ske kubeconfig login: regularly rotate cache encryption key

MichaelEischer · MichaelEischer · commit 0b3de3959d0f · 2026-01-22T11:25:16.000+01:00
diff --git a/internal/pkg/auth/storage.go b/internal/pkg/auth/storage.go
@@ -27,17 +27,18 @@ const (
 )
 
 const (
-	SESSION_EXPIRES_AT_UNIX authFieldKey = "session_expires_at_unix"
-	ACCESS_TOKEN            authFieldKey = "access_token"
-	REFRESH_TOKEN           authFieldKey = "refresh_token"
-	SERVICE_ACCOUNT_TOKEN   authFieldKey = "service_account_token"
-	SERVICE_ACCOUNT_EMAIL   authFieldKey = "service_account_email"
-	USER_EMAIL              authFieldKey = "user_email"
-	SERVICE_ACCOUNT_KEY     authFieldKey = "service_account_key"
-	PRIVATE_KEY             authFieldKey = "private_key"
-	TOKEN_CUSTOM_ENDPOINT   authFieldKey = "token_custom_endpoint"
-	IDP_TOKEN_ENDPOINT      authFieldKey = "idp_token_endpoint" //nolint:gosec // linter false positive
-	CACHE_ENCRYPTION_KEY    authFieldKey = "cache_encryption_key"
+	SESSION_EXPIRES_AT_UNIX  authFieldKey = "session_expires_at_unix"
+	ACCESS_TOKEN             authFieldKey = "access_token"
+	REFRESH_TOKEN            authFieldKey = "refresh_token"
+	SERVICE_ACCOUNT_TOKEN    authFieldKey = "service_account_token"
+	SERVICE_ACCOUNT_EMAIL    authFieldKey = "service_account_email"
+	USER_EMAIL               authFieldKey = "user_email"
+	SERVICE_ACCOUNT_KEY      authFieldKey = "service_account_key"
+	PRIVATE_KEY              authFieldKey = "private_key"
+	TOKEN_CUSTOM_ENDPOINT    authFieldKey = "token_custom_endpoint"
+	IDP_TOKEN_ENDPOINT       authFieldKey = "idp_token_endpoint" //nolint:gosec // linter false positive
+	CACHE_ENCRYPTION_KEY     authFieldKey = "cache_encryption_key"
+	CACHE_ENCRYPTION_KEY_AGE authFieldKey = "cache_encryption_key_age"
 )
 
 const (
@@ -61,6 +62,7 @@ var authFieldKeys = []authFieldKey{
 	IDP_TOKEN_ENDPOINT,
 	authFlowType,
 	CACHE_ENCRYPTION_KEY,
+	CACHE_ENCRYPTION_KEY_AGE,
 }
 
 // All fields that are set when a user logs in
diff --git a/internal/pkg/cache/cache.go b/internal/pkg/cache/cache.go
@@ -10,6 +10,8 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
+	"time"
 
 	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
 )
@@ -22,16 +24,30 @@ var (
 	ErrorInvalidCacheIdentifier = fmt.Errorf("invalid cache identifier")
 )
 
+const (
+	cacheKeyMaxAge = 90 * 24 * time.Hour
+)
+
 func Init() error {
 	cacheDir, err := os.UserCacheDir()
 	if err != nil {
 		return fmt.Errorf("get user cache dir: %w", err)
 	}
 	cacheFolderPath = filepath.Join(cacheDir, "stackit")
 
+	// Encryption keys should only be used a limited number of times for aes-gcm.
+	// Thus, refresh the key periodically. This will invalidate all cached entries.
 	key, _ := auth.GetAuthField(auth.CACHE_ENCRYPTION_KEY)
+	age, _ := auth.GetAuthField(auth.CACHE_ENCRYPTION_KEY_AGE)
 	cacheEncryptionKey = nil
-	if key != "" {
+	var keyAge time.Time
+	if age != "" {
+		ageSeconds, err := strconv.ParseInt(age, 10, 64)
+		if err == nil {
+			keyAge = time.Unix(ageSeconds, 0)
+		}
+	}
+	if key != "" && keyAge.Add(cacheKeyMaxAge).After(time.Now()) {
 		cacheEncryptionKey, _ = base64.StdEncoding.DecodeString(key)
 		// invalid key length
 		if len(cacheEncryptionKey) != 32 {
@@ -45,7 +61,14 @@ func Init() error {
 			return fmt.Errorf("cache encryption key: %v", err)
 		}
 		key := base64.StdEncoding.EncodeToString(cacheEncryptionKey)
-		return auth.SetAuthField(auth.CACHE_ENCRYPTION_KEY, key)
+		err = auth.SetAuthField(auth.CACHE_ENCRYPTION_KEY, key)
+		if err != nil {
+			return fmt.Errorf("save cache encryption key: %v", err)
+		}
+		err = auth.SetAuthField(auth.CACHE_ENCRYPTION_KEY_AGE, fmt.Sprint(time.Now().Unix()))
+		if err != nil {
+			return fmt.Errorf("save cache encryption key age: %v", err)
+		}
 	}
 	return nil
 }
