fnox 1.25.1

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317

use crate::commands::Cli;
use crate::config::{self, Config, SecretConfig, SyncConfig, local_override_filename};
use crate::error::{FnoxError, Result};
use crate::secret_resolver::resolve_secrets_batch;
use clap::Args;
use console;
use indexmap::IndexMap;
use regex::Regex;
use std::io;
use std::path::PathBuf;

/// Sync secrets from remote providers to a local encryption provider
#[derive(Args)]
pub struct SyncCommand {
    /// Only sync these specific secret keys
    keys: Vec<String>,

    /// Skip confirmation prompt
    #[arg(short, long)]
    force: bool,

    /// Write to global config (~/.config/fnox/config.toml)
    #[arg(short = 'g', long)]
    global: bool,

    /// Show what would be done without making changes
    #[arg(short = 'n', long)]
    dry_run: bool,

    /// Target encryption provider (defaults to default_provider)
    #[arg(short = 'p', long)]
    provider: Option<String>,

    /// Only sync secrets from this source provider
    #[arg(short = 's', long)]
    source: Option<String>,

    /// Only sync matching secrets (regex pattern)
    #[arg(long)]
    filter: Option<String>,

    /// Write sync overrides to the local override file next to the config file
    #[arg(long, conflicts_with = "global")]
    local_file: bool,
}

impl SyncCommand {
    pub async fn run(&self, cli: &Cli, merged_config: Config) -> Result<()> {
        let profile = Config::get_profile(cli.profile.as_deref());
        tracing::debug!("Syncing secrets for profile '{}'", profile);

        let effective_config_path =
            if cli.config == std::path::Path::new(config::DEFAULT_CONFIG_FILENAME) {
                let current_dir = std::env::current_dir().map_err(|e| {
                    FnoxError::Config(format!("Failed to get current directory: {}", e))
                })?;
                let candidate = config::find_local_config(&current_dir, Some(&profile));
                if local_override_filename(&candidate).is_some() {
                    candidate
                } else {
                    cli.config.clone()
                }
            } else {
                cli.config.clone()
            };

        let local_override_filename = self
            .local_file
            .then(|| {
                local_override_filename(&effective_config_path).ok_or_else(|| {
                    FnoxError::Config(format!(
                        "--local-file requires --config to be 'fnox.toml' or '.fnox.toml'; '{}' would not load the adjacent local override file",
                        effective_config_path.display()
                    ))
                })
            })
            .transpose()?;

        // Determine target provider
        let target_provider_name = if let Some(ref p) = self.provider {
            p.clone()
        } else if let Some(dp) = merged_config.get_default_provider(&profile)? {
            dp
        } else {
            return Err(FnoxError::Config(
                "No target provider specified and no default_provider configured. Use -p <provider> to specify one.".to_string(),
            ));
        };

        // Verify target provider exists and has Encryption capability
        let providers = merged_config.get_providers(&profile);
        let provider_config = providers.get(&target_provider_name).ok_or_else(|| {
            FnoxError::ProviderNotConfigured {
                provider: target_provider_name.clone(),
                profile: profile.to_string(),
                config_path: None,
                suggestion: None,
            }
        })?;

        let target_provider = crate::providers::get_provider_resolved(
            &merged_config,
            &profile,
            &target_provider_name,
            provider_config,
        )
        .await?;
        let capabilities = target_provider.capabilities();
        if !capabilities.contains(&crate::providers::ProviderCapability::Encryption) {
            return Err(FnoxError::SyncTargetProviderUnsupported {
                provider: target_provider_name.clone(),
            });
        }

        // Get all secrets from config
        let all_secrets = merged_config.get_secrets(&profile)?;

        // Filter secrets to sync
        let filter_regex = if let Some(ref filter) = self.filter {
            Some(
                Regex::new(filter).map_err(|e| FnoxError::InvalidRegexFilter {
                    pattern: filter.clone(),
                    details: e.to_string(),
                })?,
            )
        } else {
            None
        };

        let keys_filter: std::collections::HashSet<_> = self.keys.iter().collect();
        let mut secrets_to_sync = IndexMap::new();
        for (key, secret_config) in &all_secrets {
            // Must have a provider configured (skip env-var-only and default-only secrets)
            let Some(source_provider) = secret_config.provider() else {
                continue;
            };

            // Must not already use the target provider
            if source_provider == target_provider_name {
                continue;
            }

            // Apply --source filter
            if let Some(ref source) = self.source
                && source_provider != source
            {
                continue;
            }

            // Apply positional KEYS filter
            if !keys_filter.is_empty() && !keys_filter.contains(key) {
                continue;
            }

            // Apply --filter regex
            if let Some(ref regex) = filter_regex
                && !regex.is_match(key)
            {
                continue;
            }

            secrets_to_sync.insert(key.clone(), secret_config.clone());
        }

        if secrets_to_sync.is_empty() {
            println!("No secrets to sync");
            return Ok(());
        }

        let destination_suffix = if self.local_file {
            " (local-file)"
        } else if self.global {
            " (global)"
        } else {
            ""
        };

        // Dry-run mode: show what would be done and exit
        if self.dry_run {
            let dry_run_label = console::style("[dry-run]").yellow().bold();
            let styled_profile = console::style(&profile).magenta();
            let styled_provider = console::style(&target_provider_name).green();

            println!(
                "{dry_run_label} Would sync {} secrets in profile {styled_profile} to provider {styled_provider}{destination_suffix}:",
                secrets_to_sync.len()
            );
            for (key, secret_config) in &secrets_to_sync {
                let source = secret_config.provider().unwrap_or("unknown");
                println!(
                    "  {} (from {})",
                    console::style(key).cyan(),
                    console::style(source).dim()
                );
            }
            return Ok(());
        }

        // Confirm unless forced
        if !self.force {
            println!(
                "\nReady to sync {} secrets to provider '{}':",
                secrets_to_sync.len(),
                target_provider_name
            );
            for (key, secret_config) in secrets_to_sync.iter().take(10) {
                let source = secret_config.provider().unwrap_or("unknown");
                println!("  {} (from {})", key, source);
            }
            if secrets_to_sync.len() > 10 {
                println!("  ... and {} more", secrets_to_sync.len() - 10);
            }

            println!("\nContinue? [y/N]");
            let mut response = String::new();
            io::stdin()
                .read_line(&mut response)
                .map_err(|e| FnoxError::StdinReadFailed { source: e })?;

            if !response.trim().to_lowercase().starts_with('y') {
                println!("Sync cancelled");
                return Ok(());
            }
        }

        // Resolve raw values from the original provider:
        // - Cached sync values would prevent picking up changes after the first sync.
        // - Post-processed values (e.g. from json_path) would cause future reads to fail.
        let secrets_for_resolve: IndexMap<String, SecretConfig> = secrets_to_sync
            .iter()
            .map(|(key, sc)| (key.clone(), sc.for_raw_resolve()))
            .collect();

        let resolved =
            resolve_secrets_batch(&merged_config, &profile, &secrets_for_resolve).await?;

        // Encrypt each value and build updated secret configs
        let mut synced_secrets = IndexMap::new();
        let mut synced_count = 0;
        let mut skipped_count = 0;

        // Determine target config file path
        let (target_path, ensure_parent_dir) = if self.local_file {
            let config_dir = effective_config_path
                .parent()
                .filter(|p| !p.as_os_str().is_empty())
                .map(PathBuf::from)
                .unwrap_or_else(|| PathBuf::from("."));
            (
                config_dir
                    .join(local_override_filename.expect("validated local override filename")),
                true,
            )
        } else if self.global {
            (Config::global_config_path(), true)
        } else {
            (cli.config.clone(), false)
        };

        if ensure_parent_dir
            && let Some(parent) = target_path.parent()
            && !parent.as_os_str().is_empty()
        {
            std::fs::create_dir_all(parent).map_err(|e| FnoxError::CreateDirFailed {
                path: parent.to_path_buf(),
                source: e,
            })?;
        }

        for (key, plaintext) in &resolved {
            let Some(plaintext) = plaintext else {
                tracing::warn!("Skipping '{}': could not resolve value", key);
                skipped_count += 1;
                continue;
            };

            let mut secret_config = secrets_to_sync[key].clone();

            // Encrypt with target provider
            match target_provider.encrypt(plaintext).await {
                Ok(encrypted) => {
                    secret_config.sync = Some(SyncConfig {
                        provider: target_provider_name.clone(),
                        value: encrypted,
                    });
                    synced_secrets.insert(key.clone(), secret_config);
                    synced_count += 1;
                }
                Err(e) => {
                    return Err(FnoxError::SyncEncryptionFailed {
                        key: key.clone(),
                        provider: target_provider_name.clone(),
                        details: e.to_string(),
                    });
                }
            }
        }

        if synced_secrets.is_empty() {
            println!("No secrets were synced (all skipped)");
            return Ok(());
        }

        // Save to config
        Config::save_secrets_to_source(&synced_secrets, &profile, &target_path)?;

        println!(
            "Synced {} secrets to provider '{}'{}",
            synced_count, target_provider_name, destination_suffix
        );
        if skipped_count > 0 {
            println!("Skipped {} secrets (could not resolve)", skipped_count);
        }

        Ok(())
    }
}