Add storage context system for credential isolation

Refactor storage layer to support multiple independent storage contexts,
enabling CLI and API (Terraform Provider/SDK) credentials to be stored
separately. This allows users to authenticate with different accounts
for CLI operations vs. SDK/Terraform usage.

Key changes:
- Add StorageContext enum (StorageContextCLI, StorageContextAPI)
- Add *WithContext() variants for all storage functions
- Support context-specific keyring service names and file paths
- Maintain backward compatibility with existing storage functions
- Add comprehensive tests for storage context isolation

Storage locations:
- CLI: stackit-cli keyring, ~/.stackit/cli-auth-storage.txt
- API: stackit-cli-api keyring, ~/.stackit/cli-api-auth-storage.txt

Author: franklouwers

internal/pkg/auth/storage.go

@@ -10,22 +10,52 @@ import (
 
 	"github.com/stackitcloud/stackit-cli/internal/pkg/config"
 	pkgErrors "github.com/stackitcloud/stackit-cli/internal/pkg/errors"
+	"github.com/stackitcloud/stackit-cli/internal/pkg/print"
 
 	"github.com/zalando/go-keyring"
 )
 
+// Package-level printer for debug logging in storage operations
+var storagePrinter = print.NewPrinter()
+
+// SetStoragePrinter sets the printer used for storage debug logging
+// This should be called with the main command's printer to ensure consistent verbosity
+func SetStoragePrinter(p *print.Printer) {
+	if p != nil {
+		storagePrinter = p
+	}
+}
+
 // Name of an auth-related field
 type authFieldKey string
 
 // Possible values of authentication flows
 type AuthFlow string
 
+// StorageContext represents the context in which credentials are stored
+// CLI context is for the CLI's own authentication
+// API context is for Terraform Provider and SDK authentication
+type StorageContext string
+
 const (
-	keyringService     = "stackit-cli"
-	textFileName       = "cli-auth-storage.txt"
+	StorageContextCLI StorageContext = "cli"
+	StorageContextAPI StorageContext = "api"
+)
+
+const (
+	keyringServiceCLI = "stackit-cli"
+	keyringServiceAPI = "stackit-cli-api"
+	textFileNameCLI   = "cli-auth-storage.txt"
+	textFileNameAPI   = "cli-api-auth-storage.txt"
 	envAccessTokenName = "STACKIT_ACCESS_TOKEN"
 )
 
+// Legacy constants for backward compatibility
+const (
+	keyringService = keyringServiceCLI
+	textFileName   = textFileNameCLI
+)
+
 const (
 	SESSION_EXPIRES_AT_UNIX authFieldKey = "session_expires_at_unix"
 	ACCESS_TOKEN            authFieldKey = "access_token"
@@ -70,10 +100,40 @@ var loginAuthFieldKeys = []authFieldKey{
 	USER_EMAIL,
 }
 
+// getKeyringServiceName returns the keyring service name for the given context and profile
+func getKeyringServiceName(context StorageContext, profile string) string {
+	var baseService string
+	switch context {
+	case StorageContextAPI:
+		baseService = keyringServiceAPI
+	default:
+		baseService = keyringServiceCLI
+	}
+
+	if profile != config.DefaultProfileName {
+		return filepath.Join(baseService, profile)
+	}
+	return baseService
+}
+
+// getTextFileName returns the text file name for the given context
+func getTextFileName(context StorageContext) string {
+	switch context {
+	case StorageContextAPI:
+		return textFileNameAPI
+	default:
+		return textFileNameCLI
+	}
+}
+
 func SetAuthFlow(value AuthFlow) error {
 	return SetAuthField(authFlowType, string(value))
 }
 
+func SetAuthFlowWithContext(context StorageContext, value AuthFlow) error {
+	return SetAuthFieldWithContext(context, authFlowType, string(value))
+}
+
 // Sets the values in the auth storage according to the given map
 func SetAuthFieldMap(keyMap map[authFieldKey]string) error {
 	for key, value := range keyMap {
@@ -85,19 +145,39 @@ func SetAuthFieldMap(keyMap map[authFieldKey]string) error {
 	return nil
 }
 
+// SetAuthFieldMapWithContext sets the values in the auth storage according to the given map for a specific context
+func SetAuthFieldMapWithContext(context StorageContext, keyMap map[authFieldKey]string) error {
+	for key, value := range keyMap {
+		err := SetAuthFieldWithContext(context, key, value)
+		if err != nil {
+			return fmt.Errorf("set auth field \"%s\": %w", key, err)
+		}
+	}
+	return nil
+}
+
 func SetAuthField(key authFieldKey, value string) error {
+	return SetAuthFieldWithContext(StorageContextCLI, key, value)
+}
+
+// SetAuthFieldWithContext sets an auth field for a specific storage context
+func SetAuthFieldWithContext(context StorageContext, key authFieldKey, value string) error {
 	activeProfile, err := config.GetProfile()
 	if err != nil {
 		return fmt.Errorf("get profile: %w", err)
 	}
 
-	return setAuthFieldWithProfile(activeProfile, key, value)
+	return setAuthFieldWithProfileAndContext(context, activeProfile, key, value)
 }
 
 func setAuthFieldWithProfile(profile string, key authFieldKey, value string) error {
-	err := setAuthFieldInKeyring(profile, key, value)
+	return setAuthFieldWithProfileAndContext(StorageContextCLI, profile, key, value)
+}
+
+func setAuthFieldWithProfileAndContext(context StorageContext, profile string, key authFieldKey, value string) error {
+	err := setAuthFieldInKeyringWithContext(context, profile, key, value)
 	if err != nil {
-		errFallback := setAuthFieldInEncodedTextFile(profile, key, value)
+		errFallback := setAuthFieldInEncodedTextFileWithContext(context, profile, key, value)
 		if errFallback != nil {
 			return fmt.Errorf("write to keyring failed (%w), try writing to encoded text file: %w", err, errFallback)
 		}
@@ -106,27 +186,37 @@ func setAuthFieldWithProfile(profile string, key authFieldKey, value string) err
 }
 
 func setAuthFieldInKeyring(activeProfile string, key authFieldKey, value string) error {
-	if activeProfile != config.DefaultProfileName {
-		activeProfileKeyring := filepath.Join(keyringService, activeProfile)
-		return keyring.Set(activeProfileKeyring, string(key), value)
-	}
-	return keyring.Set(keyringService, string(key), value)
+	return setAuthFieldInKeyringWithContext(StorageContextCLI, activeProfile, key, value)
+}
+
+func setAuthFieldInKeyringWithContext(context StorageContext, activeProfile string, key authFieldKey, value string) error {
+	keyringServiceName := getKeyringServiceName(context, activeProfile)
+	return keyring.Set(keyringServiceName, string(key), value)
 }
 
 func DeleteAuthField(key authFieldKey) error {
+	return DeleteAuthFieldWithContext(StorageContextCLI, key)
+}
+
+// DeleteAuthFieldWithContext deletes an auth field for a specific storage context
+func DeleteAuthFieldWithContext(context StorageContext, key authFieldKey) error {
 	activeProfile, err := config.GetProfile()
 	if err != nil {
 		return fmt.Errorf("get profile: %w", err)
 	}
-	return deleteAuthFieldWithProfile(activeProfile, key)
+	return deleteAuthFieldWithProfileAndContext(context, activeProfile, key)
 }
 
 func deleteAuthFieldWithProfile(profile string, key authFieldKey) error {
-	err := deleteAuthFieldInKeyring(profile, key)
+	return deleteAuthFieldWithProfileAndContext(StorageContextCLI, profile, key)
+}
+
+func deleteAuthFieldWithProfileAndContext(context StorageContext, profile string, key authFieldKey) error {
+	err := deleteAuthFieldInKeyringWithContext(context, profile, key)
 	if err != nil {
 		// if the key is not found, we can ignore the error
 		if !errors.Is(err, keyring.ErrNotFound) {
-			errFallback := deleteAuthFieldInEncodedTextFile(profile, key)
+			errFallback := deleteAuthFieldInEncodedTextFileWithContext(context, profile, key)
 			if errFallback != nil {
 				return fmt.Errorf("delete from keyring failed (%w), try deleting from encoded text file: %w", err, errFallback)
 			}
@@ -136,13 +226,18 @@ func deleteAuthFieldWithProfile(profile string, key authFieldKey) error {
 }
 
 func deleteAuthFieldInEncodedTextFile(activeProfile string, key authFieldKey) error {
-	err := createEncodedTextFile(activeProfile)
+	return deleteAuthFieldInEncodedTextFileWithContext(StorageContextCLI, activeProfile, key)
+}
+
+func deleteAuthFieldInEncodedTextFileWithContext(context StorageContext, activeProfile string, key authFieldKey) error {
+	err := createEncodedTextFileWithContext(context, activeProfile)
 	if err != nil {
 		return err
 	}
 
 	textFileDir := config.GetProfileFolderPath(activeProfile)
-	textFilePath := filepath.Join(textFileDir, textFileName)
+	fileName := getTextFileName(context)
+	textFilePath := filepath.Join(textFileDir, fileName)
 
 	contentEncoded, err := os.ReadFile(textFilePath)
 	if err != nil {
@@ -173,21 +268,27 @@ func deleteAuthFieldInEncodedTextFile(activeProfile string, key authFieldKey) er
 }
 
 func deleteAuthFieldInKeyring(activeProfile string, key authFieldKey) error {
-	keyringServiceLocal := keyringService
-	if activeProfile != config.DefaultProfileName {
-		keyringServiceLocal = filepath.Join(keyringService, activeProfile)
-	}
+	return deleteAuthFieldInKeyringWithContext(StorageContextCLI, activeProfile, key)
+}
 
-	return keyring.Delete(keyringServiceLocal, string(key))
+func deleteAuthFieldInKeyringWithContext(context StorageContext, activeProfile string, key authFieldKey) error {
+	keyringServiceName := getKeyringServiceName(context, activeProfile)
+	return keyring.Delete(keyringServiceName, string(key))
 }
 
 func setAuthFieldInEncodedTextFile(activeProfile string, key authFieldKey, value string) error {
-	err := createEncodedTextFile(activeProfile)
+	return setAuthFieldInEncodedTextFileWithContext(StorageContextCLI, activeProfile, key, value)
+}
+
+func setAuthFieldInEncodedTextFileWithContext(context StorageContext, activeProfile string, key authFieldKey, value string) error {
+	textFileDir := config.GetProfileFolderPath(activeProfile)
+	fileName := getTextFileName(context)
+	textFilePath := filepath.Join(textFileDir, fileName)
+
+	err := createEncodedTextFileWithContext(context, activeProfile)
 	if err != nil {
 		return err
 	}
-	textFileDir := config.GetProfileFolderPath(activeProfile)
-	textFilePath := filepath.Join(textFileDir, textFileName)
 
 	contentEncoded, err := os.ReadFile(textFilePath)
 	if err != nil {
@@ -219,8 +320,13 @@ func setAuthFieldInEncodedTextFile(activeProfile string, key authFieldKey, value
 
 // Populates the values in the given map according to the auth storage
 func GetAuthFieldMap(keyMap map[authFieldKey]string) error {
+	return GetAuthFieldMapWithContext(StorageContextCLI, keyMap)
+}
+
+// GetAuthFieldMapWithContext populates the values in the given map according to the auth storage for a specific context
+func GetAuthFieldMapWithContext(context StorageContext, keyMap map[authFieldKey]string) error {
 	for key := range keyMap {
-		value, err := GetAuthField(key)
+		value, err := GetAuthFieldWithContext(context, key)
 		if err != nil {
 			return fmt.Errorf("get auth field \"%s\": %w", key, err)
 		}
@@ -230,23 +336,36 @@ func GetAuthFieldMap(keyMap map[authFieldKey]string) error {
 }
 
 func GetAuthFlow() (AuthFlow, error) {
-	value, err := GetAuthField(authFlowType)
+	return GetAuthFlowWithContext(StorageContextCLI)
+}
+
+func GetAuthFlowWithContext(context StorageContext) (AuthFlow, error) {
+	value, err := GetAuthFieldWithContext(context, authFlowType)
 	return AuthFlow(value), err
 }
 
 func GetAuthField(key authFieldKey) (string, error) {
+	return GetAuthFieldWithContext(StorageContextCLI, key)
+}
+
+// GetAuthFieldWithContext retrieves an auth field for a specific storage context
+func GetAuthFieldWithContext(context StorageContext, key authFieldKey) (string, error) {
 	activeProfile, err := config.GetProfile()
 	if err != nil {
 		return "", fmt.Errorf("get profile: %w", err)
 	}
-	return getAuthFieldWithProfile(activeProfile, key)
+	return getAuthFieldWithProfileAndContext(context, activeProfile, key)
 }
 
 func getAuthFieldWithProfile(profile string, key authFieldKey) (string, error) {
-	value, err := getAuthFieldFromKeyring(profile, key)
+	return getAuthFieldWithProfileAndContext(StorageContextCLI, profile, key)
+}
+
+func getAuthFieldWithProfileAndContext(context StorageContext, profile string, key authFieldKey) (string, error) {
+	value, err := getAuthFieldFromKeyringWithContext(context, profile, key)
 	if err != nil {
 		var errFallback error
-		value, errFallback = getAuthFieldFromEncodedTextFile(profile, key)
+		value, errFallback = getAuthFieldFromEncodedTextFileWithContext(context, profile, key)
 		if errFallback != nil {
 			return "", fmt.Errorf("read from keyring: %w, read from encoded file as fallback: %w", err, errFallback)
 		}
@@ -255,21 +374,27 @@ func getAuthFieldWithProfile(profile string, key authFieldKey) (string, error) {
 }
 
 func getAuthFieldFromKeyring(activeProfile string, key authFieldKey) (string, error) {
-	if activeProfile != config.DefaultProfileName {
-		activeProfileKeyring := filepath.Join(keyringService, activeProfile)
-		return keyring.Get(activeProfileKeyring, string(key))
-	}
-	return keyring.Get(keyringService, string(key))
+	return getAuthFieldFromKeyringWithContext(StorageContextCLI, activeProfile, key)
+}
+
+func getAuthFieldFromKeyringWithContext(context StorageContext, activeProfile string, key authFieldKey) (string, error) {
+	keyringServiceName := getKeyringServiceName(context, activeProfile)
+	return keyring.Get(keyringServiceName, string(key))
 }
 
 func getAuthFieldFromEncodedTextFile(activeProfile string, key authFieldKey) (string, error) {
-	err := createEncodedTextFile(activeProfile)
+	return getAuthFieldFromEncodedTextFileWithContext(StorageContextCLI, activeProfile, key)
+}
+
+func getAuthFieldFromEncodedTextFileWithContext(context StorageContext, activeProfile string, key authFieldKey) (string, error) {
+	err := createEncodedTextFileWithContext(context, activeProfile)
 	if err != nil {
 		return "", err
 	}
 
 	textFileDir := config.GetProfileFolderPath(activeProfile)
-	textFilePath := filepath.Join(textFileDir, textFileName)
+	fileName := getTextFileName(context)
+	textFilePath := filepath.Join(textFileDir, fileName)
 
 	contentEncoded, err := os.ReadFile(textFilePath)
 	if err != nil {
@@ -295,8 +420,13 @@ func getAuthFieldFromEncodedTextFile(activeProfile string, key authFieldKey) (st
 // If it doesn't, creates it with the content "{}" encoded.
 // If it does, does nothing (and returns nil).
 func createEncodedTextFile(activeProfile string) error {
+	return createEncodedTextFileWithContext(StorageContextCLI, activeProfile)
+}
+
+func createEncodedTextFileWithContext(context StorageContext, activeProfile string) error {
 	textFileDir := config.GetProfileFolderPath(activeProfile)
-	textFilePath := filepath.Join(textFileDir, textFileName)
+	fileName := getTextFileName(context)
+	textFilePath := filepath.Join(textFileDir, fileName)
 
 	err := os.MkdirAll(textFileDir, 0o750)
 	if err != nil {
@@ -364,23 +494,33 @@ func GetAuthEmail() (string, error) {
 }
 
 func LoginUser(email, accessToken, refreshToken, sessionExpiresAtUnix string) error {
+	return LoginUserWithContext(StorageContextCLI, email, accessToken, refreshToken, sessionExpiresAtUnix)
+}
+
+// LoginUserWithContext stores user login credentials for a specific storage context
+func LoginUserWithContext(context StorageContext, email, accessToken, refreshToken, sessionExpiresAtUnix string) error {
 	authFields := map[authFieldKey]string{
 		SESSION_EXPIRES_AT_UNIX: sessionExpiresAtUnix,
 		ACCESS_TOKEN:            accessToken,
 		REFRESH_TOKEN:           refreshToken,
 		USER_EMAIL:              email,
 	}
 
-	err := SetAuthFieldMap(authFields)
+	err := SetAuthFieldMapWithContext(context, authFields)
 	if err != nil {
 		return fmt.Errorf("set auth fields: %w", err)
 	}
 	return nil
 }
 
 func LogoutUser() error {
+	return LogoutUserWithContext(StorageContextCLI)
+}
+
+// LogoutUserWithContext removes user authentication for a specific storage context
+func LogoutUserWithContext(context StorageContext) error {
 	for _, key := range loginAuthFieldKeys {
-		err := DeleteAuthField(key)
+		err := DeleteAuthFieldWithContext(context, key)
 		if err != nil {
 			return fmt.Errorf("delete auth field \"%s\": %w", key, err)
 		}