store/keychain: refactor linux keychain

Benehiko · Benehiko · commit 7363f4b8de9c · 2025-06-25T11:44:24.000+02:00
Signed-off-by: Alano Terblanche &lt;18033717+Benehiko@users.noreply.github.com&gt;
diff --git a/store/keychain/keychain_linux.go b/store/keychain/keychain_linux.go
@@ -19,7 +19,11 @@ const (
 	loginKeychainObjectPath = dbus.ObjectPath("/org/freedesktop/secrets/collection/login")
 )
 
-func (k *keychainStore[T]) itemAttributes(id store.ID) map[string]string {
+// newItemAttributes configures the default attributes for each item in the keychain
+//
+// It sets the `service:group` and `service:name` attributes as well as the
+// secret id.
+func newItemAttributes[T store.Secret](id store.ID, k *keychainStore[T]) map[string]string {
 	attributes := map[string]string{
 		"service:group": k.serviceGroup,
 		"service:name":  k.serviceName,
@@ -38,7 +42,7 @@ func (k *keychainStore[T]) itemAttributes(id store.ID) map[string]string {
 // As a fallback it queries the secret service for the default collection.
 // It is possible that the host does not have a collection set up, in that case
 // the only option is to error.
-func (k *keychainStore[T]) getDefaultCollection(service *kc.SecretService) (dbus.ObjectPath, error) {
+func getDefaultCollection(service *kc.SecretService) (dbus.ObjectPath, error) {
 	variant, err := service.ServiceObj().GetProperty("org.freedesktop.Secret.Service.Collections")
 	if err != nil {
 		return "", err
@@ -73,7 +77,7 @@ var errCollectionLocked = errors.New("collection is locked")
 //
 // It returns the errCollectionLocked error by default if the collection is locked.
 // On any other error, it returns the underlying error instead.
-func (k *keychainStore[T]) isCollectionLocked(service *kc.SecretService) error {
+func isCollectionLocked(service *kc.SecretService) error {
 	variant, err := service.ServiceObj().GetProperty("org.freedesktop.Secret.Collection.Locked")
 	if err != nil {
 		return err
@@ -96,12 +100,12 @@ func (k *keychainStore[T]) Delete(ctx context.Context, id store.ID) error {
 	}
 	defer service.CloseSession(session)
 
-	objectPath, err := k.getDefaultCollection(service)
+	objectPath, err := getDefaultCollection(service)
 	if err != nil {
 		return err
 	}
 
-	err = k.isCollectionLocked(service)
+	err = isCollectionLocked(service)
 	if err != nil && !errors.Is(err, errCollectionLocked) {
 		return err
 	}
@@ -111,7 +115,7 @@ func (k *keychainStore[T]) Delete(ctx context.Context, id store.ID) error {
 		}
 	}
 
-	attributes := k.itemAttributes(id)
+	attributes := newItemAttributes(id, k)
 	items, err := service.SearchCollection(objectPath, attributes)
 	if err != nil {
 		return err
@@ -136,12 +140,12 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,
 	}
 	defer service.CloseSession(session)
 
-	objectPath, err := k.getDefaultCollection(service)
+	objectPath, err := getDefaultCollection(service)
 	if err != nil {
 		return nil, err
 	}
 
-	err = k.isCollectionLocked(service)
+	err = isCollectionLocked(service)
 	if err != nil && !errors.Is(err, errCollectionLocked) {
 		return nil, err
 	}
@@ -151,7 +155,7 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,
 		}
 	}
 
-	attributes := k.itemAttributes(id)
+	attributes := newItemAttributes(id, k)
 	items, err := service.SearchCollection(objectPath, attributes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to search collection: %w", err)
@@ -186,12 +190,12 @@ func (k *keychainStore[T]) GetAll(ctx context.Context) (map[store.ID]store.Secre
 	}
 	defer service.CloseSession(session)
 
-	objectPath, err := k.getDefaultCollection(service)
+	objectPath, err := getDefaultCollection(service)
 	if err != nil {
 		return nil, err
 	}
 
-	err = k.isCollectionLocked(service)
+	err = isCollectionLocked(service)
 	if err != nil && !errors.Is(err, errCollectionLocked) {
 		return nil, err
 	}
@@ -201,7 +205,7 @@ func (k *keychainStore[T]) GetAll(ctx context.Context) (map[store.ID]store.Secre
 		}
 	}
 
-	attributes := k.itemAttributes(store.ID(""))
+	attributes := newItemAttributes("", k)
 	itemPaths, err := service.SearchCollection(objectPath, attributes)
 	if err != nil {
 		return nil, fmt.Errorf("failed to search collection: %w", err)
@@ -254,12 +258,12 @@ func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.S
 	}
 	defer service.CloseSession(session)
 
-	objectPath, err := k.getDefaultCollection(service)
+	objectPath, err := getDefaultCollection(service)
 	if err != nil {
 		return err
 	}
 
-	err = k.isCollectionLocked(service)
+	err = isCollectionLocked(service)
 	if err != nil && !errors.Is(err, errCollectionLocked) {
 		return err
 	}
@@ -279,7 +283,7 @@ func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.S
 		return err
 	}
 
-	attributes := k.itemAttributes(id)
+	attributes := newItemAttributes(id, k)
 	label := k.itemLabel(id)
 	properties := kc.NewSecretProperties(label, attributes)
 

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,11 @@ const (`
`19`	`19`	`loginKeychainObjectPath = dbus.ObjectPath("/org/freedesktop/secrets/collection/login")`
`20`	`20`	`)`
`21`	`21`
`22`		`-func (k *keychainStore[T]) itemAttributes(id store.ID) map[string]string {`
	`22`	`+// newItemAttributes configures the default attributes for each item in the keychain`
	`23`	`+//`
	`24`	+// It sets the `service:group` and `service:name` attributes as well as the
	`25`	`+// secret id.`
	`26`	`+func newItemAttributes[T store.Secret](id store.ID, k *keychainStore[T]) map[string]string {`
`23`	`27`	`attributes := map[string]string{`
`24`	`28`	`"service:group": k.serviceGroup,`
`25`	`29`	`"service:name": k.serviceName,`
`@@ -38,7 +42,7 @@ func (k *keychainStore[T]) itemAttributes(id store.ID) map[string]string {`
`38`	`42`	`// As a fallback it queries the secret service for the default collection.`
`39`	`43`	`// It is possible that the host does not have a collection set up, in that case`
`40`	`44`	`// the only option is to error.`
`41`		`-func (k keychainStore[T]) getDefaultCollection(service kc.SecretService) (dbus.ObjectPath, error) {`
	`45`	`+func getDefaultCollection(service *kc.SecretService) (dbus.ObjectPath, error) {`
`42`	`46`	`variant, err := service.ServiceObj().GetProperty("org.freedesktop.Secret.Service.Collections")`
`43`	`47`	`if err != nil {`
`44`	`48`	`return "", err`
`@@ -73,7 +77,7 @@ var errCollectionLocked = errors.New("collection is locked")`
`73`	`77`	`//`
`74`	`78`	`// It returns the errCollectionLocked error by default if the collection is locked.`
`75`	`79`	`// On any other error, it returns the underlying error instead.`
`76`		`-func (k keychainStore[T]) isCollectionLocked(service kc.SecretService) error {`
	`80`	`+func isCollectionLocked(service *kc.SecretService) error {`
`77`	`81`	`variant, err := service.ServiceObj().GetProperty("org.freedesktop.Secret.Collection.Locked")`
`78`	`82`	`if err != nil {`
`79`	`83`	`return err`
`@@ -96,12 +100,12 @@ func (k *keychainStore[T]) Delete(ctx context.Context, id store.ID) error {`
`96`	`100`	`}`
`97`	`101`	`defer service.CloseSession(session)`
`98`	`102`
`99`		`- objectPath, err := k.getDefaultCollection(service)`
	`103`	`+ objectPath, err := getDefaultCollection(service)`
`100`	`104`	`if err != nil {`
`101`	`105`	`return err`
`102`	`106`	`}`
`103`	`107`
`104`		`- err = k.isCollectionLocked(service)`
	`108`	`+ err = isCollectionLocked(service)`
`105`	`109`	`if err != nil && !errors.Is(err, errCollectionLocked) {`
`106`	`110`	`return err`
`107`	`111`	`}`
`@@ -111,7 +115,7 @@ func (k *keychainStore[T]) Delete(ctx context.Context, id store.ID) error {`
`111`	`115`	`}`
`112`	`116`	`}`
`113`	`117`
`114`		`- attributes := k.itemAttributes(id)`
	`118`	`+ attributes := newItemAttributes(id, k)`
`115`	`119`	`items, err := service.SearchCollection(objectPath, attributes)`
`116`	`120`	`if err != nil {`
`117`	`121`	`return err`
`@@ -136,12 +140,12 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,`
`136`	`140`	`}`
`137`	`141`	`defer service.CloseSession(session)`
`138`	`142`
`139`		`- objectPath, err := k.getDefaultCollection(service)`
	`143`	`+ objectPath, err := getDefaultCollection(service)`
`140`	`144`	`if err != nil {`
`141`	`145`	`return nil, err`
`142`	`146`	`}`
`143`	`147`
`144`		`- err = k.isCollectionLocked(service)`
	`148`	`+ err = isCollectionLocked(service)`
`145`	`149`	`if err != nil && !errors.Is(err, errCollectionLocked) {`
`146`	`150`	`return nil, err`
`147`	`151`	`}`
`@@ -151,7 +155,7 @@ func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret,`
`151`	`155`	`}`
`152`	`156`	`}`
`153`	`157`
`154`		`- attributes := k.itemAttributes(id)`
	`158`	`+ attributes := newItemAttributes(id, k)`
`155`	`159`	`items, err := service.SearchCollection(objectPath, attributes)`
`156`	`160`	`if err != nil {`
`157`	`161`	`return nil, fmt.Errorf("failed to search collection: %w", err)`
`@@ -186,12 +190,12 @@ func (k *keychainStore[T]) GetAll(ctx context.Context) (map[store.ID]store.Secre`
`186`	`190`	`}`
`187`	`191`	`defer service.CloseSession(session)`
`188`	`192`
`189`		`- objectPath, err := k.getDefaultCollection(service)`
	`193`	`+ objectPath, err := getDefaultCollection(service)`
`190`	`194`	`if err != nil {`
`191`	`195`	`return nil, err`
`192`	`196`	`}`
`193`	`197`
`194`		`- err = k.isCollectionLocked(service)`
	`198`	`+ err = isCollectionLocked(service)`
`195`	`199`	`if err != nil && !errors.Is(err, errCollectionLocked) {`
`196`	`200`	`return nil, err`
`197`	`201`	`}`
`@@ -201,7 +205,7 @@ func (k *keychainStore[T]) GetAll(ctx context.Context) (map[store.ID]store.Secre`
`201`	`205`	`}`
`202`	`206`	`}`
`203`	`207`
`204`		`- attributes := k.itemAttributes(store.ID(""))`
	`208`	`+ attributes := newItemAttributes("", k)`
`205`	`209`	`itemPaths, err := service.SearchCollection(objectPath, attributes)`
`206`	`210`	`if err != nil {`
`207`	`211`	`return nil, fmt.Errorf("failed to search collection: %w", err)`
`@@ -254,12 +258,12 @@ func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.S`
`254`	`258`	`}`
`255`	`259`	`defer service.CloseSession(session)`
`256`	`260`
`257`		`- objectPath, err := k.getDefaultCollection(service)`
	`261`	`+ objectPath, err := getDefaultCollection(service)`
`258`	`262`	`if err != nil {`
`259`	`263`	`return err`
`260`	`264`	`}`
`261`	`265`
`262`		`- err = k.isCollectionLocked(service)`
	`266`	`+ err = isCollectionLocked(service)`
`263`	`267`	`if err != nil && !errors.Is(err, errCollectionLocked) {`
`264`	`268`	`return err`
`265`	`269`	`}`
`@@ -279,7 +283,7 @@ func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.S`
`279`	`283`	`return err`
`280`	`284`	`}`
`281`	`285`
`282`		`- attributes := k.itemAttributes(id)`
	`286`	`+ attributes := newItemAttributes(id, k)`
`283`	`287`	`label := k.itemLabel(id)`
`284`	`288`	`properties := kc.NewSecretProperties(label, attributes)`
`285`	`289`