makit 0.0.147 → 0.0.153

data/lib/makit/secrets/azure_key_vault.rb

@@ -0,0 +1,323 @@
+
+
+module Makit
+    module Secrets
+      # Azure Key Vault operations
+      class AzureKeyVault
+        # Required environment variables
+        REQUIRED_VARS = [
+          "AZURE_STORAGE_ACCOUNT",
+          "AZURE_STORAGE_ACCOUNT_KEY",
+        ].freeze
+  
+        # Optional environment variables
+        OPTIONAL_VARS = [
+          "AZURE_CDN_RESOURCE_GROUP",
+          "AZURE_CDN_PROFILE_NAME",
+          "AZURE_CDN_ENDPOINT_NAME",
+          "GITLAB_NUGET_TOKEN",
+          "GITLAB_USERNAME",
+        ].freeze
+  
+        # All environment variablesazure_key_vault.r
+        ALL_VARS = (REQUIRED_VARS + OPTIONAL_VARS).freeze
+  
+        # Check if kvenv is available
+        def self.kvenv_available?
+          system("which kvenv > /dev/null 2>&1")
+        end
+  
+        # Check if Azure CLI is authenticated
+        def self.azure_cli_authenticated?
+          return false unless system("which az > /dev/null 2>&1")
+          system("az account show > /dev/null 2>&1")
+        end
+  
+        # Get Azure Key Vault name from environment or use default
+        def self.keyvault_name
+          ENV["AZURE_KEYVAULT_NAME"] || "louparslow-secrets"
+        end
+  
+        # Get secret name from environment or auto-generate from GIT_REMOTE_URL
+        def self.secret_name
+          return ENV["AZURE_SECRET_NAME"] if ENV["AZURE_SECRET_NAME"] && !ENV["AZURE_SECRET_NAME"].empty?
+          
+          # Auto-generate from GIT_REMOTE_URL
+          git_remote_url = get_git_remote_url
+          if git_remote_url && !git_remote_url.empty?
+            generate_secret_name_from_url(git_remote_url)
+          else
+            "portal-secrets"  # Fallback default
+          end
+        end
+        
+        # Get GIT_REMOTE_URL from various sources
+        def self.get_git_remote_url
+          # Try constant first
+          return GIT_REMOTE_URL if defined?(GIT_REMOTE_URL) && !GIT_REMOTE_URL.nil? && !GIT_REMOTE_URL.empty?
+          
+          # Try Git module
+          if defined?(Makit::Git) && Makit::Git.git_repo?
+            url = Makit::Git.get_remote_url
+            return url if url && !url.empty?
+          end
+          
+          # Try project configuration
+          if defined?(Makit::Configuration::Project)
+            project = Makit::Configuration::Project.default
+            url = project.git_remote_url
+            return url if url && !url.nil? && !url.empty?
+          end
+          
+          nil
+        end
+        
+        # Generate a valid Azure Key Vault secret name from a Git remote URL
+        # Azure Key Vault secret names must be 1-127 characters, alphanumeric and hyphens only,
+        # cannot start or end with hyphen, and cannot have consecutive hyphens
+        def self.generate_secret_name_from_url(url)
+          # Remove protocol (http://, https://, git@)
+          name = url.gsub(/^https?:\/\//, "").gsub(/^git@/, "")
+          
+          # Remove .git suffix if present
+          name = name.gsub(/\.git$/, "")
+          
+          # Replace invalid characters with hyphens
+          name = name.gsub(/[^a-zA-Z0-9\-]/, "-")
+          
+          # Remove consecutive hyphens
+          name = name.gsub(/-+/, "-")
+          
+          # Remove leading/trailing hyphens
+          name = name.gsub(/^-+|-+$/, "")
+          
+          # Ensure it starts with a letter or number (Azure requirement)
+          name = "secret-#{name}" if name.empty? || name.match(/^[^a-zA-Z0-9]/)
+          
+          # Truncate to 127 characters (Azure Key Vault limit)
+          name = name[0, 127]
+          
+          # Remove trailing hyphen if truncation created one
+          name = name.gsub(/-+$/, "")
+          
+          # Ensure it's not empty
+          name = "git-secrets" if name.empty?
+          
+          name
+        end
+  
+        # Get secret prefix from environment
+        def self.secret_prefix
+          ENV["AZURE_SECRET_PREFIX"]
+        end
+  
+        # Setup method: Attempt to initialize environment variables
+        def self.setup
+          puts "Setting up secrets...".colorize(:blue)
+  
+          # Check if required variables are already set
+          missing_required = REQUIRED_VARS.select { |var| ENV[var].nil? || ENV[var].empty? }
+  
+          if missing_required.empty?
+            puts "  All required environment variables are already set".colorize(:green)
+            return true
+          end
+  
+          puts "  Missing required variables: #{missing_required.join(", ")}".colorize(:yellow)
+          puts "  Attempting to load from Azure Key Vault...".colorize(:yellow)
+  
+          # Try to load from Azure Key Vault
+          if load(keyvault_name: nil, secret_name: nil)
+            # Verify again after loading
+            still_missing = REQUIRED_VARS.select { |var| ENV[var].nil? || ENV[var].empty? }
+            if still_missing.empty?
+              puts "  Successfully loaded all required secrets".colorize(:green)
+              return true
+            else
+              puts "  Warning: Still missing required variables: #{still_missing.join(", ")}".colorize(:yellow)
+              return false
+            end
+          else
+            puts "  Could not load secrets from Azure Key Vault".colorize(:yellow)
+            puts "  Please set environment variables manually or configure Azure Key Vault access".colorize(:yellow)
+            return false
+          end
+        end
+  
+        # Verify that expected environment variables are set
+        def self.verify(warn_only: true)
+          issues = []
+          warnings = []
+  
+          # Check required variables
+          REQUIRED_VARS.each do |var|
+            if ENV[var].nil? || ENV[var].empty?
+              issues << "Required variable '#{var}' is not set"
+            end
+          end
+  
+          # Check optional variables (only warn)
+          OPTIONAL_VARS.each do |var|
+            if ENV[var].nil? || ENV[var].empty?
+              warnings << "Optional variable '#{var}' is not set"
+            end
+          end
+  
+          # Report issues
+          if issues.any?
+            if warn_only
+              issues.each { |issue| puts "  ⚠️  #{issue}".colorize(:yellow) }
+            else
+              issues.each { |issue| puts "  ❌ #{issue}".colorize(:red) }
+            end
+          end
+  
+          if warnings.any?
+            warnings.each { |warning| puts "  ℹ️  #{warning}".colorize(:cyan) }
+          end
+  
+          if issues.empty? && warnings.empty?
+            puts "  ✅ All environment variables are set".colorize(:green)
+            return true
+          elsif issues.empty?
+            puts "  ✅ All required environment variables are set".colorize(:green)
+            return true
+          else
+            return false
+          end
+        end
+  
+        # Get status of all environment variables
+        def self.status
+          puts "Environment Variables Status:".colorize(:blue)
+          puts ""
+  
+          puts "Required Variables:".colorize(:cyan)
+          REQUIRED_VARS.each do |var|
+            status = ENV[var].nil? || ENV[var].empty? ? "❌ Not set" : "✅ Set"
+            color = ENV[var].nil? || ENV[var].empty? ? :red : :green
+            puts "  #{var}: #{status}".colorize(color)
+          end
+  
+          puts ""
+          puts "Optional Variables:".colorize(:cyan)
+          OPTIONAL_VARS.each do |var|
+            status = ENV[var].nil? || ENV[var].empty? ? "⚪ Not set" : "✅ Set"
+            color = ENV[var].nil? || ENV[var].empty? ? :yellow : :green
+            puts "  #{var}: #{status}".colorize(color)
+          end
+        end
+  
+        # Load secrets from Azure Key Vault using kvenv
+        # @param keyvault_name [String, nil] The Azure Key Vault name (defaults to ENV["AZURE_KEYVAULT_NAME"] or "louparslow-secrets")
+        # @param secret_name [String, nil] The secret name in Key Vault (defaults to ENV["AZURE_SECRET_NAME"] or "portal-secrets")
+        # @return [Boolean] true if secrets were loaded successfully, false otherwise
+        def self.load(keyvault_name: nil, secret_name: nil)
+          # Use provided parameters or fall back to defaults
+          kv_name = keyvault_name || self.keyvault_name
+          sec_name = secret_name || self.secret_name
+  
+          unless kvenv_available?
+            puts "  Warning: kvenv not installed, secrets will not be loaded".colorize(:yellow)
+            return false
+          end
+  
+          # Check if Azure CLI is authenticated (kvenv can use this)
+          unless azure_cli_authenticated?
+            puts "  Warning: Azure CLI not authenticated, run 'az login' first".colorize(:yellow)
+            return false
+          end
+  
+          cache_file = "/tmp/kvenv-#{sec_name}.json"
+  
+          # Build kvenv command
+          cmd_parts = [
+            "kvenv cache",
+            "--azure",
+            "--azure-keyvault-name #{kv_name}",
+          ]
+  
+          if secret_prefix
+            cmd_parts << "--secret-prefix #{secret_prefix}"
+          else
+            cmd_parts << "--secret-name #{sec_name}"
+          end
+  
+          cmd_parts << "--output #{cache_file}"
+  
+          # Run kvenv to cache secrets
+          puts "  Loading secrets from Key Vault: #{kv_name}, Secret: #{sec_name}".colorize(:cyan)
+          success = system(cmd_parts.join(" "))
+          return false unless success
+          return false unless File.exist?(cache_file)
+  
+          # Load secrets from cache file
+          begin
+            require "json"
+            secrets = JSON.parse(File.read(cache_file))
+  
+            # Set environment variables (don't override existing ones)
+            loaded_count = 0
+            secrets.each do |key, value|
+              unless ENV[key]
+                ENV[key] = value
+                loaded_count += 1
+              end
+            end
+  
+            puts "  Loaded #{loaded_count} secrets from Azure Key Vault (#{secrets.keys.count} total in secret)".colorize(:green)
+            true
+          rescue => e
+            puts "  Warning: Could not parse secrets from cache: #{e.message}".colorize(:yellow)
+            false
+          end
+        end
+  
+        # Set a secret in Azure Key Vault
+        # @param secret_name [String] The name of the secret to set
+        # @param secret_value [String] The value of the secret
+        # @param keyvault_name [String, nil] The Azure Key Vault name (defaults to ENV["AZURE_KEYVAULT_NAME"] or "louparslow-secrets")
+        # @return [Boolean] true if secret was set successfully, false otherwise
+        def self.set(secret_name, secret_value, keyvault_name: nil)
+          # Use provided parameter or fall back to default
+          kv_name = keyvault_name || self.keyvault_name
+  
+          if secret_name.nil? || secret_name.empty?
+            raise "Secret name is required"
+          end
+  
+          if secret_value.nil? || secret_value.empty?
+            raise "Secret value is required"
+          end
+  
+          unless azure_cli_authenticated?
+            raise "Azure CLI is not authenticated. Run 'az login' first"
+          end
+  
+          puts "  Setting secret '#{secret_name}' in Key Vault: #{kv_name}".colorize(:cyan)
+  
+          # Build Azure CLI command
+          cmd = [
+            "az keyvault secret set",
+            "--vault-name '#{kv_name}'",
+            "--name '#{secret_name}'",
+            "--value '#{secret_value}'",
+            "2>&1",
+          ].join(" ")
+  
+          output = `#{cmd}`
+          exit_code = $?.exitstatus
+  
+          if exit_code != 0
+            puts "  Error: Failed to set secret".colorize(:red)
+            puts "  #{output}".colorize(:red)
+            return false
+          end
+  
+          puts "  Successfully set secret '#{secret_name}' in Key Vault".colorize(:green)
+          true
+        end
+      end
+    end
+  end
+  

data/lib/makit/secrets/azure_secrets.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require_relative "azure_key_vault"
+
+module Makit
+  module Secrets
+    # Azure Key Vault adapter that implements the LocalSecrets interface
+    # Uses Azure CLI to store and retrieve individual secrets
+    class AzureSecrets
+      def initialize(keyvault_name: nil, secret_prefix: nil)
+        @keyvault_name = keyvault_name || AzureKeyVault.keyvault_name
+        @secret_prefix = secret_prefix || AzureKeyVault.secret_prefix
+        raise "Azure Key Vault name is required" if @keyvault_name.nil? || @keyvault_name.empty?
+      end
+
+      def add(key, value)
+        set(key, value)
+      end
+
+      def remove(key)
+        secret_name = build_secret_name(key)
+        return true unless secret_exists?(secret_name)
+
+        unless AzureKeyVault.azure_cli_authenticated?
+          raise "Azure CLI is not authenticated. Run 'az login' first"
+        end
+
+        cmd = [
+          "az keyvault secret delete",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          raise "Failed to delete secret '#{secret_name}': #{output}"
+        end
+
+        true
+      end
+
+      def has_key?(key)
+        secret_name = build_secret_name(key)
+        secret_exists?(secret_name)
+      end
+
+      def get(key)
+        secret_name = build_secret_name(key)
+        return nil unless secret_exists?(secret_name)
+
+        unless AzureKeyVault.azure_cli_authenticated?
+          raise "Azure CLI is not authenticated. Run 'az login' first"
+        end
+
+        cmd = [
+          "az keyvault secret show",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "--query value",
+          "-o tsv",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`.strip
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          nil
+        else
+          output
+        end
+      end
+
+      def set(key, value)
+        secret_name = build_secret_name(key)
+        AzureKeyVault.set(secret_name, value.to_s, keyvault_name: @keyvault_name)
+      end
+
+      def get_secrets_filename
+        "#{@keyvault_name}/secrets"
+      end
+
+      def get_secrets_hash
+        # Load all secrets from Azure Key Vault
+        # This is a simplified version - in practice, you might want to list all secrets
+        # For now, we'll return an empty hash and let individual get() calls retrieve secrets
+        {}
+      end
+
+      def save_secrets_hash(hash)
+        # Save all secrets from hash to Azure Key Vault
+        hash.each do |key, value|
+          set(key, value)
+        end
+      end
+
+      def info
+        unless AzureKeyVault.azure_cli_authenticated?
+          puts "  Azure CLI is not authenticated. Run 'az login' first"
+          return
+        end
+
+        cmd = [
+          "az keyvault secret list",
+          "--vault-name '#{@keyvault_name}'",
+          "--query '[].name'",
+          "-o tsv",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`.strip
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          # Check if it's a permission error
+          if output.include?("Forbidden") || output.include?("ForbiddenByRbac")
+            puts "  Error: Insufficient permissions to list secrets from Azure Key Vault"
+            puts "  The authenticated identity does not have the required RBAC permissions."
+            puts "  Required permission: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'"
+            puts "  Required role: 'Key Vault Secrets User' or 'Key Vault Secrets Officer'"
+            puts "  Vault: #{@keyvault_name}"
+            puts ""
+            puts "  To fix this, ask your Azure administrator to grant you one of these roles:"
+            puts "    - Key Vault Secrets User (read-only access to secret names and values)"
+            puts "    - Key Vault Secrets Officer (full access to secrets)"
+          else
+            puts "  Error: Failed to list secrets from Azure Key Vault"
+            puts "  #{output}"
+          end
+          return
+        end
+
+        secret_names = output.split("\n").map(&:strip).reject(&:empty?)
+
+        if @secret_prefix
+          # Filter secrets that match the prefix and remove the prefix
+          filtered_secrets = secret_names.select { |name| name.start_with?("#{@secret_prefix}-") }
+                                         .map { |name| name.sub(/^#{Regexp.escape(@secret_prefix)}-/, "") }
+        else
+          filtered_secrets = secret_names
+        end
+
+        if filtered_secrets.empty?
+          puts "  No secrets found"
+        else
+          puts "  Available secrets (#{filtered_secrets.count}):"
+          filtered_secrets.sort.each do |key|
+            puts "    - #{key}"
+          end
+        end
+      end
+
+      private
+
+      def build_secret_name(key)
+        if @secret_prefix
+          "#{@secret_prefix}-#{key}"
+        else
+          key.to_s
+        end
+      end
+
+      def secret_exists?(secret_name)
+        unless AzureKeyVault.azure_cli_authenticated?
+          return false
+        end
+
+        cmd = [
+          "az keyvault secret show",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "2>&1"
+        ].join(" ")
+
+        system("#{cmd} > /dev/null 2>&1")
+      end
+    end
+  end
+end
+

data/lib/makit/secrets/local_secrets.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../directories" unless defined?(Makit::Directories)
+
+module Makit
+  module Secrets
+    class LocalSecrets
+      def add(key, value)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key] = value
+        save_secrets_hash(secrets_hash)
+      end
+
+      def remove(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash.delete(key)
+        save_secrets_hash(secrets_hash)
+      end
+
+      def has_key?(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash.key?(key)
+      end
+
+      def get(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key]
+      end
+
+      def set(key, value)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key] = value
+        save_secrets_hash(secrets_hash)
+      end
+
+      def get_secrets_filename
+        "#{Makit::Directories::ROOT}/secrets.json"
+      end
+
+      def get_secrets_hash
+        secrets_file = get_secrets_filename
+        return {} unless File.exist?(secrets_file)
+
+        text = File.read(secrets_file).strip
+        return {} if text.empty?
+
+        JSON.parse(text)
+      rescue JSON::ParserError
+        {}
+      end
+
+      def save_secrets_hash(hash)
+        secrets_file = get_secrets_filename
+        # pretty print the hash
+        File.open(secrets_file, "w") { |f| f.puts JSON.pretty_generate(hash) }
+      end
+
+      def info
+        secrets_hash = get_secrets_hash
+        if secrets_hash.empty?
+          puts "  No secrets found"
+        else
+          puts "  Available secrets (#{secrets_hash.keys.count}):"
+          secrets_hash.keys.sort.each do |key|
+            puts "    - #{key}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/makit/secrets/secrets_manager.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require_relative "local_secrets"
+
+module Makit
+  module Secrets
+    # Manager class for secrets management
+    # Uses AzureSecrets if Azure Key Vault environment variables are set,
+    # otherwise falls back to LocalSecrets
+    class SecretsManager
+      def initialize
+        @secrets_backend = choose_backend
+      end
+
+      private
+
+      def choose_backend
+        # Check if Azure Key Vault environment variables are set
+        if azure_keyvault_configured?
+          require_relative "azure_secrets"
+          AzureSecrets.new
+        else
+          LocalSecrets.new
+        end
+      end
+
+      def azure_keyvault_configured?
+        # Check for Azure Key Vault configuration
+        # Requires both AZURE_SERVICE_PRINCIPAL_APP_ID and AZURE_KEYVAULT_NAME
+        ENV["AZURE_SERVICE_PRINCIPAL_APP_ID"] && !ENV["AZURE_SERVICE_PRINCIPAL_APP_ID"].empty? &&
+          ENV["AZURE_KEYVAULT_NAME"] && !ENV["AZURE_KEYVAULT_NAME"].empty?
+      end
+
+      public
+
+      def add(key, value)
+        @secrets_backend.add(key, value)
+      end
+
+      def remove(key)
+        @secrets_backend.remove(key)
+      end
+
+      def has_key?(key)
+        @secrets_backend.has_key?(key)
+      end
+
+      def key?(key)
+        @secrets_backend.has_key?(key)
+      end
+
+      def get(key)
+        @secrets_backend.get(key)
+      end
+
+      def set(key, value)
+        @secrets_backend.set(key, value)
+      end
+
+      def get_secrets_filename
+        @secrets_backend.get_secrets_filename
+      end
+
+      def get_secrets_hash
+        @secrets_backend.get_secrets_hash
+      end
+
+      def save_secrets_hash(hash)
+        @secrets_backend.save_secrets_hash(hash)
+      end
+
+      def info
+        backend_name = backend_type
+        puts "  Backend: #{backend_name}"
+        
+        backend_class_name = @secrets_backend.class.name
+        if backend_class_name == "Makit::Secrets::AzureSecrets"
+          puts "  Key Vault: #{@secrets_backend.instance_variable_get(:@keyvault_name)}"
+          secret_name = Makit::Secrets::AzureKeyVault.secret_name
+          puts "  Secret Name: #{secret_name}"
+          prefix = @secrets_backend.instance_variable_get(:@secret_prefix)
+          puts "  Secret Prefix: #{prefix}" if prefix
+        elsif backend_class_name == "Makit::Secrets::LocalSecrets"
+          puts "  Secrets File: #{@secrets_backend.get_secrets_filename}"
+        end
+        puts ""
+        @secrets_backend.info
+      end
+
+      private
+
+      def backend_type
+        backend_class_name = @secrets_backend.class.name
+        case backend_class_name
+        when "Makit::Secrets::AzureSecrets"
+          "Azure Key Vault"
+        when "Makit::Secrets::LocalSecrets"
+          "LocalSecrets"
+        else
+          backend_class_name.split("::").last
+        end
+      end
+    end
+  end
+end