keyflux 0.1.14

A CLI tool and library for synchronizing environment secrets across multiple platforms including local files, GitHub Secrets, Supabase Vault, and Vercel Secrets. It facilitates secure management and automation of sensitive data.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320

use async_trait::async_trait;
use log::{info, error};
use reqwest::{Client};
use crate::error::FluxError;
use crate::traits::{Flux};
use crate::key::Key;
use serde::{Deserialize, Serialize};
use futures::future::join_all;
use futures::FutureExt;
use reqwest::header::USER_AGENT;
use serde_json::Value;
use sodiumoxide::crypto::{box_, sealedbox};
use sodiumoxide::base64::{self, Variant};
use sodiumoxide::crypto::box_::PublicKey;
use crate::file::key_collection::KeyCollection;
use crate::flux::{merge, merge_and_return_json, replace_vars_in_json};

/// Represents a GitHub Flux for managing environment secrets.
///
/// This structure encapsulates the necessary parameters for making API requests to GitHub
/// to create, update, and manage environment secrets in a specified repository.
///
/// # Fields
///
/// * `owner` - The account owner of the repository.
/// * `repo` - The name of the repository.
/// * `environment_name` - The name of the environment.
/// * `token_env_key` - An optional environment variable key for the GitHub token.
#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct GitHubVariables {
    pub owner: String,
    pub repo: String,
    pub environment_name: String,
    pub token: Option<String>,
}

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct GitHubFlux {
    pub input: Option<Value>,
}

static GITHUB_ACCESS_TOKEN: &str = "GITHUB_ACCESS_TOKEN";

impl GitHubFlux {
    fn get_token(&self) -> Result<String, FluxError> {
        // let key_input = key.input().clone();
        let mut raw_input = self.input.clone().unwrap();
        replace_vars_in_json(&mut raw_input);
        let input: GitHubVariables = serde_json::from_value(raw_input).unwrap();

        // let token_key = self.token_env_key.clone().unwrap_or_else(|| "GITHUB_TOKEN".to_string());
        // std::env::var(&token_key).map_err(|_| FluxError::Unauthorized(format!("GitHub token not found in environment variable '{}'", token_key)))
        if let Some(token) = &input.token {
            Ok(token.clone())
        } else {
            std::env::var(GITHUB_ACCESS_TOKEN).map_err(|_| {
                FluxError::Unauthorized(format!(
                    "GitHub token not found in environment variable '{}'",
                    GITHUB_ACCESS_TOKEN
                ))
            })
        }
    }

    async fn get_public_key(&self, client: &Client, token: &str) -> Result<(String, box_::PublicKey), FluxError> {
        let mut raw_input = self.input.clone().unwrap();
        replace_vars_in_json(&mut raw_input);
        let input: GitHubVariables = serde_json::from_value(raw_input).unwrap();

        let url = format!(
            "https://api.github.com/repos/{}/{}/environments/{}/secrets/public-key",
            input.owner, input.repo, input.environment_name
        );

        // format url
        info!("Fetching public key from {}", url);

        let res = client.get(&url)
            .bearer_auth(token)
            .header(USER_AGENT, "keyflux-cli")
            .header("Accept", "application/vnd.github+json")
            .send()
            .await?;

        if res.status().is_success() {
            let json: serde_json::Value = res.json().await?;
            let key_id = json["key_id"].as_str().ok_or_else(|| FluxError::InvalidKeyId("Invalid key ID".to_string()))?;
            let key = json["key"].as_str().ok_or_else(|| FluxError::InvalidKey("Invalid key".to_string()))?;
            let decoded_key = base64::decode(key, Variant::Original).map_err(|_| FluxError::DecodeKeyError("Failed to decode key".to_string()))?;
            let public_key = box_::PublicKey::from_slice(&decoded_key).ok_or_else(|| FluxError::CreatePublicKeyError("Failed to create public key".to_string()))?;
            info!("Public key: {:?}", public_key);
            Ok((key_id.to_string(), public_key))
        } else {
            let status = res.status();
            let error_text = res.text().await.unwrap_or_else(|_| "Unknown error".to_string());
            Err(FluxError::GetPublicKeyError(format!("Failed to get public key: {} - {}", status, error_text)))
        }
    }


    // fn encrypt_secret(public_key: &box_::PublicKey, secret: &str) -> Result<String, FluxError> {
    //     let secret_box = box_::seal(secret.as_bytes(), &box_::gen_nonce(), &public_key, &box_::SecretKey::from_slice(&[0u8; box_::SECRETKEYBYTES]).unwrap());
    //     Ok(base64::encode(&secret_box, Variant::Original))
    // }


    fn encrypt_secret(public_key: &PublicKey, secret: &str) -> Result<String, FluxError> {
        // Convert the secret to bytes
        let secret_bytes = secret.as_bytes();

        // Encrypt the secret using the public key
        let encrypted_secret = sealedbox::seal(secret_bytes, public_key);

        // Encode the encrypted secret to Base64
        let encoded_secret = base64::encode(&encrypted_secret, Variant::Original);

        Ok(encoded_secret)
    }
}

#[async_trait]
impl Flux for GitHubFlux {
    async fn initialize(&self) -> Result<(), FluxError> {
        Ok(())
    }

    async fn finalize(&self) -> Result<(), FluxError> {
        Ok(())
    }

    async fn single(&self, key: &Key) -> Result<(), FluxError> {
        let client = Client::new();
        let token = self.get_token()?;

        let mut raw_input = self.input.clone().unwrap();
        replace_vars_in_json(&mut raw_input);
        let input: GitHubVariables = serde_json::from_value(raw_input).unwrap();

        // let mut raw_input = self.input.clone();
        // replace_vars_in_json(&mut raw_input);
        // let input : GitHubVariables = serde_json::from_value(raw_input).unwrap();

        // Fetch the public key for the environment
        let (key_id, public_key) = self.get_public_key(&client, &token).await?;

        // Encrypt the secret value
        let encrypted_value = Self::encrypt_secret(&public_key, &key.value())?;
        let url = format!(
            "https://api.github.com/repos/{}/{}/environments/{}/secrets/{}",
            input.owner, input.repo, input.environment_name, key.name()
        );

        let body = serde_json::json!({
            "encrypted_value": encrypted_value,
            "key_id": key_id});

        let res = client.put(&url)
            .bearer_auth(token)
            .header("Accept", "application/vnd.github+json")
            .header(USER_AGENT, "keyflux-cli")
            .json(&body)
            .send()
            .await?;

        if !res.status().is_success() {
            let status = res.status();
            let error_text = res.text().await.unwrap_or_else(|_| "Unknown error".to_string());
            match status {
                reqwest::StatusCode::FORBIDDEN => {
                    error!("Unauthorized access for secret {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::Unauthorized(format!("Unauthorized access for secret {}: {}", key.name(), error_text)));
                }
                reqwest::StatusCode::BAD_REQUEST => {
                    error!("Bad request for secret {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::BadRequest(format!("Bad request for secret {}: {}", key.name(), error_text)));
                }
                reqwest::StatusCode::PAYMENT_REQUIRED => {
                    error!("Payment required for secret {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::PaymentRequired(format!("Payment required for secret {}: {}", key.name(), error_text)));
                }
                reqwest::StatusCode::CONFLICT => {
                    error!("Conflict for secret {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::Conflict(format!("Conflict for secret {}: {}", key.name(), error_text)));
                }
                reqwest::StatusCode::NOT_FOUND => {
                    error!("Secret not found {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::NotFound(format!("Secret not found {}: {}", key.name(), error_text)));
                }
                _ => {
                    error!("Failed to set GitHub secret {}: {} - {}", key.name(), status, error_text);
                    return Err(FluxError::NotFound(format!("Failed to set GitHub secret {}: {}", key.name(), error_text)));
                }
            }
        }

        info!("Set GitHub secret {}: {}", key.name(), res.status());
        Ok(())
    }


    async fn batch(&self, keys: &KeyCollection) -> Result<(), FluxError> {
        let client = Client::new();
        let token = self.get_token()?;
        // Fetch the public key for the environment
        let (key_id, public_key) = self.get_public_key(&client, &token).await?;
        let tasks = keys.iter().map(|key| {
            let encrypted_value = match Self::encrypt_secret(&public_key, &key.value()) {
                Ok(val) => val,
                Err(err) => return async { Err(err) }.boxed(),
            };
            let key_input = key.input().clone();
            let mut raw_input = self.input.clone();
            let mut combined = merge_and_return_json(raw_input, key_input).unwrap();
            replace_vars_in_json(&mut combined);
            // info!("Key value: {:?}", key.value());
            let input: GitHubVariables = serde_json::from_value(combined).unwrap();
            // info!("Setting GitHub secret {}, url: {}, value: {}", key.name(), input.owner, encrypted_value);
            let url = format!(
                "https://api.github.com/repos/{}/{}/environments/{}/secrets/{}",
                input.owner, input.repo, input.environment_name, key.name()
            );

            // info!("Setting GitHub secret {}, url: {}", key.name(), url);

            let body = serde_json::json!({
            "encrypted_value": encrypted_value,
            "key_id": key_id
        });

            let client = client.clone();
            let token = token.clone();
            async move {
                let res = client.put(&url)
                    .header("Authorization", format!("Bearer {}", token))
                    .header("Accept", "application/vnd.github+json")
                    .header(USER_AGENT, "keyflux-cli")
                    .json(&body)
                    .send()
                    .await?;

                if !res.status().is_success() {
                    let status = res.status();
                    let error_text = res.text().await.unwrap_or_else(|_| "Unknown error".to_string());
                    match status {
                        reqwest::StatusCode::FORBIDDEN => {
                            error!("Unauthorized access for secret {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::Unauthorized(format!("Unauthorized access for secret {}: {}", key.name(), error_text)));
                        }
                        reqwest::StatusCode::BAD_REQUEST => {
                            error!("Bad request for secret {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::BadRequest(format!("Bad request for secret {}: {}", key.name(), error_text)));
                        }
                        reqwest::StatusCode::PAYMENT_REQUIRED => {
                            error!("Payment required for secret {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::PaymentRequired(format!("Payment required for secret {}: {}", key.name(), error_text)));
                        }
                        reqwest::StatusCode::CONFLICT => {
                            error!("Conflict for secret {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::Conflict(format!("Conflict for secret {}: {}", key.name(), error_text)));
                        }
                        reqwest::StatusCode::NOT_FOUND => {
                            error!("Secret not found {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::NotFound(format!("Secret not found {}: {}", key.name(), error_text)));
                        }
                        _ => {
                            error!("Failed to set GitHub secret {}: {} - {}", key.name(), status, error_text);
                            return Err(FluxError::NotFound(format!("Failed to set GitHub secret {}: {}", key.name(), error_text)));
                        }
                    }
                }

                info!("Set GitHub secret {}: {}", key.name(), res.status());
                Result::<(), FluxError>::Ok(())
            }.boxed()
        });

        let results = join_all(tasks).await;
        info!("Set {:?} GitHub secrets", results);

        // for (i, result) in results.into_iter().enumerate() {
        //     if let Err(err) = result {
        //         error!("Failed to set secret for key {}: {:?}", keys[i].name(), err);
        //     }
        // }
        // for (index, key) in keys.iter().enumerate() {
        //     error!("Failed to set secret for key {}: {:?}", key.name(), results[index]);
        // }

        Ok(())
    }


    async fn check(&self, _key: &Key) -> Result<Option<String>, FluxError> {
        Ok(None)
    }

    async fn revert(&self, _key: &Key) -> Result<(), FluxError> {
        Ok(())
    }
}

// #[async_trait]
// impl Fetch for GitHubFlux {
//     async fn fetch(&self, client: &Client) -> Result<Response, FluxError> {
//         let token = self.get_token()?;
//         let url = format!("https://api.github.com/repos/{}/{}/environments/{}/secrets/public-key", self.owner, self.repo, self.environment_name);
//
//         let res = client.get(&url)
//             .header("Authorization", format!("Bearer {}", token))
//             .header("Accept", "application/vnd.github+json")
//             .send()
//             .await?;
//
//         if res.status().is_success() {
//             Ok(res)
//         } else {
//             Err(FluxError::ReqwestError(res.error_for_status().unwrap_err()))
//         }
//     }
// }