fix: add cross-process lock around cache.New to prevent macOS keychain race (#744)

* fix: add cross-process lock around cache.New to prevent macOS keychain race (#740)

When multiple kubelogin processes start concurrently, the upstream
azidentity/cache package's storage test uses a non-atomic check-then-add
pattern on the macOS keychain, causing 'The specified item already exists
in the keychain' (-25299) errors.

This adds a file lock (syscall.Flock on Unix, no-op on Windows) around
cache.New(nil) calls to serialize the storage test across processes.
The lock is best-effort: if it cannot be acquired, execution proceeds
without it to avoid breaking existing behavior.

* fix: address golangci-lint errcheck and gocritic findings

* refactor: use x/sys/unix and os.UserCacheDir() for lock file

Address PR review feedback:
- Switch from syscall to golang.org/x/sys/unix for consistency with
  project conventions (already used in pkg/internal/pop/cache/linux.go)
- Use os.UserCacheDir() instead of os.TempDir() for lock file path to
  avoid unnecessary cross-user contention (macOS keychain is per-user)
- Add os.MkdirAll to ensure the cache directory exists before creating
  the lock file, with fallback to os.TempDir() on any error

* Use user-scoped subdirectory for lock file path

Place the lock file under os.UserCacheDir()/kubelogin/ instead of
directly in the cache directory. In the os.TempDir() fallback,
incorporate the UID (kubelogin-<uid>) so the lock remains per-user
even in a world-writable directory.

This addresses review feedback about cross-user contention and
symlink risks when the lock file falls back to /tmp.

Author: weinong

pkg/internal/token/azurepipelinescredential.go

@@ -8,7 +8,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"k8s.io/klog/v2"
 
 	"github.com/Azure/kubelogin/pkg/internal/env"
@@ -31,7 +30,7 @@ func newAzurePipelinesCredential(opts *Options) (CredentialProvider, error) {
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}

pkg/internal/token/clientcertcredential.go

@@ -12,7 +12,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"golang.org/x/crypto/pkcs12"
 	"k8s.io/klog/v2"
 )
@@ -38,7 +37,7 @@ func newClientCertificateCredential(opts *Options) (CredentialProvider, error) {
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}

pkg/internal/token/clientsecretcredential.go

@@ -7,7 +7,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"k8s.io/klog/v2"
 )
 
@@ -32,7 +31,7 @@ func newClientSecretCredential(opts *Options) (CredentialProvider, error) {
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}

pkg/internal/token/devicecodecredential.go

@@ -8,7 +8,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"k8s.io/klog/v2"
 )
 
@@ -30,7 +29,7 @@ func newDeviceCodeCredential(opts *Options, record azidentity.AuthenticationReco
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}

pkg/internal/token/interactivebrowsercredential.go

@@ -7,7 +7,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"k8s.io/klog/v2"
 )
 
@@ -29,7 +28,7 @@ func newInteractiveBrowserCredential(opts *Options, record azidentity.Authentica
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}

pkg/internal/token/persistentcache.go

@@ -0,0 +1,56 @@
+package token
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
+)
+
+// cacheNewFunc is the function used to create a new persistent cache.
+// It is a variable to allow overriding in tests.
+var cacheNewFunc = cache.New
+
+// newPersistentCache creates a persistent token cache with cross-process
+// synchronization to prevent a race condition when multiple kubelogin
+// processes start concurrently. The upstream azidentity/cache package
+// tests storage availability using a non-atomic check-then-add pattern
+// on macOS keychain, which fails with "The specified item already exists
+// in the keychain" (-25299) when two processes race.
+//
+// This function uses a file lock to serialize the storage test across
+// processes. If the lock cannot be acquired, it proceeds without locking
+// (best-effort) to avoid breaking existing behavior.
+//
+// See https://github.com/Azure/kubelogin/issues/740
+func newPersistentCache() (azidentity.Cache, error) {
+	lockDir := lockFileDir()
+	lockPath := filepath.Join(lockDir, "cache-test.lock")
+	unlock := acquireProcessLock(lockPath)
+	defer unlock()
+	return cacheNewFunc(nil)
+}
+
+// lockFileDir returns a user-scoped directory for the lock file.
+// It prefers os.UserCacheDir()/kubelogin and falls back to
+// os.TempDir()/kubelogin-<uid> so that the lock file is never
+// placed directly in a shared, world-writable directory.
+func lockFileDir() string {
+	if cacheDir, err := os.UserCacheDir(); err == nil {
+		dir := filepath.Join(cacheDir, "kubelogin")
+		if err := os.MkdirAll(dir, 0700); err == nil {
+			return dir
+		}
+	}
+	// Fallback: use a UID-scoped subdirectory under the temp dir
+	// so the lock file is not directly in a world-writable location.
+	dir := filepath.Join(os.TempDir(), fmt.Sprintf("kubelogin-%d", os.Getuid()))
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		// Last resort: use temp dir directly. The lock is best-effort,
+		// so this is acceptable.
+		return os.TempDir()
+	}
+	return dir
+}

pkg/internal/token/persistentcache_test.go

@@ -0,0 +1,90 @@
+package token
+
+import (
+	"fmt"
+	"path/filepath"
+	"sync"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewPersistentCache_Success(t *testing.T) {
+	original := cacheNewFunc
+	defer func() { cacheNewFunc = original }()
+
+	called := false
+	cacheNewFunc = func(opts *cache.Options) (azidentity.Cache, error) {
+		called = true
+		assert.Nil(t, opts)
+		return azidentity.Cache{}, nil
+	}
+
+	c, err := newPersistentCache()
+	assert.NoError(t, err)
+	assert.Equal(t, azidentity.Cache{}, c)
+	assert.True(t, called)
+}
+
+func TestNewPersistentCache_Error(t *testing.T) {
+	original := cacheNewFunc
+	defer func() { cacheNewFunc = original }()
+
+	expectedErr := fmt.Errorf("test error")
+	cacheNewFunc = func(opts *cache.Options) (azidentity.Cache, error) {
+		return azidentity.Cache{}, expectedErr
+	}
+
+	c, err := newPersistentCache()
+	assert.ErrorIs(t, err, expectedErr)
+	assert.Equal(t, azidentity.Cache{}, c)
+}
+
+func TestNewPersistentCache_ConcurrentAccess(t *testing.T) {
+	original := cacheNewFunc
+	defer func() { cacheNewFunc = original }()
+
+	var mu sync.Mutex
+	callCount := 0
+	cacheNewFunc = func(opts *cache.Options) (azidentity.Cache, error) {
+		mu.Lock()
+		callCount++
+		mu.Unlock()
+		return azidentity.Cache{}, nil
+	}
+
+	var wg sync.WaitGroup
+	const goroutines = 10
+	for i := 0; i < goroutines; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			_, err := newPersistentCache()
+			assert.NoError(t, err)
+		}()
+	}
+	wg.Wait()
+	assert.Equal(t, goroutines, callCount)
+}
+
+func TestAcquireProcessLock_ReturnsUnlockFunc(t *testing.T) {
+	lockPath := filepath.Join(t.TempDir(), "test.lock")
+	unlock := acquireProcessLock(lockPath)
+	require.NotNil(t, unlock)
+
+	// Release the lock — should not panic
+	unlock()
+}
+
+func TestAcquireProcessLock_InvalidPath(t *testing.T) {
+	// Use a path in a non-existent directory
+	lockPath := filepath.Join(t.TempDir(), "nonexistent", "subdir", "test.lock")
+	unlock := acquireProcessLock(lockPath)
+	require.NotNil(t, unlock)
+
+	// Should be a no-op function, calling it should not panic
+	unlock()
+}

pkg/internal/token/persistentcache_unix.go

@@ -0,0 +1,32 @@
+//go:build unix
+
+package token
+
+import (
+	"os"
+
+	"golang.org/x/sys/unix"
+	"k8s.io/klog/v2"
+)
+
+// acquireProcessLock attempts to acquire an exclusive file lock at the given path.
+// It returns a function that releases the lock. If the lock cannot be acquired,
+// it returns a no-op function so callers always get a valid unlock function.
+func acquireProcessLock(path string) func() {
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0600)
+	if err != nil {
+		klog.V(5).Infof("failed to open lock file %s: %v", path, err)
+		return func() {}
+	}
+	if err := unix.Flock(int(f.Fd()), unix.LOCK_EX); err != nil {
+		klog.V(5).Infof("failed to acquire lock on %s: %v", path, err)
+		f.Close()
+		return func() {}
+	}
+	return func() {
+		if err := unix.Flock(int(f.Fd()), unix.LOCK_UN); err != nil {
+			klog.V(5).Infof("failed to release lock on %s: %v", path, err)
+		}
+		f.Close()
+	}
+}

pkg/internal/token/persistentcache_windows.go

@@ -0,0 +1,9 @@
+//go:build windows
+
+package token
+
+// acquireProcessLock is a no-op on Windows because the macOS keychain
+// race condition (issue #740) does not apply. Returns a no-op unlock function.
+func acquireProcessLock(_ string) func() {
+	return func() {}
+}

pkg/internal/token/usernamepasswordcredential.go

@@ -7,7 +7,6 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache"
 	"k8s.io/klog/v2"
 )
 
@@ -35,7 +34,7 @@ func newUsernamePasswordCredential(opts *Options, record azidentity.Authenticati
 		err error
 	)
 	if opts.UsePersistentCache {
-		c, err = cache.New(nil)
+		c, err = newPersistentCache()
 		if err != nil {
 			klog.V(5).Infof("failed to create cache: %v", err)
 		}