Dark-Alex-17/gman
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Full local password management support

Browse Source
This commit is contained in:
Alex Clarke
2025-09-08 15:13:13 -06:00
parent e4f983618f
commit 8ac9ca40df
11 changed files with 3329 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+5
View File
@@ -0,0 +1,5 @@
/target
/.idea/
/.scannerwork/
/.act/
gman.iml
Cargo.lock
Generated
+2232
View File
File diff suppressed because it is too large Load Diff
Cargo.toml
+47
View File
@@ -0,0 +1,47 @@
[package]
name = "gman"
version = "0.1.0"
edition = "2024"
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
description = "Universal credential management CLI"
keywords = ["cli", "secrets", "credentials", "passwords"]
documentation = "https://github.com/Dark-Alex-17/gman"
repository = "https://github.com/Dark-Alex-17/gman"
homepage = "https://github.com/Dark-Alex-17/gman"
readme = "README.md"
license = "MIT"
rust-version = "1.89.0"
exclude = [".github", "CONTRIBUTING.md", "*.log", "tags"]
[dependencies]
anyhow = "1.0.99"
argon2 = "0.5.3"
backtrace = "0.3.75"
base64 = "0.22.1"
chacha20poly1305 = { version = "0.10.1", features = ["std"] }
clap = { version = "4.5.47", features = ["cargo", "derive", "env", "wrap_help"] }
clap_complete = "4.5.57"
confy = { version = "1.0.0", default-features = false, features = ["yaml_conf"] }
crossterm = "0.29.0"
dirs = "6.0.0"
human-panic = "2.0.3"
log = "0.4.28"
log4rs = "1.4.0"
rpassword = "7.4.0"
secrecy = "0.10.3"
validator = { version = "0.20.0", features = ["derive"] }
zeroize = "1.8.1"
serde = { version = "1.0.219", features = ["derive"] }
heck = "0.5.0"
thiserror = "2.0.16"
serde_with = "3.14.0"
serde_json = "1.0.143"
[[bin]]
bench = false
name = "gman"
[profile.release]
lto = true
strip = true
opt-level = "z"
README.md
+149 -1
View File
@@ -1,2 +1,150 @@
# gman # gman
Universal credential management CLI A universal credential management CLI with a unified interface for all your secret providers.
`gman` provides a single, consistent set of commands to manage secrets, whether they are stored in a secure local vault or any other supported provider. Switch between providers on the fly, script interactions with JSON output, and manage your secrets with ease.
## Features
- **Secure Local Storage**: Out-of-the-box support for a local vault (`~/.config/gman/vault.yml`) with strong encryption using **Argon2id** for key derivation and **XChaCha20-Poly1305** for authenticated encryption.
- **Unified Interface**: A consistent command set (`add`, `get`, `list`, etc.) for every supported provider.
- **Provider Selection**: Explicitly choose a provider for a command using the `--provider` flag.
- **Flexible Output**: Get secrets in plaintext for scripting, structured `json` for applications, or human-readable text.
- **Password Management**: For local secret storage: securely prompts for the vault password. For automation, a password can be supplied via a `~/.gman_password` file, similar to Ansible Vault.
- **Shell Completions**: Generate completion scripts for Bash, Zsh, Fish, and other shells.
- **Standardized Naming**: Secret names are automatically converted to `snake_case` to ensure consistency.
## Installation
Ensure you have Rust and Cargo installed. Then, clone the repository and install the binary:
```sh
git clone https://github.com/Dark-Alex-17/gman.git
cd gman
cargo install --path .
```
## Configuration
`gman` is configured through a YAML file located at `~/.config/gman/config.yml`.
A default configuration is created automatically. Here is an example:
```yaml
# ~/.config/gman/config.yml
---
provider: local
password_file: null # Can be set to a path like /home/user/.gman_password
```
### Vault File
For the `local` provider, secrets are stored in an encrypted vault file at `~/.config/gman/vault.yml`. This file should not be edited manually.
### Password File
To avoid being prompted for a password with every command, you can create a file at `~/.gman_password` containing your vault password. `gman` will automatically detect and use this file if it exists.
```sh
# Create the password file with the correct permissions
echo "your-super-secret-password" > ~/.gman_password
chmod 600 ~/.gman_password
```
## Usage
`gman` uses simple commands to manage secrets. Secret values are passed via `stdin`.
### Commands
**1. Add a Secret**
To add a new secret, use the `add` command. You will be prompted to enter the secret value, followed by `Ctrl-D` to save.
```sh
gman add my_api_key
```
```
Enter the text to encrypt, then press Ctrl-D twice to finish input
this-is-my-secret-api-key
^D
✓ Secret 'my_api_key' added to the vault.
```
You can also pipe the value directly:
```sh
echo "this-is-my-secret-api-key" | gman add my_api_key
```
**2. Get a Secret**
Retrieve a secret's plaintext value with the `get` command.
```sh
gman get my_api_key
```
```
this-is-my-secret-api-key
```
**3. Get a Secret as JSON**
Use the `--output json` flag to get the secret in a structured format.
```sh
gman get my_api_key --output json
```
```
{
"my_api_key": "this-is-my-secret-api-key"
}
```
**4. List Secrets**
List the names of all secrets in the vault.
```sh
gman list
```
```
Secrets in the vault:
- my_api_key
- another_secret
```
**5. Update a Secret**
Update an existing secret's value.
```sh
echo "new-secret-value" | gman update my_api_key
```
```
✓ Secret 'my_api_key' updated in the vault.
```
**6. Delete a Secret**
Remove a secret from the vault.
```sh
gman delete my_api_key
```
```
✓ Secret 'my_api_key' deleted from the vault.
```
**7. Generate Shell Completions**
Create a completion script for your shell to enable auto-complete for commands and arguments.
```sh
# For Bash
gman completions bash > /etc/bash_completion.d/gman
# For Zsh
gman completions zsh > /usr/local/share/zsh/site-functions/_gman
```
## Creator
* [Alex Clarke](https://github.com/Dark-Alex-17)
rustfmt.toml
+10
View File
@@ -0,0 +1,10 @@
tab_spaces=4
edition = "2021"
reorder_imports = true
imports_granularity = "Crate"
group_imports = "StdExternalCrate"
reorder_modules = true
merge_derives = true
use_field_init_shorthand = true
format_macro_matchers = true
format_macro_bodies = true
src/bin/gman/main.rs
+278
View File
@@ -0,0 +1,278 @@
use clap::{
CommandFactory, Parser, ValueEnum, crate_authors, crate_description, crate_name, crate_version,
};
use anyhow::{Context, Result};
use clap::Subcommand;
use crossterm::execute;
use crossterm::terminal::{LeaveAlternateScreen, disable_raw_mode};
use gman::config::Config;
use gman::providers::SupportedProvider;
use gman::providers::local::LocalProvider;
use heck::ToSnakeCase;
use std::io::{self, IsTerminal, Read, Write};
use std::panic;
use std::panic::PanicHookInfo;
mod utils;
#[derive(Debug, Clone, ValueEnum)]
enum OutputFormat {
Text,
Json,
}
#[derive(Debug, Clone, ValueEnum)]
#[clap(rename_all = "lower")]
pub enum ProviderKind {
Local,
}
impl From<ProviderKind> for SupportedProvider {
fn from(k: ProviderKind) -> Self {
match k {
ProviderKind::Local => SupportedProvider::Local(LocalProvider::default()),
}
}
}
#[derive(Debug, Parser)]
#[command(
name = crate_name!(),
author = crate_authors!(),
version = crate_version!(),
about = crate_description!(),
help_template = "\
{before-help}{name} {version}
{author-with-newline}
{about-with-newline}
{usage-heading} {usage}
{all-args}{after-help}"
)]
struct Cli {
/// Specify the output format
#[arg(short, long, value_enum)]
output: Option<OutputFormat>,
/// Specify the secret provider to use (defaults to 'provider' in config or 'local')
#[arg(long, value_enum)]
provider: Option<ProviderKind>,
#[command(subcommand)]
command: Commands,
}
#[derive(Subcommand, Debug)]
enum Commands {
/// Add a secret to the configured secret provider
Add {
/// Name of the secret to store
name: String,
},
/// Decrypt a secret and print the plaintext
Get {
/// Name of the secret to retrieve
name: String,
},
/// Update an existing secret in the configured secret provider
Update {
/// Name of the secret to update
name: String,
},
/// Delete a secret from the configured secret provider
Delete {
/// Name of the secret to delete
name: String,
},
/// List all secrets stored in the configured secret provider
List {},
/// Generate shell completion scripts
Completions {
/// The shell to generate the script for
#[arg(value_enum)]
shell: clap_complete::Shell,
},
}
fn main() -> Result<()> {
log4rs::init_config(utils::init_logging_config())?;
panic::set_hook(Box::new(|info| {
panic_hook(info);
}));
let cli = Cli::parse();
let config = load_config(&cli)?;
let secrets_provider = config.extract_provider();
match cli.command {
Commands::Add { name } => {
let plaintext =
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
let snake_case_name = name.to_snake_case();
secrets_provider
.set_secret(&config, &snake_case_name, plaintext.trim_end())
.map(|_| match cli.output {
Some(_) => (),
None => println!("✓ Secret '{snake_case_name}' added to the vault."),
})?;
}
Commands::Get { name } => {
let snake_case_name = name.to_snake_case();
secrets_provider
.get_secret(&config, &snake_case_name)
.map(|secret| match cli.output {
Some(OutputFormat::Json) => {
let json_output = serde_json::json!({
snake_case_name: secret
});
println!(
"{}",
serde_json::to_string_pretty(&json_output)
.expect("failed to serialize secret to JSON")
);
}
Some(OutputFormat::Text) | None => {
println!("{}", secret);
}
})?;
}
Commands::Update { name } => {
let plaintext =
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
let snake_case_name = name.to_snake_case();
secrets_provider
.update_secret(&config, &snake_case_name, plaintext.trim_end())
.map(|_| match cli.output {
Some(_) => (),
None => println!("✓ Secret '{snake_case_name}' updated in the vault."),
})?;
}
Commands::Delete { name } => {
let snake_case_name = name.to_snake_case();
secrets_provider
.delete_secret(&snake_case_name)
.map(|_| match cli.output {
None => println!("✓ Secret '{snake_case_name}' deleted from the vault."),
Some(_) => (),
})?;
}
Commands::List {} => {
let secrets = secrets_provider.list_secrets()?;
if secrets.is_empty() {
match cli.output {
Some(OutputFormat::Json) => {
let json_output = serde_json::json!([]);
println!("{}", serde_json::to_string_pretty(&json_output)?);
}
Some(OutputFormat::Text) => (),
None => println!("The vault is empty."),
}
} else {
match cli.output {
Some(OutputFormat::Json) => {
let json_output = serde_json::json!(secrets);
println!("{}", serde_json::to_string_pretty(&json_output)?);
return Ok(());
}
Some(OutputFormat::Text) => {
for key in &secrets {
println!("- {}", key);
}
}
None => {
println!("Secrets in the vault:");
for key in &secrets {
println!("- {}", key);
}
}
}
}
}
Commands::Completions { shell } => {
let mut cmd = Cli::command();
let bin_name = cmd.get_name().to_string();
clap_complete::generate(shell, &mut cmd, bin_name, &mut io::stdout());
}
}
Ok(())
}
fn load_config(cli: &Cli) -> Result<Config> {
let mut config: Config = confy::load("gman", "config")?;
if let Some(local_password_file) = Config::local_provider_password_file() {
config.password_file = Some(local_password_file);
}
if let Some(provider_kind) = &cli.provider {
let provider: SupportedProvider = provider_kind.clone().into();
config.provider = provider.into();
}
Ok(config)
}
fn read_all_stdin() -> Result<String> {
if io::stdin().is_terminal() {
#[cfg(not(windows))]
eprintln!("Enter the text to encrypt, then press Ctrl-D twice to finish input");
#[cfg(windows)]
eprintln!("Enter the text to encrypt, then press Ctrl-Z to finish input");
io::stderr().flush()?;
}
let mut buf = String::new();
let stdin_tty = io::stdin().is_terminal();
let stdout_tty = io::stdout().is_terminal();
io::stdin().read_to_string(&mut buf)?;
if stdin_tty && stdout_tty && !buf.ends_with('\n') {
let mut out = io::stdout().lock();
out.write_all(b"\n")?;
out.flush()?;
}
Ok(buf)
}
#[cfg(debug_assertions)]
fn panic_hook(info: &PanicHookInfo<'_>) {
use backtrace::Backtrace;
use crossterm::style::Print;
let location = info.location().unwrap();
let msg = match info.payload().downcast_ref::<&'static str>() {
Some(s) => *s,
None => match info.payload().downcast_ref::<String>() {
Some(s) => &s[..],
None => "Box<Any>",
},
};
let stacktrace: String = format!("{:?}", Backtrace::new()).replace('\n', "\n\r");
disable_raw_mode().unwrap();
execute!(
io::stdout(),
LeaveAlternateScreen,
Print(format!(
"thread '<unnamed>' panicked at '{msg}', {location}\n\r{stacktrace}"
)),
)
.unwrap();
}
#[cfg(not(debug_assertions))]
fn panic_hook(info: &PanicHookInfo<'_>) {
use human_panic::{handle_dump, metadata, print_msg};
let meta = metadata!();
let file_path = handle_dump(&meta, info);
disable_raw_mode().unwrap();
execute!(io::stdout(), LeaveAlternateScreen).unwrap();
print_msg(file_path, &meta).expect("human-panic: printing error message to console failed");
}
src/bin/gman/utils.rs
+43
View File
@@ -0,0 +1,43 @@
use std::fs;
use std::path::PathBuf;
use log4rs::append::file::FileAppender;
use log4rs::config::{Appender, Root};
use log4rs::encode::pattern::PatternEncoder;
use log::LevelFilter;
pub fn init_logging_config() -> log4rs::Config {
let logfile = FileAppender::builder()
.encoder(Box::new(PatternEncoder::new(
"{d(%Y-%m-%d %H:%M:%S%.3f)(utc)} <{i}> [{l}] {f}:{L} - {m}{n}",
)))
.build(get_log_path())
.unwrap();
log4rs::Config::builder()
.appender(Appender::builder().build("logfile", Box::new(logfile)))
.build(
Root::builder()
.appender("logfile")
.build(LevelFilter::Debug),
)
.unwrap()
}
pub fn get_log_path() -> PathBuf {
let mut log_path = if cfg!(target_os = "linux") {
dirs::cache_dir().unwrap_or_else(|| PathBuf::from("~/.cache"))
} else if cfg!(target_os = "macos") {
dirs::home_dir().unwrap().join("Library/Logs")
} else {
dirs::data_local_dir().unwrap_or_else(|| PathBuf::from("C:\\Logs"))
};
log_path.push("gman");
if let Err(e) = fs::create_dir_all(&log_path) {
eprintln!("Failed to create log directory: {e:?}");
}
log_path.push("gman.log");
log_path
}
src/config.rs
+46
View File
@@ -0,0 +1,46 @@
use crate::providers::{SecretProvider, SupportedProvider};
use serde::{Deserialize, Serialize};
use serde_with::DisplayFromStr;
use serde_with::serde_as;
use std::path::PathBuf;
use log::{debug};
use validator::Validate;
#[serde_as]
#[derive(Debug, Validate, Serialize, Deserialize)]
pub struct Config {
#[serde_as(as = "DisplayFromStr")]
pub provider: SupportedProvider,
pub password_file: Option<PathBuf>,
}
impl Default for Config {
fn default() -> Self {
Self {
provider: SupportedProvider::Local(Default::default()),
password_file: Config::local_provider_password_file(),
}
}
}
impl Config {
pub fn extract_provider(&self) -> Box<&dyn SecretProvider> {
match &self.provider {
SupportedProvider::Local(p) => {
debug!("Using local secret provider");
Box::new(p)
}
}
}
pub fn local_provider_password_file() -> Option<PathBuf> {
let mut path = dirs::home_dir().map(|p| p.join(".gman_password"));
if let Some(p) = &path {
if !p.exists() {
path = None;
}
}
path
}
}
src/lib.rs
+197
View File
@@ -0,0 +1,197 @@
use anyhow::{anyhow, bail, Context, Result};
use argon2::{
password_hash::{rand_core::RngCore, SaltString},
Algorithm, Argon2, Params, PasswordHasher, Version,
};
use base64::{engine::general_purpose::STANDARD as B64, Engine as _};
use chacha20poly1305::{
aead::{Aead, KeyInit, OsRng},
Key, XChaCha20Poly1305, XNonce,
};
use secrecy::{ExposeSecret, SecretString};
use zeroize::Zeroize;
pub mod providers;
pub mod config;
pub (in crate) const HEADER: &str = "$VAULT";
pub (in crate) const VERSION: &str = "v1";
pub (in crate) const KDF: &str = "argon2id";
pub (in crate) const ARGON_M_COST_KIB: u32 = 19_456;
pub (in crate) const ARGON_T_COST: u32 = 2;
pub (in crate) const ARGON_P: u32 = 1;
pub (in crate) const SALT_LEN: usize = 16;
pub (in crate) const NONCE_LEN: usize = 24;
pub (in crate) const KEY_LEN: usize = 32;
fn derive_key(password: &SecretString, salt: &SaltString) -> Result<(Key, String)> {
let params = Params::new(ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P, Some(KEY_LEN))
.map_err(|e| anyhow!("argon2 params error: {:?}", e))?;
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
let phc = argon
.hash_password(password.expose_secret().as_bytes(), salt)
.map_err(|e| anyhow!("argon2 hash error: {:?}", e))?
.to_string();
let mut key_bytes = [0u8; KEY_LEN];
argon
.hash_password_into(
password.expose_secret().as_bytes(),
salt.to_string().as_bytes(),
&mut key_bytes,
)
.map_err(|e| anyhow!("argon2 into error: {:?}", e))?;
key_bytes.zeroize();
let key = Key::from_slice(&key_bytes);
Ok((*key, phc))
}
pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Result<String> {
let password = password.into();
let salt = SaltString::generate(&mut OsRng);
let mut nonce_bytes = [0u8; NONCE_LEN];
OsRng.fill_bytes(&mut nonce_bytes);
let (key, _phc) = derive_key(&password, &salt)?;
let cipher = XChaCha20Poly1305::new(&key);
let aad = format!("{};{}", HEADER, VERSION);
let nonce = XNonce::from_slice(&nonce_bytes);
let mut pt = plaintext.as_bytes().to_vec();
let ct = cipher
.encrypt(
nonce,
chacha20poly1305::aead::Payload {
msg: &pt,
aad: aad.as_bytes(),
},
)
.map_err(|_| anyhow!("encryption failed"))?;
pt.zeroize();
let env = format!(
"{};{};{};m={m},t={t},p={p};salt={salt};nonce={nonce};ct={ct}",
HEADER,
VERSION,
KDF,
m = ARGON_M_COST_KIB,
t = ARGON_T_COST,
p = ARGON_P,
salt = B64.encode(salt.to_string().as_bytes()),
nonce = B64.encode(nonce_bytes),
ct = B64.encode(&ct),
);
drop(cipher);
let _ = key;
nonce_bytes.zeroize();
Ok(env)
}
pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Result<String> {
let password = password.into();
let parts: Vec<&str> = envelope.split(';').collect();
if parts.len() < 7 {
bail!("invalid envelope format");
}
if parts[0] != HEADER {
bail!("unexpected header");
}
if parts[1] != VERSION {
bail!("unsupported version {}", parts[1]);
}
if parts[2] != KDF {
bail!("unsupported kdf {}", parts[2]);
}
let params_str = parts[3];
let mut m = ARGON_M_COST_KIB;
let mut t = ARGON_T_COST;
let mut p = ARGON_P;
for kv in params_str.split(',') {
if let Some((k, v)) = kv.split_once('=') {
match k {
"m" => m = v.parse().unwrap_or(m),
"t" => t = v.parse().unwrap_or(t),
"p" => p = v.parse().unwrap_or(p),
_ => {}
}
}
}
let salt_b64 = parts[4].strip_prefix("salt=").context("missing salt")?;
let nonce_b64 = parts[5].strip_prefix("nonce=").context("missing nonce")?;
let ct_b64 = parts[6].strip_prefix("ct=").context("missing ct")?;
let salt_bytes = B64.decode(salt_b64).context("bad salt b64")?;
let mut nonce_bytes = B64.decode(nonce_b64).context("bad nonce b64")?;
let mut ct = B64.decode(ct_b64).context("bad ct b64")?;
if nonce_bytes.len() != NONCE_LEN {
bail!("nonce length mismatch");
}
let params =
Params::new(m, t, p, Some(KEY_LEN)).map_err(|e| anyhow!("argon2 params error: {:?}", e))?;
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
let mut key_bytes = [0u8; KEY_LEN];
argon
.hash_password_into(
password.expose_secret().as_bytes(),
&salt_bytes,
&mut key_bytes,
)
.map_err(|e| anyhow!("argon2 derive error: {:?}", e))?;
let key_clone = key_bytes;
let key = Key::from_slice(&key_clone);
key_bytes.zeroize();
let cipher = XChaCha20Poly1305::new(key);
let aad = format!("{};{}", HEADER, VERSION);
let nonce = XNonce::from_slice(&nonce_bytes);
let pt = cipher
.decrypt(
nonce,
chacha20poly1305::aead::Payload {
msg: &ct,
aad: aad.as_bytes(),
},
)
.map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
nonce_bytes.zeroize();
ct.zeroize();
let s = String::from_utf8(pt).context("plaintext not valid UTF-8")?;
Ok(s)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn round_trip() {
let pw = SecretString::new("correct horse battery staple".into());
let msg = "swordfish";
let env = encrypt_string(pw.clone(), msg).unwrap();
let out = decrypt_string(pw, &env).unwrap();
assert_eq!(msg, out);
}
#[test]
fn wrong_password_fails() {
let env = encrypt_string(SecretString::new("pw1".into()), "hello").unwrap();
assert!(decrypt_string(SecretString::new("pw2".into()), &env).is_err());
}
}
src/providers/local.rs
+274
View File
@@ -0,0 +1,274 @@
use anyhow::{Context, anyhow, bail};
use secrecy::{ExposeSecret, SecretString};
use std::collections::HashMap;
use std::fs;
use zeroize::Zeroize;
use crate::config::Config;
use crate::providers::SecretProvider;
use crate::{
ARGON_M_COST_KIB, ARGON_P, ARGON_T_COST, HEADER, KDF, KEY_LEN, NONCE_LEN, SALT_LEN, VERSION,
};
use anyhow::Result;
use argon2::{Algorithm, Argon2, Params, Version};
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
use chacha20poly1305::aead::rand_core::RngCore;
use chacha20poly1305::{
Key, XChaCha20Poly1305, XNonce,
aead::{Aead, KeyInit, OsRng},
};
use log::{debug, error};
use serde::Deserialize;
#[derive(Debug, Clone)]
pub struct LocalProviderConfig {
pub vault_path: String,
}
impl Default for LocalProviderConfig {
fn default() -> Self {
Self {
vault_path: dirs::home_dir()
.map(|p| p.join(".gman_vault"))
.and_then(|p| p.to_str().map(|s| s.to_string()))
.unwrap_or_else(|| ".gman_vault".into()),
}
}
}
#[derive(Debug, Default, Deserialize)]
pub struct LocalProvider;
impl SecretProvider for LocalProvider {
fn get_secret(&self, config: &Config, key: &str) -> Result<String> {
let vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
let envelope = vault
.get(key)
.with_context(|| format!("key '{key}' not found in the vault"))?;
let password = get_password(&config)?;
let plaintext = decrypt_string(&password, envelope)?;
drop(password);
Ok(plaintext)
}
fn set_secret(&self, config: &Config, key: &str, value: &str) -> Result<()> {
let mut vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
if vault.contains_key(key) {
error!(
"Key '{key}' already exists in the vault. Use a different key or delete the existing one first."
);
bail!("key '{key}' already exists");
}
let password = get_password(&config)?;
let envelope = encrypt_string(&password, value)?;
drop(password);
vault.insert(key.to_string(), envelope);
confy::store("gman", "vault", vault)
.with_context(|| "failed to save secret to the vault")
}
fn update_secret(&self, config: &Config, key: &str, value: &str) -> Result<()> {
let mut vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
let password = get_password(&config)?;
let envelope = encrypt_string(&password, value)?;
drop(password);
if vault.contains_key(key) {
debug!("Key '{key}' exists in vault. Overwriting previous value");
let vault_entry = vault
.get_mut(key)
.with_context(|| format!("key '{key}' not found in the vault"))?;
*vault_entry = envelope;
return Ok(());
}
vault.insert(key.to_string(), envelope);
confy::store("gman", "vault", vault).with_context(|| "failed to save secret to the vault")
}
fn delete_secret(&self, key: &str) -> Result<()> {
let mut vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
if !vault.contains_key(key) {
error!("Key '{key}' does not exist in the vault.");
bail!("key '{key}' does not exist");
}
vault.remove(key);
confy::store("gman", "vault", vault).with_context(|| "failed to save secret to the vault")
}
fn list_secrets(&self) -> Result<Vec<String>> {
let vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
let keys: Vec<String> = vault.keys().cloned().collect();
Ok(keys)
}
}
fn encrypt_string(password: &SecretString, plaintext: &str) -> Result<String> {
let mut salt = [0u8; SALT_LEN];
OsRng.fill_bytes(&mut salt);
let mut nonce_bytes = [0u8; NONCE_LEN];
OsRng.fill_bytes(&mut nonce_bytes);
let key = derive_key(password, &salt)?;
let cipher = XChaCha20Poly1305::new(&key);
let aad = format!("{};{}", HEADER, VERSION);
let nonce = XNonce::from_slice(&nonce_bytes);
let mut pt = plaintext.as_bytes().to_vec();
let ct = cipher
.encrypt(
nonce,
chacha20poly1305::aead::Payload {
msg: &pt,
aad: aad.as_bytes(),
},
)
.map_err(|_| anyhow!("encryption failed"))?;
pt.zeroize();
let env = format!(
"{};{};{};m={m},t={t},p={p};salt={salt};nonce={nonce};ct={ct}",
HEADER,
VERSION,
KDF,
m = ARGON_M_COST_KIB,
t = ARGON_T_COST,
p = ARGON_P,
salt = B64.encode(salt),
nonce = B64.encode(nonce_bytes),
ct = B64.encode(&ct),
);
drop(cipher);
salt.zeroize();
nonce_bytes.zeroize();
Ok(env)
}
fn derive_key_with_params(
password: &SecretString,
salt: &[u8],
m_cost: u32,
t_cost: u32,
p: u32,
) -> Result<Key> {
let params = Params::new(m_cost, t_cost, p, Some(KEY_LEN))
.map_err(|e| anyhow!("argon2 params error: {:?}", e))?;
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
let mut key_bytes = [0u8; KEY_LEN];
argon
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
.map_err(|e| anyhow!("argon2 derive error: {:?}", e))?;
key_bytes.zeroize();
let key = Key::from_slice(&key_bytes);
Ok(*key)
}
fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
derive_key_with_params(password, salt, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P)
}
fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
let parts: Vec<&str> = envelope.trim().split(';').collect();
if parts.len() < 7 {
debug!("Invalid envelope format: {:?}", parts);
bail!("invalid envelope format");
}
if parts[0] != HEADER {
debug!("Invalid header: {}", parts[0]);
bail!("unexpected header");
}
if parts[1] != VERSION {
debug!("Unsupported version: {}", parts[1]);
bail!("unsupported version {}", parts[1]);
}
if parts[2] != KDF {
debug!("Unsupported kdf: {}", parts[2]);
bail!("unsupported kdf {}", parts[2]);
}
let params_str = parts[3];
let mut m = ARGON_M_COST_KIB;
let mut t = ARGON_T_COST;
let mut p = ARGON_P;
for kv in params_str.split(',') {
if let Some((k, v)) = kv.split_once('=') {
match k {
"m" => m = v.parse().unwrap_or(m),
"t" => t = v.parse().unwrap_or(t),
"p" => p = v.parse().unwrap_or(p),
_ => {}
}
}
}
let salt_b64 = parts[4]
.strip_prefix("salt=")
.with_context(|| "missing salt")?;
let nonce_b64 = parts[5]
.strip_prefix("nonce=")
.with_context(|| "missing nonce")?;
let ct_b64 = parts[6].strip_prefix("ct=").with_context(|| "missing ct")?;
let mut salt = B64.decode(salt_b64).with_context(|| "bad salt b64")?;
let mut nonce_bytes = B64.decode(nonce_b64).with_context(|| "bad nonce b64")?;
let mut ct = B64.decode(ct_b64).with_context(|| "bad ct b64")?;
if salt.len() != SALT_LEN || nonce_bytes.len() != NONCE_LEN {
debug!(
"Salt/nonce length mismatch: salt {}, nonce {}",
salt.len(),
nonce_bytes.len()
);
bail!("salt/nonce length mismatch");
}
let key = derive_key_with_params(password, &salt, m, t, p)?;
let cipher = XChaCha20Poly1305::new(&key);
let aad = format!("{};{}", HEADER, VERSION);
let nonce = XNonce::from_slice(&nonce_bytes);
let pt = cipher
.decrypt(
nonce,
chacha20poly1305::aead::Payload {
msg: &ct,
aad: aad.as_bytes(),
},
)
.map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
salt.zeroize();
nonce_bytes.zeroize();
ct.zeroize();
let s = String::from_utf8(pt).with_context(|| "plaintext not valid UTF-8")?;
Ok(s)
}
fn get_password(config: &Config) -> Result<SecretString> {
if let Some(password_file) = &config.password_file {
let password = SecretString::new(
fs::read_to_string(&password_file)
.with_context(|| format!("failed to read password file {:?}", password_file))?
.trim()
.to_string()
.into(),
);
Ok(password)
} else {
let password = rpassword::prompt_password("\nPassword: ")?;
Ok(SecretString::new(password.into()))
}
}
src/providers/mod.rs
+48
View File
@@ -0,0 +1,48 @@
pub mod local;
use crate::config::Config;
use crate::providers::local::LocalProvider;
use anyhow::Result;
use serde::{Deserialize};
use std::fmt::{Display, Formatter};
use std::str::FromStr;
use thiserror::Error;
pub trait SecretProvider {
fn get_secret(&self, config: &Config, key: &str) -> Result<String>;
fn set_secret(&self, config: &Config, key: &str, value: &str) -> Result<()>;
fn update_secret(&self, config: &Config, key: &str, value: &str) -> Result<()>;
fn delete_secret(&self, key: &str) -> Result<()>;
fn list_secrets(&self) -> Result<Vec<String>>;
// fn sync(&self, config: &config) -> Result<()>;
}
#[derive(Debug, Error)]
pub enum ParseProviderError {
#[error("unsupported provider '{0}'")]
Unsupported(String),
}
#[derive(Debug, Deserialize)]
pub enum SupportedProvider {
Local(LocalProvider),
}
impl FromStr for SupportedProvider {
type Err = ParseProviderError;
fn from_str(s: &str) -> Result<Self, Self::Err> {
match s.trim().to_lowercase().as_str() {
"local" => Ok(SupportedProvider::Local(LocalProvider)),
_ => Err(ParseProviderError::Unsupported(s.to_string())),
}
}
}
impl Display for SupportedProvider {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
match self {
SupportedProvider::Local(_) => write!(f, "local"),
}
}
}