feat: Add ListUsers method to retrieve usernames for a service (#133)

Signed-off-by: Ayoub Abidi <mrayoubabidi@gmail.com>

Author: ayoub3bidi

keyring.go

@@ -27,6 +27,8 @@ type Keyring interface {
 	Delete(service, user string) error
 	// DeleteAll deletes all secrets for a given service
 	DeleteAll(service string) error
+	// ListUsers returns a list of all users for a given service
+	ListUsers(service string) ([]string, error)
 }
 
 // Set password in keyring for user.
@@ -48,3 +50,8 @@ func Delete(service, user string) error {
 func DeleteAll(service string) error {
 	return provider.DeleteAll(service)
 }
+
+// ListUsers returns a list of all users for a given service
+func ListUsers(service string) ([]string, error) {
+	return provider.ListUsers(service)
+}

keyring_darwin.go

@@ -135,6 +135,57 @@ func (k macOSXKeychain) DeleteAll(service string) error {
 
 }
 
+// ListUsers returns a list of all users for a given service
+func (k macOSXKeychain) ListUsers(service string) ([]string, error) {
+	if service == "" {
+		return []string{}, nil
+	}
+
+	out, err := exec.Command(execPathKeychain, "dump-keyring").CombinedOutput()
+	if err != nil {
+		return nil, err
+	}
+
+	var users []string
+	seenUsers := make(map[string]bool)
+	lines := strings.Split(string(out), "\n")
+	
+	// Parse dump-keyring output looking for generic passwords matching our service
+	// Format: keychain: "/Users/username/Library/Keychains/login.keychain-db"
+	//         class: "genp"
+	//         attributes:
+	//             "svce"<blob>="service-name"
+	//             "acct"<blob>="account-name"
+	for i := 0; i < len(lines); i++ {
+		line := strings.TrimSpace(lines[i])
+		
+		// Look for service attribute matching our service
+		if strings.Contains(line, `"svce"`) && strings.Contains(line, `="`+service+`"`) {
+			// Found a matching service, now look for the account attribute
+			// It should be nearby in the attributes section
+			for j := i - 10; j < i+10 && j < len(lines) && j >= 0; j++ {
+				acctLine := strings.TrimSpace(lines[j])
+				if strings.Contains(acctLine, `"acct"`) {
+					// Extract account name from: "acct"<blob>="username"
+					if idx := strings.Index(acctLine, `="`); idx != -1 {
+						start := idx + 2
+						if end := strings.Index(acctLine[start:], `"`); end != -1 {
+							username := acctLine[start : start+end]
+							if !seenUsers[username] {
+								seenUsers[username] = true
+								users = append(users, username)
+							}
+							break
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return users, nil
+}
+
 func init() {
 	provider = macOSXKeychain{}
 }

keyring_fallback.go

@@ -25,3 +25,7 @@ func (fallbackServiceProvider) Delete(service, user string) error {
 func (fallbackServiceProvider) DeleteAll(service string) error {
 	return ErrUnsupportedPlatform
 }
+
+func (fallbackServiceProvider) ListUsers(service string) ([]string, error) {
+	return nil, ErrUnsupportedPlatform
+}

keyring_mock.go

@@ -59,6 +59,20 @@ func (m *mockProvider) DeleteAll(service string) error {
 	return nil
 }
 
+// ListUsers returns a list of all users for a given service
+func (m *mockProvider) ListUsers(service string) ([]string, error) {
+	if m.mockError != nil {
+		return nil, m.mockError
+	}
+	users := []string{}
+	if m.mockStore != nil && m.mockStore[service] != nil {
+		for user := range m.mockStore[service] {
+			users = append(users, user)
+		}
+	}
+	return users, nil
+}
+
 // MockInit sets the provider to a mocked memory store
 func MockInit() {
 	provider = &mockProvider{}

keyring_test.go

@@ -181,3 +181,137 @@ func TestDeleteAllEmptyService(t *testing.T) {
 		t.Errorf("Should not have deleted secret from another service")
 	}
 }
+
+// TestListUsers tests listing all users for a service.
+func TestListUsers(t *testing.T) {
+	// Set up multiple secrets for the same service
+	const service2 = "test-service-list"
+	err := Set(service2, "user1", "password1")
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	err = Set(service2, "user2", "password2")
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	err = Set(service2, "user3", "password3")
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	// List all users for the service
+	users, err := ListUsers(service2)
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	// Verify we got all three users
+	if len(users) != 3 {
+		t.Errorf("Expected 3 users, got %d", len(users))
+	}
+
+	// Verify the users are correct (order doesn't matter)
+	expectedUsers := map[string]bool{"user1": true, "user2": true, "user3": true}
+	for _, user := range users {
+		if !expectedUsers[user] {
+			t.Errorf("Unexpected user: %s", user)
+		}
+		delete(expectedUsers, user)
+	}
+
+	if len(expectedUsers) > 0 {
+		t.Errorf("Missing users: %v", expectedUsers)
+	}
+
+	// Clean up
+	_ = DeleteAll(service2)
+}
+
+// TestListUsersEmpty tests listing users for a service with no secrets.
+func TestListUsersEmpty(t *testing.T) {
+	const nonExistentService = "non-existent-service-12345"
+	users, err := ListUsers(nonExistentService)
+	if err != nil {
+		t.Errorf("Should not fail on empty service, got: %s", err)
+	}
+
+	if len(users) != 0 {
+		t.Errorf("Expected 0 users for non-existent service, got %d", len(users))
+	}
+}
+
+// TestListUsersSingleUser tests listing users for a service with a single user.
+func TestListUsersSingleUser(t *testing.T) {
+	const service3 = "test-service-single"
+	err := Set(service3, "single-user", "password")
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	users, err := ListUsers(service3)
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	if len(users) != 1 {
+		t.Errorf("Expected 1 user, got %d", len(users))
+	}
+
+	if users[0] != "single-user" {
+		t.Errorf("Expected user 'single-user', got '%s'", users[0])
+	}
+
+	// Clean up
+	_ = Delete(service3, "single-user")
+}
+
+// TestListUsersMultipleServices tests that ListUsers only returns users for the specified service.
+func TestListUsersMultipleServices(t *testing.T) {
+	const serviceA = "service-a"
+	const serviceB = "service-b"
+
+	// Set up users for service A
+	_ = Set(serviceA, "userA1", "passwordA1")
+	_ = Set(serviceA, "userA2", "passwordA2")
+
+	// Set up users for service B
+	_ = Set(serviceB, "userB1", "passwordB1")
+
+	// List users for service A
+	usersA, err := ListUsers(serviceA)
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	if len(usersA) != 2 {
+		t.Errorf("Expected 2 users for service A, got %d", len(usersA))
+	}
+
+	// Verify service A users don't include service B users
+	for _, user := range usersA {
+		if user == "userB1" {
+			t.Errorf("Service A should not include users from service B")
+		}
+	}
+
+	// List users for service B
+	usersB, err := ListUsers(serviceB)
+	if err != nil {
+		t.Errorf("Should not fail, got: %s", err)
+	}
+
+	if len(usersB) != 1 {
+		t.Errorf("Expected 1 user for service B, got %d", len(usersB))
+	}
+
+	if usersB[0] != "userB1" {
+		t.Errorf("Expected user 'userB1', got '%s'", usersB[0])
+	}
+
+	// Clean up
+	_ = DeleteAll(serviceA)
+	_ = DeleteAll(serviceB)
+}
+

keyring_unix.go

@@ -177,6 +177,50 @@ func (s secretServiceProvider) DeleteAll(service string) error {
 	return nil
 }
 
+// ListUsers returns a list of all users for a given service
+func (s secretServiceProvider) ListUsers(service string) ([]string, error) {
+	if service == "" {
+		return []string{}, nil
+	}
+
+	svc, err := ss.NewSecretService()
+	if err != nil {
+		return nil, err
+	}
+
+	// Find all items for the service
+	items, err := s.findServiceItems(svc, service)
+	if err != nil {
+		// If service has no items, return empty list instead of error
+		if err == ErrNotFound {
+			return []string{}, nil
+		}
+		return nil, err
+	}
+
+	// Extract usernames from items
+	var users []string
+	seenUsers := make(map[string]bool)
+
+	for _, item := range items {
+		// Get item attributes
+		attrs, err := svc.GetItemAttributes(item)
+		if err != nil {
+			continue // Skip items we can't read
+		}
+
+		// Extract username from attributes
+		if username, ok := attrs["username"]; ok {
+			if !seenUsers[username] {
+				seenUsers[username] = true
+				users = append(users, username)
+			}
+		}
+	}
+
+	return users, nil
+}
+
 func init() {
 	provider = secretServiceProvider{}
 }

keyring_windows.go

@@ -93,6 +93,35 @@ func (k windowsKeychain) DeleteAll(service string) error {
 	return nil
 }
 
+// ListUsers returns a list of all users for a given service
+func (k windowsKeychain) ListUsers(service string) ([]string, error) {
+	if service == "" {
+		return []string{}, nil
+	}
+
+	creds, err := wincred.List()
+	if err != nil {
+		return nil, err
+	}
+
+	prefix := k.credName(service, "")
+	var users []string
+	seenUsers := make(map[string]bool)
+
+	for _, cred := range creds {
+		if strings.HasPrefix(cred.TargetName, prefix) {
+			// Extract username from "service:username" format
+			username := strings.TrimPrefix(cred.TargetName, prefix)
+			if username != "" && !seenUsers[username] {
+				seenUsers[username] = true
+				users = append(users, username)
+			}
+		}
+	}
+
+	return users, nil
+}
+
 // credName combines service and username to a single string.
 func (k windowsKeychain) credName(service, username string) string {
 	return service + ":" + username

secret_service/secret_service.go

@@ -240,6 +240,22 @@ func (s *SecretService) GetSecret(itemPath dbus.ObjectPath, session dbus.ObjectP
 	return &secret, nil
 }
 
+// GetItemAttributes gets the attributes of an item.
+func (s *SecretService) GetItemAttributes(itemPath dbus.ObjectPath) (map[string]string, error) {
+	obj := s.Object(serviceName, itemPath)
+	variant, err := obj.GetProperty(itemInterface + ".Attributes")
+	if err != nil {
+		return nil, err
+	}
+	
+	attrs, ok := variant.Value().(map[string]string)
+	if !ok {
+		return nil, fmt.Errorf("failed to parse attributes")
+	}
+	
+	return attrs, nil
+}
+
 // Delete deletes an item from the collection.
 func (s *SecretService) Delete(itemPath dbus.ObjectPath) error {
 	var prompt dbus.ObjectPath