Files
coyote/src/vault/mod.rs
T

350 lines
11 KiB
Rust

mod utils;
use std::fs::read_to_string;
use std::path::PathBuf;
use crate::config::paths;
pub use utils::create_vault_password_file;
pub use utils::interpolate_secrets;
pub use utils::prompt_provider_choice;
use crate::cli::Cli;
use crate::config::AppConfig;
use crate::vault::utils::ensure_password_file_initialized;
use anyhow::{Context, Result, anyhow, bail};
use fancy_regex::Regex;
use gman::providers::SecretProvider;
use gman::providers::SupportedProvider;
use gman::providers::local::LocalProvider;
use inquire::{Password, PasswordDisplayMode, required};
use log::{info, warn};
use serde_yaml::Value;
use std::sync::{Arc, LazyLock};
use tokio::runtime::Handle;
use uuid::Uuid;
pub static SECRET_RE: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"\{\{([^{}]+)}}").unwrap());
fn apply_sandboxed_home_translation(provider_def: &mut LocalProvider) {
let Some(ref pf) = provider_def.password_file else {
return;
};
if pf.exists() {
return;
}
let Some(translated) = paths::translate_sandboxed_home_path(pf) else {
return;
};
if !translated.exists() {
return;
}
info!(
"vault password file '{}' not found; resolved to sandboxed path '{}'",
pf.display(),
translated.display()
);
provider_def.password_file = Some(translated);
}
#[derive(Debug, Default, Clone)]
pub struct Vault {
pub(crate) provider: SupportedProvider,
}
pub type GlobalVault = Arc<Vault>;
impl Vault {
pub fn init_bare() -> Result<Self> {
let config_path = paths::config_file();
if !config_path.exists() {
bail!(
"Coyote config not found at {}. Run first-run setup before using the vault.",
config_path.display()
);
}
let content = read_to_string(&config_path)
.with_context(|| format!("failed to read config at {}", config_path.display()))?;
let value: Value = serde_yaml::from_str(&content)
.with_context(|| format!("failed to parse config at {}", config_path.display()))?;
let provider = match value.get("secrets_provider") {
Some(v) if !v.is_null() => serde_yaml::from_value::<SupportedProvider>(v.clone())
.with_context(|| "failed to parse 'secrets_provider' from config")?,
_ => {
let password_file = value
.get("vault_password_file")
.and_then(|v| v.as_str())
.map(PathBuf::from)
.unwrap_or_else(|| AppConfig::default().vault_password_file());
SupportedProvider::Local {
provider_def: LocalProvider {
password_file: Some(password_file),
git_branch: None,
..LocalProvider::default()
},
}
}
};
Ok(Self { provider })
}
pub fn default_local() -> Self {
Self {
provider: SupportedProvider::Local {
provider_def: LocalProvider {
password_file: Some(AppConfig::default().vault_password_file()),
git_branch: None,
..LocalProvider::default()
},
},
}
}
pub fn init(config: &AppConfig) -> Result<Self> {
let mut provider = match &config.secrets_provider {
Some(p) => p.clone(),
None => SupportedProvider::Local {
provider_def: LocalProvider {
password_file: Some(config.vault_password_file()),
..LocalProvider::default()
},
},
};
if let SupportedProvider::Local { provider_def } = &mut provider {
apply_sandboxed_home_translation(provider_def);
ensure_password_file_initialized(provider_def)?;
}
Ok(Self { provider })
}
pub fn local_password_file(&self) -> Result<PathBuf> {
match &self.provider {
SupportedProvider::Local { provider_def } => provider_def
.password_file
.clone()
.with_context(|| "A password file is required for the local provider"),
_ => Err(anyhow!(
"password_file is only available for the local provider"
)),
}
}
fn provider_ref(&self) -> &dyn SecretProvider {
match &self.provider {
SupportedProvider::Local { provider_def } => provider_def,
SupportedProvider::AwsSecretsManager { provider_def } => provider_def,
SupportedProvider::GcpSecretManager { provider_def } => provider_def,
SupportedProvider::AzureKeyVault { provider_def } => provider_def,
SupportedProvider::Gopass { provider_def } => provider_def,
SupportedProvider::OnePassword { provider_def } => provider_def,
}
}
pub fn add_secret(&self, secret_name: &str) -> Result<()> {
let secret_value = Password::new("Enter the secret value:")
.with_validator(required!())
.with_display_mode(PasswordDisplayMode::Masked)
.prompt()
.with_context(|| "unable to read secret from input")?;
let h = Handle::current();
tokio::task::block_in_place(|| {
h.block_on(self.provider_ref().set_secret(secret_name, &secret_value))
})?;
println!("✓ Secret '{secret_name}' added to the vault.");
Ok(())
}
pub fn get_secret(&self, secret_name: &str, display_output: bool) -> Result<String> {
let h = Handle::current();
let secret = tokio::task::block_in_place(|| {
h.block_on(self.provider_ref().get_secret(secret_name))
})?;
if display_output {
println!("{}", secret);
}
Ok(secret)
}
pub fn update_secret(&self, secret_name: &str) -> Result<()> {
let secret_value = Password::new("Enter the secret value:")
.with_validator(required!())
.with_display_mode(PasswordDisplayMode::Masked)
.prompt()
.with_context(|| "unable to read secret from input")?;
let h = Handle::current();
tokio::task::block_in_place(|| {
h.block_on(
self.provider_ref()
.update_secret(secret_name, &secret_value),
)
})?;
println!("✓ Secret '{secret_name}' updated in the vault.");
Ok(())
}
pub fn delete_secret(&self, secret_name: &str) -> Result<()> {
let h = Handle::current();
tokio::task::block_in_place(|| h.block_on(self.provider_ref().delete_secret(secret_name)))?;
println!("✓ Secret '{secret_name}' deleted from the vault.");
Ok(())
}
pub fn list_secrets(&self, display_output: bool) -> Result<Vec<String>> {
let h = Handle::current();
let secrets =
tokio::task::block_in_place(|| h.block_on(self.provider_ref().list_secrets()))?;
if display_output {
if secrets.is_empty() {
println!("The vault is empty.");
} else {
for key in &secrets {
println!("{}", key);
}
}
}
Ok(secrets)
}
pub fn auth_hint(&self) -> Option<&'static str> {
match &self.provider {
SupportedProvider::AwsSecretsManager { .. } => Some(
"Try `aws sso login` (for SSO setups) or `aws configure` (for static keys), then retry.",
),
SupportedProvider::GcpSecretManager { .. } => {
Some("Try `gcloud auth application-default login`, then retry.")
}
SupportedProvider::AzureKeyVault { .. } => Some("Try `az login`, then retry."),
SupportedProvider::Gopass { .. } => {
Some("Make sure `gopass init` has been run and `gopass` is on your PATH.")
}
SupportedProvider::OnePassword { .. } => Some("Try `op signin`, then retry."),
SupportedProvider::Local { .. } => None,
}
}
pub fn validate_round_trip(&self) -> Result<()> {
const PROBE_VALUE: &str = "ok";
let probe_key = format!("coyote-setup-probe-{}", Uuid::new_v4().simple());
let h = Handle::current();
let result: Result<()> = tokio::task::block_in_place(|| {
h.block_on(async {
self.provider_ref()
.set_secret(&probe_key, PROBE_VALUE)
.await
.with_context(|| "vault write probe failed")?;
let got = self
.provider_ref()
.get_secret(&probe_key)
.await
.with_context(|| "vault read probe failed")?;
if got != PROBE_VALUE {
if let Err(cleanup_err) = self.provider_ref().delete_secret(&probe_key).await {
warn!("vault probe cleanup failed for key '{probe_key}': {cleanup_err}");
}
bail!("vault read probe returned an unexpected value");
}
self.provider_ref()
.delete_secret(&probe_key)
.await
.with_context(|| "vault delete probe failed")?;
Ok(())
})
});
result.with_context(|| {
let base = "Vault validation failed. Check that your credentials have permission to create, read, and delete secrets in the configured backend.";
match self.auth_hint() {
Some(hint) => format!("{base}\n\nHint: {hint}"),
None => base.to_string(),
}
})?;
println!("✓ Vault validation succeeded.");
Ok(())
}
pub fn handle_vault_flags(cli: Cli, vault: &Vault) -> Result<()> {
if let Some(secret_name) = cli.add_secret {
vault.add_secret(&secret_name)?;
}
if let Some(secret_name) = cli.get_secret {
vault.get_secret(&secret_name, true)?;
}
if let Some(secret_name) = cli.update_secret {
vault.update_secret(&secret_name)?;
}
if let Some(secret_name) = cli.delete_secret {
vault.delete_secret(&secret_name)?;
}
if cli.list_secrets {
vault.list_secrets(true)?;
}
Ok(())
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn secret_re_matches_double_braces() {
let captures = SECRET_RE.captures("{{MY_SECRET}}").unwrap().unwrap();
assert_eq!(&captures[1], "MY_SECRET");
}
#[test]
fn secret_re_matches_with_surrounding_text() {
let text = "key={{API_KEY}} here";
let captures = SECRET_RE.captures(text).unwrap().unwrap();
assert_eq!(&captures[1], "API_KEY");
}
#[test]
fn secret_re_no_match_single_braces() {
let result = SECRET_RE.captures("{NOT_SECRET}").unwrap();
assert!(result.is_none());
}
#[test]
fn secret_re_no_match_plain_text() {
let result = SECRET_RE.captures("just plain text").unwrap();
assert!(result.is_none());
}
#[test]
fn secret_re_matches_with_spaces() {
let captures = SECRET_RE.captures("{{ SPACED }}").unwrap().unwrap();
assert_eq!(&captures[1], " SPACED ");
}
#[test]
fn vault_default_creates_instance() {
let vault = Vault::default();
assert!(vault.local_password_file().is_err());
}
}