@salefronts/cli 1.0.0

package/.nvmrc

@@ -0,0 +1 @@
+v22.12.0

package/bin/sf

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+
+const { spawn } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+if (!command) {
+  console.log('Usage: sf <command>');
+  process.exit(1);
+}
+
+const jsCommandPath = path.join(__dirname, '../commands', `${command}.js`);
+const shCommandPath = path.join(__dirname, '../commands', `${command}.sh`);
+
+if (fs.existsSync(jsCommandPath)) {
+  try {
+    const commandModule = require(jsCommandPath);
+    if (typeof commandModule === 'function') {
+      commandModule(args.slice(1));
+    } else {
+      console.error('Error: Command module is not a function.');
+    }
+  } catch (err) {
+    console.error('Error:', err.message);
+    process.exit(1);
+  }
+} else if (fs.existsSync(shCommandPath)) {
+  const bash = spawn('bash', [shCommandPath, ...args.slice(1)], {
+    stdio: 'inherit',
+  });
+
+  bash.on('exit', (code) => {
+    process.exit(code);
+  });
+} else {
+  console.error(`Unknown command: ${command}`);
+  process.exit(1);
+}

package/commands/help.js

@@ -0,0 +1,25 @@
+#!/usr/bin/env node
+
+const fs = require('fs');
+const path = require('path');
+
+// Helper function to display the general help
+function showHelp() {
+  console.log('Usage: sf <command>\n');
+  console.log('Available commands:');
+  console.log('  jwt         Generate JWT tokens');
+  console.log('  keypair     Generate public/private key pairs');
+  console.log('  passphrase  Generate secure passphrases');
+  console.log('  secret      Generate a random secret');
+  console.log('  ssh         Generate SSH key');;
+  console.log('  uuidv4      Generate a UUID v4');
+  console.log('  uuidv7      Generate a UUID v7');
+  console.log('  seal        Seal Kubernetes secrets');
+  console.log('  unseal      Unseal Kubernetes secrets');
+  console.log('  tag         Tagging version for the latest commit on main')
+}
+
+module.exports = async function () {
+  showHelp();
+  process.exit(0);
+}

package/commands/jwt.js

@@ -0,0 +1,39 @@
+const readline = require('readline');
+const jwt = require('jsonwebtoken');
+
+function ask(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => rl.question(question, (answer) => {
+    rl.close();
+    resolve(answer.trim());
+  }));
+}
+
+module.exports = async function () {
+  try {
+    const sub = await ask('Subject (sub): ');
+    if (!sub) {
+      console.error('Aborted: subject is required.');
+      return;
+    }
+
+    const secret = await ask('Secret: ');
+    if (!secret) {
+      console.error('Aborted: secret is required.');
+      return;
+    }
+
+    const expInput = await ask('Expiration in seconds (default 3600): ');
+    const exp = expInput ? parseInt(expInput, 10) : 3600;
+
+    const payload = {
+      sub,
+      exp: Math.floor(Date.now() / 1000) + exp,
+    };
+
+    const token = jwt.sign(payload, secret);
+    console.log('\nJWT:\n' + token);
+  } catch (err) {
+    console.error('Error:', err.message);
+  }
+};

package/commands/keypair.js

@@ -0,0 +1,63 @@
+const readline = require('readline');
+const { execSync } = require('child_process');
+const fs = require('fs');
+const niceware = require('niceware');
+
+function ask(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => rl.question(question, (answer) => {
+    rl.close();
+    resolve(answer.trim());
+  }));
+}
+
+module.exports = async function () {
+  try {
+    // 1. Ask if passphrase is needed
+    const passphraseAnswer = (await ask('Use passphrase? (y/N): ')).toLowerCase();
+    const usePassphrase = passphraseAnswer === 'y' || passphraseAnswer === 'yes';
+
+    let passphrase = null;
+    const tempPrivate = 'temp_private.pem';
+    const tempPublic = 'temp_public.pem';
+
+    // 2. Generate private key
+    if (usePassphrase) {
+      const words = niceware.generatePassphrase(6);
+      passphrase = words.join('-');
+      console.log(`Generated passphrase: ${passphrase}\n`);
+      execSync(`openssl genpkey -algorithm RSA -out ${tempPrivate} -aes256 -pass pass:${passphrase}`, { stdio: 'ignore' });
+    } else {
+      execSync(`openssl genpkey -algorithm RSA -out ${tempPrivate}`, { stdio: 'ignore' });
+    }
+
+    // 3. Generate public key
+    if (usePassphrase) {
+      execSync(`openssl rsa -pubout -in ${tempPrivate} -out ${tempPublic} -passin pass:${passphrase}`, { stdio: 'ignore' });
+    } else {
+      execSync(`openssl rsa -pubout -in ${tempPrivate} -out ${tempPublic}`, { stdio: 'ignore' });
+    }
+
+    // 4. Ask for file name
+    const name = await ask('File name (without extension): ');
+    if (!name) {
+      fs.unlinkSync(tempPrivate);
+      fs.unlinkSync(tempPublic);
+      return;
+    }
+
+    // 5. Rename files
+    const privateOut = `${name}_private_key.pem`;
+    const publicOut = `${name}_public_key.pem`;
+    fs.renameSync(tempPrivate, privateOut);
+    fs.renameSync(tempPublic, publicOut);
+
+    // 6. Write passphrase if needed
+    if (usePassphrase && passphrase) {
+      const passphraseFile = `${name}_passphrase.txt`;
+      fs.writeFileSync(passphraseFile, passphrase + '\n', { mode: 0o600 }); // restrict permissions
+    }
+  } catch (err) {
+    console.error('Error:', err.message);
+  }
+};

package/commands/passphrase.js

@@ -0,0 +1,18 @@
+const niceware = require('niceware');
+
+module.exports = function (args) {
+  // Default values
+  let wordCount = 5;
+  let separator = '-';
+
+  args.forEach(arg => {
+    if (arg.startsWith('-W=')) {
+      wordCount = parseInt(arg.split('=')[1], 10);
+    } else if (arg.startsWith('-S=')) {
+      separator = arg.split('=')[1];
+    }
+  });
+
+  const passphrase = niceware.generatePassphrase(wordCount * 2);
+  console.log(passphrase.join(separator));
+};

package/commands/seal.sh

@@ -0,0 +1,163 @@
+#!/bin/bash
+
+set -euo pipefail  # Safe mode
+
+# Ensure required dependencies are installed
+for cmd in kubectl yq jq kubeseal; do
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    echo "❌ Error: $cmd is required but not installed."
+    exit 1
+  fi
+done
+
+# Check if a file path is provided, otherwise prompt for it
+if [ -z "${1:-}" ]; then
+  echo -n "📄 Enter path to the secret file (e.g., secret.yaml): "
+  read SECRET_FILE
+else
+  SECRET_FILE=$1
+fi
+
+# Ensure the file exists
+if [ ! -f "$SECRET_FILE" ]; then
+  echo "❌ Error: File not found: $SECRET_FILE"
+  exit 1
+fi
+
+# Ensure the file is a Kubernetes Secret
+KIND=$(yq eval '.kind' "$SECRET_FILE")
+if [ "$KIND" != "Secret" ]; then
+  echo "❌ Error: File is not a Kubernetes Secret (found kind: $KIND)"
+  exit 1
+fi
+
+# Extract namespace and secret name
+NAMESPACE=$(yq eval '.metadata.namespace // "default"' "$SECRET_FILE")
+SECRET_NAME=$(yq eval '.metadata.name' "$SECRET_FILE")
+
+# Validate extracted values
+if [ -z "$SECRET_NAME" ]; then
+  echo "❌ Error: Could not extract secret name from $SECRET_FILE"
+  exit 1
+fi
+
+# Get the current Kubernetes cluster name
+CLUSTER_NAME=$(kubectl config current-context)
+
+if ! kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" >/dev/null 2>&1; then
+  echo "❗ Secret does not exist in cluster."
+  changes_detected=true
+else
+  # Extract and decode Kubernetes secret
+  K8S_SECRET_JSON=$(kubectl get secret "$SECRET_NAME" -n "$NAMESPACE" -o json)
+  K8S_SECRET_DATA=$(echo "$K8S_SECRET_JSON" | jq -r '.data | to_entries | map("\(.key) \(.value | @base64d)") | .[]')
+
+  # Extract `stringData` from input file while preserving order
+  FILE_SECRET_JSON=$(yq eval -o=json '.stringData // {}' "$SECRET_FILE")
+  FILE_SECRET_DATA=$(echo "$FILE_SECRET_JSON" | jq -r 'to_entries | map("\(.key) \(.value)") | .[]')
+
+  # Convert to associative arrays for easier comparison and maintain order
+  declare -A k8s_secret_map
+  while IFS= read -r line; do
+    key=$(echo "$line" | awk '{print $1}')
+    value=$(echo "$line" | cut -d' ' -f2-)
+    k8s_secret_map["$key"]="$value"
+  done <<< "$K8S_SECRET_DATA"
+
+  declare -A file_secret_map
+  declare -a file_secret_keys
+  while IFS= read -r line; do
+    key=$(echo "$line" | awk '{print $1}')
+    value=$(echo "$line" | cut -d' ' -f2-)
+    file_secret_map["$key"]="$value"
+    file_secret_keys+=("$key")
+  done <<< "$FILE_SECRET_DATA"
+
+  RED="\e[31m"
+  GREEN="\e[32m"
+  YELLOW="\e[33m"
+  MAGENTA="\e[35m"
+  BLUE="\e[34m"
+  RESET="\e[0m"
+
+  # Get terminal width
+  COLUMNS=$(tput cols)
+
+  # Function to truncate text with ellipses
+  truncate_text() {
+    local text="$1"
+    local max_length=$((COLUMNS - 20))  # Adjust based on your needs
+    if [ ${#text} -gt $max_length ]; then
+      echo "${text:0:$max_length}..."
+    else
+      echo "$text"
+    fi
+  }
+
+  # Compare and print secrets
+  changes_detected=false
+  for key in "${file_secret_keys[@]}"; do
+    if [[ -v k8s_secret_map["$key"] ]]; then
+      if [[ "${file_secret_map[$key]}" != "${k8s_secret_map[$key]}" ]]; then
+        changes_detected=true
+        break
+      fi
+    else
+      changes_detected=true
+      break
+    fi
+  done
+
+  for key in "${!k8s_secret_map[@]}"; do
+    if [[ ! -v file_secret_map["$key"] ]]; then
+      changes_detected=true
+      break
+    fi
+  done
+
+  if $changes_detected; then
+    echo -e "Comparing secrets...\n"
+    for key in "${file_secret_keys[@]}"; do
+      if [[ -v k8s_secret_map["$key"] ]]; then
+        if [[ "${file_secret_map[$key]}" == "${k8s_secret_map[$key]}" ]]; then
+          :
+          # truncated_value=$(truncate_text "${file_secret_map[$key]}")
+          # printf "• %s: %s\n" "$key" "$truncated_value"
+        else
+          printf "${YELLOW}🔄 %s:${RESET}\n" "$key"
+          printf "  ${MAGENTA}Old:${RESET} %s\n" "${k8s_secret_map[$key]}"
+          printf "  ${BLUE}New:${RESET} %s\n" "${file_secret_map[$key]}"
+        fi
+      else
+        printf "${GREEN}➕ %s:${RESET} %s\n" "$key" "${file_secret_map[$key]}"
+      fi
+    done
+
+    for key in "${!k8s_secret_map[@]}"; do
+      if [[ ! -v file_secret_map["$key"] ]]; then
+        printf "${RED}➖ %s:${RESET} %s\n" "$key" "${k8s_secret_map[$key]}"
+      fi
+    done
+  else
+    echo "😶 No changes detected!"
+  fi
+fi
+
+# Ask for confirmation to create a sealed secret
+echo
+echo -e "📂 Input File ($SECRET_FILE)"
+echo -e "🌎 K8s Secret ($SECRET_NAME in $NAMESPACE)"
+echo -e "🔗 Cluster: $CLUSTER_NAME"
+echo "Press Enter to create a Sealed Secret or Ctrl+C to cancel"
+read
+
+# Ensure output is a valid YAML
+OUTPUT_FILE="${SECRET_FILE/secret.yaml/sealed-secret.yaml}"
+kubeseal < "$SECRET_FILE" | yq eval -P > "$OUTPUT_FILE"
+
+if [ $? -eq 0 ]; then
+  echo "✅ Sealed secret successfully created: $OUTPUT_FILE (YAML format)"
+else
+  echo "❌ Error: Failed to create sealed secret."
+  exit 1
+fi

package/commands/secret.js

@@ -0,0 +1,10 @@
+const crypto = require('crypto');
+
+module.exports = function () {
+  const randomString = crypto.randomBytes(32)
+    .toString('base64')
+    .replace(/[^a-zA-Z0-9]/g, '')
+    .slice(0, 32);
+
+  console.log(randomString);
+};

package/commands/ssh.js

@@ -0,0 +1,30 @@
+const readline = require('readline');
+const { execSync } = require('child_process');
+
+function ask(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => rl.question(question, (answer) => {
+    rl.close();
+    resolve(answer.trim());
+  }));
+}
+
+module.exports = async function () {
+  try {
+    const filename = await ask('File name (without extension): ');
+    if (!filename) {
+      console.error('Cancelled: No file name provided.');
+      return;
+    }
+
+    const username = await ask('Username/Email (for comment): ');
+    if (!username) {
+      console.error('Cancelled: No username provided.');
+      return;
+    }
+
+    execSync(`ssh-keygen -t rsa -b 4096 -f ${filename} -C "${username}"`, { stdio: 'inherit' });
+  } catch (err) {
+    console.error('Error generating SSH key:', err.message);
+  }
+};

package/commands/tag.js

@@ -0,0 +1,118 @@
+#!/usr/bin/env node
+
+const { execSync } = require("child_process");
+const readline = require("readline");
+
+function runCommand(cmd, allowError = false) {
+  try {
+    return execSync(cmd, { encoding: "utf-8" }).trim();
+  } catch (error) {
+    if (!allowError) {    
+      console.error(`❌ Error running command: ${cmd}`);
+    }
+    return "";
+  }
+}
+
+function getLatestGlobalTag() {
+  const tags = runCommand("git tag", true)
+    .split("\n")
+    .filter(tag => /^v\d{6}\.\d+$/.test(tag)) // match vYYMMDD.N
+    .sort((a, b) => a.localeCompare(b, undefined, { numeric: true }))
+    .filter(Boolean);
+
+  return tags[tags.length - 1] || "";
+}
+
+function getNextGlobalTag() {
+  const today = new Intl.DateTimeFormat("vi-VN", {
+    timeZone: "Asia/Ho_Chi_Minh",
+    year: "2-digit",
+    month: "2-digit",
+    day: "2-digit",
+  })
+    .format(new Date())
+    .split("/")
+    .reverse()
+    .join(""); // YYMMDD
+
+  const lastTag = getLatestGlobalTag();
+
+  let nextNumber = 1;
+  if (lastTag) {
+    const lastNumber = parseInt(lastTag.split(".")[1], 10);
+    nextNumber = lastNumber + 1;
+  }
+
+  return `v${today}.${nextNumber}`;
+}
+
+function getLastTaggableCommitOnMain() {
+  const commits = runCommand(`git log origin/main --pretty=format:"%h%x09%s"`).split("\n");
+
+  for (const line of commits) {
+    const [hash, message] = line.trim().split("\t");
+    if (!/skip-ci/i.test(message)) {
+      return { hash, message };
+    }
+  }
+
+  console.error("❌ No suitable commit found on origin/main without 'skip-ci' in the message.");
+  return null;
+}
+
+function tagLatestCommitOnMain(tag) {
+  const result = getLastTaggableCommitOnMain();
+  if (!result) return;
+
+  const { hash, message } = result;
+
+  const tagsOnCommit = runCommand(`git tag --contains ${hash}`, true)
+    .split("\n")
+    .filter(Boolean);
+
+  if (tagsOnCommit.length > 0) {
+    console.error(`❌ Commit ${hash} - ${message} is already tagged with: ${tagsOnCommit.join(", ")}`);
+    return;
+  }
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  rl.question(
+    `👉 New tag will be: ${tag}\nTag commit: ${hash} - ${message}\nPress Enter to confirm, or Ctrl+C to cancel: `,
+    () => {
+      runCommand(`git tag ${tag} ${hash}`);
+      runCommand(`git push origin ${tag}`);
+      console.log(`✅ Tagged ${hash} on origin/main with ${tag}`);
+      rl.close();
+    }
+  );
+}
+function isGitRepo() {
+  try {
+    const result = execSync('git rev-parse --is-inside-work-tree', { stdio: 'pipe' })
+      .toString()
+      .trim();
+    return result === 'true';
+  } catch {
+    return false;
+  }
+}
+function fetchOriginMain() {
+  if (!isGitRepo()) {
+    console.error("❌ Not a git repository.");
+    process.exit(1);
+  }
+
+  console.log("📥 Fetching latest from origin...");
+  runCommand("git fetch origin main");
+}
+
+module.exports = function () {
+  fetchOriginMain();
+  const tag = getNextGlobalTag();
+  tagLatestCommitOnMain(tag);
+};

package/commands/unseal.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+fetch_secret() {
+    local sealed_secret_path=$1
+
+    # Prompt if no path provided
+    while [[ -z "$sealed_secret_path" ]]; do
+        echo -n "📄 Enter path to the SealedSecret YAML file: "
+        read sealed_secret_path
+    done
+
+    # Ensure file exists
+    if [[ ! -f "$sealed_secret_path" ]]; then
+        echo "❌ File not found: $sealed_secret_path"
+        exit 1
+    fi
+
+    if ! cat "$sealed_secret_path" | kubeseal --validate; then
+        echo "❌ SealedSecret validation failed for: $sealed_secret_path"
+        exit 1
+    fi
+
+    # Check if the kind of the file is SealedSecret
+    local kind=$(yq eval '.kind' "$sealed_secret_path")
+    if [[ "$kind" != "SealedSecret" ]]; then
+        echo "❌ The file is not a SealedSecret."
+        exit 1
+    fi
+
+    # Derive the secret_output_path by removing 'sealed-' from the sealed_secret_path
+    local secret_output_path="${sealed_secret_path/sealed-/}"
+
+    # Extract name and namespace from spec.template.metadata
+    local secret_name=$(yq eval '.spec.template.metadata.name // ""' "$sealed_secret_path")
+    local secret_namespace=$(yq eval '.spec.template.metadata.namespace // ""' "$sealed_secret_path")
+
+    if [[ -z "$secret_name" || -z "$secret_namespace" ]]; then
+        echo "❌ Missing name or namespace in spec.template.metadata."
+        exit 1
+    fi
+
+    echo "📡 Fetching secret: $secret_name from namespace: $secret_namespace"
+
+    # Fetch the secret from Kubernetes
+    raw_secret=$(kubectl get secret "$secret_name" -n "$secret_namespace" -o yaml 2>/dev/null)
+
+    if [[ -z "$raw_secret" ]]; then
+        echo "❌ Failed to fetch the secret from Kubernetes."
+        exit 1
+    fi
+
+    # Extract the encryptedData keys into a list of strings
+    encrypted_data_keys=$(yq eval -o=json '.spec.encryptedData | keys' "$sealed_secret_path" | jq -c '.')
+
+    # Extract metadata from the sealed secret and convert it to JSON
+    metadata_json=$(yq eval '.spec.template.metadata' "$sealed_secret_path" | yq eval -o=json)
+
+    # Construct new Secret YAML
+    echo "$raw_secret" | yq eval "
+        .apiVersion = \"v1\" |
+        .kind = \"Secret\" |
+        .metadata = $metadata_json |
+        del(.metadata.creationTimestamp) |
+        .stringData = (.data | with_entries(select(.key as \$k | ($encrypted_data_keys | map(select(. == \$k))) | length > 0) | .value |= @base64d)) |
+        del(.data)
+    " - > "$secret_output_path"
+
+    if [[ $? -ne 0 ]]; then
+        echo "❌ Failed to process the secret."
+        exit 1
+    fi
+
+    echo "✅ Secret has been written to: $secret_output_path"
+}
+
+# Accept path as optional argument
+sealed_secret_path="$1"
+fetch_secret "$sealed_secret_path"

package/commands/uuidv4.js

@@ -0,0 +1,11 @@
+const { uuidv4 } = require('uuidv7');
+
+module.exports = function () {
+  try {
+    const uuid = uuidv4()
+    console.log(uuid);
+  } catch (err) {
+    console.error('Error generating UUID:', err.message);
+    process.exit(1);
+  }
+};

package/commands/uuidv7.js

@@ -0,0 +1,11 @@
+const { uuidv7 } = require('uuidv7');
+
+module.exports = function () {
+  try {
+    const uuid = uuidv7()
+    console.log(uuid);
+  } catch (err) {
+    console.error('Error generating UUID:', err.message);
+    process.exit(1);
+  }
+};

package/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@salefronts/cli",
+  "version": "1.0.0",
+  "bin": {
+    "sf": "bin/sf"
+  },
+  "scripts": {
+    "postinstall": "chmod +x bin/sf",
+    "publish": "publish --access public"
+  },
+  "dependencies": {
+    "jsonwebtoken": "^9.0.2",
+    "niceware": "^4.0.0",
+    "uuidv7": "~1.0.2"
+  }
+}