Fix: add label to keyring entry (#34)

Author: carole-lavillonniere

internal/auth/auth.go

@@ -12,26 +12,26 @@ import (
 )
 
 type Auth struct {
-	keyring      Keyring
+	tokenStorage AuthTokenStorage
 	browserLogin LoginProvider
 	sink         output.Sink
 }
 
 func New(sink output.Sink, platformClient api.PlatformAPI) (*Auth, error) {
-	kr, err := newSystemKeyring()
+	storage, err := newAuthTokenStorage()
 	if err != nil {
 		return nil, err
 	}
 	return &Auth{
-		keyring:      kr,
+		tokenStorage: storage,
 		browserLogin: newBrowserLogin(sink, platformClient),
 		sink:         sink,
 	}, nil
 }
 
 // GetToken tries in order: 1) keyring 2) LOCALSTACK_AUTH_TOKEN env var 3) browser login
 func (a *Auth) GetToken(ctx context.Context) (string, error) {
-	if token, err := a.keyring.Get(keyringService, keyringUser); err == nil && token != "" {
+	if token, err := a.tokenStorage.GetAuthToken(); err == nil && token != "" {
 		return token, nil
 	}
 
@@ -46,7 +46,7 @@ func (a *Auth) GetToken(ctx context.Context) (string, error) {
 		return "", err
 	}
 
-	if err := a.keyring.Set(keyringService, keyringUser, token); err != nil {
+	if err := a.tokenStorage.SetAuthToken(token); err != nil {
 		output.EmitWarning(a.sink, fmt.Sprintf("could not store token in keyring: %v", err))
 	}
 
@@ -56,7 +56,7 @@ func (a *Auth) GetToken(ctx context.Context) (string, error) {
 
 // Logout removes the stored auth token from the keyring
 func (a *Auth) Logout() error {
-	err := a.keyring.Delete(keyringService, keyringUser)
+	err := a.tokenStorage.DeleteAuthToken()
 	if errors.Is(err, keyring.ErrKeyNotFound) {
 		return nil
 	}

internal/auth/auth_test.go

@@ -21,7 +21,7 @@ func TestMain(m *testing.M) {
 // we log a warning but still return the token obtained from login.
 func TestGetToken_ReturnsTokenWhenKeyringStoreFails(t *testing.T) {
 	ctrl := gomock.NewController(t)
-	mockKeyring := NewMockKeyring(ctrl)
+	mockStorage := NewMockAuthTokenStorage(ctrl)
 	mockLogin := NewMockLoginProvider(ctrl)
 
 	var events []any
@@ -30,17 +30,17 @@ func TestGetToken_ReturnsTokenWhenKeyringStoreFails(t *testing.T) {
 	})
 
 	auth := &Auth{
-		keyring:      mockKeyring,
+		tokenStorage: mockStorage,
 		browserLogin: mockLogin,
 		sink:         sink,
 	}
 
 	// Keyring returns empty (no stored token)
-	mockKeyring.EXPECT().Get(keyringService, keyringUser).Return("", errors.New("not found"))
+	mockStorage.EXPECT().GetAuthToken().Return("", errors.New("not found"))
 	// Login succeeds
 	mockLogin.EXPECT().Login(gomock.Any()).Return("test-token", nil)
 	// Setting token in keyring fails
-	mockKeyring.EXPECT().Set(keyringService, keyringUser, "test-token").Return(errors.New("keyring unavailable"))
+	mockStorage.EXPECT().SetAuthToken("test-token").Return(errors.New("keyring unavailable"))
 
 	token, err := auth.GetToken(context.Background())
 

internal/auth/mock_keyring_test.go

@@ -1,6 +1,6 @@
 package auth
 
-//go:generate mockgen -source=keyring.go -destination=mock_keyring_test.go -package=auth
+//go:generate mockgen -source=token_storage.go -destination=mock_token_storage_test.go -package=auth
 
 import (
 	"errors"
@@ -13,31 +13,34 @@ import (
 )
 
 const (
-	keyringService = "localstack"
-	keyringUser    = "auth-token"
+	keyringService        = "lstk"
+	keyringAuthTokenKey   = "lstk.auth-token"
+	keyringPassword       = "lstk-keyring"
+	keyringFilename       = "keyring"
+	keyringAuthTokenLabel = "lstk auth token"
 )
 
-type Keyring interface {
-	Get(service, user string) (string, error)
-	Set(service, user, password string) error
-	Delete(service, user string) error
+type AuthTokenStorage interface {
+	GetAuthToken() (string, error)
+	SetAuthToken(token string) error
+	DeleteAuthToken() error
 }
 
-type systemKeyring struct {
+type authTokenStorage struct {
 	ring keyring.Keyring
 }
 
-func newSystemKeyring() (*systemKeyring, error) {
+func newAuthTokenStorage() (*authTokenStorage, error) {
 	configDir, err := config.ConfigDir()
 	if err != nil {
 		return nil, err
 	}
 
 	keyringConfig := keyring.Config{
 		ServiceName: keyringService,
-		FileDir:     filepath.Join(configDir, "keyring"),
+		FileDir:     filepath.Join(configDir, keyringFilename),
 		FilePasswordFunc: func(prompt string) (string, error) {
-			return "localstack-keyring", nil
+			return keyringPassword, nil
 		},
 	}
 
@@ -55,11 +58,11 @@ func newSystemKeyring() (*systemKeyring, error) {
 		}
 	}
 
-	return &systemKeyring{ring: ring}, nil
+	return &authTokenStorage{ring: ring}, nil
 }
 
-func (k *systemKeyring) Get(service, user string) (string, error) {
-	item, err := k.ring.Get(k.makeKey(service, user))
+func (s *authTokenStorage) GetAuthToken() (string, error) {
+	item, err := s.ring.Get(keyringAuthTokenKey)
 	if err != nil {
 		if errors.Is(err, keyring.ErrKeyNotFound) {
 			return "", fmt.Errorf("credential not found")
@@ -69,21 +72,18 @@ func (k *systemKeyring) Get(service, user string) (string, error) {
 	return string(item.Data), nil
 }
 
-func (k *systemKeyring) Set(service, user, password string) error {
-	return k.ring.Set(keyring.Item{
-		Key:  k.makeKey(service, user),
-		Data: []byte(password),
+func (s *authTokenStorage) SetAuthToken(token string) error {
+	return s.ring.Set(keyring.Item{
+		Key:   keyringAuthTokenKey,
+		Data:  []byte(token),
+		Label: keyringAuthTokenLabel,
 	})
 }
 
-func (k *systemKeyring) Delete(service, user string) error {
-	err := k.ring.Remove(k.makeKey(service, user))
+func (s *authTokenStorage) DeleteAuthToken() error {
+	err := s.ring.Remove(keyringAuthTokenKey)
 	if errors.Is(err, keyring.ErrKeyNotFound) || os.IsNotExist(err) {
 		return nil
 	}
 	return err
 }
-
-func (k *systemKeyring) makeKey(service, user string) string {
-	return fmt.Sprintf("%s/%s", service, user)
-}

internal/auth/mock_token_storage_test.go

@@ -70,7 +70,7 @@ func TestBrowserFlowStoresToken(t *testing.T) {
 	assert.Contains(t, string(out), "Login successful")
 
 	// Verify token was stored in keyring
-	storedToken, err := keyringGet(keyringService, keyringUser)
+	storedToken, err := GetAuthTokenFromKeyring()
 	require.NoError(t, err, "token should be stored in keyring")
 	assert.Equal(t, "mock-token", storedToken)
 }

internal/auth/keyring.go internal/auth/token_storage.gointernal/auth/keyring.go renamed to internal/auth/token_storage.go

@@ -116,7 +116,7 @@ func TestDeviceFlowSuccess(t *testing.T) {
 		assert.Contains(t, output, "Login successful")
 
 		// Verify token was stored in keyring
-		storedToken, err := keyringGet(keyringService, keyringUser)
+		storedToken, err := GetAuthTokenFromKeyring()
 		require.NoError(t, err)
 		assert.Equal(t, licenseToken, storedToken)
 
@@ -171,7 +171,7 @@ func TestDeviceFlowFailure_RequestNotConfirmed(t *testing.T) {
 		assert.Contains(t, output, "auth request not confirmed")
 
 		// Verify no token was stored in keyring
-		_, err := keyringGet(keyringService, keyringUser)
+		_, err := GetAuthTokenFromKeyring()
 		assert.Error(t, err, "no token should be stored when login fails")
 
 	case <-time.After(10 * time.Second):