match Get() API in libsecret and keychain, and add tests #46
Conversation
|
Here is the thread I found on the status of KWallet: https://mail.kde.org/pipermail/plasma-devel/2016-July/055671.html The last link in that chain indicates maybe there's another thing, QtKeyChain, that replaces KWallet. 🤷 |
joemiller
changed the title
joemiller
force-pushed
the
libsecret-fix-get-api
branch
from
5f9e77d to
b9e0f8a
Compare
|
I'd be pretty open to removing the kwallet backend, frankly. I wonder if we can figure out how many folks are using it. |
joemiller
force-pushed
the
libsecret-fix-get-api
branch
3 times, most recently
from
15841a1 to
6089a4c
Compare
|
Added a for windows 10 Vagrant box to help with dev/test on the |
joemiller
force-pushed
the
libsecret-fix-get-api
branch
from
6089a4c to
7e20bfc
Compare
joemiller
changed the title
|
@lox I removed the ' |
keychain_test.go
Outdated
| } | ||
|
|
||
| _, err := k.Keys() | ||
| // TODO: we should consider making a generic package error like keyring.ErrNoKeyChain instead of letting |
There was a problem hiding this comment.
Perhaps with wrapping from https://godoc.org/github.com/pkg/errors? I guess type checking gets harder then. We could go for keychain.IsErrNoKeyChain()?
There was a problem hiding this comment.
Will do. I had a thought that perhaps something along the lines of BackendNotInitialized instead of 'NoKeyChain' since "not initialized" is more generic.
RE: pkg/errors. I don't follow. Can you provide an example? Using the existing pattern for no such key is easy to check for errors:
i, err := kr.Get(vaultAddr)
if err == keyring.ErrKeyNotFound {
...
}
There was a problem hiding this comment.
All good, ignore me for now, I think constant errors are fine here.
|
@lox While setting about implementing something like a new error I thought that perhaps the best thing to do for all of these cases is to return the existing current:
proposed:
(behaviors in bold would change) My rationale is that it is easier to reason about if all the read methods return a consistent error when the backend does not have any data yet. |
|
That makes sense to me too @joemiller |
|
@lox pushed a new ☝️ commit that implements the ErrKeyNotFound change |
joemiller
force-pushed
the
libsecret-fix-get-api
branch
2 times, most recently
from
5880c96 to
d46fdbc
Compare
This commit adds test cases covering the expected behavior of the libsecret backend based on the macos keychain implementation as the reference implementation. In particular this means the tests do not currently pass. The next commit will include API changes in libsecret.go to align the behavior to keychain backend, such as returning `ErrKeyNotFound` instead of a general libsecret error about a missing collection when `Get()`. NOTE: These tests are not runnable from a headless environment such as Docker or a CI pipeline due to the DBus "prompt" interface being called when creating and unlocking a keychain.
Adds coverage for Get/List/Remove when the keychain does not yet exist as well as when it does already exist, such as having called .Set() at least once. This is useful to help identify API behavior changes within the keychain backend as well as helping ensure consistent behavior across the other backends.
See `vagrant/README.md` for usage and details. Next: A Windows VM for wincred.go dev/test.
Add tests to assert the response from the Get/Remove/Keys API when the pass keyring has not been created yet.
…d secret collection
joemiller
force-pushed
the
libsecret-fix-get-api
branch
from
d46fdbc to
83f5f71
Compare
|
rebased from master and fixed a new unit test covering the pass backend that was breaking on travis |
joemiller
force-pushed
the
libsecret-fix-get-api
branch
from
83f5f71 to
7ba77b8
Compare
|
I realize this ended up being quite a large surface area to change when it started out as just the Get() implementation in libsecret.go. The changes make sense for the app I'm using but it's difficult for me to reason about how it make impact the other caller, aws-vault. I've never used aws-vault but I wonder if I could help test this PR against aws-vault. I may give that a shot. Any pointers on a test strategy would be appreciated. |
|
@joemiller I'm pretty close to merging this, as I 100% agree with your direction, but if you had the chance to test with aws-vault, it would rapidly increase that happening :) |
|
@lox I ran some tests to compare the output and exit codes of ## current keyring master branch:
$ aws-vault --backend=keychain --keychain="aws-vault-test" remove test1
Deleted credentials.
Deleted 0 sessions.
# (exit: 0)
## this PR #46
$ aws-vault --backend=pass --pass-prefix="aws-vault-test" remove test1
Deleted credentials.
aws-vault: error: The specified item could not be found in the keyring
# (exit: 1)The full output from my tests are in this gist: https://gist.github.com/joemiller/c26b1092a3d58ef09f5c65c692edbe6a There are 3 files. I included a diff because I can't think of a better way to do a side-by-side comparison of the differences. Hopefully the 2 test output files and the diff can help. I had a feeling that perhaps the best approach might be for the
I'm going to try this out and run the same series of tests and add to the gist |
|
Ok, I re-ran the suite of tests and I think that aligning all the backends to return The full diff is small enough to include here: @@ -37,7 +37,9 @@
# keychain
$ aws-vault --backend=keychain --keychain="aws-vault-test" list
-aws-vault: error: No such keychain (-25294)
+Profile Credentials Sessions
+======= =========== ========
+aws-vault: error: No credentials found
# (exit: 1)
$ aws-vault --backend=keychain --keychain="aws-vault-test" add test1
@@ -122,7 +124,9 @@
$ aws-vault --backend=secret-service list
-aws-vault: error: The collection "awsvault" does not exist. Please add a key first
+Profile Credentials Sessions
+======= =========== ========
+aws-vault: error: No credentials found
# (exit: 1)Another gist with 3 files here - https://gist.github.com/joemiller/b099b6043f19957fac4fdfacf400f656 |
|
Just went to rebuild my codebase with the latest keyring source, and it fails to build on windows due to lack of GetMetadata. Would rock to get this merged in. Additionally, it looks like the tagged release isn't getting picked up by |
|
fwiw, just released my own project that uses this lib - https://github.com/joemiller/vault-token-helper running off my fork of keyring for now but hoping to get back to upstream soon =) |
|
@akerl-unpriv In the meantime, if you need to use this fork with |
|
Hah, yup; I just did similarly with github.com/akerl/keyring 😄 |
|
Can I merge this @joemiller? |
|
Hey @joemiller I've made you a collaborator to this repo, fee free to merge |
|
@lox I feel pretty confident this is ready to merge. I tested this branch with |
|
🚢 and welcome as a collaborator! Thanks for such a thoughtful and well executed PR. |
This PR includes several commits that came out of my attempt to address #45
pass.gowhich was necessary to build or run tests on the package.wincred.gowhich was necessary to build or run tests on the package.libsecret_test.goto assert behavior of thesecret-servicebackend (NOTE: these tests can't be run in CI or a headless environment right now because they require an app providing the 'Prompt' service on DBus. I left some notes about this and future directions in the comments.)wincred_test.go,pass_test.go, andkeychain_test.goto assert behavior or get/remove/keys when the backing store is empty.vagrant/which contains GUI VM's for fedora and windows10 to provide a way to dev/test on the libsecret and wincred backends.libsecret.goAPI behavior around Get/Remove/Keys has changed. Get() now returnsErrKeyNotFoundjust like the keychain and wincred backends. I also added a new publicErrCollectionNotFoundthat is returned by Remove() and Keys() instead of the previous privatesecretsError.Current
masterbranch behavior of all backends when each of the API calls are made with an empty backing store (ie: before the first call toSet()occurs:After change to
libsecret.goin this PR. Changes are highlighted:I have not included any changes to
pass,kwallet, orfilein this PR.This doesn't address the API inconsistencies in the
kwallet.gobackend. I could probably take a crack at that in another PR but in my own application I'm considering not even supporting KWallet. I'm not a Linux desktop user and don't know the details behind it but it sounds like the project might be orphaned? And might have a replacement in KSecretsManager (or some such) that speaks the DBus Secrets API protocol like Gnome Keyring. If that's true then KDE users should be serviceable via thelibsecret.go/"secret-service" backend.