Merge pull request #660 from cjuega/main

fix(#659): allow client to request credentials in each call via envvar

Author: Peefy

pkg/client/client.go

@@ -77,6 +77,11 @@ func (c *KpmClient) SetNoSumCheck(noSumCheck bool) {
 
 // GetCredsClient will return the credential client.
 func (c *KpmClient) GetCredsClient() (*downloader.CredClient, error) {
+	reloadCreds, _ := c.settings.ForceReloadCredsPerUse()
+	if reloadCreds {
+		return downloader.LoadCredentialFile(c.settings.CredentialsFile)
+	}
+
 	if c.credsClient == nil {
 		credCli, err := downloader.LoadCredentialFile(c.settings.CredentialsFile)
 		if err != nil {

pkg/client/client_test.go

@@ -2783,3 +2783,43 @@ func TestUpdateGitNewLocalStorage(t *testing.T) {
 	}
 	RunTestWithGlobalLockAndKpmCli(t, []TestSuite{{Name: "TestUpdateGitNewLocalStorage", TestFunc: testFunc}})
 }
+
+func TestGetCredsClientReloadBehavior(t *testing.T) {
+	// preserve and restore env
+	orig := os.Getenv("KPM_RELOAD_CREDS")
+	defer os.Setenv("KPM_RELOAD_CREDS", orig)
+
+	// Prepare a temporary credentials file path
+	tmpDir := t.TempDir()
+	credsPath := filepath.Join(tmpDir, "config.json")
+	// Create an empty file; the oras docker auth client tolerates empty store for constructing client
+	_ = os.WriteFile(credsPath, []byte("{}"), 0644)
+
+	// Helper to build client with injected settings path
+	newClientWithCredsPath := func() *KpmClient {
+		cli, err := NewKpmClient()
+		assert.Nil(t, err)
+		// overwrite settings to point to our temp creds file and reload env
+		cli.settings.CredentialsFile = credsPath
+		_, _ = cli.settings.LoadSettingsFromEnv()
+		return cli
+	}
+
+	// OFF (default) -> cached; repeated calls should return the same pointer
+	_ = os.Setenv("KPM_RELOAD_CREDS", "off")
+	c := newClientWithCredsPath()
+	cc1, err := c.GetCredsClient()
+	assert.Nil(t, err)
+	cc2, err := c.GetCredsClient()
+	assert.Nil(t, err)
+	assert.Equal(t, cc1, cc2)
+
+	// ON -> reload each time; repeated calls should return different pointers
+	_ = os.Setenv("KPM_RELOAD_CREDS", "on")
+	c = newClientWithCredsPath()
+	cc3, err := c.GetCredsClient()
+	assert.Nil(t, err)
+	cc4, err := c.GetCredsClient()
+	assert.Nil(t, err)
+	assert.NotEqual(t, cc3, cc4)
+}

pkg/settings/settings.go

@@ -31,6 +31,7 @@ type KpmConf struct {
 	DefaultOciRegistry  string
 	DefaultOciRepo      string
 	DefaultOciPlainHttp *bool `json:",omitempty"`
+	ReloadCredsPerUse   *bool `json:",omitempty"`
 }
 
 const ON = "on"
@@ -41,6 +42,7 @@ const DEFAULT_OCI_PLAIN_HTTP = ON
 const DEFAULT_REGISTRY_ENV = "KPM_REG"
 const DEFAULT_REPO_ENV = "KPM_REPO"
 const DEFAULT_OCI_PLAIN_HTTP_ENV = "OCI_REG_PLAIN_HTTP"
+const DEFAULT_RELOAD_CREDS_ENV = "KPM_RELOAD_CREDS"
 
 // This is a singleton that loads kpm settings from 'kpm.json'
 // and is only initialized on the first call by 'Init()' or 'GetSettings()'
@@ -53,6 +55,7 @@ func DefaultKpmConf() KpmConf {
 		DefaultOciRegistry:  DEFAULT_REGISTRY,
 		DefaultOciRepo:      DEFAULT_REPO,
 		DefaultOciPlainHttp: nil,
+		ReloadCredsPerUse:   nil,
 	}
 }
 
@@ -153,6 +156,14 @@ func (settings *Settings) ForceOciPlainHttp() (bool, bool) {
 	return *settings.Conf.DefaultOciPlainHttp, true
 }
 
+// ForceReloadCredsPerUse returns whether reloading credentials per use is forced.
+func (settings *Settings) ForceReloadCredsPerUse() (bool, bool) {
+	if settings.Conf.ReloadCredsPerUse == nil {
+		return false, false
+	}
+	return *settings.Conf.ReloadCredsPerUse, true
+}
+
 // DefaultOciRef return the default OCI ref 'ghcr.io/kcl-lang'.
 func (settings *Settings) DefaultOciRef() string {
 	return utils.JoinPath(settings.Conf.DefaultOciRegistry, settings.Conf.DefaultOciRepo)
@@ -184,6 +195,20 @@ func (settings *Settings) LoadSettingsFromEnv() (*Settings, *reporter.KpmEvent)
 			)
 		}
 	}
+
+	// Load the env KPM_RELOAD_CREDS (ON/OFF)
+	reloadCreds := os.Getenv(DEFAULT_RELOAD_CREDS_ENV)
+	if len(reloadCreds) > 0 {
+		shouldReload, err := isOn(reloadCreds)
+		settings.Conf.ReloadCredsPerUse = &shouldReload
+		if err != nil {
+			return settings, reporter.NewErrorEvent(
+				reporter.UnknownEnv,
+				err,
+				fmt.Sprintf("unknown environment variable '%s=%s'", DEFAULT_RELOAD_CREDS_ENV, reloadCreds),
+			)
+		}
+	}
 	return settings, nil
 }
 

pkg/settings/settings_test.go

@@ -187,3 +187,34 @@ func TestSettingEnv(t *testing.T) {
 	settings = GetSettings()
 	assert.Equal(t, settings.DefaultOciPlainHttp(), false)
 }
+
+func TestReloadCredsEnvParsing(t *testing.T) {
+	// preserve and restore env
+	orig := os.Getenv("KPM_RELOAD_CREDS")
+	defer os.Setenv("KPM_RELOAD_CREDS", orig)
+
+	// invalid value -> UnknownEnv error
+	_ = os.Setenv("KPM_RELOAD_CREDS", "true")
+	s := &Settings{Conf: DefaultKpmConf()}
+	_, evt := s.LoadSettingsFromEnv()
+	assert.NotNil(t, evt)
+	assert.Equal(t, reporter.UnknownEnv, evt.Type())
+
+	// ON -> true
+	_ = os.Setenv("KPM_RELOAD_CREDS", "on")
+	s = &Settings{Conf: DefaultKpmConf()}
+	_, evt = s.LoadSettingsFromEnv()
+	assert.Nil(t, evt)
+	reload, force := s.ForceReloadCredsPerUse()
+	assert.True(t, force)
+	assert.True(t, reload)
+
+	// OFF -> false
+	_ = os.Setenv("KPM_RELOAD_CREDS", "off")
+	s = &Settings{Conf: DefaultKpmConf()}
+	_, evt = s.LoadSettingsFromEnv()
+	assert.Nil(t, evt)
+	reload, force = s.ForceReloadCredsPerUse()
+	assert.True(t, force)
+	assert.False(t, reload)
+}