store/keychain: internalize store.ID mapping to attributes

Benehiko · Benehiko · commit eaf010a37bf5 · 2025-07-21T11:16:02.000+02:00
Signed-off-by: Alano Terblanche &lt;18033717+Benehiko@users.noreply.github.com&gt;
diff --git a/store/keychain/keychain.go b/store/keychain/keychain.go
@@ -71,3 +71,29 @@ func matchesFilter(filter, secretAttributes map[string]string) bool {
 	}
 	return true
 }
+
+// convertSecretID takes in a valid [store.ID] and converts it into a map
+// stored inside the secret attributes.
+// This allows partial ID matching.
+func convertSecretID(id store.ID) map[string]string {
+	attributes := make(map[string]string)
+	parts := strings.SplitSeq(id.String(), "/")
+	for p := range parts {
+		if p == "" {
+			continue
+		}
+		attributes["internal_secret_id_"+p] = p
+	}
+	return attributes
+}
+
+// cleanSecretAttributes strips any attributes mapped to the secret for
+// internal use
+func cleanSecretAttributes(attributes map[string]string) map[string]string {
+	for k := range attributes {
+		if strings.HasPrefix(k, "internal_secret_id_") {
+			delete(attributes, k)
+		}
+	}
+	return attributes
+}
diff --git a/store/keychain/keychain_darwin.go b/store/keychain/keychain_darwin.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strings"
+	"maps"
 
 	kc "github.com/Benehiko/go-keychain/v2"
 
@@ -108,7 +108,7 @@ func (k *keychainStore[T]) Get(_ context.Context, id store.ID) (store.Secret, er
 	}
 
 	secret := k.factory()
-	if err := secret.SetMetadata(attr); err != nil {
+	if err := secret.SetMetadata(cleanSecretAttributes(attr)); err != nil {
 		return nil, err
 	}
 	if err := secret.Unmarshal(result.Data); err != nil {
@@ -141,7 +141,7 @@ func (k *keychainStore[T]) GetAll(context.Context) (map[store.ID]store.Secret, e
 			return nil, err
 		}
 		secret := k.factory()
-		if err := secret.SetMetadata(attr); err != nil {
+		if err := secret.SetMetadata(cleanSecretAttributes(attr)); err != nil {
 			return nil, err
 		}
 		creds[id] = secret
@@ -165,18 +165,9 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	// https://developer.apple.com/documentation/security/ksecattrlabel
 	item.SetLabel(k.itemLabel(id))
 
-	metadata := make(map[string]any)
-	for k, v := range secret.Metadata() {
-		metadata[k] = v
-	}
-	parts := strings.SplitSeq(id.String(), "/")
-	for p := range parts {
-		if p == "" {
-			continue
-		}
-		metadata[p] = p
-	}
-
+	metadata := make(map[string]string)
+	maps.Copy(metadata, secret.Metadata())
+	maps.Copy(metadata, convertSecretID(id))
 	item.SetGenericMetadata(metadata)
 
 	return mapKeychainError(kc.AddItem(item))
@@ -202,9 +193,7 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, filter map[str
 	if filter == nil {
 		filter = make(map[string]string)
 	}
-	for p := range strings.SplitSeq(id.String(), "/") {
-		filter[p] = p
-	}
+	maps.Copy(filter, convertSecretID(id))
 
 	creds := make(map[store.ID]store.Secret)
 	for _, result := range results {
@@ -228,7 +217,7 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, filter map[str
 		}
 
 		secret := k.factory()
-		if err := secret.SetMetadata(attr); err != nil {
+		if err := secret.SetMetadata(cleanSecretAttributes(attr)); err != nil {
 			return nil, err
 		}
 		if err := secret.Unmarshal(i.Data); err != nil {
diff --git a/store/keychain/keychain_linux.go b/store/keychain/keychain_linux.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"maps"
 	"slices"
-	"strings"
 
 	kc "github.com/Benehiko/go-keychain/v2/secretservice"
 	dbus "github.com/godbus/dbus/v5"
@@ -203,7 +202,7 @@ func (k *keychainStore[T]) Get(_ context.Context, id store.ID) (store.Secret, er
 	}
 
 	secret := k.factory()
-	if err := secret.SetMetadata(attributes); err != nil {
+	if err := secret.SetMetadata(cleanSecretAttributes(attributes)); err != nil {
 		return nil, err
 	}
 	if err := secret.Unmarshal(value); err != nil {
@@ -268,7 +267,7 @@ func (k *keychainStore[T]) GetAll(context.Context) (map[store.ID]store.Secret, e
 		}
 
 		secret := k.factory()
-		if err := secret.SetMetadata(attributes); err != nil {
+		if err := secret.SetMetadata(cleanSecretAttributes(attributes)); err != nil {
 			return nil, err
 		}
 		credentials[secretID] = secret
@@ -319,16 +318,8 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 	}
 
 	attributes := newItemAttributes(id.String(), k)
-
-	parts := strings.SplitSeq(id.String(), "/")
-	for p := range parts {
-		if p == "" {
-			continue
-		}
-		attributes[p] = p
-	}
-
 	maps.Copy(attributes, secret.Metadata())
+	maps.Copy(attributes, convertSecretID(id))
 
 	label := k.itemLabel(id)
 	properties := kc.NewSecretProperties(label, attributes)
@@ -370,16 +361,8 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, attributes map
 	}
 
 	itemAttr := newItemAttributes("", k)
-
 	maps.Copy(itemAttr, attributes)
-
-	parts := strings.SplitSeq(id.String(), "/")
-	for p := range parts {
-		if p == "" {
-			continue
-		}
-		itemAttr[p] = p
-	}
+	maps.Copy(itemAttr, convertSecretID(id))
 
 	itemPaths, err := service.SearchCollection(objectPath, itemAttr)
 	if err != nil {
@@ -390,35 +373,36 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, attributes map
 		return nil, store.ErrCredentialNotFound
 	}
 
-	credentials := make(map[store.ID]store.Secret, len(itemPaths))
+	credentials := make(map[store.ID]store.Secret)
 	for _, itemPath := range itemPaths {
-		value, err := service.GetSecret(itemPath, *session)
-		if err != nil {
-			return nil, err
-		}
-
 		attributes, err := service.GetAttributes(itemPath)
 		if err != nil {
 			return nil, err
 		}
 
 		attrID, ok := attributes["id"]
 		if !ok {
-			return nil, errors.New("secret attributes does not contain `id` field")
+			continue
+		}
+
+		secretID, err := store.ParseID(attrID)
+		if err != nil {
+			continue
+		}
+
+		value, err := service.GetSecret(itemPath, *session)
+		if err != nil {
+			return nil, err
 		}
 
 		secret := k.factory()
-		if err := secret.SetMetadata(attributes); err != nil {
+		if err := secret.SetMetadata(cleanSecretAttributes(attributes)); err != nil {
 			return nil, err
 		}
 		if err := secret.Unmarshal(value); err != nil {
 			return nil, err
 		}
 
-		secretID, err := store.ParseID(attrID)
-		if err != nil {
-			return nil, err
-		}
 		credentials[secretID] = secret
 	}
 
diff --git a/store/keychain/keychain_test.go b/store/keychain/keychain_test.go
@@ -348,3 +348,25 @@ func TestMatchesFilter(t *testing.T) {
 		})
 	}
 }
+
+func TestConvertID(t *testing.T) {
+	id := store.ID("com.test.test/application/username")
+	attributes := convertSecretID(id)
+	assert.EqualValues(t, map[string]string{
+		"internal_secret_id_com.test.test": "com.test.test",
+		"internal_secret_id_application":   "application",
+		"internal_secret_id_username":      "username",
+	}, attributes)
+}
+
+func TestCleanAttributes(t *testing.T) {
+	attributes := map[string]string{
+		"internal_secret_id_com.test.test": "com.test.test",
+		"internal_secret_id_application":   "application",
+		"internal_secret_id_username":      "username",
+		"color":                            "green",
+	}
+	assert.EqualValues(t, map[string]string{
+		"color": "green",
+	}, cleanSecretAttributes(attributes))
+}
diff --git a/store/keychain/keychain_windows.go b/store/keychain/keychain_windows.go
@@ -51,6 +51,25 @@ func decodeSecret(blob []byte, secret store.Secret) error {
 	return secret.Unmarshal(val)
 }
 
+func mapToWindowsAttributes(attributes map[string]string) []wincred.CredentialAttribute {
+	winAttrs := make([]wincred.CredentialAttribute, 0, len(attributes))
+	for k, v := range attributes {
+		winAttrs = append(winAttrs, wincred.CredentialAttribute{
+			Keyword: k,
+			Value:   []byte(v),
+		})
+	}
+	return winAttrs
+}
+
+func mapFromWindowsAttributes(winAttrs []wincred.CredentialAttribute) map[string]string {
+	attributes := make(map[string]string, len(winAttrs))
+	for _, attr := range winAttrs {
+		attributes[attr.Keyword] = string(attr.Value)
+	}
+	return attributes
+}
+
 func (k *keychainStore[T]) Delete(_ context.Context, id store.ID) error {
 	if err := id.Valid(); err != nil {
 		return err
@@ -74,10 +93,7 @@ func (k *keychainStore[T]) Get(_ context.Context, id store.ID) (store.Secret, er
 		return nil, mapWindowsCredentialError(err)
 	}
 
-	attributes := make(map[string]string)
-	for _, attr := range gc.Attributes {
-		attributes[attr.Keyword] = string(attr.Value)
-	}
+	attributes := cleanSecretAttributes(mapFromWindowsAttributes(gc.Attributes))
 
 	secret := k.factory()
 	if err := secret.SetMetadata(attributes); err != nil {
@@ -148,12 +164,9 @@ func (k *keychainStore[T]) GetAll(context.Context) (map[store.ID]store.Secret, e
 			continue
 		}
 
-		secretAttr := make(map[string]string, len(cred.Attributes))
-		for _, attr := range cred.Attributes {
-			secretAttr[attr.Keyword] = string(attr.Value)
-		}
+		attributes := cleanSecretAttributes(mapFromWindowsAttributes(cred.Attributes))
 		secret := k.factory()
-		if err := secret.SetMetadata(secretAttr); err != nil {
+		if err := secret.SetMetadata(attributes); err != nil {
 			return nil, err
 		}
 		secrets[id] = secret
@@ -172,44 +185,19 @@ func (k *keychainStore[T]) Save(_ context.Context, id store.ID, secret store.Sec
 		return err
 	}
 
-	attributes := []wincred.CredentialAttribute{}
-	parts := strings.SplitSeq(id.String(), "/")
-	for p := range parts {
-		if p == "" {
-			continue
-		}
-		attributes = append(attributes, wincred.CredentialAttribute{
-			Keyword: p,
-			Value:   []byte(p),
-		})
-	}
-	for k, v := range secret.Metadata() {
-		attributes = append(attributes, wincred.CredentialAttribute{
-			Keyword: k,
-			Value:   []byte(v),
-		})
-	}
+	attributes := make(map[string]string)
+	maps.Copy(attributes, secret.Metadata())
+	maps.Copy(attributes, convertSecretID(id))
 
-	attributes = append(attributes,
-		wincred.CredentialAttribute{
-			Keyword: "id",
-			Value:   []byte(id.String()),
-		},
-		wincred.CredentialAttribute{
-			Keyword: "service:group",
-			Value:   []byte(k.serviceGroup),
-		},
-		wincred.CredentialAttribute{
-			Keyword: "service:name",
-			Value:   []byte(k.serviceName),
-		},
-	)
+	attributes["id"] = id.String()
+	attributes["service:group"] = k.serviceGroup
+	attributes["service:name"] = k.serviceName
 
 	g := wincred.NewGenericCredential(k.itemLabel(id))
 	g.UserName = id.String()
 	g.CredentialBlob = blob
 	g.Persist = wincred.PersistLocalMachine
-	g.Attributes = attributes
+	g.Attributes = mapToWindowsAttributes(attributes)
 	return mapWindowsCredentialError(g.Write())
 }
 
@@ -223,16 +211,9 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, attributes map
 
 	attrs := make(map[string]string)
 	maps.Copy(attrs, attributes)
+	maps.Copy(attrs, convertSecretID(id))
 
-	parts := strings.SplitSeq(id.String(), "/")
-	for p := range parts {
-		if p == "" {
-			continue
-		}
-		attrs[p] = p
-	}
-
-	secrets := make(map[store.ID]store.Secret, len(credentials))
+	secrets := make(map[store.ID]store.Secret)
 	for cred := range findServiceCredentials(k, attrs, credentials) {
 		id, err := store.ParseID(strings.ReplaceAll(cred.TargetName, onlyLabelPrefix, ""))
 		if err != nil {
@@ -250,13 +231,10 @@ func (k *keychainStore[T]) Filter(_ context.Context, id store.ID, attributes map
 			return nil, err
 		}
 
-		gcAttr := make(map[string]string)
-		for _, attr := range gc.Attributes {
-			gcAttr[attr.Keyword] = string(attr.Value)
-		}
+		gcAttributes := cleanSecretAttributes(mapFromWindowsAttributes(gc.Attributes))
 
 		secret := k.factory()
-		if err := secret.SetMetadata(gcAttr); err != nil {
+		if err := secret.SetMetadata(gcAttributes); err != nil {
 			return nil, err
 		}
 		if err := secret.Unmarshal(blob); err != nil {
