docker
diff --git a/‎.github/workflows/keychain.yml‎
Lines changed: 85 additions & 0 deletions b/‎.github/workflows/keychain.yml‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 8 additions & 2 deletions b/‎Makefile‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎go.work‎
Lines changed: 1 addition & 0 deletions b/‎go.work‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎store/Dockerfile‎
Lines changed: 61 additions & 0 deletions b/‎store/Dockerfile‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎store/go.mod‎
Lines changed: 3 additions & 0 deletions b/‎store/go.mod‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎store/go.sum‎
Lines changed: 3 additions & 1 deletion b/‎store/go.sum‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎store/keychain/keychain_test.go‎
Lines changed: 88 additions & 0 deletions b/‎store/keychain/keychain_test.go‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎store/scripts/gnome-keyring‎
Lines changed: 77 additions & 0 deletions b/‎store/scripts/gnome-keyring‎
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,85 @@
+name: Keychain
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    paths:
+      - 'store/**'
+jobs:
+  linux-keychain:
+    permissions:
+      id-token: write
+      contents: read
+    name: LinuxKeychainTests
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        subtest:
+          - fedora-43-gnome-keyring
+          - fedora-43-kdewallet
+          - ubuntu-24-gnome-keyring
+          - ubuntu-24-kdewallet
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Hub login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERBUILDBOT_USERNAME }}
+          password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }}
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: cloud
+          endpoint: "docker/secrets-engine"
+          install: true
+      - name: Test
+        run: DOCKER_TARGET=${{ matrix.subtest }} make keychain-linux-unit-tests
+  # tests-windows:
+  #   permissions:
+  #     id-token: write
+  #     contents: read
+  #   name: WindowsKeychainTests
+  #   runs-on: ${{ matrix.os }}
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       os:
+  #         - windows-2022
+  #         - windows-2025
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+  #     - name: Setup Go
+  #       uses: actions/setup-go@v5
+  #       with:
+  #         go-version-file: ./store/go.mod
+  #     - name: Test keychain
+  #       run: make keychain-unit-tests
+  tests-macos:
+    permissions:
+      id-token: write
+      contents: read
+    name: MacOSKeychainTests
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macOS-15
+          - macOS-14
+          - macOS-13
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: ./store/go.mod
+      - name: Test keychain
+        run: make keychain-unit-tests
@@ -52,7 +52,13 @@ clean: ## remove built binaries and packages
 	@sh -c "rm -rf bin dist"
 
 unit-tests:
-	CGO_ENABLED=0 go test -v -tags="gen" ./...
+	CGO_ENABLED=0 go test -v -tags="gen" $$(go list ./... | grep -v /store/)
+
+keychain-linux-unit-tests:
+	@docker buildx build $(DOCKER_BUILD_ARGS) --target=$(DOCKER_TARGET) --file store/Dockerfile .
+
+keychain-unit-tests:
+	CGO_ENABLED=1 go test -v $$(go list ./store/keychain/...)
 
 nri-plugin:
 	CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -trimpath -ldflags "-s -w ${GO_LDFLAGS}" -o ./dist/$(NRI_PLUGIN_BINARY)$(EXTENSION) ./cmd/nri-plugin
@@ -78,4 +84,4 @@ help: ## Show this help
 	@echo Please specify a build target. The choices are:
 	@grep -E '^[0-9a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "$(INFO_COLOR)%-30s$(NO_COLOR) %s\n", $$1, $$2}'
 
-.PHONY: run bin format lint unit-tests cross x-package clean help generate docker-mcp
+.PHONY: run bin format lint unit-tests cross x-package clean help generate docker-mcp keychain-linux-unit-tests keychain-unit-tests
@@ -3,4 +3,5 @@ go 1.24.3
 use (
 	.
 	./plugin
+	./store
 )
@@ -0,0 +1,61 @@
+ARG GO_VERSION=latest
+
+FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS go-base
+
+FROM --platform=${BUILDPLATFORM} fedora:43 AS fedora43
+RUN dnf install -y gnome-keyring kf6-kwallet dbus-daemon
+COPY --from=go-base /usr/local/go /usr/local/go
+ENV PATH="/usr/local/go/bin:${PATH}"
+RUN useradd -ms /bin/bash user
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=.
+
+FROM --platform=${BUILDPLATFORM} ubuntu:24.04 AS ubuntu24
+RUN apt update && apt install -y --no-install-recommends libglib2.0-bin dbus gnome-keyring kwalletmanager
+COPY --from=go-base /usr/local/go /usr/local/go
+ENV PATH="/usr/local/go/bin:${PATH}"
+RUN useradd -ms /bin/bash user
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=.
+
+FROM fedora43 AS fedora-43-gnome-keyring
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/gnome-keyring \
+    go test -v ./store/keychain/...
+
+FROM fedora43 AS fedora-43-kdewallet
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/kdewallet \
+    go test -v ./store/keychain/...
+
+FROM ubuntu24 AS ubuntu-24-gnome-keyring
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/gnome-keyring \
+    go test -v ./store/keychain/...
+
+FROM ubuntu24 AS ubuntu-24-kdewallet
+ENV CGO_ENABLED=0
+USER user
+WORKDIR /app
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    /app/store/scripts/kdewallet \
+    go test -v ./store/keychain/...
@@ -15,8 +15,11 @@ require (
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kr/text v0.2.0 // indirect
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	golang.org/x/crypto v0.32.0 // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -7,6 +7,8 @@ github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a h1:K0EAzgzEQHW4Y5lxrm
 github.com/keybase/dbus v0.0.0-20220506165403-5aa21ea2c23a/go.mod h1:YPNKjjE7Ubp9dTbnWvsP3HT+hYnY6TfXzubYTBeUxc8=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -18,7 +20,7 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -0,0 +1,88 @@
+package keychain
+
+import (
+	"maps"
+	"testing"
+
+	"github.com/docker/secrets-engine/store"
+	"github.com/docker/secrets-engine/store/mocks"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKeychain(t *testing.T) {
+	ks, err := New("com.test.test", "test",
+		func() *mocks.MockCredential {
+			return &mocks.MockCredential{}
+		},
+	)
+	require.NoError(t, err)
+
+	t.Run("save credentials", func(t *testing.T) {
+		id := store.ID("com.test.test/test/bob")
+		require.NoError(t, id.Valid())
+		creds := &mocks.MockCredential{
+			Username: "bob",
+			Password: "bob-password",
+		}
+		require.NoError(t, ks.Save(t.Context(), id, creds))
+	})
+
+	t.Run("get credential", func(t *testing.T) {
+		id := store.ID("com.test.test/test/bob")
+		require.NoError(t, id.Valid())
+		secret, err := ks.Get(t.Context(), id)
+		require.NoError(t, err)
+
+		actual, ok := secret.(*mocks.MockCredential)
+		require.True(t, ok)
+
+		expected := &mocks.MockCredential{
+			Username: "bob",
+			Password: "bob-password",
+		}
+		require.EqualValues(t, expected, actual)
+	})
+
+	t.Run("list all credentials", func(t *testing.T) {
+		moreCreds := map[store.ID]*mocks.MockCredential{
+			"com.test.test/test/jeff": {
+				Username: "jeff",
+				Password: "jeff-password",
+			},
+			"com.test.test/test/pete": {
+				Username: "pete",
+				Password: "pete-password",
+			},
+		}
+
+		for id, anotherCred := range moreCreds {
+			require.NoError(t, ks.Save(t.Context(), id, anotherCred))
+		}
+		secrets, err := ks.GetAll(t.Context())
+		require.NoError(t, err)
+
+		actual := make(map[store.ID]*mocks.MockCredential)
+		for id, s := range secrets {
+			actual[id] = s.(*mocks.MockCredential)
+		}
+		require.Len(t, actual, 3)
+
+		expected := map[store.ID]*mocks.MockCredential{
+			"com.test.test/test/bob": {
+				Username: "bob",
+				Password: "bob-password",
+			},
+		}
+		maps.Copy(expected, moreCreds)
+		require.Len(t, expected, 3)
+		require.Equal(t, expected, actual)
+	})
+
+	t.Run("delete credential", func(t *testing.T) {
+		id := store.ID("com.test.test/test/bob")
+		require.NoError(t, id.Valid())
+		require.NoError(t, ks.Delete(t.Context(), id))
+		_, err := ks.Get(t.Context(), id)
+		require.ErrorIs(t, err, store.ErrCredentialNotFound)
+	})
+}
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+set -eux pipefail
+
+if test -z $(command -v gnome-keyring-daemon); then
+    echo "gnome-keyring-daemon is not installed"
+    exit 1
+fi
+
+if test -z $(command -v dbus-daemon); then
+    echo "dbus-daemon is not installed"
+    exit 1
+fi
+
+mkdir -p ~/.local/share/keyrings
+touch ~/.local/share/keyrings/login.keyring
+
+# create fake passwordless 'login' keyring
+echo '[keyring]
+display-name=login
+ctime=1750965549
+mtime=0
+lock-on-idle=false
+lock-after=false' > ~/.local/share/keyrings/login.keyring
+
+# Start D-Bus session (dbus must be installed)
+export DBUS_SESSION_BUS_ADDRESS=$(dbus-daemon --session --print-address --fork)
+
+gnome-keyring-daemon --start --components=secrets
+
+# Wait up to 5 seconds for org.freedesktop.secrets to appear on D-Bus
+timeout=5000
+interval=100
+elapsed=0
+
+while ! gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetNameOwner \
+  org.freedesktop.secrets >/dev/null 2>&1; do 
+
+    sleep 0.1
+    elapsed=$((elapsed + interval))
+    if (( elapsed >= timeout )); then
+        echo "❌ Timeout waiting for gnome-keyring-daemon to register org.freedesktop.secrets"
+        exit 1
+    fi
+done
+
+owner=$(gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetNameOwner \
+  org.freedesktop.secrets | awk -F"'" '{print $2}')
+
+if test -v $owner; then
+    echo "there is no owner of the org.freedesktop.secrets API"
+    exit 1
+fi
+
+pid=$(gdbus call --session \
+  --dest org.freedesktop.DBus \
+  --object-path /org/freedesktop/DBus \
+  --method org.freedesktop.DBus.GetConnectionUnixProcessID \
+  "$owner" | awk '{print $2}' | tr -d ',)')
+
+if test -v $pid; then
+    echo "there is no registered org.freedesktop.secrets daemon"
+    exit 1
+fi
+
+exe=$(readlink -f /proc/$pid/exe)
+
+if [[ "$exe" != *gnome-keyring-daemon* ]]; then
+    echo "dbus org.freedesktop.secrets is not using gnome-keyring-daemon"
+    exit 1
+fi
Original file line number	Diff line number	Diff line change
`@@ -3,4 +3,5 @@ go 1.24.3`
`3`	`3`	`use (`
`4`	`4`	`.`
`5`	`5`	`./plugin`
	`6`	`+ ./store`
`6`	`7`	`)`