Fix after review.

Author: lexbritvin

file.go

@@ -1,7 +1,9 @@
 package keyring
 
 import (
+	"errors"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -15,17 +17,22 @@ type CredentialsFile interface {
 	io.ReadWriteCloser
 	// Open opens a file in FS with flag open options and perm for file permissions if the file is new.
 	// See os.OpenFile for more info about flag and perm arguments.
-	Open(flag int, perm os.FileMode) error
+	Open(flag int, perm fs.FileMode) error
 	// Unlock decrypts a file if supported.
 	Unlock(askNew bool) error
 	// Lock makes it to request Unlock again.
 	Lock()
 	// Remove deletes a file from FS.
 	Remove() error
+	// Stat returns a [FileInfo] describing the named file.
+	// If there is an error, it will be of type [*PathError].
+	// See os.Stat().
+	Stat() (fs.FileInfo, error)
 }
 
 type nullFile struct{}
 
+func (nullFile) Stat() (fs.FileInfo, error)            { return nil, fs.ErrNotExist }
 func (nullFile) Open(_ int, _ os.FileMode) (err error) { return nil }
 func (nullFile) Unlock(_ bool) error                   { return nil }
 func (nullFile) Lock()                                 {}
@@ -42,11 +49,11 @@ type plainFile struct {
 // NewPlainFile creates a CredentialsFile to open a plain file.
 func NewPlainFile(fname string) CredentialsFile {
 	return &plainFile{
-		fname: fname + ".age",
+		fname: fname,
 	}
 }
 
-func (f *plainFile) Open(flag int, perm os.FileMode) (err error) {
+func (f *plainFile) Open(flag int, perm fs.FileMode) (err error) {
 	isCreate := flag&os.O_CREATE == os.O_CREATE
 	if isCreate {
 		err = launchr.EnsurePath(filepath.Dir(f.fname))
@@ -63,6 +70,7 @@ func (f *plainFile) Open(flag int, perm os.FileMode) (err error) {
 	return nil
 }
 
+func (f *plainFile) Stat() (fs.FileInfo, error)        { return os.Stat(f.fname) }
 func (f *plainFile) Unlock(bool) (err error)           { return nil }
 func (f *plainFile) Lock()                             {}
 func (f *plainFile) Read(p []byte) (n int, err error)  { return f.file.Read(p) }
@@ -77,7 +85,7 @@ func (f *plainFile) Remove() (err error) {
 }
 
 type ageFile struct {
-	file       *plainFile
+	*plainFile
 	askPass    AskPass
 	passphrase string // @todo make sure it's compatible with ACL in the future
 
@@ -88,16 +96,12 @@ type ageFile struct {
 // NewAgeFile creates a CredentialsFile to open a file encrypted with age.
 func NewAgeFile(fname string, askPass AskPass) CredentialsFile {
 	return &ageFile{
-		file: &plainFile{
-			fname: fname + ".age",
-		},
-		askPass: askPass,
+		plainFile: NewPlainFile(fname).(*plainFile),
+		askPass:   askPass,
 	}
 }
 
-func (f *ageFile) Open(flag int, perm os.FileMode) (err error) { return f.file.Open(flag, perm) }
-func (f *ageFile) Remove() error                               { return f.file.Remove() }
-func (f *ageFile) Lock()                                       { f.passphrase = "" }
+func (f *ageFile) Lock() { f.passphrase = "" }
 
 func (f *ageFile) Unlock(askNew bool) (err error) {
 	if f.passphrase != "" {
@@ -129,6 +133,8 @@ func (f *ageFile) Read(p []byte) (n int, err error) {
 			// The file is malformed, not age encrypted and can't be read.
 			if strings.Contains(err.Error(), "parsing age header:") {
 				return 0, ErrKeyringMalformed
+			} else if strings.Contains(err.Error(), "no identity matched any of the recipients") {
+				return 0, ErrIncorrectPass
 			}
 			return 0, err
 		}
@@ -152,8 +158,11 @@ func (f *ageFile) Write(p []byte) (n int, err error) {
 }
 
 func (f *ageFile) Close() error {
+	var err error
 	if f.w != nil {
-		_ = f.w.Close()
+		err = f.w.Close()
 	}
-	return f.file.Close()
+	f.w = nil
+	f.r = nil
+	return errors.Join(err, f.file.Close())
 }

keyring.go

@@ -11,10 +11,11 @@ const defaultFileYaml = "keyring.yaml"
 
 // Keyring errors.
 var (
-	ErrNotFound         = errors.New("item not found")            // ErrNotFound if an item was not found
-	ErrEmptyFields      = errors.New("item can't be empty")       // ErrEmptyFields if fields are empty
-	ErrEmptyPass        = errors.New("passphrase can't be empty") // ErrEmptyPass if a passphrase is empty
-	ErrKeyringMalformed = errors.New("the keyring is malformed")  // ErrKeyringMalformed when keyring can't be read.
+	ErrNotFound         = errors.New("item not found")                    // ErrNotFound if an item was not found
+	ErrEmptyFields      = errors.New("item can't be empty")               // ErrEmptyFields if fields are empty
+	ErrEmptyPass        = errors.New("passphrase can't be empty")         // ErrEmptyPass if a passphrase is empty
+	ErrKeyringMalformed = errors.New("the keyring is malformed")          // ErrKeyringMalformed when keyring can't be read.
+	ErrIncorrectPass    = errors.New("the given passphrase is incorrect") // ErrIncorrectPass if a passphrase is incorrect
 )
 
 // SecretItem is an interface that represents an item saved in a storage.
@@ -102,19 +103,22 @@ type DataStore interface {
 	Destroy() error
 }
 
+// dataStore is a type alias to embed it as a private property.
+type dataStore = DataStore
+
 // Keyring is a [launchr.Service] providing password store functionality.
 type Keyring = *keyringService
 
 type keyringService struct {
-	store DataStore
-	mask  *launchr.SensitiveMask
+	dataStore
+	mask *launchr.SensitiveMask
 }
 
 // NewService creates a new Keyring service.
 func NewService(store DataStore, mask *launchr.SensitiveMask) Keyring {
 	return &keyringService{
-		store: store,
-		mask:  mask,
+		dataStore: store,
+		mask:      mask,
 	}
 }
 
@@ -142,7 +146,7 @@ func (k *keyringService) ServiceCreate(svc *launchr.ServiceManager) launchr.Serv
 	// TODO: do not encrypt if the passphrase is not provided.
 	store := NewFileStore(
 		NewAgeFile(
-			cfg.Path(defaultFileYaml),
+			cfg.Path(defaultFileYaml+".age"),
 			AskPassFirstAvailable{
 				AskPassConst(passphrase.get),
 				AskPassWithTerminal{},
@@ -153,42 +157,9 @@ func (k *keyringService) ServiceCreate(svc *launchr.ServiceManager) launchr.Serv
 	return NewService(store, mask)
 }
 
-// ResetStorage cleans store for subsequent reload.
-func (k *keyringService) ResetStorage() {
-	k.store = nil
-}
-
-func (k *keyringService) defaultStore() (DataStore, error) {
-	return k.store, nil
-}
-
-// GetUrls implements DataStore interface. Uses service default store.
-func (k *keyringService) GetUrls() ([]string, error) {
-	s, err := k.defaultStore()
-	if err != nil {
-		return []string{}, err
-	}
-
-	return s.GetUrls()
-}
-
-// GetKeys implements DataStore interface. Uses service default store.
-func (k *keyringService) GetKeys() ([]string, error) {
-	s, err := k.defaultStore()
-	if err != nil {
-		return []string{}, err
-	}
-
-	return s.GetKeys()
-}
-
 // GetForURL implements DataStore interface. Uses service default store.
 func (k *keyringService) GetForURL(url string) (CredentialsItem, error) {
-	s, err := k.defaultStore()
-	if err != nil {
-		return CredentialsItem{}, err
-	}
-	item, err := s.GetForURL(url)
+	item, err := k.dataStore.GetForURL(url)
 	if err == nil {
 		k.maskItem(item)
 	}
@@ -197,11 +168,7 @@ func (k *keyringService) GetForURL(url string) (CredentialsItem, error) {
 
 // GetForKey implements DataStore interface. Uses service default store.
 func (k *keyringService) GetForKey(key string) (KeyValueItem, error) {
-	s, err := k.defaultStore()
-	if err != nil {
-		return KeyValueItem{}, err
-	}
-	item, err := s.GetForKey(key)
+	item, err := k.dataStore.GetForKey(key)
 	if err == nil {
 		k.maskItem(item)
 	}
@@ -210,18 +177,15 @@ func (k *keyringService) GetForKey(key string) (KeyValueItem, error) {
 
 // AddItem implements DataStore interface. Uses service default store.
 func (k *keyringService) AddItem(item SecretItem) error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-
 	k.maskItem(item)
-	return s.AddItem(item)
+	return k.dataStore.AddItem(item)
 }
 
 // MaskItem masks the item values
 func (k *keyringService) maskItem(item SecretItem) {
 	if k.mask == nil {
+		// Mask may be nil in unit tests for simplicity.
+		// Mask is checked in e2e tests.
 		return
 	}
 	switch dataItem := item.(type) {
@@ -234,57 +198,3 @@ func (k *keyringService) maskItem(item SecretItem) {
 	default:
 	}
 }
-
-// RemoveByURL implements DataStore interface. Uses service default store.
-func (k *keyringService) RemoveByURL(url string) error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-	return s.RemoveByURL(url)
-}
-
-// RemoveByKey implements DataStore interface. Uses service default store.
-func (k *keyringService) RemoveByKey(key string) error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-	return s.RemoveByKey(key)
-}
-
-// CleanStorage implements DataStore interface. Uses service default store.
-func (k *keyringService) CleanStorage(item SecretItem) error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-	return s.CleanStorage(item)
-}
-
-// Exists implements DataStore, checks if keyring exists in persistent storage.
-func (k *keyringService) Exists() bool {
-	s, err := k.defaultStore()
-	if err != nil {
-		return false
-	}
-	return s.Exists()
-}
-
-// Save implements DataStore interface. Uses service default store.
-func (k *keyringService) Save() error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-	return s.Save()
-}
-
-// Destroy implements DataStore interface. Uses service default store.
-func (k *keyringService) Destroy() error {
-	s, err := k.defaultStore()
-	if err != nil {
-		return err
-	}
-	return s.Destroy()
-}

plugin.go

@@ -114,8 +114,6 @@ func processGetByKey(value any, opts GetKeyValueProcessorOptions, ctx action.Val
 			return value, err
 		}
 
-		// Ensure keyring storage will be accessible after save.
-		defer k.ResetStorage()
 		err = k.Save()
 		if err != nil {
 			return value, err
@@ -438,7 +436,7 @@ func (p *persistentPassphrase) init() error {
 
 	defer func() {
 		// If the passphrase is set with user input or env variable, hide it.
-		if p.file == "" && p.pass != "" {
+		if p.mask != nil && p.file == "" && p.pass != "" {
 			p.mask.AddString(p.pass)
 		}
 		p.initialized = true

plugin_test.go

@@ -1,6 +1,7 @@
 package keyring
 
 import (
+	"path/filepath"
 	"testing"
 
 	"github.com/launchrctl/launchr"
@@ -162,3 +163,64 @@ func Test_KeyringTemplate(t *testing.T) {
 		})
 	}
 }
+
+func Test_KeyringSave(t *testing.T) {
+	type testCase struct {
+		name      string
+		dataStore func(string) DataStore
+	}
+	tt := []testCase{
+		{"plain file", func(dir string) DataStore {
+			return NewFileStore(
+				NewPlainFile(filepath.Join(dir, defaultFileYaml)),
+			)
+		}},
+		{"age file", func(dir string) DataStore {
+			testPass := persistentPassphrase{pass: "pass"}
+			return NewFileStore(
+				NewAgeFile(
+					filepath.Join(dir, defaultFileYaml+".age"),
+					AskPassConst(testPass.get),
+				),
+			)
+		}},
+	}
+	for _, tt := range tt {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			// Init test keyring service.
+			dir := t.TempDir()
+			keyring := NewService(tt.dataStore(dir), nil)
+
+			// Add an item and save.
+			err := keyring.AddItem(KeyValueItem{Key: "foo", Value: "bar"})
+			require.NoError(t, err)
+			err = keyring.Save()
+			require.NoError(t, err)
+
+			// Try adding another item after save.
+			err = keyring.AddItem(KeyValueItem{Key: "bar", Value: "buz"})
+			require.NoError(t, err)
+			err = keyring.Save()
+			require.NoError(t, err)
+
+			// Check the content of the keyring.
+			assertKeyringVals := func() {
+				val1, err := keyring.GetForKey("foo")
+				assert.NoError(t, err)
+				assert.Equal(t, "bar", val1.Value.(string))
+
+				val2, err := keyring.GetForKey("bar")
+				assert.NoError(t, err)
+				assert.Equal(t, "buz", val2.Value.(string))
+			}
+			assertKeyringVals()
+
+			// Try to recreate a service and make sure that the content is definitely loaded from the disk.
+			keyring = NewService(tt.dataStore(dir), nil)
+			// Check the content of the keyring.
+			assertKeyringVals()
+		})
+	}
+}