feat(security): integrate @push.rocks/smartsecret for keychain-based token storage

Connection tokens are now stored in OS keychain (or encrypted file fallback) instead of plaintext JSON. Existing plaintext tokens auto-migrate on first load.
2026-02-24 16:37:13 +00:00
parent 6889b81159
commit 06f447459e
6 changed files with 59 additions and 8 deletions
--- a/deno.json
+++ b/deno.json
@@ -19,7 +19,8 @@
    "@apiclient.xyz/gitea": "npm:@apiclient.xyz/gitea@^1.0.3",
    "@apiclient.xyz/gitlab": "npm:@apiclient.xyz/gitlab@^2.0.3",
    "@push.rocks/smartmongo": "npm:@push.rocks/smartmongo@^5.1.0",
-    "@push.rocks/smartdata": "npm:@push.rocks/smartdata@^7.0.15"
+    "@push.rocks/smartdata": "npm:@push.rocks/smartdata@^7.0.15",
+    "@push.rocks/smartsecret": "npm:@push.rocks/smartsecret@^1.0.1"
  },
  "compilerOptions": {
    "lib": [
--- a/test/test.basic_test.ts
+++ b/test/test.basic_test.ts
@@ -3,6 +3,7 @@ import { BaseProvider, GiteaProvider, GitLabProvider } from '../ts/providers/ind
 import { ConnectionManager } from '../ts/classes/connectionmanager.ts';
 import { GitopsApp } from '../ts/classes/gitopsapp.ts';
 import { StorageManager } from '../ts/storage/index.ts';
+import * as smartsecret from '@push.rocks/smartsecret';

 Deno.test('GiteaProvider instantiates correctly', () => {
  const provider = new GiteaProvider('test-id', 'https://gitea.example.com', 'test-token');
@@ -20,7 +21,8 @@ Deno.test('GitLabProvider instantiates correctly', () => {

 Deno.test('ConnectionManager instantiates correctly', () => {
  const storage = new StorageManager({ backend: 'memory' });
-  const manager = new ConnectionManager(storage);
+  const secret = new smartsecret.SmartSecret({ service: 'gitops-test' });
+  const manager = new ConnectionManager(storage, secret);
  assertExists(manager);
 });

@@ -28,6 +30,7 @@ Deno.test('GitopsApp instantiates correctly', () => {
  const app = new GitopsApp();
  assertExists(app);
  assertExists(app.storageManager);
+  assertExists(app.smartSecret);
  assertExists(app.connectionManager);
  assertExists(app.opsServer);
 });
--- a/test/test.storage_test.ts
+++ b/test/test.storage_test.ts
@@ -1,5 +1,6 @@
 import { assertEquals, assertExists } from 'https://deno.land/std@0.208.0/assert/mod.ts';
 import { StorageManager } from '../ts/storage/index.ts';
+import * as smartsecret from '@push.rocks/smartsecret';

 Deno.test('StorageManager memory: set and get', async () => {
  const sm = new StorageManager({ backend: 'memory' });
@@ -114,7 +115,8 @@ Deno.test('StorageManager filesystem: list keys', async () => {
 Deno.test('ConnectionManager with StorageManager: create and load', async () => {
  const { ConnectionManager } = await import('../ts/classes/connectionmanager.ts');
  const sm = new StorageManager({ backend: 'memory' });
-  const cm = new ConnectionManager(sm);
+  const secret = new smartsecret.SmartSecret({ service: 'gitops-test' });
+  const cm = new ConnectionManager(sm, secret);
  await cm.init();

  // Create a connection
@@ -129,7 +131,7 @@ Deno.test('ConnectionManager with StorageManager: create and load', async () =>
  assertEquals(stored.id, conn.id);

  // Create a new ConnectionManager and verify it loads the connection
-  const cm2 = new ConnectionManager(sm);
+  const cm2 = new ConnectionManager(sm, secret);
  await cm2.init();
  const conns = cm2.getConnections();
  assertEquals(conns.length, 1);
--- a/ts/classes/connectionmanager.ts
+++ b/ts/classes/connectionmanager.ts
@@ -6,17 +6,21 @@ import type { StorageManager } from '../storage/index.ts';

 const LEGACY_CONNECTIONS_FILE = './.nogit/connections.json';
 const CONNECTIONS_PREFIX = '/connections/';
+const KEYCHAIN_PREFIX = 'keychain:';

 /**
 * Manages provider connections — persists each connection as an
- * individual JSON file via StorageManager.
+ * individual JSON file via StorageManager. Tokens are stored in
+ * the OS keychain (or encrypted file fallback) via SmartSecret.
 */
 export class ConnectionManager {
  private connections: interfaces.data.IProviderConnection[] = [];
  private storageManager: StorageManager;
+  private smartSecret: plugins.smartsecret.SmartSecret;

-  constructor(storageManager: StorageManager) {
+  constructor(storageManager: StorageManager, smartSecret: plugins.smartsecret.SmartSecret) {
    this.storageManager = storageManager;
+    this.smartSecret = smartSecret;
  }

  async init(): Promise<void> {
@@ -51,6 +55,18 @@ export class ConnectionManager {
    for (const key of keys) {
      const conn = await this.storageManager.getJSON<interfaces.data.IProviderConnection>(key);
      if (conn) {
+        if (conn.token.startsWith(KEYCHAIN_PREFIX)) {
+          // Token is in keychain — retrieve it
+          const realToken = await this.smartSecret.getSecret(conn.id);
+          if (realToken) {
+            conn.token = realToken;
+          } else {
+            logger.warn(`Could not retrieve token for connection ${conn.id} from keychain`);
+          }
+        } else if (conn.token && conn.token !== '***') {
+          // Plaintext token found — auto-migrate to keychain
+          await this.migrateTokenToKeychain(conn);
+        }
        this.connections.push(conn);
      }
    }
@@ -61,11 +77,33 @@ export class ConnectionManager {
    }
  }

+  /**
+   * Migrates a plaintext token to keychain storage.
+   */
+  private async migrateTokenToKeychain(
+    conn: interfaces.data.IProviderConnection,
+  ): Promise<void> {
+    try {
+      await this.smartSecret.setSecret(conn.id, conn.token);
+      // Save sentinel to JSON file
+      const jsonConn = { ...conn, token: `${KEYCHAIN_PREFIX}${conn.id}` };
+      await this.storageManager.setJSON(`${CONNECTIONS_PREFIX}${conn.id}.json`, jsonConn);
+      logger.info(`Migrated token for connection "${conn.name}" to keychain`);
+    } catch (err) {
+      logger.warn(`Failed to migrate token for ${conn.id} to keychain: ${err}`);
+    }
+  }
+
  private async persistConnection(conn: interfaces.data.IProviderConnection): Promise<void> {
-    await this.storageManager.setJSON(`${CONNECTIONS_PREFIX}${conn.id}.json`, conn);
+    // Store real token in keychain
+    await this.smartSecret.setSecret(conn.id, conn.token);
+    // Save JSON with sentinel value
+    const jsonConn = { ...conn, token: `${KEYCHAIN_PREFIX}${conn.id}` };
+    await this.storageManager.setJSON(`${CONNECTIONS_PREFIX}${conn.id}.json`, jsonConn);
  }

  private async removeConnection(id: string): Promise<void> {
+    await this.smartSecret.deleteSecret(id);
    await this.storageManager.delete(`${CONNECTIONS_PREFIX}${id}.json`);
  }

--- a/ts/classes/gitopsapp.ts
+++ b/ts/classes/gitopsapp.ts
@@ -1,3 +1,4 @@
+import * as plugins from '../plugins.ts';
 import { logger } from '../logging.ts';
 import { ConnectionManager } from './connectionmanager.ts';
 import { OpsServer } from '../opsserver/index.ts';
@@ -10,6 +11,7 @@ import { resolvePaths } from '../paths.ts';
 */
 export class GitopsApp {
  public storageManager: StorageManager;
+  public smartSecret: plugins.smartsecret.SmartSecret;
  public connectionManager: ConnectionManager;
  public opsServer: OpsServer;
  public cacheDb: CacheDb;
@@ -21,7 +23,8 @@ export class GitopsApp {
      backend: 'filesystem',
      fsPath: paths.defaultStoragePath,
    });
-    this.connectionManager = new ConnectionManager(this.storageManager);
+    this.smartSecret = new plugins.smartsecret.SmartSecret({ service: 'gitops' });
+    this.connectionManager = new ConnectionManager(this.storageManager, this.smartSecret);

    this.cacheDb = CacheDb.getInstance({
      storagePath: paths.defaultTsmDbPath,
--- a/ts/plugins.ts
+++ b/ts/plugins.ts
@@ -28,3 +28,7 @@ export { giteaClient, gitlabClient };
 import * as smartmongo from '@push.rocks/smartmongo';
 import * as smartdata from '@push.rocks/smartdata';
 export { smartmongo, smartdata };
+
+// Secrets
+import * as smartsecret from '@push.rocks/smartsecret';
+export { smartsecret };