8 changes: 4 additions & 4 deletions cli/clitest/clitest.go
Expand Up @@ -61,10 +61,10 @@ func NewWithCommand(
t testing.TB, cmd *serpent.Command, args ...string,
) (*serpent.Invocation, config.Root) {
configDir := config.Root(t.TempDir())
// Keyring usage is disabled here because many existing tests expect the session token
// to be stored on disk and is not properly instrumented for parallel testing against
// the actual operating system keyring.
invArgs := append([]string{"--global-config", string(configDir), "--use-keyring=false"}, args...)
// Keyring usage is disabled here when --global-config is set because many existing
// tests expect the session token to be stored on disk and is not properly instrumented
// for parallel testing against the actual operating system keyring.
invArgs := append([]string{"--global-config", string(configDir)}, args...)
return setupInvocation(t, cmd, invArgs...), configDir
}
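Review bot: The comment in `NewWithCommand` still says keyring usage "is disabled here", but the function no longer passes `--use-keyring=false`; the file-based fallback now happens only because `--global-config` points at a non-default directory, which is decided in `ensureTokenBackend` in cli/root.go. If that heuristic is later changed or removed, every test built on this helper would start using the real operating system keyring on Windows and macOS with no change in this file. I would reword the comment to name the dependency, e.g. `// Passing --global-config makes the CLI fall back to file-based session storage (see RootCmd.ensureTokenBackend); tests rely on this because they are not instrumented for parallel use of the real OS keyring.` Unless there is a reason not visible here, also keeping the explicit `"--use-keyring=false"` argument would make the helper independent of the heuristic.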

2 changes: 2 additions & 0 deletions cli/keyring_test.go
Expand Up @@ -54,6 +54,7 @@ func setupKeyringTestEnv(t *testing.T, clientURL string, args ...string) keyring

serviceName := keyringTestServiceName(t)
root.WithKeyringServiceName(serviceName)
root.UseKeyringWithGlobalConfig()

inv, cfg := clitest.NewWithDefaultKeyringCommand(t, cmd, args...)

Expand Down Expand Up @@ -169,6 +170,7 @@ func TestUseKeyring(t *testing.T) {
logoutCmd, err := logoutRoot.Command(logoutRoot.AGPL())
require.NoError(t, err)
logoutRoot.WithKeyringServiceName(env.serviceName)
logoutRoot.UseKeyringWithGlobalConfig()

logoutInv, _ := clitest.NewWithDefaultKeyringCommand(t, logoutCmd,
"logout",
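Review bot: The new default path (`--global-config` set, `--use-keyring` left at true, no `UseKeyringWithGlobalConfig()` call) has no test visible on this page; the two added calls only opt the existing keyring tests back into the real keyring. That path decides whether the session token lands in the OS keyring or in a file on disk, so I would add a case next to `TestUseKeyring` asserting that the token file is written and that no keyring entry is created under `env.serviceName`. `TestUseKeyring` starts and ends outside the hunk.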
32 changes: 23 additions & 9 deletions cli/root.go
Expand Up @@ -483,9 +483,9 @@ func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, err
Flag: varUseKeyring,
Env: envUseKeyring,
Description: "Store and retrieve session tokens using the operating system " +
"keyring. Enabled by default. If the keyring is not supported on the " +
"current platform, file-based storage is used automatically. Set to " +
"false to force file-based storage.",
"keyring. This flag is ignored and file-based storage is used when " +
"--global-config is set or keyring usage is not supported on the current " +
"platform. Set to false to force file-based storage on supported platforms.",
Default: "true",
Value: serpent.BoolOf(&r.useKeyring),
Group: globalGroup,
Expand Down Expand Up @@ -536,11 +536,12 @@ type RootCmd struct {
disableDirect bool
debugHTTP bool

disableNetworkTelemetry bool
noVersionCheck bool
noFeatureWarning bool
useKeyring bool
keyringServiceName string
disableNetworkTelemetry bool
noVersionCheck bool
noFeatureWarning bool
useKeyring bool
keyringServiceName string
useKeyringWithGlobalConfig bool
}

// InitClient creates and configures a new client with authentication, telemetry,
Expand Down Expand Up @@ -721,8 +722,14 @@ func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *ur
// flag.
func (r *RootCmd) ensureTokenBackend() sessionstore.Backend {
if r.tokenBackend == nil {
// Checking for the --global-config directory being set is a bit wonky but necessary
// to allow extensions that invoke the CLI with this flag (e.g. VS code) to continue
// working without modification. In the future we should modify these extensions to
// either access the credential in the keyring (like Coder Desktop) or some other
// approach that doesn't rely on the session token being stored on disk.
assumeExtensionInUse := r.globalConfig != config.DefaultDir() && !r.useKeyringWithGlobalConfig
keyringSupported := runtime.GOOS == "windows" || runtime.GOOS == "darwin"
if r.useKeyring && keyringSupported {
if r.useKeyring && !assumeExtensionInUse && keyringSupported {
serviceName := sessionstore.DefaultServiceName
if r.keyringServiceName != "" {
serviceName = r.keyringServiceName
Expand All @@ -742,6 +749,13 @@ func (r *RootCmd) WithKeyringServiceName(serviceName string) {
r.keyringServiceName = serviceName
}

// UseKeyringWithGlobalConfig enables the use of the keyring storage backend
// when the --global-config directory is set. This is only intended as an override
// for tests, which require specifying the global config directory for test isolation.
func (r *RootCmd) UseKeyringWithGlobalConfig() {
r.useKeyringWithGlobalConfig = true
}

type AgentAuth struct {
// Agent Client config
agentToken string
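Review bot: In `ensureTokenBackend`, `assumeExtensionInUse` silently overrides an explicit `--use-keyring=true`: whenever `r.globalConfig` differs from `config.DefaultDir()` the session token goes to file-based storage, and nothing tells the user that the keyring was skipped. The check is a plain inequality, so if neither side is normalised before this point (not visible in the hunk), a differently spelled path to the default directory would also force file storage; assuming both values are plain strings, `filepath.Clean(r.globalConfig) != filepath.Clean(config.DefaultDir())` would avoid that. The comment should also state the security consequence, e.g. `// NOTE: with a non-default config dir the token is stored on disk, protected at most by file permissions, even if --use-keyring=true was passed.` The function body continues outside the hunk.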
7 changes: 4 additions & 3 deletions cli/testdata/coder_--help.golden
Expand Up @@ -111,9 +111,10 @@ variables or flags.

--use-keyring bool, $CODER_USE_KEYRING (default: true)
Store and retrieve session tokens using the operating system keyring.
Enabled by default. If the keyring is not supported on the current
platform, file-based storage is used automatically. Set to false to
force file-based storage.
This flag is ignored and file-based storage is used when
--global-config is set or keyring usage is not supported on the
current platform. Set to false to force file-based storage on
supported platforms.

-v, --verbose bool, $CODER_VERBOSE
Enable verbose output.
2 changes: 1 addition & 1 deletion docs/reference/cli/index.md


7 changes: 4 additions & 3 deletions enterprise/cli/testdata/coder_--help.golden
Expand Up @@ -70,9 +70,10 @@ variables or flags.

--use-keyring bool, $CODER_USE_KEYRING (default: true)
Store and retrieve session tokens using the operating system keyring.
Enabled by default. If the keyring is not supported on the current
platform, file-based storage is used automatically. Set to false to
force file-based storage.
This flag is ignored and file-based storage is used when
--global-config is set or keyring usage is not supported on the
current platform. Set to false to force file-based storage on
supported platforms.

-v, --verbose bool, $CODER_VERBOSE
Enable verbose output.