package cli
import (
"fmt"
"log/slog"
"os"
"path/filepath"
"strings"
"time"
"filippo.io/age"
"git.eeqj.de/sneak/secret/internal/secret"
"git.eeqj.de/sneak/secret/internal/vault"
"git.eeqj.de/sneak/secret/pkg/agehd"
"github.com/spf13/afero"
"github.com/spf13/cobra"
"github.com/tyler-smith/go-bip39"
)
func newInitCmd() *cobra.Command {
return &cobra.Command{
Use: "init",
Short: "Initialize the secrets manager",
Long: `Create the necessary directory structure for storing secrets and generate encryption keys.`,
RunE: func(cmd *cobra.Command, args []string) error {
cli := NewCLIInstance()
return cli.Init(cmd)
},
}
}
// Init initializes the secrets manager
func (cli *CLIInstance) Init(cmd *cobra.Command) error {
secret.Debug("Starting secret manager initialization")
// Create state directory
stateDir := cli.GetStateDir()
secret.DebugWith("Creating state directory", slog.String("path", stateDir))
if err := cli.fs.MkdirAll(stateDir, secret.DirPerms); err != nil {
secret.Debug("Failed to create state directory", "error", err)
return fmt.Errorf("failed to create state directory: %w", err)
}
if cmd != nil {
cmd.Printf("Initialized secrets manager at: %s\n", stateDir)
}
// Prompt for mnemonic
var mnemonicStr string
if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
secret.Debug("Using mnemonic from environment variable")
mnemonicStr = envMnemonic
} else {
secret.Debug("Prompting user for mnemonic phrase")
// Read mnemonic from stdin using shared line reader
var err error
mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
if err != nil {
secret.Debug("Failed to read mnemonic from stdin", "error", err)
return fmt.Errorf("failed to read mnemonic: %w", err)
}
}
if mnemonicStr == "" {
secret.Debug("Empty mnemonic provided")
return fmt.Errorf("mnemonic cannot be empty")
}
// Validate the mnemonic using BIP39
secret.DebugWith("Validating BIP39 mnemonic", slog.Int("word_count", len(strings.Fields(mnemonicStr))))
if !bip39.IsMnemonicValid(mnemonicStr) {
secret.Debug("Invalid BIP39 mnemonic provided")
return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
}
// Calculate mnemonic hash for index tracking
mnemonicHash := vault.ComputeDoubleSHA256([]byte(mnemonicStr))
secret.DebugWith("Calculated mnemonic hash", slog.String("hash", mnemonicHash))
// Get the next available derivation index for this mnemonic
derivationIndex, err := vault.GetNextDerivationIndex(cli.fs, cli.stateDir, mnemonicHash)
if err != nil {
secret.Debug("Failed to get next derivation index", "error", err)
return fmt.Errorf("failed to get next derivation index: %w", err)
}
secret.DebugWith("Using derivation index", slog.Uint64("index", uint64(derivationIndex)))
// Derive long-term keypair from mnemonic with the appropriate index
secret.DebugWith("Deriving long-term key from mnemonic", slog.Uint64("index", uint64(derivationIndex)))
ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, derivationIndex)
if err != nil {
secret.Debug("Failed to derive long-term key", "error", err)
return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
}
// Calculate the long-term key hash
ltKeyHash := vault.ComputeDoubleSHA256([]byte(ltIdentity.String()))
secret.DebugWith("Calculated long-term key hash", slog.String("hash", ltKeyHash))
// Create the default vault
secret.Debug("Creating default vault")
vlt, err := vault.CreateVault(cli.fs, cli.stateDir, "default")
if err != nil {
secret.Debug("Failed to create default vault", "error", err)
return fmt.Errorf("failed to create default vault: %w", err)
}
// Set as current vault
secret.Debug("Setting default vault as current")
if err := vault.SelectVault(cli.fs, cli.stateDir, "default"); err != nil {
secret.Debug("Failed to select default vault", "error", err)
return fmt.Errorf("failed to select default vault: %w", err)
}
// Store long-term public key in vault
vaultDir := filepath.Join(stateDir, "vaults.d", "default")
ltPubKey := ltIdentity.Recipient().String()
secret.DebugWith("Storing long-term public key", slog.String("pubkey", ltPubKey), slog.String("vault_dir", vaultDir))
if err := afero.WriteFile(cli.fs, filepath.Join(vaultDir, "pub.age"), []byte(ltPubKey), secret.FilePerms); err != nil {
secret.Debug("Failed to write long-term public key", "error", err)
return fmt.Errorf("failed to write long-term public key: %w", err)
}
// Save vault metadata
metadata := &vault.VaultMetadata{
Name: "default",
CreatedAt: time.Now(),
DerivationIndex: derivationIndex,
LongTermKeyHash: ltKeyHash,
MnemonicHash: mnemonicHash,
}
if err := vault.SaveVaultMetadata(cli.fs, vaultDir, metadata); err != nil {
secret.Debug("Failed to save vault metadata", "error", err)
return fmt.Errorf("failed to save vault metadata: %w", err)
}
secret.Debug("Saved vault metadata with derivation index and key hash")
// Unlock the vault with the derived long-term key
vlt.Unlock(ltIdentity)
// Prompt for passphrase for unlocker
var passphraseStr string
if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
secret.Debug("Using unlock passphrase from environment variable")
passphraseStr = envPassphrase
} else {
secret.Debug("Prompting user for unlock passphrase")
// Use secure passphrase input with confirmation
passphraseStr, err = readSecurePassphrase("Enter passphrase for unlocker: ")
if err != nil {
secret.Debug("Failed to read unlock passphrase", "error", err)
return fmt.Errorf("failed to read passphrase: %w", err)
}
}
// Create passphrase-protected unlocker
secret.Debug("Creating passphrase-protected unlocker")
passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
if err != nil {
secret.Debug("Failed to create unlocker", "error", err)
return fmt.Errorf("failed to create unlocker: %w", err)
}
// Encrypt long-term private key to the unlocker
unlockerDir := passphraseUnlocker.GetDirectory()
// Read unlocker public key
unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
if err != nil {
return fmt.Errorf("failed to read unlocker public key: %w", err)
}
unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
if err != nil {
return fmt.Errorf("failed to parse unlocker public key: %w", err)
}
// Encrypt long-term private key to unlocker
ltPrivKeyData := []byte(ltIdentity.String())
encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockerRecipient)
if err != nil {
return fmt.Errorf("failed to encrypt long-term private key: %w", err)
}
// Write encrypted long-term private key
if err := afero.WriteFile(cli.fs, filepath.Join(unlockerDir, "longterm.age"), encryptedLtPrivKey, secret.FilePerms); err != nil {
return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
}
if cmd != nil {
cmd.Printf("\nDefault vault created and configured\n")
cmd.Printf("Long-term public key: %s\n", ltPubKey)
cmd.Printf("Unlocker ID: %s\n", passphraseUnlocker.GetID())
cmd.Println("\nYour secret manager is ready to use!")
cmd.Println("Note: When using SB_SECRET_MNEMONIC environment variable,")
cmd.Println("unlockers are not required for secret operations.")
}
return nil
}
// readSecurePassphrase reads a passphrase securely from the terminal without echoing
// This version adds confirmation (read twice) for creating new unlockers
func readSecurePassphrase(prompt string) (string, error) {
// Get the first passphrase
passphrase1, err := secret.ReadPassphrase(prompt)
if err != nil {
return "", err
}
// Read confirmation passphrase
passphrase2, err := secret.ReadPassphrase("Confirm passphrase: ")
if err != nil {
return "", fmt.Errorf("failed to read passphrase confirmation: %w", err)
}
// Compare passphrases
if passphrase1 != passphrase2 {
return "", fmt.Errorf("passphrases do not match")
}
return passphrase1, nil
}