feat: Require Vault set up for first-time setup so all passed in secrets can be encrypted right off the bat

2025-10-27 12:00:27 -06:00
parent 6f77b3f46e
commit b49a27f886
12 changed files with 75 additions and 22 deletions
@@ -1,5 +1,7 @@
 mod utils;

+use std::path::PathBuf;
+pub use utils::create_vault_password_file;
 pub use utils::interpolate_secrets;

 use crate::cli::Cli;
@@ -21,6 +23,17 @@ pub struct Vault {
 }

 impl Vault {
+    pub fn init_bare() -> Self {
+        let vault_password_file = Config::default().vault_password_file();
+        let local_provider = LocalProvider {
+            password_file: Some(vault_password_file),
+            git_branch: None,
+            ..LocalProvider::default()
+        };
+
+        Self { local_provider }
+    }
+
    pub fn init(config: &Config) -> Self {
        let vault_password_file = config.vault_password_file();
        let mut local_provider = LocalProvider {
@@ -35,6 +48,13 @@ impl Vault {
        Self { local_provider }
    }

+    pub fn password_file(&self) -> Result<PathBuf> {
+        self.local_provider
+            .password_file
+            .clone()
+            .with_context(|| "A password file is required for the local provider")
+    }
+
    pub fn add_secret(&self, secret_name: &str) -> Result<()> {
        let secret_value = Password::new("Enter the secret value:")
            .with_validator(required!())
@@ -19,6 +19,28 @@ pub fn ensure_password_file_initialized(local_provider: &mut LocalProvider) -> R
        {
            let file_contents = std::fs::read_to_string(&vault_password_file)?;
            if !file_contents.trim().is_empty() {
+                Ok(())
+            } else {
+                Err(anyhow!("The configured password file '{}' is empty. Please populate it with a password and try again.", vault_password_file.display()))
+            }
+        }
+    } else {
+        Err(anyhow!("A password file is required to utilize the Loki vault. Please configure a password file in your config file and try again."))
+    }
+}
+
+pub fn create_vault_password_file(vault: &mut Vault) -> Result<()> {
+    let vault_password_file = vault
+        .local_provider
+        .password_file
+        .clone()
+        .ok_or_else(|| anyhow!("Password file is not configured"))?;
+
+    if vault_password_file.exists() {
+        {
+            let file_contents = std::fs::read_to_string(&vault_password_file)?;
+            if !file_contents.trim().is_empty() {
+                debug!("create_vault_password_file was called but the password file already exists and is non-empty");
                return Ok(());
            }
        }
@@ -91,13 +113,12 @@ pub fn ensure_password_file_initialized(local_provider: &mut LocalProvider) -> R
            .into();

        if password_file != vault_password_file {
-            println!(
+            debug!(
                "{}",
                formatdoc!(
                    "
-										Note: The default password file path is '{}'.
-										You have chosen to create a different path: '{}'.
-										Please ensure your configuration is updated accordingly.
+										The default password file path is '{}'.
+										User chose to create file at a different path: '{}'.
 										",
                    vault_password_file.display(),
                    password_file.display()
@@ -116,7 +137,7 @@ pub fn ensure_password_file_initialized(local_provider: &mut LocalProvider) -> R
        match password {
            Ok(pw) => {
                std::fs::write(&password_file, pw.as_bytes())?;
-                local_provider.password_file = Some(password_file);
+                vault.local_provider.password_file = Some(password_file);
                println!(
                    "✓ Password file '{}' created.",
                    vault_password_file.display()