store/keychain(ci): linux default keychain collection

Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>

Author: Benehiko

.github/workflows/keychain.yml

@@ -9,31 +9,77 @@ on:
     paths:
       - 'store/**'
 jobs:
-  tests:
-    name: KeychainTests
+  linux-keychain:
+    permissions:
+      id-token: write
+      contents: read
+    name: LinuxKeychainTests
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        subtest:
+          - fedora-43-gnome-keyring
+          # - fedora-43-kdewallet
+          - ubuntu-24-gnome-keyring
+          # - ubuntu-24-kdewallet
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Hub login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERBUILDBOT_USERNAME }}
+          password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }}
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "docker/secrets-engine"
+          install: true
+      - name: Test
+        run: DOCKER_TARGET=${{ matrix.subtest }} make keychain-linux-unit-tests
+  # tests-windows:
+  #   permissions:
+  #     id-token: write
+  #     contents: read
+  #   name: WindowsKeychainTests
+  #   runs-on: ${{ matrix.os }}
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os:
+  #         - windows-2022
+  #         - windows-2025
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+  #     - name: Setup Go
+  #       uses: actions/setup-go@v5
+  #       with:
+  #         go-version-file: ./store/go.mod
+  #     - name: Test keychain
+  #       run: make keychain-unit-tests
+  tests-macos:
+    permissions:
+      id-token: write
+      contents: read
+    name: MacOSKeychainTests
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os:
-          - ubuntu-24.04
-          - ubuntu-22.04
           - macOS-15
           - macOS-14
           - macOS-13
-          - windows-2022
-          - windows-2025
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version-file: ./store/go.mod
-      - name: Install deps (ubuntu)
-        if: startsWith(matrix.os, 'ubuntu-')
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y dbus-x11 gnome-keyring
       - name: Test keychain
         run: make keychain-unit-tests

Makefile

@@ -28,7 +28,8 @@ DOCKER_BUILD_ARGS := --build-arg GO_VERSION \
           			--build-arg GOLANGCI_LINT_VERSION \
           			--build-arg NRI_PLUGIN_BINARY \
           			--build-arg BUF_VERSION \
-          			--build-arg GIT_TAG
+          			--build-arg GIT_TAG \
+					--build-arg MAIN_MODULE_PATH
 
 GO_TEST := go test
 ifneq ($(shell sh -c "which gotestsum 2> /dev/null"),)
@@ -54,8 +55,11 @@ clean: ## remove built binaries and packages
 unit-tests:
 	CGO_ENABLED=0 go test -v -tags="gen" $$(go list ./... | grep -v /store/)
 
+keychain-linux-unit-tests:
+	@docker buildx build $(DOCKER_BUILD_ARGS) --target=$(DOCKER_TARGET) --file store/Dockerfile .
+
 keychain-unit-tests:
-	$(MAKE) -C store/ unit-tests
+	CGO_ENABLED=1 go test -v $$(go list ./store/keychain/...)
 
 nri-plugin:
 	CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -trimpath -ldflags "-s -w ${GO_LDFLAGS}" -o ./dist/$(NRI_PLUGIN_BINARY)$(EXTENSION) ./cmd/nri-plugin
@@ -81,4 +85,4 @@ help: ## Show this help
 	@echo Please specify a build target. The choices are:
 	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(INFO_COLOR)%-30s$(NO_COLOR) %s\n", $$1, $$2}'
 
-.PHONY: run bin format lint unit-tests cross x-package clean help generate docker-mcp
+.PHONY: run bin format lint unit-tests cross x-package clean help generate docker-mcp keychain-linux-unit-tests keychain-unit-tests

store/Dockerfile

@@ -0,0 +1,61 @@
+ARG GO_VERSION=latest
+
+FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS go-base
+
+FROM --platform=${BUILDPLATFORM} fedora:43 AS fedora43
+RUN dnf install -y gnome-keyring kf6-kwallet dbus-daemon
+COPY --from=go-base /usr/local/go /usr/local/go
+ENV PATH="/usr/local/go/bin:${PATH}"
+RUN useradd -ms /bin/bash user
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=.
+
+FROM --platform=${BUILDPLATFORM} ubuntu:24.04 AS ubuntu24
+RUN apt update && apt install -y --no-install-recommends libglib2.0-bin dbus gnome-keyring kwalletmanager
+COPY --from=go-base /usr/local/go /usr/local/go
+ENV PATH="/usr/local/go/bin:${PATH}"
+RUN useradd -ms /bin/bash user
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=.
+
+FROM fedora43 AS fedora-43-gnome-keyring
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/gnome-keyring \
+    go test -v ./store/keychain/...
+
+FROM fedora43 AS fedora-43-kdewallet
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/kdewallet \
+    go test -v ./store/keychain/...
+
+FROM ubuntu24 AS ubuntu-24-gnome-keyring
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/gnome-keyring \
+    go test -v ./store/keychain/...
+
+FROM ubuntu24 AS ubuntu-24-kdewallet
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/kdewallet \
+    go test -v ./store/keychain/...

store/Makefile

@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eux pipefail
+
+if test -z $(command -v gnome-keyring-daemon); then
+    echo "gnome-keyring-daemon is not installed"
+    exit 1
+fi
+
+if test -z $(command -v busctl); then
+    echo "busctl is not installed"
+    exit 1
+fi
+
+if test -z $(command -v dbus-daemon); then
+    echo "dbus-daemon is not installed"
+    exit 1
+fi
+
+mkdir -p ~/.local/share/keyrings
+touch ~/.local/share/keyrings/login.keyring
+
+# Start D-Bus session (dbus must be installed)
+export DBUS_SESSION_BUS_ADDRESS=$(dbus-daemon --session --print-address --fork)
+
+# create fake passwordless 'login' keyring
+echo '[keyring]
+display-name=login
+ctime=1750965549
+mtime=0
+lock-on-idle=false
+lock-after=false' > ~/.local/share/keyrings/login.keyring
+
+gnome-keyring-daemon --start --components=secrets
+
+if [[ $(busctl --user status org.freedesktop.secrets | grep -E 'Exe') != *gnome-keyring-daemon* ]]; then
+    echo "dbus org.freedesktop.secrets is not using gnome-keyring-daemon"
+    exit 1
+fi

store/scripts/gnome-keyring

@@ -0,0 +1,89 @@
+#!/bin/sh
+
+set -eux pipefail
+
+kwalletd=$(command -v kwalletd5 || command -v kwalletd6)
+
+if test -z "$kwalletd"; then
+    echo "kwalletd5 or kwalletd6 is not installed"
+    exit 1
+fi
+
+if test -z $(command -v busctl); then
+    echo "busctl is not installed"
+    exit 1
+fi
+
+if test -z $(command -v dbus-daemon); then
+    echo "dbus-daemon is not installed"
+    exit 1
+fi
+
+mkdir -p ~/.local/share/dbus-1/services
+touch ~/.local/share/dbus-1/services/org.freedesktop.secrets.service
+
+echo "[D-BUS Service]
+Name=org.freedesktop.secrets
+Exec=${kwalletd}" > ~/.local/share/dbus-1/services/org.freedesktop.secrets.service
+
+
+mkdir -p ~/.local/share/kwalletd
+mkdir ~/.config
+
+echo -e "[Wallet]\nFirst Use=false\nDefault Wallet=kwallet" > ~/.config/kwalletrc
+echo -e "[Wallet]\nVersion=1" > ~/.local/share/kwalletd/kwallet.kwl
+
+export QT_QPA_PLATFORM=minimal
+
+# Start D-Bus session (dbus must be installed)
+export DBUS_SESSION_BUS_ADDRESS=$(dbus-daemon --session --print-address --fork)
+
+"$kwalletd" &
+
+# Wait up to 5 seconds for org.freedesktop.secrets to appear on D-Bus
+timeout=5000
+interval=100
+elapsed=0
+
+while ! gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetNameOwner \
+  org.freedesktop.secrets >/dev/null 2>&1; do 
+
+    sleep 0.1
+    elapsed=$((elapsed + interval))
+    if (( elapsed >= timeout )); then
+        echo "❌ Timeout waiting for kwalletd to register org.freedesktop.secrets"
+        exit 1
+    fi
+done
+
+owner=$(gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetNameOwner \
+  org.freedesktop.secrets | awk -F"'" '{print $2}')
+
+if test -v $owner; then
+    echo "there is no owner of the org.freedesktop.secrets API"
+    exit 1
+fi
+
+pid=$(gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetConnectionUnixProcessID \
+  "$owner" | awk '{print $2}' | tr -d ',)')
+
+if test -v $pid; then
+    echo "there is no registered org.freedesktop.secrets daemon"
+    exit 1
+fi
+
+exe=$(readlink -f /proc/$pid/exe)
+
+if [[ "$exe" != "/usr/bin/ksecretd" ]]; then
+    echo "dbus org.freedesktop.secrets is not using ${kwalletd}"
+    exit 1
+fi