@meshxdata/fops 0.1.49 → 0.1.50

package/src/plugins/bundled/fops-plugin-azure/lib/azure-keyvault.js

@@ -2,6 +2,17 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import chalk from "chalk";
+import {
+  resolveVault, shortDate,
+  keyList, keyShow, keyCreate, keyRotate,
+  keyRotationPolicyShow, keyRotationPolicySet,
+} from "./azure-keyvault-keys.js";
+
+// Re-export key functions for backwards compatibility
+export {
+  keyList, keyShow, keyCreate, keyRotate,
+  keyRotationPolicyShow, keyRotationPolicySet,
+} from "./azure-keyvault-keys.js";
 
 const DIM = chalk.dim;
 const OK = chalk.green;
@@ -51,44 +62,7 @@ async function ensureAzAuth(execa, { subscription } = {}) {
   }
 }
 
-function shortDate(val) {
-  if (!val) return "—";
-  const d = typeof val === "number" ? new Date(val * 1000) : new Date(val);
-  if (isNaN(d.getTime())) return String(val);
-  return d.toLocaleString();
-}
-
-// ── Vault resolver ──────────────────────────────────────────────────────────
-
-async function resolveVault(execa, explicit, sub) {
-  if (explicit) return explicit;
-
-  hint("No --vault given, listing vaults…");
-  const { stdout } = await execa("az", [
-    "keyvault", "list", "--query", "[].{name:name, location:location}",
-    "--output", "json", ...subArgs(sub),
-  ], { timeout: 30000 });
-  const vaults = JSON.parse(stdout);
-
-  if (vaults.length === 0) {
-    console.error(chalk.red("\n  No Key Vaults found in this subscription.\n"));
-    hint("Create one: fops azure keyvault create <name> --resource-group <rg> --location <region>\n");
-    process.exit(1);
-  }
-  if (vaults.length === 1) {
-    hint(`Using vault: ${vaults[0].name}`);
-    return vaults[0].name;
-  }
-
-  const { resolveCliSrc } = await import("./azure-helpers.js");
-  const { selectOption } = await import(resolveCliSrc("ui/confirm.js"));
-  const selected = await selectOption(
-    "Select Key Vault",
-    vaults.map((v) => ({ label: `${v.name}  ${DIM(v.location)}`, value: v.name })),
-  );
-  if (!selected) { console.log(DIM("\n  Cancelled.\n")); process.exit(0); }
-  return selected;
-}
+// shortDate and resolveVault imported from azure-keyvault-keys.js
 
 async function resolveResourceGroup(execa, explicit, sub) {
   if (explicit) return explicit;
@@ -494,367 +468,8 @@ export async function secretDelete(opts = {}) {
   hint(`Recover: az keyvault secret recover --vault-name ${vault} --name ${name}\n`);
 }
 
-// ═══════════════════════════════════════════════════════════════════════════
-// Key operations (with auto-rotation)
-// ═══════════════════════════════════════════════════════════════════════════
-
-export async function keyList(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-
-  banner(`Keys in "${vault}"`);
-
-  const { stdout, exitCode, stderr } = await execa("az", [
-    "keyvault", "key", "list", "--vault-name", vault,
-    "--output", "json", ...subArgs(sub),
-  ], { timeout: 30000, reject: false });
-
-  if (exitCode !== 0) {
-    const msg = (stderr || "").includes("Forbidden")
-      ? `Access denied — you need "Key Vault Crypto Officer" or "Key Vault Reader" role on "${vault}"`
-      : (stderr || "").split("\n")[0];
-    console.error(chalk.red(`\n  ✗ ${msg}\n`));
-    hint(`Grant access: az role assignment create --assignee <your-object-id> --role "Key Vault Crypto Officer" --scope $(az keyvault show --name ${vault} --query id -o tsv)`);
-    console.log("");
-    process.exit(1);
-  }
-
-  const keys = JSON.parse(stdout);
-  if (!keys.length) {
-    hint("No keys found.\n");
-    return;
-  }
-
-  const nameWidth = Math.min(50, Math.max(20, ...keys.map((k) => {
-    const name = k.kid?.split("/").pop() || k.name || "—";
-    return name.length;
-  })));
-
-  for (const k of keys) {
-    const name = k.kid?.split("/").pop() || k.name || "—";
-    const enabled = k.attributes?.enabled !== false;
-    const updated = shortDate(k.attributes?.updated || k.attributes?.created);
-    const managed = k.managed ? DIM(" [managed]") : "";
-    const status = enabled ? "" : WARN(" [disabled]");
-
-    console.log(`  ${chalk.bold.white(name.padEnd(nameWidth))}  ${DIM(updated)}${status}${managed}`);
-  }
-  console.log(DIM(`\n  ${keys.length} key(s)`));
-  hint(`Details: fops azure keyvault key show <name> --vault ${vault}\n`);
-}
-
-export async function keyShow(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-  const { name } = opts;
-  if (!name) {
-    console.error(chalk.red("\n  Key name is required.\n"));
-    process.exit(1);
-  }
-
-  const [keyResult, policyResult] = await Promise.allSettled([
-    execa("az", [
-      "keyvault", "key", "show", "--vault-name", vault,
-      "--name", name, "--output", "json", ...subArgs(sub),
-    ], { timeout: 30000, reject: false }),
-    execa("az", [
-      "keyvault", "key", "rotation-policy", "show", "--vault-name", vault,
-      "--name", name, "--output", "json", ...subArgs(sub),
-    ], { timeout: 15000, reject: false }),
-  ]);
-
-  if (keyResult.status === "rejected" || keyResult.value.exitCode !== 0) {
-    const stderr = keyResult.value?.stderr || keyResult.reason?.message || "";
-    const msg = stderr.includes("KeyNotFound")
-      ? `Key "${name}" not found in vault "${vault}"`
-      : stderr.split("\n")[0];
-    console.error(chalk.red(`\n  ✗ ${msg}\n`));
-    process.exit(1);
-  }
-
-  const k = JSON.parse(keyResult.value.stdout);
-  const keyProps = k.key || {};
-
-  banner(`Key — "${name}"`);
-  kvLine("Vault", DIM(vault));
-  kvLine("Name", chalk.bold.white(name));
-  kvLine("Type", DIM(keyProps.kty || "—"));
-  if (keyProps.kty?.startsWith("RSA")) kvLine("Size", DIM(String(keyProps.n ? Math.ceil(keyProps.n.length * 6 / 8) * 8 : "—")));
-  if (keyProps.kty?.startsWith("EC")) kvLine("Curve", DIM(keyProps.crv || "—"));
-  kvLine("Operations", DIM((keyProps.keyOps || []).join(", ") || "—"));
-  kvLine("Enabled", k.attributes?.enabled !== false ? OK("true") : WARN("false"));
-  kvLine("Created", DIM(shortDate(k.attributes?.created)));
-  kvLine("Updated", DIM(shortDate(k.attributes?.updated)));
-  if (k.attributes?.expires) kvLine("Expires", DIM(shortDate(k.attributes.expires)));
-  kvLine("Version", DIM((k.key?.kid || k.kid || "").split("/").pop() || "—"));
-
-  // Rotation policy
-  console.log("");
-  if (policyResult.status === "fulfilled" && policyResult.value.exitCode === 0) {
-    const policy = JSON.parse(policyResult.value.stdout);
-    const actions = policy.lifetimeActions || [];
-    const expiry = policy.expiresIn || policy.attributes?.expiryTime;
-
-    console.log(ACCENT("  Rotation Policy"));
-    kvLine("  Expiry", DIM(expiry ? humanDuration(expiry) : "none"));
-
-    if (actions.length === 0) {
-      kvLine("  Actions", DIM("none"));
-    }
-    for (const a of actions) {
-      const actionType = a.action?.type || a.action || "?";
-      const trigger = (a.timeAfterCreate || a.trigger?.timeAfterCreate)
-        ? `${humanDuration(a.timeAfterCreate || a.trigger?.timeAfterCreate)} after create`
-        : (a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)
-          ? `${humanDuration(a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)} before expiry`
-          : "—";
-      kvLine(`  ${actionType}`, DIM(trigger));
-    }
-  } else {
-    console.log(DIM("  Rotation Policy  none"));
-    hint(`Enable: fops azure keyvault key rotation-policy set ${name} --vault ${vault} --rotate-every P90D`);
-  }
-  console.log("");
-}
-
-export async function keyCreate(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-  const { name } = opts;
-  if (!name) {
-    console.error(chalk.red("\n  Key name is required.\n"));
-    process.exit(1);
-  }
-
-  const kty = opts.type || "RSA";
-  const size = opts.size || (kty.startsWith("RSA") ? "2048" : undefined);
-  const curve = opts.curve || (kty.startsWith("EC") ? "P-256" : undefined);
-  const ops = opts.ops || "encrypt decrypt sign verify wrapKey unwrapKey";
-
-  banner("Creating Key");
-  kvLine("Name", chalk.bold.white(name));
-  kvLine("Vault", DIM(vault));
-  kvLine("Type", DIM(kty));
-  if (size) kvLine("Size", DIM(size));
-  if (curve) kvLine("Curve", DIM(curve));
-  kvLine("Operations", DIM(ops));
-  if (opts.rotateEvery) kvLine("Auto-rotate", DIM(humanDuration(opts.rotateEvery)));
-  if (opts.expiresIn) kvLine("Expiry", DIM(humanDuration(opts.expiresIn)));
-  console.log("");
-
-  // 1. Create the key
-  const args = [
-    "keyvault", "key", "create", "--vault-name", vault,
-    "--name", name, "--kty", kty, "--output", "json", ...subArgs(sub),
-  ];
-  if (size && kty.startsWith("RSA")) args.push("--size", size);
-  if (curve && kty.startsWith("EC")) args.push("--curve", curve);
-  if (opts.ops) args.push("--ops", ...ops.split(/[\s,]+/));
-  if (opts.disabled) args.push("--disabled", "true");
-  if (opts.expiresIn) args.push("--expires", computeExpiryDate(opts.expiresIn));
-
-  const { stdout, exitCode, stderr } = await execa("az", args, { timeout: 30000, reject: false });
-  if (exitCode !== 0) {
-    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
-    process.exit(1);
-  }
-
-  const k = JSON.parse(stdout);
-  console.log(OK(`  ✓ Key "${name}" created`));
-  kvLine("Version", DIM(k.key?.kid?.split("/").pop() || "—"));
-
-  // 2. Set rotation policy if requested
-  if (opts.rotateEvery) {
-    await setRotationPolicyInner(execa, vault, name, sub, {
-      rotateEvery: opts.rotateEvery,
-      expiresIn: opts.expiresIn,
-      notifyBefore: opts.notifyBefore,
-    });
-  }
-  console.log("");
-  hint(`Show:    fops azure keyvault key show ${name} --vault ${vault}`);
-  hint(`Rotate:  fops azure keyvault key rotate ${name} --vault ${vault}\n`);
-}
-
-export async function keyRotate(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-  const { name } = opts;
-  if (!name) {
-    console.error(chalk.red("\n  Key name is required.\n"));
-    process.exit(1);
-  }
-
-  hint(`Rotating key "${name}"…`);
-  const { stdout, exitCode, stderr } = await execa("az", [
-    "keyvault", "key", "rotate", "--vault-name", vault,
-    "--name", name, "--output", "json", ...subArgs(sub),
-  ], { timeout: 30000, reject: false });
-
-  if (exitCode !== 0) {
-    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
-    process.exit(1);
-  }
-
-  const k = JSON.parse(stdout);
-  console.log(OK(`  ✓ Key "${name}" rotated — new version: ${k.key?.kid?.split("/").pop() || "?"}\n`));
-}
-
-export async function keyRotationPolicyShow(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-  const { name } = opts;
-  if (!name) {
-    console.error(chalk.red("\n  Key name is required.\n"));
-    process.exit(1);
-  }
-
-  const { stdout, exitCode, stderr } = await execa("az", [
-    "keyvault", "key", "rotation-policy", "show", "--vault-name", vault,
-    "--name", name, "--output", "json", ...subArgs(sub),
-  ], { timeout: 15000, reject: false });
-
-  if (exitCode !== 0) {
-    console.error(chalk.red(`\n  ✗ ${(stderr || "").split("\n")[0]}\n`));
-    process.exit(1);
-  }
-
-  const policy = JSON.parse(stdout);
-  const actions = policy.lifetimeActions || [];
-  const expiry = policy.expiresIn || policy.attributes?.expiryTime;
-
-  banner(`Rotation Policy — "${name}"`);
-  kvLine("Vault", DIM(vault));
-  kvLine("Key", chalk.bold.white(name));
-  kvLine("Expiry", DIM(expiry ? humanDuration(expiry) : "none"));
-  console.log("");
-
-  if (actions.length === 0) {
-    hint("No rotation actions configured.");
-  } else {
-    for (const a of actions) {
-      const actionType = a.action?.type || a.action || "?";
-      const trigger = (a.timeAfterCreate || a.trigger?.timeAfterCreate)
-        ? `${humanDuration(a.timeAfterCreate || a.trigger?.timeAfterCreate)} after create`
-        : (a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)
-          ? `${humanDuration(a.timeBeforeExpiry || a.trigger?.timeBeforeExpiry)} before expiry`
-          : "—";
-      kvLine(`  ${actionType}`, DIM(trigger));
-    }
-  }
-  console.log("");
-  hint(`Update: fops azure keyvault key rotation-policy set ${name} --vault ${vault} --rotate-every P90D`);
-  hint(`Rotate now: fops azure keyvault key rotate ${name} --vault ${vault}\n`);
-}
-
-export async function keyRotationPolicySet(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const vault = await resolveVault(execa, opts.vault, sub);
-  const { name } = opts;
-  if (!name) {
-    console.error(chalk.red("\n  Key name is required.\n"));
-    process.exit(1);
-  }
-
-  if (!opts.rotateEvery) {
-    console.error(chalk.red("\n  --rotate-every <duration> is required (e.g. P90D, P30D, P1Y).\n"));
-    hint("ISO 8601 durations: P30D = 30 days, P90D = 90 days, P6M = 6 months, P1Y = 1 year\n");
-    process.exit(1);
-  }
-
-  banner(`Setting Rotation Policy — "${name}"`);
-  kvLine("Vault", DIM(vault));
-  kvLine("Key", chalk.bold.white(name));
-  kvLine("Rotate every", DIM(humanDuration(opts.rotateEvery)));
-  if (opts.expiresIn) kvLine("Key expiry", DIM(humanDuration(opts.expiresIn)));
-  if (opts.notifyBefore) kvLine("Notify before", DIM(humanDuration(opts.notifyBefore)));
-  console.log("");
-
-  await setRotationPolicyInner(execa, vault, name, sub, opts);
-  console.log("");
-}
-
-async function setRotationPolicyInner(execa, vault, name, sub, opts) {
-  const lifetimeActions = [
-    {
-      trigger: { timeAfterCreate: opts.rotateEvery },
-      action: { type: "Rotate" },
-    },
-  ];
-
-  if (opts.notifyBefore || opts.expiresIn) {
-    lifetimeActions.push({
-      trigger: { timeBeforeExpiry: opts.notifyBefore || "P30D" },
-      action: { type: "Notify" },
-    });
-  }
-
-  const policy = { lifetimeActions };
-  if (opts.expiresIn) {
-    policy.attributes = { expiryTime: opts.expiresIn };
-  }
-
-  const policyJson = JSON.stringify(policy);
-
-  const { exitCode, stderr } = await execa("az", [
-    "keyvault", "key", "rotation-policy", "update", "--vault-name", vault,
-    "--name", name, "--value", policyJson, "--output", "none", ...subArgs(sub),
-  ], { timeout: 30000, reject: false });
-
-  if (exitCode !== 0) {
-    console.log(WARN(`  ⚠ Rotation policy failed: ${(stderr || "").split("\n")[0]}`));
-    hint("Ensure the vault uses premium SKU for HSM keys, and key type supports rotation.");
-    return;
-  }
-
-  console.log(OK(`  ✓ Rotation policy set — auto-rotate every ${humanDuration(opts.rotateEvery)}`));
-  if (opts.expiresIn) console.log(OK(`  ✓ Key expiry: ${humanDuration(opts.expiresIn)}`));
-}
-
-function humanDuration(iso) {
-  if (!iso) return "—";
-  const m = iso.match(/^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$/i);
-  if (!m) return iso;
-  const parts = [];
-  if (m[1]) parts.push(`${m[1]} year${m[1] === "1" ? "" : "s"}`);
-  if (m[2]) parts.push(`${m[2]} month${m[2] === "1" ? "" : "s"}`);
-  if (m[3]) parts.push(`${m[3]} day${m[3] === "1" ? "" : "s"}`);
-  return parts.join(", ") || iso;
-}
-
-function computeExpiryDate(isoDuration) {
-  const m = isoDuration.match(/^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$/i);
-  if (!m) return new Date(Date.now() + 365 * 86400000).toISOString().replace(/\.\d{3}Z$/, "Z");
-  const d = new Date();
-  if (m[1]) d.setFullYear(d.getFullYear() + Number(m[1]));
-  if (m[2]) d.setMonth(d.getMonth() + Number(m[2]));
-  if (m[3]) d.setDate(d.getDate() + Number(m[3]));
-  return d.toISOString().replace(/\.\d{3}Z$/, "Z");
-}
+// Key operations (keyList, keyShow, keyCreate, keyRotate, keyRotationPolicyShow, keyRotationPolicySet)
+// are now in azure-keyvault-keys.js and re-exported above for backwards compatibility
 
 // ═══════════════════════════════════════════════════════════════════════════
 // .env.keyvault template sync (mirrors 1Password plugin pattern)