@ao_zorin/zocket 1.0.0

package/zocket/templates/login.html

@@ -0,0 +1,244 @@
+<!doctype html>
+<html lang="{{ lang }}">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>zocket login</title>
+    <style>
+      :root {
+        --primary-color: #0088cc;
+        --primary-accent: #00a1ff;
+        --dark-bg: #18222d;
+        --dark-surface: #212e3c;
+        --dark-text: #e9ecef;
+        --dark-muted: #adb5bd;
+        --light-bg: #ffffff;
+        --light-surface: #f8f9fa;
+        --light-text: #2c2c2c;
+        --light-muted: #6c757d;
+        --border-radius: 14px;
+        --page-gradient: radial-gradient(circle at 0 0, rgba(242,245,250,1) 0%, rgba(248,249,250,0.8) 55%);
+        --transition: all 0.35s cubic-bezier(0.165, 0.84, 0.44, 1);
+      }
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        padding: 24px;
+        background: var(--page-gradient);
+        color: var(--light-text);
+        font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+      }
+      body[data-theme="zorin"] {
+        background: radial-gradient(circle at 15% -10%, rgba(0, 136, 204, 0.45), rgba(8, 16, 30, 0.95) 45%), linear-gradient(180deg, #18222d 0%, #0f172a 65%, #0b1a2b 100%);
+        color: var(--dark-text);
+      }
+      body[data-theme="zorin"][data-theme-variant="light"] {
+        background: radial-gradient(circle at 25% -20%, rgba(0, 136, 204, 0.25), transparent 45%), linear-gradient(180deg, #ffffff 0%, #d7efff 100%);
+        color: var(--light-text);
+      }
+      .card {
+        width: min(520px, 94vw);
+        border-radius: var(--border-radius);
+        padding: 24px;
+        background: var(--light-surface);
+        border: 1px solid rgba(0, 0, 0, 0.08);
+        box-shadow: 0 15px 35px rgba(0, 0, 0, 0.12);
+        transition: var(--transition);
+      }
+      body[data-theme="zorin"] .card {
+        background: rgba(8, 11, 24, 0.85);
+        border-color: rgba(255, 255, 255, 0.15);
+        box-shadow: 0 25px 60px rgba(0, 0, 0, 0.6);
+        backdrop-filter: blur(28px);
+      }
+      body[data-theme="zorin"][data-theme-variant="light"] .card {
+        background: rgba(255, 255, 255, 0.96);
+        border-color: rgba(0, 136, 204, 0.25);
+        box-shadow: 0 20px 40px rgba(0, 0, 0, 0.15);
+      }
+      h1 {
+        margin: 0 0 8px;
+        font-size: 42px;
+        letter-spacing: -0.04em;
+        line-height: 1.2;
+      }
+      h2 {
+        margin: 14px 0 8px;
+        font-size: 20px;
+        font-weight: 600;
+      }
+      p {
+        margin: 0 0 12px;
+        color: var(--muted, #6c757d);
+      }
+      input, button {
+        width: 100%;
+        margin-bottom: 12px;
+        padding: 12px;
+        border-radius: var(--border-radius);
+        border: 1px solid rgba(0, 0, 0, 0.1);
+        font: inherit;
+        background: var(--light-surface);
+        color: inherit;
+        transition: var(--transition);
+      }
+      button {
+        border: none;
+        background: linear-gradient(135deg, var(--primary-color), var(--primary-accent));
+        color: white;
+        cursor: pointer;
+        box-shadow: 0 10px 25px rgba(0, 136, 204, 0.25);
+      }
+      button:hover {
+        transform: translateY(-4px);
+      }
+      button.danger {
+        background: linear-gradient(135deg, #ff6b6b, #ff8e8e);
+      }
+      .lang {
+        display: flex;
+        gap: 8px;
+        margin-bottom: 12px;
+      }
+      .lang a {
+        color: var(--primary-color);
+        font-weight: 600;
+        text-decoration: none;
+      }
+      .theme-selector {
+        display: flex;
+        align-items: center;
+        gap: 6px;
+        margin-bottom: 12px;
+        font-size: 14px;
+        color: var(--muted);
+      }
+      .styled-select {
+        appearance: none;
+        -webkit-appearance: none;
+        -moz-appearance: none;
+        padding: 10px 28px 10px 16px;
+        border-radius: 999px;
+        border: 1px solid rgba(0, 0, 0, 0.1);
+        background: var(--light-surface);
+        color: inherit;
+        font-weight: 500;
+        cursor: pointer;
+        background-image: url('data:image/svg+xml,%3Csvg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 20 20\" fill=\"none\" stroke=\"currentColor\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\"%3E%3Cpolyline points=\"6 8 10 12 14 8\"/%3E%3C/svg%3E'), none;
+        background-position: right 10px center, center;
+        background-repeat: no-repeat;
+      }
+      .theme-selector select:focus {
+        outline: none;
+        box-shadow: 0 0 0 2px rgba(0, 136, 204, 0.3);
+      }
+      .variant-toggle {
+        display: none;
+        align-items: center;
+        gap: 6px;
+        margin-left: 6px;
+      }
+      body[data-theme="zorin"] .variant-toggle {
+        display: inline-flex;
+      }
+      .variant-button {
+        width: 40px;
+        height: 40px;
+        border-radius: 50%;
+        border: 1px solid rgba(255, 255, 255, 0.3);
+        background: rgba(255, 255, 255, 0.08);
+        color: var(--primary-color);
+        font-size: 1.1rem;
+        cursor: pointer;
+        transition: var(--transition);
+      }
+      .variant-button.active {
+        background: var(--primary-color);
+        color: #fff;
+        box-shadow: 0 0 12px rgba(0, 136, 204, 0.6);
+      }
+      .notice {
+        border-radius: var(--border-radius);
+        border: 1px solid rgba(0, 136, 204, 0.3);
+        background: rgba(0, 136, 204, 0.08);
+      }
+      .error {
+        border-radius: var(--border-radius);
+        border: 1px solid #fecdd3;
+        background: #fff1f2;
+      }
+    </style>
+  </head>
+  <body data-theme="{{ theme }}" data-theme-variant="{{ theme_variant }}">
+    <div class="card">
+      <div class="lang">
+        <a href="/login?lang=en">EN</a>
+        <a href="/login?lang=ru">RU</a>
+      </div>
+      <form method="post" action="/set-theme" class="theme-selector">
+        <label for="theme-select">{{ t("ui.theme") }}:</label>
+        <select id="theme-select" class="styled-select" name="theme" onchange="this.form.submit();">
+          <option value="standard" {% if theme == 'standard' %}selected{% endif %}>{{ t('ui.theme_standard') }}</option>
+          <option value="zorin" {% if theme == 'zorin' %}selected{% endif %}>{{ t('ui.theme_zorin') }}</option>
+        </select>
+        <input type="hidden" name="next" value="{{ next_path }}" />
+      </form>
+      {% if theme == "zorin" %}
+      <form method="post" action="/set-theme-variant" class="variant-toggle">
+        <input type="hidden" name="next" value="{{ next_path }}" />
+        <button type="submit" name="variant" value="light" class="variant-button {% if theme_variant == 'light' %}active{% endif %}" aria-label="{{ t('ui.variant_light') }}">☀️</button>
+        <button type="submit" name="variant" value="dark" class="variant-button {% if theme_variant == 'dark' %}active{% endif %}" aria-label="{{ t('ui.variant_dark') }}">🌙</button>
+      </form>
+      {% endif %}
+      <h1>{{ t("ui.sign_in") }}</h1>
+
+      {% if error %}
+        <div class="error">{{ error }}</div>
+      {% endif %}
+
+      {% if missing_password %}
+        <h1>{{ t("ui.first_setup_title") }}</h1>
+        <p>{{ t("ui.first_setup_subtitle") }}</p>
+
+        <div class="section">
+          <h2>{{ t("ui.set_password") }}</h2>
+          <form method="post" action="/setup/first-run">
+            <input type="hidden" name="mode" value="set_password" />
+            <input type="password" name="password" placeholder="{{ t('ui.password') }}" required />
+            <input type="password" name="password_repeat" placeholder="{{ t('ui.password_repeat') }}" required />
+            <button type="submit">{{ t("ui.save_and_enter") }}</button>
+          </form>
+        </div>
+
+        <div class="section">
+          <h2>{{ t("ui.generate_password") }}</h2>
+          <p>{{ t("ui.generate_password_hint") }}</p>
+          <form method="post" action="/setup/first-run">
+            <input type="hidden" name="mode" value="generate_password" />
+            <button type="submit">{{ t("ui.generate_and_enter") }}</button>
+          </form>
+        </div>
+
+        <div class="section warning">
+          <h2>{{ t("ui.continue_without_password") }}</h2>
+          <p>{{ t("ui.insecure_warning") }}</p>
+          <form method="post" action="/setup/first-run" onsubmit="return confirm('{{ t('ui.insecure_confirm_dialog') }}')">
+            <input type="hidden" name="mode" value="no_password" />
+            <label class="checkline">
+              <input type="checkbox" name="confirm_no_password" value="1" required />
+              <span>{{ t("ui.i_understand_risk") }}</span>
+            </label>
+            <button class="danger" type="submit">{{ t("ui.continue_anyway") }}</button>
+          </form>
+        </div>
+      {% else %}
+        <form method="post" action="/login">
+          <input type="password" name="password" placeholder="{{ t('ui.password') }}" required />
+          <button type="submit">{{ t("ui.login") }}</button>
+        </form>
+      {% endif %}
+    </div>
+  </body>
+</html>

package/zocket/vault.py

@@ -0,0 +1,331 @@
+from __future__ import annotations
+
+import fcntl
+import os
+import re
+from contextlib import contextmanager
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any, Iterator
+
+from .crypto import decrypt_payload, encrypt_payload, load_key
+
+PROJECT_RE = re.compile(r"^[a-zA-Z0-9._-]+$")
+SECRET_KEY_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")
+
+
+def utc_now_iso() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def empty_vault() -> dict[str, Any]:
+    return {"version": 1, "projects": {}}
+
+
+class VaultError(RuntimeError):
+    pass
+
+
+class ProjectNotFoundError(VaultError):
+    pass
+
+
+class SecretNotFoundError(VaultError):
+    pass
+
+
+class ValidationError(VaultError):
+    pass
+
+
+class VaultService:
+    def __init__(
+        self,
+        vault_file: Path,
+        key_file: Path,
+        lock_file: Path,
+        key_storage: str = "file",
+        keyring_service: str = "zocket",
+        keyring_account: str = "master-key",
+    ):
+        self.vault_file = vault_file
+        self.key_file = key_file
+        self.lock_file = lock_file
+        self.key_storage = key_storage
+        self.keyring_service = keyring_service
+        self.keyring_account = keyring_account
+        self._cached_key: bytes | None = None
+
+    def _key(self) -> bytes:
+        if self._cached_key is None:
+            self._cached_key = load_key(
+                self.key_file,
+                storage=self.key_storage,
+                keyring_service=self.keyring_service,
+                keyring_account=self.keyring_account,
+            )
+        return self._cached_key
+
+    @contextmanager
+    def _locked(self) -> Iterator[None]:
+        self.lock_file.parent.mkdir(parents=True, exist_ok=True)
+        with self.lock_file.open("a+") as lock_fd:
+            fcntl.flock(lock_fd.fileno(), fcntl.LOCK_EX)
+            try:
+                yield
+            finally:
+                fcntl.flock(lock_fd.fileno(), fcntl.LOCK_UN)
+
+    def _read_unlocked(self) -> dict[str, Any]:
+        if not self.vault_file.exists():
+            return empty_vault()
+        ciphertext = self.vault_file.read_bytes()
+        if not ciphertext:
+            return empty_vault()
+        payload = decrypt_payload(ciphertext, self._key())
+        if "projects" not in payload or not isinstance(payload["projects"], dict):
+            raise VaultError("Vault payload is malformed: missing `projects` map.")
+        return payload
+
+    def _write_unlocked(self, payload: dict[str, Any]) -> None:
+        self.vault_file.parent.mkdir(parents=True, exist_ok=True)
+        ciphertext = encrypt_payload(payload, self._key())
+        tmp = self.vault_file.with_suffix(self.vault_file.suffix + ".tmp")
+        tmp.write_bytes(ciphertext)
+        os.chmod(tmp, 0o600)
+        os.replace(tmp, self.vault_file)
+
+    def ensure_initialized(self) -> None:
+        with self._locked():
+            if self.vault_file.exists():
+                return
+            self._write_unlocked(empty_vault())
+
+    def _validate_project_name(self, project: str) -> None:
+        if not project or not PROJECT_RE.match(project):
+            raise ValidationError(
+                "Invalid project name. Use only [a-zA-Z0-9._-] characters."
+            )
+
+    def _validate_secret_key(self, key: str) -> None:
+        if not key or not SECRET_KEY_RE.match(key):
+            raise ValidationError(
+                "Invalid secret key. Use UPPERCASE env-like keys, e.g. SSH_PASSWORD."
+            )
+
+    def _normalize_folder_path(
+        self,
+        folder_path: str | None,
+        require_exists: bool,
+    ) -> str | None:
+        if folder_path is None:
+            return None
+        raw = folder_path.strip()
+        if not raw:
+            return None
+        path = Path(raw).expanduser()
+        try:
+            resolved = path.resolve(strict=require_exists)
+        except FileNotFoundError as exc:
+            raise ValidationError(f"Project folder not found: {path}") from exc
+        except OSError as exc:
+            raise ValidationError(f"Invalid project folder path: {path}") from exc
+        if require_exists and not resolved.is_dir():
+            raise ValidationError(f"Project folder is not a directory: {resolved}")
+        return str(resolved)
+
+    def create_project(
+        self,
+        project: str,
+        description: str = "",
+        folder_path: str | None = None,
+    ) -> None:
+        self._validate_project_name(project)
+        normalized_folder = self._normalize_folder_path(
+            folder_path, require_exists=True
+        )
+        with self._locked():
+            payload = self._read_unlocked()
+            projects = payload["projects"]
+            if project in projects:
+                return
+            now = utc_now_iso()
+            projects[project] = {
+                "description": description,
+                "created_at": now,
+                "updated_at": now,
+                "secrets": {},
+            }
+            if normalized_folder:
+                projects[project]["folder_path"] = normalized_folder
+            self._write_unlocked(payload)
+
+    def list_projects(self) -> list[dict[str, Any]]:
+        with self._locked():
+            payload = self._read_unlocked()
+        items: list[dict[str, Any]] = []
+        for project, info in payload["projects"].items():
+            secrets = info.get("secrets", {})
+            items.append(
+                {
+                    "project": project,
+                    "description": info.get("description", ""),
+                    "folder_path": info.get("folder_path"),
+                    "secret_count": len(secrets),
+                    "updated_at": info.get("updated_at"),
+                }
+            )
+        items.sort(key=lambda x: x["project"])
+        return items
+
+    def _get_project(self, payload: dict[str, Any], project: str) -> dict[str, Any]:
+        self._validate_project_name(project)
+        info = payload["projects"].get(project)
+        if info is None:
+            raise ProjectNotFoundError(f"Project not found: {project}")
+        return info
+
+    def list_project_secrets(
+        self, project: str, include_values: bool = False
+    ) -> list[dict[str, Any]]:
+        with self._locked():
+            payload = self._read_unlocked()
+        info = self._get_project(payload, project)
+        result: list[dict[str, Any]] = []
+        for key, item in info.get("secrets", {}).items():
+            row: dict[str, Any] = {
+                "key": key,
+                "description": item.get("description", ""),
+                "updated_at": item.get("updated_at"),
+                "has_value": bool(item.get("value")),
+            }
+            if include_values:
+                row["value"] = item.get("value", "")
+            result.append(row)
+        result.sort(key=lambda x: x["key"])
+        return result
+
+    def upsert_secret(
+        self, project: str, key: str, value: str, description: str = ""
+    ) -> None:
+        self._validate_project_name(project)
+        self._validate_secret_key(key)
+        if value is None:
+            raise ValidationError("Secret value cannot be null.")
+
+        with self._locked():
+            payload = self._read_unlocked()
+            projects = payload["projects"]
+            if project not in projects:
+                now = utc_now_iso()
+                projects[project] = {
+                    "description": "",
+                    "created_at": now,
+                    "updated_at": now,
+                    "secrets": {},
+                }
+            project_info = projects[project]
+            now = utc_now_iso()
+            project_info["secrets"][key] = {
+                "value": value,
+                "description": description,
+                "updated_at": now,
+            }
+            project_info["updated_at"] = now
+            self._write_unlocked(payload)
+
+    def delete_secret(self, project: str, key: str) -> None:
+        self._validate_project_name(project)
+        self._validate_secret_key(key)
+        with self._locked():
+            payload = self._read_unlocked()
+            info = self._get_project(payload, project)
+            if key not in info.get("secrets", {}):
+                raise SecretNotFoundError(f"Secret {key} not found in project {project}")
+            del info["secrets"][key]
+            info["updated_at"] = utc_now_iso()
+            self._write_unlocked(payload)
+
+    def get_secret(self, project: str, key: str) -> dict[str, str]:
+        self._validate_project_name(project)
+        self._validate_secret_key(key)
+        with self._locked():
+            payload = self._read_unlocked()
+        info = self._get_project(payload, project)
+        secret = info.get("secrets", {}).get(key)
+        if secret is None:
+            raise SecretNotFoundError(f"Secret {key} not found in project {project}")
+        return dict(secret)
+
+    def delete_project(self, project: str) -> None:
+        self._validate_project_name(project)
+        with self._locked():
+            payload = self._read_unlocked()
+            if project not in payload["projects"]:
+                raise ProjectNotFoundError(f"Project not found: {project}")
+            del payload["projects"][project]
+            self._write_unlocked(payload)
+
+    def set_project_folder(self, project: str, folder_path: str | None) -> None:
+        self._validate_project_name(project)
+        normalized_folder = self._normalize_folder_path(
+            folder_path, require_exists=True
+        )
+        with self._locked():
+            payload = self._read_unlocked()
+            info = self._get_project(payload, project)
+            if normalized_folder:
+                info["folder_path"] = normalized_folder
+            else:
+                info.pop("folder_path", None)
+            info["updated_at"] = utc_now_iso()
+            self._write_unlocked(payload)
+
+    def find_project_by_path(self, folder_path: str) -> dict[str, Any] | None:
+        normalized_folder = self._normalize_folder_path(
+            folder_path, require_exists=False
+        )
+        if not normalized_folder:
+            return None
+        target = Path(normalized_folder)
+        best_name: str | None = None
+        best_info: dict[str, Any] | None = None
+        best_depth = -1
+
+        with self._locked():
+            payload = self._read_unlocked()
+            for name, info in payload["projects"].items():
+                raw_folder = info.get("folder_path")
+                if not raw_folder:
+                    continue
+                try:
+                    candidate = Path(str(raw_folder)).expanduser().resolve(strict=False)
+                except OSError:
+                    continue
+                if target != candidate and not target.is_relative_to(candidate):
+                    continue
+                depth = len(candidate.parts)
+                if depth > best_depth:
+                    best_name = name
+                    best_info = info
+                    best_depth = depth
+
+        if best_name is None or best_info is None:
+            return None
+
+        return {
+            "project": best_name,
+            "description": best_info.get("description", ""),
+            "folder_path": best_info.get("folder_path"),
+            "secret_count": len(best_info.get("secrets", {})),
+            "updated_at": best_info.get("updated_at"),
+        }
+
+    def get_project_env(self, project: str) -> dict[str, str]:
+        with self._locked():
+            payload = self._read_unlocked()
+        info = self._get_project(payload, project)
+        env: dict[str, str] = {}
+        for key, item in info.get("secrets", {}).items():
+            env[key] = str(item.get("value", ""))
+        return env