sneak
a6f24e9581
- Restrict --keyid flag to PGP unlocker type only - Add validation to prevent --keyid usage with non-PGP unlockers - Implement 'secret move' command with 'mv' and 'rename' aliases - Add comprehensive tests for move functionality - Update documentation to reflect optional nature of --keyid for PGP The move command allows renaming or moving secrets within a vault while preserving all versions and metadata. It fails if the destination already exists to prevent accidental overwrites.
586 lines
16 KiB
Go
586 lines
16 KiB
Go
package cli
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"git.eeqj.de/sneak/secret/internal/secret"
|
|
"git.eeqj.de/sneak/secret/internal/vault"
|
|
"github.com/awnumar/memguard"
|
|
"github.com/spf13/afero"
|
|
"github.com/spf13/cobra"
|
|
)
|
|
|
|
func newAddCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "add <secret-name>",
|
|
Short: "Add a secret to the vault",
|
|
Long: `Add a secret to the current vault. The secret value is read from stdin.`,
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
secret.Debug("Add command RunE starting", "secret_name", args[0])
|
|
force, _ := cmd.Flags().GetBool("force")
|
|
secret.Debug("Got force flag", "force", force)
|
|
|
|
cli := NewCLIInstance()
|
|
cli.cmd = cmd // Set the command for stdin access
|
|
secret.Debug("Created CLI instance, calling AddSecret")
|
|
|
|
return cli.AddSecret(args[0], force)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
|
|
|
|
return cmd
|
|
}
|
|
|
|
func newGetCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "get <secret-name>",
|
|
Short: "Retrieve a secret from the vault",
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
version, _ := cmd.Flags().GetString("version")
|
|
cli := NewCLIInstance()
|
|
|
|
return cli.GetSecretWithVersion(cmd, args[0], version)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().StringP("version", "v", "", "Get a specific version (default: current)")
|
|
|
|
return cmd
|
|
}
|
|
|
|
func newListCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "list [filter]",
|
|
Aliases: []string{"ls"},
|
|
Short: "List all secrets in the current vault",
|
|
Long: `List all secrets in the current vault. Optionally filter by substring match in secret name.`,
|
|
Args: cobra.MaximumNArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
jsonOutput, _ := cmd.Flags().GetBool("json")
|
|
quietOutput, _ := cmd.Flags().GetBool("quiet")
|
|
|
|
var filter string
|
|
if len(args) > 0 {
|
|
filter = args[0]
|
|
}
|
|
|
|
cli := NewCLIInstance()
|
|
|
|
return cli.ListSecrets(cmd, jsonOutput, quietOutput, filter)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().Bool("json", false, "Output in JSON format")
|
|
cmd.Flags().BoolP("quiet", "q", false, "Output only secret names (for scripting)")
|
|
|
|
return cmd
|
|
}
|
|
|
|
func newImportCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "import <secret-name>",
|
|
Short: "Import a secret from a file",
|
|
Long: `Import a secret from a file and store it in the current vault under the given name.`,
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
sourceFile, _ := cmd.Flags().GetString("source")
|
|
force, _ := cmd.Flags().GetBool("force")
|
|
|
|
cli := NewCLIInstance()
|
|
|
|
return cli.ImportSecret(cmd, args[0], sourceFile, force)
|
|
},
|
|
}
|
|
|
|
cmd.Flags().StringP("source", "s", "", "Source file to import from (required)")
|
|
cmd.Flags().BoolP("force", "f", false, "Overwrite existing secret")
|
|
_ = cmd.MarkFlagRequired("source")
|
|
|
|
return cmd
|
|
}
|
|
|
|
func newRemoveCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "remove <secret-name>",
|
|
Aliases: []string{"rm"},
|
|
Short: "Remove a secret from the vault",
|
|
Long: `Remove a secret and all its versions from the current vault. This action is permanent and ` +
|
|
`cannot be undone.`,
|
|
Args: cobra.ExactArgs(1),
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
cli := NewCLIInstance()
|
|
|
|
return cli.RemoveSecret(cmd, args[0], false)
|
|
},
|
|
}
|
|
|
|
return cmd
|
|
}
|
|
|
|
func newMoveCmd() *cobra.Command {
|
|
cmd := &cobra.Command{
|
|
Use: "move <source> <destination>",
|
|
Aliases: []string{"mv", "rename"},
|
|
Short: "Move or rename a secret",
|
|
Long: `Move or rename a secret within the current vault. ` +
|
|
`If the destination already exists, the operation will fail.`,
|
|
Args: cobra.ExactArgs(2), //nolint:mnd // Command requires exactly 2 arguments: source and destination
|
|
RunE: func(cmd *cobra.Command, args []string) error {
|
|
cli := NewCLIInstance()
|
|
|
|
return cli.MoveSecret(cmd, args[0], args[1])
|
|
},
|
|
}
|
|
|
|
return cmd
|
|
}
|
|
|
|
// updateBufferSize updates the buffer size based on usage pattern
|
|
func updateBufferSize(currentSize int, sameSize *int) int {
|
|
*sameSize++
|
|
const doubleAfterBuffers = 2
|
|
const growthFactor = 2
|
|
if *sameSize >= doubleAfterBuffers {
|
|
*sameSize = 0
|
|
|
|
return currentSize * growthFactor
|
|
}
|
|
|
|
return currentSize
|
|
}
|
|
|
|
// AddSecret adds a secret to the current vault
|
|
func (cli *Instance) AddSecret(secretName string, force bool) error {
|
|
secret.Debug("CLI AddSecret starting", "secret_name", secretName, "force", force)
|
|
|
|
// Get current vault
|
|
secret.Debug("Getting current vault")
|
|
vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
secret.Debug("Got current vault", "vault_name", vlt.GetName())
|
|
|
|
// Read secret value directly into protected buffers
|
|
secret.Debug("Reading secret value from stdin into protected buffers")
|
|
|
|
const initialSize = 4 * 1024 // 4KB initial buffer
|
|
const maxSize = 100 * 1024 * 1024 // 100MB max
|
|
|
|
type bufferInfo struct {
|
|
buffer *memguard.LockedBuffer
|
|
used int
|
|
}
|
|
|
|
var buffers []bufferInfo
|
|
defer func() {
|
|
for _, b := range buffers {
|
|
b.buffer.Destroy()
|
|
}
|
|
}()
|
|
|
|
reader := cli.cmd.InOrStdin()
|
|
totalSize := 0
|
|
currentBufferSize := initialSize
|
|
sameSize := 0
|
|
|
|
for {
|
|
// Create a new buffer
|
|
buffer := memguard.NewBuffer(currentBufferSize)
|
|
n, err := io.ReadFull(reader, buffer.Bytes())
|
|
|
|
if n == 0 {
|
|
// No data read, destroy the unused buffer
|
|
buffer.Destroy()
|
|
} else {
|
|
buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
|
|
totalSize += n
|
|
|
|
if totalSize > maxSize {
|
|
return fmt.Errorf("secret too large: exceeds 100MB limit")
|
|
}
|
|
|
|
// If we filled the buffer, consider growing for next iteration
|
|
if n == currentBufferSize {
|
|
currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
|
|
}
|
|
}
|
|
|
|
if err == io.EOF || err == io.ErrUnexpectedEOF {
|
|
break
|
|
} else if err != nil {
|
|
return fmt.Errorf("failed to read secret value: %w", err)
|
|
}
|
|
}
|
|
|
|
// Check for trailing newline in the last buffer
|
|
if len(buffers) > 0 && totalSize > 0 {
|
|
lastBuffer := &buffers[len(buffers)-1]
|
|
if lastBuffer.buffer.Bytes()[lastBuffer.used-1] == '\n' {
|
|
lastBuffer.used--
|
|
totalSize--
|
|
}
|
|
}
|
|
|
|
secret.Debug("Read secret value from stdin", "value_length", totalSize, "buffers", len(buffers))
|
|
|
|
// Combine all buffers into a single protected buffer
|
|
valueBuffer := memguard.NewBuffer(totalSize)
|
|
defer valueBuffer.Destroy()
|
|
|
|
offset := 0
|
|
for _, b := range buffers {
|
|
copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
|
|
offset += b.used
|
|
}
|
|
|
|
// Add the secret to the vault
|
|
secret.Debug("Calling vault.AddSecret", "secret_name", secretName, "value_length", valueBuffer.Size(), "force", force)
|
|
if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
|
|
secret.Debug("vault.AddSecret failed", "error", err)
|
|
|
|
return err
|
|
}
|
|
|
|
secret.Debug("vault.AddSecret completed successfully")
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetSecret retrieves and prints a secret from the current vault
|
|
func (cli *Instance) GetSecret(cmd *cobra.Command, secretName string) error {
|
|
return cli.GetSecretWithVersion(cmd, secretName, "")
|
|
}
|
|
|
|
// GetSecretWithVersion retrieves and prints a specific version of a secret
|
|
func (cli *Instance) GetSecretWithVersion(cmd *cobra.Command, secretName string, version string) error {
|
|
secret.Debug("GetSecretWithVersion called", "secretName", secretName, "version", version)
|
|
|
|
// Get current vault
|
|
vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
secret.Debug("Failed to get current vault", "error", err)
|
|
|
|
return err
|
|
}
|
|
|
|
// Get the secret value
|
|
var value []byte
|
|
if version == "" {
|
|
value, err = vlt.GetSecret(secretName)
|
|
} else {
|
|
value, err = vlt.GetSecretVersion(secretName, version)
|
|
}
|
|
if err != nil {
|
|
secret.Debug("Failed to get secret", "error", err)
|
|
|
|
return err
|
|
}
|
|
|
|
secret.Debug("Got secret value", "valueLength", len(value))
|
|
|
|
// Print the secret value to stdout
|
|
cmd.Print(string(value))
|
|
secret.Debug("Printed value to cmd")
|
|
|
|
// Debug: Log what we're actually printing
|
|
secret.Debug("Secret retrieval debug info",
|
|
"secretName", secretName,
|
|
"version", version,
|
|
"valueLength", len(value),
|
|
"valueAsString", string(value),
|
|
"isEmpty", len(value) == 0)
|
|
|
|
return nil
|
|
}
|
|
|
|
// ListSecrets lists all secrets in the current vault
|
|
func (cli *Instance) ListSecrets(cmd *cobra.Command, jsonOutput bool, quietOutput bool, filter string) error {
|
|
// Get current vault
|
|
vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Get list of secrets
|
|
secrets, err := vlt.ListSecrets()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to list secrets: %w", err)
|
|
}
|
|
|
|
// Filter secrets if filter is provided
|
|
var filteredSecrets []string
|
|
if filter != "" {
|
|
for _, secretName := range secrets {
|
|
if strings.Contains(secretName, filter) {
|
|
filteredSecrets = append(filteredSecrets, secretName)
|
|
}
|
|
}
|
|
} else {
|
|
filteredSecrets = secrets
|
|
}
|
|
|
|
if jsonOutput { //nolint:nestif // Separate JSON and table output formatting logic
|
|
// For JSON output, get metadata for each secret
|
|
secretsWithMetadata := make([]map[string]interface{}, 0, len(filteredSecrets))
|
|
|
|
for _, secretName := range filteredSecrets {
|
|
secretInfo := map[string]interface{}{
|
|
"name": secretName,
|
|
}
|
|
|
|
// Try to get metadata using GetSecretObject
|
|
if secretObj, err := vlt.GetSecretObject(secretName); err == nil {
|
|
metadata := secretObj.GetMetadata()
|
|
secretInfo["created_at"] = metadata.CreatedAt
|
|
secretInfo["updated_at"] = metadata.UpdatedAt
|
|
}
|
|
|
|
secretsWithMetadata = append(secretsWithMetadata, secretInfo)
|
|
}
|
|
|
|
output := map[string]interface{}{
|
|
"secrets": secretsWithMetadata,
|
|
}
|
|
if filter != "" {
|
|
output["filter"] = filter
|
|
}
|
|
|
|
jsonBytes, err := json.MarshalIndent(output, "", " ")
|
|
if err != nil {
|
|
return fmt.Errorf("failed to marshal JSON: %w", err)
|
|
}
|
|
|
|
cmd.Println(string(jsonBytes))
|
|
} else if quietOutput {
|
|
// Quiet output - just secret names
|
|
for _, secretName := range filteredSecrets {
|
|
cmd.Println(secretName)
|
|
}
|
|
} else {
|
|
// Pretty table output
|
|
if len(filteredSecrets) == 0 {
|
|
if filter != "" {
|
|
cmd.Printf("No secrets found in vault '%s' matching filter '%s'.\n", vlt.GetName(), filter)
|
|
} else {
|
|
cmd.Println("No secrets found in current vault.")
|
|
cmd.Println("Run 'secret add <name>' to create one.")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Get current vault name for display
|
|
if filter != "" {
|
|
cmd.Printf("Secrets in vault '%s' matching '%s':\n\n", vlt.GetName(), filter)
|
|
} else {
|
|
cmd.Printf("Secrets in vault '%s':\n\n", vlt.GetName())
|
|
}
|
|
cmd.Printf("%-40s %-20s\n", "NAME", "LAST UPDATED")
|
|
cmd.Printf("%-40s %-20s\n", "----", "------------")
|
|
|
|
for _, secretName := range filteredSecrets {
|
|
lastUpdated := "unknown"
|
|
if secretObj, err := vlt.GetSecretObject(secretName); err == nil {
|
|
metadata := secretObj.GetMetadata()
|
|
lastUpdated = metadata.UpdatedAt.Format("2006-01-02 15:04")
|
|
}
|
|
cmd.Printf("%-40s %-20s\n", secretName, lastUpdated)
|
|
}
|
|
|
|
cmd.Printf("\nTotal: %d secret(s)", len(filteredSecrets))
|
|
if filter != "" {
|
|
cmd.Printf(" (filtered from %d)", len(secrets))
|
|
}
|
|
cmd.Println()
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// ImportSecret imports a secret from a file
|
|
func (cli *Instance) ImportSecret(cmd *cobra.Command, secretName, sourceFile string, force bool) error {
|
|
// Get current vault
|
|
vlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Read secret value from the source file into protected buffers
|
|
file, err := cli.fs.Open(sourceFile)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to open file %s: %w", sourceFile, err)
|
|
}
|
|
defer func() {
|
|
if err := file.Close(); err != nil {
|
|
secret.Debug("Failed to close file", "error", err)
|
|
}
|
|
}()
|
|
|
|
const initialSize = 4 * 1024 // 4KB initial buffer
|
|
const maxSize = 100 * 1024 * 1024 // 100MB max
|
|
|
|
type bufferInfo struct {
|
|
buffer *memguard.LockedBuffer
|
|
used int
|
|
}
|
|
|
|
var buffers []bufferInfo
|
|
defer func() {
|
|
for _, b := range buffers {
|
|
b.buffer.Destroy()
|
|
}
|
|
}()
|
|
|
|
totalSize := 0
|
|
currentBufferSize := initialSize
|
|
sameSize := 0
|
|
|
|
for {
|
|
// Create a new buffer
|
|
buffer := memguard.NewBuffer(currentBufferSize)
|
|
n, err := io.ReadFull(file, buffer.Bytes())
|
|
|
|
if n == 0 {
|
|
// No data read, destroy the unused buffer
|
|
buffer.Destroy()
|
|
} else {
|
|
buffers = append(buffers, bufferInfo{buffer: buffer, used: n})
|
|
totalSize += n
|
|
|
|
if totalSize > maxSize {
|
|
return fmt.Errorf("secret file too large: exceeds 100MB limit")
|
|
}
|
|
|
|
// If we filled the buffer, consider growing for next iteration
|
|
if n == currentBufferSize {
|
|
currentBufferSize = updateBufferSize(currentBufferSize, &sameSize)
|
|
}
|
|
}
|
|
|
|
if err == io.EOF || err == io.ErrUnexpectedEOF {
|
|
break
|
|
} else if err != nil {
|
|
return fmt.Errorf("failed to read secret from file %s: %w", sourceFile, err)
|
|
}
|
|
}
|
|
|
|
// Combine all buffers into a single protected buffer
|
|
valueBuffer := memguard.NewBuffer(totalSize)
|
|
defer valueBuffer.Destroy()
|
|
|
|
offset := 0
|
|
for _, b := range buffers {
|
|
copy(valueBuffer.Bytes()[offset:], b.buffer.Bytes()[:b.used])
|
|
offset += b.used
|
|
}
|
|
|
|
// Store the secret in the vault
|
|
if err := vlt.AddSecret(secretName, valueBuffer, force); err != nil {
|
|
return err
|
|
}
|
|
|
|
cmd.Printf("Successfully imported secret '%s' from file '%s'\n", secretName, sourceFile)
|
|
|
|
return nil
|
|
}
|
|
|
|
// RemoveSecret removes a secret from the vault
|
|
func (cli *Instance) RemoveSecret(cmd *cobra.Command, secretName string, _ bool) error {
|
|
// Get current vault
|
|
currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Check if secret exists
|
|
vaultDir, err := currentVlt.GetDirectory()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
encodedName := strings.ReplaceAll(secretName, "/", "%")
|
|
secretDir := filepath.Join(vaultDir, "secrets.d", encodedName)
|
|
|
|
exists, err := afero.DirExists(cli.fs, secretDir)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to check if secret exists: %w", err)
|
|
}
|
|
if !exists {
|
|
return fmt.Errorf("secret '%s' not found", secretName)
|
|
}
|
|
|
|
// Count versions for information
|
|
versionsDir := filepath.Join(secretDir, "versions")
|
|
versionCount := 0
|
|
if entries, err := afero.ReadDir(cli.fs, versionsDir); err == nil {
|
|
versionCount = len(entries)
|
|
}
|
|
|
|
// Remove the secret directory
|
|
if err := cli.fs.RemoveAll(secretDir); err != nil {
|
|
return fmt.Errorf("failed to remove secret: %w", err)
|
|
}
|
|
|
|
cmd.Printf("Removed secret '%s' (%d version(s) deleted)\n", secretName, versionCount)
|
|
|
|
return nil
|
|
}
|
|
|
|
// MoveSecret moves or renames a secret
|
|
func (cli *Instance) MoveSecret(cmd *cobra.Command, sourceName, destName string) error {
|
|
// Get current vault
|
|
currentVlt, err := vault.GetCurrentVault(cli.fs, cli.stateDir)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Get vault directory
|
|
vaultDir, err := currentVlt.GetDirectory()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Check if source exists
|
|
sourceEncoded := strings.ReplaceAll(sourceName, "/", "%")
|
|
sourceDir := filepath.Join(vaultDir, "secrets.d", sourceEncoded)
|
|
|
|
exists, err := afero.DirExists(cli.fs, sourceDir)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to check if source secret exists: %w", err)
|
|
}
|
|
if !exists {
|
|
return fmt.Errorf("secret '%s' not found", sourceName)
|
|
}
|
|
|
|
// Check if destination already exists
|
|
destEncoded := strings.ReplaceAll(destName, "/", "%")
|
|
destDir := filepath.Join(vaultDir, "secrets.d", destEncoded)
|
|
|
|
exists, err = afero.DirExists(cli.fs, destDir)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to check if destination secret exists: %w", err)
|
|
}
|
|
if exists {
|
|
return fmt.Errorf("secret '%s' already exists", destName)
|
|
}
|
|
|
|
// Perform the move
|
|
if err := cli.fs.Rename(sourceDir, destDir); err != nil {
|
|
return fmt.Errorf("failed to move secret: %w", err)
|
|
}
|
|
|
|
cmd.Printf("Moved secret '%s' to '%s'\n", sourceName, destName)
|
|
|
|
return nil
|
|
}
|