use std::collections::HashMap;
use std::io::{IsTerminal, Write as _};
use anyhow::{Context, Result};
use colored::Colorize;
use sha2::{Digest, Sha256};
use tsafe_azure::{acquire_token, delete_secret, push_secret, KvConfig, KvError, PushOutcome};
use tsafe_core::{audit::AuditEntry, events::emit_event};
use crate::helpers::*;
const AKV_TEST_LOCAL_URL_ENV: &str = "TSAFE_AKV_TEST_LOCAL_URL";
const AKV_TEST_TOKEN_ENV: &str = "TSAFE_AKV_TEST_TOKEN";
fn is_allowed_local_test_url(url: &str) -> bool {
url.starts_with("http://127.0.0.1:")
|| url.starts_with("http://localhost:")
|| url.starts_with("http://[::1]:")
}
fn local_test_override() -> Result<Option<(KvConfig, String)>> {
#[cfg(debug_assertions)]
{
if let Ok(raw_url) = std::env::var(AKV_TEST_LOCAL_URL_ENV) {
let url = raw_url.trim();
if !is_allowed_local_test_url(url) {
anyhow::bail!(
"{AKV_TEST_LOCAL_URL_ENV} must use http://127.0.0.1:<port>, http://localhost:<port>, or http://[::1]:<port>"
);
}
let token = std::env::var(AKV_TEST_TOKEN_ENV).with_context(|| {
format!("{AKV_TEST_TOKEN_ENV} must be set when {AKV_TEST_LOCAL_URL_ENV} is used")
})?;
return Ok(Some((
KvConfig {
vault_url: url.to_string(),
},
token,
)));
}
}
Ok(None)
}
fn value_fingerprint(value: &str) -> String {
let mut hasher = Sha256::new();
hasher.update(value.as_bytes());
let result = hasher.finalize();
result[..6].iter().map(|b| format!("{b:02x}")).collect()
}
pub fn normalize_to_provider(local_key: &str) -> String {
local_key.replace('_', "-").to_lowercase()
}
#[tracing::instrument(skip_all, fields(provider = "akv", dry_run))]
pub(crate) fn cmd_kv_push(
profile: &str,
prefix: Option<&str>,
ns: Option<&str>,
dry_run: bool,
yes: bool,
delete_missing: bool,
) -> Result<()> {
tracing::Span::current().record("dry_run", dry_run);
let (cfg, test_token) = match local_test_override()? {
Some((cfg, token)) => (cfg, Some(token)),
None => (
KvConfig::from_env().context("Key Vault is not configured — set TSAFE_AKV_URL")?,
None,
),
};
let acquire = || -> Result<String, KvError> {
match &test_token {
Some(token) => Ok(token.clone()),
None => acquire_token(),
}
};
use tsafe_azure::pull_secrets;
let remote_secrets: HashMap<String, String> = pull_secrets(&cfg, &acquire, None)
.context("failed to fetch remote secrets from Azure Key Vault")?
.into_iter()
.map(|(upper_key, value)| {
let provider_name = upper_key.replace('_', "-").to_lowercase();
(provider_name, value)
})
.collect();
let vault = open_vault(profile)?;
let all_keys: Vec<String> = vault
.list()
.iter()
.map(|k| k.to_string())
.filter(|k| {
if let Some(ns_prefix) = ns {
let ns_slash = format!("{ns_prefix}/");
return k.starts_with(&ns_slash);
}
if let Some(pfx) = prefix {
return k.to_uppercase().starts_with(&pfx.to_uppercase());
}
true
})
.collect();
let mut provider_name_map: HashMap<String, Vec<String>> = HashMap::new();
for local_key in &all_keys {
let provider_name = normalize_to_provider(local_key);
provider_name_map
.entry(provider_name)
.or_default()
.push(local_key.clone());
}
let mut collisions: Vec<(String, Vec<String>)> = provider_name_map
.into_iter()
.filter(|(_, locals)| locals.len() > 1)
.collect();
collisions.sort_by(|(a, _), (b, _)| a.cmp(b));
if !collisions.is_empty() {
let msg = collisions
.iter()
.map(|(provider, locals)| {
format!(
" provider key '{}' claimed by: {}",
provider,
locals.join(", ")
)
})
.collect::<Vec<_>>()
.join("\n");
anyhow::bail!(
"reverse-normalization collision detected — two local keys map to the same \
Azure Key Vault name:\n{msg}\n\
Rename one of the colliding local keys before pushing."
);
}
let mut to_create: Vec<(String, String, String)> = Vec::new(); let mut to_update: Vec<(String, String, String, String)> = Vec::new(); let mut unchanged = 0usize;
for local_key in &all_keys {
let provider_name = normalize_to_provider(local_key);
let local_value = vault.get(local_key).map_err(|e| anyhow::anyhow!("{e}"))?;
let local_hash = value_fingerprint(local_value.as_str());
match remote_secrets.get(&provider_name) {
None => {
to_create.push((local_key.clone(), provider_name, local_hash));
}
Some(remote_value) => {
let remote_hash = value_fingerprint(remote_value);
if remote_hash == local_hash {
unchanged += 1;
} else {
to_update.push((local_key.clone(), provider_name, remote_hash, local_hash));
}
}
}
}
let mut to_delete: Vec<String> = Vec::new();
if delete_missing {
let local_provider_names: std::collections::HashSet<String> =
all_keys.iter().map(|k| normalize_to_provider(k)).collect();
for provider_name in remote_secrets.keys() {
if !local_provider_names.contains(provider_name) {
let should_delete = if let Some(pfx) = prefix {
provider_name
.to_uppercase()
.starts_with(&pfx.to_uppercase())
} else if ns.is_some() {
false
} else {
true
};
if should_delete {
to_delete.push(provider_name.clone());
}
}
}
to_delete.sort();
}
let total_changes = to_create.len() + to_update.len() + to_delete.len();
if total_changes == 0 && unchanged == 0 {
println!(
"{} No secrets to push — local vault is empty for the given filter.",
"i".blue()
);
return Ok(());
}
println!(
"{} Pre-flight diff for Azure Key Vault '{}':",
"→".cyan().bold(),
cfg.vault_url
);
for (local_key, provider_name, hash) in &to_create {
println!(
" {} {} {} (local: {})",
"create".green().bold(),
provider_name,
format!("(sha256: {hash})").dimmed(),
local_key
);
}
for (local_key, provider_name, old_hash, new_hash) in &to_update {
println!(
" {} {} {} (local: {})",
"update".yellow().bold(),
provider_name,
format!("(sha256: {old_hash} → {new_hash})").dimmed(),
local_key
);
}
for provider_name in &to_delete {
println!(
" {} {} {}",
"delete".red().bold(),
provider_name,
"(--delete-missing)".dimmed()
);
}
let delete_note = if !to_delete.is_empty() {
format!(", {} delete(s)", to_delete.len())
} else {
String::new()
};
println!(
" {} {} create(s), {} update(s){delete_note}, {} unchanged",
"---".dimmed(),
to_create.len(),
to_update.len(),
unchanged
);
if !to_delete.is_empty() {
println!(
" {} AKV soft-delete: deleted secrets enter a 30-day recoverable state.",
"warn:".yellow().bold()
);
}
if dry_run {
println!("{} Dry-run complete — no writes made.", "✓".green());
return Ok(());
}
if total_changes == 0 {
println!(
"{} Nothing to push — all secrets are up to date.",
"✓".green()
);
return Ok(());
}
if !yes {
if std::io::stdin().is_terminal() {
let delete_prompt = if !to_delete.is_empty() {
format!(", {} delete(s)", to_delete.len())
} else {
String::new()
};
eprint!(
"Push {} create(s), {} update(s){delete_prompt} to AKV? [y/N] ",
to_create.len(),
to_update.len()
);
std::io::stderr().flush().ok();
let mut response = String::new();
std::io::stdin()
.read_line(&mut response)
.context("failed to read confirmation")?;
if !response.trim().eq_ignore_ascii_case("y") {
println!("{} Push aborted.", "i".blue());
return Ok(());
}
} else {
anyhow::bail!(
"non-interactive stdin and --yes not passed — refusing to push without confirmation.\n\
Add --yes to push from CI or non-interactive contexts:\n tsafe kv-push --yes"
);
}
}
let mut created = 0usize;
let mut updated = 0usize;
let mut deleted = 0usize;
let mut errors: Vec<String> = Vec::new();
for (local_key, provider_name, _hash) in &to_create {
let value = vault.get(local_key).map_err(|e| anyhow::anyhow!("{e}"))?;
match push_secret(&cfg, &acquire, provider_name, value.as_str()) {
Ok(PushOutcome::Created | PushOutcome::Updated) => {
tracing::debug!(provider_name = %provider_name, local_key = %local_key, "created secret");
created += 1;
}
Ok(PushOutcome::Unchanged) => {
}
Ok(PushOutcome::Deleted) => {
}
Err(KvError::SoftDeleted(name)) => {
errors.push(format!(
"soft-deleted conflict: {name} — recover or purge in the Azure portal"
));
}
Err(e) => {
errors.push(format!("failed to create '{provider_name}': {e}"));
}
}
}
for (local_key, provider_name, _old_hash, _new_hash) in &to_update {
let value = vault.get(local_key).map_err(|e| anyhow::anyhow!("{e}"))?;
match push_secret(&cfg, &acquire, provider_name, value.as_str()) {
Ok(PushOutcome::Updated | PushOutcome::Created | PushOutcome::Unchanged) => {
tracing::debug!(provider_name = %provider_name, local_key = %local_key, "updated secret");
updated += 1;
}
Ok(PushOutcome::Deleted) => {
}
Err(KvError::SoftDeleted(name)) => {
errors.push(format!(
"soft-deleted conflict: {name} — recover or purge in the Azure portal"
));
}
Err(e) => {
errors.push(format!("failed to update '{provider_name}': {e}"));
}
}
}
for provider_name in &to_delete {
match delete_secret(&cfg, &acquire, provider_name) {
Ok(()) => {
tracing::debug!(provider_name = %provider_name, "deleted secret");
deleted += 1;
}
Err(e) => {
errors.push(format!("failed to delete '{provider_name}': {e}"));
}
}
}
let audit_context =
format!("created={created} updated={updated} unchanged={unchanged} deleted={deleted}");
audit(profile)
.append(&AuditEntry::success(
profile,
"kv-push",
Some(&audit_context),
))
.ok();
emit_event(profile, "kv-push", Some(&audit_context));
if errors.is_empty() {
let delete_summary = if deleted > 0 {
format!(", {deleted} deleted")
} else {
String::new()
};
println!(
"{} Pushed to Key Vault '{}': {created} created, {updated} updated{delete_summary}, {unchanged} unchanged.",
"✓".green(),
cfg.vault_url
);
} else {
let delete_summary = if deleted > 0 {
format!(", {deleted} deleted")
} else {
String::new()
};
println!(
"{} Partial push to '{}': {created} created, {updated} updated{delete_summary}, {unchanged} unchanged.",
"!".yellow(),
cfg.vault_url
);
for error in &errors {
eprintln!("{} {error}", "error:".red().bold());
}
anyhow::bail!("{} secret(s) failed to push", errors.len());
}
Ok(())
}