fix(auth): store machine account private key on disk

scotwells · claude · scotwells · commit d28ab6ffecac · 2026-04-10T16:30:33.000-05:00
The macOS Keychain has a per-item size limit (~4 KB). Machine account sessions exceeded it because StoredCredentials embedded a full PEM-encoded RSA private key alongside the access token, pushing the blob to ~5 KB. Logins would authenticate successfully but then fail with "data passed to Set was too big" when writing to the keyring, leaving no usable session behind. Store the PEM private key in a 0600 file under the user config directory and keep only a PrivateKeyPath pointer in the keyring blob. The access token continues to live in the OS keyring. Token refresh reads the PEM from disk on demand; logout removes the file alongside the keyring entry. Existing Linux sessions (where the PEM fit in the keyring inline) continue to work without migration: if PrivateKey is still set in the blob, it is used as-is; otherwise PrivateKeyPath is consulted. Fixes #146 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/internal/authutil/credentials.go b/internal/authutil/credentials.go
@@ -36,9 +36,14 @@ type MachineAccountState struct {
 	ClientEmail  string `json:"client_email"`
 	ClientID     string `json:"client_id"`
 	PrivateKeyID string `json:"private_key_id"`
-	PrivateKey   string `json:"private_key"`
+	PrivateKey   string `json:"private_key,omitempty"`
 	TokenURI     string `json:"token_uri"`
 	Scope        string `json:"scope,omitempty"`
+	// PrivateKeyPath is the path to an on-disk file containing the PEM-encoded
+	// private key. Used when the key is too large to store in the keyring (e.g.
+	// on macOS where the Keychain has a per-item size limit). If non-empty, the
+	// token source reads the key from this path instead of PrivateKey.
+	PrivateKeyPath string `json:"private_key_path,omitempty"`
 }
 
 // StoredCredentials holds all necessary information for a single authenticated session.
diff --git a/internal/authutil/machine_account_keyfile.go b/internal/authutil/machine_account_keyfile.go
@@ -0,0 +1,85 @@
+package authutil
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
+// machineAccountKeyDir returns the directory used to store machine account PEM key files.
+// It does not create the directory.
+func machineAccountKeyDir() (string, error) {
+	configDir, err := os.UserConfigDir()
+	if err != nil {
+		return "", fmt.Errorf("failed to determine user config directory: %w", err)
+	}
+	return filepath.Join(configDir, "datumctl", "machine-accounts"), nil
+}
+
+// MachineAccountKeyFilePath returns the on-disk path where the PEM key for
+// the given userKey is stored. It does not create the directory.
+func MachineAccountKeyFilePath(userKey string) (string, error) {
+	dir, err := machineAccountKeyDir()
+	if err != nil {
+		return "", err
+	}
+	sum := sha256.Sum256([]byte(userKey))
+	filename := hex.EncodeToString(sum[:]) + ".pem"
+	return filepath.Join(dir, filename), nil
+}
+
+// WriteMachineAccountKeyFile atomically writes the PEM key to disk for the
+// given userKey and returns the absolute path. Creates the parent directory
+// with mode 0700 if needed. The file is written with mode 0600.
+func WriteMachineAccountKeyFile(userKey, pemKey string) (string, error) {
+	dir, err := machineAccountKeyDir()
+	if err != nil {
+		return "", err
+	}
+
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		return "", fmt.Errorf("failed to create machine account key directory %s: %w", dir, err)
+	}
+
+	destPath, err := MachineAccountKeyFilePath(userKey)
+	if err != nil {
+		return "", err
+	}
+
+	tmpPath := destPath + ".tmp"
+	if err := os.WriteFile(tmpPath, []byte(pemKey), 0600); err != nil {
+		return "", fmt.Errorf("failed to write machine account key to %s: %w", tmpPath, err)
+	}
+
+	if err := os.Rename(tmpPath, destPath); err != nil {
+		// Best-effort cleanup of the temp file on rename failure.
+		_ = os.Remove(tmpPath)
+		return "", fmt.Errorf("failed to move machine account key to %s: %w", destPath, err)
+	}
+
+	return destPath, nil
+}
+
+// ReadMachineAccountKeyFile reads a PEM key from the given path.
+func ReadMachineAccountKeyFile(path string) (string, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return "", fmt.Errorf("failed to read machine account key file %s: %w", path, err)
+	}
+	return string(data), nil
+}
+
+// RemoveMachineAccountKeyFile deletes the PEM key file for the given userKey.
+// Returns nil if the file does not exist.
+func RemoveMachineAccountKeyFile(userKey string) error {
+	path, err := MachineAccountKeyFilePath(userKey)
+	if err != nil {
+		return err
+	}
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove machine account key file %s: %w", path, err)
+	}
+	return nil
+}
diff --git a/internal/authutil/machineaccount.go b/internal/authutil/machineaccount.go
@@ -194,7 +194,23 @@ func (m *machineAccountTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	ma := m.creds.MachineAccount
-	signedJWT, err := MintJWT(ma.ClientID, ma.PrivateKeyID, ma.PrivateKey, ma.TokenURI)
+
+	// Resolve the PEM key. New sessions store the key on disk (PrivateKeyPath)
+	// to stay within the macOS Keychain per-item size limit; older sessions
+	// (Linux, pre-fix) may still have the key inline in PrivateKey.
+	pemKey := ma.PrivateKey
+	if pemKey == "" && ma.PrivateKeyPath != "" {
+		var readErr error
+		pemKey, readErr = ReadMachineAccountKeyFile(ma.PrivateKeyPath)
+		if readErr != nil {
+			return nil, fmt.Errorf("failed to read machine account private key from %s: %w (try logging in again with 'datumctl auth login --credentials')", ma.PrivateKeyPath, readErr)
+		}
+	}
+	if pemKey == "" {
+		return nil, fmt.Errorf("machine account session is missing its private key; log in again with 'datumctl auth login --credentials'")
+	}
+
+	signedJWT, err := MintJWT(ma.ClientID, ma.PrivateKeyID, pemKey, ma.TokenURI)
 	if err != nil {
 		return nil, customerrors.WrapUserErrorWithHint(
 			"Failed to mint JWT for machine account authentication.",
diff --git a/internal/cmd/auth/logout.go b/internal/cmd/auth/logout.go
@@ -100,6 +100,14 @@ func logoutSingleUser(userKeyToLogout string) error {
 		fmt.Printf("Warning: failed to delete credentials for user '%s' from keyring: %v\n", userKeyToLogout, err)
 	}
 
+	// Remove the on-disk PEM key file for machine account sessions.
+	// This is a best-effort cleanup: ignore "not found" (interactive sessions
+	// never write a file) and only warn on other errors since the keyring entry
+	// is already gone.
+	if removeErr := authutil.RemoveMachineAccountKeyFile(userKeyToLogout); removeErr != nil {
+		fmt.Printf("Warning: failed to remove machine account key file for '%s': %v\n", userKeyToLogout, removeErr)
+	}
+
 	// 4. Update and save the known users list
 	updatedJSON, err := json.Marshal(updatedKnownUsers)
 	if err != nil {
@@ -164,6 +172,11 @@ func logoutAllUsers() error {
 			fmt.Printf("Warning: failed to delete credentials for user '%s' from keyring: %v\n", userKey, err)
 			logoutErrors = true // Mark that at least one error occurred
 		}
+
+		// Remove the on-disk PEM key file for machine account sessions (best-effort).
+		if removeErr := authutil.RemoveMachineAccountKeyFile(userKey); removeErr != nil {
+			fmt.Printf("Warning: failed to remove machine account key file for '%s': %v\n", userKey, removeErr)
+		}
 	}
 
 	// 3. Delete the known users list itself
diff --git a/internal/cmd/auth/machine_account_login.go b/internal/cmd/auth/machine_account_login.go
@@ -115,6 +115,20 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 		displayName = creds.ClientID
 	}
 
+	// Use client_email as the keyring key when available; fall back to client_id.
+	userKey := creds.ClientEmail
+	if userKey == "" {
+		userKey = creds.ClientID
+	}
+
+	// Write the PEM private key to disk to keep the keyring blob small.
+	// On macOS the Keychain has a per-item size limit (~4 KB); embedding the
+	// PEM (~2.5 KB) alongside the access token pushes the blob over the limit.
+	keyFilePath, err := authutil.WriteMachineAccountKeyFile(userKey, creds.PrivateKey)
+	if err != nil {
+		return fmt.Errorf("failed to write machine account private key to disk: %w", err)
+	}
+
 	stored := authutil.StoredCredentials{
 		Hostname:         hostname,
 		APIHostname:      finalAPIHostname,
@@ -129,7 +143,9 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 			ClientEmail:  creds.ClientEmail,
 			ClientID:     creds.ClientID,
 			PrivateKeyID: creds.PrivateKeyID,
-			PrivateKey:   creds.PrivateKey,
+			// PrivateKey is intentionally left empty; the key lives on disk at
+			// PrivateKeyPath so the keyring blob stays under the macOS size limit.
+			PrivateKeyPath: keyFilePath,
 			// Store the discovered token URI and resolved scope so that the
 			// machineAccountTokenSource can refresh tokens without re-reading
 			// the credentials file.
@@ -138,12 +154,6 @@ func runMachineAccountLogin(ctx context.Context, credentialsPath, hostname, apiH
 		},
 	}
 
-	// Use client_email as the keyring key when available; fall back to client_id.
-	userKey := creds.ClientEmail
-	if userKey == "" {
-		userKey = creds.ClientID
-	}
-
 	credsJSON, err := json.Marshal(stored)
 	if err != nil {
 		return fmt.Errorf("failed to serialize credentials: %w", err)
