env-secrets 0.3.3 → 0.5.0

package/__tests__/cli/helpers.test.ts

@@ -0,0 +1,217 @@
+import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { PassThrough } from 'node:stream';
+
+import {
+  asOutputFormat,
+  parseEnvSecrets,
+  parseRecoveryDays,
+  printData,
+  readStdin,
+  renderTable,
+  resolveAwsScope,
+  resolveSecretValue
+} from '../../src/cli/helpers';
+
+describe('cli/helpers', () => {
+  it('validates output format', () => {
+    expect(asOutputFormat('json')).toBe('json');
+    expect(asOutputFormat('table')).toBe('table');
+    expect(() => asOutputFormat('xml')).toThrow('Invalid output format');
+  });
+
+  it('renders empty table message', () => {
+    const output = renderTable([{ key: 'name', label: 'Name' }], []);
+    expect(output).toBe('No results.');
+  });
+
+  it('renders aligned table output', () => {
+    const output = renderTable(
+      [
+        { key: 'name', label: 'Name' },
+        { key: 'value', label: 'Value' }
+      ],
+      [{ name: 'one', value: '1' }]
+    );
+
+    expect(output).toContain('Name');
+    expect(output).toContain('Value');
+    expect(output).toContain('one');
+  });
+
+  it('prints JSON output', () => {
+    const consoleSpy = jest
+      .spyOn(console, 'log')
+      .mockImplementation(() => undefined);
+
+    printData('json', [{ key: 'name', label: 'Name' }], [{ name: 'value' }]);
+
+    expect(consoleSpy).toHaveBeenCalledWith(
+      JSON.stringify([{ name: 'value' }], null, 2)
+    );
+    consoleSpy.mockRestore();
+  });
+
+  it('parses valid recovery days and rejects invalid values', () => {
+    expect(parseRecoveryDays('7')).toBe(7);
+    expect(parseRecoveryDays('30')).toBe(30);
+    expect(() => parseRecoveryDays('6')).toThrow();
+    expect(() => parseRecoveryDays('31')).toThrow();
+    expect(() => parseRecoveryDays('abc')).toThrow();
+  });
+
+  it('reads stdin content and strips one trailing newline', async () => {
+    const stream = new PassThrough();
+    const promise = readStdin(stream as unknown as NodeJS.ReadStream);
+
+    stream.write('secret-value\n');
+    stream.end();
+
+    await expect(promise).resolves.toBe('secret-value');
+  });
+
+  it('resolves secret value from explicit --value', async () => {
+    await expect(resolveSecretValue('inline', false)).resolves.toBe('inline');
+  });
+
+  it('rejects when both --value and --value-stdin are used', async () => {
+    await expect(resolveSecretValue('inline', true)).rejects.toThrow(
+      'Use only one secret value source: --value, --value-stdin, or --file.'
+    );
+  });
+
+  it('rejects when --file and --value-stdin are used together', async () => {
+    await expect(
+      resolveSecretValue(undefined, true, './secret.txt')
+    ).rejects.toThrow(
+      'Use only one secret value source: --value, --value-stdin, or --file.'
+    );
+  });
+
+  it('rejects when --value and --file are used together', async () => {
+    await expect(
+      resolveSecretValue('inline', false, './secret.txt')
+    ).rejects.toThrow(
+      'Use only one secret value source: --value, --value-stdin, or --file.'
+    );
+  });
+
+  it('treats explicit empty --value as provided for mutual exclusion', async () => {
+    await expect(resolveSecretValue('', false, './secret.txt')).rejects.toThrow(
+      'Use only one secret value source: --value, --value-stdin, or --file.'
+    );
+  });
+
+  it('rejects stdin mode when no stdin is provided', async () => {
+    const originalStdin = process.stdin;
+    Object.defineProperty(process, 'stdin', {
+      value: { ...originalStdin, isTTY: true },
+      configurable: true
+    });
+
+    await expect(resolveSecretValue(undefined, true)).rejects.toThrow(
+      'No stdin detected. Pipe a value when using --value-stdin.'
+    );
+
+    Object.defineProperty(process, 'stdin', {
+      value: originalStdin,
+      configurable: true
+    });
+  });
+
+  it('reads secret value from file and strips one trailing newline', async () => {
+    const dir = mkdtempSync(join(tmpdir(), 'env-secrets-test-'));
+    const file = join(dir, 'secret.txt');
+    writeFileSync(file, 'file-secret\n');
+
+    await expect(resolveSecretValue(undefined, false, file)).resolves.toBe(
+      'file-secret'
+    );
+
+    rmSync(dir, { recursive: true, force: true });
+  });
+
+  it('parses env secrets from KEY=value and export KEY=value formats', () => {
+    const parsed = parseEnvSecrets(
+      [
+        '# comment',
+        'export API_KEY=secret1',
+        'DATABASE_URL=postgres://db',
+        ''
+      ].join('\n')
+    );
+
+    expect(parsed.entries).toEqual([
+      { key: 'API_KEY', value: 'secret1', line: 2 },
+      { key: 'DATABASE_URL', value: 'postgres://db', line: 3 }
+    ]);
+    expect(parsed.skipped).toEqual([]);
+  });
+
+  it('handles whitespace around equals in env file', () => {
+    const parsed = parseEnvSecrets('  export   NAME =  secret1  ');
+
+    expect(parsed.entries).toEqual([
+      { key: 'NAME', value: 'secret1', line: 1 }
+    ]);
+  });
+
+  it('skips duplicate keys when parsing env file', () => {
+    const parsed = parseEnvSecrets(['A=1', 'A=2'].join('\n'));
+
+    expect(parsed.entries).toEqual([{ key: 'A', value: '1', line: 1 }]);
+    expect(parsed.skipped).toEqual([
+      { key: 'A', line: 2, reason: 'duplicate key' }
+    ]);
+  });
+
+  it('throws clear error for malformed env lines', () => {
+    expect(() => parseEnvSecrets('NOT_A_VALID_LINE')).toThrow(
+      'Malformed env line 1'
+    );
+    expect(() => parseEnvSecrets('BAD=secret')).not.toThrow();
+  });
+
+  it('does not include raw line content in malformed env errors', () => {
+    expect(() => parseEnvSecrets('export SECRET_ONLY')).toThrow(
+      'Expected KEY=value or export KEY=value.'
+    );
+    expect(() => parseEnvSecrets('export SECRET_ONLY')).not.toThrow(
+      /SECRET_ONLY/
+    );
+  });
+
+  it('prefers explicit aws scope options over global options', () => {
+    const command = {
+      optsWithGlobals: () => ({
+        profile: 'global-profile',
+        region: 'us-west-2'
+      })
+    };
+
+    expect(
+      resolveAwsScope(
+        { profile: 'local-profile', region: 'us-east-1' },
+        command
+      )
+    ).toEqual({
+      profile: 'local-profile',
+      region: 'us-east-1'
+    });
+  });
+
+  it('falls back to global aws scope options when local options are absent', () => {
+    const command = {
+      optsWithGlobals: () => ({
+        profile: 'global-profile',
+        region: 'us-west-2'
+      })
+    };
+
+    expect(resolveAwsScope({}, command)).toEqual({
+      profile: 'global-profile',
+      region: 'us-west-2'
+    });
+  });
+});

package/__tests__/vaults/aws-config.test.ts

@@ -0,0 +1,85 @@
+import { fromIni } from '@aws-sdk/credential-providers';
+
+jest.mock('@aws-sdk/credential-providers');
+
+import { buildAwsClientConfig } from '../../src/vaults/aws-config';
+
+const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
+
+describe('aws-config', () => {
+  let originalEnv: NodeJS.ProcessEnv;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    originalEnv = { ...process.env };
+    process.env = { ...originalEnv };
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it('uses explicit profile when provided', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+
+    const config = buildAwsClientConfig({
+      profile: 'my-profile',
+      region: 'us-east-1'
+    });
+
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'my-profile' });
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: mockCredentials
+    });
+  });
+
+  it('uses environment credentials when access key and secret are present', () => {
+    process.env.AWS_ACCESS_KEY_ID = 'test';
+    process.env.AWS_SECRET_ACCESS_KEY = 'test';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(mockFromIni).not.toHaveBeenCalled();
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: undefined
+    });
+  });
+
+  it('falls back to default profile when no explicit credentials are provided', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'default' });
+    expect(config).toEqual({
+      region: 'us-east-1',
+      credentials: mockCredentials
+    });
+  });
+
+  it('prefers AWS_ENDPOINT_URL for custom endpoint', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+    process.env.AWS_ENDPOINT_URL = 'http://localhost:4566';
+    process.env.AWS_SECRETS_MANAGER_ENDPOINT = 'http://localhost:4577';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(config.endpoint).toBe('http://localhost:4566');
+  });
+
+  it('uses AWS_SECRETS_MANAGER_ENDPOINT when AWS_ENDPOINT_URL is unset', () => {
+    const mockCredentials = jest.fn();
+    mockFromIni.mockReturnValue(mockCredentials as ReturnType<typeof fromIni>);
+    delete process.env.AWS_ENDPOINT_URL;
+    process.env.AWS_SECRETS_MANAGER_ENDPOINT = 'http://localhost:4577';
+
+    const config = buildAwsClientConfig({ region: 'us-east-1' });
+
+    expect(config.endpoint).toBe('http://localhost:4577');
+  });
+});

package/__tests__/vaults/secretsmanager-admin.test.ts

@@ -0,0 +1,355 @@
+import { SecretsManagerClient } from '@aws-sdk/client-secrets-manager';
+import { STSClient } from '@aws-sdk/client-sts';
+import { fromIni } from '@aws-sdk/credential-providers';
+
+const mockSecretsManagerSend = jest.fn();
+const mockSTSSend = jest.fn();
+
+jest.mock('@aws-sdk/client-secrets-manager', () => {
+  return {
+    SecretsManagerClient: jest.fn().mockImplementation(() => ({
+      send: mockSecretsManagerSend
+    })),
+    CreateSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    UpdateSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    GetSecretValueCommand: jest.fn().mockImplementation((input) => ({ input })),
+    ListSecretsCommand: jest.fn().mockImplementation((input) => ({ input })),
+    DescribeSecretCommand: jest.fn().mockImplementation((input) => ({ input })),
+    DeleteSecretCommand: jest.fn().mockImplementation((input) => ({ input }))
+  };
+});
+
+jest.mock('@aws-sdk/client-sts', () => {
+  return {
+    STSClient: jest.fn().mockImplementation(() => ({
+      send: mockSTSSend
+    })),
+    GetCallerIdentityCommand: jest
+      .fn()
+      .mockImplementation((input) => ({ input }))
+  };
+});
+
+jest.mock('@aws-sdk/credential-providers');
+
+import {
+  createSecret,
+  updateSecret,
+  listSecrets,
+  getSecretMetadata,
+  deleteSecret,
+  secretExists,
+  getSecretString,
+  validateSecretName
+} from '../../src/vaults/secretsmanager-admin';
+
+const mockSecretsManagerClient = SecretsManagerClient as jest.MockedClass<
+  typeof SecretsManagerClient
+>;
+const mockSTSClient = STSClient as jest.MockedClass<typeof STSClient>;
+const mockFromIni = fromIni as jest.MockedFunction<typeof fromIni>;
+
+describe('secretsmanager-admin', () => {
+  let originalEnv: NodeJS.ProcessEnv;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    originalEnv = { ...process.env };
+    process.env = { ...originalEnv };
+    mockSTSSend.mockResolvedValue({ Account: '123456789012' });
+  });
+
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  it('validates secret names', () => {
+    expect(() => validateSecretName('valid/name_1')).not.toThrow();
+    expect(() => validateSecretName('invalid name')).toThrow(
+      'Invalid secret name'
+    );
+  });
+
+  it('creates a secret with tags', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:test-secret',
+      VersionId: 'v1'
+    });
+
+    const result = await createSecret({
+      name: 'test-secret',
+      value: '{"API_KEY":"abc"}',
+      description: 'test',
+      tags: ['team=platform', 'env=dev'],
+      region: 'us-east-1'
+    });
+
+    expect(mockSTSClient).toHaveBeenCalled();
+    expect(mockSecretsManagerClient).toHaveBeenCalled();
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Name: 'test-secret',
+          SecretString: '{"API_KEY":"abc"}',
+          Tags: [
+            { Key: 'team', Value: 'platform' },
+            { Key: 'env', Value: 'dev' }
+          ]
+        })
+      })
+    );
+    expect(result).toEqual({
+      arn: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:test-secret',
+      name: 'test-secret',
+      versionId: 'v1'
+    });
+  });
+
+  it('supports tags with multiple equals signs', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v1'
+    });
+
+    await createSecret({
+      name: 'test-secret',
+      value: 'value',
+      tags: ['url=https://example.com?a=1'],
+      region: 'us-east-1'
+    });
+
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Tags: [{ Key: 'url', Value: 'https://example.com?a=1' }]
+        })
+      })
+    );
+  });
+
+  it('throws for malformed tags', async () => {
+    await expect(
+      createSecret({
+        name: 'test-secret',
+        value: 'value',
+        tags: ['invalid-tag'],
+        region: 'us-east-1'
+      })
+    ).rejects.toThrow('Invalid tag format');
+  });
+
+  it('omits tags when none are provided', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v1'
+    });
+
+    await createSecret({
+      name: 'test-secret',
+      value: 'value',
+      region: 'us-east-1'
+    });
+
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          Tags: undefined
+        })
+      })
+    );
+  });
+
+  it('maps create secret AlreadyExistsException', async () => {
+    mockSecretsManagerSend.mockRejectedValueOnce({
+      name: 'AlreadyExistsException'
+    });
+
+    await expect(
+      createSecret({
+        name: 'existing-secret',
+        value: 'abc',
+        region: 'us-east-1'
+      })
+    ).rejects.toThrow('already exists');
+  });
+
+  it('updates a secret value and description', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'test-secret',
+      ARN: 'arn:test',
+      VersionId: 'v2'
+    });
+
+    const result = await updateSecret({
+      name: 'test-secret',
+      value: '{"API_KEY":"new"}',
+      description: 'updated',
+      region: 'us-east-1'
+    });
+
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          SecretId: 'test-secret',
+          SecretString: '{"API_KEY":"new"}',
+          Description: 'updated'
+        })
+      })
+    );
+    expect(result.versionId).toBe('v2');
+  });
+
+  it('lists secrets and applies prefix/tag filters', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretList: [
+        {
+          Name: 'app/one',
+          Description: 'One',
+          Tags: [{ Key: 'env', Value: 'dev' }],
+          LastChangedDate: new Date('2026-02-16T00:00:00.000Z')
+        },
+        {
+          Name: 'app/two',
+          Description: 'Two',
+          Tags: [{ Key: 'env', Value: 'prod' }],
+          LastChangedDate: new Date('2026-02-16T00:00:00.000Z')
+        }
+      ]
+    });
+
+    const result = await listSecrets({
+      prefix: 'app/',
+      tags: ['env=dev'],
+      region: 'us-east-1'
+    });
+
+    expect(result).toHaveLength(1);
+    expect(result[0].name).toBe('app/one');
+  });
+
+  it('ignores invalid AWS tags during tag filtering', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretList: [
+        {
+          Name: 'app/one',
+          Tags: [{ Key: undefined, Value: 'dev' }]
+        },
+        {
+          Name: 'app/two',
+          Tags: [{ Key: 'env', Value: 'dev' }]
+        }
+      ]
+    });
+
+    const result = await listSecrets({
+      tags: ['env=dev'],
+      region: 'us-east-1'
+    });
+
+    expect(result).toHaveLength(1);
+    expect(result[0].name).toBe('app/two');
+  });
+
+  it('returns secret metadata without secret value', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'app/meta',
+      ARN: 'arn:meta',
+      Description: 'Meta secret',
+      KmsKeyId: 'kms-key',
+      CreatedDate: new Date('2026-02-16T00:00:00.000Z'),
+      LastChangedDate: new Date('2026-02-16T01:00:00.000Z'),
+      VersionIdsToStages: { abc: ['AWSCURRENT'] },
+      Tags: [{ Key: 'env', Value: 'dev' }]
+    });
+
+    const result = await getSecretMetadata({
+      name: 'app/meta',
+      region: 'us-east-1'
+    });
+
+    expect(result).toEqual(
+      expect.objectContaining({
+        name: 'app/meta',
+        arn: 'arn:meta',
+        tags: { env: 'dev' },
+        versionIdsToStages: { abc: ['AWSCURRENT'] }
+      })
+    );
+    expect(Object.keys(result)).not.toContain('secretString');
+  });
+
+  it('returns true when secret exists', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'app/existing'
+    });
+
+    await expect(
+      secretExists({ name: 'app/existing', region: 'us-east-1' })
+    ).resolves.toBe(true);
+  });
+
+  it('returns false when secret does not exist', async () => {
+    mockSecretsManagerSend.mockRejectedValueOnce({
+      name: 'ResourceNotFoundException'
+    });
+
+    await expect(
+      secretExists({ name: 'app/missing', region: 'us-east-1' })
+    ).resolves.toBe(false);
+  });
+
+  it('gets current secret string value', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretString: '{"API_KEY":"abc"}'
+    });
+
+    await expect(
+      getSecretString({ name: 'app/existing', region: 'us-east-1' })
+    ).resolves.toBe('{"API_KEY":"abc"}');
+  });
+
+  it('rejects binary/non-string secrets for append/remove workflows', async () => {
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      SecretBinary: new Uint8Array([1, 2, 3])
+    });
+
+    await expect(
+      getSecretString({ name: 'app/existing', region: 'us-east-1' })
+    ).rejects.toThrow('cannot be edited with append/remove');
+  });
+
+  it('deletes secret with recovery options', async () => {
+    const mockCredentials = jest.fn().mockResolvedValue({
+      accessKeyId: 'default',
+      secretAccessKey: 'default'
+    });
+    mockFromIni.mockReturnValue(mockCredentials);
+
+    mockSecretsManagerSend.mockResolvedValueOnce({
+      Name: 'app/delete',
+      ARN: 'arn:delete',
+      DeletionDate: new Date('2026-02-16T02:00:00.000Z')
+    });
+
+    const result = await deleteSecret({
+      name: 'app/delete',
+      recoveryDays: 7,
+      profile: 'test-profile',
+      region: 'us-east-1'
+    });
+
+    expect(mockFromIni).toHaveBeenCalledWith({ profile: 'test-profile' });
+    expect(mockSecretsManagerSend).toHaveBeenCalledWith(
+      expect.objectContaining({
+        input: expect.objectContaining({
+          SecretId: 'app/delete',
+          RecoveryWindowInDays: 7
+        })
+      })
+    );
+    expect(result.name).toBe('app/delete');
+  });
+});