Compare commits
No commits in common. "main" and "fix/issue-2" have entirely different histories.
main
...
fix/issue-
@ -71,8 +71,6 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
|
||||
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
||||
files, err := afero.ReadDir(fs, unlockersDir)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlockers directory during completion", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
@ -87,15 +85,11 @@ func getUnlockerIDsCompletionFunc(fs afero.Fs, stateDir string) func(
|
||||
// Check if this is the right unlocker by comparing metadata
|
||||
metadataBytes, err := afero.ReadFile(fs, metadataPath)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlocker metadata during completion", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
var diskMetadata secret.UnlockerMetadata
|
||||
if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
|
||||
secret.Warn("Could not parse unlocker metadata during completion", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
@ -4,7 +4,6 @@ import (
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
"git.eeqj.de/sneak/secret/internal/secret"
|
||||
"github.com/spf13/afero"
|
||||
)
|
||||
|
||||
@ -29,8 +28,6 @@ func gatherVaultStats(
|
||||
// Count secrets in this vault
|
||||
secretEntries, err := afero.ReadDir(fs, secretsPath)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read secrets directory for vault", "vault", vaultEntry.Name(), "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
@ -46,8 +43,6 @@ func gatherVaultStats(
|
||||
versionsPath := filepath.Join(secretPath, "versions")
|
||||
versionEntries, err := afero.ReadDir(fs, versionsPath)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read versions directory for secret", "secret", secretEntry.Name(), "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
@ -507,7 +507,7 @@ func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile str
|
||||
}
|
||||
defer func() {
|
||||
if err := file.Close(); err != nil {
|
||||
secret.Warn("Failed to close file", "error", err)
|
||||
secret.Debug("Failed to close file", "error", err)
|
||||
}
|
||||
}()
|
||||
|
||||
|
||||
@ -271,8 +271,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
|
||||
// Create unlocker instance to get the proper ID
|
||||
vaultDir, err := vlt.GetDirectory()
|
||||
if err != nil {
|
||||
secret.Warn("Could not get vault directory while listing unlockers", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
@ -280,8 +278,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
|
||||
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
||||
files, err := afero.ReadDir(cli.fs, unlockersDir)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlockers directory", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
@ -297,16 +293,12 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
|
||||
// Check if this is the right unlocker by comparing metadata
|
||||
metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlocker metadata file", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
continue // FIXME this error needs to be handled
|
||||
}
|
||||
|
||||
var diskMetadata secret.UnlockerMetadata
|
||||
if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
|
||||
secret.Warn("Could not parse unlocker metadata file", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
continue // FIXME this error needs to be handled
|
||||
}
|
||||
|
||||
// Match by type and creation time
|
||||
@ -332,7 +324,6 @@ func (cli *Instance) UnlockersList(jsonOutput bool) error {
|
||||
} else {
|
||||
// Generate ID as fallback
|
||||
properID = fmt.Sprintf("%s-%s", metadata.CreatedAt.Format("2006-01-02.15.04"), metadata.Type)
|
||||
secret.Warn("Could not create unlocker instance, using fallback ID", "fallback_id", properID, "type", metadata.Type)
|
||||
}
|
||||
|
||||
unlockerInfo := UnlockerInfo{
|
||||
@ -599,16 +590,12 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
|
||||
// Get the list of unlockers and check if any match the ID
|
||||
unlockers, err := vlt.ListUnlockers()
|
||||
if err != nil {
|
||||
secret.Warn("Could not list unlockers during duplicate check", "error", err)
|
||||
|
||||
return nil // If we can't list unlockers, assume it doesn't exist
|
||||
}
|
||||
|
||||
// Get vault directory to construct unlocker instances
|
||||
vaultDir, err := vlt.GetDirectory()
|
||||
if err != nil {
|
||||
secret.Warn("Could not get vault directory during duplicate check", "error", err)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -618,8 +605,6 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
|
||||
unlockersDir := filepath.Join(vaultDir, "unlockers.d")
|
||||
files, err := afero.ReadDir(cli.fs, unlockersDir)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlockers directory during duplicate check", "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
@ -634,15 +619,11 @@ func (cli *Instance) checkUnlockerExists(vlt *vault.Vault, unlockerID string) er
|
||||
// Check if this matches our metadata
|
||||
metadataBytes, err := afero.ReadFile(cli.fs, metadataPath)
|
||||
if err != nil {
|
||||
secret.Warn("Could not read unlocker metadata during duplicate check", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
var diskMetadata secret.UnlockerMetadata
|
||||
if err := json.Unmarshal(metadataBytes, &diskMetadata); err != nil {
|
||||
secret.Warn("Could not parse unlocker metadata during duplicate check", "path", metadataPath, "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
@ -164,7 +164,7 @@ func (cli *Instance) ListVersions(cmd *cobra.Command, secretName string) error {
|
||||
|
||||
// Load metadata
|
||||
if err := sv.LoadMetadata(ltIdentity); err != nil {
|
||||
secret.Warn("Failed to load version metadata", "version", version, "error", err)
|
||||
secret.Debug("Failed to load version metadata", "version", version, "error", err)
|
||||
// Display version with error
|
||||
status := "error"
|
||||
if version == currentVersion {
|
||||
|
||||
@ -58,16 +58,6 @@ func IsDebugEnabled() bool {
|
||||
return debugEnabled
|
||||
}
|
||||
|
||||
// Warn logs a warning message to stderr unconditionally (visible without --verbose or debug flags)
|
||||
func Warn(msg string, args ...any) {
|
||||
output := fmt.Sprintf("WARNING: %s", msg)
|
||||
for i := 0; i+1 < len(args); i += 2 {
|
||||
output += fmt.Sprintf(" %s=%v", args[i], args[i+1])
|
||||
}
|
||||
output += "\n"
|
||||
fmt.Fprint(os.Stderr, output)
|
||||
}
|
||||
|
||||
// Debug logs a debug message with optional attributes
|
||||
func Debug(msg string, args ...any) {
|
||||
if !debugEnabled {
|
||||
|
||||
@ -1,82 +0,0 @@
|
||||
package secret
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"git.eeqj.de/sneak/secret/pkg/agehd"
|
||||
"github.com/awnumar/memguard"
|
||||
"github.com/spf13/afero"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
// realVault is a minimal VaultInterface backed by a real afero filesystem,
|
||||
// using the same directory layout as vault.Vault.
|
||||
type realVault struct {
|
||||
name string
|
||||
stateDir string
|
||||
fs afero.Fs
|
||||
}
|
||||
|
||||
func (v *realVault) GetDirectory() (string, error) {
|
||||
return filepath.Join(v.stateDir, "vaults.d", v.name), nil
|
||||
}
|
||||
func (v *realVault) GetName() string { return v.name }
|
||||
func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
|
||||
|
||||
// Unused by getLongTermPrivateKey — these satisfy VaultInterface.
|
||||
func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
|
||||
func (v *realVault) GetCurrentUnlocker() (Unlocker, error) { panic("not used") }
|
||||
func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
|
||||
panic("not used")
|
||||
}
|
||||
|
||||
// createRealVault sets up a complete vault directory structure on an in-memory
|
||||
// filesystem, identical to what vault.CreateVault produces.
|
||||
func createRealVault(t *testing.T, fs afero.Fs, stateDir, name string, derivationIndex uint32) *realVault {
|
||||
t.Helper()
|
||||
|
||||
vaultDir := filepath.Join(stateDir, "vaults.d", name)
|
||||
require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "secrets.d"), DirPerms))
|
||||
require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "unlockers.d"), DirPerms))
|
||||
|
||||
metadata := VaultMetadata{
|
||||
CreatedAt: time.Now(),
|
||||
DerivationIndex: derivationIndex,
|
||||
}
|
||||
metaBytes, err := json.Marshal(metadata)
|
||||
require.NoError(t, err)
|
||||
require.NoError(t, afero.WriteFile(fs, filepath.Join(vaultDir, "vault-metadata.json"), metaBytes, FilePerms))
|
||||
|
||||
return &realVault{name: name, stateDir: stateDir, fs: fs}
|
||||
}
|
||||
|
||||
func TestGetLongTermPrivateKeyUsesVaultDerivationIndex(t *testing.T) {
|
||||
const testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
|
||||
|
||||
// Derive expected keys at two different indices to prove they differ.
|
||||
key0, err := agehd.DeriveIdentity(testMnemonic, 0)
|
||||
require.NoError(t, err)
|
||||
key5, err := agehd.DeriveIdentity(testMnemonic, 5)
|
||||
require.NoError(t, err)
|
||||
require.NotEqual(t, key0.String(), key5.String(),
|
||||
"sanity check: different derivation indices must produce different keys")
|
||||
|
||||
// Build a real vault with DerivationIndex=5 on an in-memory filesystem.
|
||||
fs := afero.NewMemMapFs()
|
||||
vault := createRealVault(t, fs, "/state", "test-vault", 5)
|
||||
|
||||
t.Setenv(EnvMnemonic, testMnemonic)
|
||||
|
||||
result, err := getLongTermPrivateKey(fs, vault)
|
||||
require.NoError(t, err)
|
||||
defer result.Destroy()
|
||||
|
||||
assert.Equal(t, key5.String(), string(result.Bytes()),
|
||||
"getLongTermPrivateKey should derive at vault's DerivationIndex (5)")
|
||||
assert.NotEqual(t, key0.String(), string(result.Bytes()),
|
||||
"getLongTermPrivateKey must not use hardcoded index 0")
|
||||
}
|
||||
@ -53,10 +53,7 @@ func DetermineStateDir(customConfigDir string) (string, error) {
|
||||
return "", fmt.Errorf("unable to determine state directory: config dir: %w, home dir: %w", err, homeErr)
|
||||
}
|
||||
|
||||
fallbackDir := filepath.Join(homeDir, ".config", AppID)
|
||||
Warn("Could not determine user config directory, falling back to default", "fallback", fallbackDir, "error", err)
|
||||
|
||||
return fallbackDir, nil
|
||||
return filepath.Join(homeDir, ".config", AppID), nil
|
||||
}
|
||||
|
||||
return filepath.Join(configDir, AppID), nil
|
||||
|
||||
@ -251,25 +251,8 @@ func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedB
|
||||
// Check if mnemonic is available in environment variable
|
||||
envMnemonic := os.Getenv(EnvMnemonic)
|
||||
if envMnemonic != "" {
|
||||
// Read vault metadata to get the correct derivation index
|
||||
vaultDir, err := vault.GetDirectory()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get vault directory: %w", err)
|
||||
}
|
||||
|
||||
metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
|
||||
metadataBytes, err := afero.ReadFile(fs, metadataPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to read vault metadata: %w", err)
|
||||
}
|
||||
|
||||
var metadata VaultMetadata
|
||||
if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
|
||||
return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
|
||||
}
|
||||
|
||||
// Use mnemonic with the vault's actual derivation index
|
||||
ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
|
||||
// Use mnemonic directly to derive long-term key
|
||||
ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
|
||||
}
|
||||
|
||||
@ -102,8 +102,6 @@ func GenerateVersionName(fs afero.Fs, secretDir string) (string, error) {
|
||||
|
||||
var serial int
|
||||
if _, err := fmt.Sscanf(parts[1], "%03d", &serial); err != nil {
|
||||
Warn("Skipping malformed version directory name", "name", entry.Name(), "error", err)
|
||||
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
@ -213,9 +213,7 @@ func (v *Vault) ListUnlockers() ([]UnlockerMetadata, error) {
|
||||
return nil, fmt.Errorf("failed to check if metadata exists for unlocker %s: %w", file.Name(), err)
|
||||
}
|
||||
if !exists {
|
||||
secret.Warn("Skipping unlocker directory with missing metadata file", "directory", file.Name())
|
||||
|
||||
continue
|
||||
return nil, fmt.Errorf("unlocker directory %s is missing metadata file", file.Name())
|
||||
}
|
||||
|
||||
metadataBytes, err := afero.ReadFile(v.fs, metadataPath)
|
||||
|
||||
@ -243,57 +243,3 @@ func TestVaultOperations(t *testing.T) {
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestListUnlockers_SkipsMissingMetadata(t *testing.T) {
|
||||
// Set test environment variables
|
||||
testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
|
||||
t.Setenv(secret.EnvMnemonic, testMnemonic)
|
||||
t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
|
||||
|
||||
// Use in-memory filesystem
|
||||
fs := afero.NewMemMapFs()
|
||||
stateDir := "/test/state"
|
||||
|
||||
// Create vault
|
||||
vlt, err := CreateVault(fs, stateDir, "test-vault")
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create vault: %v", err)
|
||||
}
|
||||
|
||||
// Create a passphrase unlocker so we have at least one valid unlocker
|
||||
passphraseBuffer := memguard.NewBufferFromBytes([]byte("test-passphrase"))
|
||||
defer passphraseBuffer.Destroy()
|
||||
_, err = vlt.CreatePassphraseUnlocker(passphraseBuffer)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create passphrase unlocker: %v", err)
|
||||
}
|
||||
|
||||
// Create a bogus unlocker directory with no metadata file
|
||||
vaultDir, err := vlt.GetDirectory()
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to get vault directory: %v", err)
|
||||
}
|
||||
bogusDir := filepath.Join(vaultDir, "unlockers.d", "bogus-no-metadata")
|
||||
err = fs.MkdirAll(bogusDir, 0o700)
|
||||
if err != nil {
|
||||
t.Fatalf("Failed to create bogus directory: %v", err)
|
||||
}
|
||||
|
||||
// ListUnlockers should succeed, skipping the bogus directory
|
||||
unlockers, err := vlt.ListUnlockers()
|
||||
if err != nil {
|
||||
t.Fatalf("ListUnlockers returned error when it should have skipped bad directory: %v", err)
|
||||
}
|
||||
|
||||
// Should still have the valid passphrase unlocker
|
||||
if len(unlockers) == 0 {
|
||||
t.Errorf("Expected at least one unlocker, got none")
|
||||
}
|
||||
|
||||
// Verify we only got the valid unlocker(s), not the bogus one
|
||||
for _, u := range unlockers {
|
||||
if u.Type == "" {
|
||||
t.Errorf("Got unlocker with empty type, likely from bogus directory")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user