Merge pull request #67 from docker/keychain-windows

store/keychain: windows support

Author: Benehiko

.github/workflows/keychain.yml

@@ -40,27 +40,27 @@ jobs:
           install: true
       - name: Test
         run: DOCKER_TARGET=${{ matrix.subtest }} make keychain-linux-unit-tests
-  # tests-windows:
-  #   permissions:
-  #     id-token: write
-  #     contents: read
-  #   name: WindowsKeychainTests
-  #   runs-on: ${{ matrix.os }}
-  #   strategy:
-  #     fail-fast: false
-  #     matrix:
-  #       os:
-  #         - windows-2022
-  #         - windows-2025
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v4
-  #     - name: Setup Go
-  #       uses: actions/setup-go@v5
-  #       with:
-  #         go-version-file: ./store/go.mod
-  #     - name: Test keychain
-  #       run: make keychain-unit-tests
+  tests-windows:
+    permissions:
+      id-token: write
+      contents: read
+    name: WindowsKeychainTests
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - windows-2022
+          - windows-2025
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ./store/go.mod
+      - name: Test keychain
+        run: make keychain-unit-tests
   tests-macos:
     permissions:
       id-token: write

store/go.mod

@@ -5,20 +5,20 @@ go 1.24.3
 replace github.com/docker/secrets-engine => ../
 
 require (
+	github.com/danieljoos/wincred v1.2.2
 	github.com/docker/secrets-engine v0.0.0-00010101000000-000000000000
 	github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a
 	github.com/keybase/go-keychain v0.0.1
-	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
+	golang.org/x/sys v0.29.0
+	golang.org/x/text v0.21.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

store/go.sum

@@ -1,26 +1,32 @@
-github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
-github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a h1:K0EAzgzEQHW4Y5lxrmvPMltmlRDzlhLfGmots9EHUTI=
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

store/keychain/keychain_windows.go

@@ -0,0 +1,198 @@
+package keychain
+
+import (
+	"context"
+	"errors"
+	"iter"
+	"strings"
+
+	"github.com/danieljoos/wincred"
+	"github.com/docker/secrets-engine/store"
+	"golang.org/x/sys/windows"
+	"golang.org/x/text/encoding/unicode"
+	"golang.org/x/text/transform"
+)
+
+var (
+	ErrCredentialBadUsername      = errors.New("credential username is invalid")
+	ErrInvalidCredentialFlags     = errors.New("an invalid flag was specified for the flags parameter")
+	ErrInvalidCredentialParameter = errors.New("protected field does not match provided value for an existing credential")
+	ErrNoLogonSession             = errors.New("logon session does not exist or there is no credential set associated with this logon session")
+	sysErrInvalidCredentialFlags  = windows.Errno(windows.ERROR_INVALID_FLAGS)
+	sysErrNoSuchLogonSession      = windows.Errno(windows.ERROR_NO_SUCH_LOGON_SESSION)
+)
+
+// encodeSecret marshals the secret into a slice of bytes in UTF16 format
+func encodeSecret(secret store.Secret) ([]byte, error) {
+	data, err := secret.Marshal()
+	if err != nil {
+		return nil, err
+	}
+
+	encoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewEncoder()
+	blob, _, err := transform.Bytes(encoder, data)
+	if err != nil {
+		return nil, err
+	}
+	return blob, nil
+}
+
+// decodeSecret unmarshals the secret from UTF16 format to UTF8
+// secret will contain the unmarshaled value.
+func decodeSecret(blob []byte, secret store.Secret) error {
+	decoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewDecoder()
+	val, _, err := transform.Bytes(decoder, blob)
+	if err != nil {
+		return err
+	}
+
+	return secret.Unmarshal(val)
+}
+
+func (k *keychainStore[T]) Delete(ctx context.Context, id store.ID) error {
+	if err := id.Valid(); err != nil {
+		return err
+	}
+
+	g := wincred.NewGenericCredential(k.itemLabel(id))
+	err := g.Delete()
+	if err != nil && !errors.Is(err, wincred.ErrElementNotFound) {
+		return mapWindowsCredentialError(err)
+	}
+	return nil
+}
+
+func (k *keychainStore[T]) Get(ctx context.Context, id store.ID) (store.Secret, error) {
+	if err := id.Valid(); err != nil {
+		return nil, err
+	}
+
+	gc, err := wincred.GetGenericCredential(k.itemLabel(id))
+	if err != nil {
+		return nil, mapWindowsCredentialError(err)
+	}
+
+	secret := k.factory()
+	if err := decodeSecret(gc.CredentialBlob, secret); err != nil {
+		return nil, err
+	}
+	return secret, nil
+}
+
+// isServiceCredential checks if a credential attribute contains the
+// `service:group` and `service:name` attribute.
+//
+// The keychainStore serviceGroup and serviceName should match what is stored
+// in the attributes.
+func isServiceCredential[T store.Secret](k *keychainStore[T], attrs []wincred.CredentialAttribute) bool {
+	// must have both serviceGroup and serviceName
+	var (
+		serviceName  string
+		serviceGroup string
+	)
+	for _, attr := range attrs {
+		switch attr.Keyword {
+		case "service:group":
+			serviceGroup = string(attr.Value)
+		case "service:name":
+			serviceName = string(attr.Value)
+		}
+	}
+	return strings.EqualFold(serviceGroup, k.serviceGroup) && strings.EqualFold(serviceName, k.serviceName)
+}
+
+// findServiceCredentials is an iterator that yields credentials that match the
+// service group and service name.
+func findServiceCredentials[T store.Secret](k *keychainStore[T], credentials []*wincred.Credential) iter.Seq[*wincred.Credential] {
+	return func(yield func(cred *wincred.Credential) bool) {
+		for _, c := range credentials {
+			if isServiceCredential(k, c.Attributes) {
+				if !yield(c) {
+					return
+				}
+			}
+		}
+	}
+}
+
+func (k *keychainStore[T]) GetAll(ctx context.Context) (map[store.ID]store.Secret, error) {
+	credentials, err := wincred.List()
+	if err != nil {
+		return nil, mapWindowsCredentialError(err)
+	}
+
+	onlyLabelPrefix := k.itemLabel(store.ID(""))
+
+	secrets := make(map[store.ID]store.Secret, len(credentials))
+	for cred := range findServiceCredentials(k, credentials) {
+		secret := k.factory()
+		id, err := store.ParseID(strings.ReplaceAll(cred.TargetName, onlyLabelPrefix, ""))
+		if err != nil {
+			return nil, err
+		}
+
+		gc, err := wincred.GetGenericCredential(cred.TargetName)
+		if err != nil {
+			return nil, mapWindowsCredentialError(err)
+		}
+
+		decoder := unicode.UTF16(unicode.LittleEndian, unicode.IgnoreBOM).NewDecoder()
+		blob, _, err := transform.Bytes(decoder, gc.CredentialBlob)
+		if err != nil {
+			return nil, err
+		}
+		if err := secret.Unmarshal(blob); err != nil {
+			return nil, err
+		}
+		secrets[id] = secret
+	}
+
+	return secrets, nil
+}
+
+func (k *keychainStore[T]) Save(ctx context.Context, id store.ID, secret store.Secret) error {
+	if err := id.Valid(); err != nil {
+		return err
+	}
+
+	blob, err := encodeSecret(secret)
+	if err != nil {
+		return err
+	}
+
+	g := wincred.NewGenericCredential(k.itemLabel(id))
+	g.UserName = id.String()
+	g.CredentialBlob = blob
+	g.Persist = wincred.PersistLocalMachine
+	g.Attributes = []wincred.CredentialAttribute{
+		{
+			Keyword: "id",
+			Value:   []byte(id.String()),
+		},
+		{
+			Keyword: "service:group",
+			Value:   []byte(k.serviceGroup),
+		},
+		{
+			Keyword: "service:name",
+			Value:   []byte(k.serviceName),
+		},
+	}
+	return mapWindowsCredentialError(g.Write())
+}
+
+func mapWindowsCredentialError(err error) error {
+	switch err {
+	case wincred.ErrElementNotFound:
+		return store.ErrCredentialNotFound
+	case wincred.ErrBadUsername:
+		return ErrCredentialBadUsername
+	case wincred.ErrInvalidParameter:
+		return ErrInvalidCredentialParameter
+	case sysErrInvalidCredentialFlags:
+		return ErrInvalidCredentialFlags
+	case sysErrNoSuchLogonSession:
+		return ErrNoLogonSession
+	}
+	return err
+}