feat(auth): integrate system keyring for secure token storage with fallback options

Author: tiulpin

go.mod

@@ -25,10 +25,12 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/testcontainers/testcontainers-go v0.40.0
 	github.com/tiulpin/instill v0.0.0-20260213180125-bfc25c314930
+	github.com/zalando/go-keyring v0.2.6
 	golang.org/x/term v0.39.0
 )
 
 require (
+	al.essio.dev/pkg/shellescape v1.5.1 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
@@ -45,6 +47,7 @@ require (
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
+	github.com/danieljoos/wincred v1.2.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
@@ -57,6 +60,7 @@ require (
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect

go.sum

@@ -1,3 +1,5 @@
+al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho=
+al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
@@ -56,6 +58,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6N
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
+github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -91,9 +95,13 @@ github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
+github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -220,6 +228,8 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJu
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
+github.com/zalando/go-keyring v0.2.6 h1:r7Yc3+H+Ux0+M72zacZoItR3UDxeWfKTcabvkI8ua9s=
+github.com/zalando/go-keyring v0.2.6/go.mod h1:2TCrxYrbUNYfNS/Kgy/LSrkSQzZ5UPVH85RwfczwvcI=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=

internal/cmd/auth.go

@@ -32,6 +32,7 @@ func newAuthCmd() *cobra.Command {
 func newAuthLoginCmd() *cobra.Command {
 	var serverURL string
 	var token string
+	var insecureStorage bool
 
 	cmd := &cobra.Command{
 		Use:   "login",
@@ -43,24 +44,29 @@ This will:
 2. Open your browser to generate an access token
 3. Validate and store the token securely
 
+The token is stored in your system keyring (macOS Keychain, GNOME Keyring,
+Windows Credential Manager) when available. Use --insecure-storage to store
+the token in plain text in the config file instead.
+
 For CI/CD, use environment variables instead:
   export TEAMCITY_URL="https://teamcity.example.com"
   export TEAMCITY_TOKEN="your-access-token"
 
 When running inside a TeamCity build, authentication is automatic using
 build-level credentials from the build properties file.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runAuthLogin(serverURL, token)
+			return runAuthLogin(serverURL, token, insecureStorage)
 		},
 	}
 
 	cmd.Flags().StringVarP(&serverURL, "server", "s", "", "TeamCity server URL")
 	cmd.Flags().StringVarP(&token, "token", "t", "", "Access token")
+	cmd.Flags().BoolVar(&insecureStorage, "insecure-storage", false, "Store token in plain text config file instead of system keyring")
 
 	return cmd
 }
 
-func runAuthLogin(serverURL, token string) error {
+func runAuthLogin(serverURL, token string, insecureStorage bool) error {
 	isInteractive := !NoInput && output.IsStdinTerminal()
 
 	if serverURL == "" {
@@ -130,12 +136,17 @@ func runAuthLogin(serverURL, token string) error {
 
 	output.Info("%s", output.Green("✓"))
 
-	if err := config.SetServer(serverURL, token, user.Username); err != nil {
+	insecureFallback, err := config.SetServerWithKeyring(serverURL, token, user.Username, insecureStorage)
+	if err != nil {
 		return fmt.Errorf("failed to save configuration: %w", err)
 	}
 
 	output.Success("Logged in as %s", output.Cyan(user.Name))
-	output.Info("\nConfiguration saved to %s", config.ConfigPath())
+	if insecureFallback {
+		fmt.Printf("%s Token stored in plain text at %s\n", output.Yellow("!"), config.ConfigPath())
+	} else {
+		fmt.Printf("%s Token stored in system keyring\n", output.Green("✓"))
+	}
 
 	return nil
 }
@@ -180,10 +191,10 @@ func newAuthStatusCmd() *cobra.Command {
 
 func runAuthStatus() error {
 	serverURL := config.GetServerURL()
-	token := config.GetToken()
+	token, tokenSource := config.GetTokenWithSource()
 
 	if serverURL != "" && token != "" {
-		return showExplicitAuthStatus(serverURL, token)
+		return showExplicitAuthStatus(serverURL, token, tokenSource)
 	}
 
 	if buildAuth, ok := config.GetBuildAuth(); ok {
@@ -198,7 +209,20 @@ func runAuthStatus() error {
 	return nil
 }
 
-func showExplicitAuthStatus(serverURL, token string) error {
+func tokenSourceLabel(source string) string {
+	switch source {
+	case "env":
+		return "environment variable"
+	case "keyring":
+		return "system keyring"
+	case "config":
+		return config.ConfigPath()
+	default:
+		return "unknown"
+	}
+}
+
+func showExplicitAuthStatus(serverURL, token, tokenSource string) error {
 	client := api.NewClient(serverURL, token)
 	user, err := client.GetCurrentUser()
 	if err != nil {
@@ -208,7 +232,7 @@ func showExplicitAuthStatus(serverURL, token string) error {
 	}
 
 	fmt.Printf("%s Logged in to %s\n", output.Green("✓"), output.Cyan(serverURL))
-	fmt.Printf("  User: %s (%s)\n", user.Name, user.Username)
+	fmt.Printf("  User: %s (%s) · %s\n", user.Name, user.Username, tokenSourceLabel(tokenSource))
 
 	server, err := client.ServerVersion()
 	if err == nil {

internal/config/config.go

@@ -101,6 +101,10 @@ func normalizeURL(u string) string {
 	return u
 }
 
+func keyringService(serverURL string) string {
+	return "tc:" + serverURL
+}
+
 func GetServerURL() string {
 	if url := os.Getenv(EnvServerURL); url != "" {
 		return normalizeURL(url)
@@ -114,19 +118,31 @@ func GetServerURL() string {
 }
 
 func GetToken() string {
+	token, _ := GetTokenWithSource()
+	return token
+}
+
+func GetTokenWithSource() (token, source string) {
 	if token := os.Getenv(EnvToken); token != "" {
-		return token
+		return token, "env"
 	}
 
 	serverURL := GetServerURL()
 	if serverURL == "" {
-		return ""
+		return "", ""
 	}
 
-	if server, ok := cfg.Servers[serverURL]; ok {
-		return server.Token
+	server, ok := cfg.Servers[serverURL]
+	if ok && server.User != "" {
+		if t, err := keyringGet(keyringService(serverURL), server.User); err == nil && t != "" {
+			return t, "keyring"
+		}
 	}
-	return ""
+
+	if ok && server.Token != "" {
+		return server.Token, "config"
+	}
+	return "", ""
 }
 
 // GetCurrentUser returns the current user from config
@@ -143,23 +159,42 @@ func GetCurrentUser() string {
 }
 
 func SetServer(serverURL, token, user string) error {
+	_, err := SetServerWithKeyring(serverURL, token, user, false)
+	return err
+}
+
+func SetServerWithKeyring(serverURL, token, user string, insecureStorage bool) (insecureFallback bool, err error) {
 	cfg.DefaultServer = serverURL
-	cfg.Servers[serverURL] = ServerConfig{
-		Token: token,
-		User:  user,
+
+	if !insecureStorage {
+		if krErr := keyringSet(keyringService(serverURL), user, token); krErr == nil {
+			cfg.Servers[serverURL] = ServerConfig{User: user}
+			return false, writeConfig()
+		}
 	}
 
-	viper.Set("default_server", serverURL)
+	cfg.Servers[serverURL] = ServerConfig{Token: token, User: user}
+	return true, writeConfig()
+}
+
+func writeConfig() error {
+	viper.Set("default_server", cfg.DefaultServer)
 	viper.Set("servers", cfg.Servers)
 
 	if err := viper.WriteConfigAs(configPath); err != nil {
 		return fmt.Errorf("failed to write config: %w", err)
 	}
-
+	if err := os.Chmod(configPath, 0600); err != nil {
+		return fmt.Errorf("failed to set config permissions: %w", err)
+	}
 	return nil
 }
 
 func RemoveServer(serverURL string) error {
+	if server, ok := cfg.Servers[serverURL]; ok && server.User != "" {
+		_ = keyringDelete(keyringService(serverURL), server.User)
+	}
+
 	delete(cfg.Servers, serverURL)
 
 	if cfg.DefaultServer == serverURL {
@@ -170,14 +205,7 @@ func RemoveServer(serverURL string) error {
 		}
 	}
 
-	viper.Set("default_server", cfg.DefaultServer)
-	viper.Set("servers", cfg.Servers)
-
-	if err := viper.WriteConfigAs(configPath); err != nil {
-		return fmt.Errorf("failed to write config: %w", err)
-	}
-
-	return nil
+	return writeConfig()
 }
 
 func ConfigPath() string {

internal/config/config_test.go

@@ -15,10 +15,13 @@ import (
 // package-level state (cfg, configPath) and environment variables.
 
 // saveCfgState saves the current cfg state and restores it on cleanup.
+// Installs a mock keyring that errors by default so existing tests that
+// expect tokens in config continue to work.
 func saveCfgState(t *testing.T) {
 	t.Helper()
 	oldCfg := cfg
 	oldPath := configPath
+	keyringMockInitWithError(errors.New("keyring disabled in test"))
 	t.Cleanup(func() {
 		cfg = oldCfg
 		configPath = oldPath
@@ -642,3 +645,97 @@ func TestDetectServerFromDSLNoMatch(T *testing.T) {
 	got := DetectServerFromDSL()
 	assert.Empty(T, got)
 }
+
+func TestGetTokenPriority(T *testing.T) {
+	saveCfgState(T)
+	keyringMockInit()
+
+	serverURL := "https://tc.example.com"
+	require.NoError(T, keyringSet("tc:"+serverURL, "admin", "keyring-token"))
+
+	cfg = &Config{
+		DefaultServer: serverURL,
+		Servers: map[string]ServerConfig{
+			serverURL: {Token: "config-token", User: "admin"},
+		},
+	}
+
+	T.Run("env wins over keyring", func(t *testing.T) {
+		t.Setenv(EnvToken, "env-token")
+		t.Setenv(EnvServerURL, serverURL)
+
+		token, source := GetTokenWithSource()
+		assert.Equal(t, "env-token", token)
+		assert.Equal(t, "env", source)
+	})
+
+	T.Run("keyring wins over config", func(t *testing.T) {
+		t.Setenv(EnvToken, "")
+		t.Setenv(EnvServerURL, serverURL)
+
+		token, source := GetTokenWithSource()
+		assert.Equal(t, "keyring-token", token)
+		assert.Equal(t, "keyring", source)
+	})
+
+	T.Run("config used when keyring empty", func(t *testing.T) {
+		t.Setenv(EnvToken, "")
+		t.Setenv(EnvServerURL, serverURL)
+		require.NoError(t, keyringDelete("tc:"+serverURL, "admin"))
+
+		token, source := GetTokenWithSource()
+		assert.Equal(t, "config-token", token)
+		assert.Equal(t, "config", source)
+	})
+}
+
+func TestSetServerWithKeyring(T *testing.T) {
+	saveCfgState(T)
+	keyringMockInit()
+	tmpDir := T.TempDir()
+	configPath = tmpDir + "/config.yml"
+	cfg = &Config{Servers: make(map[string]ServerConfig)}
+
+	insecure, err := SetServerWithKeyring("https://tc.example.com", "my-token", "admin", false)
+	require.NoError(T, err)
+	assert.False(T, insecure)
+
+	// Token in keyring, not in config
+	assert.Empty(T, cfg.Servers["https://tc.example.com"].Token)
+	assert.Equal(T, "admin", cfg.Servers["https://tc.example.com"].User)
+	val, err := keyringGet("tc:https://tc.example.com", "admin")
+	require.NoError(T, err)
+	assert.Equal(T, "my-token", val)
+}
+
+func TestSetServerKeyringFallback(T *testing.T) {
+	saveCfgState(T)
+	tmpDir := T.TempDir()
+	configPath = tmpDir + "/config.yml"
+	cfg = &Config{Servers: make(map[string]ServerConfig)}
+
+	insecure, err := SetServerWithKeyring("https://tc.example.com", "my-token", "admin", false)
+	require.NoError(T, err)
+	assert.True(T, insecure)
+
+	assert.Equal(T, "my-token", cfg.Servers["https://tc.example.com"].Token)
+}
+
+func TestRemoveServerCleansKeyring(T *testing.T) {
+	saveCfgState(T)
+	keyringMockInit()
+	tmpDir := T.TempDir()
+	configPath = tmpDir + "/config.yml"
+	cfg = &Config{Servers: make(map[string]ServerConfig)}
+
+	_, err := SetServerWithKeyring("https://tc.example.com", "my-token", "admin", false)
+	require.NoError(T, err)
+
+	err = RemoveServer("https://tc.example.com")
+	require.NoError(T, err)
+
+	_, ok := cfg.Servers["https://tc.example.com"]
+	assert.False(T, ok)
+	_, err = keyringGet("tc:https://tc.example.com", "admin")
+	assert.ErrorIs(T, err, errKeyringNotFound)
+}