Merge pull request 'Remove redundant longterm.age encryption in Init command (closes #6)' (#11) from clawbot/secret:fix/issue-6 into main

Reviewed-on: sneak/secret#11

internal/cli/init.go

@@ -7,12 +7,10 @@ import (
 	"path/filepath"
 	"strings"
 
-	"filippo.io/age"
 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"git.eeqj.de/sneak/secret/pkg/agehd"
 	"github.com/awnumar/memguard"
-	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/tyler-smith/go-bip39"
 )
@@ -154,35 +152,8 @@ func (cli *Instance) Init(cmd *cobra.Command) error {
 		return fmt.Errorf("failed to create unlocker: %w", err)
 	}
 
-	// Encrypt long-term private key to the unlocker
+	// Note: CreatePassphraseUnlocker already encrypts and writes the long-term
-	unlockerDir := passphraseUnlocker.GetDirectory()
+	// private key to longterm.age, so no need to do it again here.
-
-	// Read unlocker public key
-	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
-	if err != nil {
-		return fmt.Errorf("failed to read unlocker public key: %w", err)
-	}
-
-	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
-	if err != nil {
-		return fmt.Errorf("failed to parse unlocker public key: %w", err)
-	}
-
-	// Encrypt long-term private key to unlocker
-	// Use memguard to protect the private key in memory
-	ltPrivKeyBuffer := memguard.NewBufferFromBytes([]byte(ltIdentity.String()))
-	defer ltPrivKeyBuffer.Destroy()
-
-	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyBuffer, unlockerRecipient)
-	if err != nil {
-		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
-	}
-
-	// Write encrypted long-term private key
-	ltPrivKeyPath := filepath.Join(unlockerDir, "longterm.age")
-	if err := afero.WriteFile(cli.fs, ltPrivKeyPath, encryptedLtPrivKey, secret.FilePerms); err != nil {
-		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
-	}
 
 	if cmd != nil {
 		cmd.Printf("\nDefault vault created and configured\n")

internal/secret/crypto.go

@@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
 	// Create a secure buffer for the decrypted data
 	resultBuffer := memguard.NewBufferFromBytes(result)
 
+	// Zero out the original slice to prevent plaintext from lingering in unprotected memory
+	for i := range result {
+		result[i] = 0
+	}
+
 	return resultBuffer, nil
 }
 

internal/secret/keychainunlocker_stub.go

@@ -4,6 +4,8 @@
 package secret
 
 import (
+	"fmt"
+
 	"filippo.io/age"
 	"github.com/awnumar/memguard"
 	"github.com/spf13/afero"
@@ -22,52 +24,59 @@ type KeychainUnlocker struct {
 	fs        afero.Fs
 }
 
-// GetIdentity panics on non-Darwin platforms
+var errKeychainNotSupported = fmt.Errorf("keychain unlockers are only supported on macOS")
+
+// GetIdentity returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetIdentity() (*age.X25519Identity, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }
 
-// GetType panics on non-Darwin platforms
+// GetType returns the unlocker type
 func (k *KeychainUnlocker) GetType() string {
-	panic("keychain unlockers are only supported on macOS")
+	return "keychain"
 }
 
-// GetMetadata panics on non-Darwin platforms
+// GetMetadata returns the unlocker metadata
 func (k *KeychainUnlocker) GetMetadata() UnlockerMetadata {
-	panic("keychain unlockers are only supported on macOS")
+	return k.Metadata
 }
 
-// GetDirectory panics on non-Darwin platforms
+// GetDirectory returns the unlocker directory
 func (k *KeychainUnlocker) GetDirectory() string {
-	panic("keychain unlockers are only supported on macOS")
+	return k.Directory
 }
 
 // GetID returns the unlocker ID
 func (k *KeychainUnlocker) GetID() string {
-	panic("keychain unlockers are only supported on macOS")
+	return fmt.Sprintf("%s-keychain", k.Metadata.CreatedAt.Format("2006-01-02.15.04"))
 }
 
-// GetKeychainItemName panics on non-Darwin platforms
+// GetKeychainItemName returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) GetKeychainItemName() (string, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return "", errKeychainNotSupported
 }
 
-// Remove panics on non-Darwin platforms
+// Remove returns an error on non-Darwin platforms
 func (k *KeychainUnlocker) Remove() error {
-	panic("keychain unlockers are only supported on macOS")
+	return errKeychainNotSupported
 }
 
-// NewKeychainUnlocker panics on non-Darwin platforms
+// NewKeychainUnlocker creates a stub KeychainUnlocker on non-Darwin platforms.
+// The returned instance's methods that require macOS functionality will return errors.
 func NewKeychainUnlocker(fs afero.Fs, directory string, metadata UnlockerMetadata) *KeychainUnlocker {
-	panic("keychain unlockers are only supported on macOS")
+	return &KeychainUnlocker{
+		Directory: directory,
+		Metadata:  metadata,
+		fs:        fs,
+	}
 }
 
-// CreateKeychainUnlocker panics on non-Darwin platforms
+// CreateKeychainUnlocker returns an error on non-Darwin platforms
-func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, error) {
+func CreateKeychainUnlocker(_ afero.Fs, _ string) (*KeychainUnlocker, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }
 
-// getLongTermPrivateKey panics on non-Darwin platforms
+// getLongTermPrivateKey returns an error on non-Darwin platforms
-func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedBuffer, error) {
+func getLongTermPrivateKey(_ afero.Fs, _ VaultInterface) (*memguard.LockedBuffer, error) {
-	panic("keychain unlockers are only supported on macOS")
+	return nil, errKeychainNotSupported
 }

internal/vault/vault.go

@@ -227,27 +227,23 @@ func (v *Vault) NumSecrets() (int, error) {
 		return 0, fmt.Errorf("failed to read secrets directory: %w", err)
 	}
 
-	// Count only directories that contain at least one version file
+	// Count only directories that have a "current" version pointer file
 	count := 0
 	for _, entry := range entries {
 		if !entry.IsDir() {
 			continue
 		}
 
-		// Check if this secret directory contains any version files
+		// A valid secret has a "current" file pointing to the active version
 		secretDir := filepath.Join(secretsDir, entry.Name())
-		versionFiles, err := afero.ReadDir(v.fs, secretDir)
+		currentFile := filepath.Join(secretDir, "current")
+		exists, err := afero.Exists(v.fs, currentFile)
 		if err != nil {
 			continue // Skip directories we can't read
 		}
 
-		// Look for at least one version file (excluding "current" symlink)
+		if exists {
-		for _, vFile := range versionFiles {
-			if !vFile.IsDir() && vFile.Name() != "current" {
 			count++
-
-				break // Found at least one version, count this secret
-			}
 		}
 	}
 

internal/vault/vault_test.go

@@ -162,6 +162,24 @@ func TestVaultOperations(t *testing.T) {
 		}
 	})
 
+	// Test NumSecrets
+	t.Run("NumSecrets", func(t *testing.T) {
+		vlt, err := GetCurrentVault(fs, stateDir)
+		if err != nil {
+			t.Fatalf("Failed to get current vault: %v", err)
+		}
+
+		numSecrets, err := vlt.NumSecrets()
+		if err != nil {
+			t.Fatalf("Failed to count secrets: %v", err)
+		}
+
+		// We added one secret in SecretOperations
+		if numSecrets != 1 {
+			t.Errorf("Expected 1 secret, got %d", numSecrets)
+		}
+	})
+
 	// Test unlocker operations
 	t.Run("UnlockerOperations", func(t *testing.T) {
 		vlt, err := GetCurrentVault(fs, stateDir)