Add encrypted caching support for PoP token flow (#676)

* draft of pop caching

* draft of pop caching

* update

* rebase

* pop token + ropc

* update remaiing interfaces

* fix UTs

* pop token + ropc

* pop token + ropc

* address comments

* address comments

* add missing UTs

* fix UTs

* fix build & nit comments

* fix build

* fix styling

* use a separate file to cache msal token

* update caching structure

* adapt azidentity implementation for kubelogin pop token caching

* fix build

* resole comments

* resolve comments

* resolve comments

* changes to use same rsa key across runs, refactor & UT updates

* make popkey a parameter for token acquisition methods

* update UTs

* use secure accessor for storing pop keys

---------

Co-authored-by: vithumma <vithumma@microsoft.com>

Author: vineeth-thumma

.github/workflows/build.yml

@@ -76,14 +76,14 @@ jobs:
           GOARCH: arm
           GOARM: "7"
           CGO_ENABLED: 0
-      
+
       - name: Build Windows AMD64
         run: make
         env:
           GOOS: windows
           GOARCH: amd64
           CGO_ENABLED: 0
-  
+
       - name: Build Windows ARM64
         run: make
         env:

CHANGELOG.md

@@ -438,4 +438,4 @@
 - ignore docs and readme on some workflows by @weinong in https://github.com/Azure/kubelogin/pull/248
 - Add reference to a context. by @Tatsinnit in https://github.com/Azure/kubelogin/pull/253
 - How to install kubelogin with asdf tool manager by @daveneeley in https://github.com/Azure/kubelogin/pull/256
-- Update devicecode.md by @madhurgupta03 in https://github.com/Azu
+- Update devicecode.md by @madhurgupta03 in https://github.com/Azure/kubelogin/pull/266

CODE_OF_CONDUCT.md

@@ -1,9 +1,9 @@
-# Microsoft Open Source Code of Conduct
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-
-Resources:
-
-- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
-- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

README.md

@@ -1,33 +1,33 @@
-# kubelogin
-
-[![Go Report Card](https://goreportcard.com/badge/github.com/Azure/kubelogin)](https://goreportcard.com/report/github.com/Azure/kubelogin)
-[![golangci-lint](https://github.com/Azure/kubelogin/actions/workflows/golangci-lint.yml/badge.svg)](https://github.com/Azure/kubelogin/actions/workflows/golangci-lint.yml)
-[![Build on Push](https://github.com/Azure/kubelogin/actions/workflows/build.yml/badge.svg)](https://github.com/Azure/kubelogin/actions/workflows/build.yml)
-[![Go Reference](https://pkg.go.dev/badge/github.com/Azure/kubelogin.svg)](https://pkg.go.dev/github.com/Azure/kubelogin)
-[![codecov](https://codecov.io/gh/Azure/kubelogin/branch/main/graph/badge.svg?token=02PZRX59VM)](https://codecov.io/gh/Azure/kubelogin)
-
-This is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl. It is supported on kubectl v1.11+
-
-Check out [the official doc page](https://azure.github.io/kubelogin/index.html) for more details
-
-## Installation
-
-https://azure.github.io/kubelogin/install.html
-
-## Quick Start
-
-https://azure.github.io/kubelogin/quick-start.html
-
-## Contributing
-
-This project welcomes contributions and suggestions. Most contributions require you to agree to a
-Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
-the rights to use your contribution. For details, visit <https://cla.opensource.microsoft.com>.
-
-When you submit a pull request, a CLA bot will automatically determine whether you need to provide
-a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
-provided by the bot. You will only need to do this once across all repos using our CLA.
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
-contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+# kubelogin
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/Azure/kubelogin)](https://goreportcard.com/report/github.com/Azure/kubelogin)
+[![golangci-lint](https://github.com/Azure/kubelogin/actions/workflows/golangci-lint.yml/badge.svg)](https://github.com/Azure/kubelogin/actions/workflows/golangci-lint.yml)
+[![Build on Push](https://github.com/Azure/kubelogin/actions/workflows/build.yml/badge.svg)](https://github.com/Azure/kubelogin/actions/workflows/build.yml)
+[![Go Reference](https://pkg.go.dev/badge/github.com/Azure/kubelogin.svg)](https://pkg.go.dev/github.com/Azure/kubelogin)
+[![codecov](https://codecov.io/gh/Azure/kubelogin/branch/main/graph/badge.svg?token=02PZRX59VM)](https://codecov.io/gh/Azure/kubelogin)
+
+This is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl. It is supported on kubectl v1.11+
+
+Check out [the official doc page](https://azure.github.io/kubelogin/index.html) for more details
+
+## Installation
+
+https://azure.github.io/kubelogin/install.html
+
+## Quick Start
+
+https://azure.github.io/kubelogin/quick-start.html
+
+## Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to agree to a
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+the rights to use your contribution. For details, visit <https://cla.opensource.microsoft.com>.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

SECURITY.md

@@ -1,41 +1,41 @@
-<!-- BEGIN MICROSOFT SECURITY.MD V0.0.4 BLOCK -->
-
-## Security
-
-Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
-
-If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
-
-## Reporting Security Issues
-
-**Please do not report security vulnerabilities through public GitHub issues.**
-
-Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
-
-If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
-
-You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
-
-Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
-
-  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
-  * Full paths of source file(s) related to the manifestation of the issue
-  * The location of the affected source code (tag/branch/commit or direct URL)
-  * Any special configuration required to reproduce the issue
-  * Step-by-step instructions to reproduce the issue
-  * Proof-of-concept or exploit code (if possible)
-  * Impact of the issue, including how an attacker might exploit the issue
-
-This information will help us triage your report more quickly.
-
-If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
-
-## Preferred Languages
-
-We prefer all communications to be in English.
-
-## Policy
-
-Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
-
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.4 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets Microsoft's [Microsoft's definition of a security vulnerability](https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)) of a security vulnerability, please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://msrc.microsoft.com/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://microsoft.com/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
+
 <!-- END MICROSOFT SECURITY.MD BLOCK -->

docs/book/src/README.md

@@ -1,14 +1,14 @@
-# Introduction
-
-`kubelogin` is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl. It is supported on kubectl v1.11+
-
-## Features
-
-- [interactive device code login](./concepts/login-modes/devicecode.md)
-- [interactive web browser login](./concepts/login-modes/interactive.md)
-- [non-interactive service principal login](./concepts/login-modes/sp.md)
-- [non-interactive user principal login](./concepts/login-modes/ropc.md) using [Resource owner login flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc)
-- [non-interactive managed service identity login](./concepts/login-modes/msi.md)
-- [non-interactive Azure CLI token login (AKS only)](./concepts/login-modes/azurecli.md)
-- [non-interactive Azure Developer CLI token login (AKS only)](./concepts/login-modes/azd.md)
-- [non-interactive workload identity login](./concepts/login-modes/workloadidentity.md)
+# Introduction
+
+`kubelogin` is a [client-go credential (exec) plugin](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) implementing azure authentication. This plugin provides features that are not available in kubectl. It is supported on kubectl v1.11+
+
+## Features
+
+- [interactive device code login](./concepts/login-modes/devicecode.md)
+- [interactive web browser login](./concepts/login-modes/interactive.md)
+- [non-interactive service principal login](./concepts/login-modes/sp.md)
+- [non-interactive user principal login](./concepts/login-modes/ropc.md) using [Resource owner login flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc)
+- [non-interactive managed service identity login](./concepts/login-modes/msi.md)
+- [non-interactive Azure CLI token login (AKS only)](./concepts/login-modes/azurecli.md)
+- [non-interactive Azure Developer CLI token login (AKS only)](./concepts/login-modes/azd.md)
+- [non-interactive workload identity login](./concepts/login-modes/workloadidentity.md)

docs/book/src/code-of-conduct.md

@@ -1,9 +1,9 @@
-# Microsoft Open Source Code of Conduct
-
-This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
-
-Resources:
-
-- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
-- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
-- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns

docs/book/src/concepts/login-modes/interactive.md

@@ -1,6 +1,6 @@
 # Web Browser Interactive
 
-This login mode will automatically open a browser to login the user. 
+This login mode will automatically open a browser to login the user.
 Once authenticated, the browser will redirect back to a local web server with access token.
 The redirect URL can be set via `--redirect-url`.
 This login mode complies with Conditional Access policy.
@@ -56,4 +56,4 @@ kubelogin remove-cache-dir
 
 ## References
 
-- https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.interactivebrowsercredential?view=azure-python
+- https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.interactivebrowsercredential?view=azure-python

docs/book/src/development.md

@@ -1 +1,46 @@
 # Development
+
+## Prerequisites
+
+### System Dependencies
+
+kubelogin uses secure token storage that requires platform-specific libraries:
+
+#### Linux (Ubuntu/Debian)
+```bash
+sudo apt update
+sudo apt install libsecret-1-0 libsecret-1-dev
+```
+
+#### Linux (CentOS/RHEL/Fedora)
+```bash
+# CentOS/RHEL
+sudo yum install libsecret-devel
+
+# Fedora
+sudo dnf install libsecret-devel
+```
+
+#### macOS
+No additional dependencies required (uses Keychain)
+
+#### Windows
+No additional dependencies required (uses Windows Credential Manager)
+
+### Go Dependencies
+- Go 1.23 or later
+- Make
+
+## Building
+
+```bash
+make build
+```
+
+## Testing
+
+```bash
+make test
+```
+
+**Note**: Tests require the system dependencies listed above. If you encounter errors related to `libsecret-1.so` or "encrypted storage isn't possible", ensure the libsecret library is installed.

docs/book/src/install.md

@@ -101,4 +101,4 @@ if(-Not($oldPathArray -Contains "$targetDir")) {
     [System.Environment]::SetEnvironmentVariable("Path",$newPath,"User")
     $env:Path = [System.Environment]::GetEnvironmentVariable("Path","User"),[System.Environment]::GetEnvironmentVariable("Path","Machine") -join ";"
 }
-```
+```