add secrets package to manage secrets

- Add secret store that supports different backends
- We use a registry map for a few secrets and the registry gets
  persisted as one secret to the keyring. We don't waant to create a
  keyring secret for every different secret
- Store is opened once to load the registry.

Author: burmudar

internal/keyring/keyring.go internal/secrets/keyring.gointernal/keyring/keyring.go renamed to internal/secrets/keyring.go

@@ -1,5 +1,4 @@
-// Package keyring provides secure credential storage using the system keychain.
-package keyring
+package secrets
 
 import (
 	"github.com/99designs/keyring"
@@ -8,13 +7,13 @@ import (
 
 const serviceName = "sourcegraph-cli"
 
-// Store provides secure credential storage operations.
-type Store struct {
+// keyringStore provides secure credential storage operations.
+type keyringStore struct {
 	ring keyring.Keyring
 }
 
-// Open opens the system keyring for the Sourcegraph CLI.
-func Open() (*Store, error) {
+// open opens the system keyring for the Sourcegraph CLI.
+func openKeyring() (*keyringStore, error) {
 	ring, err := keyring.Open(keyring.Config{
 		ServiceName:              serviceName,
 		KeychainName:             "login", // This is the default name for the keychain where MacOS puts all login passwords
@@ -23,12 +22,12 @@ func Open() (*Store, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "opening keyring")
 	}
-	return &Store{ring: ring}, nil
+	return &keyringStore{ring: ring}, nil
 }
 
 // Set stores a key-value pair in the keyring.
-func (s *Store) Set(key string, data []byte) error {
-	err := s.ring.Set(keyring.Item{
+func (k *keyringStore) Put(key string, data []byte) error {
+	err := k.ring.Set(keyring.Item{
 		Key:   key,
 		Data:  data,
 		Label: key,
@@ -41,20 +40,20 @@ func (s *Store) Set(key string, data []byte) error {
 
 // Get retrieves a value by key from the keyring.
 // Returns nil, nil if the key is not found.
-func (s *Store) Get(key string) ([]byte, error) {
-	item, err := s.ring.Get(key)
+func (k *keyringStore) Get(key string) ([]byte, error) {
+	item, err := k.ring.Get(key)
 	if err != nil {
 		if err == keyring.ErrKeyNotFound {
-			return nil, nil
+			return nil, ErrSecretNotFound
 		}
 		return nil, errors.Wrap(err, "getting item from keyring")
 	}
 	return item.Data, nil
 }
 
 // Delete removes a key from the keyring.
-func (s *Store) Delete(key string) error {
-	err := s.ring.Remove(key)
+func (k *keyringStore) Delete(key string) error {
+	err := k.ring.Remove(key)
 	if err != nil && err != keyring.ErrKeyNotFound {
 		return errors.Wrap(err, "removing item from keyring")
 	}

internal/secrets/store.go

@@ -0,0 +1,104 @@
+package secrets
+
+import (
+	"encoding/json"
+	"sync"
+
+	"github.com/sourcegraph/sourcegraph/lib/errors"
+)
+
+const keyRegistry = "secret-registry"
+
+var ErrSecretNotFound = errors.New("secret not found")
+
+var openOnce = sync.OnceValues(Open)
+
+type SecretStorage interface {
+	Get(key string) ([]byte, error)
+	Put(key string, data []byte) error
+	Delete(key string) error
+}
+
+type store struct {
+	backend  SecretStorage
+	registry map[string][]byte
+
+	mu sync.Mutex
+}
+
+func Store() (SecretStorage, error) {
+	return openOnce()
+}
+
+func Open() (SecretStorage, error) {
+	keyring, err := openKeyring()
+	if err != nil {
+		return nil, err
+	}
+
+	registry, err := getRegistry(keyring)
+	if err != nil {
+		return nil, err
+	}
+	s := &store{
+		backend:  keyring,
+		registry: registry,
+	}
+
+	return s, nil
+}
+
+func getRegistry(s SecretStorage) (map[string][]byte, error) {
+	data, err := s.Get(keyRegistry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to load registry from backing store")
+	}
+
+	var registry map[string][]byte
+	if err := json.Unmarshal(data, &registry); err != nil {
+		return nil, errors.Wrap(err, "failed to decode registry from backing store")
+	}
+
+	return registry, nil
+}
+
+func saveRegistry(s SecretStorage, registry map[string][]byte) error {
+	data, err := json.Marshal(&registry)
+	if err != nil {
+		return errors.Wrap(err, "registry encoding failure")
+	}
+
+	if err = s.Put(keyRegistry, data); err != nil {
+		return errors.Wrap(err, "failed to persist registry to backing store")
+	}
+
+	return nil
+}
+
+func (s *store) Get(key string) ([]byte, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	v, ok := s.registry[key]
+	if !ok {
+		return nil, ErrSecretNotFound
+	}
+
+	return v, nil
+}
+
+func (s *store) Put(key string, data []byte) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.registry[key] = data
+
+	return saveRegistry(s.backend, s.registry)
+}
+
+func (s *store) Delete(key string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	delete(s.registry, key)
+	return saveRegistry(s.backend, s.registry)
+}