earl 0.5.2

AI-safe CLI for AI agents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

pub mod keychain;
pub mod metadata_index;
pub mod resolver;
pub mod resolvers;
pub mod store;

use anyhow::Result;
use secrecy::SecretString;
use std::path::PathBuf;

use crate::config;

use self::keychain::KeychainSecretStore;
use self::metadata_index::{load_index, save_index};
use self::resolver::SecretResolver;
use self::store::{SecretIndex, SecretMetadata, SecretStore};

pub struct SecretManager {
    store: Box<dyn SecretStore + Send + Sync>,
    resolvers: Vec<Box<dyn SecretResolver>>,
    index_path: std::path::PathBuf,
}

#[allow(clippy::vec_init_then_push)]
fn default_resolvers() -> Vec<Box<dyn SecretResolver>> {
    #[allow(unused_mut)]
    let mut resolvers: Vec<Box<dyn SecretResolver>> = Vec::new();
    #[cfg(feature = "secrets-1password")]
    resolvers.push(Box::new(resolvers::onepassword::OpResolver::new()));
    #[cfg(feature = "secrets-vault")]
    resolvers.push(Box::new(resolvers::vault::VaultResolver::new()));
    #[cfg(feature = "secrets-aws")]
    resolvers.push(Box::new(resolvers::aws::AwsResolver::new()));
    #[cfg(feature = "secrets-gcp")]
    resolvers.push(Box::new(resolvers::gcp::GcpResolver::new()));
    #[cfg(feature = "secrets-azure")]
    resolvers.push(Box::new(resolvers::azure::AzureResolver::new()));
    resolvers
}

impl SecretManager {
    pub fn new() -> Self {
        Self {
            store: Box::new(KeychainSecretStore),
            resolvers: default_resolvers(),
            index_path: config::secrets_index_path(),
        }
    }

    /// Create a `SecretManager` with a custom store and index path.
    ///
    /// No external secret resolvers are registered — this is intended for
    /// testing scenarios that only need the local keychain store.
    pub fn with_store_and_index(
        store: Box<dyn SecretStore + Send + Sync>,
        index_path: PathBuf,
    ) -> Self {
        Self {
            store,
            resolvers: Vec::new(),
            index_path,
        }
    }

    pub fn set(&self, key: &str, secret: SecretString) -> Result<()> {
        self.store.as_ref().set_secret(key, secret)?;
        let mut index = self.load_index()?;
        index.upsert(key);
        save_index(&self.index_path, &index)?;
        Ok(())
    }

    pub fn get(&self, key: &str) -> Result<Option<SecretMetadata>> {
        let secret_exists = self.store.as_ref().get_secret(key)?.is_some();
        if !secret_exists {
            return Ok(None);
        }
        let mut index = self.load_index()?;
        if index.get(key).is_none() {
            index.upsert(key);
            save_index(&self.index_path, &index)?;
        }
        Ok(index.get(key).cloned())
    }

    pub fn list(&self) -> Result<Vec<SecretMetadata>> {
        let index = self.load_index()?;
        let mut entries: Vec<_> = index.list().into_iter().cloned().collect();
        entries.sort_by(|a, b| a.key.cmp(&b.key));
        Ok(entries)
    }

    pub fn delete(&self, key: &str) -> Result<bool> {
        let deleted = self.store.as_ref().delete_secret(key)?;
        let mut index = self.load_index()?;
        index.remove(key);
        save_index(&self.index_path, &index)?;
        Ok(deleted)
    }

    pub fn store(&self) -> &dyn SecretStore {
        self.store.as_ref()
    }

    pub fn resolvers(&self) -> &[Box<dyn SecretResolver>] {
        &self.resolvers
    }

    fn load_index(&self) -> Result<SecretIndex> {
        load_index(&self.index_path)
    }
}

impl Default for SecretManager {
    fn default() -> Self {
        Self::new()
    }
}