This reverts commit 7f69a3b23f
.
pull/819/head
parent
7f69a3b23f
commit
7accaeffcf
@ -1,68 +0,0 @@
|
||||
package book
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"github.com/zalando/go-keyring"
|
||||
)
|
||||
|
||||
// Inspired by Github CLI
|
||||
|
||||
const MAIN_KEYRING_SERVICE = "infisical-cli"
|
||||
|
||||
type TimeoutError struct {
|
||||
message string
|
||||
}
|
||||
|
||||
func (e *TimeoutError) Error() string {
|
||||
return e.message
|
||||
}
|
||||
|
||||
func Set(key, value string) error {
|
||||
ch := make(chan error, 1)
|
||||
go func() {
|
||||
defer close(ch)
|
||||
ch <- keyring.Set(MAIN_KEYRING_SERVICE, key, value)
|
||||
}()
|
||||
select {
|
||||
case err := <-ch:
|
||||
return err
|
||||
case <-time.After(3 * time.Second):
|
||||
return &TimeoutError{"timeout while trying to set secret in keyring"}
|
||||
}
|
||||
}
|
||||
|
||||
func Get(key string) (string, error) {
|
||||
ch := make(chan struct {
|
||||
val string
|
||||
err error
|
||||
}, 1)
|
||||
go func() {
|
||||
defer close(ch)
|
||||
val, err := keyring.Get(MAIN_KEYRING_SERVICE, key)
|
||||
ch <- struct {
|
||||
val string
|
||||
err error
|
||||
}{val, err}
|
||||
}()
|
||||
select {
|
||||
case res := <-ch:
|
||||
return res.val, res.err
|
||||
case <-time.After(3 * time.Second):
|
||||
return "", &TimeoutError{"timeout while trying to get secret from keyring"}
|
||||
}
|
||||
}
|
||||
|
||||
func Delete(key string) error {
|
||||
ch := make(chan error, 1)
|
||||
go func() {
|
||||
defer close(ch)
|
||||
ch <- keyring.Delete(MAIN_KEYRING_SERVICE, key)
|
||||
}()
|
||||
select {
|
||||
case err := <-ch:
|
||||
return err
|
||||
case <-time.After(3 * time.Second):
|
||||
return &TimeoutError{"timeout while trying to delete secret from keyring"}
|
||||
}
|
||||
}
|
@ -0,0 +1,103 @@
|
||||
/*
|
||||
Copyright (c) 2023 Infisical Inc.
|
||||
*/
|
||||
package cmd
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/99designs/keyring"
|
||||
"github.com/Infisical/infisical-merge/packages/util"
|
||||
"github.com/posthog/posthog-go"
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/spf13/cobra"
|
||||
)
|
||||
|
||||
var vaultSetCmd = &cobra.Command{
|
||||
Example: `infisical vault set pass`,
|
||||
Use: "set [vault-name]",
|
||||
Short: "Used to set the vault backend to store your login details securely at rest",
|
||||
DisableFlagsInUseLine: true,
|
||||
Args: cobra.MinimumNArgs(1),
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
wantedVaultTypeName := args[0]
|
||||
currentVaultBackend, err := util.GetCurrentVaultBackend()
|
||||
if err != nil {
|
||||
log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
|
||||
return
|
||||
}
|
||||
|
||||
if wantedVaultTypeName == string(currentVaultBackend) {
|
||||
log.Error().Msgf("You are already on vault backend [%s]", currentVaultBackend)
|
||||
return
|
||||
}
|
||||
|
||||
if isVaultToSwitchToValid(wantedVaultTypeName) {
|
||||
configFile, err := util.GetConfigFile()
|
||||
if err != nil {
|
||||
log.Error().Msgf("Unable to set vault to [%s] because of [err=%s]", wantedVaultTypeName, err)
|
||||
return
|
||||
}
|
||||
|
||||
configFile.VaultBackendType = keyring.BackendType(wantedVaultTypeName) // save selected vault
|
||||
configFile.LoggedInUserEmail = "" // reset the logged in user to prompt them to re login
|
||||
|
||||
err = util.WriteConfigFile(&configFile)
|
||||
if err != nil {
|
||||
log.Error().Msgf("Unable to set vault to [%s] because an error occurred when saving the config file [err=%s]", wantedVaultTypeName, err)
|
||||
return
|
||||
}
|
||||
|
||||
fmt.Printf("\nSuccessfully, switched vault backend from [%s] to [%s]. Please login in again to store your login details in the new vault with [infisical login]\n", currentVaultBackend, wantedVaultTypeName)
|
||||
|
||||
Telemetry.CaptureEvent("cli-command:vault set", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("wantedVault", wantedVaultTypeName).Set("version", util.CLI_VERSION))
|
||||
} else {
|
||||
log.Error().Msgf("The requested vault type [%s] is not available on this system. Only the following vault backends are available for you system: %s", wantedVaultTypeName, keyring.AvailableBackends())
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
// runCmd represents the run command
|
||||
var vaultCmd = &cobra.Command{
|
||||
Use: "vault",
|
||||
Short: "Used to manage where your Infisical login token is saved on your machine",
|
||||
DisableFlagsInUseLine: true,
|
||||
Args: cobra.NoArgs,
|
||||
Run: func(cmd *cobra.Command, args []string) {
|
||||
printAvailableVaultBackends()
|
||||
},
|
||||
}
|
||||
|
||||
func printAvailableVaultBackends() {
|
||||
fmt.Printf("The following vaults are available on your system:")
|
||||
for _, backend := range keyring.AvailableBackends() {
|
||||
fmt.Printf("\n- %s", backend)
|
||||
}
|
||||
|
||||
currentVaultBackend, err := util.GetCurrentVaultBackend()
|
||||
if err != nil {
|
||||
log.Error().Msgf("printAvailableVaultBackends: unable to print the available vault backend because of error [err=%s]", err)
|
||||
}
|
||||
|
||||
Telemetry.CaptureEvent("cli-command:vault", posthog.NewProperties().Set("currentVault", currentVaultBackend).Set("version", util.CLI_VERSION))
|
||||
|
||||
fmt.Printf("\n\nYou are currently using [%s] vault to store your login credentials\n", string(currentVaultBackend))
|
||||
}
|
||||
|
||||
// Checks if the vault that the user wants to switch to is a valid available vault
|
||||
func isVaultToSwitchToValid(vaultNameToSwitchTo string) bool {
|
||||
isFound := false
|
||||
for _, backend := range keyring.AvailableBackends() {
|
||||
if vaultNameToSwitchTo == string(backend) {
|
||||
isFound = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
return isFound
|
||||
}
|
||||
|
||||
func init() {
|
||||
vaultCmd.AddCommand(vaultSetCmd)
|
||||
rootCmd.AddCommand(vaultCmd)
|
||||
}
|
@ -0,0 +1,258 @@
|
||||
package util
|
||||
|
||||
import (
|
||||
"io"
|
||||
"os"
|
||||
"path"
|
||||
"testing"
|
||||
|
||||
"github.com/Infisical/infisical-merge/packages/models"
|
||||
)
|
||||
|
||||
// References to self should return the value unaltered
|
||||
func Test_SubstituteSecrets_When_ReferenceToSelf(t *testing.T) {
|
||||
|
||||
var tests = []struct {
|
||||
Key string
|
||||
Value string
|
||||
ExpectedValue string
|
||||
}{
|
||||
{Key: "A", Value: "${A}", ExpectedValue: "${A}"},
|
||||
{Key: "A", Value: "${A} ${A}", ExpectedValue: "${A} ${A}"},
|
||||
{Key: "A", Value: "${A}${A}", ExpectedValue: "${A}${A}"},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
secret := models.SingleEnvironmentVariable{
|
||||
Key: test.Key,
|
||||
Value: test.Value,
|
||||
}
|
||||
|
||||
secrets := []models.SingleEnvironmentVariable{secret}
|
||||
result := SubstituteSecrets(secrets)
|
||||
|
||||
if result[0].Value != test.ExpectedValue {
|
||||
t.Errorf("Test_SubstituteSecrets_When_ReferenceToSelf: expected %s but got %s for input %s", test.ExpectedValue, result[0].Value, test.Value)
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
func Test_SubstituteSecrets_When_ReferenceDoesNotExist(t *testing.T) {
|
||||
|
||||
var tests = []struct {
|
||||
Key string
|
||||
Value string
|
||||
ExpectedValue string
|
||||
}{
|
||||
{Key: "A", Value: "${X}", ExpectedValue: "${X}"},
|
||||
{Key: "A", Value: "${H}HELLO", ExpectedValue: "${H}HELLO"},
|
||||
{Key: "A", Value: "${L}${S}", ExpectedValue: "${L}${S}"},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
secret := models.SingleEnvironmentVariable{
|
||||
Key: test.Key,
|
||||
Value: test.Value,
|
||||
}
|
||||
|
||||
secrets := []models.SingleEnvironmentVariable{secret}
|
||||
result := SubstituteSecrets(secrets)
|
||||
|
||||
if result[0].Value != test.ExpectedValue {
|
||||
t.Errorf("Test_SubstituteSecrets_When_ReferenceToSelf: expected %s but got %s for input %s", test.ExpectedValue, result[0].Value, test.Value)
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
func Test_SubstituteSecrets_When_ReferenceDoesNotExist_And_Self_Referencing(t *testing.T) {
|
||||
|
||||
tests := []struct {
|
||||
Key string
|
||||
Value string
|
||||
ExpectedValue string
|
||||
}{
|
||||
{
|
||||
Key: "O",
|
||||
Value: "${P} ==$$ ${X} ${UNKNOWN} ${A}",
|
||||
ExpectedValue: "DOMAIN === ${A} DOMAIN >>> ==$$ DOMAIN ${UNKNOWN} ${A}",
|
||||
},
|
||||
{
|
||||
Key: "X",
|
||||
Value: "DOMAIN",
|
||||
ExpectedValue: "DOMAIN",
|
||||
},
|
||||
{
|
||||
Key: "A",
|
||||
Value: "*${A}* ${X}",
|
||||
ExpectedValue: "*${A}* DOMAIN",
|
||||
},
|
||||
{
|
||||
Key: "H",
|
||||
Value: "${X} >>>",
|
||||
ExpectedValue: "DOMAIN >>>",
|
||||
},
|
||||
{
|
||||
Key: "P",
|
||||
Value: "DOMAIN === ${A} ${H}",
|
||||
ExpectedValue: "DOMAIN === ${A} DOMAIN >>>",
|
||||
},
|
||||
{
|
||||
Key: "T",
|
||||
Value: "${P} ==$$ ${X} ${UNKNOWN} ${A} ${P} ==$$ ${X} ${UNKNOWN} ${A}",
|
||||
ExpectedValue: "DOMAIN === ${A} DOMAIN >>> ==$$ DOMAIN ${UNKNOWN} ${A} DOMAIN === ${A} DOMAIN >>> ==$$ DOMAIN ${UNKNOWN} ${A}",
|
||||
},
|
||||
{
|
||||
Key: "S",
|
||||
Value: "${ SSS$$ ${HEY}",
|
||||
ExpectedValue: "${ SSS$$ ${HEY}",
|
||||
},
|
||||
}
|
||||
|
||||
secrets := []models.SingleEnvironmentVariable{}
|
||||
for _, test := range tests {
|
||||
secrets = append(secrets, models.SingleEnvironmentVariable{Key: test.Key, Value: test.Value})
|
||||
}
|
||||
|
||||
results := SubstituteSecrets(secrets)
|
||||
|
||||
for index, expanded := range results {
|
||||
if expanded.Value != tests[index].ExpectedValue {
|
||||
t.Errorf("Test_SubstituteSecrets_When_ReferenceToSelf: expected [%s] but got [%s] for input [%s]", tests[index].ExpectedValue, expanded.Value, tests[index].Value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Test_SubstituteSecrets_When_No_SubstituteNeeded(t *testing.T) {
|
||||
|
||||
tests := []struct {
|
||||
Key string
|
||||
Value string
|
||||
ExpectedValue string
|
||||
}{
|
||||
{
|
||||
Key: "DOMAIN",
|
||||
Value: "infisical.com",
|
||||
ExpectedValue: "infisical.com",
|
||||
},
|
||||
{
|
||||
Key: "API_KEY",
|
||||
Value: "hdgsvjshcgkdckhevdkd",
|
||||
ExpectedValue: "hdgsvjshcgkdckhevdkd",
|
||||
},
|
||||
{
|
||||
Key: "ENV",
|
||||
Value: "PROD",
|
||||
ExpectedValue: "PROD",
|
||||
},
|
||||
}
|
||||
|
||||
secrets := []models.SingleEnvironmentVariable{}
|
||||
for _, test := range tests {
|
||||
secrets = append(secrets, models.SingleEnvironmentVariable{Key: test.Key, Value: test.Value})
|
||||
}
|
||||
|
||||
results := SubstituteSecrets(secrets)
|
||||
|
||||
for index, expanded := range results {
|
||||
if expanded.Value != tests[index].ExpectedValue {
|
||||
t.Errorf("Test_SubstituteSecrets_When_ReferenceToSelf: expected [%s] but got [%s] for input [%s]", tests[index].ExpectedValue, expanded.Value, tests[index].Value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func Test_Read_Env_From_File(t *testing.T) {
|
||||
type testCase struct {
|
||||
TestFile string
|
||||
ExpectedEnv string
|
||||
}
|
||||
|
||||
var cases = []testCase{
|
||||
{
|
||||
TestFile: "testdata/infisical-default-env.json",
|
||||
ExpectedEnv: "myDefaultEnv",
|
||||
},
|
||||
{
|
||||
TestFile: "testdata/infisical-branch-env.json",
|
||||
ExpectedEnv: "myMainEnv",
|
||||
},
|
||||
{
|
||||
TestFile: "testdata/infisical-no-matching-branch-env.json",
|
||||
ExpectedEnv: "myDefaultEnv",
|
||||
},
|
||||
}
|
||||
|
||||
// create a tmp directory for testing
|
||||
testDir, err := os.MkdirTemp(os.TempDir(), "infisical-test")
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Failed to create temp directory: %s", err)
|
||||
}
|
||||
|
||||
// safe the current working directory
|
||||
originalDir, err := os.Getwd()
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Failed to get current working directory: %s", err)
|
||||
}
|
||||
|
||||
// backup the original git command
|
||||
originalGitCmd := getCurrentBranchCmd
|
||||
|
||||
// make sure to clean up after the test
|
||||
t.Cleanup(func() {
|
||||
os.Chdir(originalDir)
|
||||
os.RemoveAll(testDir)
|
||||
getCurrentBranchCmd = originalGitCmd
|
||||
})
|
||||
|
||||
// mock the git command to return "main" as the current branch
|
||||
getCurrentBranchCmd = execCmd{cmd: "echo", args: []string{"main"}}
|
||||
|
||||
for _, c := range cases {
|
||||
// make sure we start in the original directory
|
||||
err = os.Chdir(originalDir)
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Failed to change working directory: %s", err)
|
||||
}
|
||||
|
||||
// remove old test file if it exists
|
||||
err = os.Remove(path.Join(testDir, INFISICAL_WORKSPACE_CONFIG_FILE_NAME))
|
||||
if err != nil && !os.IsNotExist(err) {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Failed to remove old test file: %s", err)
|
||||
}
|
||||
|
||||
// deploy the test file
|
||||
copyTestFile(t, c.TestFile, path.Join(testDir, INFISICAL_WORKSPACE_CONFIG_FILE_NAME))
|
||||
|
||||
// change the working directory to the tmp directory
|
||||
err = os.Chdir(testDir)
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Failed to change working directory: %s", err)
|
||||
}
|
||||
|
||||
// get env from file
|
||||
env := GetEnvFromWorkspaceFile()
|
||||
if env != c.ExpectedEnv {
|
||||
t.Errorf("Test_Read_DefaultEnv_From_File: Expected env to be %s but got %s", c.ExpectedEnv, env)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func copyTestFile(t *testing.T, src, dst string) {
|
||||
srcFile, err := os.Open(src)
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_Env_From_File_By_Branch: Failed to open source file: %s", err)
|
||||
}
|
||||
defer srcFile.Close()
|
||||
|
||||
dstFile, err := os.Create(dst)
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_Env_From_File_By_Branch: Failed to create destination file: %s", err)
|
||||
}
|
||||
defer dstFile.Close()
|
||||
|
||||
_, err = io.Copy(dstFile, srcFile)
|
||||
if err != nil {
|
||||
t.Errorf("Test_Read_Env_From_File_By_Branch: Failed to copy file: %s", err)
|
||||
}
|
||||
}
|
@ -0,0 +1,73 @@
|
||||
package util
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
|
||||
"github.com/99designs/keyring"
|
||||
"golang.org/x/term"
|
||||
)
|
||||
|
||||
func GetCurrentVaultBackend() (keyring.BackendType, error) {
|
||||
configFile, err := GetConfigFile()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("getCurrentVaultBackend: unable to get config file [err=%s]", err)
|
||||
}
|
||||
|
||||
if configFile.VaultBackendType == "" {
|
||||
return keyring.AvailableBackends()[0], nil
|
||||
}
|
||||
|
||||
return configFile.VaultBackendType, nil
|
||||
}
|
||||
|
||||
func GetKeyRing() (keyring.Keyring, error) {
|
||||
currentVaultBackend, err := GetCurrentVaultBackend()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("GetKeyRing: unable to get the current vault backend, [err=%s]", err)
|
||||
}
|
||||
|
||||
keyringInstanceConfig := keyring.Config{
|
||||
FilePasswordFunc: fileKeyringPassphrasePrompt,
|
||||
ServiceName: KEYRING_SERVICE_NAME,
|
||||
LibSecretCollectionName: KEYRING_SERVICE_NAME,
|
||||
KWalletAppID: KEYRING_SERVICE_NAME,
|
||||
KWalletFolder: KEYRING_SERVICE_NAME,
|
||||
KeychainName: "login", // default so user will not be prompted
|
||||
KeychainTrustApplication: true,
|
||||
WinCredPrefix: KEYRING_SERVICE_NAME,
|
||||
FileDir: fmt.Sprintf("~/%s-file-vault", KEYRING_SERVICE_NAME),
|
||||
KeychainAccessibleWhenUnlocked: true,
|
||||
}
|
||||
|
||||
// if the user explicitly sets a vault backend, then only use that
|
||||
if currentVaultBackend != "" {
|
||||
keyringInstanceConfig.AllowedBackends = []keyring.BackendType{keyring.BackendType(currentVaultBackend)}
|
||||
}
|
||||
|
||||
keyringInstance, err := keyring.Open(keyringInstanceConfig)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("GetKeyRing: Unable to create instance of Keyring because of [err=%s]", err)
|
||||
}
|
||||
|
||||
return keyringInstance, nil
|
||||
}
|
||||
|
||||
func fileKeyringPassphrasePrompt(prompt string) (string, error) {
|
||||
if password, ok := os.LookupEnv("VAULT_PASS"); ok {
|
||||
return password, nil
|
||||
} else if password, ok := os.LookupEnv("INFISICAL_VAULT_FILE_PASSPHRASE"); ok {
|
||||
return password, nil
|
||||
} else {
|
||||
fmt.Println("To avoid repeatedly typing your password, set the environment variable `VAULT_PASS` to your password")
|
||||
}
|
||||
|
||||
fmt.Fprintf(os.Stderr, "%s:", prompt)
|
||||
b, err := term.ReadPassword(int(os.Stdin.Fd()))
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
fmt.Println("")
|
||||
return string(b), nil
|
||||
}
|
@ -0,0 +1,51 @@
|
||||
---
|
||||
title: "infisical vault"
|
||||
description: "Change the vault type in Infisical"
|
||||
---
|
||||
|
||||
<Tabs>
|
||||
<Tab title="View current Vault">
|
||||
```bash
|
||||
infisical vault
|
||||
|
||||
# Example output
|
||||
The following vaults are available on your system:
|
||||
- keychain
|
||||
- pass
|
||||
- file
|
||||
|
||||
You are currently using [keychain] vault to store your login credentials
|
||||
```
|
||||
</Tab>
|
||||
|
||||
<Tab title="Switch vault">
|
||||
```bash
|
||||
infisical vault set <name-of-vault>
|
||||
|
||||
# Example
|
||||
infisical vault set keychain
|
||||
```
|
||||
</Tab>
|
||||
</Tabs>
|
||||
|
||||
|
||||
## Description
|
||||
|
||||
To ensure secure storage of your login credentials when using the CLI, Infisical stores login credentials securely in a system vault or encrypted text file with a passphrase known only by the user.
|
||||
|
||||
<Accordion title="Supported vaults">
|
||||
By default, the most appropriate vault is chosen to store your login credentials.
|
||||
For example, if you are on macOS, KeyChain will be automatically selected.
|
||||
|
||||
- [macOS Keychain](https://support.apple.com/en-au/guide/keychain-access/welcome/mac)
|
||||
- [Windows Credential Manager](https://support.microsoft.com/en-au/help/4026814/windows-accessing-credential-manager)
|
||||
- Secret Service ([Gnome Keyring](https://wiki.gnome.org/Projects/GnomeKeyring), [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5))
|
||||
- [KWallet](https://kde.org/applications/system/org.kde.kwalletmanager5)
|
||||
- [Pass](https://www.passwordstore.org/)
|
||||
- [KeyCtl]()
|
||||
- Encrypted file (JWT)
|
||||
</Accordion>
|
||||
|
||||
<Tip>To avoid constantly entering your passphrase when using the `file` vault type, set the `INFISICAL_VAULT_FILE_PASSPHRASE` environment variable with your password in your shell</Tip>
|
||||
|
||||
|
Loading…
Reference in new issue