makit 0.0.164 → 0.0.166

data/lib/makit/secrets/azure_secrets.rb

@@ -1,183 +1,221 @@
-# frozen_string_literal: true
-
-require_relative "azure_key_vault"
-
-module Makit
-  module Secrets
-    # Azure Key Vault adapter that implements the LocalSecrets interface
-    # Uses Azure CLI to store and retrieve individual secrets
-    class AzureSecrets
-      def initialize(keyvault_name: nil, secret_prefix: nil)
-        @keyvault_name = keyvault_name || AzureKeyVault.keyvault_name
-        @secret_prefix = secret_prefix || AzureKeyVault.secret_prefix
-        raise "Azure Key Vault name is required" if @keyvault_name.nil? || @keyvault_name.empty?
-      end
-
-      def add(key, value)
-        set(key, value)
-      end
-
-      def remove(key)
-        secret_name = build_secret_name(key)
-        return true unless secret_exists?(secret_name)
-
-        unless AzureKeyVault.azure_cli_authenticated?
-          raise "Azure CLI is not authenticated. Run 'az login' first"
-        end
-
-        cmd = [
-          "az keyvault secret delete",
-          "--vault-name '#{@keyvault_name}'",
-          "--name '#{secret_name}'",
-          "2>&1"
-        ].join(" ")
-
-        output = `#{cmd}`
-        exit_code = $?.exitstatus
-
-        if exit_code != 0
-          raise "Failed to delete secret '#{secret_name}': #{output}"
-        end
-
-        true
-      end
-
-      def has_key?(key)
-        secret_name = build_secret_name(key)
-        secret_exists?(secret_name)
-      end
-
-      def get(key)
-        secret_name = build_secret_name(key)
-        return nil unless secret_exists?(secret_name)
-
-        unless AzureKeyVault.azure_cli_authenticated?
-          raise "Azure CLI is not authenticated. Run 'az login' first"
-        end
-
-        cmd = [
-          "az keyvault secret show",
-          "--vault-name '#{@keyvault_name}'",
-          "--name '#{secret_name}'",
-          "--query value",
-          "-o tsv",
-          "2>&1"
-        ].join(" ")
-
-        output = `#{cmd}`.strip
-        exit_code = $?.exitstatus
-
-        if exit_code != 0
-          nil
-        else
-          output
-        end
-      end
-
-      def set(key, value)
-        secret_name = build_secret_name(key)
-        AzureKeyVault.set(secret_name, value.to_s, keyvault_name: @keyvault_name)
-      end
-
-      def get_secrets_filename
-        "#{@keyvault_name}/secrets"
-      end
-
-      def get_secrets_hash
-        # Load all secrets from Azure Key Vault
-        # This is a simplified version - in practice, you might want to list all secrets
-        # For now, we'll return an empty hash and let individual get() calls retrieve secrets
-        {}
-      end
-
-      def save_secrets_hash(hash)
-        # Save all secrets from hash to Azure Key Vault
-        hash.each do |key, value|
-          set(key, value)
-        end
-      end
-
-      def info
-        unless AzureKeyVault.azure_cli_authenticated?
-          puts "  Azure CLI is not authenticated. Run 'az login' first"
-          return
-        end
-
-        cmd = [
-          "az keyvault secret list",
-          "--vault-name '#{@keyvault_name}'",
-          "--query '[].name'",
-          "-o tsv",
-          "2>&1"
-        ].join(" ")
-
-        output = `#{cmd}`.strip
-        exit_code = $?.exitstatus
-
-        if exit_code != 0
-          # Check if it's a permission error
-          if output.include?("Forbidden") || output.include?("ForbiddenByRbac")
-            puts "  Error: Insufficient permissions to list secrets from Azure Key Vault"
-            puts "  The authenticated identity does not have the required RBAC permissions."
-            puts "  Required permission: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'"
-            puts "  Required role: 'Key Vault Secrets User' or 'Key Vault Secrets Officer'"
-            puts "  Vault: #{@keyvault_name}"
-            puts ""
-            puts "  To fix this, ask your Azure administrator to grant you one of these roles:"
-            puts "    - Key Vault Secrets User (read-only access to secret names and values)"
-            puts "    - Key Vault Secrets Officer (full access to secrets)"
-          else
-            puts "  Error: Failed to list secrets from Azure Key Vault"
-            puts "  #{output}"
-          end
-          return
-        end
-
-        secret_names = output.split("\n").map(&:strip).reject(&:empty?)
-
-        if @secret_prefix
-          # Filter secrets that match the prefix and remove the prefix
-          filtered_secrets = secret_names.select { |name| name.start_with?("#{@secret_prefix}-") }
-                                         .map { |name| name.sub(/^#{Regexp.escape(@secret_prefix)}-/, "") }
-        else
-          filtered_secrets = secret_names
-        end
-
-        if filtered_secrets.empty?
-          puts "  No secrets found"
-        else
-          puts "  Available secrets (#{filtered_secrets.count}):"
-          filtered_secrets.sort.each do |key|
-            puts "    - #{key}"
-          end
-        end
-      end
-
-      private
-
-      def build_secret_name(key)
-        if @secret_prefix
-          "#{@secret_prefix}-#{key}"
-        else
-          key.to_s
-        end
-      end
-
-      def secret_exists?(secret_name)
-        unless AzureKeyVault.azure_cli_authenticated?
-          return false
-        end
-
-        cmd = [
-          "az keyvault secret show",
-          "--vault-name '#{@keyvault_name}'",
-          "--name '#{secret_name}'",
-          "2>&1"
-        ].join(" ")
-
-        system("#{cmd} > /dev/null 2>&1")
-      end
-    end
-  end
-end
-
+# frozen_string_literal: true
+
+require_relative "azure_key_vault"
+
+module Makit
+  module Secrets
+    # Azure Key Vault adapter that implements the LocalSecrets interface
+    # Uses Azure CLI to store and retrieve individual secrets
+    class AzureSecrets
+      def initialize(keyvault_name: nil, secret_prefix: nil)
+        @keyvault_name = keyvault_name || AzureKeyVault.keyvault_name
+        @secret_prefix = secret_prefix || AzureKeyVault.secret_prefix
+        raise "Azure Key Vault name is required" if @keyvault_name.nil? || @keyvault_name.empty?
+      end
+
+      def add(key, value)
+        set(key, value)
+      end
+
+      def remove(key)
+        secret_name = build_secret_name(key)
+        return true unless secret_exists?(secret_name)
+
+        unless AzureKeyVault.azure_cli_authenticated?
+          raise "Azure CLI is not authenticated. Run 'az login' first"
+        end
+
+        cmd = [
+          "az keyvault secret delete",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          raise "Failed to delete secret '#{secret_name}': #{output}"
+        end
+
+        true
+      end
+
+      def has_key?(key)
+        secret_name = build_secret_name(key)
+        secret_exists?(secret_name)
+      end
+
+      def get(key)
+        secret_name = build_secret_name(key)
+        return nil unless secret_exists?(secret_name)
+
+        unless AzureKeyVault.azure_cli_authenticated?
+          raise "Azure CLI is not authenticated. Run 'az login' first"
+        end
+
+        cmd = [
+          "az keyvault secret show",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "--query value",
+          "-o tsv",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`.strip
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          nil
+        else
+          output
+        end
+      end
+
+      def set(key, value)
+        secret_name = build_secret_name(key)
+        success = AzureKeyVault.set(secret_name, value.to_s, keyvault_name: @keyvault_name)
+        unless success
+          raise "Failed to set secret '#{secret_name}' in Azure Key Vault '#{@keyvault_name}'"
+        end
+        true
+      end
+
+      def get_secrets_filename
+        "#{@keyvault_name}/secrets"
+      end
+
+      def get_secrets_hash
+        # Load all secrets from Azure Key Vault
+        # This is a simplified version - in practice, you might want to list all secrets
+        # For now, we'll return an empty hash and let individual get() calls retrieve secrets
+        {}
+      end
+
+      def save_secrets_hash(hash)
+        # Save all secrets from hash to Azure Key Vault
+        hash.each do |key, value|
+          set(key, value)
+        end
+      end
+
+      def info
+        unless AzureKeyVault.azure_cli_authenticated?
+          puts "  Azure CLI is not authenticated. Run 'az login' first"
+          return
+        end
+
+        cmd = [
+          "az keyvault secret list",
+          "--vault-name '#{@keyvault_name}'",
+          "--query '[].name'",
+          "-o tsv",
+          "2>&1"
+        ].join(" ")
+
+        output = `#{cmd}`.strip
+        exit_code = $?.exitstatus
+
+        if exit_code != 0
+          # Check if it's a permission error
+          if output.include?("Forbidden") || output.include?("ForbiddenByRbac")
+            puts "  Error: Insufficient permissions to list secrets from Azure Key Vault"
+            puts "  The authenticated identity does not have the required RBAC permissions."
+            puts "  Required permission: 'Microsoft.KeyVault/vaults/secrets/readMetadata/action'"
+            puts "  Required role: 'Key Vault Secrets User' or 'Key Vault Secrets Officer'"
+            puts "  Vault: #{@keyvault_name}"
+            puts ""
+            puts "  To fix this, ask your Azure administrator to grant you one of these roles:"
+            puts "    - Key Vault Secrets User (read-only access to secret names and values)"
+            puts "    - Key Vault Secrets Officer (full access to secrets)"
+          else
+            puts "  Error: Failed to list secrets from Azure Key Vault"
+            puts "  #{output}"
+          end
+          return
+        end
+
+        secret_names = output.split("\n").map(&:strip).reject(&:empty?)
+
+        if @secret_prefix
+          # Filter secrets that match the prefix and remove the prefix
+          filtered_secrets = secret_names.select { |name| name.start_with?("#{@secret_prefix}-") }
+                                         .map { |name| name.sub(/^#{Regexp.escape(@secret_prefix)}-/, "") }
+        else
+          filtered_secrets = secret_names
+        end
+
+        if filtered_secrets.empty?
+          puts "  No secrets found"
+        else
+          puts "  Available secrets (#{filtered_secrets.count}):"
+          filtered_secrets.sort.each do |key|
+            puts "    - #{key}"
+          end
+        end
+      end
+
+      private
+
+      # Builds a valid Azure Key Vault secret name from a key
+      # Azure Key Vault secret names must be 1-127 characters, alphanumeric and hyphens only,
+      # cannot start or end with hyphen, and cannot have consecutive hyphens
+      def build_secret_name(key)
+        # Sanitize the key to make it valid for Azure Key Vault
+        sanitized_key = sanitize_secret_name(key.to_s)
+        
+        if @secret_prefix
+          "#{@secret_prefix}-#{sanitized_key}"
+        else
+          sanitized_key
+        end
+      end
+
+      # Sanitizes a secret name to be valid for Azure Key Vault
+      # Rules: 1-127 characters, alphanumeric and hyphens only,
+      # cannot start or end with hyphen, cannot have consecutive hyphens
+      def sanitize_secret_name(name)
+        # Replace invalid characters with hyphens
+        name = name.gsub(/[^a-zA-Z0-9\-]/, "-")
+        
+        # Remove consecutive hyphens
+        name = name.gsub(/-+/, "-")
+        
+        # Remove leading/trailing hyphens
+        name = name.gsub(/^-+|-+$/, "")
+        
+        # Ensure it starts with a letter or number (Azure requirement)
+        name = "secret-#{name}" if name.empty? || name.match(/^[^a-zA-Z0-9]/)
+        
+        # Truncate to 127 characters (Azure Key Vault limit)
+        name = name[0, 127]
+        
+        # Remove trailing hyphen if truncation created one
+        name = name.gsub(/-+$/, "")
+        
+        # Ensure it's not empty
+        name = "secret" if name.empty?
+        
+        name
+      end
+
+      def secret_exists?(secret_name)
+        unless AzureKeyVault.azure_cli_authenticated?
+          return false
+        end
+
+        cmd = [
+          "az keyvault secret show",
+          "--vault-name '#{@keyvault_name}'",
+          "--name '#{secret_name}'",
+          "2>&1"
+        ].join(" ")
+
+        system("#{cmd} > /dev/null 2>&1")
+      end
+    end
+  end
+end
+

data/lib/makit/secrets/local_secrets.rb

@@ -1,72 +1,72 @@
-# frozen_string_literal: true
-
-require "json"
-require_relative "../directories" unless defined?(Makit::Directories)
-
-module Makit
-  module Secrets
-    class LocalSecrets
-      def add(key, value)
-        secrets_hash = get_secrets_hash
-        secrets_hash[key] = value
-        save_secrets_hash(secrets_hash)
-      end
-
-      def remove(key)
-        secrets_hash = get_secrets_hash
-        secrets_hash.delete(key)
-        save_secrets_hash(secrets_hash)
-      end
-
-      def has_key?(key)
-        secrets_hash = get_secrets_hash
-        secrets_hash.key?(key)
-      end
-
-      def get(key)
-        secrets_hash = get_secrets_hash
-        secrets_hash[key]
-      end
-
-      def set(key, value)
-        secrets_hash = get_secrets_hash
-        secrets_hash[key] = value
-        save_secrets_hash(secrets_hash)
-      end
-
-      def get_secrets_filename
-        "#{Makit::Directories::ROOT}/secrets.json"
-      end
-
-      def get_secrets_hash
-        secrets_file = get_secrets_filename
-        return {} unless File.exist?(secrets_file)
-
-        text = File.read(secrets_file).strip
-        return {} if text.empty?
-
-        JSON.parse(text)
-      rescue JSON::ParserError
-        {}
-      end
-
-      def save_secrets_hash(hash)
-        secrets_file = get_secrets_filename
-        # pretty print the hash
-        File.open(secrets_file, "w") { |f| f.puts JSON.pretty_generate(hash) }
-      end
-
-      def info
-        secrets_hash = get_secrets_hash
-        if secrets_hash.empty?
-          puts "  No secrets found"
-        else
-          puts "  Available secrets (#{secrets_hash.keys.count}):"
-          secrets_hash.keys.sort.each do |key|
-            puts "    - #{key}"
-          end
-        end
-      end
-    end
-  end
-end
+# frozen_string_literal: true
+
+require "json"
+require_relative "../directories" unless defined?(Makit::Directories)
+
+module Makit
+  module Secrets
+    class LocalSecrets
+      def add(key, value)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key] = value
+        save_secrets_hash(secrets_hash)
+      end
+
+      def remove(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash.delete(key)
+        save_secrets_hash(secrets_hash)
+      end
+
+      def has_key?(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash.key?(key)
+      end
+
+      def get(key)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key]
+      end
+
+      def set(key, value)
+        secrets_hash = get_secrets_hash
+        secrets_hash[key] = value
+        save_secrets_hash(secrets_hash)
+      end
+
+      def get_secrets_filename
+        "#{Makit::Directories::ROOT}/secrets.json"
+      end
+
+      def get_secrets_hash
+        secrets_file = get_secrets_filename
+        return {} unless File.exist?(secrets_file)
+
+        text = File.read(secrets_file).strip
+        return {} if text.empty?
+
+        JSON.parse(text)
+      rescue JSON::ParserError
+        {}
+      end
+
+      def save_secrets_hash(hash)
+        secrets_file = get_secrets_filename
+        # pretty print the hash
+        File.open(secrets_file, "w") { |f| f.puts JSON.pretty_generate(hash) }
+      end
+
+      def info
+        secrets_hash = get_secrets_hash
+        if secrets_hash.empty?
+          puts "  No secrets found"
+        else
+          puts "  Available secrets (#{secrets_hash.keys.count}):"
+          secrets_hash.keys.sort.each do |key|
+            puts "    - #{key}"
+          end
+        end
+      end
+    end
+  end
+end