Compare commits
22 Commits
v0.2.3
...
47d2541b0f
| Author | SHA1 | Date | |
|---|---|---|---|
|
47d2541b0f
|
|||
|
424aed0315
|
|||
|
38c5d5509a
|
|||
|
067e16cb8b
|
|||
| 9f63ee8265 | |||
|
6cba3d6d0b
|
|||
|
b2a51dc1b1
|
|||
| cc44fca54e | |||
|
9a678ae67d
|
|||
|
66b950991c
|
|||
| e8e0bd02e9 | |||
|
ed5a7308be
|
|||
|
044d5960eb
|
|||
| c0aa379b20 | |||
|
f9fd9692aa
|
|||
| 2615b23d6e | |||
| 628a13011e | |||
| cff4420ee0 | |||
| 9944e29ef0 | |||
| c95bae1761 | |||
| 21da7b782e | |||
| d038930ce5 |
@@ -0,0 +1,11 @@
|
|||||||
|
### AI assistance (if any):
|
||||||
|
- List tools here and files touched by them
|
||||||
|
|
||||||
|
### Authorship & Understanding
|
||||||
|
|
||||||
|
- [ ] I wrote or heavily modified this code myself
|
||||||
|
- [ ] I understand how it works end-to-end
|
||||||
|
- [ ] I can maintain this code in the future
|
||||||
|
- [ ] No undisclosed AI-generated code was used
|
||||||
|
- [ ] If AI assistance was used, it is documented below
|
||||||
|
|
||||||
@@ -5,6 +5,28 @@ All notable changes to this project will be documented in this file.
|
|||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
||||||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
|
## v0.4.1 (2026-03-20)
|
||||||
|
|
||||||
|
### Feat
|
||||||
|
|
||||||
|
- Upgraded aws-lc-sys version to address high severity CWE-295
|
||||||
|
|
||||||
|
## v0.4.0 (2026-03-09)
|
||||||
|
|
||||||
|
### Feat
|
||||||
|
|
||||||
|
- Added 1password support
|
||||||
|
- sort local keys alphabetically when listing them
|
||||||
|
|
||||||
|
## v0.3.0 (2026-02-02)
|
||||||
|
|
||||||
|
### Fix
|
||||||
|
|
||||||
|
- Upgraded AWS dependencies to address CWE-20
|
||||||
|
- A critical security flaw was discovered that essentially had all local secrets be encrypted with an all-zero key
|
||||||
|
- Addressed XNonce::from_slice deprecation warning
|
||||||
|
- Secrets are now stored exactly as passed without newlines stripped
|
||||||
|
|
||||||
## v0.2.3 (2025-10-14)
|
## v0.2.3 (2025-10-14)
|
||||||
|
|
||||||
### Refactor
|
### Refactor
|
||||||
|
|||||||
+9
-1
@@ -48,7 +48,8 @@ cz commit
|
|||||||
1. Clone this repo
|
1. Clone this repo
|
||||||
2. Run `cargo test` to set up hooks
|
2. Run `cargo test` to set up hooks
|
||||||
3. Make changes
|
3. Make changes
|
||||||
4. Run the application using `make run` or `cargo run`
|
4. Run the application using `just run` or `just run`
|
||||||
|
- Install `just` (`cargo install just`) if you haven't already to use the [justfile](./justfile) in this project.
|
||||||
5. Commit changes. This will trigger pre-commit hooks that will run format, test and lint. If there are errors or
|
5. Commit changes. This will trigger pre-commit hooks that will run format, test and lint. If there are errors or
|
||||||
warnings from Clippy, please fix them.
|
warnings from Clippy, please fix them.
|
||||||
6. Push your code to a new branch named after the feature/bug/etc. you're adding. This will trigger pre-push hooks that
|
6. Push your code to a new branch named after the feature/bug/etc. you're adding. This will trigger pre-push hooks that
|
||||||
@@ -75,6 +76,13 @@ Then, you can run workflows locally without having to commit and see if the GitH
|
|||||||
act -W .github/workflows/release.yml --input_type bump=minor
|
act -W .github/workflows/release.yml --input_type bump=minor
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Authorship Policy
|
||||||
|
|
||||||
|
All code in this repository is written and reviewed by humans. AI-generated code (e.g., Copilot, ChatGPT,
|
||||||
|
Claude, etc.) is not permitted unless explicitly disclosed and approved.
|
||||||
|
|
||||||
|
Submissions must certify that the contributor understands and can maintain the code they submit.
|
||||||
|
|
||||||
## Questions? Reach out to me!
|
## Questions? Reach out to me!
|
||||||
If you encounter any questions while developing G-Man, please don't hesitate to reach out to me at
|
If you encounter any questions while developing G-Man, please don't hesitate to reach out to me at
|
||||||
alex.j.tusa@gmail.com. I'm happy to help contributors in any way I can, regardless of if they're new or experienced!
|
alex.j.tusa@gmail.com. I'm happy to help contributors in any way I can, regardless of if they're new or experienced!
|
||||||
|
|||||||
Generated
+932
-743
File diff suppressed because it is too large
Load Diff
+10
-8
@@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "gman"
|
name = "gman"
|
||||||
version = "0.2.3"
|
version = "0.4.1"
|
||||||
edition = "2024"
|
edition = "2024"
|
||||||
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
|
authors = ["Alex Clarke <alex.j.tusa@gmail.com>"]
|
||||||
description = "Universal command line secret management and injection tool"
|
description = "Universal command line secret management and injection tool"
|
||||||
@@ -32,7 +32,7 @@ clap = { version = "4.5.47", features = [
|
|||||||
"wrap_help",
|
"wrap_help",
|
||||||
] }
|
] }
|
||||||
clap_complete = { version = "4.5.57", features = ["unstable-dynamic"] }
|
clap_complete = { version = "4.5.57", features = ["unstable-dynamic"] }
|
||||||
confy = { version = "1.0.0", default-features = false, features = [
|
confy = { version = "2.0.0", default-features = false, features = [
|
||||||
"yaml_conf",
|
"yaml_conf",
|
||||||
] }
|
] }
|
||||||
crossterm = "0.29.0"
|
crossterm = "0.29.0"
|
||||||
@@ -53,20 +53,22 @@ indoc = "2.0.6"
|
|||||||
regex = "1.11.2"
|
regex = "1.11.2"
|
||||||
serde_yaml = "0.9.34"
|
serde_yaml = "0.9.34"
|
||||||
tempfile = "3.22.0"
|
tempfile = "3.22.0"
|
||||||
aws-sdk-secretsmanager = "1.88.0"
|
aws-sdk-secretsmanager = "1.98.0"
|
||||||
tokio = { version = "1.47.1", features = ["full"] }
|
tokio = { version = "1.47.1", features = ["full"] }
|
||||||
aws-config = { version = "1.8.6", features = ["behavior-version-latest"] }
|
aws-config = { version = "1.8.12", features = ["behavior-version-latest"] }
|
||||||
async-trait = "0.1.89"
|
async-trait = "0.1.89"
|
||||||
futures = "0.3.31"
|
futures = "0.3.31"
|
||||||
gcloud-sdk = { version = "0.28.1", features = [
|
gcloud-sdk = { version = "0.28.5", features = [
|
||||||
"google-cloud-secretmanager-v1",
|
"google-cloud-secretmanager-v1",
|
||||||
] }
|
] }
|
||||||
crc32c = "0.6.8"
|
crc32c = "0.6.8"
|
||||||
azure_identity = "0.27.0"
|
azure_core = "0.31.0"
|
||||||
azure_security_keyvault_secrets = "0.6.0"
|
azure_identity = "0.31.0"
|
||||||
aws-lc-sys = { version = "0.31.0", features = ["bindgen"] }
|
azure_security_keyvault_secrets = "0.10.0"
|
||||||
|
aws-lc-sys = { version = "0.39.0", features = ["bindgen"] }
|
||||||
which = "8.0.0"
|
which = "8.0.0"
|
||||||
once_cell = "1.21.3"
|
once_cell = "1.21.3"
|
||||||
|
thiserror = "2"
|
||||||
|
|
||||||
[target.'cfg(all(target_os="linux", target_env="musl"))'.dependencies]
|
[target.'cfg(all(target_os="linux", target_env="musl"))'.dependencies]
|
||||||
openssl = { version = "0.10", features = ["vendored"] }
|
openssl = { version = "0.10", features = ["vendored"] }
|
||||||
|
|||||||
@@ -1,40 +0,0 @@
|
|||||||
#!make
|
|
||||||
default: run
|
|
||||||
|
|
||||||
.PHONY: test test-cov build run lint lint-fix fmt minimal-versions analyze release delete-tag
|
|
||||||
|
|
||||||
test:
|
|
||||||
@cargo test --all
|
|
||||||
|
|
||||||
## Run all tests with coverage - `cargo install cargo-tarpaulin`
|
|
||||||
test-cov:
|
|
||||||
@cargo tarpaulin
|
|
||||||
|
|
||||||
build: test
|
|
||||||
@cargo build --release
|
|
||||||
|
|
||||||
run:
|
|
||||||
@CARGO_INCREMENTAL=1 cargo fmt && make lint && cargo run
|
|
||||||
|
|
||||||
lint:
|
|
||||||
@find . | grep '\.\/src\/.*\.rs$$' | xargs touch && CARGO_INCREMENTAL=0 cargo clippy --all-targets --workspace
|
|
||||||
|
|
||||||
lint-fix:
|
|
||||||
@cargo fix
|
|
||||||
|
|
||||||
fmt:
|
|
||||||
@cargo fmt
|
|
||||||
|
|
||||||
minimal-versions:
|
|
||||||
@cargo +nightly update -Zdirect-minimal-versions
|
|
||||||
|
|
||||||
## Analyze for unsafe usage - `cargo install cargo-geiger`
|
|
||||||
analyze:
|
|
||||||
@cargo geiger
|
|
||||||
|
|
||||||
release:
|
|
||||||
@git tag -a ${V} -m "Release ${V}" && git push origin ${V}
|
|
||||||
|
|
||||||
delete-tag:
|
|
||||||
@git tag -d ${V} && git push --delete origin ${V}
|
|
||||||
|
|
||||||
@@ -2,7 +2,6 @@
|
|||||||
|
|
||||||

|

|
||||||

|

|
||||||

|
|
||||||
[](https://crates.io/crates/gman)
|
[](https://crates.io/crates/gman)
|
||||||

|

|
||||||

|

|
||||||
@@ -14,8 +13,8 @@ files or sprinkling environment variables everywhere.
|
|||||||
|
|
||||||
## Overview
|
## Overview
|
||||||
|
|
||||||
`gman` acts as a universal wrapper for any command that needs credentials. Store your secrets—API tokens, passwords,
|
`gman` acts as a universal wrapper for any command that needs credentials. Store your secrets (e.g. API tokens, passwords,
|
||||||
certs—with a provider, then either fetch them directly or run your command through `gman` to inject what it needs as
|
certs, etc.) with a provider, then either fetch them directly or run your command through `gman` to inject what it needs as
|
||||||
environment variables, flags, or file content.
|
environment variables, flags, or file content.
|
||||||
|
|
||||||
## Quick Examples: Before vs After
|
## Quick Examples: Before vs After
|
||||||
@@ -96,6 +95,7 @@ gman aws sts get-caller-identity
|
|||||||
- [GCP Secret Manager](#provider-gcp_secret_manager)
|
- [GCP Secret Manager](#provider-gcp_secret_manager)
|
||||||
- [Azure Key Vault](#provider-azure_key_vault)
|
- [Azure Key Vault](#provider-azure_key_vault)
|
||||||
- [Gopass](#provider-gopass)
|
- [Gopass](#provider-gopass)
|
||||||
|
- [1Password](#provider-one_password)
|
||||||
- [Run Configurations](#run-configurations)
|
- [Run Configurations](#run-configurations)
|
||||||
- [Specifying a Default Provider per Run Config](#specifying-a-default-provider-per-run-config)
|
- [Specifying a Default Provider per Run Config](#specifying-a-default-provider-per-run-config)
|
||||||
- [Environment Variable Secret Injection](#environment-variable-secret-injection)
|
- [Environment Variable Secret Injection](#environment-variable-secret-injection)
|
||||||
@@ -142,7 +142,7 @@ You can use the following command to run a bash script that downloads and instal
|
|||||||
OS (Linux/MacOS) and architecture (x86_64/arm64):
|
OS (Linux/MacOS) and architecture (x86_64/arm64):
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
curl -fsSL https://raw.githubusercontent.com/Dark-Alex-17/gman/main/install.sh | bash
|
curl -fsSL https://raw.githubusercontent.com/Dark-Alex-17/gman/main/install_gman.sh | bash
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Windows/Linux/MacOS (`PowerShell`)
|
#### Windows/Linux/MacOS (`PowerShell`)
|
||||||
@@ -280,14 +280,14 @@ documented and added without breaking existing setups. The following table shows
|
|||||||
|
|
||||||
|
|
||||||
| Provider Name | Status | Configuration Docs | Comments |
|
| Provider Name | Status | Configuration Docs | Comments |
|
||||||
|--------------------------------------------------------------------------------------------------------------------------|--------|------------------------------------------------------|--------------------------------------------|
|
|-------------------------------------------------------------------------------------------------|--------|------------------------------------------------------|--------------------------------------------|
|
||||||
| `local` | ✅ | [Local](#provider-local) | |
|
| `local` | ✅ | [Local](#provider-local) | |
|
||||||
| [`aws_secrets_manager`](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) | ✅ | [AWS Secrets Manager](#provider-aws_secrets_manager) | |
|
| [`aws_secrets_manager`](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) | ✅ | [AWS Secrets Manager](#provider-aws_secrets_manager) | |
|
||||||
| [`hashicorp_vault`](https://www.hashicorp.com/en/products/vault) | 🕒 | | |
|
| [`hashicorp_vault`](https://www.hashicorp.com/en/products/vault) | 🕒 | | |
|
||||||
| [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/) | ✅ | [Azure Key Vault](#provider-azure_key_vault) | |
|
| [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/) | ✅ | [Azure Key Vault](#provider-azure_key_vault) | |
|
||||||
| [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | ✅ | [GCP Secret Manager](#provider-gcp_secret_manager) | |
|
| [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | ✅ | [GCP Secret Manager](#provider-gcp_secret_manager) | |
|
||||||
| [`gopass`](https://www.gopass.pw/) | ✅ | | |
|
| [`gopass`](https://www.gopass.pw/) | ✅ | [Gopass](#provider-gopass) | |
|
||||||
| [`1password`](https://1password.com/) | 🕒 | | |
|
| [`1password`](https://1password.com/) | ✅ | [1Password](#provider-one_password) | |
|
||||||
| [`bitwarden`](https://bitwarden.com/) | 🕒 | | |
|
| [`bitwarden`](https://bitwarden.com/) | 🕒 | | |
|
||||||
| [`dashlane`](https://www.dashlane.com/) | 🕒 | | Waiting for CLI support for adding secrets |
|
| [`dashlane`](https://www.dashlane.com/) | 🕒 | | Waiting for CLI support for adding secrets |
|
||||||
| [`lastpass`](https://www.lastpass.com/) | 🕒 | | |
|
| [`lastpass`](https://www.lastpass.com/) | 🕒 | | |
|
||||||
@@ -450,6 +450,42 @@ Important notes:
|
|||||||
- Secrets are managed using gopass's native commands; `gman` acts as a wrapper to interface with gopass.
|
- Secrets are managed using gopass's native commands; `gman` acts as a wrapper to interface with gopass.
|
||||||
- Updates overwrite existing secrets
|
- Updates overwrite existing secrets
|
||||||
- If no store is specified, the default gopass store is used and `gman sync` will sync with all configured stores.
|
- If no store is specified, the default gopass store is used and `gman sync` will sync with all configured stores.
|
||||||
|
|
||||||
|
### Provider: `one_password`
|
||||||
|
The `one_password` provider uses the [1Password CLI (`op`)](https://developer.1password.com/docs/cli/) as the backing
|
||||||
|
storage location for secrets.
|
||||||
|
|
||||||
|
- Optional: `vault` (string) to specify which 1Password vault to use. If omitted, the default vault is used.
|
||||||
|
- Optional: `account` (string) to specify which 1Password account to use. Useful if you have multiple accounts. If
|
||||||
|
omitted, the default signed-in account is used.
|
||||||
|
|
||||||
|
Configuration example:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
default_provider: op
|
||||||
|
providers:
|
||||||
|
- name: op
|
||||||
|
type: one_password
|
||||||
|
vault: Production # Optional; if omitted, uses the default vault
|
||||||
|
account: my.1password.com # Optional; if omitted, uses the default account
|
||||||
|
```
|
||||||
|
|
||||||
|
Authentication:
|
||||||
|
- **Interactive**: Run `op signin` to sign in interactively.
|
||||||
|
- **Service Account**: Set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable for non-interactive/CI usage.
|
||||||
|
- **Desktop App Integration**: If the 1Password desktop app is installed and configured, the CLI can use biometric
|
||||||
|
authentication (Touch ID, Windows Hello, etc.).
|
||||||
|
|
||||||
|
Important notes:
|
||||||
|
- Ensure the 1Password CLI (`op`) is installed on your system. Install instructions are at
|
||||||
|
https://developer.1password.com/docs/cli/get-started/.
|
||||||
|
- Secrets are stored as 1Password Password items. The item title is the secret name and the `password` field holds the
|
||||||
|
secret value.
|
||||||
|
- **Deletions are permanent. Deleted items are not archived.**
|
||||||
|
- `add` creates a new Password item. If an item with the same title already exists in the vault, `op` will create a
|
||||||
|
duplicate. Use `update` to change an existing secret value.
|
||||||
|
- `list` returns the titles of all items in the configured vault.
|
||||||
|
|
||||||
## Run Configurations
|
## Run Configurations
|
||||||
|
|
||||||
Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are
|
Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are
|
||||||
@@ -657,7 +693,7 @@ gman managarr
|
|||||||
|
|
||||||
### Multiple Providers and Switching
|
### Multiple Providers and Switching
|
||||||
|
|
||||||
You can define multiple providers—even multiple of the same type—and switch between them per command.
|
You can define multiple providers (even multiple of the same type) and switch between them per command.
|
||||||
|
|
||||||
Example: two AWS Secrets Manager providers named `lab` and `prod`.
|
Example: two AWS Secrets Manager providers named `lab` and `prod`.
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,35 @@
|
|||||||
|
# List all recipes
|
||||||
|
default:
|
||||||
|
@just --list
|
||||||
|
|
||||||
|
# Format all files
|
||||||
|
[group: 'style']
|
||||||
|
fmt:
|
||||||
|
@cargo fmt --all
|
||||||
|
|
||||||
|
alias clippy := lint
|
||||||
|
# Run Clippy to inspect all files
|
||||||
|
[group: 'style']
|
||||||
|
lint:
|
||||||
|
@cargo clippy --all
|
||||||
|
|
||||||
|
alias clippy-fix := lint-fix
|
||||||
|
# Automatically fix clippy issues where possible
|
||||||
|
[group: 'style']
|
||||||
|
lint-fix:
|
||||||
|
@cargo fix
|
||||||
|
|
||||||
|
# Run all tests
|
||||||
|
[group: 'test']
|
||||||
|
test:
|
||||||
|
@cargo test --all
|
||||||
|
|
||||||
|
# Build and run the binary for the current system
|
||||||
|
run:
|
||||||
|
@cargo run
|
||||||
|
|
||||||
|
# Build the project for the current system architecture
|
||||||
|
[group: 'build']
|
||||||
|
[arg('build_type', pattern="debug|release")]
|
||||||
|
build build_type='debug':
|
||||||
|
@cargo build {{ if build_type == "release" { "--release" } else { "" } }}
|
||||||
@@ -159,7 +159,7 @@ async fn main() -> Result<()> {
|
|||||||
let plaintext =
|
let plaintext =
|
||||||
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
|
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
|
||||||
secrets_provider
|
secrets_provider
|
||||||
.set_secret(&name, plaintext.trim_end())
|
.set_secret(&name, &plaintext)
|
||||||
.await
|
.await
|
||||||
.map(|_| match cli.output {
|
.map(|_| match cli.output {
|
||||||
Some(_) => (),
|
Some(_) => (),
|
||||||
@@ -190,7 +190,7 @@ async fn main() -> Result<()> {
|
|||||||
let plaintext =
|
let plaintext =
|
||||||
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
|
read_all_stdin().with_context(|| "unable to read plaintext from stdin")?;
|
||||||
secrets_provider
|
secrets_provider
|
||||||
.update_secret(&name, plaintext.trim_end())
|
.update_secret(&name, &plaintext)
|
||||||
.await
|
.await
|
||||||
.map(|_| match cli.output {
|
.map(|_| match cli.output {
|
||||||
Some(_) => (),
|
Some(_) => (),
|
||||||
|
|||||||
@@ -169,6 +169,10 @@ impl ProviderConfig {
|
|||||||
debug!("Using Gopass provider");
|
debug!("Using Gopass provider");
|
||||||
provider_def
|
provider_def
|
||||||
}
|
}
|
||||||
|
SupportedProvider::OnePassword { provider_def } => {
|
||||||
|
debug!("Using 1Password provider");
|
||||||
|
provider_def
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
+65
-31
@@ -22,10 +22,7 @@
|
|||||||
//! filesystem. Prefer `no_run` doctests for those.
|
//! filesystem. Prefer `no_run` doctests for those.
|
||||||
|
|
||||||
use anyhow::{Context, Result, anyhow, bail};
|
use anyhow::{Context, Result, anyhow, bail};
|
||||||
use argon2::{
|
use argon2::{Algorithm, Argon2, Params, Version, password_hash::rand_core::RngCore};
|
||||||
Algorithm, Argon2, Params, Version,
|
|
||||||
password_hash::{SaltString, rand_core::RngCore},
|
|
||||||
};
|
|
||||||
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
|
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
|
||||||
use chacha20poly1305::{
|
use chacha20poly1305::{
|
||||||
Key, XChaCha20Poly1305, XNonce,
|
Key, XChaCha20Poly1305, XNonce,
|
||||||
@@ -39,12 +36,14 @@ pub mod config;
|
|||||||
/// Secret provider trait and implementations.
|
/// Secret provider trait and implementations.
|
||||||
pub mod providers;
|
pub mod providers;
|
||||||
|
|
||||||
|
pub use providers::{SecretError, SyncError};
|
||||||
|
|
||||||
pub(crate) const HEADER: &str = "$VAULT";
|
pub(crate) const HEADER: &str = "$VAULT";
|
||||||
pub(crate) const VERSION: &str = "v1";
|
pub(crate) const VERSION: &str = "v1";
|
||||||
pub(crate) const KDF: &str = "argon2id";
|
pub(crate) const KDF: &str = "argon2id";
|
||||||
|
|
||||||
pub(crate) const ARGON_M_COST_KIB: u32 = 19_456;
|
pub(crate) const ARGON_M_COST_KIB: u32 = 65_536;
|
||||||
pub(crate) const ARGON_T_COST: u32 = 2;
|
pub(crate) const ARGON_T_COST: u32 = 3;
|
||||||
pub(crate) const ARGON_P: u32 = 1;
|
pub(crate) const ARGON_P: u32 = 1;
|
||||||
|
|
||||||
pub(crate) const SALT_LEN: usize = 16;
|
pub(crate) const SALT_LEN: usize = 16;
|
||||||
@@ -61,7 +60,7 @@ fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
|
|||||||
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
|
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
|
||||||
.map_err(|e| anyhow!("argon2 into error: {:?}", e))?;
|
.map_err(|e| anyhow!("argon2 into error: {:?}", e))?;
|
||||||
|
|
||||||
let key = *Key::from_slice(&key_bytes);
|
let key: Key = key_bytes.into();
|
||||||
key_bytes.zeroize();
|
key_bytes.zeroize();
|
||||||
Ok(key)
|
Ok(key)
|
||||||
}
|
}
|
||||||
@@ -84,20 +83,28 @@ fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
|
|||||||
pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Result<String> {
|
pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Result<String> {
|
||||||
let password = password.into();
|
let password = password.into();
|
||||||
|
|
||||||
let salt = SaltString::generate(&mut OsRng);
|
if password.expose_secret().is_empty() {
|
||||||
|
bail!("password cannot be empty");
|
||||||
|
}
|
||||||
|
|
||||||
|
let mut salt = [0u8; SALT_LEN];
|
||||||
|
OsRng.fill_bytes(&mut salt);
|
||||||
let mut nonce_bytes = [0u8; NONCE_LEN];
|
let mut nonce_bytes = [0u8; NONCE_LEN];
|
||||||
OsRng.fill_bytes(&mut nonce_bytes);
|
OsRng.fill_bytes(&mut nonce_bytes);
|
||||||
|
|
||||||
let key = derive_key(&password, salt.as_str().as_bytes())?;
|
let mut key = derive_key(&password, &salt)?;
|
||||||
let cipher = XChaCha20Poly1305::new(&key);
|
let cipher = XChaCha20Poly1305::new(&key);
|
||||||
|
|
||||||
let aad = format!("{};{}", HEADER, VERSION);
|
let aad = format!(
|
||||||
|
"{};{};{};m={},t={},p={}",
|
||||||
|
HEADER, VERSION, KDF, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P
|
||||||
|
);
|
||||||
|
|
||||||
let nonce = XNonce::from_slice(&nonce_bytes);
|
let nonce: XNonce = nonce_bytes.into();
|
||||||
let mut pt = plaintext.as_bytes().to_vec();
|
let mut pt = plaintext.as_bytes().to_vec();
|
||||||
let ct = cipher
|
let ct = cipher
|
||||||
.encrypt(
|
.encrypt(
|
||||||
nonce,
|
&nonce,
|
||||||
chacha20poly1305::aead::Payload {
|
chacha20poly1305::aead::Payload {
|
||||||
msg: &pt,
|
msg: &pt,
|
||||||
aad: aad.as_bytes(),
|
aad: aad.as_bytes(),
|
||||||
@@ -115,13 +122,14 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
|
|||||||
m = ARGON_M_COST_KIB,
|
m = ARGON_M_COST_KIB,
|
||||||
t = ARGON_T_COST,
|
t = ARGON_T_COST,
|
||||||
p = ARGON_P,
|
p = ARGON_P,
|
||||||
salt = B64.encode(salt.as_str().as_bytes()),
|
salt = B64.encode(salt),
|
||||||
nonce = B64.encode(nonce_bytes),
|
nonce = B64.encode(nonce_bytes),
|
||||||
ct = B64.encode(&ct),
|
ct = B64.encode(&ct),
|
||||||
);
|
);
|
||||||
|
|
||||||
drop(cipher);
|
drop(cipher);
|
||||||
let _ = key;
|
key.zeroize();
|
||||||
|
salt.zeroize();
|
||||||
nonce_bytes.zeroize();
|
nonce_bytes.zeroize();
|
||||||
|
|
||||||
Ok(env)
|
Ok(env)
|
||||||
@@ -132,6 +140,9 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
|
|||||||
/// Returns the original plaintext on success or an error if the password is
|
/// Returns the original plaintext on success or an error if the password is
|
||||||
/// wrong, the envelope was tampered with, or the input is malformed.
|
/// wrong, the envelope was tampered with, or the input is malformed.
|
||||||
///
|
///
|
||||||
|
/// This function supports both the current format (with KDF params in AAD) and
|
||||||
|
/// the legacy format (without KDF params in AAD) for backwards compatibility.
|
||||||
|
///
|
||||||
/// Example
|
/// Example
|
||||||
/// ```
|
/// ```
|
||||||
/// use gman::{encrypt_string, decrypt_string};
|
/// use gman::{encrypt_string, decrypt_string};
|
||||||
@@ -145,6 +156,10 @@ pub fn encrypt_string(password: impl Into<SecretString>, plaintext: &str) -> Res
|
|||||||
pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Result<String> {
|
pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Result<String> {
|
||||||
let password = password.into();
|
let password = password.into();
|
||||||
|
|
||||||
|
if password.expose_secret().is_empty() {
|
||||||
|
bail!("password cannot be empty");
|
||||||
|
}
|
||||||
|
|
||||||
let parts: Vec<&str> = envelope.split(';').collect();
|
let parts: Vec<&str> = envelope.split(';').collect();
|
||||||
if parts.len() < 7 {
|
if parts.len() < 7 {
|
||||||
bail!("invalid envelope format");
|
bail!("invalid envelope format");
|
||||||
@@ -178,34 +193,55 @@ pub fn decrypt_string(password: impl Into<SecretString>, envelope: &str) -> Resu
|
|||||||
let nonce_b64 = parts[5].strip_prefix("nonce=").context("missing nonce")?;
|
let nonce_b64 = parts[5].strip_prefix("nonce=").context("missing nonce")?;
|
||||||
let ct_b64 = parts[6].strip_prefix("ct=").context("missing ct")?;
|
let ct_b64 = parts[6].strip_prefix("ct=").context("missing ct")?;
|
||||||
|
|
||||||
let salt_bytes = B64.decode(salt_b64).context("bad salt b64")?;
|
let mut salt_bytes = B64.decode(salt_b64).context("bad salt b64")?;
|
||||||
let mut nonce_bytes = B64.decode(nonce_b64).context("bad nonce b64")?;
|
let nonce_bytes = B64.decode(nonce_b64).context("bad nonce b64")?;
|
||||||
let mut ct = B64.decode(ct_b64).context("bad ct b64")?;
|
let mut ct = B64.decode(ct_b64).context("bad ct b64")?;
|
||||||
|
|
||||||
if nonce_bytes.len() != NONCE_LEN {
|
if nonce_bytes.len() != NONCE_LEN {
|
||||||
bail!("nonce length mismatch");
|
bail!("nonce length mismatch");
|
||||||
}
|
}
|
||||||
|
|
||||||
let key = derive_key(&password, &salt_bytes)?;
|
let mut key = derive_key(&password, &salt_bytes)?;
|
||||||
|
|
||||||
let cipher = XChaCha20Poly1305::new(&key);
|
let cipher = XChaCha20Poly1305::new(&key);
|
||||||
|
|
||||||
let aad = format!("{};{}", HEADER, VERSION);
|
let aad_new = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
|
||||||
let nonce = XNonce::from_slice(&nonce_bytes);
|
let aad_legacy = format!("{};{}", HEADER, VERSION);
|
||||||
let pt = cipher
|
|
||||||
.decrypt(
|
let mut nonce_arr: [u8; NONCE_LEN] = nonce_bytes
|
||||||
nonce,
|
.try_into()
|
||||||
|
.map_err(|_| anyhow!("invalid nonce length"))?;
|
||||||
|
let nonce: XNonce = nonce_arr.into();
|
||||||
|
|
||||||
|
let decrypt_result = cipher.decrypt(
|
||||||
|
&nonce,
|
||||||
chacha20poly1305::aead::Payload {
|
chacha20poly1305::aead::Payload {
|
||||||
msg: &ct,
|
msg: &ct,
|
||||||
aad: aad.as_bytes(),
|
aad: aad_new.as_bytes(),
|
||||||
|
},
|
||||||
|
);
|
||||||
|
|
||||||
|
let mut pt = match decrypt_result {
|
||||||
|
Ok(pt) => pt,
|
||||||
|
Err(_) => cipher
|
||||||
|
.decrypt(
|
||||||
|
&nonce,
|
||||||
|
chacha20poly1305::aead::Payload {
|
||||||
|
msg: &ct,
|
||||||
|
aad: aad_legacy.as_bytes(),
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
.map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
|
.map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?,
|
||||||
|
};
|
||||||
|
|
||||||
nonce_bytes.zeroize();
|
let s = String::from_utf8(pt.clone()).context("plaintext not valid UTF-8")?;
|
||||||
|
|
||||||
|
key.zeroize();
|
||||||
|
salt_bytes.zeroize();
|
||||||
|
nonce_arr.zeroize();
|
||||||
ct.zeroize();
|
ct.zeroize();
|
||||||
|
pt.zeroize();
|
||||||
|
|
||||||
let s = String::from_utf8(pt).context("plaintext not valid UTF-8")?;
|
|
||||||
Ok(s)
|
Ok(s)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -247,12 +283,10 @@ mod tests {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn empty_password() {
|
fn empty_password_rejected() {
|
||||||
let pw = SecretString::new("".into());
|
let pw = SecretString::new("".into());
|
||||||
let msg = "hello";
|
let msg = "hello";
|
||||||
let env = encrypt_string(pw.clone(), msg).unwrap();
|
assert!(encrypt_string(pw.clone(), msg).is_err());
|
||||||
let out = decrypt_string(pw, &env).unwrap();
|
|
||||||
assert_eq!(msg, out);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
@@ -274,7 +308,7 @@ mod tests {
|
|||||||
let mut ct = base64::engine::general_purpose::STANDARD
|
let mut ct = base64::engine::general_purpose::STANDARD
|
||||||
.decode(ct_b64)
|
.decode(ct_b64)
|
||||||
.unwrap();
|
.unwrap();
|
||||||
ct[0] ^= 0x01; // Flip a bit
|
ct[0] ^= 0x01;
|
||||||
let new_ct_b64 = base64::engine::general_purpose::STANDARD.encode(&ct);
|
let new_ct_b64 = base64::engine::general_purpose::STANDARD.encode(&ct);
|
||||||
let new_ct_part = format!("ct={}", new_ct_b64);
|
let new_ct_part = format!("ct={}", new_ct_b64);
|
||||||
parts[6] = &new_ct_part;
|
parts[6] = &new_ct_part;
|
||||||
|
|||||||
@@ -1,12 +1,14 @@
|
|||||||
use crate::providers::SecretProvider;
|
|
||||||
use anyhow::Context;
|
|
||||||
use anyhow::Result;
|
|
||||||
use aws_config::Region;
|
use aws_config::Region;
|
||||||
use aws_sdk_secretsmanager::Client;
|
use aws_sdk_secretsmanager::Client;
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use serde_with::skip_serializing_none;
|
use serde_with::skip_serializing_none;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::providers::error::{SecretError, classify_aws_error};
|
||||||
|
use crate::providers::SecretProvider;
|
||||||
|
|
||||||
|
const PROVIDER: &str = "aws_secrets_manager";
|
||||||
|
|
||||||
#[skip_serializing_none]
|
#[skip_serializing_none]
|
||||||
/// Configuration for AWS Secrets Manager provider
|
/// Configuration for AWS Secrets Manager provider
|
||||||
/// See [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
|
/// See [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)
|
||||||
@@ -43,18 +45,21 @@ impl SecretProvider for AwsSecretsManagerProvider {
|
|||||||
"AwsSecretsManagerProvider"
|
"AwsSecretsManagerProvider"
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_secret(&self, key: &str) -> Result<String> {
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
|
||||||
self.get_client()
|
let client = self.get_client().await?;
|
||||||
.await?
|
let resp = client
|
||||||
.get_secret_value()
|
.get_secret_value()
|
||||||
.secret_id(key)
|
.secret_id(key)
|
||||||
.send()
|
.send()
|
||||||
.await?
|
.await
|
||||||
.secret_string
|
.map_err(|e| classify_aws_error(e.into(), Some(key), "get_secret"))?;
|
||||||
.with_context(|| format!("Secret '{key}' not found"))
|
resp.secret_string.ok_or_else(|| SecretError::NotFound {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
self.get_client()
|
self.get_client()
|
||||||
.await?
|
.await?
|
||||||
.create_secret()
|
.create_secret()
|
||||||
@@ -62,12 +67,12 @@ impl SecretProvider for AwsSecretsManagerProvider {
|
|||||||
.secret_string(value)
|
.secret_string(value)
|
||||||
.send()
|
.send()
|
||||||
.await
|
.await
|
||||||
.with_context(|| format!("Failed to set secret '{key}'"))?;
|
.map_err(|e| classify_aws_error(e.into(), Some(key), "set_secret"))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
self.get_client()
|
self.get_client()
|
||||||
.await?
|
.await?
|
||||||
.update_secret()
|
.update_secret()
|
||||||
@@ -75,12 +80,12 @@ impl SecretProvider for AwsSecretsManagerProvider {
|
|||||||
.secret_string(value)
|
.secret_string(value)
|
||||||
.send()
|
.send()
|
||||||
.await
|
.await
|
||||||
.with_context(|| format!("Failed to update secret '{key}'"))?;
|
.map_err(|e| classify_aws_error(e.into(), Some(key), "update_secret"))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()> {
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
|
||||||
self.get_client()
|
self.get_client()
|
||||||
.await?
|
.await?
|
||||||
.delete_secret()
|
.delete_secret()
|
||||||
@@ -88,32 +93,37 @@ impl SecretProvider for AwsSecretsManagerProvider {
|
|||||||
.force_delete_without_recovery(true)
|
.force_delete_without_recovery(true)
|
||||||
.send()
|
.send()
|
||||||
.await
|
.await
|
||||||
.with_context(|| format!("Failed to delete secret '{key}'"))?;
|
.map_err(|e| classify_aws_error(e.into(), Some(key), "delete_secret"))?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
self.get_client()
|
let resp = self
|
||||||
|
.get_client()
|
||||||
.await?
|
.await?
|
||||||
.list_secrets()
|
.list_secrets()
|
||||||
.send()
|
.send()
|
||||||
.await?
|
.await
|
||||||
|
.map_err(|e| classify_aws_error(e.into(), None, "list_secrets"))?;
|
||||||
|
Ok(resp
|
||||||
.secret_list
|
.secret_list
|
||||||
.with_context(|| "No secrets found")
|
.unwrap_or_default()
|
||||||
.map(|secrets| secrets.into_iter().filter_map(|s| s.name).collect())
|
.into_iter()
|
||||||
|
.filter_map(|s| s.name)
|
||||||
|
.collect())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl AwsSecretsManagerProvider {
|
impl AwsSecretsManagerProvider {
|
||||||
async fn get_client(&self) -> Result<Client> {
|
async fn get_client(&self) -> Result<Client, SecretError> {
|
||||||
let region = self
|
let region = self.aws_region.clone().ok_or_else(|| SecretError::Config {
|
||||||
.aws_region
|
provider: PROVIDER,
|
||||||
.clone()
|
message: "aws_region is required".to_string(),
|
||||||
.with_context(|| "aws_region is required")?;
|
})?;
|
||||||
let profile = self
|
let profile = self.aws_profile.clone().ok_or_else(|| SecretError::Config {
|
||||||
.aws_profile
|
provider: PROVIDER,
|
||||||
.clone()
|
message: "aws_profile is required".to_string(),
|
||||||
.with_context(|| "aws_profile is required")?;
|
})?;
|
||||||
|
|
||||||
let config = aws_config::from_env()
|
let config = aws_config::from_env()
|
||||||
.region(Region::new(region))
|
.region(Region::new(region))
|
||||||
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
use crate::providers::SecretProvider;
|
use std::sync::Arc;
|
||||||
use anyhow::{Context, Result};
|
|
||||||
use azure_identity::DefaultAzureCredential;
|
use azure_core::credentials::TokenCredential;
|
||||||
|
use azure_identity::DeveloperToolsCredential;
|
||||||
use azure_security_keyvault_secrets::models::SetSecretParameters;
|
use azure_security_keyvault_secrets::models::SetSecretParameters;
|
||||||
use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
|
use azure_security_keyvault_secrets::{ResourceExt, SecretClient};
|
||||||
use futures::TryStreamExt;
|
use futures::TryStreamExt;
|
||||||
@@ -8,6 +9,11 @@ use serde::{Deserialize, Serialize};
|
|||||||
use serde_with::skip_serializing_none;
|
use serde_with::skip_serializing_none;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::providers::SecretProvider;
|
||||||
|
use crate::providers::error::{SecretError, classify_azure_error};
|
||||||
|
|
||||||
|
const PROVIDER: &str = "azure_key_vault";
|
||||||
|
|
||||||
#[skip_serializing_none]
|
#[skip_serializing_none]
|
||||||
/// Configuration for Azure Key Vault provider
|
/// Configuration for Azure Key Vault provider
|
||||||
/// See [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/)
|
/// See [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/)
|
||||||
@@ -39,51 +45,70 @@ impl SecretProvider for AzureKeyVaultProvider {
|
|||||||
"AzureKeyVaultProvider"
|
"AzureKeyVaultProvider"
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_secret(&self, key: &str) -> Result<String> {
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
|
||||||
let body = self
|
let response = self
|
||||||
.get_client()?
|
.get_client()?
|
||||||
.get_secret(key, "", None)
|
.get_secret(key, None)
|
||||||
.await?
|
.await
|
||||||
.into_body()
|
.map_err(|e| classify_azure_error(e.into(), Some(key), "get_secret"))?;
|
||||||
.await?;
|
let body = response
|
||||||
|
.into_model()
|
||||||
|
.map_err(|e| SecretError::Other(e.into()))?;
|
||||||
|
|
||||||
body.value
|
body.value.ok_or_else(|| SecretError::NotFound {
|
||||||
.with_context(|| format!("Secret '{}' not found", key))
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
let params = SetSecretParameters {
|
let params = SetSecretParameters {
|
||||||
value: Some(value.to_string()),
|
value: Some(value.to_string()),
|
||||||
..Default::default()
|
..Default::default()
|
||||||
};
|
};
|
||||||
|
|
||||||
|
let body = params
|
||||||
|
.try_into()
|
||||||
|
.map_err(|e: azure_core::Error| classify_azure_error(e.into(), Some(key), "set_secret"))?;
|
||||||
|
|
||||||
self.get_client()?
|
self.get_client()?
|
||||||
.set_secret(key, params.try_into()?, None)
|
.set_secret(key, body, None)
|
||||||
.await?
|
.await
|
||||||
.into_body()
|
.map_err(|e| classify_azure_error(e.into(), Some(key), "set_secret"))?
|
||||||
.await?;
|
.into_model()
|
||||||
|
.map_err(|e| SecretError::Other(e.into()))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
self.set_secret(key, value).await
|
self.set_secret(key, value).await
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()> {
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
|
||||||
self.get_client()?.delete_secret(key, None).await?;
|
self.get_client()?
|
||||||
|
.delete_secret(key, None)
|
||||||
|
.await
|
||||||
|
.map_err(|e| classify_azure_error(e.into(), Some(key), "delete_secret"))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
let mut pager = self
|
let mut pager = self
|
||||||
.get_client()?
|
.get_client()?
|
||||||
.list_secret_properties(None)?
|
.list_secret_properties(None)
|
||||||
.into_stream();
|
.map_err(|e| classify_azure_error(e.into(), None, "list_secrets"))?;
|
||||||
let mut secrets = Vec::new();
|
let mut secrets = Vec::new();
|
||||||
while let Some(props) = pager.try_next().await? {
|
while let Some(props) = pager
|
||||||
let name = props.resource_id()?.name;
|
.try_next()
|
||||||
|
.await
|
||||||
|
.map_err(|e| classify_azure_error(e.into(), None, "list_secrets"))?
|
||||||
|
{
|
||||||
|
let name = props
|
||||||
|
.resource_id()
|
||||||
|
.map_err(|e| SecretError::Other(e.into()))?
|
||||||
|
.name;
|
||||||
secrets.push(name);
|
secrets.push(name);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -92,17 +117,25 @@ impl SecretProvider for AzureKeyVaultProvider {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl AzureKeyVaultProvider {
|
impl AzureKeyVaultProvider {
|
||||||
fn get_client(&self) -> Result<SecretClient> {
|
fn get_client(&self) -> Result<SecretClient, SecretError> {
|
||||||
let credential = DefaultAzureCredential::new()?;
|
let credential: Arc<dyn TokenCredential> =
|
||||||
|
DeveloperToolsCredential::new(None).map_err(|e| SecretError::AuthFailed {
|
||||||
|
provider: PROVIDER,
|
||||||
|
source: e.into(),
|
||||||
|
})?;
|
||||||
|
let vault_name = self.vault_name.as_ref().ok_or_else(|| SecretError::Config {
|
||||||
|
provider: PROVIDER,
|
||||||
|
message: "vault_name is required".to_string(),
|
||||||
|
})?;
|
||||||
let client = SecretClient::new(
|
let client = SecretClient::new(
|
||||||
format!(
|
format!("https://{}.vault.azure.net", vault_name).as_str(),
|
||||||
"https://{}.vault.azure.net",
|
|
||||||
self.vault_name.as_ref().unwrap()
|
|
||||||
)
|
|
||||||
.as_str(),
|
|
||||||
credential,
|
credential,
|
||||||
None,
|
None,
|
||||||
)?;
|
)
|
||||||
|
.map_err(|e| SecretError::Config {
|
||||||
|
provider: PROVIDER,
|
||||||
|
message: format!("failed to create Azure Key Vault client: {}", e),
|
||||||
|
})?;
|
||||||
|
|
||||||
Ok(client)
|
Ok(client)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,225 @@
|
|||||||
|
use std::io;
|
||||||
|
use anyhow::anyhow;
|
||||||
|
use thiserror::Error;
|
||||||
|
|
||||||
|
use crate::providers::git_sync::SyncError;
|
||||||
|
|
||||||
|
#[derive(Debug, Error)]
|
||||||
|
#[non_exhaustive]
|
||||||
|
pub enum SecretError {
|
||||||
|
#[error("secret '{key}' not found in provider '{provider}'")]
|
||||||
|
NotFound { key: String, provider: &'static str },
|
||||||
|
|
||||||
|
#[error(
|
||||||
|
"secret '{key}' already exists in provider '{provider}' (use update_secret to change its value)"
|
||||||
|
)]
|
||||||
|
AlreadyExists { key: String, provider: &'static str },
|
||||||
|
|
||||||
|
#[error("authentication failed for provider '{provider}': {source}")]
|
||||||
|
AuthFailed {
|
||||||
|
provider: &'static str,
|
||||||
|
#[source]
|
||||||
|
source: anyhow::Error,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("network error contacting provider '{provider}': {source}")]
|
||||||
|
Network {
|
||||||
|
provider: &'static str,
|
||||||
|
#[source]
|
||||||
|
source: anyhow::Error,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("operation '{operation}' not supported by provider '{provider}'")]
|
||||||
|
Unsupported {
|
||||||
|
operation: &'static str,
|
||||||
|
provider: &'static str,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("required CLI tool '{tool}' not found in PATH")]
|
||||||
|
CliNotFound { tool: &'static str },
|
||||||
|
|
||||||
|
#[error("provider '{provider}' configuration error: {message}")]
|
||||||
|
Config {
|
||||||
|
provider: &'static str,
|
||||||
|
message: String,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("I/O error: {0}")]
|
||||||
|
Io(#[from] io::Error),
|
||||||
|
|
||||||
|
#[error(transparent)]
|
||||||
|
Other(#[from] anyhow::Error),
|
||||||
|
}
|
||||||
|
|
||||||
|
impl From<SyncError> for SecretError {
|
||||||
|
fn from(err: SyncError) -> Self {
|
||||||
|
match err {
|
||||||
|
SyncError::GitNotFound => SecretError::CliNotFound { tool: "git" },
|
||||||
|
SyncError::AuthFailed { source } => SecretError::AuthFailed {
|
||||||
|
provider: "local",
|
||||||
|
source,
|
||||||
|
},
|
||||||
|
SyncError::Network { source } => SecretError::Network {
|
||||||
|
provider: "local",
|
||||||
|
source,
|
||||||
|
},
|
||||||
|
SyncError::Config { message } => SecretError::Config {
|
||||||
|
provider: "local",
|
||||||
|
message,
|
||||||
|
},
|
||||||
|
SyncError::GitCommandFailed { message } => {
|
||||||
|
SecretError::Other(anyhow!("git command failed: {}", message))
|
||||||
|
}
|
||||||
|
SyncError::Io(e) => SecretError::Io(e),
|
||||||
|
SyncError::Other(e) => SecretError::Other(e),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn classify_aws_error(
|
||||||
|
err: anyhow::Error,
|
||||||
|
key: Option<&str>,
|
||||||
|
_op: &'static str,
|
||||||
|
) -> SecretError {
|
||||||
|
let provider = "aws_secrets_manager";
|
||||||
|
let chain_text = err
|
||||||
|
.chain()
|
||||||
|
.map(|e| e.to_string())
|
||||||
|
.collect::<Vec<_>>()
|
||||||
|
.join(" | ")
|
||||||
|
.to_lowercase();
|
||||||
|
|
||||||
|
if chain_text.contains("resourcenotfoundexception") || chain_text.contains("not found") {
|
||||||
|
SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
}
|
||||||
|
} else if chain_text.contains("alreadyexistsexception") {
|
||||||
|
SecretError::AlreadyExists {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
}
|
||||||
|
} else if chain_text.contains("accessdenied")
|
||||||
|
|| chain_text.contains("expiredtoken")
|
||||||
|
|| chain_text.contains("invalidsignature")
|
||||||
|
|| chain_text.contains("unauthorized")
|
||||||
|
|| chain_text.contains("unrecognizedclient")
|
||||||
|
{
|
||||||
|
SecretError::AuthFailed { provider, source: err }
|
||||||
|
} else if chain_text.contains("dispatch failure")
|
||||||
|
|| chain_text.contains("timeout")
|
||||||
|
|| chain_text.contains("connection")
|
||||||
|
|| chain_text.contains("dns")
|
||||||
|
{
|
||||||
|
SecretError::Network { provider, source: err }
|
||||||
|
} else {
|
||||||
|
SecretError::Other(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn classify_gcp_error(
|
||||||
|
err: anyhow::Error,
|
||||||
|
key: Option<&str>,
|
||||||
|
_op: &'static str,
|
||||||
|
) -> SecretError {
|
||||||
|
let provider = "gcp_secret_manager";
|
||||||
|
|
||||||
|
if let Some(status) = err.downcast_ref::<gcloud_sdk::tonic::Status>() {
|
||||||
|
use gcloud_sdk::tonic::Code;
|
||||||
|
return match status.code() {
|
||||||
|
Code::NotFound => SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
},
|
||||||
|
Code::AlreadyExists => SecretError::AlreadyExists {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
},
|
||||||
|
Code::Unauthenticated | Code::PermissionDenied => SecretError::AuthFailed {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
},
|
||||||
|
Code::Unavailable | Code::DeadlineExceeded => SecretError::Network {
|
||||||
|
provider,
|
||||||
|
source: err,
|
||||||
|
},
|
||||||
|
_ => SecretError::Other(err),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
let chain_text = err
|
||||||
|
.chain()
|
||||||
|
.map(|e| e.to_string())
|
||||||
|
.collect::<Vec<_>>()
|
||||||
|
.join(" | ")
|
||||||
|
.to_lowercase();
|
||||||
|
|
||||||
|
if chain_text.contains("notfound") || chain_text.contains("not found") {
|
||||||
|
SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
}
|
||||||
|
} else if chain_text.contains("alreadyexists") || chain_text.contains("already exists") {
|
||||||
|
SecretError::AlreadyExists {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
}
|
||||||
|
} else if chain_text.contains("unauthenticated") || chain_text.contains("permissiondenied") {
|
||||||
|
SecretError::AuthFailed { provider, source: err }
|
||||||
|
} else if chain_text.contains("unavailable") || chain_text.contains("deadlineexceeded") {
|
||||||
|
SecretError::Network { provider, source: err }
|
||||||
|
} else {
|
||||||
|
SecretError::Other(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub(crate) fn classify_azure_error(
|
||||||
|
err: anyhow::Error,
|
||||||
|
key: Option<&str>,
|
||||||
|
_op: &'static str,
|
||||||
|
) -> SecretError {
|
||||||
|
let provider = "azure_key_vault";
|
||||||
|
|
||||||
|
if let Some(azure_err) = err.downcast_ref::<azure_core::Error>() {
|
||||||
|
use azure_core::error::ErrorKind;
|
||||||
|
if let ErrorKind::HttpResponse { status, .. } = azure_err.kind() {
|
||||||
|
let code = u16::from(*status);
|
||||||
|
return match code {
|
||||||
|
401 | 403 => SecretError::AuthFailed { provider, source: err },
|
||||||
|
404 => SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
},
|
||||||
|
_ => SecretError::Other(err),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
let chain_text = err
|
||||||
|
.chain()
|
||||||
|
.map(|e| e.to_string())
|
||||||
|
.collect::<Vec<_>>()
|
||||||
|
.join(" | ")
|
||||||
|
.to_lowercase();
|
||||||
|
|
||||||
|
if chain_text.contains("not found") || chain_text.contains("notfound") {
|
||||||
|
SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider,
|
||||||
|
}
|
||||||
|
} else if chain_text.contains("unauthorized")
|
||||||
|
|| chain_text.contains("forbidden")
|
||||||
|
|| chain_text.contains("401")
|
||||||
|
|| chain_text.contains("403")
|
||||||
|
|| chain_text.contains("authentication")
|
||||||
|
{
|
||||||
|
SecretError::AuthFailed { provider, source: err }
|
||||||
|
} else if chain_text.contains("timeout")
|
||||||
|
|| chain_text.contains("connection")
|
||||||
|
|| chain_text.contains("dns")
|
||||||
|
{
|
||||||
|
SecretError::Network { provider, source: err }
|
||||||
|
} else {
|
||||||
|
SecretError::Other(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -1,5 +1,4 @@
|
|||||||
use crate::providers::SecretProvider;
|
use anyhow::anyhow;
|
||||||
use anyhow::{Context, Result, anyhow};
|
|
||||||
use gcloud_sdk::google::cloud::secretmanager::v1;
|
use gcloud_sdk::google::cloud::secretmanager::v1;
|
||||||
use gcloud_sdk::google::cloud::secretmanager::v1::replication::Automatic;
|
use gcloud_sdk::google::cloud::secretmanager::v1::replication::Automatic;
|
||||||
use gcloud_sdk::google::cloud::secretmanager::v1::secret_manager_service_client::SecretManagerServiceClient;
|
use gcloud_sdk::google::cloud::secretmanager::v1::secret_manager_service_client::SecretManagerServiceClient;
|
||||||
@@ -15,8 +14,13 @@ use serde_with::skip_serializing_none;
|
|||||||
use v1::DeleteSecretRequest;
|
use v1::DeleteSecretRequest;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::providers::SecretProvider;
|
||||||
|
use crate::providers::error::{SecretError, classify_gcp_error};
|
||||||
|
|
||||||
type SecretsManagerClient = GoogleApi<SecretManagerServiceClient<GoogleAuthMiddleware>>;
|
type SecretsManagerClient = GoogleApi<SecretManagerServiceClient<GoogleAuthMiddleware>>;
|
||||||
|
|
||||||
|
const PROVIDER: &str = "gcp_secret_manager";
|
||||||
|
|
||||||
#[skip_serializing_none]
|
#[skip_serializing_none]
|
||||||
/// Configuration for GCP Secret Manager provider
|
/// Configuration for GCP Secret Manager provider
|
||||||
/// See [GCP Secret Manager](https://cloud.google.com/secret-manager)
|
/// See [GCP Secret Manager](https://cloud.google.com/secret-manager)
|
||||||
@@ -48,8 +52,8 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
"GcpSecretManagerProvider"
|
"GcpSecretManagerProvider"
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_secret(&self, key: &str) -> Result<String> {
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
|
||||||
let secret_value = self
|
let response = self
|
||||||
.get_client()
|
.get_client()
|
||||||
.await?
|
.await?
|
||||||
.get()
|
.get()
|
||||||
@@ -60,20 +64,22 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
key
|
key
|
||||||
),
|
),
|
||||||
})
|
})
|
||||||
.await?
|
.await
|
||||||
.into_inner()
|
.map_err(|e| classify_gcp_error(e.into(), Some(key), "get_secret"))?
|
||||||
.payload
|
.into_inner();
|
||||||
.ok_or_else(|| anyhow!("Secret '{}' not found", key))?
|
let payload = response.payload.ok_or_else(|| SecretError::NotFound {
|
||||||
.data
|
key: key.to_string(),
|
||||||
.ref_sensitive_value()
|
provider: PROVIDER,
|
||||||
.to_vec();
|
})?;
|
||||||
let secret_string = String::from_utf8(secret_value)
|
let secret_value = payload.data.ref_sensitive_value().to_vec();
|
||||||
.with_context(|| format!("Invalid UTF-8 in secret '{})'", key))?;
|
let secret_string = String::from_utf8(secret_value).map_err(|_| {
|
||||||
|
SecretError::Other(anyhow!("secret value is not valid UTF-8"))
|
||||||
|
})?;
|
||||||
|
|
||||||
Ok(secret_string)
|
Ok(secret_string)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
let parent = format!("projects/{}", self.gcp_project_id.as_ref().unwrap());
|
let parent = format!("projects/{}", self.gcp_project_id.as_ref().unwrap());
|
||||||
let secret_name = format!("{}/secrets/{}", parent, key);
|
let secret_name = format!("{}/secrets/{}", parent, key);
|
||||||
let secret = Secret {
|
let secret = Secret {
|
||||||
@@ -96,9 +102,12 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
.await
|
.await
|
||||||
.map_err(|e| {
|
.map_err(|e| {
|
||||||
if e.code() == Code::AlreadyExists {
|
if e.code() == Code::AlreadyExists {
|
||||||
anyhow!("Secret already exists")
|
SecretError::AlreadyExists {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
e.into()
|
classify_gcp_error(e.into(), Some(key), "set_secret")
|
||||||
}
|
}
|
||||||
})?;
|
})?;
|
||||||
|
|
||||||
@@ -113,12 +122,13 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
data_crc32c: Some(crc32c),
|
data_crc32c: Some(crc32c),
|
||||||
}),
|
}),
|
||||||
})
|
})
|
||||||
.await?;
|
.await
|
||||||
|
.map_err(|e| classify_gcp_error(e.into(), Some(key), "set_secret"))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()> {
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
|
||||||
let name = format!(
|
let name = format!(
|
||||||
"projects/{}/secrets/{}",
|
"projects/{}/secrets/{}",
|
||||||
self.gcp_project_id.as_ref().unwrap(),
|
self.gcp_project_id.as_ref().unwrap(),
|
||||||
@@ -131,11 +141,12 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
name,
|
name,
|
||||||
etag: "".to_string(),
|
etag: "".to_string(),
|
||||||
})
|
})
|
||||||
.await?;
|
.await
|
||||||
|
.map_err(|e| classify_gcp_error(e.into(), Some(key), "delete_secret"))?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
let parent = format!(
|
let parent = format!(
|
||||||
"projects/{}/secrets/{}",
|
"projects/{}/secrets/{}",
|
||||||
self.gcp_project_id.as_ref().unwrap(),
|
self.gcp_project_id.as_ref().unwrap(),
|
||||||
@@ -154,12 +165,13 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
data_crc32c: Some(crc32c),
|
data_crc32c: Some(crc32c),
|
||||||
}),
|
}),
|
||||||
})
|
})
|
||||||
.await?;
|
.await
|
||||||
|
.map_err(|e| classify_gcp_error(e.into(), Some(key), "update_secret"))?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
let request = ListSecretsRequest {
|
let request = ListSecretsRequest {
|
||||||
parent: format!("projects/{}", self.gcp_project_id.as_ref().unwrap()),
|
parent: format!("projects/{}", self.gcp_project_id.as_ref().unwrap()),
|
||||||
..Default::default()
|
..Default::default()
|
||||||
@@ -169,7 +181,8 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
.await?
|
.await?
|
||||||
.get()
|
.get()
|
||||||
.list_secrets(request)
|
.list_secrets(request)
|
||||||
.await?
|
.await
|
||||||
|
.map_err(|e| classify_gcp_error(e.into(), None, "list_secrets"))?
|
||||||
.into_inner()
|
.into_inner()
|
||||||
.secrets
|
.secrets
|
||||||
.iter()
|
.iter()
|
||||||
@@ -188,13 +201,17 @@ impl SecretProvider for GcpSecretManagerProvider {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl GcpSecretManagerProvider {
|
impl GcpSecretManagerProvider {
|
||||||
async fn get_client(&self) -> Result<SecretsManagerClient> {
|
async fn get_client(&self) -> Result<SecretsManagerClient, SecretError> {
|
||||||
let client = GoogleApi::from_function(
|
let client = GoogleApi::from_function(
|
||||||
SecretManagerServiceClient::new,
|
SecretManagerServiceClient::new,
|
||||||
"https://secretmanager.googleapis.com",
|
"https://secretmanager.googleapis.com",
|
||||||
None,
|
None,
|
||||||
)
|
)
|
||||||
.await?;
|
.await
|
||||||
|
.map_err(|e| SecretError::AuthFailed {
|
||||||
|
provider: PROVIDER,
|
||||||
|
source: e.into(),
|
||||||
|
})?;
|
||||||
|
|
||||||
Ok(client)
|
Ok(client)
|
||||||
}
|
}
|
||||||
|
|||||||
+181
-94
@@ -1,15 +1,51 @@
|
|||||||
use crate::calling_app_name;
|
use std::io;
|
||||||
use anyhow::{Context, Result, anyhow};
|
use std::path::{Path, PathBuf};
|
||||||
|
use std::process::{Command, Stdio};
|
||||||
|
use std::{env, fs};
|
||||||
|
use anyhow::anyhow;
|
||||||
use chrono::Utc;
|
use chrono::Utc;
|
||||||
use dialoguer::Confirm;
|
use dialoguer::Confirm;
|
||||||
use dialoguer::theme::ColorfulTheme;
|
use dialoguer::theme::ColorfulTheme;
|
||||||
use indoc::formatdoc;
|
use indoc::formatdoc;
|
||||||
use log::debug;
|
use log::debug;
|
||||||
use std::path::{Path, PathBuf};
|
use thiserror::Error;
|
||||||
use std::process::{Command, Stdio};
|
|
||||||
use std::{env, fs};
|
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::calling_app_name;
|
||||||
|
|
||||||
|
#[derive(Debug, Error)]
|
||||||
|
#[non_exhaustive]
|
||||||
|
pub enum SyncError {
|
||||||
|
#[error("git binary not found in PATH")]
|
||||||
|
GitNotFound,
|
||||||
|
|
||||||
|
#[error("git authentication failed (check SSH key / token): {source}")]
|
||||||
|
AuthFailed {
|
||||||
|
#[source]
|
||||||
|
source: anyhow::Error,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("network error during git sync: {source}")]
|
||||||
|
Network {
|
||||||
|
#[source]
|
||||||
|
source: anyhow::Error,
|
||||||
|
},
|
||||||
|
|
||||||
|
#[error("git configuration error: {message}")]
|
||||||
|
Config { message: String },
|
||||||
|
|
||||||
|
#[error("git command failed: {message}")]
|
||||||
|
GitCommandFailed { message: String },
|
||||||
|
|
||||||
|
#[error("I/O error during sync: {0}")]
|
||||||
|
Io(#[from] io::Error),
|
||||||
|
|
||||||
|
#[error(transparent)]
|
||||||
|
Other(#[from] anyhow::Error),
|
||||||
|
}
|
||||||
|
|
||||||
|
type SyncResult<T> = std::result::Result<T, SyncError>;
|
||||||
|
|
||||||
#[derive(Debug, Validate, Clone)]
|
#[derive(Debug, Validate, Clone)]
|
||||||
pub struct SyncOpts<'a> {
|
pub struct SyncOpts<'a> {
|
||||||
#[validate(required)]
|
#[validate(required)]
|
||||||
@@ -21,38 +57,36 @@ pub struct SyncOpts<'a> {
|
|||||||
pub git_executable: &'a Option<PathBuf>,
|
pub git_executable: &'a Option<PathBuf>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn sync_and_push(opts: &SyncOpts<'_>) -> Result<()> {
|
pub fn sync_and_push(opts: &SyncOpts<'_>) -> SyncResult<()> {
|
||||||
debug!("Syncing with git: {:?}", opts);
|
debug!("Syncing with git: {:?}", opts);
|
||||||
opts.validate()
|
opts.validate().map_err(|e| SyncError::Config {
|
||||||
.with_context(|| "invalid git sync options")?;
|
message: format!("invalid git sync options: {}", e),
|
||||||
|
})?;
|
||||||
let commit_message = format!("chore: sync @ {}", Utc::now().to_rfc3339());
|
let commit_message = format!("chore: sync @ {}", Utc::now().to_rfc3339());
|
||||||
let config_dir = confy::get_configuration_file_path(&calling_app_name(), "vault")
|
let config_dir = confy::get_configuration_file_path(&calling_app_name(), "vault")
|
||||||
.with_context(|| "get config dir")?
|
.map_err(|e| SyncError::Config {
|
||||||
|
message: format!("get config dir: {}", e),
|
||||||
|
})?
|
||||||
.parent()
|
.parent()
|
||||||
.map(Path::to_path_buf)
|
.map(Path::to_path_buf)
|
||||||
.ok_or_else(|| anyhow!("Failed to determine config dir"))?;
|
.ok_or_else(|| SyncError::Config {
|
||||||
|
message: "Failed to determine config dir".to_string(),
|
||||||
|
})?;
|
||||||
|
|
||||||
let remote_url = opts.remote_url.as_ref().expect("no remote url defined");
|
let remote_url = opts.remote_url.as_ref().expect("no remote url defined");
|
||||||
let repo_name = repo_name_from_url(remote_url);
|
let repo_name = repo_name_from_url(remote_url);
|
||||||
let repo_dir = config_dir.join(format!(".{}", repo_name));
|
let repo_dir = config_dir.join(format!(".{}", repo_name));
|
||||||
fs::create_dir_all(&repo_dir).with_context(|| format!("create {}", repo_dir.display()))?;
|
fs::create_dir_all(&repo_dir)?;
|
||||||
|
|
||||||
// Move the default vault into the repo dir on first sync so only vault.yml is tracked.
|
|
||||||
let default_vault = confy::get_configuration_file_path(&calling_app_name(), "vault")
|
let default_vault = confy::get_configuration_file_path(&calling_app_name(), "vault")
|
||||||
.with_context(|| "get default vault path")?;
|
.map_err(|e| SyncError::Config {
|
||||||
|
message: format!("get default vault path: {}", e),
|
||||||
|
})?;
|
||||||
let repo_vault = repo_dir.join("vault.yml");
|
let repo_vault = repo_dir.join("vault.yml");
|
||||||
if default_vault.exists() && !repo_vault.exists() {
|
if default_vault.exists() && !repo_vault.exists() {
|
||||||
fs::rename(&default_vault, &repo_vault).with_context(|| {
|
fs::rename(&default_vault, &repo_vault)?;
|
||||||
format!(
|
|
||||||
"move {} -> {}",
|
|
||||||
default_vault.display(),
|
|
||||||
repo_vault.display()
|
|
||||||
)
|
|
||||||
})?;
|
|
||||||
} else if !repo_vault.exists() {
|
} else if !repo_vault.exists() {
|
||||||
// Ensure an empty vault exists to allow initial commits
|
fs::write(&repo_vault, "{}\n")?;
|
||||||
fs::write(&repo_vault, "{}\n")
|
|
||||||
.with_context(|| format!("create {}", repo_vault.display()))?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let git = resolve_git(opts.git_executable.as_ref())?;
|
let git = resolve_git(opts.git_executable.as_ref())?;
|
||||||
@@ -88,48 +122,43 @@ pub fn sync_and_push(opts: &SyncOpts<'_>) -> Result<()> {
|
|||||||
checkout_branch(&git, &repo_dir, branch)?;
|
checkout_branch(&git, &repo_dir, branch)?;
|
||||||
set_origin(&git, &repo_dir, remote_url)?;
|
set_origin(&git, &repo_dir, remote_url)?;
|
||||||
|
|
||||||
// Always align local with remote before staging/committing. For a fresh
|
|
||||||
// repo where the remote already has content, we intentionally discard any
|
|
||||||
// local working tree changes and take the remote state to avoid merge
|
|
||||||
// conflicts on first sync.
|
|
||||||
fetch_and_pull(&git, &repo_dir, branch)?;
|
fetch_and_pull(&git, &repo_dir, branch)?;
|
||||||
|
|
||||||
// Stage and commit any subsequent local changes after aligning with remote
|
|
||||||
// so we don't merge uncommitted local state.
|
|
||||||
stage_vault_only(&git, &repo_dir)?;
|
stage_vault_only(&git, &repo_dir)?;
|
||||||
|
|
||||||
commit_now(&git, &repo_dir, &commit_message)?;
|
commit_now(&git, &repo_dir, &commit_message)?;
|
||||||
|
|
||||||
run_git(
|
run_git_push(&git, &repo_dir, branch)?;
|
||||||
&git,
|
|
||||||
&repo_dir,
|
|
||||||
&["push", "-u", "origin", "--force", branch],
|
|
||||||
)?;
|
|
||||||
|
|
||||||
run_git(&git, &repo_dir, &["remote", "set-head", "origin", "-a"])
|
run_git(&git, &repo_dir, &["remote", "set-head", "origin", "-a"])
|
||||||
.with_context(|| "Failed to set remote HEAD")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fn resolve_git_username(git: &Path, name: Option<&String>) -> Result<String> {
|
fn resolve_git_username(git: &Path, name: Option<&String>) -> SyncResult<String> {
|
||||||
debug!("Resolving git username");
|
debug!("Resolving git username");
|
||||||
|
|
||||||
if let Some(name) = name {
|
if let Some(name) = name {
|
||||||
return Ok(name.to_string());
|
return Ok(name.to_string());
|
||||||
}
|
}
|
||||||
|
|
||||||
default_git_username(git)
|
default_git_username(git).map_err(|_| SyncError::Config {
|
||||||
|
message: "git user.name not configured".to_string(),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
fn resolve_git_email(git: &Path, email: Option<&String>) -> Result<String> {
|
fn resolve_git_email(git: &Path, email: Option<&String>) -> SyncResult<String> {
|
||||||
debug!("Resolving git user email");
|
debug!("Resolving git user email");
|
||||||
if let Some(email) = email {
|
if let Some(email) = email {
|
||||||
return Ok(email.to_string());
|
return Ok(email.to_string());
|
||||||
}
|
}
|
||||||
|
|
||||||
default_git_email(git)
|
default_git_email(git).map_err(|_| SyncError::Config {
|
||||||
|
message: "git user.email not configured".to_string(),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::providers) fn resolve_git(override_path: Option<&PathBuf>) -> Result<PathBuf> {
|
pub(in crate::providers) fn resolve_git(
|
||||||
|
override_path: Option<&PathBuf>,
|
||||||
|
) -> SyncResult<PathBuf> {
|
||||||
debug!("Resolving git executable");
|
debug!("Resolving git executable");
|
||||||
if let Some(p) = override_path {
|
if let Some(p) = override_path {
|
||||||
return Ok(p.to_path_buf());
|
return Ok(p.to_path_buf());
|
||||||
@@ -140,63 +169,116 @@ pub(in crate::providers) fn resolve_git(override_path: Option<&PathBuf>) -> Resu
|
|||||||
Ok(PathBuf::from("git"))
|
Ok(PathBuf::from("git"))
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::providers) fn default_git_username(git: &Path) -> Result<String> {
|
pub(in crate::providers) fn default_git_username(git: &Path) -> SyncResult<String> {
|
||||||
debug!("Checking for default git username");
|
debug!("Checking for default git username");
|
||||||
run_git_config_capture(git, &["config", "user.name"])
|
run_git_config_capture(git, &["config", "user.name"]).map_err(|e| SyncError::Config {
|
||||||
.with_context(|| "unable to determine git user name")
|
message: format!("unable to determine git user name: {}", e),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::providers) fn default_git_email(git: &Path) -> Result<String> {
|
pub(in crate::providers) fn default_git_email(git: &Path) -> SyncResult<String> {
|
||||||
debug!("Checking for default git username");
|
debug!("Checking for default git username");
|
||||||
run_git_config_capture(git, &["config", "user.email"])
|
run_git_config_capture(git, &["config", "user.email"]).map_err(|e| SyncError::Config {
|
||||||
.with_context(|| "unable to determine git user email")
|
message: format!("unable to determine git user email: {}", e),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(in crate::providers) fn ensure_git_available(git: &Path) -> Result<()> {
|
pub(in crate::providers) fn ensure_git_available(git: &Path) -> SyncResult<()> {
|
||||||
let ok = Command::new(git)
|
let ok = Command::new(git)
|
||||||
.arg("--version")
|
.arg("--version")
|
||||||
.stdout(Stdio::null())
|
.stdout(Stdio::null())
|
||||||
.stderr(Stdio::null())
|
.stderr(Stdio::null())
|
||||||
.status()
|
.status()
|
||||||
.context("run git --version")?
|
.map_err(|_| SyncError::GitNotFound)?
|
||||||
.success();
|
.success();
|
||||||
if !ok {
|
if !ok {
|
||||||
Err(anyhow!("`git` not available on PATH"))
|
Err(SyncError::GitNotFound)
|
||||||
} else {
|
} else {
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn run_git(git: &Path, repo: &Path, args: &[&str]) -> Result<()> {
|
fn run_git(git: &Path, repo: &Path, args: &[&str]) -> SyncResult<()> {
|
||||||
let status = Command::new(git)
|
let out = Command::new(git)
|
||||||
.arg("-C")
|
.arg("-C")
|
||||||
.arg(repo)
|
.arg(repo)
|
||||||
.args(args)
|
.args(args)
|
||||||
.status()
|
.output()?;
|
||||||
.with_context(|| format!("git {}", args.join(" ")))?;
|
|
||||||
if !status.success() {
|
if !out.status.success() {
|
||||||
return Err(anyhow!("git failed: {}", args.join(" ")));
|
return Err(SyncError::GitCommandFailed {
|
||||||
|
message: format!(
|
||||||
|
"git {} (exit {}): {}",
|
||||||
|
args.join(" "),
|
||||||
|
out.status.code().unwrap_or(-1),
|
||||||
|
String::from_utf8_lossy(&out.stderr).trim()
|
||||||
|
),
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn run_git_config_capture(git: &Path, args: &[&str]) -> Result<String> {
|
fn run_git_push(git: &Path, repo: &Path, branch: &str) -> SyncResult<()> {
|
||||||
let out = Command::new(git)
|
let out = Command::new(git)
|
||||||
.args(args)
|
.arg("-C")
|
||||||
.output()
|
.arg(repo)
|
||||||
.with_context(|| format!("git {}", args.join(" ")))?;
|
.args(["push", "-u", "origin", "--force", branch])
|
||||||
|
.output()?;
|
||||||
|
|
||||||
if !out.status.success() {
|
if !out.status.success() {
|
||||||
return Err(anyhow!(
|
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
|
||||||
"git failed (exit {}): {}",
|
let lc = stderr.to_lowercase();
|
||||||
|
let source = anyhow!("git push failed: {}", stderr.trim());
|
||||||
|
if lc.contains("authentication failed") || lc.contains("permission denied") {
|
||||||
|
return Err(SyncError::AuthFailed { source });
|
||||||
|
}
|
||||||
|
|
||||||
|
return Err(SyncError::Network { source });
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn run_git_fetch(git: &Path, repo: &Path) -> SyncResult<()> {
|
||||||
|
let out = Command::new(git)
|
||||||
|
.arg("-C")
|
||||||
|
.arg(repo)
|
||||||
|
.args(["fetch", "origin", "--prune"])
|
||||||
|
.output()?;
|
||||||
|
|
||||||
|
if !out.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&out.stderr).to_string();
|
||||||
|
let lc = stderr.to_lowercase();
|
||||||
|
let source = anyhow!("git fetch failed: {}", stderr.trim());
|
||||||
|
|
||||||
|
if lc.contains("authentication failed") || lc.contains("permission denied") {
|
||||||
|
return Err(SyncError::AuthFailed { source });
|
||||||
|
}
|
||||||
|
|
||||||
|
return Err(SyncError::Network { source });
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn run_git_config_capture(git: &Path, args: &[&str]) -> SyncResult<String> {
|
||||||
|
let out = Command::new(git).args(args).output()?;
|
||||||
|
|
||||||
|
if !out.status.success() {
|
||||||
|
return Err(SyncError::GitCommandFailed {
|
||||||
|
message: format!(
|
||||||
|
"git {} (exit {}): {}",
|
||||||
|
args.join(" "),
|
||||||
out.status.code().unwrap_or(-1),
|
out.status.code().unwrap_or(-1),
|
||||||
String::from_utf8_lossy(&out.stderr)
|
String::from_utf8_lossy(&out.stderr).trim()
|
||||||
));
|
),
|
||||||
|
});
|
||||||
}
|
}
|
||||||
Ok(String::from_utf8_lossy(&out.stdout).to_string())
|
Ok(String::from_utf8_lossy(&out.stdout).to_string())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn init_repo_if_needed(git: &Path, repo: &Path, branch: &str) -> Result<()> {
|
fn init_repo_if_needed(git: &Path, repo: &Path, branch: &str) -> SyncResult<()> {
|
||||||
let inside = Command::new(git)
|
let inside = Command::new(git)
|
||||||
.arg("-C")
|
.arg("-C")
|
||||||
.arg(repo)
|
.arg(repo)
|
||||||
@@ -223,19 +305,28 @@ fn init_repo_if_needed(git: &Path, repo: &Path, branch: &str) -> Result<()> {
|
|||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn set_local_identity(git: &Path, repo: &Path, username: String, email: String) -> Result<()> {
|
fn set_local_identity(
|
||||||
run_git(git, repo, &["config", "user.name", &username])?;
|
git: &Path,
|
||||||
run_git(git, repo, &["config", "user.email", &email])?;
|
repo: &Path,
|
||||||
|
username: String,
|
||||||
|
email: String,
|
||||||
|
) -> SyncResult<()> {
|
||||||
|
run_git(git, repo, &["config", "user.name", &username]).map_err(|e| SyncError::Config {
|
||||||
|
message: format!("failed to set git user.name: {}", e),
|
||||||
|
})?;
|
||||||
|
run_git(git, repo, &["config", "user.email", &email]).map_err(|e| SyncError::Config {
|
||||||
|
message: format!("failed to set git user.email: {}", e),
|
||||||
|
})?;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn checkout_branch(git: &Path, repo: &Path, branch: &str) -> Result<()> {
|
fn checkout_branch(git: &Path, repo: &Path, branch: &str) -> SyncResult<()> {
|
||||||
run_git(git, repo, &["checkout", "-B", branch])?;
|
run_git(git, repo, &["checkout", "-B", branch])?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn set_origin(git: &Path, repo: &Path, url: &str) -> Result<()> {
|
fn set_origin(git: &Path, repo: &Path, url: &str) -> SyncResult<()> {
|
||||||
let has_origin = Command::new(git)
|
let has_origin = Command::new(git)
|
||||||
.arg("-C")
|
.arg("-C")
|
||||||
.arg(repo)
|
.arg(repo)
|
||||||
@@ -249,49 +340,48 @@ fn set_origin(git: &Path, repo: &Path, url: &str) -> Result<()> {
|
|||||||
if has_origin {
|
if has_origin {
|
||||||
run_git(git, repo, &["remote", "set-url", "origin", url])?;
|
run_git(git, repo, &["remote", "set-url", "origin", url])?;
|
||||||
} else if Confirm::with_theme(&ColorfulTheme::default())
|
} else if Confirm::with_theme(&ColorfulTheme::default())
|
||||||
.with_prompt(format!("Have you already created the remote origin '{url}' on the Git host so we can push to it?"))
|
.with_prompt(format!(
|
||||||
|
"Have you already created the remote origin '{url}' on the Git host so we can push to it?"
|
||||||
|
))
|
||||||
.default(false)
|
.default(false)
|
||||||
.interact()?
|
.interact()
|
||||||
|
.map_err(|e| SyncError::Config {
|
||||||
|
message: format!("prompt failed: {}", e),
|
||||||
|
})?
|
||||||
{
|
{
|
||||||
run_git(git, repo, &["remote", "add", "origin", url])?;
|
run_git(git, repo, &["remote", "add", "origin", url])?;
|
||||||
} else {
|
} else {
|
||||||
return Err(anyhow!("Remote origin does not yet exist. Please create remote origin before synchronizing, then try again"));
|
return Err(SyncError::Config {
|
||||||
|
message:
|
||||||
|
"Remote origin does not yet exist. Please create remote origin before synchronizing, then try again"
|
||||||
|
.to_string(),
|
||||||
|
});
|
||||||
}
|
}
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn stage_vault_only(git: &Path, repo: &Path) -> Result<()> {
|
fn stage_vault_only(git: &Path, repo: &Path) -> SyncResult<()> {
|
||||||
run_git(git, repo, &["add", "vault.yml"])?;
|
run_git(git, repo, &["add", "vault.yml"])?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn fetch_and_pull(git: &Path, repo: &Path, branch: &str) -> Result<()> {
|
fn fetch_and_pull(git: &Path, repo: &Path, branch: &str) -> SyncResult<()> {
|
||||||
// Fetch all refs from origin (safe even if branch doesn't exist remotely)
|
run_git_fetch(git, repo)?;
|
||||||
run_git(git, repo, &["fetch", "origin", "--prune"])
|
|
||||||
.with_context(|| "Failed to fetch changes from remote")?;
|
|
||||||
|
|
||||||
let origin_ref = format!("origin/{branch}");
|
let origin_ref = format!("origin/{branch}");
|
||||||
let remote_has_branch = has_remote_branch(git, repo, branch);
|
let remote_has_branch = has_remote_branch(git, repo, branch);
|
||||||
|
|
||||||
// If the repo has no commits yet, prefer remote state and discard local
|
|
||||||
// if the remote branch exists. Otherwise, keep local state and allow an
|
|
||||||
// initial commit to be created and pushed.
|
|
||||||
if !has_head(git, repo) {
|
if !has_head(git, repo) {
|
||||||
if remote_has_branch {
|
if remote_has_branch {
|
||||||
run_git(git, repo, &["checkout", "-f", "-B", branch, &origin_ref])
|
run_git(git, repo, &["checkout", "-f", "-B", branch, &origin_ref])?;
|
||||||
.with_context(|| "Failed to checkout remote branch over local state")?;
|
run_git(git, repo, &["reset", "--hard", &origin_ref])?;
|
||||||
run_git(git, repo, &["reset", "--hard", &origin_ref])
|
run_git(git, repo, &["clean", "-fd"])?;
|
||||||
.with_context(|| "Failed to hard reset to remote branch")?;
|
|
||||||
run_git(git, repo, &["clean", "-fd"])
|
|
||||||
.with_context(|| "Failed to clean untracked files")?;
|
|
||||||
}
|
}
|
||||||
return Ok(());
|
return Ok(());
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we have local history and the remote branch exists, fast-forward.
|
|
||||||
if remote_has_branch {
|
if remote_has_branch {
|
||||||
run_git(git, repo, &["merge", "--ff-only", &origin_ref])
|
run_git(git, repo, &["merge", "--ff-only", &origin_ref])?;
|
||||||
.with_context(|| "Failed to merge remote changes")?;
|
|
||||||
}
|
}
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
@@ -325,13 +415,12 @@ fn has_head(git: &Path, repo: &Path) -> bool {
|
|||||||
.unwrap_or(false)
|
.unwrap_or(false)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn commit_now(git: &Path, repo: &Path, msg: &str) -> Result<()> {
|
fn commit_now(git: &Path, repo: &Path, msg: &str) -> SyncResult<()> {
|
||||||
let staged_changed = Command::new(git)
|
let staged_changed = Command::new(git)
|
||||||
.arg("-C")
|
.arg("-C")
|
||||||
.arg(repo)
|
.arg(repo)
|
||||||
.args(["diff", "--cached", "--quiet", "--exit-code"])
|
.args(["diff", "--cached", "--quiet", "--exit-code"])
|
||||||
.status()
|
.status()?
|
||||||
.context("git diff --cached")?
|
|
||||||
.code()
|
.code()
|
||||||
.map(|c| c == 1)
|
.map(|c| c == 1)
|
||||||
.unwrap_or(false);
|
.unwrap_or(false);
|
||||||
@@ -399,12 +488,10 @@ mod tests {
|
|||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn resolve_git_prefers_override_and_env() {
|
fn resolve_git_prefers_override_and_env() {
|
||||||
// Override path wins
|
|
||||||
let override_path = Some(PathBuf::from("/custom/git"));
|
let override_path = Some(PathBuf::from("/custom/git"));
|
||||||
let got = resolve_git(override_path.as_ref()).unwrap();
|
let got = resolve_git(override_path.as_ref()).unwrap();
|
||||||
assert_eq!(got, PathBuf::from("/custom/git"));
|
assert_eq!(got, PathBuf::from("/custom/git"));
|
||||||
|
|
||||||
// If no override, env var is used
|
|
||||||
unsafe {
|
unsafe {
|
||||||
env::set_var("GIT_EXECUTABLE", "/env/git");
|
env::set_var("GIT_EXECUTABLE", "/env/git");
|
||||||
}
|
}
|
||||||
|
|||||||
+76
-44
@@ -1,11 +1,24 @@
|
|||||||
use crate::providers::{ENV_PATH, SecretProvider};
|
|
||||||
use anyhow::{Context, Result, anyhow};
|
|
||||||
use serde::{Deserialize, Serialize};
|
|
||||||
use serde_with::skip_serializing_none;
|
|
||||||
use std::io::{Read, Write};
|
use std::io::{Read, Write};
|
||||||
use std::process::{Command, Stdio};
|
use std::process::{Command, Stdio};
|
||||||
|
|
||||||
|
use anyhow::anyhow;
|
||||||
|
use serde::{Deserialize, Serialize};
|
||||||
|
use serde_with::skip_serializing_none;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::providers::error::SecretError;
|
||||||
|
use crate::providers::{ENV_PATH, SecretProvider};
|
||||||
|
|
||||||
|
const PROVIDER: &str = "gopass";
|
||||||
|
|
||||||
|
fn map_spawn_err(e: std::io::Error) -> SecretError {
|
||||||
|
if e.kind() == std::io::ErrorKind::NotFound {
|
||||||
|
SecretError::CliNotFound { tool: "gopass" }
|
||||||
|
} else {
|
||||||
|
SecretError::Io(e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[skip_serializing_none]
|
#[skip_serializing_none]
|
||||||
/// Gopass-based secret provider
|
/// Gopass-based secret provider
|
||||||
/// See [Gopass](https://gopass.pw/) for more information.
|
/// See [Gopass](https://gopass.pw/) for more information.
|
||||||
@@ -37,7 +50,7 @@ impl SecretProvider for GopassProvider {
|
|||||||
"GopassProvider"
|
"GopassProvider"
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_secret(&self, key: &str) -> Result<String> {
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
|
|
||||||
let mut child = Command::new("gopass")
|
let mut child = Command::new("gopass")
|
||||||
@@ -47,25 +60,27 @@ impl SecretProvider for GopassProvider {
|
|||||||
.stdout(Stdio::piped())
|
.stdout(Stdio::piped())
|
||||||
.stderr(Stdio::inherit())
|
.stderr(Stdio::inherit())
|
||||||
.spawn()
|
.spawn()
|
||||||
.context("Failed to spawn gopass command")?;
|
.map_err(map_spawn_err)?;
|
||||||
|
|
||||||
let mut output = String::new();
|
let mut output = String::new();
|
||||||
child
|
child
|
||||||
.stdout
|
.stdout
|
||||||
.as_mut()
|
.as_mut()
|
||||||
.expect("Failed to open gopass stdout")
|
.expect("Failed to open gopass stdout")
|
||||||
.read_to_string(&mut output)
|
.read_to_string(&mut output)?;
|
||||||
.context("Failed to read gopass output")?;
|
|
||||||
|
|
||||||
let status = child.wait().context("Failed to wait on gopass process")?;
|
let status = child.wait()?;
|
||||||
if !status.success() {
|
if !status.success() {
|
||||||
return Err(anyhow!("gopass command failed with status: {}", status));
|
return Err(SecretError::NotFound {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(output.trim_end_matches(&['\r', '\n'][..]).to_string())
|
Ok(output.trim_end_matches(&['\r', '\n'][..]).to_string())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
|
|
||||||
let mut child = Command::new("gopass")
|
let mut child = Command::new("gopass")
|
||||||
@@ -73,32 +88,41 @@ impl SecretProvider for GopassProvider {
|
|||||||
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
||||||
.stdin(Stdio::piped())
|
.stdin(Stdio::piped())
|
||||||
.stdout(Stdio::inherit())
|
.stdout(Stdio::inherit())
|
||||||
.stderr(Stdio::inherit())
|
.stderr(Stdio::piped())
|
||||||
.spawn()
|
.spawn()
|
||||||
.context("Failed to spawn gopass command")?;
|
.map_err(map_spawn_err)?;
|
||||||
|
|
||||||
{
|
{
|
||||||
let stdin = child.stdin.as_mut().expect("Failed to open gopass stdin");
|
let stdin = child.stdin.as_mut().expect("Failed to open gopass stdin");
|
||||||
stdin
|
stdin.write_all(value.as_bytes())?;
|
||||||
.write_all(value.as_bytes())
|
|
||||||
.context("Failed to write to gopass stdin")?;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let status = child.wait().context("Failed to wait on gopass process")?;
|
let output = child.wait_with_output()?;
|
||||||
if !status.success() {
|
if !output.status.success() {
|
||||||
return Err(anyhow!("gopass command failed with status: {}", status));
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
||||||
|
if stderr.to_lowercase().contains("already exists") {
|
||||||
|
return Err(SecretError::AlreadyExists {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
return Err(SecretError::Other(anyhow!(
|
||||||
|
"gopass insert failed: {}",
|
||||||
|
stderr
|
||||||
|
)));
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
|
|
||||||
self.set_secret(key, value).await
|
self.set_secret(key, value).await
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()> {
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
|
|
||||||
let mut child = Command::new("gopass")
|
let mut child = Command::new("gopass")
|
||||||
@@ -108,17 +132,20 @@ impl SecretProvider for GopassProvider {
|
|||||||
.stdout(Stdio::inherit())
|
.stdout(Stdio::inherit())
|
||||||
.stderr(Stdio::inherit())
|
.stderr(Stdio::inherit())
|
||||||
.spawn()
|
.spawn()
|
||||||
.context("Failed to spawn gopass command")?;
|
.map_err(map_spawn_err)?;
|
||||||
|
|
||||||
let status = child.wait().context("Failed to wait on gopass process")?;
|
let status = child.wait()?;
|
||||||
if !status.success() {
|
if !status.success() {
|
||||||
return Err(anyhow!("gopass command failed with status: {}", status));
|
return Err(SecretError::NotFound {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
|
|
||||||
let mut child = Command::new("gopass")
|
let mut child = Command::new("gopass")
|
||||||
@@ -126,21 +153,23 @@ impl SecretProvider for GopassProvider {
|
|||||||
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
||||||
.stdin(Stdio::inherit())
|
.stdin(Stdio::inherit())
|
||||||
.stdout(Stdio::piped())
|
.stdout(Stdio::piped())
|
||||||
.stderr(Stdio::inherit())
|
.stderr(Stdio::piped())
|
||||||
.spawn()
|
.spawn()
|
||||||
.context("Failed to spawn gopass command")?;
|
.map_err(map_spawn_err)?;
|
||||||
|
|
||||||
let mut output = String::new();
|
let mut output = String::new();
|
||||||
child
|
child
|
||||||
.stdout
|
.stdout
|
||||||
.as_mut()
|
.as_mut()
|
||||||
.expect("Failed to open gopass stdout")
|
.expect("Failed to open gopass stdout")
|
||||||
.read_to_string(&mut output)
|
.read_to_string(&mut output)?;
|
||||||
.context("Failed to read gopass output")?;
|
|
||||||
|
|
||||||
let status = child.wait().context("Failed to wait on gopass process")?;
|
let result = child.wait_with_output()?;
|
||||||
if !status.success() {
|
if !result.status.success() {
|
||||||
return Err(anyhow!("gopass command failed with status: {}", status));
|
return Err(SecretError::Other(anyhow!(
|
||||||
|
"gopass ls failed: {}",
|
||||||
|
String::from_utf8_lossy(&result.stderr)
|
||||||
|
)));
|
||||||
}
|
}
|
||||||
|
|
||||||
let secrets: Vec<String> = output
|
let secrets: Vec<String> = output
|
||||||
@@ -152,7 +181,7 @@ impl SecretProvider for GopassProvider {
|
|||||||
Ok(secrets)
|
Ok(secrets)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn sync(&mut self) -> Result<()> {
|
async fn sync(&mut self) -> Result<(), SecretError> {
|
||||||
ensure_gopass_installed()?;
|
ensure_gopass_installed()?;
|
||||||
let mut child = Command::new("gopass");
|
let mut child = Command::new("gopass");
|
||||||
child.arg("sync");
|
child.arg("sync");
|
||||||
@@ -161,29 +190,32 @@ impl SecretProvider for GopassProvider {
|
|||||||
child.args(["-s", store]);
|
child.args(["-s", store]);
|
||||||
}
|
}
|
||||||
|
|
||||||
let status = child
|
let output = child
|
||||||
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"))
|
||||||
.stdin(Stdio::inherit())
|
.stdin(Stdio::inherit())
|
||||||
.stdout(Stdio::inherit())
|
.stdout(Stdio::inherit())
|
||||||
.stderr(Stdio::inherit())
|
.stderr(Stdio::piped())
|
||||||
.spawn()
|
.spawn()
|
||||||
.context("Failed to spawn gopass command")?
|
.map_err(map_spawn_err)?
|
||||||
.wait()
|
.wait_with_output()?;
|
||||||
.context("Failed to wait on gopass process")?;
|
|
||||||
|
|
||||||
if !status.success() {
|
if !output.status.success() {
|
||||||
return Err(anyhow!("gopass command failed with status: {}", status));
|
return Err(SecretError::Network {
|
||||||
|
provider: PROVIDER,
|
||||||
|
source: anyhow!(
|
||||||
|
"gopass sync failed: {}",
|
||||||
|
String::from_utf8_lossy(&output.stderr)
|
||||||
|
),
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn ensure_gopass_installed() -> Result<()> {
|
fn ensure_gopass_installed() -> Result<(), SecretError> {
|
||||||
if which::which("gopass").is_err() {
|
if which::which("gopass").is_err() {
|
||||||
Err(anyhow!(
|
Err(SecretError::CliNotFound { tool: "gopass" })
|
||||||
"Gopass is not installed or not found in PATH. Please install Gopass from https://gopass.pw/"
|
|
||||||
))
|
|
||||||
} else {
|
} else {
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|||||||
+259
-111
@@ -1,21 +1,8 @@
|
|||||||
use anyhow::{Context, anyhow, bail};
|
|
||||||
use secrecy::{ExposeSecret, SecretString};
|
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::path::{Path, PathBuf};
|
use std::path::{Path, PathBuf};
|
||||||
use std::{env, fs};
|
use std::{env, fs};
|
||||||
use zeroize::Zeroize;
|
|
||||||
|
|
||||||
use crate::config::{Config, get_config_file_path, load_config};
|
use anyhow::{Context as _, anyhow};
|
||||||
use crate::providers::git_sync::{
|
|
||||||
SyncOpts, default_git_email, default_git_username, ensure_git_available, repo_name_from_url,
|
|
||||||
resolve_git, sync_and_push,
|
|
||||||
};
|
|
||||||
use crate::providers::{SecretProvider, SupportedProvider};
|
|
||||||
use crate::{
|
|
||||||
ARGON_M_COST_KIB, ARGON_P, ARGON_T_COST, HEADER, KDF, KEY_LEN, NONCE_LEN, SALT_LEN, VERSION,
|
|
||||||
calling_app_name,
|
|
||||||
};
|
|
||||||
use anyhow::Result;
|
|
||||||
use argon2::{Algorithm, Argon2, Params, Version};
|
use argon2::{Algorithm, Argon2, Params, Version};
|
||||||
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
|
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
|
||||||
use chacha20poly1305::aead::rand_core::RngCore;
|
use chacha20poly1305::aead::rand_core::RngCore;
|
||||||
@@ -25,10 +12,35 @@ use chacha20poly1305::{
|
|||||||
};
|
};
|
||||||
use dialoguer::{Input, theme};
|
use dialoguer::{Input, theme};
|
||||||
use log::{debug, error};
|
use log::{debug, error};
|
||||||
|
use secrecy::{ExposeSecret, SecretString};
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use serde_with::skip_serializing_none;
|
use serde_with::skip_serializing_none;
|
||||||
use theme::ColorfulTheme;
|
use theme::ColorfulTheme;
|
||||||
use validator::Validate;
|
use validator::Validate;
|
||||||
|
use zeroize::Zeroize;
|
||||||
|
|
||||||
|
use crate::config::{Config, get_config_file_path, load_config};
|
||||||
|
use crate::providers::error::SecretError;
|
||||||
|
use crate::providers::git_sync::{
|
||||||
|
SyncOpts, default_git_email, default_git_username, ensure_git_available, repo_name_from_url,
|
||||||
|
resolve_git, sync_and_push,
|
||||||
|
};
|
||||||
|
use crate::providers::{SecretProvider, SupportedProvider};
|
||||||
|
use crate::{
|
||||||
|
ARGON_M_COST_KIB, ARGON_P, ARGON_T_COST, HEADER, KDF, KEY_LEN, NONCE_LEN, SALT_LEN, VERSION,
|
||||||
|
calling_app_name,
|
||||||
|
};
|
||||||
|
|
||||||
|
const PROVIDER: &str = "local";
|
||||||
|
|
||||||
|
type LocalResult<T> = std::result::Result<T, SecretError>;
|
||||||
|
|
||||||
|
fn cfg_err(message: impl Into<String>) -> SecretError {
|
||||||
|
SecretError::Config {
|
||||||
|
provider: PROVIDER,
|
||||||
|
message: message.into(),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[skip_serializing_none]
|
#[skip_serializing_none]
|
||||||
/// File-based vault provider with optional Git sync.
|
/// File-based vault provider with optional Git sync.
|
||||||
@@ -87,12 +99,13 @@ impl SecretProvider for LocalProvider {
|
|||||||
"LocalProvider"
|
"LocalProvider"
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn get_secret(&self, key: &str) -> Result<String> {
|
async fn get_secret(&self, key: &str) -> LocalResult<String> {
|
||||||
let vault_path = self.active_vault_path()?;
|
let vault_path = self.active_vault_path()?;
|
||||||
let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
let envelope = vault
|
let envelope = vault.get(key).ok_or_else(|| SecretError::NotFound {
|
||||||
.get(key)
|
key: key.to_string(),
|
||||||
.with_context(|| format!("key '{key}' not found in the vault"))?;
|
provider: PROVIDER,
|
||||||
|
})?;
|
||||||
|
|
||||||
let password = self.get_password()?;
|
let password = self.get_password()?;
|
||||||
let plaintext = decrypt_string(&password, envelope)?;
|
let plaintext = decrypt_string(&password, envelope)?;
|
||||||
@@ -101,69 +114,78 @@ impl SecretProvider for LocalProvider {
|
|||||||
Ok(plaintext)
|
Ok(plaintext)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn set_secret(&self, key: &str, value: &str) -> LocalResult<()> {
|
||||||
let vault_path = self.active_vault_path()?;
|
let vault_path = self.active_vault_path()?;
|
||||||
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
if vault.contains_key(key) {
|
if vault.contains_key(key) {
|
||||||
error!(
|
error!(
|
||||||
"Key '{key}' already exists in the vault. Use a different key or delete the existing one first."
|
"Key '{key}' already exists in the vault. Use a different key or delete the existing one first."
|
||||||
);
|
);
|
||||||
bail!("key '{key}' already exists");
|
return Err(SecretError::AlreadyExists {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
let password = self.get_password()?;
|
let password = self.get_password()?;
|
||||||
let envelope = encrypt_string(&password, value)?;
|
let envelope =
|
||||||
|
encrypt_string(&password, value).map_err(SecretError::Other)?;
|
||||||
drop(password);
|
drop(password);
|
||||||
|
|
||||||
vault.insert(key.to_string(), envelope);
|
vault.insert(key.to_string(), envelope);
|
||||||
|
|
||||||
store_vault(&vault_path, &vault).with_context(|| "failed to save secret to the vault")
|
store_vault(&vault_path, &vault)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn update_secret(&self, key: &str, value: &str) -> Result<()> {
|
async fn update_secret(&self, key: &str, value: &str) -> LocalResult<()> {
|
||||||
let vault_path = self.active_vault_path()?;
|
let vault_path = self.active_vault_path()?;
|
||||||
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
|
|
||||||
let password = self.get_password()?;
|
let password = self.get_password()?;
|
||||||
let envelope = encrypt_string(&password, value)?;
|
let envelope =
|
||||||
|
encrypt_string(&password, value).map_err(SecretError::Other)?;
|
||||||
drop(password);
|
drop(password);
|
||||||
|
|
||||||
if vault.contains_key(key) {
|
if vault.contains_key(key) {
|
||||||
debug!("Key '{key}' exists in vault. Overwriting previous value");
|
debug!("Key '{key}' exists in vault. Overwriting previous value");
|
||||||
let vault_entry = vault
|
let vault_entry = vault.get_mut(key).ok_or_else(|| SecretError::NotFound {
|
||||||
.get_mut(key)
|
key: key.to_string(),
|
||||||
.with_context(|| format!("key '{key}' not found in the vault"))?;
|
provider: PROVIDER,
|
||||||
|
})?;
|
||||||
*vault_entry = envelope;
|
*vault_entry = envelope;
|
||||||
|
|
||||||
return store_vault(&vault_path, &vault)
|
return store_vault(&vault_path, &vault);
|
||||||
.with_context(|| "failed to save secret to the vault");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
vault.insert(key.to_string(), envelope);
|
vault.insert(key.to_string(), envelope);
|
||||||
store_vault(&vault_path, &vault).with_context(|| "failed to save secret to the vault")
|
store_vault(&vault_path, &vault)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()> {
|
async fn delete_secret(&self, key: &str) -> LocalResult<()> {
|
||||||
let vault_path = self.active_vault_path()?;
|
let vault_path = self.active_vault_path()?;
|
||||||
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let mut vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
if !vault.contains_key(key) {
|
if !vault.contains_key(key) {
|
||||||
error!("Key '{key}' does not exist in the vault.");
|
error!("Key '{key}' does not exist in the vault.");
|
||||||
bail!("key '{key}' does not exist");
|
return Err(SecretError::NotFound {
|
||||||
|
key: key.to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
vault.remove(key);
|
vault.remove(key);
|
||||||
store_vault(&vault_path, &vault).with_context(|| "failed to save secret to the vault")
|
store_vault(&vault_path, &vault)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> LocalResult<Vec<String>> {
|
||||||
let vault_path = self.active_vault_path()?;
|
let vault_path = self.active_vault_path()?;
|
||||||
let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
let vault: HashMap<String, String> = load_vault(&vault_path).unwrap_or_default();
|
||||||
let keys: Vec<String> = vault.keys().cloned().collect();
|
let mut keys: Vec<String> = vault.keys().cloned().collect();
|
||||||
|
keys.sort();
|
||||||
|
|
||||||
Ok(keys)
|
Ok(keys)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn sync(&mut self) -> Result<()> {
|
async fn sync(&mut self) -> LocalResult<()> {
|
||||||
let mut config_changed = false;
|
let mut config_changed = false;
|
||||||
let git = resolve_git(self.git_executable.as_ref())?;
|
let git = resolve_git(self.git_executable.as_ref())?;
|
||||||
ensure_git_available(&git)?;
|
ensure_git_available(&git)?;
|
||||||
@@ -174,7 +196,8 @@ impl SecretProvider for LocalProvider {
|
|||||||
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
||||||
.with_prompt("Enter git branch to sync with")
|
.with_prompt("Enter git branch to sync with")
|
||||||
.default("main".into())
|
.default("main".into())
|
||||||
.interact_text()?;
|
.interact_text()
|
||||||
|
.map_err(|e| cfg_err(format!("prompt failed: {}", e)))?;
|
||||||
|
|
||||||
self.git_branch = Some(branch);
|
self.git_branch = Some(branch);
|
||||||
}
|
}
|
||||||
@@ -195,7 +218,8 @@ impl SecretProvider for LocalProvider {
|
|||||||
.map(|_| ())
|
.map(|_| ())
|
||||||
.map_err(|e| e.to_string())
|
.map_err(|e| e.to_string())
|
||||||
})
|
})
|
||||||
.interact_text()?;
|
.interact_text()
|
||||||
|
.map_err(|e| cfg_err(format!("prompt failed: {}", e)))?;
|
||||||
|
|
||||||
self.git_remote_url = Some(remote);
|
self.git_remote_url = Some(remote);
|
||||||
}
|
}
|
||||||
@@ -203,11 +227,15 @@ impl SecretProvider for LocalProvider {
|
|||||||
if self.git_user_name.is_none() {
|
if self.git_user_name.is_none() {
|
||||||
config_changed = true;
|
config_changed = true;
|
||||||
debug!("Prompting user git user name");
|
debug!("Prompting user git user name");
|
||||||
let default_user_name = default_git_username(&git)?.trim().to_string();
|
let default_user_name = default_git_username(&git)
|
||||||
|
.map_err(SecretError::from)?
|
||||||
|
.trim()
|
||||||
|
.to_string();
|
||||||
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
||||||
.with_prompt("Enter git user name")
|
.with_prompt("Enter git user name")
|
||||||
.default(default_user_name)
|
.default(default_user_name)
|
||||||
.interact_text()?;
|
.interact_text()
|
||||||
|
.map_err(|e| cfg_err(format!("prompt failed: {}", e)))?;
|
||||||
|
|
||||||
self.git_user_name = Some(branch);
|
self.git_user_name = Some(branch);
|
||||||
}
|
}
|
||||||
@@ -215,7 +243,10 @@ impl SecretProvider for LocalProvider {
|
|||||||
if self.git_user_email.is_none() {
|
if self.git_user_email.is_none() {
|
||||||
config_changed = true;
|
config_changed = true;
|
||||||
debug!("Prompting user git email");
|
debug!("Prompting user git email");
|
||||||
let default_user_name = default_git_email(&git)?.trim().to_string();
|
let default_user_name = default_git_email(&git)
|
||||||
|
.map_err(SecretError::from)?
|
||||||
|
.trim()
|
||||||
|
.to_string();
|
||||||
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
let branch: String = Input::with_theme(&ColorfulTheme::default())
|
||||||
.with_prompt("Enter git user email")
|
.with_prompt("Enter git user email")
|
||||||
.validate_with({
|
.validate_with({
|
||||||
@@ -228,7 +259,8 @@ impl SecretProvider for LocalProvider {
|
|||||||
}
|
}
|
||||||
})
|
})
|
||||||
.default(default_user_name)
|
.default(default_user_name)
|
||||||
.interact_text()?;
|
.interact_text()
|
||||||
|
.map_err(|e| cfg_err(format!("prompt failed: {}", e)))?;
|
||||||
|
|
||||||
self.git_user_email = Some(branch);
|
self.git_user_email = Some(branch);
|
||||||
}
|
}
|
||||||
@@ -245,15 +277,17 @@ impl SecretProvider for LocalProvider {
|
|||||||
git_executable: &self.git_executable,
|
git_executable: &self.git_executable,
|
||||||
};
|
};
|
||||||
|
|
||||||
sync_and_push(&sync_opts)
|
sync_and_push(&sync_opts)?;
|
||||||
|
Ok(())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl LocalProvider {
|
impl LocalProvider {
|
||||||
fn persist_git_settings_to_config(&self) -> Result<()> {
|
fn persist_git_settings_to_config(&self) -> LocalResult<()> {
|
||||||
debug!("Saving updated config (only current local provider)");
|
debug!("Saving updated config (only current local provider)");
|
||||||
|
|
||||||
let mut cfg = load_config(true).with_context(|| "failed to load existing config")?;
|
let mut cfg = load_config(true)
|
||||||
|
.map_err(|e| cfg_err(format!("failed to load existing config: {}", e)))?;
|
||||||
|
|
||||||
let target_name = self.runtime_provider_name.clone();
|
let target_name = self.runtime_provider_name.clone();
|
||||||
let mut updated = false;
|
let mut updated = false;
|
||||||
@@ -280,26 +314,30 @@ impl LocalProvider {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if !updated {
|
if !updated {
|
||||||
bail!("unable to find matching local provider in config to update");
|
return Err(cfg_err(
|
||||||
|
"unable to find matching local provider in config to update",
|
||||||
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
let path = get_config_file_path()?;
|
let path = get_config_file_path()
|
||||||
|
.map_err(|e| cfg_err(format!("failed to determine config path: {}", e)))?;
|
||||||
let ext = path.extension().and_then(|s| s.to_str()).unwrap_or("");
|
let ext = path.extension().and_then(|s| s.to_str()).unwrap_or("");
|
||||||
if ext.eq_ignore_ascii_case("yml") || ext.eq_ignore_ascii_case("yaml") {
|
if ext.eq_ignore_ascii_case("yml") || ext.eq_ignore_ascii_case("yaml") {
|
||||||
if let Some(parent) = path.parent() {
|
if let Some(parent) = path.parent() {
|
||||||
fs::create_dir_all(parent)?;
|
fs::create_dir_all(parent)?;
|
||||||
}
|
}
|
||||||
let s = serde_yaml::to_string(&cfg)?;
|
let s = serde_yaml::to_string(&cfg)
|
||||||
fs::write(&path, s).with_context(|| format!("failed to write {}", path.display()))?;
|
.map_err(|e| cfg_err(format!("serialize config: {}", e)))?;
|
||||||
|
fs::write(&path, s)?;
|
||||||
} else {
|
} else {
|
||||||
confy::store(&calling_app_name(), "config", &cfg)
|
confy::store(&calling_app_name(), "config", &cfg)
|
||||||
.with_context(|| "failed to save updated config via confy")?;
|
.map_err(|e| cfg_err(format!("failed to save updated config via confy: {}", e)))?;
|
||||||
}
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn repo_dir_for_config(&self) -> Result<Option<PathBuf>> {
|
fn repo_dir_for_config(&self) -> LocalResult<Option<PathBuf>> {
|
||||||
if let Some(remote) = &self.git_remote_url {
|
if let Some(remote) = &self.git_remote_url {
|
||||||
let name = repo_name_from_url(remote);
|
let name = repo_name_from_url(remote);
|
||||||
let dir = base_config_dir()?.join(format!(".{}", name));
|
let dir = base_config_dir()?.join(format!(".{}", name));
|
||||||
@@ -309,7 +347,7 @@ impl LocalProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn active_vault_path(&self) -> Result<PathBuf> {
|
fn active_vault_path(&self) -> LocalResult<PathBuf> {
|
||||||
if let Some(dir) = self.repo_dir_for_config()?
|
if let Some(dir) = self.repo_dir_for_config()?
|
||||||
&& dir.exists()
|
&& dir.exists()
|
||||||
{
|
{
|
||||||
@@ -319,11 +357,24 @@ impl LocalProvider {
|
|||||||
default_vault_path()
|
default_vault_path()
|
||||||
}
|
}
|
||||||
|
|
||||||
fn get_password(&self) -> Result<SecretString> {
|
fn get_password(&self) -> LocalResult<SecretString> {
|
||||||
if let Some(password_file) = &self.password_file {
|
if let Some(password_file) = &self.password_file {
|
||||||
|
#[cfg(unix)]
|
||||||
|
{
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
|
let metadata = fs::metadata(password_file)?;
|
||||||
|
let mode = metadata.permissions().mode();
|
||||||
|
if mode & 0o077 != 0 {
|
||||||
|
return Err(cfg_err(format!(
|
||||||
|
"password file {:?} has insecure permissions {:o} (should be 0600 or 0400)",
|
||||||
|
password_file,
|
||||||
|
mode & 0o777
|
||||||
|
)));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let password = SecretString::new(
|
let password = SecretString::new(
|
||||||
fs::read_to_string(password_file)
|
fs::read_to_string(password_file)?
|
||||||
.with_context(|| format!("failed to read password file {:?}", password_file))?
|
|
||||||
.trim()
|
.trim()
|
||||||
.to_string()
|
.to_string()
|
||||||
.into(),
|
.into(),
|
||||||
@@ -337,7 +388,7 @@ impl LocalProvider {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn default_vault_path() -> Result<PathBuf> {
|
fn default_vault_path() -> LocalResult<PathBuf> {
|
||||||
let xdg_path = env::var_os("XDG_CONFIG_HOME").map(PathBuf::from);
|
let xdg_path = env::var_os("XDG_CONFIG_HOME").map(PathBuf::from);
|
||||||
|
|
||||||
if let Some(xdg) = xdg_path {
|
if let Some(xdg) = xdg_path {
|
||||||
@@ -345,17 +396,17 @@ fn default_vault_path() -> Result<PathBuf> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
confy::get_configuration_file_path(&calling_app_name(), "vault")
|
confy::get_configuration_file_path(&calling_app_name(), "vault")
|
||||||
.with_context(|| "get config dir")
|
.map_err(|e| cfg_err(format!("get config dir: {}", e)))
|
||||||
}
|
}
|
||||||
|
|
||||||
fn base_config_dir() -> Result<PathBuf> {
|
fn base_config_dir() -> LocalResult<PathBuf> {
|
||||||
default_vault_path()?
|
default_vault_path()?
|
||||||
.parent()
|
.parent()
|
||||||
.map(Path::to_path_buf)
|
.map(Path::to_path_buf)
|
||||||
.ok_or_else(|| anyhow!("Failed to determine config dir"))
|
.ok_or_else(|| cfg_err("Failed to determine config dir"))
|
||||||
}
|
}
|
||||||
|
|
||||||
fn load_vault(path: &Path) -> Result<HashMap<String, String>> {
|
fn load_vault(path: &Path) -> anyhow::Result<HashMap<String, String>> {
|
||||||
if !path.exists() {
|
if !path.exists() {
|
||||||
return Ok(HashMap::new());
|
return Ok(HashMap::new());
|
||||||
}
|
}
|
||||||
@@ -364,29 +415,46 @@ fn load_vault(path: &Path) -> Result<HashMap<String, String>> {
|
|||||||
Ok(map)
|
Ok(map)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn store_vault(path: &Path, map: &HashMap<String, String>) -> Result<()> {
|
fn store_vault(path: &Path, map: &HashMap<String, String>) -> LocalResult<()> {
|
||||||
if let Some(parent) = path.parent() {
|
if let Some(parent) = path.parent() {
|
||||||
fs::create_dir_all(parent).with_context(|| format!("create {}", parent.display()))?;
|
fs::create_dir_all(parent)?;
|
||||||
}
|
}
|
||||||
let s = serde_yaml::to_string(map).with_context(|| "serialize vault")?;
|
let s = serde_yaml::to_string(map)
|
||||||
fs::write(path, s).with_context(|| format!("write {}", path.display()))
|
.map_err(|e| SecretError::Other(anyhow!("serialize vault: {}", e)))?;
|
||||||
|
fs::write(path, &s)?;
|
||||||
|
|
||||||
|
#[cfg(unix)]
|
||||||
|
{
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
|
fs::set_permissions(path, fs::Permissions::from_mode(0o600))?;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
fn encrypt_string(password: &SecretString, plaintext: &str) -> anyhow::Result<String> {
|
||||||
|
if password.expose_secret().is_empty() {
|
||||||
|
anyhow::bail!("password cannot be empty");
|
||||||
}
|
}
|
||||||
|
|
||||||
fn encrypt_string(password: &SecretString, plaintext: &str) -> Result<String> {
|
|
||||||
let mut salt = [0u8; SALT_LEN];
|
let mut salt = [0u8; SALT_LEN];
|
||||||
OsRng.fill_bytes(&mut salt);
|
OsRng.fill_bytes(&mut salt);
|
||||||
let mut nonce_bytes = [0u8; NONCE_LEN];
|
let mut nonce_bytes = [0u8; NONCE_LEN];
|
||||||
OsRng.fill_bytes(&mut nonce_bytes);
|
OsRng.fill_bytes(&mut nonce_bytes);
|
||||||
|
|
||||||
let key = derive_key(password, &salt)?;
|
let mut key = derive_key(password, &salt)?;
|
||||||
let cipher = XChaCha20Poly1305::new(&key);
|
let cipher = XChaCha20Poly1305::new(&key);
|
||||||
let aad = format!("{};{}", HEADER, VERSION);
|
|
||||||
|
|
||||||
let nonce = XNonce::from_slice(&nonce_bytes);
|
let aad = format!(
|
||||||
|
"{};{};{};m={},t={},p={}",
|
||||||
|
HEADER, VERSION, KDF, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P
|
||||||
|
);
|
||||||
|
|
||||||
|
let nonce: XNonce = nonce_bytes.into();
|
||||||
let mut pt = plaintext.as_bytes().to_vec();
|
let mut pt = plaintext.as_bytes().to_vec();
|
||||||
let ct = cipher
|
let ct = cipher
|
||||||
.encrypt(
|
.encrypt(
|
||||||
nonce,
|
&nonce,
|
||||||
chacha20poly1305::aead::Payload {
|
chacha20poly1305::aead::Payload {
|
||||||
msg: &pt,
|
msg: &pt,
|
||||||
aad: aad.as_bytes(),
|
aad: aad.as_bytes(),
|
||||||
@@ -409,6 +477,7 @@ fn encrypt_string(password: &SecretString, plaintext: &str) -> Result<String> {
|
|||||||
);
|
);
|
||||||
|
|
||||||
drop(cipher);
|
drop(cipher);
|
||||||
|
key.zeroize();
|
||||||
salt.zeroize();
|
salt.zeroize();
|
||||||
nonce_bytes.zeroize();
|
nonce_bytes.zeroize();
|
||||||
|
|
||||||
@@ -421,7 +490,7 @@ fn derive_key_with_params(
|
|||||||
m_cost: u32,
|
m_cost: u32,
|
||||||
t_cost: u32,
|
t_cost: u32,
|
||||||
p: u32,
|
p: u32,
|
||||||
) -> Result<Key> {
|
) -> anyhow::Result<Key> {
|
||||||
let params = Params::new(m_cost, t_cost, p, Some(KEY_LEN))
|
let params = Params::new(m_cost, t_cost, p, Some(KEY_LEN))
|
||||||
.map_err(|e| anyhow!("argon2 params error: {:?}", e))?;
|
.map_err(|e| anyhow!("argon2 params error: {:?}", e))?;
|
||||||
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
|
let argon = Argon2::new(Algorithm::Argon2id, Version::V0x13, params);
|
||||||
@@ -429,32 +498,49 @@ fn derive_key_with_params(
|
|||||||
argon
|
argon
|
||||||
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
|
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
|
||||||
.map_err(|e| anyhow!("argon2 derive error: {:?}", e))?;
|
.map_err(|e| anyhow!("argon2 derive error: {:?}", e))?;
|
||||||
|
let key: Key = key_bytes.into();
|
||||||
key_bytes.zeroize();
|
key_bytes.zeroize();
|
||||||
let key = Key::from_slice(&key_bytes);
|
Ok(key)
|
||||||
Ok(*key)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
|
fn derive_key(password: &SecretString, salt: &[u8]) -> anyhow::Result<Key> {
|
||||||
derive_key_with_params(password, salt, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P)
|
derive_key_with_params(password, salt, ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
|
fn try_decrypt(
|
||||||
|
cipher: &XChaCha20Poly1305,
|
||||||
|
nonce: &XNonce,
|
||||||
|
ct: &[u8],
|
||||||
|
aad: &[u8],
|
||||||
|
) -> std::result::Result<Vec<u8>, chacha20poly1305::aead::Error> {
|
||||||
|
cipher.decrypt(nonce, chacha20poly1305::aead::Payload { msg: ct, aad })
|
||||||
|
}
|
||||||
|
|
||||||
|
type EnvelopeComponents = (u32, u32, u32, Vec<u8>, [u8; NONCE_LEN], Vec<u8>);
|
||||||
|
|
||||||
|
fn parse_envelope(envelope: &str) -> LocalResult<EnvelopeComponents> {
|
||||||
let parts: Vec<&str> = envelope.trim().split(';').collect();
|
let parts: Vec<&str> = envelope.trim().split(';').collect();
|
||||||
if parts.len() < 7 {
|
if parts.len() < 7 {
|
||||||
debug!("Invalid envelope format: {:?}", parts);
|
debug!("Invalid envelope format: {:?}", parts);
|
||||||
bail!("invalid envelope format");
|
return Err(SecretError::Other(anyhow!("invalid envelope format")));
|
||||||
}
|
}
|
||||||
if parts[0] != HEADER {
|
if parts[0] != HEADER {
|
||||||
debug!("Invalid header: {}", parts[0]);
|
debug!("Invalid header: {}", parts[0]);
|
||||||
bail!("unexpected header");
|
return Err(SecretError::Other(anyhow!("unexpected header")));
|
||||||
}
|
}
|
||||||
if parts[1] != VERSION {
|
if parts[1] != VERSION {
|
||||||
debug!("Unsupported version: {}", parts[1]);
|
debug!("Unsupported version: {}", parts[1]);
|
||||||
bail!("unsupported version {}", parts[1]);
|
return Err(SecretError::Unsupported {
|
||||||
|
operation: "decrypt_envelope_version",
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
if parts[2] != KDF {
|
if parts[2] != KDF {
|
||||||
debug!("Unsupported kdf: {}", parts[2]);
|
debug!("Unsupported kdf: {}", parts[2]);
|
||||||
bail!("unsupported kdf {}", parts[2]);
|
return Err(SecretError::Unsupported {
|
||||||
|
operation: "decrypt_kdf",
|
||||||
|
provider: PROVIDER,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
let params_str = parts[3];
|
let params_str = parts[3];
|
||||||
@@ -474,62 +560,90 @@ fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
|
|||||||
|
|
||||||
let salt_b64 = parts[4]
|
let salt_b64 = parts[4]
|
||||||
.strip_prefix("salt=")
|
.strip_prefix("salt=")
|
||||||
.with_context(|| "missing salt")?;
|
.ok_or_else(|| SecretError::Other(anyhow!("missing salt")))?;
|
||||||
let nonce_b64 = parts[5]
|
let nonce_b64 = parts[5]
|
||||||
.strip_prefix("nonce=")
|
.strip_prefix("nonce=")
|
||||||
.with_context(|| "missing nonce")?;
|
.ok_or_else(|| SecretError::Other(anyhow!("missing nonce")))?;
|
||||||
let ct_b64 = parts[6].strip_prefix("ct=").with_context(|| "missing ct")?;
|
let ct_b64 = parts[6]
|
||||||
|
.strip_prefix("ct=")
|
||||||
|
.ok_or_else(|| SecretError::Other(anyhow!("missing ct")))?;
|
||||||
|
|
||||||
let mut salt = B64.decode(salt_b64).with_context(|| "bad salt b64")?;
|
let salt = B64
|
||||||
let mut nonce_bytes = B64.decode(nonce_b64).with_context(|| "bad nonce b64")?;
|
.decode(salt_b64)
|
||||||
let mut ct = B64.decode(ct_b64).with_context(|| "bad ct b64")?;
|
.map_err(|e| SecretError::Other(anyhow!("bad salt b64: {}", e)))?;
|
||||||
|
let nonce_bytes = B64
|
||||||
|
.decode(nonce_b64)
|
||||||
|
.map_err(|e| SecretError::Other(anyhow!("bad nonce b64: {}", e)))?;
|
||||||
|
let ct = B64
|
||||||
|
.decode(ct_b64)
|
||||||
|
.map_err(|e| SecretError::Other(anyhow!("bad ct b64: {}", e)))?;
|
||||||
|
|
||||||
if salt.len() != SALT_LEN || nonce_bytes.len() != NONCE_LEN {
|
if nonce_bytes.len() != NONCE_LEN {
|
||||||
debug!(
|
debug!("Nonce length mismatch: {}", nonce_bytes.len());
|
||||||
"Salt/nonce length mismatch: salt {}, nonce {}",
|
return Err(SecretError::Other(anyhow!("nonce length mismatch")));
|
||||||
salt.len(),
|
|
||||||
nonce_bytes.len()
|
|
||||||
);
|
|
||||||
bail!("salt/nonce length mismatch");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
let key = derive_key_with_params(password, &salt, m, t, p)?;
|
let nonce_arr: [u8; NONCE_LEN] = nonce_bytes
|
||||||
|
.try_into()
|
||||||
|
.map_err(|_| SecretError::Other(anyhow!("invalid nonce length")))?;
|
||||||
|
|
||||||
|
Ok((m, t, p, salt, nonce_arr, ct))
|
||||||
|
}
|
||||||
|
|
||||||
|
fn decrypt_string(password: &SecretString, envelope: &str) -> LocalResult<String> {
|
||||||
|
if password.expose_secret().is_empty() {
|
||||||
|
return Err(cfg_err("password cannot be empty"));
|
||||||
|
}
|
||||||
|
|
||||||
|
let (m, t, p, mut salt, mut nonce_arr, mut ct) = parse_envelope(envelope)?;
|
||||||
|
let nonce: XNonce = nonce_arr.into();
|
||||||
|
|
||||||
|
let aad_current = format!("{};{};{};m={},t={},p={}", HEADER, VERSION, KDF, m, t, p);
|
||||||
|
|
||||||
|
let mut key = derive_key_with_params(password, &salt, m, t, p)
|
||||||
|
.map_err(|source| SecretError::AuthFailed {
|
||||||
|
provider: PROVIDER,
|
||||||
|
source,
|
||||||
|
})?;
|
||||||
let cipher = XChaCha20Poly1305::new(&key);
|
let cipher = XChaCha20Poly1305::new(&key);
|
||||||
let aad = format!("{};{}", HEADER, VERSION);
|
|
||||||
let nonce = XNonce::from_slice(&nonce_bytes);
|
|
||||||
|
|
||||||
let pt = cipher
|
|
||||||
.decrypt(
|
|
||||||
nonce,
|
|
||||||
chacha20poly1305::aead::Payload {
|
|
||||||
msg: &ct,
|
|
||||||
aad: aad.as_bytes(),
|
|
||||||
},
|
|
||||||
)
|
|
||||||
.map_err(|_| anyhow!("decryption failed (wrong password or corrupted data)"))?;
|
|
||||||
|
|
||||||
|
if let Ok(pt) = try_decrypt(&cipher, &nonce, &ct, aad_current.as_bytes()) {
|
||||||
|
let s = String::from_utf8(pt.clone())
|
||||||
|
.map_err(|e| SecretError::Other(anyhow!("plaintext not valid UTF-8: {}", e)))?;
|
||||||
|
key.zeroize();
|
||||||
salt.zeroize();
|
salt.zeroize();
|
||||||
nonce_bytes.zeroize();
|
nonce_arr.zeroize();
|
||||||
|
ct.zeroize();
|
||||||
|
return Ok(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
key.zeroize();
|
||||||
|
salt.zeroize();
|
||||||
|
nonce_arr.zeroize();
|
||||||
ct.zeroize();
|
ct.zeroize();
|
||||||
|
|
||||||
let s = String::from_utf8(pt).with_context(|| "plaintext not valid UTF-8")?;
|
Err(SecretError::AuthFailed {
|
||||||
Ok(s)
|
provider: PROVIDER,
|
||||||
|
source: anyhow!("decryption failed (wrong password or corrupted data)"),
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mod tests {
|
mod tests {
|
||||||
use super::*;
|
use std::env as std_env;
|
||||||
|
|
||||||
use pretty_assertions::assert_eq;
|
use pretty_assertions::assert_eq;
|
||||||
use secrecy::{ExposeSecret, SecretString};
|
use secrecy::{ExposeSecret, SecretString};
|
||||||
use std::env as std_env;
|
|
||||||
use tempfile::tempdir;
|
use tempfile::tempdir;
|
||||||
|
|
||||||
|
use super::*;
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn test_derive_key() {
|
fn test_derive_key() {
|
||||||
let password = SecretString::new("test_password".to_string().into());
|
let password = SecretString::new("test_password".to_string().into());
|
||||||
let salt = [0u8; 16];
|
let salt = [0u8; 16];
|
||||||
let key = derive_key(&password, &salt).unwrap();
|
let key = derive_key(&password, &salt).unwrap();
|
||||||
assert_eq!(key.as_slice().len(), 32);
|
assert_eq!(key.len(), 32);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
@@ -537,7 +651,7 @@ mod tests {
|
|||||||
let password = SecretString::new("test_password".to_string().into());
|
let password = SecretString::new("test_password".to_string().into());
|
||||||
let salt = [0u8; 16];
|
let salt = [0u8; 16];
|
||||||
let key = derive_key_with_params(&password, &salt, 10, 1, 1).unwrap();
|
let key = derive_key_with_params(&password, &salt, 10, 1, 1).unwrap();
|
||||||
assert_eq!(key.as_slice().len(), 32);
|
assert_eq!(key.len(), 32);
|
||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
@@ -550,6 +664,40 @@ mod tests {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
|
#[cfg(unix)]
|
||||||
|
fn get_password_reads_password_file() {
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
|
let dir = tempdir().unwrap();
|
||||||
|
let file = dir.path().join("pw.txt");
|
||||||
|
fs::write(&file, "secretpw\n").unwrap();
|
||||||
|
fs::set_permissions(&file, fs::Permissions::from_mode(0o600)).unwrap();
|
||||||
|
let provider = LocalProvider {
|
||||||
|
password_file: Some(file),
|
||||||
|
runtime_provider_name: None,
|
||||||
|
..LocalProvider::default()
|
||||||
|
};
|
||||||
|
let pw = provider.get_password().unwrap();
|
||||||
|
assert_eq!(pw.expose_secret(), "secretpw");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
#[cfg(unix)]
|
||||||
|
fn get_password_rejects_insecure_file() {
|
||||||
|
use std::os::unix::fs::PermissionsExt;
|
||||||
|
let dir = tempdir().unwrap();
|
||||||
|
let file = dir.path().join("pw.txt");
|
||||||
|
fs::write(&file, "secretpw\n").unwrap();
|
||||||
|
fs::set_permissions(&file, fs::Permissions::from_mode(0o644)).unwrap();
|
||||||
|
let provider = LocalProvider {
|
||||||
|
password_file: Some(file),
|
||||||
|
runtime_provider_name: None,
|
||||||
|
..LocalProvider::default()
|
||||||
|
};
|
||||||
|
assert!(provider.get_password().is_err());
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
#[cfg(not(unix))]
|
||||||
fn get_password_reads_password_file() {
|
fn get_password_reads_password_file() {
|
||||||
let dir = tempdir().unwrap();
|
let dir = tempdir().unwrap();
|
||||||
let file = dir.path().join("pw.txt");
|
let file = dir.path().join("pw.txt");
|
||||||
|
|||||||
+42
-24
@@ -4,23 +4,30 @@
|
|||||||
//! interface used by the CLI.
|
//! interface used by the CLI.
|
||||||
pub mod aws_secrets_manager;
|
pub mod aws_secrets_manager;
|
||||||
pub mod azure_key_vault;
|
pub mod azure_key_vault;
|
||||||
|
pub mod error;
|
||||||
pub mod gcp_secret_manager;
|
pub mod gcp_secret_manager;
|
||||||
mod git_sync;
|
pub mod git_sync;
|
||||||
pub mod gopass;
|
pub mod gopass;
|
||||||
pub mod local;
|
pub mod local;
|
||||||
|
pub mod one_password;
|
||||||
|
|
||||||
use crate::providers::gopass::GopassProvider;
|
use std::fmt::{Display, Formatter};
|
||||||
use crate::providers::local::LocalProvider;
|
use std::{env, fmt};
|
||||||
use anyhow::{Context, Result, anyhow};
|
|
||||||
|
use anyhow::{Context, Result};
|
||||||
use aws_secrets_manager::AwsSecretsManagerProvider;
|
use aws_secrets_manager::AwsSecretsManagerProvider;
|
||||||
use azure_key_vault::AzureKeyVaultProvider;
|
use azure_key_vault::AzureKeyVaultProvider;
|
||||||
use gcp_secret_manager::GcpSecretManagerProvider;
|
use gcp_secret_manager::GcpSecretManagerProvider;
|
||||||
use once_cell::sync::Lazy;
|
use once_cell::sync::Lazy;
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use std::fmt::{Display, Formatter};
|
|
||||||
use std::{env, fmt};
|
|
||||||
use validator::{Validate, ValidationErrors};
|
use validator::{Validate, ValidationErrors};
|
||||||
|
|
||||||
|
pub use crate::providers::error::SecretError;
|
||||||
|
pub use crate::providers::git_sync::SyncError;
|
||||||
|
use crate::providers::gopass::GopassProvider;
|
||||||
|
use crate::providers::local::LocalProvider;
|
||||||
|
use crate::providers::one_password::OnePasswordProvider;
|
||||||
|
|
||||||
pub(in crate::providers) static ENV_PATH: Lazy<Result<String>> =
|
pub(in crate::providers) static ENV_PATH: Lazy<Result<String>> =
|
||||||
Lazy::new(|| env::var("PATH").context("No PATH environment variable"));
|
Lazy::new(|| env::var("PATH").context("No PATH environment variable"));
|
||||||
|
|
||||||
@@ -29,26 +36,26 @@ pub(in crate::providers) static ENV_PATH: Lazy<Result<String>> =
|
|||||||
#[async_trait::async_trait]
|
#[async_trait::async_trait]
|
||||||
pub trait SecretProvider: Send + Sync {
|
pub trait SecretProvider: Send + Sync {
|
||||||
fn name(&self) -> &'static str;
|
fn name(&self) -> &'static str;
|
||||||
async fn get_secret(&self, key: &str) -> Result<String>;
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError>;
|
||||||
async fn set_secret(&self, key: &str, value: &str) -> Result<()>;
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError>;
|
||||||
async fn update_secret(&self, _key: &str, _value: &str) -> Result<()> {
|
async fn update_secret(&self, _key: &str, _value: &str) -> Result<(), SecretError> {
|
||||||
Err(anyhow!(
|
Err(SecretError::Unsupported {
|
||||||
"update secret not supported for provider {}",
|
operation: "update_secret",
|
||||||
self.name()
|
provider: self.name(),
|
||||||
))
|
})
|
||||||
}
|
}
|
||||||
async fn delete_secret(&self, key: &str) -> Result<()>;
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError>;
|
||||||
async fn list_secrets(&self) -> Result<Vec<String>> {
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
Err(anyhow!(
|
Err(SecretError::Unsupported {
|
||||||
"list secrets is not supported for the provider {}",
|
operation: "list_secrets",
|
||||||
self.name()
|
provider: self.name(),
|
||||||
))
|
})
|
||||||
}
|
}
|
||||||
async fn sync(&mut self) -> Result<()> {
|
async fn sync(&mut self) -> Result<(), SecretError> {
|
||||||
Err(anyhow!(
|
Err(SecretError::Unsupported {
|
||||||
"sync is not supported for the provider {}",
|
operation: "sync",
|
||||||
self.name()
|
provider: self.name(),
|
||||||
))
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -76,6 +83,10 @@ pub enum SupportedProvider {
|
|||||||
#[serde(flatten)]
|
#[serde(flatten)]
|
||||||
provider_def: GopassProvider,
|
provider_def: GopassProvider,
|
||||||
},
|
},
|
||||||
|
OnePassword {
|
||||||
|
#[serde(flatten)]
|
||||||
|
provider_def: OnePasswordProvider,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Validate for SupportedProvider {
|
impl Validate for SupportedProvider {
|
||||||
@@ -86,6 +97,7 @@ impl Validate for SupportedProvider {
|
|||||||
SupportedProvider::GcpSecretManager { provider_def } => provider_def.validate(),
|
SupportedProvider::GcpSecretManager { provider_def } => provider_def.validate(),
|
||||||
SupportedProvider::AzureKeyVault { provider_def } => provider_def.validate(),
|
SupportedProvider::AzureKeyVault { provider_def } => provider_def.validate(),
|
||||||
SupportedProvider::Gopass { provider_def } => provider_def.validate(),
|
SupportedProvider::Gopass { provider_def } => provider_def.validate(),
|
||||||
|
SupportedProvider::OnePassword { provider_def } => provider_def.validate(),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -106,6 +118,12 @@ impl Display for SupportedProvider {
|
|||||||
SupportedProvider::GcpSecretManager { .. } => write!(f, "gcp_secret_manager"),
|
SupportedProvider::GcpSecretManager { .. } => write!(f, "gcp_secret_manager"),
|
||||||
SupportedProvider::AzureKeyVault { .. } => write!(f, "azure_key_vault"),
|
SupportedProvider::AzureKeyVault { .. } => write!(f, "azure_key_vault"),
|
||||||
SupportedProvider::Gopass { .. } => write!(f, "gopass"),
|
SupportedProvider::Gopass { .. } => write!(f, "gopass"),
|
||||||
|
SupportedProvider::OnePassword { .. } => write!(f, "one_password"),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[allow(unused_imports)]
|
||||||
|
pub(crate) use crate::providers::error::{
|
||||||
|
classify_aws_error, classify_azure_error, classify_gcp_error,
|
||||||
|
};
|
||||||
|
|||||||
@@ -0,0 +1,232 @@
|
|||||||
|
use std::io::Read;
|
||||||
|
use std::process::{Command, Stdio};
|
||||||
|
|
||||||
|
use anyhow::anyhow;
|
||||||
|
use serde::{Deserialize, Serialize};
|
||||||
|
use serde_with::skip_serializing_none;
|
||||||
|
use validator::Validate;
|
||||||
|
|
||||||
|
use crate::providers::error::SecretError;
|
||||||
|
use crate::providers::{ENV_PATH, SecretProvider};
|
||||||
|
|
||||||
|
const PROVIDER: &str = "one_password";
|
||||||
|
|
||||||
|
fn map_spawn_err(e: std::io::Error) -> SecretError {
|
||||||
|
if e.kind() == std::io::ErrorKind::NotFound {
|
||||||
|
SecretError::CliNotFound { tool: "op" }
|
||||||
|
} else {
|
||||||
|
SecretError::Io(e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[skip_serializing_none]
|
||||||
|
/// 1Password-based secret provider.
|
||||||
|
/// See [1Password CLI](https://developer.1password.com/docs/cli/) for more
|
||||||
|
/// information.
|
||||||
|
///
|
||||||
|
/// You must already have the 1Password CLI (`op`) installed and configured
|
||||||
|
/// on your system.
|
||||||
|
///
|
||||||
|
/// This provider stores secrets as 1Password Password items. It requires
|
||||||
|
/// an optional vault name and an optional account identifier to be specified.
|
||||||
|
/// If no vault is specified, the user's default vault is used. If no account
|
||||||
|
/// is specified, the default signed-in account is used.
|
||||||
|
///
|
||||||
|
/// Example
|
||||||
|
/// ```no_run
|
||||||
|
/// use gman::providers::one_password::OnePasswordProvider;
|
||||||
|
/// use gman::providers::{SecretProvider, SupportedProvider};
|
||||||
|
/// use gman::config::Config;
|
||||||
|
///
|
||||||
|
/// let provider = OnePasswordProvider::default();
|
||||||
|
/// let _ = provider.set_secret("MY_SECRET", "value");
|
||||||
|
/// ```
|
||||||
|
#[derive(Debug, Default, Clone, Validate, Serialize, Deserialize, PartialEq, Eq)]
|
||||||
|
#[serde(deny_unknown_fields)]
|
||||||
|
pub struct OnePasswordProvider {
|
||||||
|
pub vault: Option<String>,
|
||||||
|
pub account: Option<String>,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl OnePasswordProvider {
|
||||||
|
fn base_command(&self) -> Command {
|
||||||
|
let mut cmd = Command::new("op");
|
||||||
|
cmd.env("PATH", ENV_PATH.as_ref().expect("No ENV_PATH set"));
|
||||||
|
if let Some(account) = &self.account {
|
||||||
|
cmd.args(["--account", account]);
|
||||||
|
}
|
||||||
|
cmd
|
||||||
|
}
|
||||||
|
|
||||||
|
fn vault_args(&self) -> Vec<&str> {
|
||||||
|
match &self.vault {
|
||||||
|
Some(vault) => vec!["--vault", vault],
|
||||||
|
None => vec![],
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn classify_op_stderr(stderr: &str, key: Option<&str>) -> SecretError {
|
||||||
|
let lc = stderr.to_lowercase();
|
||||||
|
if lc.contains("isn't an item") || lc.contains("doesn't exist") || lc.contains("not found") {
|
||||||
|
SecretError::NotFound {
|
||||||
|
key: key.unwrap_or("").to_string(),
|
||||||
|
provider: PROVIDER,
|
||||||
|
}
|
||||||
|
} else if lc.contains("not currently signed in")
|
||||||
|
|| lc.contains("session expired")
|
||||||
|
|| lc.contains("not signed in")
|
||||||
|
{
|
||||||
|
SecretError::AuthFailed {
|
||||||
|
provider: PROVIDER,
|
||||||
|
source: anyhow!("op auth error: {}", stderr.trim()),
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
SecretError::Other(anyhow!("op command failed: {}", stderr.trim()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#[async_trait::async_trait]
|
||||||
|
impl SecretProvider for OnePasswordProvider {
|
||||||
|
fn name(&self) -> &'static str {
|
||||||
|
"OnePasswordProvider"
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn get_secret(&self, key: &str) -> Result<String, SecretError> {
|
||||||
|
ensure_op_installed()?;
|
||||||
|
|
||||||
|
let mut cmd = self.base_command();
|
||||||
|
cmd.args(["item", "get", key, "--fields", "password", "--reveal"]);
|
||||||
|
cmd.args(self.vault_args());
|
||||||
|
cmd.stdin(Stdio::inherit())
|
||||||
|
.stdout(Stdio::piped())
|
||||||
|
.stderr(Stdio::piped());
|
||||||
|
|
||||||
|
let mut child = cmd.spawn().map_err(map_spawn_err)?;
|
||||||
|
|
||||||
|
let mut output = String::new();
|
||||||
|
child
|
||||||
|
.stdout
|
||||||
|
.as_mut()
|
||||||
|
.expect("Failed to open op stdout")
|
||||||
|
.read_to_string(&mut output)?;
|
||||||
|
|
||||||
|
let result = child.wait_with_output()?;
|
||||||
|
if !result.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&result.stderr);
|
||||||
|
return Err(classify_op_stderr(&stderr, Some(key)));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(output.trim_end_matches(&['\r', '\n'][..]).to_string())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn set_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
|
ensure_op_installed()?;
|
||||||
|
|
||||||
|
let mut cmd = self.base_command();
|
||||||
|
cmd.args(["item", "create", "--category", "password", "--title", key]);
|
||||||
|
cmd.args(self.vault_args());
|
||||||
|
cmd.arg(format!("password={}", value));
|
||||||
|
cmd.stdin(Stdio::inherit())
|
||||||
|
.stdout(Stdio::piped())
|
||||||
|
.stderr(Stdio::piped());
|
||||||
|
|
||||||
|
let child = cmd.spawn().map_err(map_spawn_err)?;
|
||||||
|
|
||||||
|
let result = child.wait_with_output()?;
|
||||||
|
if !result.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&result.stderr);
|
||||||
|
return Err(classify_op_stderr(&stderr, Some(key)));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn update_secret(&self, key: &str, value: &str) -> Result<(), SecretError> {
|
||||||
|
ensure_op_installed()?;
|
||||||
|
|
||||||
|
let mut cmd = self.base_command();
|
||||||
|
cmd.args(["item", "edit", key]);
|
||||||
|
cmd.args(self.vault_args());
|
||||||
|
cmd.arg(format!("password={}", value));
|
||||||
|
cmd.stdin(Stdio::inherit())
|
||||||
|
.stdout(Stdio::piped())
|
||||||
|
.stderr(Stdio::piped());
|
||||||
|
|
||||||
|
let child = cmd.spawn().map_err(map_spawn_err)?;
|
||||||
|
|
||||||
|
let result = child.wait_with_output()?;
|
||||||
|
if !result.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&result.stderr);
|
||||||
|
return Err(classify_op_stderr(&stderr, Some(key)));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn delete_secret(&self, key: &str) -> Result<(), SecretError> {
|
||||||
|
ensure_op_installed()?;
|
||||||
|
|
||||||
|
let mut cmd = self.base_command();
|
||||||
|
cmd.args(["item", "delete", key]);
|
||||||
|
cmd.args(self.vault_args());
|
||||||
|
cmd.stdin(Stdio::inherit())
|
||||||
|
.stdout(Stdio::inherit())
|
||||||
|
.stderr(Stdio::piped());
|
||||||
|
|
||||||
|
let child = cmd.spawn().map_err(map_spawn_err)?;
|
||||||
|
|
||||||
|
let result = child.wait_with_output()?;
|
||||||
|
if !result.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&result.stderr);
|
||||||
|
return Err(classify_op_stderr(&stderr, Some(key)));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn list_secrets(&self) -> Result<Vec<String>, SecretError> {
|
||||||
|
ensure_op_installed()?;
|
||||||
|
|
||||||
|
let mut cmd = self.base_command();
|
||||||
|
cmd.args(["item", "list", "--format", "json"]);
|
||||||
|
cmd.args(self.vault_args());
|
||||||
|
cmd.stdin(Stdio::inherit())
|
||||||
|
.stdout(Stdio::piped())
|
||||||
|
.stderr(Stdio::piped());
|
||||||
|
|
||||||
|
let mut child = cmd.spawn().map_err(map_spawn_err)?;
|
||||||
|
|
||||||
|
let mut output = String::new();
|
||||||
|
child
|
||||||
|
.stdout
|
||||||
|
.as_mut()
|
||||||
|
.expect("Failed to open op stdout")
|
||||||
|
.read_to_string(&mut output)?;
|
||||||
|
|
||||||
|
let result = child.wait_with_output()?;
|
||||||
|
if !result.status.success() {
|
||||||
|
let stderr = String::from_utf8_lossy(&result.stderr);
|
||||||
|
return Err(classify_op_stderr(&stderr, None));
|
||||||
|
}
|
||||||
|
|
||||||
|
let items: Vec<serde_json::Value> = serde_json::from_str(&output)
|
||||||
|
.map_err(|e| SecretError::Other(anyhow!("failed to parse op output: {}", e)))?;
|
||||||
|
|
||||||
|
let secrets: Vec<String> = items
|
||||||
|
.iter()
|
||||||
|
.filter_map(|item| item.get("title").and_then(|t| t.as_str()))
|
||||||
|
.map(|s| s.to_string())
|
||||||
|
.collect();
|
||||||
|
|
||||||
|
Ok(secrets)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn ensure_op_installed() -> Result<(), SecretError> {
|
||||||
|
if which::which("op").is_err() {
|
||||||
|
Err(SecretError::CliNotFound { tool: "op" })
|
||||||
|
} else {
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
}
|
||||||
+73
-31
@@ -1,3 +1,8 @@
|
|||||||
|
//! CLI integration tests that execute the gman binary.
|
||||||
|
//!
|
||||||
|
//! These tests are skipped when cross-compiling because the compiled binary
|
||||||
|
//! cannot be executed on a different architecture (e.g., ARM64 binary on x86_64 host).
|
||||||
|
|
||||||
use assert_cmd::prelude::*;
|
use assert_cmd::prelude::*;
|
||||||
use predicates::prelude::*;
|
use predicates::prelude::*;
|
||||||
use std::fs;
|
use std::fs;
|
||||||
@@ -7,6 +12,20 @@ use std::path::{Path, PathBuf};
|
|||||||
use std::process::{Command, Stdio};
|
use std::process::{Command, Stdio};
|
||||||
use tempfile::TempDir;
|
use tempfile::TempDir;
|
||||||
|
|
||||||
|
fn gman_bin() -> PathBuf {
|
||||||
|
PathBuf::from(env!("CARGO_BIN_EXE_gman"))
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Check if the gman binary can be executed on this system.
|
||||||
|
/// Returns false when cross-compiling (e.g., ARM64 binary on x86_64 host).
|
||||||
|
fn can_execute_binary() -> bool {
|
||||||
|
Command::new(gman_bin())
|
||||||
|
.arg("--version")
|
||||||
|
.output()
|
||||||
|
.map(|o| o.status.success())
|
||||||
|
.unwrap_or(false)
|
||||||
|
}
|
||||||
|
|
||||||
fn setup_env() -> (TempDir, PathBuf, PathBuf) {
|
fn setup_env() -> (TempDir, PathBuf, PathBuf) {
|
||||||
let td = tempfile::tempdir().expect("tempdir");
|
let td = tempfile::tempdir().expect("tempdir");
|
||||||
let cfg_home = td.path().join("config");
|
let cfg_home = td.path().join("config");
|
||||||
@@ -46,27 +65,38 @@ providers:
|
|||||||
password_file.display()
|
password_file.display()
|
||||||
)
|
)
|
||||||
};
|
};
|
||||||
// Confy with yaml feature typically uses .yml; write both to be safe.
|
|
||||||
fs::write(app_dir.join("config.yml"), &cfg).unwrap();
|
fs::write(app_dir.join("config.yml"), &cfg).unwrap();
|
||||||
fs::write(app_dir.join("config.yaml"), &cfg).unwrap();
|
fs::write(app_dir.join("config.yaml"), &cfg).unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn create_password_file(path: &Path, content: &[u8]) {
|
||||||
|
fs::write(path, content).unwrap();
|
||||||
|
#[cfg(unix)]
|
||||||
|
{
|
||||||
|
fs::set_permissions(path, fs::Permissions::from_mode(0o600)).unwrap();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
#[cfg(unix)]
|
#[cfg(unix)]
|
||||||
fn cli_config_no_changes() {
|
fn cli_config_no_changes() {
|
||||||
|
if !can_execute_binary() {
|
||||||
|
eprintln!("Skipping test: cannot execute cross-compiled binary");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
let (td, xdg_cfg, xdg_cache) = setup_env();
|
let (td, xdg_cfg, xdg_cache) = setup_env();
|
||||||
let pw_file = td.path().join("pw.txt");
|
let pw_file = td.path().join("pw.txt");
|
||||||
fs::write(&pw_file, b"pw\n").unwrap();
|
create_password_file(&pw_file, b"pw\n");
|
||||||
write_yaml_config(&xdg_cfg, &pw_file, None);
|
write_yaml_config(&xdg_cfg, &pw_file, None);
|
||||||
|
|
||||||
// Create a no-op editor script that exits successfully without modifying the file
|
|
||||||
let editor = td.path().join("noop-editor.sh");
|
let editor = td.path().join("noop-editor.sh");
|
||||||
fs::write(&editor, b"#!/bin/sh\nexit 0\n").unwrap();
|
fs::write(&editor, b"#!/bin/sh\nexit 0\n").unwrap();
|
||||||
let mut perms = fs::metadata(&editor).unwrap().permissions();
|
let mut perms = fs::metadata(&editor).unwrap().permissions();
|
||||||
perms.set_mode(0o755);
|
perms.set_mode(0o755);
|
||||||
fs::set_permissions(&editor, perms).unwrap();
|
fs::set_permissions(&editor, perms).unwrap();
|
||||||
|
|
||||||
let mut cmd = Command::cargo_bin("gman").unwrap();
|
let mut cmd = Command::new(gman_bin());
|
||||||
cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
|
cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.env("EDITOR", &editor)
|
.env("EDITOR", &editor)
|
||||||
@@ -80,15 +110,23 @@ fn cli_config_no_changes() {
|
|||||||
#[test]
|
#[test]
|
||||||
#[cfg(unix)]
|
#[cfg(unix)]
|
||||||
fn cli_config_updates_and_persists() {
|
fn cli_config_updates_and_persists() {
|
||||||
|
if !can_execute_binary() {
|
||||||
|
eprintln!("Skipping test: cannot execute cross-compiled binary");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
let (td, xdg_cfg, xdg_cache) = setup_env();
|
let (td, xdg_cfg, xdg_cache) = setup_env();
|
||||||
let pw_file = td.path().join("pw.txt");
|
let pw_file = td.path().join("pw.txt");
|
||||||
fs::write(&pw_file, b"pw\n").unwrap();
|
create_password_file(&pw_file, b"pw\n");
|
||||||
write_yaml_config(&xdg_cfg, &pw_file, None);
|
write_yaml_config(&xdg_cfg, &pw_file, None);
|
||||||
|
|
||||||
// Editor script appends a valid run_configs section to the YAML file
|
|
||||||
let editor = td.path().join("append-run-config.sh");
|
let editor = td.path().join("append-run-config.sh");
|
||||||
|
// Note: We need a small sleep to ensure the file modification timestamp changes.
|
||||||
|
// The dialoguer Editor uses file modification time to detect changes, and on fast
|
||||||
|
// systems the edit can complete within the same timestamp granularity.
|
||||||
let script = r#"#!/bin/sh
|
let script = r#"#!/bin/sh
|
||||||
FILE="$1"
|
FILE="$1"
|
||||||
|
sleep 0.1
|
||||||
cat >> "$FILE" <<'EOF'
|
cat >> "$FILE" <<'EOF'
|
||||||
run_configs:
|
run_configs:
|
||||||
- name: echo
|
- name: echo
|
||||||
@@ -101,7 +139,7 @@ exit 0
|
|||||||
perms.set_mode(0o755);
|
perms.set_mode(0o755);
|
||||||
fs::set_permissions(&editor, perms).unwrap();
|
fs::set_permissions(&editor, perms).unwrap();
|
||||||
|
|
||||||
let mut cmd = Command::cargo_bin("gman").unwrap();
|
let mut cmd = Command::new(gman_bin());
|
||||||
cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
|
cmd.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.env("EDITOR", &editor)
|
.env("EDITOR", &editor)
|
||||||
@@ -111,7 +149,6 @@ exit 0
|
|||||||
"Configuration updated successfully",
|
"Configuration updated successfully",
|
||||||
));
|
));
|
||||||
|
|
||||||
// Verify that the config file now contains the run_configs key
|
|
||||||
let cfg_path = xdg_cfg.join("gman").join("config.yml");
|
let cfg_path = xdg_cfg.join("gman").join("config.yml");
|
||||||
let written = fs::read_to_string(&cfg_path).expect("config file readable");
|
let written = fs::read_to_string(&cfg_path).expect("config file readable");
|
||||||
assert!(written.contains("run_configs:"));
|
assert!(written.contains("run_configs:"));
|
||||||
@@ -120,8 +157,13 @@ exit 0
|
|||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn cli_shows_help() {
|
fn cli_shows_help() {
|
||||||
|
if !can_execute_binary() {
|
||||||
|
eprintln!("Skipping test: cannot execute cross-compiled binary");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
let (_td, cfg, cache) = setup_env();
|
let (_td, cfg, cache) = setup_env();
|
||||||
let mut cmd = Command::cargo_bin("gman").unwrap();
|
let mut cmd = Command::new(gman_bin());
|
||||||
cmd.env("XDG_CACHE_HOME", &cache)
|
cmd.env("XDG_CACHE_HOME", &cache)
|
||||||
.env("XDG_CONFIG_HOME", &cfg)
|
.env("XDG_CONFIG_HOME", &cfg)
|
||||||
.arg("--help");
|
.arg("--help");
|
||||||
@@ -132,13 +174,17 @@ fn cli_shows_help() {
|
|||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn cli_add_get_list_update_delete_roundtrip() {
|
fn cli_add_get_list_update_delete_roundtrip() {
|
||||||
|
if !can_execute_binary() {
|
||||||
|
eprintln!("Skipping test: cannot execute cross-compiled binary");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
let (td, xdg_cfg, xdg_cache) = setup_env();
|
let (td, xdg_cfg, xdg_cache) = setup_env();
|
||||||
let pw_file = td.path().join("pw.txt");
|
let pw_file = td.path().join("pw.txt");
|
||||||
fs::write(&pw_file, b"testpw\n").unwrap();
|
create_password_file(&pw_file, b"testpw\n");
|
||||||
write_yaml_config(&xdg_cfg, &pw_file, None);
|
write_yaml_config(&xdg_cfg, &pw_file, None);
|
||||||
|
|
||||||
// add
|
let mut add = Command::new(gman_bin());
|
||||||
let mut add = Command::cargo_bin("gman").unwrap();
|
|
||||||
add.env("XDG_CONFIG_HOME", &xdg_cfg)
|
add.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.stdin(Stdio::piped())
|
.stdin(Stdio::piped())
|
||||||
@@ -154,8 +200,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
let add_out = child.wait_with_output().unwrap();
|
let add_out = child.wait_with_output().unwrap();
|
||||||
assert!(add_out.status.success());
|
assert!(add_out.status.success());
|
||||||
|
|
||||||
// get (text)
|
let mut get = Command::new(gman_bin());
|
||||||
let mut get = Command::cargo_bin("gman").unwrap();
|
|
||||||
get.env("XDG_CONFIG_HOME", &xdg_cfg)
|
get.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.args(["get", "my_api_key"]);
|
.args(["get", "my_api_key"]);
|
||||||
@@ -163,8 +208,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
.success()
|
.success()
|
||||||
.stdout(predicate::str::contains("super_secret"));
|
.stdout(predicate::str::contains("super_secret"));
|
||||||
|
|
||||||
// get as JSON
|
let mut get_json = Command::new(gman_bin());
|
||||||
let mut get_json = Command::cargo_bin("gman").unwrap();
|
|
||||||
get_json
|
get_json
|
||||||
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
@@ -173,8 +217,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
predicate::str::contains("my_api_key").and(predicate::str::contains("super_secret")),
|
predicate::str::contains("my_api_key").and(predicate::str::contains("super_secret")),
|
||||||
);
|
);
|
||||||
|
|
||||||
// list
|
let mut list = Command::new(gman_bin());
|
||||||
let mut list = Command::cargo_bin("gman").unwrap();
|
|
||||||
list.env("XDG_CONFIG_HOME", &xdg_cfg)
|
list.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.arg("list");
|
.arg("list");
|
||||||
@@ -182,8 +225,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
.success()
|
.success()
|
||||||
.stdout(predicate::str::contains("my_api_key"));
|
.stdout(predicate::str::contains("my_api_key"));
|
||||||
|
|
||||||
// update
|
let mut update = Command::new(gman_bin());
|
||||||
let mut update = Command::cargo_bin("gman").unwrap();
|
|
||||||
update
|
update
|
||||||
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
@@ -199,8 +241,7 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
let upd_out = child.wait_with_output().unwrap();
|
let upd_out = child.wait_with_output().unwrap();
|
||||||
assert!(upd_out.status.success());
|
assert!(upd_out.status.success());
|
||||||
|
|
||||||
// get again
|
let mut get2 = Command::new(gman_bin());
|
||||||
let mut get2 = Command::cargo_bin("gman").unwrap();
|
|
||||||
get2.env("XDG_CONFIG_HOME", &xdg_cfg)
|
get2.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.args(["get", "my_api_key"]);
|
.args(["get", "my_api_key"]);
|
||||||
@@ -208,15 +249,13 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
.success()
|
.success()
|
||||||
.stdout(predicate::str::contains("new_val"));
|
.stdout(predicate::str::contains("new_val"));
|
||||||
|
|
||||||
// delete
|
let mut del = Command::new(gman_bin());
|
||||||
let mut del = Command::cargo_bin("gman").unwrap();
|
|
||||||
del.env("XDG_CONFIG_HOME", &xdg_cfg)
|
del.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.args(["delete", "my_api_key"]);
|
.args(["delete", "my_api_key"]);
|
||||||
del.assert().success();
|
del.assert().success();
|
||||||
|
|
||||||
// get should now fail
|
let mut get_missing = Command::new(gman_bin());
|
||||||
let mut get_missing = Command::cargo_bin("gman").unwrap();
|
|
||||||
get_missing
|
get_missing
|
||||||
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
@@ -226,13 +265,17 @@ fn cli_add_get_list_update_delete_roundtrip() {
|
|||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn cli_wrap_dry_run_env_injection() {
|
fn cli_wrap_dry_run_env_injection() {
|
||||||
|
if !can_execute_binary() {
|
||||||
|
eprintln!("Skipping test: cannot execute cross-compiled binary");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
let (td, xdg_cfg, xdg_cache) = setup_env();
|
let (td, xdg_cfg, xdg_cache) = setup_env();
|
||||||
let pw_file = td.path().join("pw.txt");
|
let pw_file = td.path().join("pw.txt");
|
||||||
fs::write(&pw_file, b"pw\n").unwrap();
|
create_password_file(&pw_file, b"pw\n");
|
||||||
write_yaml_config(&xdg_cfg, &pw_file, Some("echo"));
|
write_yaml_config(&xdg_cfg, &pw_file, Some("echo"));
|
||||||
|
|
||||||
// Add the secret so the profile can read it
|
let mut add = Command::new(gman_bin());
|
||||||
let mut add = Command::cargo_bin("gman").unwrap();
|
|
||||||
add.env("XDG_CONFIG_HOME", &xdg_cfg)
|
add.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.stdin(Stdio::piped())
|
.stdin(Stdio::piped())
|
||||||
@@ -243,8 +286,7 @@ fn cli_wrap_dry_run_env_injection() {
|
|||||||
let add_out = child.wait_with_output().unwrap();
|
let add_out = child.wait_with_output().unwrap();
|
||||||
assert!(add_out.status.success());
|
assert!(add_out.status.success());
|
||||||
|
|
||||||
// Dry-run wrapping: prints preview command
|
let mut wrap = Command::new(gman_bin());
|
||||||
let mut wrap = Command::cargo_bin("gman").unwrap();
|
|
||||||
wrap.env("XDG_CONFIG_HOME", &xdg_cfg)
|
wrap.env("XDG_CONFIG_HOME", &xdg_cfg)
|
||||||
.env("XDG_CACHE_HOME", &xdg_cache)
|
.env("XDG_CACHE_HOME", &xdg_cache)
|
||||||
.arg("--dry-run")
|
.arg("--dry-run")
|
||||||
|
|||||||
@@ -0,0 +1,8 @@
|
|||||||
|
# Seeds for failure cases proptest has generated in the past. It is
|
||||||
|
# automatically read and these particular cases re-run before any
|
||||||
|
# novel cases are generated.
|
||||||
|
#
|
||||||
|
# It is recommended to check this file in to source control so that
|
||||||
|
# everyone who runs the test benefits from these saved cases.
|
||||||
|
cc 155469a45d7311cd4003e23a3bcdaa8e55879e6222c1b6313a2b1f0b563bb195 # shrinks to password = "", msg = " "
|
||||||
|
cc 0bc9f608677234c082d10ff51b15dc39b4c194cdf920b4d87e553467c93824ed # shrinks to password = "", msg = ""
|
||||||
@@ -1,15 +1,15 @@
|
|||||||
use base64::Engine;
|
use base64::Engine;
|
||||||
use gman::{decrypt_string, encrypt_string};
|
use gman::{decrypt_string, encrypt_string};
|
||||||
use proptest::prelude::*;
|
use proptest::prelude::*;
|
||||||
|
|
||||||
proptest! {
|
|
||||||
#![proptest_config(ProptestConfig::with_cases(64))]
|
|
||||||
}
|
|
||||||
use secrecy::SecretString;
|
use secrecy::SecretString;
|
||||||
|
|
||||||
proptest! {
|
proptest! {
|
||||||
|
// Reduced case count because Argon2 key derivation is intentionally slow
|
||||||
|
// (65 MiB memory, 3 iterations per encryption/decryption)
|
||||||
|
#![proptest_config(ProptestConfig::with_cases(4))]
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn prop_encrypt_decrypt_roundtrip(password in ".{0,64}", msg in ".{0,512}") {
|
fn prop_encrypt_decrypt_roundtrip(password in ".{1,64}", msg in ".{0,512}") {
|
||||||
let pw = SecretString::new(password.into());
|
let pw = SecretString::new(password.into());
|
||||||
let env = encrypt_string(pw.clone(), &msg).unwrap();
|
let env = encrypt_string(pw.clone(), &msg).unwrap();
|
||||||
let out = decrypt_string(pw, &env).unwrap();
|
let out = decrypt_string(pw, &env).unwrap();
|
||||||
@@ -18,10 +18,9 @@ proptest! {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[test]
|
#[test]
|
||||||
fn prop_tamper_ciphertext_detected(password in ".{0,32}", msg in ".{1,128}") {
|
fn prop_tamper_ciphertext_detected(password in ".{1,32}", msg in ".{1,128}") {
|
||||||
let pw = SecretString::new(password.into());
|
let pw = SecretString::new(password.into());
|
||||||
let env = encrypt_string(pw.clone(), &msg).unwrap();
|
let env = encrypt_string(pw.clone(), &msg).unwrap();
|
||||||
// Flip a bit in the ct payload segment
|
|
||||||
let mut parts: Vec<&str> = env.split(';').collect();
|
let mut parts: Vec<&str> = env.split(';').collect();
|
||||||
let ct_b64 = parts[6].strip_prefix("ct=").unwrap();
|
let ct_b64 = parts[6].strip_prefix("ct=").unwrap();
|
||||||
let mut ct = base64::engine::general_purpose::STANDARD.decode(ct_b64).unwrap();
|
let mut ct = base64::engine::general_purpose::STANDARD.decode(ct_b64).unwrap();
|
||||||
|
|||||||
@@ -3,4 +3,5 @@ mod azure_key_vault_tests;
|
|||||||
mod gcp_secret_manager_tests;
|
mod gcp_secret_manager_tests;
|
||||||
mod gopass_tests;
|
mod gopass_tests;
|
||||||
mod local_tests;
|
mod local_tests;
|
||||||
|
mod one_password_tests;
|
||||||
mod provider_tests;
|
mod provider_tests;
|
||||||
|
|||||||
@@ -0,0 +1,113 @@
|
|||||||
|
use gman::config::{Config, ProviderConfig};
|
||||||
|
use gman::providers::{SecretProvider, SupportedProvider};
|
||||||
|
use pretty_assertions::{assert_eq, assert_str_eq};
|
||||||
|
use validator::Validate;
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_supported_provider_display_and_validate_from_yaml() {
|
||||||
|
let yaml = r#"---
|
||||||
|
type: one_password
|
||||||
|
vault: Production
|
||||||
|
account: my.1password.com
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
|
||||||
|
assert!(sp.validate().is_ok());
|
||||||
|
assert_eq!(sp.to_string(), "one_password");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_supported_provider_minimal_yaml() {
|
||||||
|
let yaml = r#"---
|
||||||
|
type: one_password
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
|
||||||
|
assert!(sp.validate().is_ok());
|
||||||
|
assert_eq!(sp.to_string(), "one_password");
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_supported_provider_vault_only() {
|
||||||
|
let yaml = r#"---
|
||||||
|
type: one_password
|
||||||
|
vault: Personal
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
|
||||||
|
assert!(sp.validate().is_ok());
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_supported_provider_account_only() {
|
||||||
|
let yaml = r#"---
|
||||||
|
type: one_password
|
||||||
|
account: team.1password.com
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let sp: SupportedProvider = serde_yaml::from_str(yaml).expect("valid supported provider yaml");
|
||||||
|
assert!(sp.validate().is_ok());
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_supported_provider_rejects_unknown_fields() {
|
||||||
|
let yaml = r#"---
|
||||||
|
type: one_password
|
||||||
|
vault: Production
|
||||||
|
unknown_field: bad
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let result: Result<SupportedProvider, _> = serde_yaml::from_str(yaml);
|
||||||
|
assert!(result.is_err());
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_provider_config_with_one_password_deserialize_and_extract() {
|
||||||
|
let yaml = r#"---
|
||||||
|
name: op
|
||||||
|
type: one_password
|
||||||
|
"#;
|
||||||
|
|
||||||
|
let pc: ProviderConfig = serde_yaml::from_str(yaml).expect("valid provider config yaml");
|
||||||
|
assert!(pc.validate().is_ok());
|
||||||
|
|
||||||
|
let mut pc_owned = pc.clone();
|
||||||
|
let provider: &mut dyn SecretProvider = pc_owned.extract_provider();
|
||||||
|
assert_str_eq!(provider.name(), "OnePasswordProvider");
|
||||||
|
|
||||||
|
let cfg_yaml = r#"---
|
||||||
|
default_provider: op
|
||||||
|
providers:
|
||||||
|
- name: op
|
||||||
|
type: one_password
|
||||||
|
vault: Production
|
||||||
|
account: my.1password.com
|
||||||
|
"#;
|
||||||
|
let cfg: Config = serde_yaml::from_str(cfg_yaml).expect("valid config yaml");
|
||||||
|
assert!(cfg.validate().is_ok());
|
||||||
|
|
||||||
|
let extracted = cfg
|
||||||
|
.extract_provider_config(None)
|
||||||
|
.expect("should find default provider");
|
||||||
|
assert_eq!(extracted.name.as_deref(), Some("op"));
|
||||||
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
fn test_one_password_config_with_multiple_providers() {
|
||||||
|
let cfg_yaml = r#"---
|
||||||
|
default_provider: local
|
||||||
|
providers:
|
||||||
|
- name: local
|
||||||
|
type: local
|
||||||
|
- name: op
|
||||||
|
type: one_password
|
||||||
|
vault: Production
|
||||||
|
"#;
|
||||||
|
let cfg: Config = serde_yaml::from_str(cfg_yaml).expect("valid config yaml");
|
||||||
|
assert!(cfg.validate().is_ok());
|
||||||
|
|
||||||
|
let extracted = cfg
|
||||||
|
.extract_provider_config(Some("op".into()))
|
||||||
|
.expect("should find op provider");
|
||||||
|
assert_eq!(extracted.name.as_deref(), Some("op"));
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user