Merge pull request #23 from auths-dev/feat/wire-keychain-passphrase-cache

feat: wire OS keychain passphrase cache into signing flow

Author: bordumb

crates/auths-cli/src/bin/sign.rs

@@ -31,9 +31,10 @@ use clap::Parser;
 
 use auths_cli::core::pubkey_cache::get_cached_pubkey;
 use auths_cli::factories::build_agent_provider;
-use auths_core::config::EnvironmentConfig;
-use auths_core::signing::{CachedPassphraseProvider, PassphraseProvider};
+use auths_core::config::{EnvironmentConfig, load_config};
+use auths_core::signing::{KeychainPassphraseProvider, PassphraseProvider};
 use auths_core::storage::keychain::get_platform_keychain;
+use auths_core::storage::passphrase_cache::{get_passphrase_cache, parse_duration_str};
 use auths_sdk::workflows::signing::{
     CommitSigningContext, CommitSigningParams, CommitSigningWorkflow,
 };
@@ -101,7 +102,7 @@ fn parse_key_identifier(key_file: &str) -> Result<String> {
     }
 }
 
-fn build_signing_context() -> Result<CommitSigningContext> {
+fn build_signing_context(alias: &str) -> Result<CommitSigningContext> {
     let env_config = EnvironmentConfig::from_env();
 
     let keychain =
@@ -111,10 +112,20 @@ fn build_signing_context() -> Result<CommitSigningContext> {
         if let Some(passphrase) = env_config.keychain.passphrase.clone() {
             Arc::new(auths_core::PrefilledPassphraseProvider::new(&passphrase))
         } else {
+            let config = load_config();
+            let cache = get_passphrase_cache(config.passphrase.biometric);
+            let ttl_secs = config
+                .passphrase
+                .duration
+                .as_deref()
+                .and_then(parse_duration_str);
             let inner = Arc::new(auths_cli::core::provider::CliPassphraseProvider::new());
-            Arc::new(CachedPassphraseProvider::new(
+            Arc::new(KeychainPassphraseProvider::new(
                 inner,
-                std::time::Duration::from_secs(3600),
+                cache,
+                alias.to_string(),
+                config.passphrase.cache,
+                ttl_secs,
             ))
         };
 
@@ -243,7 +254,7 @@ fn run_sign(args: &Args) -> Result<()> {
 
     let repo_path = auths_id::storage::layout::resolve_repo_path(None).ok();
 
-    let ctx = build_signing_context()?;
+    let ctx = build_signing_context(&alias)?;
     let mut params = CommitSigningParams::new(&alias, namespace, data).with_pubkey(pubkey);
     if let Some(path) = repo_path {
         params = params.with_repo_path(path);

crates/auths-core/src/config.rs

@@ -217,8 +217,8 @@ fn default_biometric() -> bool {
 impl Default for PassphraseConfig {
     fn default() -> Self {
         Self {
-            cache: PassphraseCachePolicy::default(),
-            duration: None,
+            cache: PassphraseCachePolicy::Duration,
+            duration: Some("1h".to_string()),
             biometric: default_biometric(),
         }
     }

crates/auths-core/src/lib.rs

@@ -82,4 +82,4 @@ pub use agent::{
 };
 pub use crypto::{EncryptionAlgorithm, SignerKey};
 pub use error::{AgentError, AuthsErrorInfo};
-pub use signing::PrefilledPassphraseProvider;
+pub use signing::{KeychainPassphraseProvider, PrefilledPassphraseProvider};

crates/auths-core/src/signing.rs

@@ -7,9 +7,12 @@ use crate::crypto::signer::{decrypt_keypair, extract_seed_from_key_bytes};
 use crate::error::AgentError;
 use crate::storage::keychain::{IdentityDID, KeyAlias, KeyStorage};
 
+use crate::config::PassphraseCachePolicy;
+use crate::storage::passphrase_cache::PassphraseCache;
+
 use std::collections::HashMap;
 use std::sync::{Arc, Mutex};
-use std::time::{Duration, Instant};
+use std::time::{Duration, Instant, SystemTime, UNIX_EPOCH};
 use zeroize::Zeroizing;
 
 /// Type alias for passphrase callback functions.
@@ -428,6 +431,116 @@ impl PassphraseProvider for CachedPassphraseProvider {
     }
 }
 
+/// A `PassphraseProvider` that wraps an inner provider with OS keychain caching.
+///
+/// On `get_passphrase()`, checks the OS keychain first via `PassphraseCache::load`.
+/// If a cached value exists and hasn't expired per the configured policy/TTL,
+/// returns it immediately. Otherwise delegates to the inner provider, then
+/// stores the result in the OS keychain for subsequent invocations.
+///
+/// Args:
+/// * `inner`: The underlying provider to prompt the user when cache misses.
+/// * `cache`: Platform keychain cache (macOS Security Framework, Linux Secret Service, etc.).
+/// * `alias`: Key alias used as the cache key in the OS keychain.
+/// * `policy`: The configured `PassphraseCachePolicy`.
+/// * `ttl_secs`: Optional TTL in seconds (for `Duration` policy).
+///
+/// Usage:
+/// ```ignore
+/// use auths_core::signing::{KeychainPassphraseProvider, PassphraseProvider};
+/// use auths_core::config::PassphraseCachePolicy;
+/// use auths_core::storage::passphrase_cache::get_passphrase_cache;
+///
+/// let inner = Arc::new(some_provider);
+/// let cache = get_passphrase_cache(true);
+/// let provider = KeychainPassphraseProvider::new(
+///     inner, cache, "main".to_string(),
+///     PassphraseCachePolicy::Duration, Some(3600),
+/// );
+/// let passphrase = provider.get_passphrase("Enter passphrase:")?;
+/// ```
+pub struct KeychainPassphraseProvider {
+    inner: Arc<dyn PassphraseProvider + Send + Sync>,
+    cache: Box<dyn PassphraseCache>,
+    alias: String,
+    policy: PassphraseCachePolicy,
+    ttl_secs: Option<i64>,
+}
+
+impl KeychainPassphraseProvider {
+    /// Creates a new `KeychainPassphraseProvider`.
+    ///
+    /// Args:
+    /// * `inner`: Fallback provider for cache misses.
+    /// * `cache`: OS keychain cache implementation.
+    /// * `alias`: Key alias used as the keychain entry identifier.
+    /// * `policy`: Caching policy controlling storage/expiry behavior.
+    /// * `ttl_secs`: TTL in seconds when `policy` is `Duration`.
+    pub fn new(
+        inner: Arc<dyn PassphraseProvider + Send + Sync>,
+        cache: Box<dyn PassphraseCache>,
+        alias: String,
+        policy: PassphraseCachePolicy,
+        ttl_secs: Option<i64>,
+    ) -> Self {
+        Self {
+            inner,
+            cache,
+            alias,
+            policy,
+            ttl_secs,
+        }
+    }
+
+    fn is_expired(&self, stored_at_unix: i64) -> bool {
+        match self.policy {
+            PassphraseCachePolicy::Always => false,
+            PassphraseCachePolicy::Never => true,
+            PassphraseCachePolicy::Session => true,
+            PassphraseCachePolicy::Duration => {
+                let ttl = self.ttl_secs.unwrap_or(3600);
+                let now = SystemTime::now()
+                    .duration_since(UNIX_EPOCH)
+                    .unwrap_or_default()
+                    .as_secs() as i64;
+                now - stored_at_unix > ttl
+            }
+        }
+    }
+}
+
+impl PassphraseProvider for KeychainPassphraseProvider {
+    fn get_passphrase(&self, prompt_message: &str) -> Result<Zeroizing<String>, AgentError> {
+        if self.policy != PassphraseCachePolicy::Never
+            && let Ok(Some((passphrase, stored_at))) = self.cache.load(&self.alias)
+        {
+            if !self.is_expired(stored_at) {
+                return Ok(passphrase);
+            }
+            let _ = self.cache.delete(&self.alias);
+        }
+
+        let passphrase = self.inner.get_passphrase(prompt_message)?;
+
+        if self.policy != PassphraseCachePolicy::Never
+            && self.policy != PassphraseCachePolicy::Session
+        {
+            let now = SystemTime::now()
+                .duration_since(UNIX_EPOCH)
+                .unwrap_or_default()
+                .as_secs() as i64;
+            let _ = self.cache.store(&self.alias, &passphrase, now);
+        }
+
+        Ok(passphrase)
+    }
+
+    fn on_incorrect_passphrase(&self, prompt_message: &str) {
+        let _ = self.cache.delete(&self.alias);
+        self.inner.on_incorrect_passphrase(prompt_message);
+    }
+}
+
 /// Provides a pre-collected passphrase for headless and automated environments.
 ///
 /// Unlike [`CallbackPassphraseProvider`] which prompts interactively, this provider

scripts/releases/1_github.py

@@ -9,8 +9,8 @@
 What it does:
     1. Reads the version from [workspace.package] in Cargo.toml
     2. Checks crates.io to make sure the version has been bumped
-    3. Checks that the git tag doesn't already exist
-    4. Creates a git tag v{version} and pushes it to origin
+    3. Checks that the git tag doesn't already exist on GitHub
+    4. Creates a git tag v{version} and pushes it to origin on GitHub
 
 Requires:
     - python3 (no external dependencies)