feat: Store tokens from authentication in system keystore

Cargo.toml

@@ -63,6 +63,27 @@ self_update = { version = "0.43.1", features = [
 ] }
 md5 = "0.8.0"
 ulid = "1.2.1"
+keyring-core = {version = "1.0.0", features = ["sample"]}
+users = "0.11"
+
+# [target.'cfg(target_os = "windows")'.dependencies]
+windows-native-keyring-store = "1.1.0"
+
+
+# [target.'cfg(not(any(target_os = "ios", target_os = "android")))'.dependencies]
+db-keystore = { version = "0.4.3" }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+apple-native-keyring-store = { version = "1.0.0", features = ["keychain"] }
+
+[target.'cfg(target_os = "linux")'.dependencies]
+linux-keyutils-keyring-store = { version = "1.0.0" }
+
+[target.'cfg(any(target_os = "linux", target_os = "freebsd"))'.dependencies]
+#dbus-secret-service-keyring-store = { version = "1.0.0", features = ["crypto-rust", "vendored"] }
+zbus-secret-service-keyring-store = { version = "1.0.0", features = ["crypto-rust"] }
+
+
 
 [features]
 default = ["reqwest/default-tls"] # link against system library

flake.nix

@@ -198,6 +198,8 @@
           tokio-console
           fenixToolChain.rust-analyzer
           fenixToolChain.rustfmt
+#          keyutils
+#          gnome-keyring
         ];
       };
     })

src/cli.rs

@@ -29,6 +29,7 @@ pub async fn execute_cmd(opts: MainOpts) -> Result<(), CmdError> {
 
         SubCommand::Dataset(input) => input.exec(ctx).await?,
         SubCommand::Job(input) => input.exec(ctx).await?,
+        SubCommand::Logout(input) => input.exec(&ctx).await?,
     };
     Ok(())
 }

src/cli/cmd.rs

@@ -1,6 +1,7 @@
 pub mod dataset;
 pub mod job;
 pub mod login;
+pub mod logout;
 pub mod project;
 pub mod update;
 #[cfg(feature = "user-doc")]
@@ -71,6 +72,9 @@ pub enum CmdError {
 
     #[snafu(display("Job - {}", source))]
     Job { source: job::Error },
+
+    #[snafu(display("Logout - {}", source))]
+    Logout { source: logout::Error },
 }
 
 impl From<job::Error> for CmdError {
@@ -109,6 +113,12 @@ impl From<login::Error> for CmdError {
     }
 }
 
+impl From<logout::Error> for CmdError {
+    fn from(source: logout::Error) -> Self {
+        CmdError::Logout { source }
+    }
+}
+
 impl From<dataset::Error> for CmdError {
     fn from(source: dataset::Error) -> Self {
         CmdError::Dataset { source }

src/cli/cmd/logout.rs

@@ -0,0 +1,32 @@
+use super::Context;
+use crate::httpclient::Error as HttpError;
+use crate::{
+    cli::sink::Error as SinkError, data::simple_message::SimpleMessage,
+};
+use clap::Parser;
+use snafu::{ResultExt, Snafu};
+
+/// Performs a logout by removing the stored token from the keystore.
+///
+#[derive(Parser, Debug, PartialEq)]
+pub struct Input {}
+
+#[derive(Debug, Snafu)]
+pub enum Error {
+    #[snafu(display("An http error occurred: {}", source))]
+    HttpClient { source: HttpError },
+
+    #[snafu(display("Error writing data: {}", source))]
+    WriteResult { source: SinkError },
+}
+
+impl Input {
+    pub async fn exec(&self, ctx: &Context) -> Result<(), Error> {
+        ctx.client.clear_token().await.context(HttpClientSnafu)?;
+        let message = "Logout complete.".to_string();
+        ctx.write_result(&SimpleMessage { message })
+            .await
+            .context(WriteResultSnafu)?;
+        Ok(())
+    }
+}

src/cli/opts.rs

@@ -144,6 +144,9 @@ pub enum SubCommand {
 
     #[command()]
     Job(job::Input),
+
+    #[command()]
+    Logout(logout::Input),
 }
 
 /// This is the command line interface to the Renku platform. Main

src/httpclient.rs

@@ -25,15 +25,16 @@
 //! TODO
 
 pub mod auth;
-mod cache;
 pub mod data;
+pub mod keystore;
 pub mod proxy;
 
 use crate::data::project_id::ProjectId;
 use crate::data::renku_url::RenkuUrl;
 
 use self::data::*;
 use auth::{Response, UserCode};
+use keystore::{KeyringStore, Keystore};
 use openidconnect::OAuth2TokenResponse;
 use regex::Regex;
 use reqwest::{Certificate, ClientBuilder, IntoUrl, RequestBuilder, Url};
@@ -56,6 +57,9 @@ fn display_bad_response(em: &Option<ErrorResponse>, body: &String) -> String {
 #[derive(Debug, Snafu)]
 #[snafu(visibility(pub(crate)))]
 pub enum Error {
+    #[snafu(display("Keystore error: {}", source))]
+    Keystore { source: keystore::Error },
+
     #[snafu(display("An error was received from {}: {}", url, source))]
     Http { source: reqwest::Error, url: String },
 
@@ -91,11 +95,9 @@ pub enum Error {
 
     #[snafu(display("Error parsing url: {}", reason))]
     ProjectUrlParse { reason: String },
-    #[snafu(transparent)]
-    Auth { source: auth::AuthError },
 
     #[snafu(transparent)]
-    Cache { source: cache::Error },
+    Auth { source: auth::AuthError },
 }
 
 /// The renku http client.
@@ -106,6 +108,7 @@ pub struct Client {
     client: reqwest::Client,
     settings: Settings,
     access_token: Option<String>,
+    keystore: KeyringStore,
 }
 
 #[derive(Debug)]
@@ -151,8 +154,12 @@ impl Client {
             }
         }
 
-        let auth_data = access_token
-            .or(cache::read_auth_token()?.map(|r| r.response.access_token().secret().clone()));
+        let keystore = keystore::KeyringStore::create(renku_url.clone()).context(KeystoreSnafu)?;
+
+        let auth_data = access_token.or(keystore
+            .read_token()
+            .context(KeystoreSnafu)?
+            .map(|r| r.response.access_token().secret().clone()));
         let client = client_builder.build().context(ClientCreateSnafu)?;
         Ok(Client {
             client,
@@ -163,6 +170,7 @@ impl Client {
                 accept_invalid_certs,
                 base_url: renku_url,
             },
+            keystore,
         })
     }
 
@@ -420,7 +428,7 @@ impl Client {
 
     pub async fn complete_login_flow(&self, code: UserCode) -> Result<Response, Error> {
         let r = auth::poll_tokens(code).await?;
-        cache::write_auth_token(&r).await?;
+        self.keystore.write_token(&r).context(KeystoreSnafu)?;
         Ok(r)
     }
 
@@ -429,4 +437,8 @@ impl Client {
         let result = self.json_get::<Vec<SessionLauncher>>(path).await?;
         Ok(result)
     }
+
+    pub async fn clear_token(&self) -> Result<(), Error> {
+        self.keystore.clear().context(KeystoreSnafu)
+    }
 }