Compare commits
5 Commits
47d2541b0f
..
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
fbf88ec144
|
|||
|
117b1a24b3
|
|||
|
30fdebc810
|
|||
| 14bd1a9e53 | |||
|
74f25445ce
|
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
|
|||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
|
## v0.5.0 (2026-06-02)
|
||||||
|
|
||||||
|
### Feat
|
||||||
|
|
||||||
|
- Added typed errors to improve library DevX and removed now deprecated migrate command
|
||||||
|
|
||||||
## v0.4.1 (2026-03-20)
|
## v0.4.1 (2026-03-20)
|
||||||
|
|
||||||
### Feat
|
### Feat
|
||||||
|
|||||||
Generated
+131
-368
File diff suppressed because it is too large
Load Diff
+1
-1
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "gman"
|
name = "gman"
|
||||||
version = "0.4.1"
|
version = "0.5.0"
|
||||||
edition = "2024"
|
edition = "2024"
|
||||||
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
|
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
|
||||||
description = "Universal command line secret management and injection tool"
|
description = "Universal command line secret management and injection tool"
|
||||||
|
|||||||
+81
-1
@@ -167,7 +167,7 @@ fn generate_files_secret_injections(
|
|||||||
secrets: HashMap<&str, String>,
|
secrets: HashMap<&str, String>,
|
||||||
run_config: &RunConfig,
|
run_config: &RunConfig,
|
||||||
) -> Result<Vec<(PathBuf, String, String)>> {
|
) -> Result<Vec<(PathBuf, String, String)>> {
|
||||||
let re = Regex::new(r"\{\{(.+)}}")?;
|
let re = Regex::new(r"\{\{\s*(.+?)\s*}}")?;
|
||||||
let mut results = Vec::new();
|
let mut results = Vec::new();
|
||||||
for file in run_config
|
for file in run_config
|
||||||
.files
|
.files
|
||||||
@@ -358,6 +358,86 @@ mod tests {
|
|||||||
assert_str_eq!(result[0].2, "value1");
|
assert_str_eq!(result[0].2, "value1");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_generate_files_secret_injections_tolerates_whitespace_around_key() {
|
||||||
|
let mut secrets = HashMap::new();
|
||||||
|
secrets.insert("api/gmail/email/meli_password", "hunter2".to_string());
|
||||||
|
let temp_dir = tempfile::tempdir().unwrap();
|
||||||
|
let file_path = temp_dir.path().join("test.toml");
|
||||||
|
fs::write(
|
||||||
|
&file_path,
|
||||||
|
"server_password = \"{{ api/gmail/email/meli_password }}\"\nother = \"{{\tapi/gmail/email/meli_password\t}}\"",
|
||||||
|
)
|
||||||
|
.unwrap();
|
||||||
|
|
||||||
|
let run_config = RunConfig {
|
||||||
|
name: Some("meli".to_string()),
|
||||||
|
provider: None,
|
||||||
|
secrets: Some(vec!["api/gmail/email/meli_password".to_string()]),
|
||||||
|
files: Some(vec![file_path.clone()]),
|
||||||
|
flag: None,
|
||||||
|
flag_position: None,
|
||||||
|
arg_format: None,
|
||||||
|
};
|
||||||
|
|
||||||
|
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
|
||||||
|
|
||||||
|
assert_eq!(result.len(), 1);
|
||||||
|
assert_str_eq!(
|
||||||
|
result[0].2,
|
||||||
|
"server_password = \"hunter2\"\nother = \"hunter2\""
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_generate_files_secret_injections_handles_multiple_placeholders_on_one_line() {
|
||||||
|
let mut secrets = HashMap::new();
|
||||||
|
secrets.insert("a", "alpha".to_string());
|
||||||
|
secrets.insert("b", "beta".to_string());
|
||||||
|
let temp_dir = tempfile::tempdir().unwrap();
|
||||||
|
let file_path = temp_dir.path().join("test.txt");
|
||||||
|
fs::write(&file_path, "{{a}} foo {{ b }}").unwrap();
|
||||||
|
|
||||||
|
let run_config = RunConfig {
|
||||||
|
name: Some("test".to_string()),
|
||||||
|
provider: None,
|
||||||
|
secrets: Some(vec!["a".to_string(), "b".to_string()]),
|
||||||
|
files: Some(vec![file_path.clone()]),
|
||||||
|
flag: None,
|
||||||
|
flag_position: None,
|
||||||
|
arg_format: None,
|
||||||
|
};
|
||||||
|
|
||||||
|
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
|
||||||
|
|
||||||
|
assert_eq!(result.len(), 1);
|
||||||
|
assert_str_eq!(result[0].2, "alpha foo beta");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_generate_files_secret_injections_leaves_unknown_keys_untouched() {
|
||||||
|
let mut secrets = HashMap::new();
|
||||||
|
secrets.insert("known", "value".to_string());
|
||||||
|
let temp_dir = tempfile::tempdir().unwrap();
|
||||||
|
let file_path = temp_dir.path().join("test.txt");
|
||||||
|
fs::write(&file_path, "{{known}} {{ unknown }}").unwrap();
|
||||||
|
|
||||||
|
let run_config = RunConfig {
|
||||||
|
name: Some("test".to_string()),
|
||||||
|
provider: None,
|
||||||
|
secrets: Some(vec!["known".to_string()]),
|
||||||
|
files: Some(vec![file_path.clone()]),
|
||||||
|
flag: None,
|
||||||
|
flag_position: None,
|
||||||
|
arg_format: None,
|
||||||
|
};
|
||||||
|
|
||||||
|
let result = generate_files_secret_injections(secrets, &run_config).unwrap();
|
||||||
|
|
||||||
|
assert_eq!(result.len(), 1);
|
||||||
|
assert_str_eq!(result[0].2, "value {{ unknown }}");
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_parse_args_insert_and_append() {
|
fn test_parse_args_insert_and_append() {
|
||||||
let run_config = RunConfig {
|
let run_config = RunConfig {
|
||||||
|
|||||||
@@ -4,8 +4,8 @@ use serde::{Deserialize, Serialize};
|
|||||||
use serde_with::skip_serializing_none;
|
use serde_with::skip_serializing_none;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
use crate::providers::error::{SecretError, classify_aws_error};
|
|
||||||
use crate::providers::SecretProvider;
|
use crate::providers::SecretProvider;
|
||||||
|
use crate::providers::error::{SecretError, classify_aws_error};
|
||||||
|
|
||||||
const PROVIDER: &str = "aws_secrets_manager";
|
const PROVIDER: &str = "aws_secrets_manager";
|
||||||
|
|
||||||
@@ -120,7 +120,10 @@ impl AwsSecretsManagerProvider {
|
|||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
message: "aws_region is required".to_string(),
|
message: "aws_region is required".to_string(),
|
||||||
})?;
|
})?;
|
||||||
let profile = self.aws_profile.clone().ok_or_else(|| SecretError::Config {
|
let profile = self
|
||||||
|
.aws_profile
|
||||||
|
.clone()
|
||||||
|
.ok_or_else(|| SecretError::Config {
|
||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
message: "aws_profile is required".to_string(),
|
message: "aws_profile is required".to_string(),
|
||||||
})?;
|
})?;
|
||||||
|
|||||||
@@ -67,9 +67,9 @@ impl SecretProvider for AzureKeyVaultProvider {
|
|||||||
..Default::default()
|
..Default::default()
|
||||||
};
|
};
|
||||||
|
|
||||||
let body = params
|
let body = params.try_into().map_err(|e: azure_core::Error| {
|
||||||
.try_into()
|
classify_azure_error(e.into(), Some(key), "set_secret")
|
||||||
.map_err(|e: azure_core::Error| classify_azure_error(e.into(), Some(key), "set_secret"))?;
|
})?;
|
||||||
|
|
||||||
self.get_client()?
|
self.get_client()?
|
||||||
.set_secret(key, body, None)
|
.set_secret(key, body, None)
|
||||||
@@ -123,7 +123,10 @@ impl AzureKeyVaultProvider {
|
|||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
source: e.into(),
|
source: e.into(),
|
||||||
})?;
|
})?;
|
||||||
let vault_name = self.vault_name.as_ref().ok_or_else(|| SecretError::Config {
|
let vault_name = self
|
||||||
|
.vault_name
|
||||||
|
.as_ref()
|
||||||
|
.ok_or_else(|| SecretError::Config {
|
||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
message: "vault_name is required".to_string(),
|
message: "vault_name is required".to_string(),
|
||||||
})?;
|
})?;
|
||||||
|
|||||||
+29
-8
@@ -1,5 +1,5 @@
|
|||||||
use std::io;
|
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
|
use std::io;
|
||||||
use thiserror::Error;
|
use thiserror::Error;
|
||||||
|
|
||||||
use crate::providers::git_sync::SyncError;
|
use crate::providers::git_sync::SyncError;
|
||||||
@@ -105,13 +105,19 @@ pub(crate) fn classify_aws_error(
|
|||||||
|| chain_text.contains("unauthorized")
|
|| chain_text.contains("unauthorized")
|
||||||
|| chain_text.contains("unrecognizedclient")
|
|| chain_text.contains("unrecognizedclient")
|
||||||
{
|
{
|
||||||
SecretError::AuthFailed { provider, source: err }
|
SecretError::AuthFailed {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else if chain_text.contains("dispatch failure")
|
} else if chain_text.contains("dispatch failure")
|
||||||
|| chain_text.contains("timeout")
|
|| chain_text.contains("timeout")
|
||||||
|| chain_text.contains("connection")
|
|| chain_text.contains("connection")
|
||||||
|| chain_text.contains("dns")
|
|| chain_text.contains("dns")
|
||||||
{
|
{
|
||||||
SecretError::Network { provider, source: err }
|
SecretError::Network {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
SecretError::Other(err)
|
SecretError::Other(err)
|
||||||
}
|
}
|
||||||
@@ -165,9 +171,15 @@ pub(crate) fn classify_gcp_error(
|
|||||||
provider,
|
provider,
|
||||||
}
|
}
|
||||||
} else if chain_text.contains("unauthenticated") || chain_text.contains("permissiondenied") {
|
} else if chain_text.contains("unauthenticated") || chain_text.contains("permissiondenied") {
|
||||||
SecretError::AuthFailed { provider, source: err }
|
SecretError::AuthFailed {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else if chain_text.contains("unavailable") || chain_text.contains("deadlineexceeded") {
|
} else if chain_text.contains("unavailable") || chain_text.contains("deadlineexceeded") {
|
||||||
SecretError::Network { provider, source: err }
|
SecretError::Network {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
SecretError::Other(err)
|
SecretError::Other(err)
|
||||||
}
|
}
|
||||||
@@ -185,7 +197,10 @@ pub(crate) fn classify_azure_error(
|
|||||||
if let ErrorKind::HttpResponse { status, .. } = azure_err.kind() {
|
if let ErrorKind::HttpResponse { status, .. } = azure_err.kind() {
|
||||||
let code = u16::from(*status);
|
let code = u16::from(*status);
|
||||||
return match code {
|
return match code {
|
||||||
401 | 403 => SecretError::AuthFailed { provider, source: err },
|
401 | 403 => SecretError::AuthFailed {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
},
|
||||||
404 => SecretError::NotFound {
|
404 => SecretError::NotFound {
|
||||||
key: key.unwrap_or("").to_string(),
|
key: key.unwrap_or("").to_string(),
|
||||||
provider,
|
provider,
|
||||||
@@ -213,12 +228,18 @@ pub(crate) fn classify_azure_error(
|
|||||||
|| chain_text.contains("403")
|
|| chain_text.contains("403")
|
||||||
|| chain_text.contains("authentication")
|
|| chain_text.contains("authentication")
|
||||||
{
|
{
|
||||||
SecretError::AuthFailed { provider, source: err }
|
SecretError::AuthFailed {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else if chain_text.contains("timeout")
|
} else if chain_text.contains("timeout")
|
||||||
|| chain_text.contains("connection")
|
|| chain_text.contains("connection")
|
||||||
|| chain_text.contains("dns")
|
|| chain_text.contains("dns")
|
||||||
{
|
{
|
||||||
SecretError::Network { provider, source: err }
|
SecretError::Network {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
SecretError::Other(err)
|
SecretError::Other(err)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -72,9 +72,8 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
})?;
|
})?;
|
||||||
let secret_value = payload.data.ref_sensitive_value().to_vec();
|
let secret_value = payload.data.ref_sensitive_value().to_vec();
|
||||||
let secret_string = String::from_utf8(secret_value).map_err(|_| {
|
let secret_string = String::from_utf8(secret_value)
|
||||||
SecretError::Other(anyhow!("secret value is not valid UTF-8"))
|
.map_err(|_| SecretError::Other(anyhow!("secret value is not valid UTF-8")))?;
|
||||||
})?;
|
|
||||||
|
|
||||||
Ok(secret_string)
|
Ok(secret_string)
|
||||||
}
|
}
|
||||||
|
|||||||
+11
-20
@@ -1,13 +1,13 @@
|
|||||||
use std::io;
|
|
||||||
use std::path::{Path, PathBuf};
|
|
||||||
use std::process::{Command, Stdio};
|
|
||||||
use std::{env, fs};
|
|
||||||
use anyhow::anyhow;
|
use anyhow::anyhow;
|
||||||
use chrono::Utc;
|
use chrono::Utc;
|
||||||
use dialoguer::Confirm;
|
use dialoguer::Confirm;
|
||||||
use dialoguer::theme::ColorfulTheme;
|
use dialoguer::theme::ColorfulTheme;
|
||||||
use indoc::formatdoc;
|
use indoc::formatdoc;
|
||||||
use log::debug;
|
use log::debug;
|
||||||
|
use std::io;
|
||||||
|
use std::path::{Path, PathBuf};
|
||||||
|
use std::process::{Command, Stdio};
|
||||||
|
use std::{env, fs};
|
||||||
use thiserror::Error;
|
use thiserror::Error;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
@@ -78,9 +78,11 @@ pub fn sync_and_push(opts: &SyncOpts<'_>) -> SyncResult<()> {
|
|||||||
let repo_dir = config_dir.join(format!(".{}", repo_name));
|
let repo_dir = config_dir.join(format!(".{}", repo_name));
|
||||||
fs::create_dir_all(&repo_dir)?;
|
fs::create_dir_all(&repo_dir)?;
|
||||||
|
|
||||||
let default_vault = confy::get_configuration_file_path(&calling_app_name(), "vault")
|
let default_vault =
|
||||||
.map_err(|e| SyncError::Config {
|
confy::get_configuration_file_path(&calling_app_name(), "vault").map_err(|e| {
|
||||||
|
SyncError::Config {
|
||||||
message: format!("get default vault path: {}", e),
|
message: format!("get default vault path: {}", e),
|
||||||
|
}
|
||||||
})?;
|
})?;
|
||||||
let repo_vault = repo_dir.join("vault.yml");
|
let repo_vault = repo_dir.join("vault.yml");
|
||||||
if default_vault.exists() && !repo_vault.exists() {
|
if default_vault.exists() && !repo_vault.exists() {
|
||||||
@@ -156,9 +158,7 @@ fn resolve_git_email(git: &Path, email: Option<&String>) -> SyncResult<String> {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::providers) fn resolve_git(
|
pub(in crate::providers) fn resolve_git(override_path: Option<&PathBuf>) -> SyncResult<PathBuf> {
|
||||||
override_path: Option<&PathBuf>,
|
|
||||||
) -> SyncResult<PathBuf> {
|
|
||||||
debug!("Resolving git executable");
|
debug!("Resolving git executable");
|
||||||
if let Some(p) = override_path {
|
if let Some(p) = override_path {
|
||||||
return Ok(p.to_path_buf());
|
return Ok(p.to_path_buf());
|
||||||
@@ -199,11 +199,7 @@ pub(in crate::providers) fn ensure_git_available(git: &Path) -> SyncResult<()> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
fn run_git(git: &Path, repo: &Path, args: &[&str]) -> SyncResult<()> {
|
fn run_git(git: &Path, repo: &Path, args: &[&str]) -> SyncResult<()> {
|
||||||
let out = Command::new(git)
|
let out = Command::new(git).arg("-C").arg(repo).args(args).output()?;
|
||||||
.arg("-C")
|
|
||||||
.arg(repo)
|
|
||||||
.args(args)
|
|
||||||
.output()?;
|
|
||||||
|
|
||||||
if !out.status.success() {
|
if !out.status.success() {
|
||||||
return Err(SyncError::GitCommandFailed {
|
return Err(SyncError::GitCommandFailed {
|
||||||
@@ -305,12 +301,7 @@ fn init_repo_if_needed(git: &Path, repo: &Path, branch: &str) -> SyncResult<()>
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn set_local_identity(
|
fn set_local_identity(git: &Path, repo: &Path, username: String, email: String) -> SyncResult<()> {
|
||||||
git: &Path,
|
|
||||||
repo: &Path,
|
|
||||||
username: String,
|
|
||||||
email: String,
|
|
||||||
) -> SyncResult<()> {
|
|
||||||
run_git(git, repo, &["config", "user.name", &username]).map_err(|e| SyncError::Config {
|
run_git(git, repo, &["config", "user.name", &username]).map_err(|e| SyncError::Config {
|
||||||
message: format!("failed to set git user.name: {}", e),
|
message: format!("failed to set git user.name: {}", e),
|
||||||
})?;
|
})?;
|
||||||
|
|||||||
+7
-12
@@ -128,8 +128,7 @@ impl SecretProvider for LocalProvider {
|
|||||||
}
|
}
|
||||||
|
|
||||||
let password = self.get_password()?;
|
let password = self.get_password()?;
|
||||||
let envelope =
|
let envelope = encrypt_string(&password, value).map_err(SecretError::Other)?;
|
||||||
encrypt_string(&password, value).map_err(SecretError::Other)?;
|
|
||||||
drop(password);
|
drop(password);
|
||||||
|
|
||||||
vault.insert(key.to_string(), envelope);
|
vault.insert(key.to_string(), envelope);
|
||||||
@@ -142,8 +141,7 @@ impl SecretProvider for LocalProvider {
|
|||||||
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
|
|
||||||
let password = self.get_password()?;
|
let password = self.get_password()?;
|
||||||
let envelope =
|
let envelope = encrypt_string(&password, value).map_err(SecretError::Other)?;
|
||||||
encrypt_string(&password, value).map_err(SecretError::Other)?;
|
|
||||||
drop(password);
|
drop(password);
|
||||||
|
|
||||||
if vault.contains_key(key) {
|
if vault.contains_key(key) {
|
||||||
@@ -373,12 +371,8 @@ impl LocalProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
let password = SecretString::new(
|
let password =
|
||||||
fs::read_to_string(password_file)?
|
SecretString::new(fs::read_to_string(password_file)?.trim().to_string().into());
|
||||||
.trim()
|
|
||||||
.to_string()
|
|
||||||
.into(),
|
|
||||||
);
|
|
||||||
|
|
||||||
Ok(password)
|
Ok(password)
|
||||||
} else {
|
} else {
|
||||||
@@ -600,10 +594,11 @@ fn decrypt_string(password: &SecretString, envelope: &str) -> LocalResult<String
|
|||||||
|
|
||||||
let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
|
let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
|
||||||
|
|
||||||
let mut key = derive_key_with_params(password, &salt, m, t, p)
|
let mut key = derive_key_with_params(password, &salt, m, t, p).map_err(|source| {
|
||||||
.map_err(|source| SecretError::AuthFailed {
|
SecretError::AuthFailed {
|
||||||
provider: PROVIDER,
|
provider: PROVIDER,
|
||||||
source,
|
source,
|
||||||
|
}
|
||||||
})?;
|
})?;
|
||||||
let cipher = XChaCha20Poly1305::new(&key);
|
let cipher = XChaCha20Poly1305::new(&key);
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user