secret/internal/cli/init.go

package cli

import (
	"fmt"
	"log/slog"
	"os"
	"path/filepath"
	"strings"
	"syscall"

	"filippo.io/age"
	"git.eeqj.de/sneak/secret/internal/secret"
	"git.eeqj.de/sneak/secret/pkg/agehd"
	"github.com/spf13/afero"
	"github.com/spf13/cobra"
	"github.com/tyler-smith/go-bip39"
	"golang.org/x/term"
)

func newInitCmd() *cobra.Command {
	return &cobra.Command{
		Use:   "init",
		Short: "Initialize the secrets manager",
		Long:  `Create the necessary directory structure for storing secrets and generate encryption keys.`,
		RunE: func(cmd *cobra.Command, args []string) error {
			cli := NewCLIInstance()
			return cli.Init(cmd)
		},
	}
}

// Init initializes the secrets manager
func (cli *CLIInstance) Init(cmd *cobra.Command) error {
	secret.Debug("Starting secret manager initialization")

	// Create state directory
	stateDir := cli.GetStateDir()
	secret.DebugWith("Creating state directory", slog.String("path", stateDir))

	if err := cli.fs.MkdirAll(stateDir, 0700); err != nil {
		secret.Debug("Failed to create state directory", "error", err)
		return fmt.Errorf("failed to create state directory: %w", err)
	}

	if cmd != nil {
		cmd.Printf("Initialized secrets manager at: %s\n", stateDir)
	}

	// Prompt for mnemonic
	var mnemonicStr string

	if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
		secret.Debug("Using mnemonic from environment variable")
		mnemonicStr = envMnemonic
	} else {
		secret.Debug("Prompting user for mnemonic phrase")
		// Read mnemonic from stdin using shared line reader
		var err error
		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
		if err != nil {
			secret.Debug("Failed to read mnemonic from stdin", "error", err)
			return fmt.Errorf("failed to read mnemonic: %w", err)
		}
	}

	if mnemonicStr == "" {
		secret.Debug("Empty mnemonic provided")
		return fmt.Errorf("mnemonic cannot be empty")
	}

	// Validate the mnemonic using BIP39
	secret.DebugWith("Validating BIP39 mnemonic", slog.Int("word_count", len(strings.Fields(mnemonicStr))))
	if !bip39.IsMnemonicValid(mnemonicStr) {
		secret.Debug("Invalid BIP39 mnemonic provided")
		return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
	}

	// Derive long-term keypair from mnemonic
	secret.DebugWith("Deriving long-term key from mnemonic", slog.Int("index", 0))
	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, 0)
	if err != nil {
		secret.Debug("Failed to derive long-term key", "error", err)
		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
	}

	// Create default vault
	secret.Debug("Creating default vault")
	vault, err := secret.CreateVault(cli.fs, cli.stateDir, "default")
	if err != nil {
		secret.Debug("Failed to create default vault", "error", err)
		return fmt.Errorf("failed to create default vault: %w", err)
	}

	// Set default vault as current
	secret.Debug("Setting default vault as current")
	if err := secret.SelectVault(cli.fs, cli.stateDir, "default"); err != nil {
		secret.Debug("Failed to select default vault", "error", err)
		return fmt.Errorf("failed to select default vault: %w", err)
	}

	// Store long-term public key in vault
	vaultDir := filepath.Join(stateDir, "vaults.d", "default")
	ltPubKey := ltIdentity.Recipient().String()
	secret.DebugWith("Storing long-term public key", slog.String("pubkey", ltPubKey), slog.String("vault_dir", vaultDir))
	if err := afero.WriteFile(cli.fs, filepath.Join(vaultDir, "pub.age"), []byte(ltPubKey), 0600); err != nil {
		secret.Debug("Failed to write long-term public key", "error", err)
		return fmt.Errorf("failed to write long-term public key: %w", err)
	}

	// Unlock the vault with the derived long-term key
	vault.Unlock(ltIdentity)

	// Prompt for passphrase for unlock key
	var passphraseStr string
	if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
		secret.Debug("Using unlock passphrase from environment variable")
		passphraseStr = envPassphrase
	} else {
		secret.Debug("Prompting user for unlock passphrase")
		// Use secure passphrase input with confirmation
		passphraseStr, err = readSecurePassphrase("Enter passphrase for unlock key: ")
		if err != nil {
			secret.Debug("Failed to read unlock passphrase", "error", err)
			return fmt.Errorf("failed to read passphrase: %w", err)
		}
	}

	// Create passphrase-protected unlock key
	secret.Debug("Creating passphrase-protected unlock key")
	passphraseKey, err := vault.CreatePassphraseKey(passphraseStr)
	if err != nil {
		secret.Debug("Failed to create unlock key", "error", err)
		return fmt.Errorf("failed to create unlock key: %w", err)
	}

	// Encrypt long-term private key to the unlock key
	unlockKeyDir := passphraseKey.GetDirectory()

	// Read unlock key public key
	unlockPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockKeyDir, "pub.age"))
	if err != nil {
		return fmt.Errorf("failed to read unlock key public key: %w", err)
	}

	unlockRecipient, err := age.ParseX25519Recipient(string(unlockPubKeyData))
	if err != nil {
		return fmt.Errorf("failed to parse unlock key public key: %w", err)
	}

	// Encrypt long-term private key to unlock key
	ltPrivKeyData := []byte(ltIdentity.String())
	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockRecipient)
	if err != nil {
		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
	}

	// Write encrypted long-term private key
	if err := afero.WriteFile(cli.fs, filepath.Join(unlockKeyDir, "longterm.age"), encryptedLtPrivKey, 0600); err != nil {
		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
	}

	if cmd != nil {
		cmd.Printf("\nDefault vault created and configured\n")
		cmd.Printf("Long-term public key: %s\n", ltPubKey)
		cmd.Printf("Unlock key ID: %s\n", passphraseKey.GetMetadata().ID)
		cmd.Println("\nYour secret manager is ready to use!")
		cmd.Println("Note: When using SB_SECRET_MNEMONIC environment variable,")
		cmd.Println("unlock keys are not required for secret operations.")
	}

	return nil
}

// readSecurePassphrase reads a passphrase securely from the terminal without echoing
// and prompts for confirmation. Falls back to regular input when not on a terminal.
func readSecurePassphrase(prompt string) (string, error) {
	// Check if stdin is a terminal
	if !term.IsTerminal(int(syscall.Stdin)) {
		// Not a terminal - never read passphrases from piped input for security reasons
		return "", fmt.Errorf("cannot read passphrase from non-terminal stdin (piped input or script). Please set the SB_UNLOCK_PASSPHRASE environment variable or run interactively")
	}

	// Check if stderr is a terminal - if not, we can't prompt interactively
	if !term.IsTerminal(int(syscall.Stderr)) {
		return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE environment variable")
	}

	// Terminal input - use secure password reading with confirmation
	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout

	// Read first passphrase
	passphrase1, err := term.ReadPassword(int(syscall.Stdin))
	if err != nil {
		return "", fmt.Errorf("failed to read passphrase: %w", err)
	}
	fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo

	// Read confirmation passphrase
	fmt.Fprint(os.Stderr, "Confirm passphrase: ") // Write prompt to stderr, not stdout
	passphrase2, err := term.ReadPassword(int(syscall.Stdin))
	if err != nil {
		return "", fmt.Errorf("failed to read passphrase confirmation: %w", err)
	}
	fmt.Fprintln(os.Stderr) // Print newline to stderr since ReadPassword doesn't echo

	// Compare passphrases
	if string(passphrase1) != string(passphrase2) {
		return "", fmt.Errorf("passphrases do not match")
	}

	if len(passphrase1) == 0 {
		return "", fmt.Errorf("passphrase cannot be empty")
	}

	return string(passphrase1), nil
}