ske kubeconfig login: encrypt cache

MichaelEischer · MichaelEischer · commit 7157dad9794c · 2026-01-22T11:25:16.000+01:00
diff --git a/internal/pkg/auth/storage.go b/internal/pkg/auth/storage.go
@@ -37,6 +37,7 @@ const (
 	PRIVATE_KEY             authFieldKey = "private_key"
 	TOKEN_CUSTOM_ENDPOINT   authFieldKey = "token_custom_endpoint"
 	IDP_TOKEN_ENDPOINT      authFieldKey = "idp_token_endpoint" //nolint:gosec // linter false positive
+	CACHE_ENCRYPTION_KEY    authFieldKey = "cache_encryption_key"
 )
 
 const (
@@ -59,6 +60,7 @@ var authFieldKeys = []authFieldKey{
 	TOKEN_CUSTOM_ENDPOINT,
 	IDP_TOKEN_ENDPOINT,
 	authFlowType,
+	CACHE_ENCRYPTION_KEY,
 }
 
 // All fields that are set when a user logs in
diff --git a/internal/pkg/cache/cache.go b/internal/pkg/cache/cache.go
@@ -1,15 +1,22 @@
 package cache
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"regexp"
+
+	"github.com/stackitcloud/stackit-cli/internal/pkg/auth"
 )
 
 var (
-	cacheFolderPath string
+	cacheFolderPath    string
+	cacheEncryptionKey []byte
 
 	identifierRegex             = regexp.MustCompile("^[a-zA-Z0-9-]+$")
 	ErrorInvalidCacheIdentifier = fmt.Errorf("invalid cache identifier")
@@ -21,6 +28,25 @@ func Init() error {
 		return fmt.Errorf("get user cache dir: %w", err)
 	}
 	cacheFolderPath = filepath.Join(cacheDir, "stackit")
+
+	key, _ := auth.GetAuthField(auth.CACHE_ENCRYPTION_KEY)
+	cacheEncryptionKey = nil
+	if key != "" {
+		cacheEncryptionKey, _ = base64.StdEncoding.DecodeString(key)
+		// invalid key length
+		if len(cacheEncryptionKey) != 32 {
+			cacheEncryptionKey = nil
+		}
+	}
+	if len(cacheEncryptionKey) == 0 {
+		cacheEncryptionKey = make([]byte, 32)
+		_, err := rand.Read(cacheEncryptionKey)
+		if err != nil {
+			return fmt.Errorf("cache encryption key: %v", err)
+		}
+		key := base64.StdEncoding.EncodeToString(cacheEncryptionKey)
+		return auth.SetAuthField(auth.CACHE_ENCRYPTION_KEY, key)
+	}
 	return nil
 }
 
@@ -32,7 +58,21 @@ func GetObject(identifier string) ([]byte, error) {
 		return nil, ErrorInvalidCacheIdentifier
 	}
 
-	return os.ReadFile(filepath.Join(cacheFolderPath, identifier))
+	data, err := os.ReadFile(filepath.Join(cacheFolderPath, identifier))
+	if err != nil {
+		return nil, err
+	}
+
+	block, err := aes.NewCipher(cacheEncryptionKey)
+	if err != nil {
+		return nil, err
+	}
+	aead, err := cipher.NewGCMWithRandomNonce(block)
+	if err != nil {
+		return nil, err
+	}
+
+	return aead.Open(nil, nil, data, nil)
 }
 
 func PutObject(identifier string, data []byte) error {
@@ -48,7 +88,17 @@ func PutObject(identifier string, data []byte) error {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(cacheFolderPath, identifier), data, 0o600)
+	block, err := aes.NewCipher(cacheEncryptionKey)
+	if err != nil {
+		return err
+	}
+	aead, err := cipher.NewGCMWithRandomNonce(block)
+	if err != nil {
+		return err
+	}
+	encrypted := aead.Seal(nil, nil, data, nil)
+
+	return os.WriteFile(filepath.Join(cacheFolderPath, identifier), encrypted, 0o600)
 }
 
 func DeleteObject(identifier string) error {
diff --git a/internal/pkg/cache/cache_test.go b/internal/pkg/cache/cache_test.go
@@ -6,10 +6,11 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
 )
 
-func TestGetObject(t *testing.T) {
+func TestGetObjectErrors(t *testing.T) {
 	if err := Init(); err != nil {
 		t.Fatalf("cache init failed: %s", err)
 	}
@@ -20,12 +21,6 @@ func TestGetObject(t *testing.T) {
 		expectFile  bool
 		expectedErr error
 	}{
-		{
-			description: "identifier exists",
-			identifier:  "test-cache-get-exists",
-			expectFile:  true,
-			expectedErr: nil,
-		},
 		{
 			description: "identifier does not exist",
 			identifier:  "test-cache-get-not-exists",
@@ -205,3 +200,26 @@ func TestDeleteObject(t *testing.T) {
 		})
 	}
 }
+
+func TestWriteAndRead(t *testing.T) {
+	if err := Init(); err != nil {
+		t.Fatalf("cache init failed: %s", err)
+	}
+
+	id := "test-cycle-" + uuid.NewString()
+	data := []byte("test-data")
+	err := PutObject(id, data)
+	if err != nil {
+		t.Fatalf("putobject failed: %v", err)
+	}
+
+	readData, err := GetObject(id)
+	if err != nil {
+		t.Fatalf("getobject failed: %v", err)
+	}
+
+	diff := cmp.Diff(data, readData)
+	if diff != "" {
+		t.Fatalf("unexpected data diff: %v", diff)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ const (`
`37`	`37`	`PRIVATE_KEY authFieldKey = "private_key"`
`38`	`38`	`TOKEN_CUSTOM_ENDPOINT authFieldKey = "token_custom_endpoint"`
`39`	`39`	`IDP_TOKEN_ENDPOINT authFieldKey = "idp_token_endpoint" //nolint:gosec // linter false positive`
	`40`	`+ CACHE_ENCRYPTION_KEY authFieldKey = "cache_encryption_key"`
`40`	`41`	`)`
`41`	`42`
`42`	`43`	`const (`
`@@ -59,6 +60,7 @@ var authFieldKeys = []authFieldKey{`
`59`	`60`	`TOKEN_CUSTOM_ENDPOINT,`
`60`	`61`	`IDP_TOKEN_ENDPOINT,`
`61`	`62`	`authFlowType,`
	`63`	`+ CACHE_ENCRYPTION_KEY,`
`62`	`64`	`}`
`63`	`65`
`64`	`66`	`// All fields that are set when a user logs in`