REC-110: don't use keyring when an unencrypted file token is present #60
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1b05012 to
5eef9d2
Compare
375dee2 to
7232d46
Compare
rogerhu
reviewed
Nov 27, 2024
internal/oauthtoken/fake.go
Outdated
| @@ -28,6 +28,7 @@ import ( | |||
| type FakeTokenStore struct { | |||
| Tokens map[string]*oauth2.Token | |||
| LoadErr, StoreErr, DeleteErr error | |||
| PanicValue any | |||
There was a problem hiding this comment.
What's this for?
Edit: I see it. Any reason it's an any type?
There was a problem hiding this comment.
Added comments.
For added context that shouldn't be in the fake: the real version can hang indefinitely, so I wanted to test that it's not called. I'd rather not simulate the hang-forever behavior in a test, so it seemed better to panic loudly.
panic accepts an any rather than an error, so that's the value I used. any is a builtin type alias for interface{}.
rogerhu
approved these changes
Nov 27, 2024
5eef9d2 to
91d3303
Compare
On Linux, the keyring library can prompt the user for a password if it's not automatically unlocked. This causes engflow_auth to hang when invoked as a credential helper because neither stdin nor stdout are connected to a terminal. With this change, the get command (and anything else that calls loadToken) now checks for a token created with -store=file first, then falls back to the keyring library if that's not present. This reverses the previous order. When storing a token into the keyring, storeToken now deletes the token created with -store=file, if present, preventing it from taking precedence. Together, these changes that mean when -store=file is used, the keyring library should only be used by the logout command, which attempts to delete both tokens.
7232d46 to
693c53e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
On Linux, the keyring library can prompt the user for a password if it's not automatically unlocked. This causes engflow_auth to hang when invoked as a credential helper because neither stdin nor stdout are connected to a terminal.
With this change, the get command (and anything else that calls loadToken) now checks for a token created with -store=file first, then falls back to the keyring library if that's not present. This reverses the previous order.
When storing a token into the keyring, storeToken now deletes the token created with -store=file, if present, preventing it from taking precedence.
Together, these changes that mean when -store=file is used, the keyring library should only be used by the logout command, which attempts to delete both tokens.