secenv 0.0.0

Secure environments.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

pub mod args;
pub mod config;
pub mod pgp;
pub mod reference;

use {
    anyhow::{
        Context,
        Result,
    },
    args::ManualFormat,
    std::collections::HashMap,
};

#[tokio::main]
async fn main() -> Result<()> {
    let cmd = crate::args::ClapArgumentLoader::load()?;

    match cmd.command {
        | crate::args::Command::Manual { path, format } => {
            std::fs::create_dir_all(&path)
                .with_context(|| format!("Failed to create directory: {}", path.display()))?;
            match format {
                | ManualFormat::Manpages => {
                    reference::build_manpages(&path)?;
                },
                | ManualFormat::Markdown => {
                    reference::build_markdown(&path)?;
                },
            }
            Ok(())
        },
        | crate::args::Command::Autocomplete { path, shell } => {
            std::fs::create_dir_all(&path)
                .with_context(|| format!("Failed to create directory: {}", path.display()))?;
            reference::build_shell_completion(&path, &shell)?;
            Ok(())
        },
        | crate::args::Command::Unlock { profile, command } => {
            let mut env_vars = HashMap::new();
            
            for (key, value) in profile.vars.iter() {
                match value.get_value() {
                    | Ok(val) => {
                        env_vars.insert(key.clone(), val);
                    },
                    | Err(e) => {
                        eprintln!("Error decrypting {}: {}", key, e);
                        return Err(e);
                    },
                }
            }

            match command {
                Some(cmd_args) if !cmd_args.is_empty() => {
                    execute_command_with_env(&cmd_args, &env_vars, &profile.propagate)
                },
                _ => {
                    for (key, value) in env_vars {
                        println!("{}={}", key, value);
                    }
                    Ok(())
                }
            }
        },
        | crate::args::Command::Init { path, force } => {
            if path.exists() && !force {
                return Err(anyhow::anyhow!(
                    "Config file '{}' already exists. Use --force to overwrite.",
                    path.display()
                ));
            }

            let example_config = generate_example_config();
            
            std::fs::write(&path, example_config)
                .with_context(|| format!("Failed to write config file: {}", path.display()))?;
            
            println!("Created example configuration file: {}", path.display());
            println!("Edit the file to add your own variables and PGP keys.");
            Ok(())
        },
    }
}

/// Execute a command with the specified environment variables
fn execute_command_with_env(
    cmd_args: &[String], 
    env_vars: &HashMap<String, String>, 
    propagate_patterns: &Option<Vec<String>>
) -> Result<()> {
    use std::process::Command;
    use regex::Regex;
    
    if cmd_args.is_empty() {
        return Err(anyhow::anyhow!("No command provided"));
    }

    let program = &cmd_args[0];
    let args = &cmd_args[1..];

    let mut command = Command::new(program);
    command.args(args);

    match propagate_patterns {
        None => {
            for (key, value) in env_vars {
                command.env(key, value);
            }
        }
        Some(patterns) => {
            command.env_clear();
            
            let compiled_patterns: Result<Vec<Regex>, _> = patterns
                .iter()
                .map(|pattern| Regex::new(pattern))
                .collect();
            
            let compiled_patterns = compiled_patterns
                .with_context(|| "Failed to compile regex patterns")?;
            
            for (env_key, env_value) in std::env::vars() {
                for pattern in &compiled_patterns {
                    if pattern.is_match(&env_key) {
                        command.env(&env_key, &env_value);
                        break;
                    }
                }
            }
            
            for (key, value) in env_vars {
                command.env(key, value);
            }
        }
    }

    let status = command.status()
        .with_context(|| format!("Failed to execute command: {}", program))?;

    if !status.success() {
        if let Some(code) = status.code() {
            std::process::exit(code);
        } else {
            std::process::exit(1);
        }
    }

    Ok(())
}

/// Generate an example configuration file content
fn generate_example_config() -> String {
    r#"# secenv configuration file
# 
# This file contains environment variable definitions organized by profiles.
# You can encrypt sensitive values using PGP encryption.

# Define reusable PGP key fingerprints as YAML anchors
.defaultkey: &defaultkey "YOUR-PGP-KEY-FINGERPRINT-HERE"

profiles:
  # Development profile
  dev:
    # propagate: omitted (default) - propagates all existing environment variables
    vars:
      # Literal string value
      APP_NAME: !literal "myapp-dev"
      
      # Reference to an environment variable
      HOME_DIR: !environment "HOME"
      
      # Read content from a file
      CONFIG_JSON_CONTENT: !file "/etc/myapp/config.json"
      
      # PGP encrypted value
      # To create: echo "your-secret" | gpg --encrypt --armor --recipient YOUR-EMAIL
      DATABASE_PASSWORD: !pgp
        key: *defaultkey
        value: |
          -----BEGIN PGP MESSAGE-----
          
          Replace this with your actual PGP encrypted message.
          Use: echo "your-secret" | gpg --encrypt --armor --recipient your@email.com
          Then copy the entire output including BEGIN/END lines.
          
          -----END PGP MESSAGE-----

  # Production profile with selective environment propagation
  production:
    # Only propagate environment variables matching these regex patterns
    propagate:
      - "^PATH$"           # Exact match for PATH
      - "^HOME$"           # Exact match for HOME
      - "^LANG.*"          # Any variable starting with LANG
      - "^LC_.*"           # Any locale variable
    vars:
      APP_NAME: !literal "myapp"
      
      # Use a different key for production
      DATABASE_PASSWORD: !pgp
        key: "PRODUCTION-PGP-KEY-FINGERPRINT"
        value: |
          -----BEGIN PGP MESSAGE-----
          
          Production encrypted value here
          
          -----END PGP MESSAGE-----

  # Staging profile with no environment propagation
  staging:
    propagate: []  # Empty list = clear all environment variables
    vars:
      APP_NAME: !literal "myapp-staging"

# Usage:
# secenv unlock                    # Uses 'dev' profile by default
# secenv unlock --profile production
# secenv unlock --config /path/to/config.yaml --profile staging
"#.to_string()
}