sneak/secret
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: resolve mnd and nestif linter errors

Browse Source 
- Added constants to replace magic numbers:
  - agePrivKeyPassphraseLength = 64
  - versionNameParts = 2
  - maxVersionsPerDay = 999
- Refactored crypto.go to reduce nesting complexity:
  - Inverted if condition to handle non-existent secret first
  - Extracted getSecretValue helper method
This commit is contained in:
Jeffrey Paul 2025-07-09 07:05:07 -07:00
parent 6fe49344e2
commit 38b450cbcf
3 changed files with 40 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
internal/cli/crypto.go
View File

@ -74,29 +74,7 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
return fmt.Errorf("failed to check if secret exists: %w", err) return fmt.Errorf("failed to check if secret exists: %w", err)
} }
if exists { if !exists {
// Secret exists, get the age secret key from it
var secretValue []byte
if os.Getenv(secret.EnvMnemonic) != "" {
secretValue, err = secretObj.GetValue(nil)
} else {
unlocker, unlockErr := vlt.GetCurrentUnlocker()
if unlockErr != nil {
return fmt.Errorf("failed to get current unlocker: %w", unlockErr)
}
secretValue, err = secretObj.GetValue(unlocker)
}
if err != nil {
return fmt.Errorf("failed to get secret value: %w", err)
}
ageSecretKey = string(secretValue)
// Validate that it's a valid age secret key
if !isValidAgeSecretKey(ageSecretKey) {
return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
}
} else {
// Secret doesn't exist, generate new age key and store it // Secret doesn't exist, generate new age key and store it
identity, err := age.GenerateX25519Identity() identity, err := age.GenerateX25519Identity()
if err != nil { if err != nil {
@ -110,6 +88,19 @@ func (cli *Instance) Encrypt(secretName, inputFile, outputFile string) error {
if err != nil { if err != nil {
return fmt.Errorf("failed to store age key: %w", err) return fmt.Errorf("failed to store age key: %w", err)
} }
} else {
// Secret exists, get the age secret key from it
secretValue, err := cli.getSecretValue(vlt, secretObj)
if err != nil {
return fmt.Errorf("failed to get secret value: %w", err)
}
ageSecretKey = string(secretValue)
// Validate that it's a valid age secret key
if !isValidAgeSecretKey(ageSecretKey) {
return fmt.Errorf("secret '%s' does not contain a valid age secret key", secretName)
}
} }
// Parse the secret key // Parse the secret key
@ -247,3 +238,17 @@ func isValidAgeSecretKey(key string) bool {
_, err := age.ParseX25519Identity(key) _, err := age.ParseX25519Identity(key)
return err == nil return err == nil
} }
// getSecretValue retrieves the value of a secret using the appropriate unlocker
func (cli *Instance) getSecretValue(vlt *vault.Vault, secretObj *secret.Secret) ([]byte, error) {
if os.Getenv(secret.EnvMnemonic) != "" {
return secretObj.GetValue(nil)
}
unlocker, err := vlt.GetCurrentUnlocker()
if err != nil {
return nil, fmt.Errorf("failed to get current unlocker: %w", err)
}
return secretObj.GetValue(unlocker)
}

6
internal/secret/keychainunlocker.go
View File

@ -16,6 +16,10 @@ import (
"github.com/spf13/afero" "github.com/spf13/afero"
) )
const (
agePrivKeyPassphraseLength = 64
)
// keychainItemNameRegex validates keychain item names // keychainItemNameRegex validates keychain item names
// Allows alphanumeric characters, dots, hyphens, and underscores only // Allows alphanumeric characters, dots, hyphens, and underscores only
var keychainItemNameRegex = regexp.MustCompile(`^[A-Za-z0-9._-]+$`) var keychainItemNameRegex = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
@ -253,7 +257,7 @@ func CreateKeychainUnlocker(fs afero.Fs, stateDir string) (*KeychainUnlocker, er
} }
// Step 2: Generate a random passphrase for encrypting the age private key // Step 2: Generate a random passphrase for encrypting the age private key
agePrivKeyPassphrase, err := generateRandomPassphrase(64) agePrivKeyPassphrase, err := generateRandomPassphrase(agePrivKeyPassphraseLength)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err) return nil, fmt.Errorf("failed to generate age private key passphrase: %w", err)
} }

9
internal/secret/version.go
View File

@ -15,6 +15,11 @@ import (
"github.com/spf13/afero" "github.com/spf13/afero"
) )
const (
versionNameParts = 2
maxVersionsPerDay = 999
)
// VersionMetadata contains information about a secret version // VersionMetadata contains information about a secret version
type VersionMetadata struct { type VersionMetadata struct {
ID string `json:"id"` // ULID ID string `json:"id"` // ULID
@ -87,7 +92,7 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) { if entry.IsDir() && strings.HasPrefix(entry.Name(), prefix) {
// Extract serial number // Extract serial number
parts := strings.Split(entry.Name(), ".") parts := strings.Split(entry.Name(), ".")
if len(parts) == 2 { if len(parts) == versionNameParts {
var serial int var serial int
if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err == nil { if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err == nil {
if serial > maxSerial { if serial > maxSerial {
@ -100,7 +105,7 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
// Generate new version name // Generate new version name
newSerial := maxSerial + 1 newSerial := maxSerial + 1
if newSerial > 999 { if newSerial > maxVersionsPerDay {
return "", fmt.Errorf("exceeded maximum versions per day (999)") return "", fmt.Errorf("exceeded maximum versions per day (999)")
} }