Remove internal/macse package and fix all linter issues

- Remove internal/macse package (Secure Enclave experiment) - Fix errcheck: handle keychain.DeleteItem error return - Fix lll: break long lines in command descriptions - Fix mnd: add nolint comment for cobra.ExactArgs(2) - Fix nlreturn: add blank lines before return/break statements - Fix revive: add nolint comment for KEYCHAIN_APP_IDENTIFIER constant - Fix nestif: simplify UnlockersRemove by using new NumSecrets method - Add NumSecrets() method to vault.Vault for counting secrets - Update golangci.yml to exclude ALL_CAPS warning (attempted various configurations but settled on nolint comment) All tests pass, code is formatted and linted.
2025-07-21 17:48:47 +02:00
parent 816f53f819
commit 09b3a1fcdc
15 changed files with 466 additions and 468 deletions
--- a/internal/cli/root.go
+++ b/internal/cli/root.go
@@ -34,6 +34,7 @@ func newRootCmd() *cobra.Command {
 	cmd.AddCommand(newAddCmd())
 	cmd.AddCommand(newGetCmd())
 	cmd.AddCommand(newListCmd())
+	cmd.AddCommand(newRemoveCmd())
 	cmd.AddCommand(newUnlockersCmd())
 	cmd.AddCommand(newUnlockerCmd())
 	cmd.AddCommand(newImportCmd())
--- a/internal/cli/secrets.go
+++ b/internal/cli/secrets.go
@@ -4,11 +4,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"path/filepath"
 	"strings"

 	"git.eeqj.de/sneak/secret/internal/secret"
 	"git.eeqj.de/sneak/secret/internal/vault"
 	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 )

@@ -103,6 +105,24 @@ func newImportCmd() *cobra.Command {
 	return cmd
 }

+func newRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <secret-name>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a secret from the vault",
+		Long: `Remove a secret and all its versions from the current vault. This action is permanent and ` +
+			`cannot be undone.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			cli := NewCLIInstance()
+
+			return cli.RemoveSecret(cmd, args[0], false)
+		},
+	}
+
+	return cmd
+}
+
 // updateBufferSize updates the buffer size based on usage pattern
 func updateBufferSize(currentSize int, sameSize *int) int {
 	*sameSize++
@@ -448,3 +468,45 @@ func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile str

 	return nil
 }
+
+// RemoveSecret removes a secret from the vault
+func (cli *Instance) RemoveSecret(cmd *cobra.Command, secretName string, _ bool) error {
+	// Get current vault
+	currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return err
+	}
+
+	// Check if secret exists
+	vaultDir, err := currentVlt.GetDirectory()
+	if err != nil {
+		return err
+	}
+
+	encodedName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
+
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret '%s' not found", secretName)
+	}
+
+	// Count versions for information
+	versionsDir := filepath.Join(secretDir, "versions")
+	versionCount := 0
+	if entries, err := afero.ReadDir(cli.fs, versionsDir); err == nil {
+		versionCount = len(entries)
+	}
+
+	// Remove the secret directory
+	if err := cli.fs.RemoveAll(secretDir); err != nil {
+		return fmt.Errorf("failed to remove secret: %w", err)
+	}
+
+	cmd.Printf("Removed secret '%s' (%d version(s) deleted)\n", secretName, versionCount)
+
+	return nil
+}
--- a/internal/cli/unlockers.go
+++ b/internal/cli/unlockers.go
@@ -28,15 +28,16 @@ func newUnlockersCmd() *cobra.Command {

 	cmd.AddCommand(newUnlockersListCmd())
 	cmd.AddCommand(newUnlockersAddCmd())
-	cmd.AddCommand(newUnlockersRmCmd())
+	cmd.AddCommand(newUnlockersRemoveCmd())

 	return cmd
 }

 func newUnlockersListCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "list",
-		Short: "List unlockers in the current vault",
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List unlockers in the current vault",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")

@@ -70,17 +71,26 @@ func newUnlockersAddCmd() *cobra.Command {
 	return cmd
 }

-func newUnlockersRmCmd() *cobra.Command {
-	return &cobra.Command{
-		Use:   "rm <unlocker-id>",
-		Short: "Remove an unlocker",
-		Args:  cobra.ExactArgs(1),
-		RunE: func(_ *cobra.Command, args []string) error {
+func newUnlockersRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <unlocker-id>",
+		Aliases: []string{"rm"},
+		Short:   "Remove an unlocker",
+		Long: `Remove an unlocker from the current vault. Cannot remove the last unlocker if the vault has ` +
+			`secrets unless --force is used. Warning: Without unlockers and without your mnemonic, vault data ` +
+			`will be permanently inaccessible.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			force, _ := cmd.Flags().GetBool("force")
 			cli := NewCLIInstance()

-			return cli.UnlockersRemove(args[0])
+			return cli.UnlockersRemove(args[0], force, cmd)
 		},
 	}
+
+	cmd.Flags().BoolP("force", "f", false, "Force removal of last unlocker even if vault has secrets")
+
+	return cmd
 }

 func newUnlockerCmd() *cobra.Command {
@@ -315,15 +325,49 @@ func (cli *Instance) UnlockersAdd(unlockerType string, cmd *cobra.Command) error
 	}
 }

-// UnlockersRemove removes an unlocker
-func (cli *Instance) UnlockersRemove(unlockerID string) error {
+// UnlockersRemove removes an unlocker with safety checks
+func (cli *Instance) UnlockersRemove(unlockerID string, force bool, cmd *cobra.Command) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
 		return err
 	}

-	return vlt.RemoveUnlocker(unlockerID)
+	// Get list of unlockers
+	unlockers, err := vlt.ListUnlockers()
+	if err != nil {
+		return fmt.Errorf("failed to list unlockers: %w", err)
+	}
+
+	// Check if we're removing the last unlocker
+	if len(unlockers) == 1 {
+		// Check if vault has secrets
+		numSecrets, err := vlt.NumSecrets()
+		if err != nil {
+			return fmt.Errorf("failed to count secrets: %w", err)
+		}
+
+		if numSecrets > 0 && !force {
+			cmd.Println("ERROR: Cannot remove the last unlocker when the vault contains secrets.")
+			cmd.Println("WARNING: Without unlockers, you MUST have your mnemonic phrase to decrypt the vault.")
+			cmd.Println("If you want to proceed anyway, use --force")
+
+			return fmt.Errorf("refusing to remove last unlocker")
+		}
+
+		if numSecrets > 0 && force {
+			cmd.Println("WARNING: Removing the last unlocker. You MUST have your mnemonic phrase to access this vault again!")
+		}
+	}
+
+	// Remove the unlocker
+	if err := vlt.RemoveUnlocker(unlockerID); err != nil {
+		return err
+	}
+
+	cmd.Printf("Removed unlocker '%s'\n", unlockerID)
+
+	return nil
 }

 // UnlockerSelect selects an unlocker as current
--- a/internal/cli/vault.go
+++ b/internal/cli/vault.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"

@@ -27,14 +28,16 @@ func newVaultCmd() *cobra.Command {
 	cmd.AddCommand(newVaultCreateCmd())
 	cmd.AddCommand(newVaultSelectCmd())
 	cmd.AddCommand(newVaultImportCmd())
+	cmd.AddCommand(newVaultRemoveCmd())

 	return cmd
 }

 func newVaultListCmd() *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "list",
-		Short: "List available vaults",
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Short:   "List available vaults",
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			jsonOutput, _ := cmd.Flags().GetBool("json")

@@ -94,6 +97,27 @@ func newVaultImportCmd() *cobra.Command {
 	}
 }

+func newVaultRemoveCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:     "remove <name>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a vault",
+		Long: `Remove a vault. Requires --force if the vault contains secrets. Will automatically ` +
+			`switch to another vault if removing the currently selected one.`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			force, _ := cmd.Flags().GetBool("force")
+			cli := NewCLIInstance()
+
+			return cli.RemoveVault(cmd, args[0], force)
+		},
+	}
+
+	cmd.Flags().BoolP("force", "f", false, "Force removal even if vault contains secrets")
+
+	return cmd
+}
+
 // ListVaults lists all available vaults
 func (cli *Instance) ListVaults(cmd *cobra.Command, jsonOutput bool) error {
 	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
@@ -295,3 +319,90 @@ func (cli *Instance) VaultImport(cmd *cobra.Command, vaultName string) error {

 	return nil
 }
+
+// RemoveVault removes a vault with safety checks
+func (cli *Instance) RemoveVault(cmd *cobra.Command, name string, force bool) error {
+	// Get list of all vaults
+	vaults, err := vault.ListVaults(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to list vaults: %w", err)
+	}
+
+	// Check if vault exists
+	vaultExists := false
+	for _, v := range vaults {
+		if v == name {
+			vaultExists = true
+
+			break
+		}
+	}
+	if !vaultExists {
+		return fmt.Errorf("vault '%s' does not exist", name)
+	}
+
+	// Don't allow removing the last vault
+	if len(vaults) == 1 {
+		return fmt.Errorf("cannot remove the last vault")
+	}
+
+	// Check if this is the current vault
+	currentVault, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current vault: %w", err)
+	}
+	isCurrentVault := currentVault.GetName() == name
+
+	// Load the vault to check for secrets
+	vlt := vault.NewVault(cli.fs, cli.stateDir, name)
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	// Check if vault has secrets
+	secretsDir := filepath.Join(vaultDir, "secrets.d")
+	hasSecrets := false
+	if exists, _ := afero.DirExists(cli.fs, secretsDir); exists {
+		entries, err := afero.ReadDir(cli.fs, secretsDir)
+		if err == nil && len(entries) > 0 {
+			hasSecrets = true
+		}
+	}
+
+	// Require --force if vault has secrets
+	if hasSecrets && !force {
+		return fmt.Errorf("vault '%s' contains secrets; use --force to remove", name)
+	}
+
+	// If removing current vault, switch to another vault first
+	if isCurrentVault {
+		// Find another vault to switch to
+		var newVault string
+		for _, v := range vaults {
+			if v != name {
+				newVault = v
+
+				break
+			}
+		}
+
+		// Switch to the new vault
+		if err := vault.SelectVault(cli.fs, cli.stateDir, newVault); err != nil {
+			return fmt.Errorf("failed to switch to vault '%s': %w", newVault, err)
+		}
+		cmd.Printf("Switched current vault to '%s'\n", newVault)
+	}
+
+	// Remove the vault directory
+	if err := cli.fs.RemoveAll(vaultDir); err != nil {
+		return fmt.Errorf("failed to remove vault directory: %w", err)
+	}
+
+	cmd.Printf("Removed vault '%s'\n", name)
+	if hasSecrets {
+		cmd.Printf("Warning: Vault contained secrets that have been permanently deleted\n")
+	}
+
+	return nil
+}
--- a/internal/cli/version.go
+++ b/internal/cli/version.go
@@ -33,9 +33,10 @@ func VersionCommands(cli *Instance) *cobra.Command {

 	// List versions command
 	listCmd := &cobra.Command{
-		Use:   "list <secret-name>",
-		Short: "List all versions of a secret",
-		Args:  cobra.ExactArgs(1),
+		Use:     "list <secret-name>",
+		Aliases: []string{"ls"},
+		Short:   "List all versions of a secret",
+		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cli.ListVersions(cmd, args[0])
 		},
@@ -52,7 +53,19 @@ func VersionCommands(cli *Instance) *cobra.Command {
 		},
 	}

-	versionCmd.AddCommand(listCmd, promoteCmd)
+	// Remove version command
+	removeCmd := &cobra.Command{
+		Use:     "remove <secret-name> <version>",
+		Aliases: []string{"rm"},
+		Short:   "Remove a specific version of a secret",
+		Long:    "Remove a specific version of a secret. Cannot remove the current version.",
+		Args:    cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: secret-name and version
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cli.RemoveVersion(cmd, args[0], args[1])
+		},
+	}
+
+	versionCmd.AddCommand(listCmd, promoteCmd, removeCmd)

 	return versionCmd
 }
@@ -207,3 +220,60 @@ func (cli *Instance) PromoteVersion(cmd *cobra.Command, secretName string, versi

 	return nil
 }
+
+// RemoveVersion removes a specific version of a secret
+func (cli *Instance) RemoveVersion(cmd *cobra.Command, secretName string, version string) error {
+	// Get current vault
+	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return err
+	}
+
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return err
+	}
+
+	// Get the encoded secret name
+	encodedName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
+
+	// Check if secret exists
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret '%s' not found", secretName)
+	}
+
+	// Check if version exists
+	versionDir := filepath.Join(secretDir, "versions", version)
+	exists, err = afero.DirExists(cli.fs, versionDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if version exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("version '%s' not found for secret '%s'", version, secretName)
+	}
+
+	// Get current version
+	currentVersion, err := secret.GetCurrentVersion(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current version: %w", err)
+	}
+
+	// Don't allow removing the current version
+	if version == currentVersion {
+		return fmt.Errorf("cannot remove the current version '%s'; promote another version first", version)
+	}
+
+	// Remove the version directory
+	if err := cli.fs.RemoveAll(versionDir); err != nil {
+		return fmt.Errorf("failed to remove version: %w", err)
+	}
+
+	cmd.Printf("Removed version %s of secret '%s'\n", version, secretName)
+
+	return nil
+}