diff --git a/.bingo/go.mod b/.bingo/go.mod index 610249af..6db5a774 100644 --- a/.bingo/go.mod +++ b/.bingo/go.mod @@ -1 +1,3 @@ -module _ // Fake go.mod auto-created by 'bingo' for go -moddir compatibility with non-Go projects. Commit this file, together with other .mod files. \ No newline at end of file +module _ // Fake go.mod auto-created by 'bingo' for go -moddir compatibility with non-Go projects. Commit this file, together with other .mod files. + +go 1.24.7 diff --git a/pkg/internal/pop/cache/darwin.go b/pkg/internal/pop/cache/darwin.go index 6632af0a..94e4a3bf 100644 --- a/pkg/internal/pop/cache/darwin.go +++ b/pkg/internal/pop/cache/darwin.go @@ -3,12 +3,19 @@ package cache import ( + "crypto/sha256" + "encoding/hex" + "github.com/AzureAD/microsoft-authentication-extensions-for-go/cache/accessor" ) // storage creates a platform-specific accessor for macOS func storage(cachePath string) (accessor.Accessor, error) { - // Use "kubelogin-pop" as the service name in macOS Keychain - // "MSALCache" becomes the account identifier within that service - return accessor.New("kubelogin-pop", accessor.WithAccount("MSALCache")) + // Use a hash of the full cache path as the account identifier to ensure uniqueness + // This prevents cache conflicts when multiple cache directories are used + // (e.g., different clusters with different --cache-dir settings) + // We use a hash because macOS Keychain has limitations on account name length + hash := sha256.Sum256([]byte(cachePath)) + account := hex.EncodeToString(hash[:16]) // Use first 16 bytes for reasonable uniqueness + return accessor.New("kubelogin-pop", accessor.WithAccount(account)) } diff --git a/pkg/internal/pop/cache/linux.go b/pkg/internal/pop/cache/linux.go index 11e4426d..a7260302 100644 --- a/pkg/internal/pop/cache/linux.go +++ b/pkg/internal/pop/cache/linux.go @@ -67,8 +67,9 @@ func newKeyring(p string) (*keyring, error) { if persistentRing, err := unix.KeyctlInt(unix.KEYCTL_GET_PERSISTENT, -1, ringID, 0, 0); err == nil { ringID = persistentRing } - // Use the actual filename as the keyring description to ensure each file has its own encryption key - description := filepath.Base(p) + // Use the full path as the keyring description to ensure each cache directory has its own encryption key + // This prevents cache conflicts when multiple cache directories are used (e.g., different clusters) + description := p return &keyring{description: description, file: p, ringID: ringID}, nil } diff --git a/pkg/internal/pop/cache/linux_test.go b/pkg/internal/pop/cache/linux_test.go index 95b72261..5540c0b0 100644 --- a/pkg/internal/pop/cache/linux_test.go +++ b/pkg/internal/pop/cache/linux_test.go @@ -140,9 +140,8 @@ func TestKeyringDescription(t *testing.T) { k, err := newKeyring(path) require.NoError(t, err) - // Verify description is the filename - expectedDesc := filepath.Base(path) - require.Equal(t, expectedDesc, k.description) + // Verify description is the full path (changed to prevent cache conflicts) + require.Equal(t, path, k.description) // Verify each path gets a unique description require.False(t, descriptions[k.description], "description %q should be unique", k.description)