gobby-code 0.8.1

Fast Rust CLI for Gobby's code index — AST-aware search, symbol navigation, and dependency graph
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177

//! Fernet decryption of gobby's SecretStore.
//!
//! Replicates the Python chain:
//! 1. Read ~/.gobby/machine_id (plain text)
//! 2. Read ~/.gobby/.secret_salt (16 raw bytes)
//! 3. PBKDF2-HMAC-SHA256(password=machine_id, salt=salt, iterations=600_000, length=32)
//! 4. base64url_encode(key_bytes) → Fernet key
//! 5. Fernet(key).decrypt(encrypted_value) → plaintext
//!
//! Source: src/gobby/storage/secrets.py, src/gobby/utils/machine_id.py

use anyhow::{Context as _, bail};
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE;
use pbkdf2::pbkdf2_hmac;
use postgres::Client;
use sha2::Sha256;

use crate::db;

/// Derive a Fernet key from machine_id + salt using PBKDF2-HMAC-SHA256.
/// Matches Python: _derive_fernet_key() in storage/secrets.py
fn derive_fernet_key(machine_id: &str, salt: &[u8]) -> String {
    let mut key_bytes = [0u8; 32];
    pbkdf2_hmac::<Sha256>(machine_id.as_bytes(), salt, 600_000, &mut key_bytes);
    URL_SAFE.encode(key_bytes)
}

/// Decrypt a Fernet-encrypted token string.
fn decrypt_fernet(key: &str, token: &str) -> anyhow::Result<String> {
    let fernet = fernet::Fernet::new(key).ok_or_else(|| anyhow::anyhow!("invalid Fernet key"))?;
    let plaintext = fernet
        .decrypt(token)
        .map_err(|_| anyhow::anyhow!("Fernet decryption failed (machine ID may have changed)"))?;
    String::from_utf8(plaintext).context("decrypted secret is not valid UTF-8")
}

/// Resolve a secret by name from the secrets table in the PostgreSQL hub.
///
/// Secret names are normalized to lowercase (matching Python SecretStore._normalize_name).
pub fn resolve_secret(conn: &mut Client, secret_name: &str) -> anyhow::Result<String> {
    let gobby_dir = db::gobby_home()?;
    // Read machine_id
    let machine_id_path = gobby_dir.join("machine_id");
    let machine_id = std::fs::read_to_string(&machine_id_path)
        .with_context(|| format!("failed to read {}", machine_id_path.display()))?
        .trim()
        .to_string();
    if machine_id.is_empty() {
        bail!("machine_id file is empty");
    }

    // Read salt (16 raw bytes)
    let salt_path = gobby_dir.join(".secret_salt");
    let salt = std::fs::read(&salt_path)
        .with_context(|| format!("failed to read {}", salt_path.display()))?;

    // Derive Fernet key
    let fernet_key = derive_fernet_key(&machine_id, &salt);

    let name = secret_name.trim().to_lowercase();
    let row = conn
        .query_one(
            "SELECT encrypted_value FROM secrets WHERE name = $1",
            &[&name],
        )
        .with_context(|| format!("secret '{name}' not found in secrets table"))?;
    let encrypted: String = row.try_get("encrypted_value")?;

    decrypt_fernet(&fernet_key, &encrypted)
}

/// Resolve `$secret:NAME` and `${VAR}` patterns in a config value.
///
/// - `$secret:NAME` → decrypt from secrets table
/// - `${VAR}` → environment variable
/// - `${VAR:-default}` → environment variable with default
/// - plain text → returned unchanged
pub fn resolve_config_value(value: &str, conn: &mut Client) -> anyhow::Result<String> {
    // Fast path: no patterns
    if !value.contains("$secret:") && !value.contains("${") {
        return Ok(value.to_string());
    }

    // $secret:NAME pattern
    if let Some(name) = value.strip_prefix("$secret:") {
        return resolve_secret(conn, name);
    }

    // ${VAR} or ${VAR:-default} pattern
    if value.starts_with("${") && value.ends_with('}') {
        let var_name = &value[2..value.len() - 1];
        if let Some((var, default)) = var_name.split_once(":-") {
            return Ok(std::env::var(var).unwrap_or_else(|_| default.to_string()));
        }
        return std::env::var(var_name)
            .with_context(|| format!("environment variable {var_name} not set"));
    }

    Ok(value.to_string())
}

#[cfg(test)]
fn resolve_config_value_without_secrets(value: &str) -> anyhow::Result<String> {
    if value.contains("$secret:") {
        bail!("secret resolution requires a PostgreSQL connection");
    }
    if !value.contains("${") {
        return Ok(value.to_string());
    }
    if value.starts_with("${") && value.ends_with('}') {
        let var_name = &value[2..value.len() - 1];
        if let Some((var, default)) = var_name.split_once(":-") {
            return Ok(std::env::var(var).unwrap_or_else(|_| default.to_string()));
        }
        return std::env::var(var_name)
            .with_context(|| format!("environment variable {var_name} not set"));
    }
    Ok(value.to_string())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_derive_fernet_key_deterministic() {
        let key1 = derive_fernet_key("test-machine-id", b"0123456789abcdef");
        let key2 = derive_fernet_key("test-machine-id", b"0123456789abcdef");
        assert_eq!(key1, key2);
        assert!(!key1.is_empty());
    }

    #[test]
    fn test_derive_fernet_key_different_salt() {
        let key1 = derive_fernet_key("test-machine-id", b"0123456789abcdef");
        let key2 = derive_fernet_key("test-machine-id", b"fedcba9876543210");
        assert_ne!(key1, key2);
    }

    #[test]
    fn test_decrypt_roundtrip() {
        let machine_id = "test-machine-42";
        let salt = b"abcdef0123456789";
        let fernet_key = derive_fernet_key(machine_id, salt);

        // Encrypt with the same key
        let fernet = fernet::Fernet::new(&fernet_key).unwrap();
        let token = fernet.encrypt(b"my-secret-password");

        // Decrypt
        let decrypted = decrypt_fernet(&fernet_key, &token).unwrap();
        assert_eq!(decrypted, "my-secret-password");
    }

    #[test]
    fn test_resolve_config_value_passthrough() {
        let result = resolve_config_value_without_secrets("http://localhost:8474").unwrap();
        assert_eq!(result, "http://localhost:8474");
    }

    #[test]
    fn test_resolve_config_value_env_var() {
        unsafe { std::env::set_var("GCODE_TEST_VAR_123", "hello") };
        let result = resolve_config_value_without_secrets("${GCODE_TEST_VAR_123}").unwrap();
        assert_eq!(result, "hello");
        unsafe { std::env::remove_var("GCODE_TEST_VAR_123") };
    }

    #[test]
    fn test_resolve_config_value_env_default() {
        unsafe { std::env::remove_var("GCODE_NONEXISTENT_VAR_999") };
        let result =
            resolve_config_value_without_secrets("${GCODE_NONEXISTENT_VAR_999:-fallback}").unwrap();
        assert_eq!(result, "fallback");
    }
}