env-secrets 0.3.2 → 0.4.0

package/__e2e__/index.test.ts

@@ -2,6 +2,7 @@ import {
   LocalStackHelper,
   cli,
   cliWithEnv,
+  cliWithEnvAndStdin,
   createTempFile,
   cleanupTempFile,
   createTestProfile,
@@ -332,7 +333,157 @@ describe('End-to-End Tests', () => {
         const result = await cliWithEnv(['aws'], getLocalStackEnv());
 
         expect(result.code).toBe(1);
-        expect(result.stderr).toContain('required option');
+        expect(result.stderr).toContain('Missing required option --secret');
+      });
+    });
+
+    describe('AWS Secret Management Commands', () => {
+      test('should create, list, get, and delete a secret', async () => {
+        const secretName = `e2e-managed-secret-${Date.now()}`;
+
+        const createResult = await cliWithEnv(
+          ['aws', 'secret', 'create', '-n', secretName, '-v', 'initial-value'],
+          getLocalStackEnv()
+        );
+
+        expect(createResult.code).toBe(0);
+        expect(createResult.stdout).toContain(secretName);
+
+        const listResult = await cliWithEnv(
+          ['aws', 'secret', 'list', '--prefix', 'e2e-managed-secret-'],
+          getLocalStackEnv()
+        );
+        expect(listResult.code).toBe(0);
+        expect(listResult.stdout).toContain(secretName);
+
+        const getResult = await cliWithEnv(
+          ['aws', 'secret', 'get', '-n', secretName],
+          getLocalStackEnv()
+        );
+        expect(getResult.code).toBe(0);
+        expect(getResult.stdout).toContain(secretName);
+        expect(getResult.stdout).not.toContain('initial-value');
+
+        const deleteResult = await cliWithEnv(
+          [
+            'aws',
+            'secret',
+            'delete',
+            '-n',
+            secretName,
+            '--force-delete-without-recovery',
+            '--yes'
+          ],
+          getLocalStackEnv()
+        );
+        expect(deleteResult.code).toBe(0);
+      });
+
+      test('should update secret value from stdin', async () => {
+        const secret = await createTestSecret({
+          name: `managed-secret-stdin-${Date.now()}`,
+          value: 'initial-value',
+          description: 'Secret for stdin update test'
+        });
+
+        const updateResult = await cliWithEnvAndStdin(
+          [
+            'aws',
+            'secret',
+            'update',
+            '-n',
+            secret.prefixedName,
+            '--value-stdin'
+          ],
+          getLocalStackEnv(),
+          'stdin-updated-value'
+        );
+
+        expect(updateResult.code).toBe(0);
+        expect(updateResult.stderr).toBe('');
+
+        const deleteResult = await cliWithEnv(
+          [
+            'aws',
+            'secret',
+            'delete',
+            '-n',
+            secret.prefixedName,
+            '--force-delete-without-recovery',
+            '--yes'
+          ],
+          getLocalStackEnv()
+        );
+        expect(deleteResult.code).toBe(0);
+      });
+
+      test('should require confirmation for delete', async () => {
+        const secret = await createTestSecret({
+          name: `managed-secret-confirm-${Date.now()}`,
+          value: 'value',
+          description: 'Secret for delete confirmation test'
+        });
+
+        const result = await cliWithEnv(
+          ['aws', 'secret', 'delete', '-n', secret.prefixedName],
+          getLocalStackEnv()
+        );
+
+        expect(result.code).toBe(1);
+        expect(result.stderr).toContain('requires --yes confirmation');
+      });
+
+      test('should honor region flag for secret list across multiple regions', async () => {
+        const secret = await createTestSecret(
+          {
+            name: `managed-secret-multi-region-${Date.now()}`,
+            value: '{"region":"us-west-2"}',
+            description: 'Secret used for region isolation test'
+          },
+          'us-west-2'
+        );
+
+        const westResult = await cliWithEnv(
+          [
+            'aws',
+            'secret',
+            'list',
+            '--prefix',
+            secret.prefixedName,
+            '-r',
+            'us-west-2',
+            '--output',
+            'json'
+          ],
+          getLocalStackEnv()
+        );
+        expect(westResult.code).toBe(0);
+        const westRows = JSON.parse(westResult.stdout) as Array<{
+          name: string;
+        }>;
+        expect(westRows.some((row) => row.name === secret.prefixedName)).toBe(
+          true
+        );
+
+        const eastResult = await cliWithEnv(
+          [
+            'aws',
+            'secret',
+            'list',
+            '--prefix',
+            secret.prefixedName,
+            '-r',
+            'us-east-1',
+            '--output',
+            'json'
+          ],
+          getLocalStackEnv()
+        );
+        expect(eastResult.code).toBe(0);
+        const eastRows = JSON.parse(eastResult.stdout) as Array<{
+          name: string;
+        }>;
+        expect(eastRows).toEqual([]);
       });
     });
   });

package/__e2e__/utils/test-utils.ts

@@ -1,4 +1,4 @@
-import { exec } from 'child_process';
+import { exec, spawn } from 'child_process';
 import { promisify } from 'util';
 import * as path from 'path';
 import * as fs from 'fs';
@@ -506,6 +506,66 @@ export async function cliWithEnv(
   });
 }
 
+export async function cliWithEnvAndStdin(
+  args: string[],
+  env: Record<string, string>,
+  stdin: string,
+  cwd = '.'
+): Promise<CliResult> {
+  return await new Promise((resolve) => {
+    const cleanEnv = { ...process.env };
+    delete cleanEnv.AWS_PROFILE;
+    delete cleanEnv.AWS_DEFAULT_PROFILE;
+    delete cleanEnv.AWS_SESSION_TOKEN;
+    delete cleanEnv.AWS_SECURITY_TOKEN;
+    delete cleanEnv.AWS_ROLE_ARN;
+    delete cleanEnv.AWS_ROLE_SESSION_NAME;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN_FILE;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN;
+
+    const defaultEnv = {
+      AWS_ENDPOINT_URL: process.env.LOCALSTACK_URL || 'http://localhost:4566',
+      AWS_ACCESS_KEY_ID: 'test',
+      AWS_SECRET_ACCESS_KEY: 'test',
+      AWS_DEFAULT_REGION: 'us-east-1',
+      AWS_REGION: 'us-east-1',
+      NODE_ENV: 'test'
+    };
+
+    const envVars = { ...cleanEnv, ...defaultEnv, ...env };
+    const child = spawn('node', [path.resolve('./dist/index'), ...args], {
+      cwd,
+      env: envVars,
+      stdio: 'pipe'
+    });
+
+    let stdout = '';
+    let stderr = '';
+    let error: Error | null = null;
+
+    child.stdout.on('data', (chunk) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on('data', (chunk) => {
+      stderr += chunk.toString();
+    });
+    child.on('error', (err) => {
+      error = err;
+    });
+    child.on('close', (code) => {
+      resolve({
+        code: code ?? (error ? 1 : 0),
+        error,
+        stdout,
+        stderr
+      });
+    });
+
+    child.stdin.write(stdin);
+    child.stdin.end();
+  });
+}
+
 export function createTempFile(content: string) {
   const tempDir = os.tmpdir();
   const tempFile = path.join(tempDir, `env-secrets-test-${Date.now()}.env`);

package/__tests__/cli/helpers.test.ts

@@ -0,0 +1,129 @@
+import { PassThrough } from 'node:stream';
+
+import {
+  asOutputFormat,
+  parseRecoveryDays,
+  printData,
+  readStdin,
+  renderTable,
+  resolveAwsScope,
+  resolveSecretValue
+} from '../../src/cli/helpers';
+
+describe('cli/helpers', () => {
+  it('validates output format', () => {
+    expect(asOutputFormat('json')).toBe('json');
+    expect(asOutputFormat('table')).toBe('table');
+    expect(() => asOutputFormat('xml')).toThrow('Invalid output format');
+  });
+
+  it('renders empty table message', () => {
+    const output = renderTable([{ key: 'name', label: 'Name' }], []);
+    expect(output).toBe('No results.');
+  });
+
+  it('renders aligned table output', () => {
+    const output = renderTable(
+      [
+        { key: 'name', label: 'Name' },
+        { key: 'value', label: 'Value' }
+      ],
+      [{ name: 'one', value: '1' }]
+    );
+
+    expect(output).toContain('Name');
+    expect(output).toContain('Value');
+    expect(output).toContain('one');
+  });
+
+  it('prints JSON output', () => {
+    const consoleSpy = jest
+      .spyOn(console, 'log')
+      .mockImplementation(() => undefined);
+
+    printData('json', [{ key: 'name', label: 'Name' }], [{ name: 'value' }]);
+
+    expect(consoleSpy).toHaveBeenCalledWith(
+      JSON.stringify([{ name: 'value' }], null, 2)
+    );
+    consoleSpy.mockRestore();
+  });
+
+  it('parses valid recovery days and rejects invalid values', () => {
+    expect(parseRecoveryDays('7')).toBe(7);
+    expect(parseRecoveryDays('30')).toBe(30);
+    expect(() => parseRecoveryDays('6')).toThrow();
+    expect(() => parseRecoveryDays('31')).toThrow();
+    expect(() => parseRecoveryDays('abc')).toThrow();
+  });
+
+  it('reads stdin content and strips one trailing newline', async () => {
+    const stream = new PassThrough();
+    const promise = readStdin(stream as unknown as NodeJS.ReadStream);
+
+    stream.write('secret-value\n');
+    stream.end();
+
+    await expect(promise).resolves.toBe('secret-value');
+  });
+
+  it('resolves secret value from explicit --value', async () => {
+    await expect(resolveSecretValue('inline', false)).resolves.toBe('inline');
+  });
+
+  it('rejects when both --value and --value-stdin are used', async () => {
+    await expect(resolveSecretValue('inline', true)).rejects.toThrow(
+      'Use either --value or --value-stdin, not both.'
+    );
+  });
+
+  it('rejects stdin mode when no stdin is provided', async () => {
+    const originalStdin = process.stdin;
+    Object.defineProperty(process, 'stdin', {
+      value: { ...originalStdin, isTTY: true },
+      configurable: true
+    });
+
+    await expect(resolveSecretValue(undefined, true)).rejects.toThrow(
+      'No stdin detected. Pipe a value when using --value-stdin.'
+    );
+
+    Object.defineProperty(process, 'stdin', {
+      value: originalStdin,
+      configurable: true
+    });
+  });
+
+  it('prefers explicit aws scope options over global options', () => {
+    const command = {
+      optsWithGlobals: () => ({
+        profile: 'global-profile',
+        region: 'us-west-2'
+      })
+    };
+
+    expect(
+      resolveAwsScope(
+        { profile: 'local-profile', region: 'us-east-1' },
+        command
+      )
+    ).toEqual({
+      profile: 'local-profile',
+      region: 'us-east-1'
+    });
+  });
+
+  it('falls back to global aws scope options when local options are absent', () => {
+    const command = {
+      optsWithGlobals: () => ({
+        profile: 'global-profile',
+        region: 'us-west-2'
+      })
+    };
+
+    expect(resolveAwsScope({}, command)).toEqual({
+      profile: 'global-profile',
+      region: 'us-west-2'
+    });
+  });
+});

package/__tests__/vaults/aws-config.test.ts

@@ -0,0 +1,85 @@
+import { fromIni } from '@aws-sdk/credential-providers';
+
+jest.mock('@aws-sdk/credential-providers');
+
+import { buildAwsClientConfig } from '../../src/vaults/aws-config';
+
+const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
+
+describe('aws-config', () => {
+  let originalEnv: NodeJS.ProcessEnv;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    originalEnv = { ...process.env };
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it('uses explicit profile when provided', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+
+    const config = buildAwsClientConfig({
+      profile: 'my-profile',
+      region: 'us-east-1'
+    });
+
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'my-profile' });
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: mockCredentials
+    });
+  });
+
+  it('uses environment credentials when access key and secret are present', () => {
+    process.env.AWS_ACCESS_KEY_ID = 'test';
+    process.env.AWS_SECRET_ACCESS_KEY = 'test';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(mockFromIni).not.toHaveBeenCalled();
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: undefined
+    });
+  });
+
+  it('falls back to default profile when no explicit credentials are provided', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'default' });
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: mockCredentials
+    });
+  });
+
+  it('prefers AWS_ENDPOINT_URL for custom endpoint', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+    process.env.AWS_ENDPOINT_URL = 'http://localhost:4566';
+    process.env.AWS_SECRETS_MANAGER_ENDPOINT = 'http://localhost:4577';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(config.endpoint).toBe('http://localhost:4566');
+  });
+
+  it('uses AWS_SECRETS_MANAGER_ENDPOINT when AWS_ENDPOINT_URL is unset', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+    delete process.env.AWS_ENDPOINT_URL;
+    process.env.AWS_SECRETS_MANAGER_ENDPOINT = 'http://localhost:4577';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(config.endpoint).toBe('http://localhost:4577');
+  });
+});