aleph-secrets-manager 0.1.0__tar.gz

aleph_secrets_manager-0.1.0/.gitignore

@@ -0,0 +1,207 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+**/.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+#poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+#pdm.lock
+#pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+#pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+**.env*
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Abstra
+# Abstra is an AI-powered process automation framework.
+# Ignore directories containing user credentials, local state, and settings.
+# Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor
+#  Cursor is an AI-powered code editor. `.cursorignore` specifies files/directories to
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/

aleph_secrets_manager-0.1.0/LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2025, AlephTechAi
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

aleph_secrets_manager-0.1.0/PKG-INFO

@@ -0,0 +1,98 @@
+Metadata-Version: 2.4
+Name: aleph-secrets-manager
+Version: 0.1.0
+Summary: Tool for managing secrets in Azure Key Vault
+Author-email: Zachary Lau <zachary.lau@alephtech.ai>
+License: BSD-3-Clause
+License-File: LICENSE
+Classifier: License :: OSI Approved :: BSD License
+Requires-Python: >=3.8
+Requires-Dist: azure-identity>=1.21.0
+Requires-Dist: azure-keyvault-secrets>=4.9.0
+Requires-Dist: pydantic>=2.10.6
+Requires-Dist: pynacl>=1.6.0
+Requires-Dist: python-dotenv>=1.0.1
+Description-Content-Type: text/markdown
+
+# Aleph Secrets Manager
+
+A simple Python tool for managing secrets in Azure Key Vault using a command-line interface (CLI). 
+
+You may also use the underlying Azure Key Vault adaptor directly if for instance you want to load secrets into an application programmatically. 
+
+## Purpose
+- **Read, write, and delete secrets** in Azure Key Vault from the command line.
+- Supports bulk upload/download from `.env` files.
+
+## Dependencies
+Install the following Python packages (see [`aleph_secrets_manager/requirements.txt`](./aleph_secrets_manager/requirements.txt)):
+
+- `azure-identity`
+- `azure-keyvault-secrets`
+- `pydantic`
+- `python-dotenv`
+
+Install dependencies:
+```sh
+pip install -r aleph_secrets_manager/requirements.txt
+```
+
+## CLI Usage
+
+Run the CLI from the project root:
+
+### Read all secrets from Key Vault and save to a .env file
+```sh
+python cli.py -v <vault-name> read -f .env
+```
+
+### Write all secrets from a .env file to Key Vault
+```sh
+python cli.py -v <vault-name> write -f .env
+```
+
+### Delete secrets from Key Vault
+```sh
+python cli.py -v <vault-name> delete -k SECRET_1 -k SECRET_2
+```
+
+- Replace `<vault-name>` with your Azure Key Vault name.
+- The `-f` flag specifies the path to your `.env` file.
+- The `-k` flag can be repeated for each secret key to delete.
+
+## Adaptor Usage
+```python
+# Initialize the secrets manager
+vault_name = "test-kv"
+secrets_manager = AzureSecretsManager(AzureClientFactory.create(vault_name))
+
+# Read a secret
+secrets_manager.read_secret("SECRET-1")
+
+# Write secret
+new_secret = Secret(key="NULL_SECRET", value="test123")
+secrets_manager.write_secret(new_secret)
+
+# List all secrets 
+secrets_manager.list_all_secrets()
+
+# Read all secrets
+secrets_manager.read_all_secrets()
+
+# Download all
+env_path = Path().parent.parent / ".env"
+secrets_manager.download_all_to_env_file(env_path)
+
+# Upload from .env
+secrets_manager.upload_from_env_file(env_path)
+
+# Delete a secret
+secrets_manager.delete_secret('SECRET_2')
+secrets_manager.delete_secret('SECRET_1')
+
+```
+
+## Authentication
+This tool uses Azure's `DefaultAzureCredential`. Make sure you are authenticated (e.g., via `az login`) and have access to the Key Vault (e.g. Key Vault Secrets User).
+
+---

aleph_secrets_manager-0.1.0/README.md

@@ -0,0 +1,82 @@
+# Aleph Secrets Manager
+
+A simple Python tool for managing secrets in Azure Key Vault using a command-line interface (CLI). 
+
+You may also use the underlying Azure Key Vault adaptor directly if for instance you want to load secrets into an application programmatically. 
+
+## Purpose
+- **Read, write, and delete secrets** in Azure Key Vault from the command line.
+- Supports bulk upload/download from `.env` files.
+
+## Dependencies
+Install the following Python packages (see [`aleph_secrets_manager/requirements.txt`](./aleph_secrets_manager/requirements.txt)):
+
+- `azure-identity`
+- `azure-keyvault-secrets`
+- `pydantic`
+- `python-dotenv`
+
+Install dependencies:
+```sh
+pip install -r aleph_secrets_manager/requirements.txt
+```
+
+## CLI Usage
+
+Run the CLI from the project root:
+
+### Read all secrets from Key Vault and save to a .env file
+```sh
+python cli.py -v <vault-name> read -f .env
+```
+
+### Write all secrets from a .env file to Key Vault
+```sh
+python cli.py -v <vault-name> write -f .env
+```
+
+### Delete secrets from Key Vault
+```sh
+python cli.py -v <vault-name> delete -k SECRET_1 -k SECRET_2
+```
+
+- Replace `<vault-name>` with your Azure Key Vault name.
+- The `-f` flag specifies the path to your `.env` file.
+- The `-k` flag can be repeated for each secret key to delete.
+
+## Adaptor Usage
+```python
+# Initialize the secrets manager
+vault_name = "test-kv"
+secrets_manager = AzureSecretsManager(AzureClientFactory.create(vault_name))
+
+# Read a secret
+secrets_manager.read_secret("SECRET-1")
+
+# Write secret
+new_secret = Secret(key="NULL_SECRET", value="test123")
+secrets_manager.write_secret(new_secret)
+
+# List all secrets 
+secrets_manager.list_all_secrets()
+
+# Read all secrets
+secrets_manager.read_all_secrets()
+
+# Download all
+env_path = Path().parent.parent / ".env"
+secrets_manager.download_all_to_env_file(env_path)
+
+# Upload from .env
+secrets_manager.upload_from_env_file(env_path)
+
+# Delete a secret
+secrets_manager.delete_secret('SECRET_2')
+secrets_manager.delete_secret('SECRET_1')
+
+```
+
+## Authentication
+This tool uses Azure's `DefaultAzureCredential`. Make sure you are authenticated (e.g., via `az login`) and have access to the Key Vault (e.g. Key Vault Secrets User).
+
+---

aleph_secrets_manager-0.1.0/aleph_secrets_manager/requirements.txt

@@ -0,0 +1,5 @@
+azure-identity
+azure-keyvault-secrets
+pydantic
+python-dotenv
+pynacl

aleph_secrets_manager-0.1.0/aleph_secrets_manager/src/azure_keyvault_adaptor.py

@@ -0,0 +1,89 @@
+from time import sleep
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+from azure.core.exceptions import ResourceExistsError, ClientAuthenticationError, ResourceNotFoundError
+import re
+import logging
+
+from aleph_secrets_manager.src.port import Secret, SecretsManagerPort
+
+
+class AzureClientFactory:
+    @staticmethod
+    def create(vault_name: str) -> SecretClient:
+        credential = DefaultAzureCredential()
+        vault_url = f"https://{vault_name}.vault.azure.net"
+        client = SecretClient(vault_url=vault_url, credential=credential)
+        return client
+
+
+class AzureSecretsManager(SecretsManagerPort):
+    def __init__(self, client: SecretClient):
+        self.client = client
+
+    def write_secret(self, secret):
+        converted_key = self._convert_write(secret.key)
+        successfully_deleted = False
+
+        while not successfully_deleted: 
+            try: 
+                self.client.set_secret(converted_key, secret.value)
+                successfully_deleted = True
+            except ResourceExistsError as e:
+                code = self._extract_error_code(e.message)
+
+                if self._is_secret_recoverable(code): 
+                    self.client.begin_recover_deleted_secret(converted_key) 
+                    
+                logging.warning(f"🚨 Encountered error writing {secret.key}: \n{e}")
+                logging.warning(f"Retrying writing of {secret.key}...")
+                sleep(1) 
+            except Exception as e:
+                raise
+
+    def _extract_error_code(self, error_msg: str) -> str:
+        """Get the internal error code for an Azure Resource error"""
+        match = re.search(r'"code":\s*"([^"]+)"', error_msg)
+        code = match.group(1)
+        return code
+    
+    def _is_secret_recoverable(self, code: str) -> bool: 
+        """Checks if a secret key can be recovered from an error code"""
+        return code == "ObjectIsDeletedButRecoverable"
+
+    def read_secret(self, key):
+        converted_key = self._convert_write(key)
+
+        try:
+            az_secret = self.client.get_secret(converted_key)
+            return Secret(key=self._convert_read(az_secret.name), value=az_secret.value)
+        except ResourceNotFoundError:
+            raise ValueError(f"❌ Failed to find secret '{key}' in {self.client.vault_url}")
+        except Exception as e:
+            raise
+    
+    def delete_secret(self, key):
+        converted_key = self._convert_write(key)
+
+        try:
+            deleted_secret = self.client.begin_delete_secret(converted_key).result()
+        except ResourceNotFoundError: 
+            raise ValueError(f"❌ Failed to delete secret '{key}' from {self.client.vault_url} as it does not exist.")
+        except Exception as e:
+            raise
+    
+    def list_all_secrets(self):
+        return [
+            self._convert_read(secret_properties.name) 
+            for secret_properties in self.client.list_properties_of_secrets()
+        ]
+    
+    def read_all_secrets(self):
+        keys = self.list_all_secrets()
+        return [self.read_secret(key) for key in keys]
+    
+    def _convert_read(self, key: str): 
+        return key.replace('-', '_')
+    
+    def _convert_write(self, key: str): 
+        return key.replace('_', '-')

aleph_secrets_manager-0.1.0/aleph_secrets_manager/src/gh_secrets_adaptor.py

@@ -0,0 +1,108 @@
+from aleph_secrets_manager.src.port import Secret, SecretsManagerPort
+
+import requests
+import logging
+from nacl import public, encoding
+from base64 import b64encode
+from pydantic import BaseModel
+
+
+class GitHubPublicKey(BaseModel): 
+    id: str
+    value: str
+
+
+# Guide: https://gist.github.com/comdotlinux/9a53bb00767a16d6646464c4b8249094
+# REST API Reference: https://docs.github.com/en/rest/actions?apiVersion=2022-11-28#secrets
+class GitHubSecretsManager(SecretsManagerPort): 
+    def __init__(self, org: str, repo: str, auth_token: str):
+        self.base_url = "https://api.github.com"
+        self.org = org
+        self.repo = repo
+        self.token = auth_token
+        self.headers = {
+            "Authorization": f"Bearer {self.token}", 
+            "X-GitHub-Api-Version": "2022-11-28"
+        }
+        raw_public_key = self._get_public_key(
+            base_url=self.base_url, 
+            org=self.org, 
+            repo=self.repo, 
+            auth_token=self.token
+        )
+        self.public_key = GitHubPublicKey(id=raw_public_key['key_id'], value=raw_public_key['key'])
+        
+
+    def _encrypt(self, public_key: str, unecrypted_value: str) -> str: 
+        """Encrypt a secret value using the repo public key"""
+
+        encoding_system = "utf-8"
+        public_key_obj = public.PublicKey(public_key.encode(encoding_system), encoder=encoding.Base64Encoder())
+        sealed_box = public.SealedBox(public_key_obj)
+        encrypted_value = sealed_box.encrypt(unecrypted_value.encode(encoding_system))
+        
+        return b64encode(encrypted_value).decode(encoding_system)
+
+    def _get_public_key(self, base_url: str, org: str, repo: str, auth_token: str):
+        url = f"{base_url}/repos/{org}/{repo}/actions/secrets/public-key"
+        headers = {"Authorization": f"Bearer {auth_token}"}
+        
+        response = requests.get(url=url, headers=headers, timeout=60)
+        if response.status_code != 200: 
+            logging.error(f"Response: {response.json()}")
+            raise IOError(f"❌ Failed to get public key for {org} ({response.status_code}): \n{response.json()}")
+
+        public_key_json = response.json()
+        return public_key_json
+    
+    def list_all_secrets(self):
+        """Retrieve all environment and repo secrets"""
+        secrets = []
+        url = f"{self.base_url}/repos/{self.org}/{self.repo}/actions/secrets"
+        
+        response = requests.get(url=url, headers=self.headers, timeout=60)
+        if not response.ok: 
+            logging.error(f"Response: {response.json()}")
+            raise IOError(f"❌ Failed to list secrets for {self.org} ({response.status_code}): \n{response.json()}")
+
+        secrets += response.json()["secrets"]
+        return [s['name'] for s in secrets]
+    
+    def write_secret(self, secret: Secret):
+        """Only repository secrets should be written"""
+
+        encrypted_value: str = self._encrypt(self.public_key.value, secret.value)
+        url = f"{self.base_url}/repos/{self.org}/{self.repo}/actions/secrets/{secret.key}"
+        data = {
+            "encrypted_value": encrypted_value,
+            "key_id": self.public_key.id
+        }
+
+        response = requests.put(url=url, headers=self.headers, timeout=60, json=data)
+        if not response.ok: 
+            logging.error(f"Response: {response.json()}")
+            raise IOError(f"❌ Failed to write secret {secret.key} ({response.status_code}): \n{response.json()}")
+
+    def read_secret(self, key):
+        """GitHub does not allow reading of secrets"""
+
+        url = f"{self.base_url}/repos/{self.org}/{self.repo}/actions/secrets/{key}"
+        response = requests.get(url=url, headers=self.headers, timeout=60)
+        if not response.ok: 
+            logging.error(f"Response: {response.json()}")
+            raise IOError(f"❌ Failed to read secret {key} ({response.status_code}): \n{response.json()}")
+        
+        return Secret(key=response.json()['name'], value="")
+        
+    def delete_secret(self, key):
+        url = f"{self.base_url}/repos/{self.org}/{self.repo}/actions/secrets/{key}"
+        response = requests.delete(url=url, headers=self.headers, timeout=60)
+        if not response.ok: 
+            logging.error(f"Response: {response.json()}")
+            if response.status_code == 404: 
+                raise ValueError(f"❌ Failed to delete secret {key}: Does not exist")
+            raise IOError(f"❌ Failed to delete secret {key} ({response.status_code}): \n{response.json()}")
+        
+    def read_all_secrets(self):
+        secret_strings = self.list_all_secrets()
+        return [self.read_secret(key) for key in secret_strings]

aleph_secrets_manager-0.1.0/aleph_secrets_manager/src/port.py

@@ -0,0 +1,55 @@
+from abc import ABC
+from pathlib import Path
+from pydantic import BaseModel
+from dotenv import dotenv_values
+
+import typing as T
+import logging
+
+
+class Secret(BaseModel):
+    key: str
+    value: str
+
+
+class SecretsManagerPort(ABC):
+    def write_secret(self, secret: Secret):
+        """Upload a secret to secret vault/manager"""
+        raise NotImplementedError
+    
+    def read_secret(self, key: str) -> Secret:
+        """Download a secret from a secrets vault/manager"""
+        raise NotImplementedError
+    
+    def delete_secret(self, key: str):
+        """Delete a secret from secret vault/manager"""
+        raise NotImplementedError
+    
+    def list_all_secrets(self) -> T.List[str]:
+        """List all secret names/keys from a secrets vault/manager"""
+        raise NotImplementedError
+    
+    def read_all_secrets(self) -> T.List[Secret]:
+        """Download all secrets""" 
+        raise NotImplementedError
+    
+    def download_all_to_env_file(self, env_path: Path):
+        """Download all secrets from a secrets vault/manager to a `.env` file"""
+        
+        secrets = self.read_all_secrets()
+        with open(env_path, "w") as f: 
+            for secret in secrets: 
+                f.write(f"{secret.key}={secret.value}\n")
+
+        logging.info(f"✅ Downloaded {len(secrets)} secrets to {str(env_path)}!")
+
+
+    def upload_from_env_file(self, env_path: Path):
+        """Upload all secrets to secret vault/manager from env file"""
+
+        kv_pairs = dotenv_values(env_path)
+        for key, value in kv_pairs.items():
+            self.write_secret(Secret(key=key, value=value)) 
+
+        logging.info(f"✅ Uploaded secrets from {str(env_path)}!")
+