Restore lazy keychain reads for socket password (#589)

Add a cached lazy keychain fallback to SocketControlPasswordStore so that authentication paths in TerminalController can transparently read a legacy keychain password without blocking on every request. The keychain is read at most once and the result is cached behind an NSLock. File-based and environment passwords still take priority. Closes https://github.com/manaflow-ai/cmux/issues/579
2026-02-26 15:16:27 -08:00 · 2026-02-26 15:16:27 -08:00 · 847ce008ed
commit 847ce008ed
parent df119c75d5
3 changed files with 194 additions and 10 deletions
--- a/cmuxTests/SocketControlPasswordStoreTests.swift
+++ b/cmuxTests/SocketControlPasswordStoreTests.swift
@ -7,6 +7,16 @@ import XCTest
 #endif

 final class SocketControlPasswordStoreTests: XCTestCase {
+    override func setUp() {
+        super.setUp()
+        SocketControlPasswordStore.resetLazyKeychainFallbackCacheForTests()
+    }
+
+    override func tearDown() {
+        SocketControlPasswordStore.resetLazyKeychainFallbackCacheForTests()
+        super.tearDown()
+    }
+
    func testSaveLoadAndClearRoundTripUsesFileStorage() throws {
        let tempDir = FileManager.default.temporaryDirectory
            .appendingPathComponent("cmux-socket-password-tests-\(UUID().uuidString)", isDirectory: true)
@ -43,6 +53,127 @@ final class SocketControlPasswordStoreTests: XCTestCase {
        XCTAssertEqual(configured, "env-secret")
    }

+    func testConfiguredPasswordLazyKeychainFallbackReadsOnlyOnceAndCaches() {
+        var readCount = 0
+
+        let withoutFallback = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: nil,
+            allowLazyKeychainFallback: false,
+            loadKeychainPassword: {
+                readCount += 1
+                return "legacy-secret"
+            }
+        )
+        XCTAssertNil(withoutFallback)
+        XCTAssertEqual(readCount, 0)
+
+        let firstWithFallback = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: nil,
+            allowLazyKeychainFallback: true,
+            loadKeychainPassword: {
+                readCount += 1
+                return "legacy-secret"
+            }
+        )
+        XCTAssertEqual(firstWithFallback, "legacy-secret")
+        XCTAssertEqual(readCount, 1)
+
+        let secondWithFallback = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: nil,
+            allowLazyKeychainFallback: true,
+            loadKeychainPassword: {
+                readCount += 1
+                return "new-secret"
+            }
+        )
+        XCTAssertEqual(secondWithFallback, "legacy-secret")
+        XCTAssertEqual(readCount, 1)
+    }
+
+    func testConfiguredPasswordLazyKeychainFallbackCachesMissingValue() {
+        var readCount = 0
+
+        let first = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: nil,
+            allowLazyKeychainFallback: true,
+            loadKeychainPassword: {
+                readCount += 1
+                return nil
+            }
+        )
+        XCTAssertNil(first)
+        XCTAssertEqual(readCount, 1)
+
+        let second = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: nil,
+            allowLazyKeychainFallback: true,
+            loadKeychainPassword: {
+                readCount += 1
+                return "should-not-be-read"
+            }
+        )
+        XCTAssertNil(second)
+        XCTAssertEqual(readCount, 1)
+    }
+
+    func testConfiguredPasswordPrefersStoredFileOverLazyKeychainFallback() throws {
+        let tempDir = FileManager.default.temporaryDirectory
+            .appendingPathComponent("cmux-socket-password-tests-\(UUID().uuidString)", isDirectory: true)
+        try FileManager.default.createDirectory(at: tempDir, withIntermediateDirectories: true)
+        defer { try? FileManager.default.removeItem(at: tempDir) }
+
+        let fileURL = tempDir.appendingPathComponent("socket-password.txt", isDirectory: false)
+        try SocketControlPasswordStore.savePassword("stored-secret", fileURL: fileURL)
+
+        var readCount = 0
+        let configured = SocketControlPasswordStore.configuredPassword(
+            environment: [:],
+            fileURL: fileURL,
+            allowLazyKeychainFallback: true,
+            loadKeychainPassword: {
+                readCount += 1
+                return "legacy-secret"
+            }
+        )
+
+        XCTAssertEqual(configured, "stored-secret")
+        XCTAssertEqual(readCount, 0)
+    }
+
+    func testHasConfiguredAndVerifyReuseSingleLazyKeychainRead() {
+        var readCount = 0
+        let loader = {
+            readCount += 1
+            return "legacy-secret"
+        }
+
+        XCTAssertTrue(
+            SocketControlPasswordStore.hasConfiguredPassword(
+                environment: [:],
+                fileURL: nil,
+                allowLazyKeychainFallback: true,
+                loadKeychainPassword: loader
+            )
+        )
+        XCTAssertEqual(readCount, 1)
+
+        XCTAssertTrue(
+            SocketControlPasswordStore.verify(
+                password: "legacy-secret",
+                environment: [:],
+                fileURL: nil,
+                allowLazyKeychainFallback: true,
+                loadKeychainPassword: loader
+            )
+        )
+        XCTAssertEqual(readCount, 1)
+    }
+
    func testDefaultPasswordFileURLUsesCmuxAppSupportPath() throws {
        let tempDir = FileManager.default.temporaryDirectory
            .appendingPathComponent("cmux-socket-password-tests-\(UUID().uuidString)", isDirectory: true)