package vault import ( "encoding/json" "fmt" "log/slog" "path/filepath" "regexp" "strings" "time" "filippo.io/age" "git.eeqj.de/sneak/secret/internal/secret" "github.com/spf13/afero" ) // ListSecrets returns a list of secret names in this vault func (v *Vault) ListSecrets() ([]string, error) { secret.DebugWith("Listing secrets in vault", slog.String("vault_name", v.Name)) vaultDir, err := v.GetDirectory() if err != nil { secret.Debug("Failed to get vault directory for secret listing", "error", err, "vault_name", v.Name) return nil, err } secretsDir := filepath.Join(vaultDir, "secrets.d") // Check if secrets directory exists exists, err := afero.DirExists(v.fs, secretsDir) if err != nil { secret.Debug("Failed to check secrets directory", "error", err, "secrets_dir", secretsDir) return nil, fmt.Errorf("failed to check if secrets directory exists: %w", err) } if !exists { secret.Debug("Secrets directory does not exist", "secrets_dir", secretsDir, "vault_name", v.Name) return []string{}, nil } // List directories in secrets.d files, err := afero.ReadDir(v.fs, secretsDir) if err != nil { secret.Debug("Failed to read secrets directory", "error", err, "secrets_dir", secretsDir) return nil, fmt.Errorf("failed to read secrets directory: %w", err) } var secrets []string for _, file := range files { if file.IsDir() { // Convert storage name back to secret name secretName := strings.ReplaceAll(file.Name(), "%", "/") secrets = append(secrets, secretName) } } secret.DebugWith("Found secrets in vault", slog.String("vault_name", v.Name), slog.Int("secret_count", len(secrets)), slog.Any("secret_names", secrets), ) return secrets, nil } // isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+ func isValidSecretName(name string) bool { if name == "" { return false } matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name) return matched } // AddSecret adds a secret to this vault func (v *Vault) AddSecret(name string, value []byte, force bool) error { secret.DebugWith("Adding secret to vault", slog.String("vault_name", v.Name), slog.String("secret_name", name), slog.Int("value_length", len(value)), slog.Bool("force", force), ) // Validate secret name if !isValidSecretName(name) { secret.Debug("Invalid secret name provided", "secret_name", name) return fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name) } secret.Debug("Secret name validation passed", "secret_name", name) secret.Debug("Getting vault directory") vaultDir, err := v.GetDirectory() if err != nil { secret.Debug("Failed to get vault directory for secret addition", "error", err, "vault_name", v.Name) return err } secret.Debug("Got vault directory", "vault_dir", vaultDir) // Convert slashes to percent signs for storage storageName := strings.ReplaceAll(name, "/", "%") secretDir := filepath.Join(vaultDir, "secrets.d", storageName) secret.DebugWith("Secret storage details", slog.String("storage_name", storageName), slog.String("secret_dir", secretDir), ) // Check if secret already exists secret.Debug("Checking if secret already exists", "secret_dir", secretDir) exists, err := afero.DirExists(v.fs, secretDir) if err != nil { secret.Debug("Failed to check if secret exists", "error", err, "secret_dir", secretDir) return fmt.Errorf("failed to check if secret exists: %w", err) } secret.Debug("Secret existence check complete", "exists", exists) if exists && !force { secret.Debug("Secret already exists and force not specified", "secret_name", name, "secret_dir", secretDir) return fmt.Errorf("secret %s already exists (use --force to overwrite)", name) } // Create secret directory secret.Debug("Creating secret directory", "secret_dir", secretDir) if err := v.fs.MkdirAll(secretDir, secret.DirPerms); err != nil { secret.Debug("Failed to create secret directory", "error", err, "secret_dir", secretDir) return fmt.Errorf("failed to create secret directory: %w", err) } secret.Debug("Created secret directory successfully") // Step 1: Generate a new keypair for this secret secret.Debug("Generating secret-specific keypair", "secret_name", name) secretIdentity, err := age.GenerateX25519Identity() if err != nil { secret.Debug("Failed to generate secret keypair", "error", err, "secret_name", name) return fmt.Errorf("failed to generate secret keypair: %w", err) } secretPublicKey := secretIdentity.Recipient().String() secretPrivateKey := secretIdentity.String() secret.DebugWith("Generated secret keypair", slog.String("secret_name", name), slog.String("public_key", secretPublicKey), ) // Step 2: Store the secret's public key pubKeyPath := filepath.Join(secretDir, "pub.age") secret.Debug("Writing secret public key", "path", pubKeyPath) if err := afero.WriteFile(v.fs, pubKeyPath, []byte(secretPublicKey), secret.FilePerms); err != nil { secret.Debug("Failed to write secret public key", "error", err, "path", pubKeyPath) return fmt.Errorf("failed to write secret public key: %w", err) } secret.Debug("Wrote secret public key successfully") // Step 3: Encrypt the secret value to the secret's public key secret.Debug("Encrypting secret value to secret's public key", "secret_name", name) encryptedValue, err := secret.EncryptToRecipient(value, secretIdentity.Recipient()) if err != nil { secret.Debug("Failed to encrypt secret value", "error", err, "secret_name", name) return fmt.Errorf("failed to encrypt secret value: %w", err) } secret.DebugWith("Secret value encrypted", slog.String("secret_name", name), slog.Int("encrypted_length", len(encryptedValue)), ) // Step 4: Store the encrypted secret value as value.age valuePath := filepath.Join(secretDir, "value.age") secret.Debug("Writing encrypted secret value", "path", valuePath) if err := afero.WriteFile(v.fs, valuePath, encryptedValue, secret.FilePerms); err != nil { secret.Debug("Failed to write encrypted secret value", "error", err, "path", valuePath) return fmt.Errorf("failed to write encrypted secret value: %w", err) } secret.Debug("Wrote encrypted secret value successfully") // Step 5: Get long-term public key for encrypting the secret's private key ltPubKeyPath := filepath.Join(vaultDir, "pub.age") secret.Debug("Reading long-term public key", "path", ltPubKeyPath) ltPubKeyData, err := afero.ReadFile(v.fs, ltPubKeyPath) if err != nil { secret.Debug("Failed to read long-term public key", "error", err, "path", ltPubKeyPath) return fmt.Errorf("failed to read long-term public key: %w", err) } secret.Debug("Read long-term public key successfully", "key_length", len(ltPubKeyData)) secret.Debug("Parsing long-term public key") ltRecipient, err := age.ParseX25519Recipient(string(ltPubKeyData)) if err != nil { secret.Debug("Failed to parse long-term public key", "error", err) return fmt.Errorf("failed to parse long-term public key: %w", err) } secret.DebugWith("Parsed long-term public key", slog.String("recipient", ltRecipient.String())) // Step 6: Encrypt the secret's private key to the long-term public key secret.Debug("Encrypting secret private key to long-term public key", "secret_name", name) encryptedPrivKey, err := secret.EncryptToRecipient([]byte(secretPrivateKey), ltRecipient) if err != nil { secret.Debug("Failed to encrypt secret private key", "error", err, "secret_name", name) return fmt.Errorf("failed to encrypt secret private key: %w", err) } secret.DebugWith("Secret private key encrypted", slog.String("secret_name", name), slog.Int("encrypted_length", len(encryptedPrivKey)), ) // Step 7: Store the encrypted secret private key as priv.age privKeyPath := filepath.Join(secretDir, "priv.age") secret.Debug("Writing encrypted secret private key", "path", privKeyPath) if err := afero.WriteFile(v.fs, privKeyPath, encryptedPrivKey, secret.FilePerms); err != nil { secret.Debug("Failed to write encrypted secret private key", "error", err, "path", privKeyPath) return fmt.Errorf("failed to write encrypted secret private key: %w", err) } secret.Debug("Wrote encrypted secret private key successfully") // Step 8: Create and write metadata secret.Debug("Creating secret metadata") now := time.Now() metadata := SecretMetadata{ Name: name, CreatedAt: now, UpdatedAt: now, } secret.DebugWith("Creating secret metadata", slog.String("secret_name", metadata.Name), slog.Time("created_at", metadata.CreatedAt), slog.Time("updated_at", metadata.UpdatedAt), ) secret.Debug("Marshaling secret metadata") metadataBytes, err := json.MarshalIndent(metadata, "", " ") if err != nil { secret.Debug("Failed to marshal secret metadata", "error", err) return fmt.Errorf("failed to marshal secret metadata: %w", err) } secret.Debug("Marshaled secret metadata successfully") metadataPath := filepath.Join(secretDir, "secret-metadata.json") secret.Debug("Writing secret metadata", "path", metadataPath) if err := afero.WriteFile(v.fs, metadataPath, metadataBytes, secret.FilePerms); err != nil { secret.Debug("Failed to write secret metadata", "error", err, "path", metadataPath) return fmt.Errorf("failed to write secret metadata: %w", err) } secret.Debug("Wrote secret metadata successfully") secret.Debug("Successfully added secret to vault with per-secret key architecture", "secret_name", name, "vault_name", v.Name) return nil } // GetSecret retrieves a secret from this vault func (v *Vault) GetSecret(name string) ([]byte, error) { secret.DebugWith("Getting secret from vault", slog.String("vault_name", v.Name), slog.String("secret_name", name), ) // Create a secret object to handle file access secretObj := secret.NewSecret(v, name) // Check if secret exists exists, err := secretObj.Exists() if err != nil { secret.Debug("Failed to check if secret exists", "error", err, "secret_name", name) return nil, fmt.Errorf("failed to check if secret exists: %w", err) } if !exists { secret.Debug("Secret not found in vault", "secret_name", name, "vault_name", v.Name) return nil, fmt.Errorf("secret %s not found", name) } secret.Debug("Secret exists, proceeding with vault unlock and decryption", "secret_name", name) // Step 1: Unlock the vault (get long-term key in memory) longTermIdentity, err := v.UnlockVault() if err != nil { secret.Debug("Failed to unlock vault", "error", err, "vault_name", v.Name) return nil, fmt.Errorf("failed to unlock vault: %w", err) } secret.DebugWith("Successfully unlocked vault", slog.String("vault_name", v.Name), slog.String("secret_name", name), slog.String("long_term_public_key", longTermIdentity.Recipient().String()), ) // Step 2: Use the unlocked vault to decrypt the secret decryptedValue, err := v.decryptSecretWithLongTermKey(name, longTermIdentity) if err != nil { secret.Debug("Failed to decrypt secret with long-term key", "error", err, "secret_name", name) return nil, fmt.Errorf("failed to decrypt secret: %w", err) } secret.DebugWith("Successfully decrypted secret with per-secret key architecture", slog.String("secret_name", name), slog.String("vault_name", v.Name), slog.Int("decrypted_length", len(decryptedValue)), ) return decryptedValue, nil } // UnlockVault unlocks the vault and returns the long-term private key func (v *Vault) UnlockVault() (*age.X25519Identity, error) { secret.Debug("Unlocking vault", "vault_name", v.Name) // If vault is already unlocked, return the cached key if !v.Locked() { secret.Debug("Vault already unlocked, returning cached long-term key", "vault_name", v.Name) return v.longTermKey, nil } // Get or derive the long-term key (but don't store it yet) longTermIdentity, err := v.GetOrDeriveLongTermKey() if err != nil { secret.Debug("Failed to get or derive long-term key", "error", err, "vault_name", v.Name) return nil, fmt.Errorf("failed to get long-term key: %w", err) } // Now unlock the vault by storing the key in memory v.Unlock(longTermIdentity) secret.DebugWith("Successfully unlocked vault", slog.String("vault_name", v.Name), slog.String("public_key", longTermIdentity.Recipient().String()), ) return longTermIdentity, nil } // decryptSecretWithLongTermKey decrypts a secret using the provided long-term key func (v *Vault) decryptSecretWithLongTermKey(name string, longTermIdentity *age.X25519Identity) ([]byte, error) { secret.DebugWith("Decrypting secret with long-term key", slog.String("secret_name", name), slog.String("vault_name", v.Name), ) // Get vault and secret directories vaultDir, err := v.GetDirectory() if err != nil { secret.Debug("Failed to get vault directory", "error", err, "vault_name", v.Name) return nil, err } storageName := strings.ReplaceAll(name, "/", "%") secretDir := filepath.Join(vaultDir, "secrets.d", storageName) // Step 1: Read the encrypted secret private key from priv.age encryptedSecretPrivKeyPath := filepath.Join(secretDir, "priv.age") secret.Debug("Reading encrypted secret private key", "path", encryptedSecretPrivKeyPath) encryptedSecretPrivKey, err := afero.ReadFile(v.fs, encryptedSecretPrivKeyPath) if err != nil { secret.Debug("Failed to read encrypted secret private key", "error", err, "path", encryptedSecretPrivKeyPath) return nil, fmt.Errorf("failed to read encrypted secret private key: %w", err) } secret.DebugWith("Read encrypted secret private key", slog.String("secret_name", name), slog.Int("encrypted_length", len(encryptedSecretPrivKey)), ) // Step 2: Decrypt the secret's private key using the long-term private key secret.Debug("Decrypting secret private key with long-term key", "secret_name", name) secretPrivKeyData, err := secret.DecryptWithIdentity(encryptedSecretPrivKey, longTermIdentity) if err != nil { secret.Debug("Failed to decrypt secret private key", "error", err, "secret_name", name) return nil, fmt.Errorf("failed to decrypt secret private key: %w", err) } // Step 3: Parse the secret's private key secret.Debug("Parsing secret private key", "secret_name", name) secretIdentity, err := age.ParseX25519Identity(string(secretPrivKeyData)) if err != nil { secret.Debug("Failed to parse secret private key", "error", err, "secret_name", name) return nil, fmt.Errorf("failed to parse secret private key: %w", err) } secret.DebugWith("Successfully parsed secret identity", slog.String("secret_name", name), slog.String("public_key", secretIdentity.Recipient().String()), ) // Step 4: Read the encrypted secret value from value.age encryptedValuePath := filepath.Join(secretDir, "value.age") secret.Debug("Reading encrypted secret value", "path", encryptedValuePath) encryptedValue, err := afero.ReadFile(v.fs, encryptedValuePath) if err != nil { secret.Debug("Failed to read encrypted secret value", "error", err, "path", encryptedValuePath) return nil, fmt.Errorf("failed to read encrypted secret value: %w", err) } secret.DebugWith("Read encrypted secret value", slog.String("secret_name", name), slog.Int("encrypted_length", len(encryptedValue)), ) // Step 5: Decrypt the secret value using the secret's private key secret.Debug("Decrypting secret value with secret's private key", "secret_name", name) decryptedValue, err := secret.DecryptWithIdentity(encryptedValue, secretIdentity) if err != nil { secret.Debug("Failed to decrypt secret value", "error", err, "secret_name", name) return nil, fmt.Errorf("failed to decrypt secret value: %w", err) } secret.DebugWith("Successfully decrypted secret value", slog.String("secret_name", name), slog.Int("decrypted_length", len(decryptedValue)), ) return decryptedValue, nil } // GetSecretObject retrieves a Secret object with metadata loaded from this vault func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) { // First check if the secret exists by checking for the metadata file vaultDir, err := v.GetDirectory() if err != nil { return nil, err } // Convert slashes to percent signs for storage storageName := strings.ReplaceAll(name, "/", "%") secretDir := filepath.Join(vaultDir, "secrets.d", storageName) // Check if secret directory exists exists, err := afero.DirExists(v.fs, secretDir) if err != nil { return nil, fmt.Errorf("failed to check if secret exists: %w", err) } if !exists { return nil, fmt.Errorf("secret %s not found", name) } // Create a Secret object secretObj := secret.NewSecret(v, name) // Load the metadata from disk if err := secretObj.LoadMetadata(); err != nil { return nil, err } return secretObj, nil }