add secret versioning support

internal/cli/root.go

@@ -40,6 +40,7 @@ func newRootCmd() *cobra.Command {
 	cmd.AddCommand(newImportCmd())
 	cmd.AddCommand(newEncryptCmd())
 	cmd.AddCommand(newDecryptCmd())
+	cmd.AddCommand(newVersionCmd())
 
 	secret.Debug("newRootCmd completed")
 	return cmd

internal/cli/secrets.go

@@ -35,15 +35,19 @@ func newAddCmd() *cobra.Command {
 }
 
 func newGetCmd() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:   "get <secret-name>",
 		Short: "Retrieve a secret from the vault",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
+			version, _ := cmd.Flags().GetString("version")
 			cli := NewCLIInstance()
-			return cli.GetSecret(args[0])
+			return cli.GetSecretWithVersion(args[0], version)
 		},
 	}
+
+	cmd.Flags().StringP("version", "v", "", "Get a specific version (default: current)")
+	return cmd
 }
 
 func newListCmd() *cobra.Command {
@@ -132,6 +136,11 @@ func (cli *CLIInstance) AddSecret(secretName string, force bool) error {
 
 // GetSecret retrieves and prints a secret from the current vault
 func (cli *CLIInstance) GetSecret(secretName string) error {
+	return cli.GetSecretWithVersion(secretName, "")
+}
+
+// GetSecretWithVersion retrieves and prints a specific version of a secret
+func (cli *CLIInstance) GetSecretWithVersion(secretName string, version string) error {
 	// Get current vault
 	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
 	if err != nil {
@@ -139,7 +148,12 @@ func (cli *CLIInstance) GetSecret(secretName string) error {
 	}
 
 	// Get the secret value
-	value, err := vlt.GetSecret(secretName)
+	var value []byte
+	if version == "" {
+		value, err = vlt.GetSecret(secretName)
+	} else {
+		value, err = vlt.GetSecretVersion(secretName, version)
+	}
 	if err != nil {
 		return err
 	}

internal/cli/version.go

@@ -0,0 +1,203 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"text/tabwriter"
+
+	"git.eeqj.de/sneak/secret/internal/secret"
+	"git.eeqj.de/sneak/secret/internal/vault"
+	"github.com/spf13/afero"
+	"github.com/spf13/cobra"
+)
+
+// newVersionCmd returns the version management command
+func newVersionCmd() *cobra.Command {
+	cli := NewCLIInstance()
+	return VersionCommands(cli)
+}
+
+// VersionCommands returns the version management commands
+func VersionCommands(cli *CLIInstance) *cobra.Command {
+	versionCmd := &cobra.Command{
+		Use:   "version",
+		Short: "Manage secret versions",
+		Long:  "Commands for managing secret versions including listing, promoting, and retrieving specific versions",
+	}
+
+	// List versions command
+	listCmd := &cobra.Command{
+		Use:   "list <secret-name>",
+		Short: "List all versions of a secret",
+		Args:  cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cli.ListVersions(args[0])
+		},
+	}
+
+	// Promote version command
+	promoteCmd := &cobra.Command{
+		Use:   "promote <secret-name> <version>",
+		Short: "Promote a specific version to current",
+		Long:  "Updates the current symlink to point to the specified version without modifying timestamps",
+		Args:  cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cli.PromoteVersion(args[0], args[1])
+		},
+	}
+
+	versionCmd.AddCommand(listCmd, promoteCmd)
+	return versionCmd
+}
+
+// ListVersions lists all versions of a secret
+func (cli *CLIInstance) ListVersions(secretName string) error {
+	secret.Debug("Listing versions for secret", "secret_name", secretName)
+
+	// Get current vault
+	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current vault: %w", err)
+	}
+
+	// Get vault directory
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	// Convert secret name to storage name
+	storageName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
+
+	// Check if secret exists
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret %s not found", secretName)
+	}
+
+	// Get all versions
+	versions, err := secret.ListVersions(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to list versions: %w", err)
+	}
+
+	if len(versions) == 0 {
+		fmt.Println("No versions found")
+		return nil
+	}
+
+	// Get current version
+	currentVersion, err := secret.GetCurrentVersion(cli.fs, secretDir)
+	if err != nil {
+		secret.Debug("Failed to get current version", "error", err)
+		currentVersion = ""
+	}
+
+	// Get long-term key for decrypting metadata
+	ltIdentity, err := vlt.GetOrDeriveLongTermKey()
+	if err != nil {
+		return fmt.Errorf("failed to get long-term key: %w", err)
+	}
+
+	// Create table writer
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintln(w, "VERSION\tCREATED\tSTATUS\tNOT_BEFORE\tNOT_AFTER")
+
+	// Load and display each version's metadata
+	for _, version := range versions {
+		sv := secret.NewSecretVersion(vlt, secretName, version)
+
+		// Load metadata
+		if err := sv.LoadMetadata(ltIdentity); err != nil {
+			secret.Debug("Failed to load version metadata", "version", version, "error", err)
+			// Display version with error
+			status := "error"
+			if version == currentVersion {
+				status = "current (error)"
+			}
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, "-", status, "-", "-")
+			continue
+		}
+
+		// Determine status
+		status := "expired"
+		if version == currentVersion {
+			status = "current"
+		}
+
+		// Format timestamps
+		createdAt := "-"
+		if sv.Metadata.CreatedAt != nil {
+			createdAt = sv.Metadata.CreatedAt.Format("2006-01-02 15:04:05")
+		}
+
+		notBefore := "-"
+		if sv.Metadata.NotBefore != nil {
+			notBefore = sv.Metadata.NotBefore.Format("2006-01-02 15:04:05")
+		}
+
+		notAfter := "-"
+		if sv.Metadata.NotAfter != nil {
+			notAfter = sv.Metadata.NotAfter.Format("2006-01-02 15:04:05")
+		}
+
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", version, createdAt, status, notBefore, notAfter)
+	}
+
+	w.Flush()
+	return nil
+}
+
+// PromoteVersion promotes a specific version to current
+func (cli *CLIInstance) PromoteVersion(secretName string, version string) error {
+	secret.Debug("Promoting version", "secret_name", secretName, "version", version)
+
+	// Get current vault
+	vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
+	if err != nil {
+		return fmt.Errorf("failed to get current vault: %w", err)
+	}
+
+	// Get vault directory
+	vaultDir, err := vlt.GetDirectory()
+	if err != nil {
+		return fmt.Errorf("failed to get vault directory: %w", err)
+	}
+
+	// Convert secret name to storage name
+	storageName := strings.ReplaceAll(secretName, "/", "%")
+	secretDir := filepath.Join(vaultDir, "secrets.d", storageName)
+
+	// Check if secret exists
+	exists, err := afero.DirExists(cli.fs, secretDir)
+	if err != nil {
+		return fmt.Errorf("failed to check if secret exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("secret %s not found", secretName)
+	}
+
+	// Check if version exists
+	versionPath := filepath.Join(secretDir, "versions", version)
+	exists, err = afero.DirExists(cli.fs, versionPath)
+	if err != nil {
+		return fmt.Errorf("failed to check if version exists: %w", err)
+	}
+	if !exists {
+		return fmt.Errorf("version %s not found for secret %s", version, secretName)
+	}
+
+	// Update current symlink
+	if err := secret.SetCurrentVersion(cli.fs, secretDir, version); err != nil {
+		return fmt.Errorf("failed to promote version: %w", err)
+	}
+
+	fmt.Printf("Promoted version %s to current for secret '%s'\n", version, secretName)
+	return nil
+}

internal/cli/version_test.go

@@ -0,0 +1,288 @@
+package cli
+
+import (
+	"io"
+	"os"
+	"strings"
+	"testing"
+	"time"
+
+	"path/filepath"
+
+	"git.eeqj.de/sneak/secret/internal/secret"
+	"git.eeqj.de/sneak/secret/internal/vault"
+	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Helper function to set up a vault with long-term key
+func setupTestVault(t *testing.T, fs afero.Fs, stateDir string) {
+	// Set mnemonic for testing
+	t.Setenv(secret.EnvMnemonic, "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about")
+
+	// Create vault
+	vlt, err := vault.CreateVault(fs, stateDir, "default")
+	require.NoError(t, err)
+
+	// Derive and store long-term key from mnemonic
+	mnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	ltIdentity, err := agehd.DeriveIdentity(mnemonic, 0)
+	require.NoError(t, err)
+
+	// Store long-term public key in vault
+	vaultDir, _ := vlt.GetDirectory()
+	ltPubKeyPath := filepath.Join(vaultDir, "pub.age")
+	err = afero.WriteFile(fs, ltPubKeyPath, []byte(ltIdentity.Recipient().String()), 0600)
+	require.NoError(t, err)
+
+	// Select vault
+	err = vault.SelectVault(fs, stateDir, "default")
+	require.NoError(t, err)
+}
+
+func TestListVersionsCommand(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Add a secret with multiple versions
+	vlt, err := vault.GetCurrentVault(fs, stateDir)
+	require.NoError(t, err)
+
+	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	require.NoError(t, err)
+
+	time.Sleep(10 * time.Millisecond)
+
+	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	require.NoError(t, err)
+
+	// Capture output
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	// List versions
+	err = cli.ListVersions("test/secret")
+	require.NoError(t, err)
+
+	// Restore stdout and read output
+	w.Close()
+	os.Stdout = oldStdout
+	output, _ := io.ReadAll(r)
+	outputStr := string(output)
+
+	// Verify output contains version headers
+	assert.Contains(t, outputStr, "VERSION")
+	assert.Contains(t, outputStr, "CREATED")
+	assert.Contains(t, outputStr, "STATUS")
+	assert.Contains(t, outputStr, "NOT_BEFORE")
+	assert.Contains(t, outputStr, "NOT_AFTER")
+
+	// Should have current status for latest version
+	assert.Contains(t, outputStr, "current")
+
+	// Should have two version entries
+	lines := strings.Split(outputStr, "\n")
+	versionLines := 0
+	for _, line := range lines {
+		if strings.Contains(line, ".001") || strings.Contains(line, ".002") {
+			versionLines++
+		}
+	}
+	assert.Equal(t, 2, versionLines)
+}
+
+func TestListVersionsNonExistentSecret(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Try to list versions of non-existent secret
+	err := cli.ListVersions("nonexistent/secret")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "not found")
+}
+
+func TestPromoteVersionCommand(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Add a secret with multiple versions
+	vlt, err := vault.GetCurrentVault(fs, stateDir)
+	require.NoError(t, err)
+
+	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	require.NoError(t, err)
+
+	time.Sleep(10 * time.Millisecond)
+
+	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	require.NoError(t, err)
+
+	// Get versions
+	vaultDir, _ := vlt.GetDirectory()
+	secretDir := vaultDir + "/secrets.d/test%secret"
+	versions, err := secret.ListVersions(fs, secretDir)
+	require.NoError(t, err)
+	require.Len(t, versions, 2)
+
+	// Current should be version-2
+	value, err := vlt.GetSecret("test/secret")
+	require.NoError(t, err)
+	assert.Equal(t, []byte("version-2"), value)
+
+	// Promote first version
+	firstVersion := versions[1] // Older version
+
+	// Capture output
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	err = cli.PromoteVersion("test/secret", firstVersion)
+	require.NoError(t, err)
+
+	// Restore stdout and read output
+	w.Close()
+	os.Stdout = oldStdout
+	output, _ := io.ReadAll(r)
+	outputStr := string(output)
+
+	// Verify success message
+	assert.Contains(t, outputStr, "Promoted version")
+	assert.Contains(t, outputStr, firstVersion)
+
+	// Verify current is now version-1
+	value, err = vlt.GetSecret("test/secret")
+	require.NoError(t, err)
+	assert.Equal(t, []byte("version-1"), value)
+}
+
+func TestPromoteNonExistentVersion(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Add a secret
+	vlt, err := vault.GetCurrentVault(fs, stateDir)
+	require.NoError(t, err)
+
+	err = vlt.AddSecret("test/secret", []byte("value"), false)
+	require.NoError(t, err)
+
+	// Try to promote non-existent version
+	err = cli.PromoteVersion("test/secret", "20991231.999")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "not found")
+}
+
+func TestGetSecretWithVersion(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Add a secret with multiple versions
+	vlt, err := vault.GetCurrentVault(fs, stateDir)
+	require.NoError(t, err)
+
+	err = vlt.AddSecret("test/secret", []byte("version-1"), false)
+	require.NoError(t, err)
+
+	time.Sleep(10 * time.Millisecond)
+
+	err = vlt.AddSecret("test/secret", []byte("version-2"), true)
+	require.NoError(t, err)
+
+	// Get versions
+	vaultDir, _ := vlt.GetDirectory()
+	secretDir := vaultDir + "/secrets.d/test%secret"
+	versions, err := secret.ListVersions(fs, secretDir)
+	require.NoError(t, err)
+	require.Len(t, versions, 2)
+
+	// Test getting current version (empty version string)
+	oldStdout := os.Stdout
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+
+	err = cli.GetSecretWithVersion("test/secret", "")
+	require.NoError(t, err)
+
+	w.Close()
+	os.Stdout = oldStdout
+	output, _ := io.ReadAll(r)
+
+	assert.Equal(t, "version-2", string(output))
+
+	// Test getting specific version
+	r, w, _ = os.Pipe()
+	os.Stdout = w
+
+	firstVersion := versions[1] // Older version
+	err = cli.GetSecretWithVersion("test/secret", firstVersion)
+	require.NoError(t, err)
+
+	w.Close()
+	os.Stdout = oldStdout
+	output, _ = io.ReadAll(r)
+
+	assert.Equal(t, "version-1", string(output))
+}
+
+func TestVersionCommandStructure(t *testing.T) {
+	// Test that version commands are properly structured
+	cli := NewCLIInstance()
+	cmd := VersionCommands(cli)
+
+	assert.Equal(t, "version", cmd.Use)
+	assert.Equal(t, "Manage secret versions", cmd.Short)
+
+	// Check subcommands
+	listCmd := cmd.Commands()[0]
+	assert.Equal(t, "list <secret-name>", listCmd.Use)
+	assert.Equal(t, "List all versions of a secret", listCmd.Short)
+
+	promoteCmd := cmd.Commands()[1]
+	assert.Equal(t, "promote <secret-name> <version>", promoteCmd.Use)
+	assert.Equal(t, "Promote a specific version to current", promoteCmd.Short)
+}
+
+func TestListVersionsEmptyOutput(t *testing.T) {
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+	cli := NewCLIInstanceWithStateDir(fs, stateDir)
+
+	// Set up vault with long-term key
+	setupTestVault(t, fs, stateDir)
+
+	// Create a secret directory without versions (edge case)
+	vaultDir := stateDir + "/vaults.d/default"
+	secretDir := vaultDir + "/secrets.d/test%secret"
+	err := fs.MkdirAll(secretDir, 0755)
+	require.NoError(t, err)
+
+	// List versions - should show "No versions found"
+	err = cli.ListVersions("test/secret")
+
+	// Should succeed even with no versions
+	assert.NoError(t, err)
+}