fnox 1.25.1

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290

use crate::commands::Cli;
use crate::config::{Config, ProviderConfig, SecretConfig};
use crate::error::{FnoxError, Result};
use crate::providers::{WizardCategory, WizardInfo, get_provider_from_resolved};
use clap::Args;
use demand::{Confirm, DemandOption, Input, Select};
use std::collections::HashMap;

#[derive(Debug, Args)]
#[command(visible_alias = "i")]
pub struct InitCommand {
    /// Overwrite existing configuration file
    #[arg(short, long)]
    force: bool,

    /// Initialize the global config file (~/.config/fnox/config.toml)
    #[arg(short = 'g', long)]
    global: bool,

    /// Skip the interactive wizard and create a minimal config
    #[arg(long)]
    skip_wizard: bool,
}

impl InitCommand {
    pub async fn run(&self, cli: &Cli) -> Result<()> {
        // Determine the target config path
        let config_path = if self.global {
            Config::global_config_path()
        } else {
            cli.config.clone()
        };

        tracing::debug!(
            "Initializing new fnox configuration at '{}'",
            config_path.display()
        );

        if config_path.exists() && !self.force {
            return Err(FnoxError::Config(format!(
                "Configuration file '{}' already exists. Use --force to overwrite.",
                config_path.display()
            )));
        }

        // Create parent directory if it doesn't exist (for global config)
        if self.global
            && let Some(parent) = config_path.parent()
        {
            std::fs::create_dir_all(parent).map_err(|e| {
                FnoxError::Config(format!(
                    "Failed to create config directory '{}': {}",
                    parent.display(),
                    e
                ))
            })?;
        }

        let config = if self.skip_wizard || !atty::is(atty::Stream::Stdin) {
            // Non-interactive mode
            Config::new()
        } else {
            // Interactive wizard mode
            self.run_wizard().await?
        };

        config.save(&config_path)?;

        println!(
            "\n✓ Created new fnox configuration at '{}'",
            config_path.display()
        );
        if self.global {
            println!("\nThis global config will be used as the base for all projects.");
        }
        println!("\nNext steps:");
        println!(
            "  • Add secrets: fnox set MY_SECRET <value>{}",
            if self.global { " --global" } else { "" }
        );
        println!("  • List secrets: fnox list");
        println!("  • Use in commands: fnox exec -- <command>");

        Ok(())
    }

    async fn run_wizard(&self) -> Result<Config> {
        println!("\n🔐 Welcome to fnox setup wizard!\n");
        println!("This will help you configure your first secret provider.\n");

        // Ask if they want to set up a provider
        let setup_provider = Confirm::new("Would you like to set up a provider now?")
            .affirmative("Yes")
            .negative("No, I'll configure it later")
            .run()
            .map_err(|e| FnoxError::Config(format!("Wizard cancelled: {}", e)))?;

        if !setup_provider {
            println!("\n✓ Creating minimal configuration file.");
            return Ok(Config::new());
        }

        // Select provider category
        let category = self.select_category()?;

        // Get providers for that category
        let providers = ProviderConfig::wizard_info_by_category(category);

        // Select specific provider
        let provider_info = self.select_provider(&providers)?;

        // Print setup instructions
        println!("\n{}\n", provider_info.setup_instructions);

        // Collect fields from user
        let fields = self.collect_fields(provider_info)?;

        // Build the config using the builder
        let provider_config =
            ProviderConfig::from_wizard_fields(provider_info.provider_type, &fields)?;

        // Get provider name before testing, since some providers (FIDO2, YubiKey)
        // use the provider name as HKDF context for key derivation.
        let provider_name = self.get_provider_name(provider_info.default_name)?;

        // Test the connection using the Provider trait
        self.test_provider_connection(&provider_name, &provider_config)
            .await;

        // Create config with provider
        let mut config = Config::new();
        config
            .providers
            .insert(provider_name.clone(), provider_config);
        config.set_default_provider(Some(provider_name));

        // Ask if they want to add an example secret
        let add_example = Confirm::new("Would you like to add an example secret?")
            .affirmative("Yes")
            .negative("No")
            .run()
            .unwrap_or(false);

        if add_example {
            let secret_name = Input::new("Secret name:")
                .placeholder("MY_SECRET")
                .run()
                .unwrap_or_else(|_| "EXAMPLE_SECRET".to_string());

            let description = Input::new("Description (optional):")
                .placeholder("Example secret for testing")
                .run()
                .ok();

            let mut secret_config = SecretConfig::new();
            secret_config.description = description.filter(|s| !s.is_empty());
            secret_config.set_provider(config.default_provider().map(|s| s.to_string()));
            // value will be set with `fnox set` later
            config.secrets.insert(secret_name, secret_config);
        }

        Ok(config)
    }

    /// Select a provider category
    fn select_category(&self) -> Result<WizardCategory> {
        let mut select = Select::new("What type of provider do you want to use?")
            .description("Choose a category based on your security and convenience needs")
            .filterable(false);

        for category in WizardCategory::all() {
            select = select.option(
                DemandOption::new(category.display_name())
                    .label(category.display_name())
                    .description(category.description()),
            );
        }

        let selected = select
            .run()
            .map_err(|e| FnoxError::Config(format!("Wizard cancelled: {}", e)))?;

        // Map the display name back to the category
        for category in WizardCategory::all() {
            if category.display_name() == selected {
                return Ok(*category);
            }
        }

        Err(FnoxError::Config("Unknown provider category".to_string()))
    }

    /// Select a specific provider from the given list
    fn select_provider(&self, providers: &[&'static WizardInfo]) -> Result<&'static WizardInfo> {
        let mut select = Select::new("Select provider:").filterable(false);

        for info in providers {
            select = select.option(
                DemandOption::new(info.provider_type)
                    .label(info.display_name)
                    .description(info.description),
            );
        }

        let selected = select
            .run()
            .map_err(|e| FnoxError::Config(format!("Wizard cancelled: {}", e)))?;

        // Find the selected provider info
        for info in providers {
            if info.provider_type == selected {
                return Ok(info);
            }
        }

        Err(FnoxError::Config("Unknown provider".to_string()))
    }

    /// Collect field values from the user
    fn collect_fields(&self, info: &WizardInfo) -> Result<HashMap<String, String>> {
        let mut fields = HashMap::new();

        for field in info.fields {
            let result = Input::new(field.label).placeholder(field.placeholder).run();

            match result {
                Ok(value) => {
                    if value.is_empty() && field.required {
                        return Err(FnoxError::Config(format!("{} is required", field.name)));
                    }
                    fields.insert(field.name.to_string(), value);
                }
                Err(e) => {
                    return Err(FnoxError::Config(format!("Wizard cancelled: {}", e)));
                }
            }
        }

        Ok(fields)
    }

    /// Get the provider name from the user
    fn get_provider_name(&self, default: &str) -> Result<String> {
        Input::new("Provider name:")
            .placeholder(default)
            .run()
            .map(|name| {
                if name.is_empty() {
                    default.to_string()
                } else {
                    name
                }
            })
            .map_err(|e| FnoxError::Config(format!("Wizard cancelled: {}", e)))
    }

    /// Test the provider connection and print the result
    async fn test_provider_connection(
        &self,
        provider_name: &str,
        provider_config: &ProviderConfig,
    ) {
        println!("\n🔍 Testing provider connection...");

        // Wizard-created configs always have literal values, so we can use try_to_resolved
        match provider_config.try_to_resolved() {
            Ok(resolved) => match get_provider_from_resolved(provider_name, &resolved) {
                Ok(provider) => match provider.test_connection().await {
                    Ok(()) => {
                        println!("✓ Provider connection successful!\n");
                    }
                    Err(e) => {
                        println!("⚠️  Provider connection test failed: {}", e);
                        println!(
                            "   You can still save the configuration and fix the issue later.\n"
                        );
                    }
                },
                Err(e) => {
                    println!("⚠️  Could not create provider: {}", e);
                    println!("   You can still save the configuration and fix the issue later.\n");
                }
            },
            Err(e) => {
                println!("⚠️  Could not resolve provider config: {}", e);
                println!("   You can still save the configuration and fix the issue later.\n");
            }
        }
    }
}