Skip to main content

murk_cli/
init.rs

1//! Vault initialization logic.
2
3use std::collections::{BTreeMap, HashMap};
4use std::env;
5use std::process::Command;
6
7use crate::{crypto, encrypt_value, now_utc, types};
8
9/// Strip embedded credentials from a git remote URL.
10///
11/// Handles `https://user:pass@host/repo` → `https://host/repo` and
12/// `https://token@host/repo` → `https://host/repo`.
13/// SSH and other formats are returned as-is (no credentials to strip).
14fn sanitize_remote_url(url: &str) -> String {
15    if let Some(rest) = url
16        .strip_prefix("https://")
17        .or_else(|| url.strip_prefix("http://"))
18    {
19        let scheme = if url.starts_with("https://") {
20            "https"
21        } else {
22            "http"
23        };
24        if let Some(at_pos) = rest.find('@') {
25            // Only strip if the '@' is before the first '/' (i.e. in the authority).
26            let slash_pos = rest.find('/').unwrap_or(rest.len());
27            if at_pos < slash_pos {
28                return format!("{scheme}://{}", &rest[at_pos + 1..]);
29            }
30        }
31        url.to_string()
32    } else {
33        url.to_string()
34    }
35}
36
37/// A key discovered from the environment or .env file.
38#[derive(Debug)]
39pub struct DiscoveredKey {
40    pub secret_key: String,
41    pub pubkey: String,
42}
43
44/// Try to find an existing age key from the environment.
45///
46/// Checks `MURK_KEY` first, then reads the file at `MURK_KEY_FILE` if set.
47/// Does NOT read `.env` — for direnv users, the shim already exports both
48/// variables into the environment, so the environment is the authoritative
49/// source and `.env` is only a write-only convenience populated by `murk init`.
50pub fn discover_existing_key() -> Result<Option<DiscoveredKey>, String> {
51    let raw = if let Some(k) = env::var(crate::env::ENV_MURK_KEY)
52        .ok()
53        .filter(|k| !k.is_empty())
54    {
55        Some(k)
56    } else if let Ok(path) = env::var(crate::env::ENV_MURK_KEY_FILE) {
57        let p = std::path::Path::new(&path);
58        crate::env::reject_symlink(p, "MURK_KEY_FILE")?;
59        Some(
60            std::fs::read_to_string(p)
61                .map_err(|e| format!("cannot read MURK_KEY_FILE: {e}"))?
62                .trim()
63                .to_string(),
64        )
65    } else {
66        None
67    };
68
69    match raw {
70        Some(key) => {
71            let identity = crypto::parse_identity(&key).map_err(|e| e.to_string())?;
72            let pubkey = identity.pubkey_string().map_err(|e| e.to_string())?;
73            Ok(Some(DiscoveredKey {
74                secret_key: key,
75                pubkey,
76            }))
77        }
78        None => Ok(None),
79    }
80}
81
82/// Status of an existing vault relative to a given key.
83#[derive(Debug)]
84pub struct InitStatus {
85    /// Whether the key's pubkey is in the vault's recipient list.
86    pub authorized: bool,
87    /// The public key derived from the secret key.
88    pub pubkey: String,
89    /// Display name from encrypted meta, if decryptable and present.
90    pub display_name: Option<String>,
91}
92
93/// Check whether a secret key is authorized in an existing vault.
94///
95/// Parses the identity from `secret_key`, checks the recipient list, and
96/// attempts to decrypt meta for the display name.
97pub fn check_init_status(vault: &types::Vault, secret_key: &str) -> Result<InitStatus, String> {
98    let identity = crypto::parse_identity(secret_key).map_err(|e| e.to_string())?;
99    let pubkey = identity.pubkey_string().map_err(|e| e.to_string())?;
100    let authorized = vault.recipients.contains(&pubkey);
101
102    let display_name = if authorized {
103        crate::decrypt_meta(vault, &identity)
104            .and_then(|meta| meta.recipients.get(&pubkey).cloned())
105            .filter(|name| !name.is_empty())
106    } else {
107        None
108    };
109
110    Ok(InitStatus {
111        authorized,
112        pubkey,
113        display_name,
114    })
115}
116
117/// Create a new vault with a single recipient.
118///
119/// Detects the git remote URL and builds the initial vault struct.
120/// The caller is responsible for writing the vault to disk via `vault::write`.
121pub fn create_vault(
122    vault_name: &str,
123    pubkey: &str,
124    name: &str,
125) -> Result<types::Vault, crate::error::MurkError> {
126    use crate::error::MurkError;
127
128    let mut recipient_names = HashMap::new();
129    recipient_names.insert(pubkey.to_string(), name.to_string());
130
131    let recipient = crypto::parse_recipient(pubkey)?;
132
133    // Detect git repo URL, stripping any embedded credentials.
134    let repo = Command::new("git")
135        .args(["remote", "get-url", "origin"])
136        .output()
137        .ok()
138        .filter(|o| o.status.success())
139        .and_then(|o| String::from_utf8(o.stdout).ok())
140        .map(|s| sanitize_remote_url(s.trim()))
141        .unwrap_or_default();
142
143    let mut vault = types::Vault {
144        version: types::VAULT_VERSION.into(),
145        created: now_utc(),
146        vault_name: vault_name.into(),
147        repo,
148        recipients: vec![pubkey.to_string()],
149        schema: BTreeMap::new(),
150        secrets: BTreeMap::new(),
151        meta: String::new(),
152    };
153
154    let mac_key_hex = crate::generate_mac_key();
155    let mac_key = crate::decode_mac_key(&mac_key_hex).unwrap();
156    let mac = crate::compute_mac(&vault, Some(&mac_key));
157    let meta = types::Meta {
158        recipients: recipient_names,
159        mac,
160        mac_key: Some(mac_key_hex),
161        github_pins: HashMap::new(),
162    };
163    let meta_json =
164        serde_json::to_vec(&meta).map_err(|e| MurkError::Secret(format!("meta serialize: {e}")))?;
165    vault.meta = encrypt_value(&meta_json, &[recipient])?;
166
167    Ok(vault)
168}
169
170#[cfg(test)]
171mod tests {
172    use super::*;
173    use crate::testutil::*;
174    use crate::testutil::{CWD_LOCK, ENV_LOCK};
175
176    // ── discover_existing_key tests ──
177
178    #[test]
179    fn discover_existing_key_from_env() {
180        let _lock = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
181        let (secret, pubkey) = generate_keypair();
182        unsafe { env::set_var("MURK_KEY", &secret) };
183        let result = discover_existing_key();
184        unsafe { env::remove_var("MURK_KEY") };
185
186        let dk = result.unwrap().unwrap();
187        assert_eq!(dk.secret_key, secret);
188        assert_eq!(dk.pubkey, pubkey);
189    }
190
191    #[test]
192    fn discover_existing_key_ignores_dotenv() {
193        // murk-82q: discover_existing_key must not read .env from CWD, even
194        // in the init flow. A .env sitting in the current directory with an
195        // inline MURK_KEY is explicitly *not* a trusted input source.
196        let _lock = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
197        let _cwd = CWD_LOCK.lock().unwrap_or_else(|e| e.into_inner());
198        unsafe {
199            env::remove_var("MURK_KEY");
200            env::remove_var("MURK_KEY_FILE");
201        }
202
203        let dir = std::env::temp_dir().join("murk_test_discover_ignores_dotenv");
204        std::fs::create_dir_all(&dir).unwrap();
205        let (secret, _pubkey) = generate_keypair();
206        std::fs::write(dir.join(".env"), format!("MURK_KEY={secret}\n")).unwrap();
207
208        let orig_dir = std::env::current_dir().unwrap();
209        std::env::set_current_dir(&dir).unwrap();
210        let result = discover_existing_key();
211        std::env::set_current_dir(&orig_dir).unwrap();
212        std::fs::remove_dir_all(&dir).unwrap();
213
214        assert!(
215            result.unwrap().is_none(),
216            "discover_existing_key must not fall back to .env"
217        );
218    }
219
220    #[test]
221    fn discover_existing_key_from_env_file_var() {
222        let _lock = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
223        unsafe {
224            env::remove_var("MURK_KEY");
225        }
226
227        let (secret, pubkey) = generate_keypair();
228        let dir = std::env::temp_dir().join("murk_test_discover_env_file");
229        std::fs::create_dir_all(&dir).unwrap();
230        let key_path = dir.join("key");
231        std::fs::write(&key_path, format!("{secret}\n")).unwrap();
232        #[cfg(unix)]
233        {
234            use std::os::unix::fs::PermissionsExt;
235            std::fs::set_permissions(&key_path, std::fs::Permissions::from_mode(0o600)).unwrap();
236        }
237
238        unsafe { env::set_var("MURK_KEY_FILE", &key_path) };
239        let result = discover_existing_key();
240        unsafe { env::remove_var("MURK_KEY_FILE") };
241        std::fs::remove_dir_all(&dir).unwrap();
242
243        let dk = result.unwrap().unwrap();
244        assert_eq!(dk.secret_key, secret);
245        assert_eq!(dk.pubkey, pubkey);
246    }
247
248    #[test]
249    fn discover_existing_key_neither_set() {
250        let _lock = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
251        let _cwd = CWD_LOCK.lock().unwrap_or_else(|e| e.into_inner());
252        unsafe { env::remove_var("MURK_KEY") };
253
254        // Use a dir with no .env.
255        let dir = std::env::temp_dir().join("murk_test_discover_none");
256        std::fs::create_dir_all(&dir).unwrap();
257        let orig_dir = std::env::current_dir().unwrap();
258        std::env::set_current_dir(&dir).unwrap();
259        let result = discover_existing_key();
260        std::env::set_current_dir(&orig_dir).unwrap();
261        std::fs::remove_dir_all(&dir).unwrap();
262
263        assert!(result.unwrap().is_none());
264    }
265
266    #[test]
267    fn discover_existing_key_invalid_key() {
268        let _lock = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
269        unsafe { env::set_var("MURK_KEY", "not-a-valid-age-key") };
270        let result = discover_existing_key();
271        unsafe { env::remove_var("MURK_KEY") };
272
273        assert!(result.is_err());
274    }
275
276    // ── check_init_status tests ──
277
278    #[test]
279    fn check_init_status_authorized() {
280        let (secret, pubkey) = generate_keypair();
281        let recipient = make_recipient(&pubkey);
282
283        // Build a vault with this recipient in the list and encrypted meta.
284        let mut names = HashMap::new();
285        names.insert(pubkey.clone(), "Alice".to_string());
286        let meta = types::Meta {
287            recipients: names,
288            mac: String::new(),
289            mac_key: None,
290            github_pins: HashMap::new(),
291        };
292        let meta_json = serde_json::to_vec(&meta).unwrap();
293        let meta_enc = encrypt_value(&meta_json, &[recipient]).unwrap();
294
295        let vault = types::Vault {
296            version: "2.0".into(),
297            created: "2026-01-01T00:00:00Z".into(),
298            vault_name: ".murk".into(),
299            repo: String::new(),
300            recipients: vec![pubkey.clone()],
301            schema: std::collections::BTreeMap::new(),
302            secrets: std::collections::BTreeMap::new(),
303            meta: meta_enc,
304        };
305
306        let status = check_init_status(&vault, &secret).unwrap();
307        assert!(status.authorized);
308        assert_eq!(status.pubkey, pubkey);
309        assert_eq!(status.display_name.as_deref(), Some("Alice"));
310    }
311
312    #[test]
313    fn check_init_status_not_authorized() {
314        let (secret, pubkey) = generate_keypair();
315        let (_, other_pubkey) = generate_keypair();
316
317        let vault = types::Vault {
318            version: "2.0".into(),
319            created: "2026-01-01T00:00:00Z".into(),
320            vault_name: ".murk".into(),
321            repo: String::new(),
322            recipients: vec![other_pubkey],
323            schema: std::collections::BTreeMap::new(),
324            secrets: std::collections::BTreeMap::new(),
325            meta: String::new(),
326        };
327
328        let status = check_init_status(&vault, &secret).unwrap();
329        assert!(!status.authorized);
330        assert_eq!(status.pubkey, pubkey);
331        assert!(status.display_name.is_none());
332    }
333
334    #[test]
335    fn create_vault_basic() {
336        let (_, pubkey) = generate_keypair();
337
338        let vault = create_vault(".murk", &pubkey, "Bob").unwrap();
339        assert_eq!(vault.version, types::VAULT_VERSION);
340        assert_eq!(vault.vault_name, ".murk");
341        assert_eq!(vault.recipients, vec![pubkey]);
342        assert!(vault.schema.is_empty());
343        assert!(vault.secrets.is_empty());
344        assert!(!vault.meta.is_empty());
345    }
346
347    // ── sanitize_remote_url tests ──
348
349    #[test]
350    fn sanitize_strips_https_credentials() {
351        assert_eq!(
352            sanitize_remote_url("https://user:pass@github.com/org/repo.git"),
353            "https://github.com/org/repo.git"
354        );
355    }
356
357    #[test]
358    fn sanitize_strips_https_token() {
359        assert_eq!(
360            sanitize_remote_url("https://ghp_abc123@github.com/org/repo.git"),
361            "https://github.com/org/repo.git"
362        );
363    }
364
365    #[test]
366    fn sanitize_preserves_clean_https() {
367        assert_eq!(
368            sanitize_remote_url("https://github.com/org/repo.git"),
369            "https://github.com/org/repo.git"
370        );
371    }
372
373    #[test]
374    fn sanitize_preserves_ssh() {
375        assert_eq!(
376            sanitize_remote_url("git@github.com:org/repo.git"),
377            "git@github.com:org/repo.git"
378        );
379    }
380
381    #[test]
382    fn sanitize_strips_http_credentials() {
383        assert_eq!(
384            sanitize_remote_url("http://user:pass@example.com/repo"),
385            "http://example.com/repo"
386        );
387    }
388}