Merge pull request #147 from datum-cloud/fix/146-macos-keychain-size-limit

scotwells · web-flow · commit a5fab73ebc90 · 2026-04-10T18:05:59.000-04:00
fix: unbreak machine account login on macOS
diff --git a/internal/authutil/credentials.go b/internal/authutil/credentials.go
@@ -36,9 +36,14 @@ type MachineAccountState struct {
 	ClientEmail  string `json:"client_email"`
 	ClientID     string `json:"client_id"`
 	PrivateKeyID string `json:"private_key_id"`
-	PrivateKey   string `json:"private_key"`
+	PrivateKey   string `json:"private_key,omitempty"`
 	TokenURI     string `json:"token_uri"`
 	Scope        string `json:"scope,omitempty"`
+	// PrivateKeyPath is the path to an on-disk file containing the PEM-encoded
+	// private key. Used when the key is too large to store in the keyring (e.g.
+	// on macOS where the Keychain has a per-item size limit). If non-empty, the
+	// token source reads the key from this path instead of PrivateKey.
+	PrivateKeyPath string `json:"private_key_path,omitempty"`
 }
 
 // StoredCredentials holds all necessary information for a single authenticated session.
diff --git a/internal/authutil/machine_account_keyfile.go b/internal/authutil/machine_account_keyfile.go
@@ -0,0 +1,120 @@
+package authutil
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// machineAccountKeyDir returns the directory used to store machine account PEM key files.
+// It does not create the directory.
+func machineAccountKeyDir() (string, error) {
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return "", fmt.Errorf("failed to determine user config directory: %w", err)
+	}
+	return filepath.Join(configDir, "datumctl", "machine-accounts"), nil
+}
+
+// MachineAccountKeyFilePath returns the on-disk path where the PEM key for
+// the given userKey is stored. It does not create the directory.
+func MachineAccountKeyFilePath(userKey string) (string, error) {
+	dir, err := machineAccountKeyDir()
+	if err != nil {
+		return "", err
+	}
+	sum := sha256.Sum256([]byte(userKey))
+	filename := hex.EncodeToString(sum[:]) + ".pem"
+	return filepath.Join(dir, filename), nil
+}
+
+// WriteMachineAccountKeyFile atomically writes the PEM key to disk for the
+// given userKey and returns the absolute path. Creates the parent directory
+// with mode 0700 if needed. The file is written with mode 0600.
+func WriteMachineAccountKeyFile(userKey, pemKey string) (string, error) {
+	dir, err := machineAccountKeyDir()
+	if err != nil {
+		return "", err
+	}
+
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return "", fmt.Errorf("failed to create machine account key directory %s: %w", dir, err)
+	}
+
+	// Tighten perms on the directory even when it already existed with looser ones.
+	if err := os.Chmod(dir, 0700); err != nil && !errors.Is(err, os.ErrNotExist) {
+		return "", fmt.Errorf("failed to set permissions on machine account key directory %s: %w", dir, err)
+	}
+
+	destPath, err := MachineAccountKeyFilePath(userKey)
+	if err != nil {
+		return "", err
+	}
+
+	// Use a unique temp filename so concurrent logins for the same account
+	// do not race on the same .tmp path and corrupt each other's writes.
+	tmpFile, err := os.CreateTemp(dir, filepath.Base(destPath)+".tmp.*")
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp file for machine account key in %s: %w", dir, err)
+	}
+	tmpName := tmpFile.Name()
+
+	// Ensure the temp file is removed on any error path. After a successful
+	// Rename the file no longer exists at tmpName, so Remove is a no-op.
+	var writeErr error
+	defer func() {
+		if writeErr != nil {
+			_ = os.Remove(tmpName)
+		}
+	}()
+
+	// Be explicit about mode even though CreateTemp already uses 0600.
+	if writeErr = tmpFile.Chmod(0600); writeErr != nil {
+		_ = tmpFile.Close()
+		writeErr = fmt.Errorf("failed to set permissions on temp key file %s: %w", tmpName, writeErr)
+		return "", writeErr
+	}
+
+	if _, writeErr = tmpFile.Write([]byte(pemKey)); writeErr != nil {
+		_ = tmpFile.Close()
+		writeErr = fmt.Errorf("failed to write machine account key to %s: %w", tmpName, writeErr)
+		return "", writeErr
+	}
+
+	if writeErr = tmpFile.Close(); writeErr != nil {
+		writeErr = fmt.Errorf("failed to close temp key file %s: %w", tmpName, writeErr)
+		return "", writeErr
+	}
+
+	if writeErr = os.Rename(tmpName, destPath); writeErr != nil {
+		writeErr = fmt.Errorf("failed to move machine account key to %s: %w", destPath, writeErr)
+		return "", writeErr
+	}
+
+	return destPath, nil
+}
+
+// ReadMachineAccountKeyFile reads a PEM key from the given path.
+func ReadMachineAccountKeyFile(path string) (string, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return "", fmt.Errorf("failed to read machine account key file %s: %w", path, err)
+	}
+	return string(data), nil
+}
+
+// RemoveMachineAccountKeyFile deletes the PEM key file for the given userKey.
+// Returns nil if the file does not exist.
+func RemoveMachineAccountKeyFile(userKey string) error {
+	path, err := MachineAccountKeyFilePath(userKey)
+	if err != nil {
+		return err
+	}
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove machine account key file %s: %w", path, err)
+	}
+	return nil
+}
diff --git a/internal/authutil/machineaccount.go b/internal/authutil/machineaccount.go
@@ -194,7 +194,31 @@ func (m *machineAccountTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	ma := m.creds.MachineAccount
-	signedJWT, err := MintJWT(ma.ClientID, ma.PrivateKeyID, ma.PrivateKey, ma.TokenURI)
+
+	// Resolve the PEM key. New sessions store the key on disk (PrivateKeyPath)
+	// to stay within the macOS Keychain per-item size limit; older sessions
+	// (Linux, pre-fix) may still have the key inline in PrivateKey.
+	pemKey := ma.PrivateKey
+	if pemKey == "" && ma.PrivateKeyPath != "" {
+		var readErr error
+		pemKey, readErr = ReadMachineAccountKeyFile(ma.PrivateKeyPath)
+		if readErr != nil {
+			return nil, customerrors.WrapUserErrorWithHint(
+				"failed to read machine account private key from "+ma.PrivateKeyPath,
+				"re-run 'datumctl auth login --credentials <file>'; you may need to download a new machine account credentials file from the Datum portal if the original is no longer available",
+				readErr,
+			)
+		}
+	}
+	if pemKey == "" {
+		return nil, customerrors.WrapUserErrorWithHint(
+			"machine account session is missing its private key",
+			"re-run 'datumctl auth login --credentials <file>'; you may need to download a new machine account credentials file from the Datum portal if the original is no longer available",
+			nil,
+		)
+	}
+
+	signedJWT, err := MintJWT(ma.ClientID, ma.PrivateKeyID, pemKey, ma.TokenURI)
 	if err != nil {
 		return nil, customerrors.WrapUserErrorWithHint(
 			"Failed to mint JWT for machine account authentication.",
diff --git a/internal/cmd/auth/logout.go b/internal/cmd/auth/logout.go
@@ -91,6 +91,11 @@ func logoutSingleUser(userKeyToLogout string) error {
 		if err := keyring.Delete(authutil.ServiceName, userKeyToLogout); err != nil && !errors.Is(err, keyring.ErrNotFound) {
 			fmt.Printf("Warning: attempt to delete potential stray key for %s failed: %v\n", userKeyToLogout, err)
 		}
+		// Also remove any stray on-disk PEM file. This is the exact cleanup path
+		// users hit after a failed login left crypto material behind (issue #146).
+		if removeErr := authutil.RemoveMachineAccountKeyFile(userKeyToLogout); removeErr != nil {
+			fmt.Printf("Warning: failed to remove machine account key file for '%s': %v\n", userKeyToLogout, removeErr)
+		}
 		return nil
 	}
 
@@ -100,6 +105,14 @@ func logoutSingleUser(userKeyToLogout string) error {
 		fmt.Printf("Warning: failed to delete credentials for user '%s' from keyring: %v\n", userKeyToLogout, err)
 	}
 
+	// Remove the on-disk PEM key file for machine account sessions.
+	// This is a best-effort cleanup: ignore "not found" (interactive sessions
+	// never write a file) and only warn on other errors since the keyring entry
+	// is already gone.
+	if removeErr := authutil.RemoveMachineAccountKeyFile(userKeyToLogout); removeErr != nil {
+		fmt.Printf("Warning: failed to remove machine account key file for '%s': %v\n", userKeyToLogout, removeErr)
+	}
+
 	// 4. Update and save the known users list
 	updatedJSON, err := json.Marshal(updatedKnownUsers)
 	if err != nil {
@@ -164,6 +177,11 @@ func logoutAllUsers() error {
 			fmt.Printf("Warning: failed to delete credentials for user '%s' from keyring: %v\n", userKey, err)
 			logoutErrors = true // Mark that at least one error occurred
 		}
+
+		// Remove the on-disk PEM key file for machine account sessions (best-effort).
+		if removeErr := authutil.RemoveMachineAccountKeyFile(userKey); removeErr != nil {
+			fmt.Printf("Warning: failed to remove machine account key file for '%s': %v\n", userKey, removeErr)
+		}
 	}
 
 	// 3. Delete the known users list itself
diff --git a/internal/cmd/auth/machine_account_login.go b/internal/cmd/auth/machine_account_login.go
@@ -115,6 +115,20 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 		displayName = creds.ClientID
 	}
 
+	// Use client_email as the keyring key when available; fall back to client_id.
+	userKey := creds.ClientEmail
+	if userKey == "" {
+		userKey = creds.ClientID
+	}
+
+	// Write the PEM private key to disk to keep the keyring blob small.
+	// On macOS the Keychain has a per-item size limit (~4 KB); embedding the
+	// PEM (~2.5 KB) alongside the access token pushes the blob over the limit.
+	keyFilePath, err := authutil.WriteMachineAccountKeyFile(userKey, creds.PrivateKey)
+	if err != nil {
+		return fmt.Errorf("failed to write machine account private key to disk: %w", err)
+	}
+
 	stored := authutil.StoredCredentials{
 		Hostname:         hostname,
 		APIHostname:      finalAPIHostname,
@@ -129,7 +143,9 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 			ClientEmail:  creds.ClientEmail,
 			ClientID:     creds.ClientID,
 			PrivateKeyID: creds.PrivateKeyID,
-			PrivateKey:   creds.PrivateKey,
+			// PrivateKey is intentionally left empty; the key lives on disk at
+			// PrivateKeyPath so the keyring blob stays under the macOS size limit.
+			PrivateKeyPath: keyFilePath,
 			// Store the discovered token URI and resolved scope so that the
 			// machineAccountTokenSource can refresh tokens without re-reading
 			// the credentials file.
@@ -138,18 +154,17 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 		},
 	}
 
-	// Use client_email as the keyring key when available; fall back to client_id.
-	userKey := creds.ClientEmail
-	if userKey == "" {
-		userKey = creds.ClientID
-	}
-
 	credsJSON, err := json.Marshal(stored)
 	if err != nil {
 		return fmt.Errorf("failed to serialize credentials: %w", err)
 	}
 
 	if err := keyring.Set(authutil.ServiceName, userKey, string(credsJSON)); err != nil {
+		// The PEM key was written to disk but the keyring write failed. Remove the
+		// key file as best-effort cleanup so we don't leave crypto material behind.
+		if cleanupErr := authutil.RemoveMachineAccountKeyFile(userKey); cleanupErr != nil {
+			fmt.Printf("Warning: failed to remove machine account key file after keyring error for %s: %v\n", userKey, cleanupErr)
+		}
 		return fmt.Errorf("failed to store credentials in keyring for %s: %w", userKey, err)
 	}
 
