@meshxdata/fops 0.1.48 → 0.1.50

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -171,6 +171,11 @@ export function reconcileOk(label, detail) {
   console.log(chalk.green(line));
 }
 
+/** Section divider for grouping reconcile steps */
+export function reconcileSection(title) {
+  console.log(chalk.dim(`\n  ─ ${title} ─`));
+}
+
 export function banner(title) {
   const line = "─".repeat(Math.max(0, 46 - title.length));
   console.log(ACCENT(`\n  ── ${title} ${line}`));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-keyvault-keys.js

@@ -0,0 +1,413 @@
+/**
+ * Azure Key Vault — Key operations (with auto-rotation)
+ * Extracted from azure-keyvault.js for maintainability
+ */
+import chalk from "chalk";
+import {
+  DIM, OK, WARN, ACCENT,
+  banner, kvLine, hint,
+  lazyExeca, subArgs, ensureAzCli, ensureAzAuth,
+  resolveCliSrc,
+} from "./azure-helpers.js";
+
+// ── Shared keyvault helpers (also used by azure-keyvault.js) ─────────────────
+
+export function shortDate(val) {
+  if (!val) return "—";
+  const d = typeof val === "number" ? new Date(val * 1000) : new Date(val);
+  if (isNaN(d.getTime())) return String(val);
+  return d.toLocaleString();
+}
+
+export async function resolveVault(execa, explicit, sub) {
+  if (explicit) return explicit;
+
+  hint("No --vault given, listing vaults…");
+  const { stdout } = await execa("az", [
+    "keyvault", "list", "--query", "[].{name:name, location:location}",
+    "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000 });
+  const vaults = JSON.parse(stdout);
+
+  if (vaults.length === 0) {
+    console.error(chalk.red("\n  No Key Vaults found in this subscription.\n"));
+    hint("Create one: fops azure keyvault create <name> --resource-group <rg> --location <region>\n");
+    process.exit(1);
+  }
+  if (vaults.length === 1) {
+    hint(`Using vault: ${vaults[0].name}`);
+    return vaults[0].name;
+  }
+
+  const { selectOption } = await import(resolveCliSrc("ui/confirm.js"));
+  const selected = await selectOption(
+    "Select Key Vault",
+    vaults.map((v) => ({ label: `${v.name}  ${DIM(v.location)}`, value: v.name })),
+  );
+  if (!selected) { console.log(DIM("\n  Cancelled.\n")); process.exit(0); }
+  return selected;
+}
+
+// ── Key operation helpers ────────────────────────────────────────────────────
+
+function humanDuration(iso) {
+  if (!iso) return "—";
+  const m = iso.match(/^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$/i);
+  if (!m) return iso;
+  const parts = [];
+  if (m[1]) parts.push(`${m[1]} year${m[1] === "1" ? "" : "s"}`);
+  if (m[2]) parts.push(`${m[2]} month${m[2] === "1" ? "" : "s"}`);
+  if (m[3]) parts.push(`${m[3]} day${m[3] === "1" ? "" : "s"}`);
+  return parts.join(", ") || iso;
+}
+
+function computeExpiryDate(isoDuration) {
+  const m = isoDuration.match(/^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$/i);
+  if (!m) return new Date(Date.now() + 365 * 86400000).toISOString().replace(/\.\d{3}Z$/, "Z");
+  const d = new Date();
+  if (m[1]) d.setFullYear(d.getFullYear() + Number(m[1]));
+  if (m[2]) d.setMonth(d.getMonth() + Number(m[2]));
+  if (m[3]) d.setDate(d.getDate() + Number(m[3]));
+  return d.toISOString().replace(/\.\d{3}Z$/, "Z");
+}
+
+async function setRotationPolicyInner(execa, vault, name, sub, opts) {
+  const lifetimeActions = [
+    {
+      trigger: { timeAfterCreate: opts.rotateEvery },
+      action: { type: "Rotate" },
+    },
+  ];
+
+  if (opts.notifyBefore || opts.expiresIn) {
+    lifetimeActions.push({
+      trigger: { timeBeforeExpiry: opts.notifyBefore || "P30D" },
+      action: { type: "Notify" },
+    });
+  }
+
+  const policy = { lifetimeActions };
+  if (opts.expiresIn) {
+    policy.attributes = { expiryTime: opts.expiresIn };
+  }
+
+  const policyJson = JSON.stringify(policy);
+
+  const { exitCode, stderr } = await execa("az", [
+    "keyvault", "key", "rotation-policy", "update", "--vault-name", vault,
+    "--name", name, "--value", policyJson, "--output", "none", ...subArgs(sub),
+  ], { timeout: 30000, reject: false });
+
+  if (exitCode !== 0) {
+    console.log(WARN(`  ⚠ Rotation policy failed: ${(stderr || "").split("\n")[0]}`));
+    hint("Ensure the vault uses premium SKU for HSM keys, and key type supports rotation.");
+    return;
+  }
+
+  console.log(OK(`  ✓ Rotation policy set — auto-rotate every ${humanDuration(opts.rotateEvery)}`));
+  if (opts.expiresIn) console.log(OK(`  ✓ Key expiry: ${humanDuration(opts.expiresIn)}`));
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Key operations
+// ═══════════════════════════════════════════════════════════════════════════
+
+export async function keyList(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+
+  banner(`Keys in "${vault}"`);
+
+  const { stdout, exitCode, stderr } = await execa("az", [
+    "keyvault", "key", "list", "--vault-name", vault,
+    "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000, reject: false });
+
+  if (exitCode !== 0) {
+    const msg = (stderr || "").includes("Forbidden")
+      ? `Access denied — you need "Key Vault Crypto Officer" or "Key Vault Reader" role on "${vault}"`
+      : (stderr || "").split("\n")[0];
+    console.error(chalk.red(`\n  ✗ ${msg}\n`));
+    hint(`Grant access: az role assignment create --assignee <your-object-id> --role "Key Vault Crypto Officer" --scope $(az keyvault show --name ${vault} --query id -o tsv)`);
+    console.log("");
+    process.exit(1);
+  }
+
+  const keys = JSON.parse(stdout);
+  if (!keys.length) {
+    hint("No keys found.\n");
+    return;
+  }
+
+  const nameWidth = Math.min(50, Math.max(20, ...keys.map((k) => {
+    const name = k.kid?.split("/").pop() || k.name || "—";
+    return name.length;
+  })));
+
+  for (const k of keys) {
+    const name = k.kid?.split("/").pop() || k.name || "—";
+    const enabled = k.attributes?.enabled !== false;
+    const updated = shortDate(k.attributes?.updated || k.attributes?.created);
+    const managed = k.managed ? DIM(" [managed]") : "";
+    const status = enabled ? "" : WARN(" [disabled]");
+
+    console.log(`  ${chalk.bold.white(name.padEnd(nameWidth))}  ${DIM(updated)}${status}${managed}`);
+  }
+  console.log(DIM(`\n  ${keys.length} key(s)`));
+  hint(`Details: fops azure keyvault key show <name> --vault ${vault}\n`);
+}
+
+export async function keyShow(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { name } = opts;
+  if (!name) {
+    console.error(chalk.red("\n  Key name is required.\n"));
+    process.exit(1);
+  }
+
+  const [keyResult, policyResult] = await Promise.allSettled([
+    execa("az", [
+      "keyvault", "key", "show", "--vault-name", vault,
+      "--name", name, "--output", "json", ...subArgs(sub),
+    ], { timeout: 30000, reject: false }),
+    execa("az", [
+      "keyvault", "key", "rotation-policy", "show", "--vault-name", vault,
+      "--name", name, "--output", "json", ...subArgs(sub),
+    ], { timeout: 15000, reject: false }),
+  ]);
+
+  if (keyResult.status === "rejected" || keyResult.value.exitCode !== 0) {
+    const stderr = keyResult.value?.stderr || keyResult.reason?.message || "";
+    const msg = stderr.includes("KeyNotFound")
+      ? `Key "${name}" not found in vault "${vault}"`
+      : stderr.split("\n")[0];
+    console.error(chalk.red(`\n  ✗ ${msg}\n`));
+    process.exit(1);
+  }
+
+  const k = JSON.parse(keyResult.value.stdout);
+  const keyProps = k.key || {};
+
+  banner(`Key — "${name}"`);
+  kvLine("Vault", DIM(vault));
+  kvLine("Name", chalk.bold.white(name));
+  kvLine("Type", DIM(keyProps.kty || "—"));
+  if (keyProps.kty?.startsWith("RSA")) kvLine("Size", DIM(String(keyProps.n ? Math.ceil(keyProps.n.length * 6 / 8) * 8 : "—")));
+  if (keyProps.kty?.startsWith("EC")) kvLine("Curve", DIM(keyProps.crv || "—"));
+  kvLine("Operations", DIM((keyProps.keyOps || []).join(", ") || "—"));
+  kvLine("Enabled", k.attributes?.enabled !== false ? OK("true") : WARN("false"));
+  kvLine("Created", DIM(shortDate(k.attributes?.created)));
+  kvLine("Updated", DIM(shortDate(k.attributes?.updated)));
+  if (k.attributes?.expires) kvLine("Expires", DIM(shortDate(k.attributes.expires)));
+  kvLine("Version", DIM((k.key?.kid || k.kid || "").split("/").pop() || "—"));
+
+  // Rotation policy
+  console.log("");
+  if (policyResult.status === "fulfilled" && policyResult.value.exitCode === 0) {
+    const policy = JSON.parse(policyResult.value.stdout);
+    const actions = policy.lifetimeActions || [];
+    const expiry = policy.expiresIn || policy.attributes?.expiryTime;
+
+    console.log(ACCENT("  Rotation Policy"));
+    kvLine("  Expiry", DIM(expiry ? humanDuration(expiry) : "none"));
+
+    if (actions.length === 0) {
+      kvLine("  Actions", DIM("none"));
+    }
+    for (const a of actions) {
+      const actionType = a.action?.type || a.action || "?";
+      const trigger = (a.timeAfterCreate || a.trigger?.timeAfterCreate)
+        ? `${humanDuration(a.timeAfterCreate || a.trigger?.timeAfterCreate)} after create`
+        : (a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)
+          ? `${humanDuration(a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)} before expiry`
+          : "—";
+      kvLine(`  ${actionType}`, DIM(trigger));
+    }
+  } else {
+    console.log(DIM("  Rotation Policy  none"));
+    hint(`Enable: fops azure keyvault key rotation-policy set ${name} --vault ${vault} --rotate-every P90D`);
+  }
+  console.log("");
+}
+
+export async function keyCreate(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { name } = opts;
+  if (!name) {
+    console.error(chalk.red("\n  Key name is required.\n"));
+    process.exit(1);
+  }
+
+  const kty = opts.type || "RSA";
+  const size = opts.size || (kty.startsWith("RSA") ? "2048" : undefined);
+  const curve = opts.curve || (kty.startsWith("EC") ? "P-256" : undefined);
+  const ops = opts.ops || "encrypt decrypt sign verify wrapKey unwrapKey";
+
+  banner("Creating Key");
+  kvLine("Name", chalk.bold.white(name));
+  kvLine("Vault", DIM(vault));
+  kvLine("Type", DIM(kty));
+  if (size) kvLine("Size", DIM(size));
+  if (curve) kvLine("Curve", DIM(curve));
+  kvLine("Operations", DIM(ops));
+  if (opts.rotateEvery) kvLine("Auto-rotate", DIM(humanDuration(opts.rotateEvery)));
+  if (opts.expiresIn) kvLine("Expiry", DIM(humanDuration(opts.expiresIn)));
+  console.log("");
+
+  // 1. Create the key
+  const args = [
+    "keyvault", "key", "create", "--vault-name", vault,
+    "--name", name, "--kty", kty, "--output", "json", ...subArgs(sub),
+  ];
+  if (size && kty.startsWith("RSA")) args.push("--size", size);
+  if (curve && kty.startsWith("EC")) args.push("--curve", curve);
+  if (opts.ops) args.push("--ops", ...ops.split(/[\s,]+/));
+  if (opts.disabled) args.push("--disabled", "true");
+  if (opts.expiresIn) args.push("--expires", computeExpiryDate(opts.expiresIn));
+
+  const { stdout, exitCode, stderr } = await execa("az", args, { timeout: 30000, reject: false });
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+
+  const k = JSON.parse(stdout);
+  console.log(OK(`  ✓ Key "${name}" created`));
+  kvLine("Version", DIM(k.key?.kid?.split("/").pop() || "—"));
+
+  // 2. Set rotation policy if requested
+  if (opts.rotateEvery) {
+    await setRotationPolicyInner(execa, vault, name, sub, {
+      rotateEvery: opts.rotateEvery,
+      expiresIn: opts.expiresIn,
+      notifyBefore: opts.notifyBefore,
+    });
+  }
+  console.log("");
+  hint(`Show:    fops azure keyvault key show ${name} --vault ${vault}`);
+  hint(`Rotate:  fops azure keyvault key rotate ${name} --vault ${vault}\n`);
+}
+
+export async function keyRotate(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { name } = opts;
+  if (!name) {
+    console.error(chalk.red("\n  Key name is required.\n"));
+    process.exit(1);
+  }
+
+  hint(`Rotating key "${name}"…`);
+  const { stdout, exitCode, stderr } = await execa("az", [
+    "keyvault", "key", "rotate", "--vault-name", vault,
+    "--name", name, "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000, reject: false });
+
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+
+  const k = JSON.parse(stdout);
+  console.log(OK(`  ✓ Key "${name}" rotated — new version: ${k.key?.kid?.split("/").pop() || "?"}\n`));
+}
+
+export async function keyRotationPolicyShow(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { name } = opts;
+  if (!name) {
+    console.error(chalk.red("\n  Key name is required.\n"));
+    process.exit(1);
+  }
+
+  const { stdout, exitCode, stderr } = await execa("az", [
+    "keyvault", "key", "rotation-policy", "show", "--vault-name", vault,
+    "--name", name, "--output", "json", ...subArgs(sub),
+  ], { timeout: 15000, reject: false });
+
+  if (exitCode !== 0) {
+    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
+    process.exit(1);
+  }
+
+  const policy = JSON.parse(stdout);
+  const actions = policy.lifetimeActions || [];
+  const expiry = policy.expiresIn || policy.attributes?.expiryTime;
+
+  banner(`Rotation Policy — "${name}"`);
+  kvLine("Vault", DIM(vault));
+  kvLine("Key", chalk.bold.white(name));
+  kvLine("Expiry", DIM(expiry ? humanDuration(expiry) : "none"));
+  console.log("");
+
+  if (actions.length === 0) {
+    hint("No rotation actions configured.");
+  } else {
+    for (const a of actions) {
+      const actionType = a.action?.type || a.action || "?";
+      const trigger = (a.timeAfterCreate || a.trigger?.timeAfterCreate)
+        ? `${humanDuration(a.timeAfterCreate || a.trigger?.timeAfterCreate)} after create`
+        : (a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)
+          ? `${humanDuration(a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)} before expiry`
+          : "—";
+      kvLine(`  ${actionType}`, DIM(trigger));
+    }
+  }
+  console.log("");
+  hint(`Update: fops azure keyvault key rotation-policy set ${name} --vault ${vault} --rotate-every P90D`);
+  hint(`Rotate now: fops azure keyvault key rotate ${name} --vault ${vault}\n`);
+}
+
+export async function keyRotationPolicySet(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const vault = await resolveVault(execa, opts.vault, sub);
+  const { name } = opts;
+  if (!name) {
+    console.error(chalk.red("\n  Key name is required.\n"));
+    process.exit(1);
+  }
+
+  if (!opts.rotateEvery) {
+    console.error(chalk.red("\n  --rotate-every <duration> is required (e.g. P90D, P30D, P1Y).\n"));
+    hint("ISO 8601 durations: P30D = 30 days, P90D = 90 days, P6M = 6 months, P1Y = 1 year\n");
+    process.exit(1);
+  }
+
+  banner(`Setting Rotation Policy — "${name}"`);
+  kvLine("Vault", DIM(vault));
+  kvLine("Key", chalk.bold.white(name));
+  kvLine("Rotate every", DIM(humanDuration(opts.rotateEvery)));
+  if (opts.expiresIn) kvLine("Key expiry", DIM(humanDuration(opts.expiresIn)));
+  if (opts.notifyBefore) kvLine("Notify before", DIM(humanDuration(opts.notifyBefore)));
+  console.log("");
+
+  await setRotationPolicyInner(execa, vault, name, sub, opts);
+  console.log("");
+}