5 Commits

Author SHA1 Message Date
Dark-Alex-17 fbf88ec144 fmt: applied formatting
Check / stable / fmt (push) Failing after 24s
Check / beta / clippy (push) Failing after 44s
Check / stable / clippy (push) Failing after 43s
Check / nightly / doc (push) Failing after 42s
Check / 1.89.0 / check (push) Failing after 44s
Test Suite / ubuntu / beta (push) Failing after 43s
Test Suite / ubuntu / stable (push) Failing after 45s
Test Suite / ubuntu / stable / coverage (push) Failing after 1m16s
Test Suite / macos-latest / stable (push) Has been cancelled
Test Suite / windows-latest / stable (push) Has been cancelled
2026-06-23 14:06:46 -06:00
Dark-Alex-17 117b1a24b3 build: updated dependencies
Check / stable / fmt (push) Failing after 24s
Check / beta / clippy (push) Failing after 42s
Check / stable / clippy (push) Failing after 43s
Check / nightly / doc (push) Failing after 42s
Check / 1.89.0 / check (push) Failing after 43s
Test Suite / ubuntu / beta (push) Failing after 44s
Test Suite / ubuntu / stable (push) Failing after 44s
Test Suite / ubuntu / stable / coverage (push) Failing after 1m16s
Test Suite / macos-latest / stable (push) Has been cancelled
Test Suite / windows-latest / stable (push) Has been cancelled
2026-06-23 13:16:00 -06:00
Dark-Alex-17 30fdebc810 fix: support Jinja-style whitespace inside {{}} when specifying secret names in files
Check / stable / fmt (push) Failing after 24s
Check / beta / clippy (push) Failing after 42s
Check / stable / clippy (push) Failing after 43s
Check / nightly / doc (push) Failing after 41s
Check / 1.89.0 / check (push) Failing after 43s
Test Suite / ubuntu / beta (push) Failing after 44s
Test Suite / ubuntu / stable (push) Failing after 44s
Test Suite / ubuntu / stable / coverage (push) Failing after 1m18s
Test Suite / macos-latest / stable (push) Has been cancelled
Test Suite / windows-latest / stable (push) Has been cancelled
2026-06-23 13:15:36 -06:00
github-actions[bot] 14bd1a9e53 bump: version 0.4.1 → 0.5.0 [skip ci] 2026-06-02 18:32:13 +00:00
Dark-Alex-17 74f25445ce style: applied uniform formatting across library code
Check / stable / fmt (push) Failing after 24s
Check / beta / clippy (push) Failing after 42s
Check / stable / clippy (push) Failing after 41s
Check / nightly / doc (push) Failing after 41s
Check / 1.89.0 / check (push) Failing after 44s
Test Suite / ubuntu / beta (push) Failing after 44s
Test Suite / ubuntu / stable (push) Failing after 44s
Test Suite / ubuntu / stable / coverage (push) Failing after 1m14s
Test Suite / macos-latest / stable (push) Has been cancelled
Test Suite / windows-latest / stable (push) Has been cancelled
2026-06-02 12:22:28 -06:00
10 changed files with 288 additions and 427 deletions
+6
View File
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## v0.5.0 (2026-06-02)
### Feat
- Added typed errors to improve library DevX and removed now deprecated migrate command
## v0.4.1 (2026-03-20) ## v0.4.1 (2026-03-20)
### Feat ### Feat
Generated
+131 -368
View File
File diff suppressed because it is too large Load Diff
+1 -1
View File
@@ -1,6 +1,6 @@
[package] [package]
name = "gman" name = "gman"
version = "0.4.1" version = "0.5.0"
edition = "2024" edition = "2024"
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"] authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
description = "Universal command line secret management and injection tool" description = "Universal command line secret management and injection tool"
+81 -1
View File
@@ -167,7 +167,7 @@ fn generate_files_secret_injections(
secrets: HashMap<&str, String>, secrets: HashMap<&str, String>,
run_config: &RunConfig, run_config: &RunConfig,
) -> Result<Vec<(PathBuf, String, String)>> { ) -> Result<Vec<(PathBuf, String, String)>> {
let re = Regex::new(r"\{\{(.+)}}")?; let re = Regex::new(r"\{\{\s*(.+?)\s*}}")?;
let mut results = Vec::new(); let mut results = Vec::new();
for file in run_config for file in run_config
.files .files
@@ -358,6 +358,86 @@ mod tests {
assert_str_eq!(result[0].2, "value1"); assert_str_eq!(result[0].2, "value1");
} }
#[test]
fn test_generate_files_secret_injections_tolerates_whitespace_around_key() {
let mut secrets = HashMap::new();
secrets.insert("api/gmail/email/meli_password", "hunter2".to_string());
let temp_dir = tempfile::tempdir().unwrap();
let file_path = temp_dir.path().join("test.toml");
fs::write(
&file_path,
"server_password = \"{{ api/gmail/email/meli_password }}\"\nother = \"{{\tapi/gmail/email/meli_password\t}}\"",
)
.unwrap();
let run_config = RunConfig {
name: Some("meli".to_string()),
provider: None,
secrets: Some(vec!["api/gmail/email/meli_password".to_string()]),
files: Some(vec![file_path.clone()]),
flag: None,
flag_position: None,
arg_format: None,
};
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
assert_eq!(result.len(), 1);
assert_str_eq!(
result[0].2,
"server_password = \"hunter2\"\nother = \"hunter2\""
);
}
#[test]
fn test_generate_files_secret_injections_handles_multiple_placeholders_on_one_line() {
let mut secrets = HashMap::new();
secrets.insert("a", "alpha".to_string());
secrets.insert("b", "beta".to_string());
let temp_dir = tempfile::tempdir().unwrap();
let file_path = temp_dir.path().join("test.txt");
fs::write(&file_path, "{{a}} foo {{ b }}").unwrap();
let run_config = RunConfig {
name: Some("test".to_string()),
provider: None,
secrets: Some(vec!["a".to_string(), "b".to_string()]),
files: Some(vec![file_path.clone()]),
flag: None,
flag_position: None,
arg_format: None,
};
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
assert_eq!(result.len(), 1);
assert_str_eq!(result[0].2, "alpha foo beta");
}
#[test]
fn test_generate_files_secret_injections_leaves_unknown_keys_untouched() {
let mut secrets = HashMap::new();
secrets.insert("known", "value".to_string());
let temp_dir = tempfile::tempdir().unwrap();
let file_path = temp_dir.path().join("test.txt");
fs::write(&file_path, "{{known}} {{ unknown }}").unwrap();
let run_config = RunConfig {
name: Some("test".to_string()),
provider: None,
secrets: Some(vec!["known".to_string()]),
files: Some(vec![file_path.clone()]),
flag: None,
flag_position: None,
arg_format: None,
};
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
assert_eq!(result.len(), 1);
assert_str_eq!(result[0].2, "value {{ unknown }}");
}
#[test] #[test]
fn test_parse_args_insert_and_append() { fn test_parse_args_insert_and_append() {
let run_config = RunConfig { let run_config = RunConfig {
+8 -5
View File
@@ -4,8 +4,8 @@ use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none; use serde_with::skip_serializing_none;
use validator::Validate; use validator::Validate;
use crate::providers::error::{SecretError, classify_aws_error};
use crate::providers::SecretProvider; use crate::providers::SecretProvider;
use crate::providers::error::{SecretError, classify_aws_error};
const PROVIDER: &str = "aws_secrets_manager"; const PROVIDER: &str = "aws_secrets_manager";
@@ -120,10 +120,13 @@ impl AwsSecretsManagerProvider {
provider: PROVIDER, provider: PROVIDER,
message: "aws_region is required".to_string(), message: "aws_region is required".to_string(),
})?; })?;
let profile = self.aws_profile.clone().ok_or_else(|| SecretError::Config { let profile = self
provider: PROVIDER, .aws_profile
message: "aws_profile is required".to_string(), .clone()
})?; .ok_or_else(|| SecretError::Config {
provider: PROVIDER,
message: "aws_profile is required".to_string(),
})?;
let config = aws_config::from_env() let config = aws_config::from_env()
.region(Region::new(region)) .region(Region::new(region))
+10 -7
View File
@@ -67,9 +67,9 @@ impl SecretProvider for AzureKeyVaultProvider {
..Default::default() ..Default::default()
}; };
let body = params let body = params.try_into().map_err(|e: azure_core::Error| {
.try_into() classify_azure_error(e.into(), Some(key), "set_secret")
.map_err(|e: azure_core::Error| classify_azure_error(e.into(), Some(key), "set_secret"))?; })?;
self.get_client()? self.get_client()?
.set_secret(key, body, None) .set_secret(key, body, None)
@@ -123,10 +123,13 @@ impl AzureKeyVaultProvider {
provider: PROVIDER, provider: PROVIDER,
source: e.into(), source: e.into(),
})?; })?;
let vault_name = self.vault_name.as_ref().ok_or_else(|| SecretError::Config { let vault_name = self
provider: PROVIDER, .vault_name
message: "vault_name is required".to_string(), .as_ref()
})?; .ok_or_else(|| SecretError::Config {
provider: PROVIDER,
message: "vault_name is required".to_string(),
})?;
let client = SecretClient::new( let client = SecretClient::new(
format!("https://{}.vault.azure.net", vault_name).as_str(), format!("https://{}.vault.azure.net", vault_name).as_str(),
credential, credential,
+29 -8
View File
@@ -1,5 +1,5 @@
use std::io;
use anyhow::anyhow; use anyhow::anyhow;
use std::io;
use thiserror::Error; use thiserror::Error;
use crate::providers::git_sync::SyncError; use crate::providers::git_sync::SyncError;
@@ -105,13 +105,19 @@ pub(crate) fn classify_aws_error(
|| chain_text.contains("unauthorized") || chain_text.contains("unauthorized")
|| chain_text.contains("unrecognizedclient") || chain_text.contains("unrecognizedclient")
{ {
SecretError::AuthFailed { provider, source: err } SecretError::AuthFailed {
provider,
source: err,
}
} else if chain_text.contains("dispatch failure") } else if chain_text.contains("dispatch failure")
|| chain_text.contains("timeout") || chain_text.contains("timeout")
|| chain_text.contains("connection") || chain_text.contains("connection")
|| chain_text.contains("dns") || chain_text.contains("dns")
{ {
SecretError::Network { provider, source: err } SecretError::Network {
provider,
source: err,
}
} else { } else {
SecretError::Other(err) SecretError::Other(err)
} }
@@ -165,9 +171,15 @@ pub(crate) fn classify_gcp_error(
provider, provider,
} }
} else if chain_text.contains("unauthenticated") || chain_text.contains("permissiondenied") { } else if chain_text.contains("unauthenticated") || chain_text.contains("permissiondenied") {
SecretError::AuthFailed { provider, source: err } SecretError::AuthFailed {
provider,
source: err,
}
} else if chain_text.contains("unavailable") || chain_text.contains("deadlineexceeded") { } else if chain_text.contains("unavailable") || chain_text.contains("deadlineexceeded") {
SecretError::Network { provider, source: err } SecretError::Network {
provider,
source: err,
}
} else { } else {
SecretError::Other(err) SecretError::Other(err)
} }
@@ -185,7 +197,10 @@ pub(crate) fn classify_azure_error(
if let ErrorKind::HttpResponse { status, .. } = azure_err.kind() { if let ErrorKind::HttpResponse { status, .. } = azure_err.kind() {
let code = u16::from(*status); let code = u16::from(*status);
return match code { return match code {
401 | 403 => SecretError::AuthFailed { provider, source: err }, 401 | 403 => SecretError::AuthFailed {
provider,
source: err,
},
404 => SecretError::NotFound { 404 => SecretError::NotFound {
key: key.unwrap_or("").to_string(), key: key.unwrap_or("").to_string(),
provider, provider,
@@ -213,12 +228,18 @@ pub(crate) fn classify_azure_error(
|| chain_text.contains("403") || chain_text.contains("403")
|| chain_text.contains("authentication") || chain_text.contains("authentication")
{ {
SecretError::AuthFailed { provider, source: err } SecretError::AuthFailed {
provider,
source: err,
}
} else if chain_text.contains("timeout") } else if chain_text.contains("timeout")
|| chain_text.contains("connection") || chain_text.contains("connection")
|| chain_text.contains("dns") || chain_text.contains("dns")
{ {
SecretError::Network { provider, source: err } SecretError::Network {
provider,
source: err,
}
} else { } else {
SecretError::Other(err) SecretError::Other(err)
} }
+2 -3
View File
@@ -72,9 +72,8 @@ impl SecretProvider for GcpSecretManagerProvider {
provider: PROVIDER, provider: PROVIDER,
})?; })?;
let secret_value = payload.data.ref_sensitive_value().to_vec(); let secret_value = payload.data.ref_sensitive_value().to_vec();
let secret_string = String::from_utf8(secret_value).map_err(|_| { let secret_string = String::from_utf8(secret_value)
SecretError::Other(anyhow!("secret value is not valid UTF-8")) .map_err(|_| SecretError::Other(anyhow!("secret value is not valid UTF-8")))?;
})?;
Ok(secret_string) Ok(secret_string)
} }
+12 -21
View File
@@ -1,13 +1,13 @@
use std::io;
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use std::{env, fs};
use anyhow::anyhow; use anyhow::anyhow;
use chrono::Utc; use chrono::Utc;
use dialoguer::Confirm; use dialoguer::Confirm;
use dialoguer::theme::ColorfulTheme; use dialoguer::theme::ColorfulTheme;
use indoc::formatdoc; use indoc::formatdoc;
use log::debug; use log::debug;
use std::io;
use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use std::{env, fs};
use thiserror::Error; use thiserror::Error;
use validator::Validate; use validator::Validate;
@@ -78,9 +78,11 @@ pub fn sync_and_push(opts: &SyncOpts<'_>) -> SyncResult<()> {
let repo_dir = config_dir.join(format!(".{}", repo_name)); let repo_dir = config_dir.join(format!(".{}", repo_name));
fs::create_dir_all(&repo_dir)?; fs::create_dir_all(&repo_dir)?;
let default_vault = confy::get_configuration_file_path(&calling_app_name(), "vault") let default_vault =
.map_err(|e| SyncError::Config { confy::get_configuration_file_path(&calling_app_name(), "vault").map_err(|e| {
message: format!("get default vault path: {}", e), SyncError::Config {
message: format!("get default vault path: {}", e),
}
})?; })?;
let repo_vault = repo_dir.join("vault.yml"); let repo_vault = repo_dir.join("vault.yml");
if default_vault.exists() && !repo_vault.exists() { if default_vault.exists() && !repo_vault.exists() {
@@ -156,9 +158,7 @@ fn resolve_git_email(git: &Path, email: Option<&String>) -> SyncResult<String> {
}) })
} }
pub(in crate::providers) fn resolve_git( pub(in crate::providers) fn resolve_git(override_path: Option<&PathBuf>) -> SyncResult<PathBuf> {
override_path: Option<&PathBuf>,
) -> SyncResult<PathBuf> {
debug!("Resolving git executable"); debug!("Resolving git executable");
if let Some(p) = override_path { if let Some(p) = override_path {
return Ok(p.to_path_buf()); return Ok(p.to_path_buf());
@@ -199,11 +199,7 @@ pub(in crate::providers) fn ensure_git_available(git: &Path) -> SyncResult<()> {
} }
fn run_git(git: &Path, repo: &Path, args: &[&str]) -> SyncResult<()> { fn run_git(git: &Path, repo: &Path, args: &[&str]) -> SyncResult<()> {
let out = Command::new(git) let out = Command::new(git).arg("-C").arg(repo).args(args).output()?;
.arg("-C")
.arg(repo)
.args(args)
.output()?;
if !out.status.success() { if !out.status.success() {
return Err(SyncError::GitCommandFailed { return Err(SyncError::GitCommandFailed {
@@ -305,12 +301,7 @@ fn init_repo_if_needed(git: &Path, repo: &Path, branch: &str) -> SyncResult<()>
Ok(()) Ok(())
} }
fn set_local_identity( fn set_local_identity(git: &Path, repo: &Path, username: String, email: String) -> SyncResult<()> {
git: &Path,
repo: &Path,
username: String,
email: String,
) -> SyncResult<()> {
run_git(git, repo, &["config", "user.name", &username]).map_err(|e| SyncError::Config { run_git(git, repo, &["config", "user.name", &username]).map_err(|e| SyncError::Config {
message: format!("failed to set git user.name: {}", e), message: format!("failed to set git user.name: {}", e),
})?; })?;
+8 -13
View File
@@ -128,8 +128,7 @@ impl SecretProvider for LocalProvider {
} }
let password = self.get_password()?; let password = self.get_password()?;
let envelope = let envelope = encrypt_string(&password, value).map_err(SecretError::Other)?;
encrypt_string(&password, value).map_err(SecretError::Other)?;
drop(password); drop(password);
vault.insert(key.to_string(), envelope); vault.insert(key.to_string(), envelope);
@@ -142,8 +141,7 @@ impl SecretProvider for LocalProvider {
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default(); let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
let password = self.get_password()?; let password = self.get_password()?;
let envelope = let envelope = encrypt_string(&password, value).map_err(SecretError::Other)?;
encrypt_string(&password, value).map_err(SecretError::Other)?;
drop(password); drop(password);
if vault.contains_key(key) { if vault.contains_key(key) {
@@ -373,12 +371,8 @@ impl LocalProvider {
} }
} }
let password = SecretString::new( let password =
fs::read_to_string(password_file)? SecretString::new(fs::read_to_string(password_file)?.trim().to_string().into());
.trim()
.to_string()
.into(),
);
Ok(password) Ok(password)
} else { } else {
@@ -600,11 +594,12 @@ fn decrypt_string(password: &SecretString, envelope: &str) -> LocalResult<String
let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p); let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
let mut key = derive_key_with_params(password, &salt, m, t, p) let mut key = derive_key_with_params(password, &salt, m, t, p).map_err(|source| {
.map_err(|source| SecretError::AuthFailed { SecretError::AuthFailed {
provider: PROVIDER, provider: PROVIDER,
source, source,
})?; }
})?;
let cipher = XChaCha20Poly1305::new(&key); let cipher = XChaCha20Poly1305::new(&key);
if let Ok(pt) = try_decrypt(&cipher, &nonce, &ct, aad_current.as_bytes()) { if let Ok(pt) = try_decrypt(&cipher, &nonce, &ct, aad_current.as_bytes()) {