flow_security/

credentials.rs

//! Credential storage abstraction.
//!
//! Two implementations:
//! - [`KeyringCredentialStore`] - production-grade, OS-native (macOS Keychain,
//!   Windows Credential Manager, libsecret on Linux). Uses the `keyring` crate.
//! - [`InMemoryCredentialStore`] - for unit tests; thread-safe via `parking_lot`.
//!
//! The [`CredentialStore`] trait is the seam. [`CredentialResolver`] composes a
//! store with environment-variable fallback so existing env-var users keep
//! working during the keyring migration.

use parking_lot::RwLock;
use std::collections::{BTreeSet, HashMap};
use std::path::PathBuf;
use std::sync::Arc;
use thiserror::Error;

/// Service name registered with the OS keyring. All Flow Studio credentials
/// live under this service so `security find-generic-password` (macOS) or
/// equivalents on other platforms can list them in one place.
pub const SERVICE_NAME: &str = "flow-studio";

#[derive(Debug, Error)]
pub enum CredentialError {
    #[error("credential not found for service '{service}' / account '{account}'")]
    NotFound { service: String, account: String },
    #[error("keyring error: {0}")]
    Keyring(String),
    #[error("invalid credential identifier: {0}")]
    Invalid(String),
}

/// Discriminator for the kinds of credentials Flow Studio stores. Used as the
/// account-name prefix so different secret kinds don't collide on the same
/// service entry.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CredentialKind {
    /// Cloud-AI provider API key.
    CloudAiKey,
    /// Zowe profile credentials (future M3.3b).
    ZoweProfile,
    /// Service-node connection secret (API key, token, basic `user:pass`, or an
    /// OAuth2 token bundle serialized as JSON). Keyed by the service catalog slug.
    Service,
}

impl CredentialKind {
    pub fn account_for(self, key: &str) -> String {
        match self {
            CredentialKind::CloudAiKey => format!("cloud-ai:{key}"),
            CredentialKind::ZoweProfile => format!("zowe:{key}"),
            CredentialKind::Service => format!("service:{key}"),
        }
    }
}

/// The seam between Flow code and the OS keyring (or a test double).
pub trait CredentialStore: Send + Sync {
    fn set(&self, account: &str, secret: &str) -> Result<(), CredentialError>;
    fn get(&self, account: &str) -> Result<String, CredentialError>;
    fn delete(&self, account: &str) -> Result<(), CredentialError>;
    /// Returns true if a credential exists for this account, without revealing
    /// the value. Useful for UI status displays.
    fn exists(&self, account: &str) -> bool {
        self.get(account).is_ok()
    }
}

/// Sidecar index of which credential accounts have been written to the OS
/// keyring. Stores account *names only*, never secrets - used to answer
/// "does this credential exist?" without triggering a keychain prompt on
/// macOS (each `get_password` call on an unsigned dev build re-prompts the
/// user even after "Always Allow"). The index file lives next to the app's
/// other on-disk state in `~/flow-studio/`.
///
/// Losing the file is non-catastrophic: it just means the UI shows
/// "credential missing" until the user re-saves the value. The keychain
/// item itself is still there.
struct CredentialIndex {
    path: Option<PathBuf>,
    cache: RwLock<BTreeSet<String>>,
}

impl CredentialIndex {
    fn open(path: Option<PathBuf>) -> Self {
        let cache = match path.as_ref() {
            Some(p) if p.exists() => std::fs::read_to_string(p)
                .ok()
                .and_then(|s| serde_json::from_str::<BTreeSet<String>>(&s).ok())
                .unwrap_or_default(),
            _ => BTreeSet::new(),
        };
        Self {
            path,
            cache: RwLock::new(cache),
        }
    }

    fn contains(&self, account: &str) -> bool {
        self.cache.read().contains(account)
    }

    fn insert(&self, account: &str) {
        let mut guard = self.cache.write();
        if guard.insert(account.to_string()) {
            self.persist(&guard);
        }
    }

    fn remove(&self, account: &str) {
        let mut guard = self.cache.write();
        if guard.remove(account) {
            self.persist(&guard);
        }
    }

    fn persist(&self, contents: &BTreeSet<String>) {
        let Some(path) = self.path.as_ref() else {
            return;
        };
        if let Some(parent) = path.parent() {
            let _ = std::fs::create_dir_all(parent);
        }
        if let Ok(body) = serde_json::to_string_pretty(contents) {
            let _ = std::fs::write(path, body);
        }
    }
}

/// Production credential store backed by the OS keyring, with an
/// auxiliary sidecar index that answers `exists()` queries without
/// touching the keychain.
pub struct KeyringCredentialStore {
    service: String,
    index: CredentialIndex,
}

impl KeyringCredentialStore {
    pub fn new() -> Self {
        Self {
            service: SERVICE_NAME.to_string(),
            index: CredentialIndex::open(None),
        }
    }

    /// Construct with the sidecar index persisted at `index_path`. Pass
    /// `~/flow-studio/credential_index.json` in production.
    pub fn with_index(index_path: PathBuf) -> Self {
        Self {
            service: SERVICE_NAME.to_string(),
            index: CredentialIndex::open(Some(index_path)),
        }
    }

    pub fn with_service(service: impl Into<String>) -> Self {
        Self {
            service: service.into(),
            index: CredentialIndex::open(None),
        }
    }

    fn entry(&self, account: &str) -> Result<keyring::Entry, CredentialError> {
        keyring::Entry::new(&self.service, account)
            .map_err(|e| CredentialError::Keyring(e.to_string()))
    }
}

impl Default for KeyringCredentialStore {
    fn default() -> Self {
        Self::new()
    }
}

impl CredentialStore for KeyringCredentialStore {
    fn set(&self, account: &str, secret: &str) -> Result<(), CredentialError> {
        if account.is_empty() {
            return Err(CredentialError::Invalid("account is empty".into()));
        }
        self.entry(account)?
            .set_password(secret)
            .map_err(|e| CredentialError::Keyring(e.to_string()))?;
        self.index.insert(account);
        Ok(())
    }

    fn get(&self, account: &str) -> Result<String, CredentialError> {
        self.entry(account)?.get_password().map_err(|e| match e {
            keyring::Error::NoEntry => {
                // The sidecar may be stale - drop the entry so subsequent
                // `exists()` calls answer correctly.
                self.index.remove(account);
                CredentialError::NotFound {
                    service: self.service.clone(),
                    account: account.to_string(),
                }
            }
            other => CredentialError::Keyring(other.to_string()),
        })
    }

    fn delete(&self, account: &str) -> Result<(), CredentialError> {
        let result = self.entry(account)?.delete_credential().map_err(|e| match e {
            keyring::Error::NoEntry => CredentialError::NotFound {
                service: self.service.clone(),
                account: account.to_string(),
            },
            other => CredentialError::Keyring(other.to_string()),
        });
        // Remove from the sidecar regardless of whether the keychain knew
        // about it - if it's gone, the index should reflect that too.
        self.index.remove(account);
        result
    }

    /// Answers from the sidecar index without touching the keychain. The
    /// trait's default would call `get()` which on macOS triggers a
    /// keychain prompt per call - and the prompt fires every startup on
    /// unsigned dev builds because "Always Allow" is tied to the binary's
    /// code signature, which changes on every rebuild.
    fn exists(&self, account: &str) -> bool {
        self.index.contains(account)
    }
}

/// Thread-safe in-memory store for tests.
#[derive(Default)]
pub struct InMemoryCredentialStore {
    inner: RwLock<HashMap<String, String>>,
}

impl InMemoryCredentialStore {
    pub fn new() -> Self {
        Self::default()
    }
}

impl CredentialStore for InMemoryCredentialStore {
    fn set(&self, account: &str, secret: &str) -> Result<(), CredentialError> {
        if account.is_empty() {
            return Err(CredentialError::Invalid("account is empty".into()));
        }
        self.inner
            .write()
            .insert(account.to_string(), secret.to_string());
        Ok(())
    }

    fn get(&self, account: &str) -> Result<String, CredentialError> {
        self.inner
            .read()
            .get(account)
            .cloned()
            .ok_or_else(|| CredentialError::NotFound {
                service: SERVICE_NAME.into(),
                account: account.to_string(),
            })
    }

    fn delete(&self, account: &str) -> Result<(), CredentialError> {
        if self.inner.write().remove(account).is_some() {
            Ok(())
        } else {
            Err(CredentialError::NotFound {
                service: SERVICE_NAME.into(),
                account: account.to_string(),
            })
        }
    }
}

/// Resolves a credential by trying the configured store first, then falling
/// back to an environment variable. This preserves the v1 cloud-AI experience
/// (env-var-only keys) while letting users migrate to the keyring at their own
/// pace.
pub trait CredentialResolver: Send + Sync {
    /// Resolve the API key for a cloud-AI provider, given the canonical
    /// provider name and the env-var name to fall back to.
    fn resolve_cloud_ai_key(
        &self,
        provider: &str,
        env_var: &str,
    ) -> Result<String, CredentialError>;
}

pub struct EnvFallbackResolver {
    pub store: Arc<dyn CredentialStore>,
}

impl EnvFallbackResolver {
    pub fn new(store: Arc<dyn CredentialStore>) -> Self {
        Self { store }
    }
}

impl CredentialResolver for EnvFallbackResolver {
    fn resolve_cloud_ai_key(
        &self,
        provider: &str,
        env_var: &str,
    ) -> Result<String, CredentialError> {
        let account = CredentialKind::CloudAiKey.account_for(provider);
        match self.store.get(&account) {
            Ok(secret) => Ok(secret),
            Err(CredentialError::NotFound { .. }) => match std::env::var(env_var) {
                Ok(v) if !v.is_empty() => Ok(v),
                _ => Err(CredentialError::NotFound {
                    service: SERVICE_NAME.into(),
                    account,
                }),
            },
            Err(other) => Err(other),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn account_naming_is_kind_prefixed() {
        assert_eq!(
            CredentialKind::CloudAiKey.account_for("claude"),
            "cloud-ai:claude"
        );
        assert_eq!(
            CredentialKind::ZoweProfile.account_for("PRD01"),
            "zowe:PRD01"
        );
    }

    #[test]
    fn in_memory_set_get_round_trip() {
        let store = InMemoryCredentialStore::new();
        store.set("cloud-ai:claude", "sk-test").unwrap();
        assert_eq!(store.get("cloud-ai:claude").unwrap(), "sk-test");
        assert!(store.exists("cloud-ai:claude"));
    }

    #[test]
    fn in_memory_get_missing_is_not_found() {
        let store = InMemoryCredentialStore::new();
        assert!(matches!(
            store.get("cloud-ai:claude"),
            Err(CredentialError::NotFound { .. })
        ));
    }

    #[test]
    fn in_memory_delete_removes() {
        let store = InMemoryCredentialStore::new();
        store.set("cloud-ai:openai", "sk-test").unwrap();
        store.delete("cloud-ai:openai").unwrap();
        assert!(!store.exists("cloud-ai:openai"));
    }

    #[test]
    fn in_memory_set_empty_account_is_invalid() {
        let store = InMemoryCredentialStore::new();
        assert!(matches!(
            store.set("", "x"),
            Err(CredentialError::Invalid(_))
        ));
    }

    #[test]
    fn resolver_prefers_keyring_over_env() {
        let store: Arc<dyn CredentialStore> = Arc::new(InMemoryCredentialStore::new());
        store.set("cloud-ai:claude", "from-keyring").unwrap();
        // Set env var to something else; the resolver should still pick keyring.
        std::env::set_var("FLOW_TEST_RESOLVER_ENV", "from-env");
        let resolver = EnvFallbackResolver::new(store);
        let key = resolver
            .resolve_cloud_ai_key("claude", "FLOW_TEST_RESOLVER_ENV")
            .unwrap();
        assert_eq!(key, "from-keyring");
        std::env::remove_var("FLOW_TEST_RESOLVER_ENV");
    }

    #[test]
    fn resolver_falls_back_to_env_when_keyring_empty() {
        let store: Arc<dyn CredentialStore> = Arc::new(InMemoryCredentialStore::new());
        std::env::set_var("FLOW_TEST_RESOLVER_FALLBACK", "from-env");
        let resolver = EnvFallbackResolver::new(store);
        let key = resolver
            .resolve_cloud_ai_key("openai", "FLOW_TEST_RESOLVER_FALLBACK")
            .unwrap();
        assert_eq!(key, "from-env");
        std::env::remove_var("FLOW_TEST_RESOLVER_FALLBACK");
    }

    #[test]
    fn resolver_returns_not_found_when_neither_present() {
        let store: Arc<dyn CredentialStore> = Arc::new(InMemoryCredentialStore::new());
        let resolver = EnvFallbackResolver::new(store);
        assert!(matches!(
            resolver.resolve_cloud_ai_key("gemini", "FLOW_TEST_RESOLVER_MISSING_ENV"),
            Err(CredentialError::NotFound { .. })
        ));
    }
}