+	var i int
+	for k, v := range result.Attributes {
+		if needle, ok := attributes[k]; ok && reflect.DeepEqual(needle, v) {
+			allMatches[i] = true
+			i++
+		}
+	}
+	return !slices.Contains(allMatches, false)
+}
+
+func (k *keychainStore[T]) Filter(ctx context.Context, id store.ID, attributes map[string]any) (map[store.ID]store.Secret, error) {
 	item := newKeychainItem("", k)
 
 	// We use the MatchLimitAll attribute to query for multiple items from the
 	// store. It cannot be used with item.SetReturnData.
 	// https://developer.apple.com/documentation/security/secitemcopymatching(_:_:)#Discussion
 	item.SetMatchLimit(kc.MatchLimitAll)
 
+	metadata := make(map[string]any)
+	maps.Copy(metadata, attributes)
 	parts := strings.SplitSeq(id.String(), "/")
 	for p := range parts {
 		if p == "" {
 			continue
 		}
-		item.SetString(p, p)
+		metadata[p] = p
 	}
 
-	for k, v := range attributes {
-		item.SetString(k, v)
-	}
+	item.SetGenericMetadata(metadata)
 
 	results, err := kc.QueryItem(item)
 	if err != nil {
@@ -182,12 +206,16 @@ func (k *keychainStore[T]) Filter(ctx context.Context, id store.ID, attributes m
 			continue
 		}
 
+		if !hasAttribute(attributes, result) {
+			continue
+		}
+
 		i, err := getItemWithData(id.String(), k)
 		if err != nil {
 			return nil, err
 		}
 
-		secret := k.factory()
+		secret := k.factory(i.Attributes)
 		if err := secret.Unmarshal(i.Data); err != nil {
 			return nil, err
 		}