clonebox 1.1.3__py3-none-any.whl → 1.1.5__py3-none-any.whl

clonebox/secrets.py

@@ -0,0 +1,331 @@
+"""
+Secrets management for CloneBox.
+Supports multiple backends: env, vault, sops, age.
+"""
+
+import json
+import os
+import secrets
+import string
+import subprocess
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Tuple
+
+
+@dataclass
+class SecretValue:
+    """Represents a secret value with metadata."""
+
+    key: str
+    value: str
+    source: str  # 'env', 'vault', 'sops', 'generated'
+    expires_at: Optional[str] = None
+
+    def __repr__(self) -> str:
+        return f"SecretValue(key={self.key}, source={self.source}, value=***)"
+
+    def redacted(self) -> str:
+        """Return redacted version for logging."""
+        return f"{self.value[:2]}***{self.value[-2:]}" if len(self.value) > 4 else "***"
+
+
+class SecretsProvider(ABC):
+    """Abstract base class for secrets providers."""
+
+    @abstractmethod
+    def get_secret(self, key: str) -> Optional[SecretValue]:
+        """Retrieve a secret by key."""
+        pass
+
+    @abstractmethod
+    def list_secrets(self) -> List[str]:
+        """List available secret keys."""
+        pass
+
+    @abstractmethod
+    def is_available(self) -> bool:
+        """Check if this provider is configured and available."""
+        pass
+
+
+class EnvSecretsProvider(SecretsProvider):
+    """Load secrets from environment variables and .env files."""
+
+    def __init__(self, env_file: Optional[Path] = None):
+        self.env_file = env_file or Path(".env")
+        self._cache: Dict[str, str] = {}
+        self._load_env_file()
+
+    def _load_env_file(self) -> None:
+        if self.env_file.exists():
+            with open(self.env_file) as f:
+                for line in f:
+                    line = line.strip()
+                    if line and not line.startswith("#") and "=" in line:
+                        key, _, value = line.partition("=")
+                        self._cache[key.strip()] = value.strip().strip("'\"")
+
+    def get_secret(self, key: str) -> Optional[SecretValue]:
+        # Check environment first, then cache from file
+        value = os.environ.get(key) or self._cache.get(key)
+        if value:
+            return SecretValue(key=key, value=value, source="env")
+        return None
+
+    def list_secrets(self) -> List[str]:
+        return list(
+            set(
+                list(self._cache.keys())
+                + [
+                    k
+                    for k in os.environ.keys()
+                    if k.startswith("VM_") or k.startswith("CLONEBOX_")
+                ]
+            )
+        )
+
+    def is_available(self) -> bool:
+        return True
+
+
+class VaultSecretsProvider(SecretsProvider):
+    """Load secrets from HashiCorp Vault."""
+
+    def __init__(
+        self,
+        addr: Optional[str] = None,
+        token: Optional[str] = None,
+        path_prefix: str = "secret/clonebox",
+    ):
+        self.addr = addr or os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
+        self.token = token or os.environ.get("VAULT_TOKEN")
+        self.path_prefix = path_prefix
+        self._client = None
+
+    def _get_client(self):
+        if self._client is None:
+            try:
+                import hvac
+
+                self._client = hvac.Client(url=self.addr, token=self.token)
+            except ImportError:
+                raise RuntimeError(
+                    "hvac package required for Vault support: pip install hvac"
+                )
+        return self._client
+
+    def get_secret(self, key: str) -> Optional[SecretValue]:
+        try:
+            client = self._get_client()
+            path = f"{self.path_prefix}/{key}"
+            response = client.secrets.kv.v2.read_secret_version(path=path)
+            value = response["data"]["data"].get("value")
+            if value:
+                return SecretValue(key=key, value=value, source="vault")
+        except Exception:
+            pass
+        return None
+
+    def list_secrets(self) -> List[str]:
+        try:
+            client = self._get_client()
+            response = client.secrets.kv.v2.list_secrets(path=self.path_prefix)
+            return response["data"]["keys"]
+        except Exception:
+            return []
+
+    def is_available(self) -> bool:
+        try:
+            client = self._get_client()
+            return client.is_authenticated()
+        except Exception:
+            return False
+
+
+class SOPSSecretsProvider(SecretsProvider):
+    """Load secrets from SOPS-encrypted files."""
+
+    def __init__(self, secrets_file: Optional[Path] = None):
+        self.secrets_file = secrets_file or Path(".clonebox.secrets.yaml")
+        self._cache: Optional[Dict[str, Any]] = None
+
+    def _decrypt(self) -> Dict[str, Any]:
+        if self._cache is not None:
+            return self._cache
+
+        if not self.secrets_file.exists():
+            self._cache = {}
+            return self._cache
+
+        try:
+            result = subprocess.run(
+                ["sops", "-d", str(self.secrets_file)],
+                capture_output=True,
+                text=True,
+                check=True,
+            )
+            import yaml
+
+            self._cache = yaml.safe_load(result.stdout) or {}
+        except (subprocess.CalledProcessError, FileNotFoundError):
+            self._cache = {}
+
+        return self._cache
+
+    def get_secret(self, key: str) -> Optional[SecretValue]:
+        data = self._decrypt()
+        # Support nested keys: "vm.password" -> data['vm']['password']
+        parts = key.split(".")
+        value = data
+        for part in parts:
+            if isinstance(value, dict) and part in value:
+                value = value[part]
+            else:
+                return None
+
+        if isinstance(value, str):
+            return SecretValue(key=key, value=value, source="sops")
+        return None
+
+    def list_secrets(self) -> List[str]:
+        data = self._decrypt()
+        return list(data.keys())
+
+    def is_available(self) -> bool:
+        try:
+            subprocess.run(["sops", "--version"], capture_output=True, check=True)
+            return self.secrets_file.exists()
+        except (subprocess.CalledProcessError, FileNotFoundError):
+            return False
+
+
+class SecretsManager:
+    """
+    Unified secrets management with multiple provider fallback.
+
+    Usage:
+        secrets = SecretsManager()
+        password = secrets.get('VM_PASSWORD')
+
+        # Or with explicit provider
+        secrets = SecretsManager(provider='vault')
+    """
+
+    PROVIDERS = {
+        "env": EnvSecretsProvider,
+        "vault": VaultSecretsProvider,
+        "sops": SOPSSecretsProvider,
+    }
+
+    def __init__(self, provider: Optional[str] = None, **kwargs):
+        self._providers: List[SecretsProvider] = []
+
+        if provider:
+            # Use specific provider
+            if provider not in self.PROVIDERS:
+                raise ValueError(
+                    f"Unknown provider: {provider}. Available: {list(self.PROVIDERS.keys())}"
+                )
+            self._providers = [self.PROVIDERS[provider](**kwargs)]
+        else:
+            # Auto-detect and use all available providers
+            for name, cls in self.PROVIDERS.items():
+                try:
+                    instance = cls(**kwargs)
+                    if instance.is_available():
+                        self._providers.append(instance)
+                except Exception:
+                    pass
+
+            # Always have env as fallback
+            if not any(isinstance(p, EnvSecretsProvider) for p in self._providers):
+                self._providers.append(EnvSecretsProvider())
+
+    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
+        """Get a secret value, trying each provider in order."""
+        for provider in self._providers:
+            secret = provider.get_secret(key)
+            if secret:
+                return secret.value
+        return default
+
+    def get_secret(self, key: str) -> Optional[SecretValue]:
+        """Get a SecretValue with metadata."""
+        for provider in self._providers:
+            secret = provider.get_secret(key)
+            if secret:
+                return secret
+        return None
+
+    def require(self, key: str) -> str:
+        """Get a secret or raise an error if not found."""
+        value = self.get(key)
+        if value is None:
+            raise ValueError(f"Required secret '{key}' not found in any provider")
+        return value
+
+    @staticmethod
+    def generate_password(length: int = 24) -> str:
+        """Generate a secure random password."""
+        alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
+        return "".join(secrets.choice(alphabet) for _ in range(length))
+
+    @staticmethod
+    def generate_one_time_password() -> Tuple[str, str]:
+        """
+        Generate a one-time password that expires on first login.
+        Returns (password, cloud-init chpasswd config)
+        """
+        password = SecretsManager.generate_password(16)
+        # Force password change on first login
+        chpasswd_config = f"""
+chpasswd:
+  expire: true
+  users:
+    - name: ubuntu
+      password: {password}
+      type: text
+"""
+        return password, chpasswd_config
+
+
+# SSH Key Management
+@dataclass
+class SSHKeyPair:
+    """SSH key pair for VM authentication."""
+
+    private_key: str
+    public_key: str
+    key_type: str = "ed25519"
+
+    @classmethod
+    def generate(cls, key_type: str = "ed25519") -> "SSHKeyPair":
+        """Generate a new SSH key pair."""
+        import tempfile
+
+        with tempfile.TemporaryDirectory() as tmpdir:
+            key_path = Path(tmpdir) / "key"
+            subprocess.run(
+                ["ssh-keygen", "-t", key_type, "-N", "", "-f", str(key_path), "-q"],
+                check=True,
+            )
+
+            private_key = key_path.read_text()
+            public_key = key_path.with_suffix(".pub").read_text()
+
+        return cls(private_key=private_key, public_key=public_key, key_type=key_type)
+
+    @classmethod
+    def from_file(cls, private_key_path: Path) -> "SSHKeyPair":
+        """Load existing SSH key pair."""
+        private_key = private_key_path.read_text()
+        public_key = private_key_path.with_suffix(".pub").read_text()
+        return cls(private_key=private_key, public_key=public_key)
+
+    def save(self, private_key_path: Path) -> None:
+        """Save key pair to files."""
+        private_key_path.write_text(self.private_key)
+        private_key_path.chmod(0o600)
+        private_key_path.with_suffix(".pub").write_text(self.public_key)

clonebox/snapshots/__init__.py

@@ -0,0 +1,12 @@
+"""Snapshot management for CloneBox VMs."""
+
+from .models import Snapshot, SnapshotType, SnapshotState, SnapshotPolicy
+from .manager import SnapshotManager
+
+__all__ = [
+    "Snapshot",
+    "SnapshotType",
+    "SnapshotState",
+    "SnapshotPolicy",
+    "SnapshotManager",
+]

clonebox/snapshots/manager.py

@@ -0,0 +1,349 @@
+#!/usr/bin/env python3
+"""Snapshot manager for CloneBox VMs."""
+
+import json
+import subprocess
+from datetime import datetime, timedelta
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+from .models import Snapshot, SnapshotPolicy, SnapshotState, SnapshotType
+
+try:
+    import libvirt
+except ImportError:
+    libvirt = None
+
+
+class SnapshotManager:
+    """Manage VM snapshots via libvirt."""
+
+    def __init__(self, conn_uri: str = "qemu:///session"):
+        self.conn_uri = conn_uri
+        self._conn = None
+        self._snapshots_dir = Path.home() / ".local/share/clonebox/snapshots"
+        self._snapshots_dir.mkdir(parents=True, exist_ok=True)
+
+    @property
+    def conn(self):
+        if self._conn is None:
+            if libvirt is None:
+                raise RuntimeError("libvirt-python not installed")
+            self._conn = libvirt.open(self.conn_uri)
+        return self._conn
+
+    def create(
+        self,
+        vm_name: str,
+        name: str,
+        description: Optional[str] = None,
+        snapshot_type: SnapshotType = SnapshotType.DISK_ONLY,
+        tags: Optional[List[str]] = None,
+        auto_policy: Optional[str] = None,
+        expires_in_days: Optional[int] = None,
+    ) -> Snapshot:
+        """Create a new snapshot.
+
+        Args:
+            vm_name: Name of VM to snapshot
+            name: Snapshot name
+            description: Optional description
+            snapshot_type: Type of snapshot (disk, full, external)
+            tags: Optional tags for categorization
+            auto_policy: If auto-created, the policy name
+            expires_in_days: Auto-expire after N days
+        """
+        domain = self.conn.lookupByName(vm_name)
+
+        # Generate snapshot XML
+        snapshot_xml = self._generate_snapshot_xml(
+            name=name,
+            description=description,
+            snapshot_type=snapshot_type,
+        )
+
+        # Create snapshot
+        flags = 0
+        if snapshot_type == SnapshotType.DISK_ONLY:
+            flags = libvirt.VIR_DOMAIN_SNAPSHOT_CREATE_DISK_ONLY
+        elif snapshot_type == SnapshotType.FULL:
+            flags = libvirt.VIR_DOMAIN_SNAPSHOT_CREATE_ATOMIC
+
+        try:
+            snap = domain.snapshotCreateXML(snapshot_xml, flags)
+        except libvirt.libvirtError as e:
+            raise RuntimeError(f"Failed to create snapshot: {e}")
+
+        # Build snapshot object
+        snapshot = Snapshot(
+            name=name,
+            vm_name=vm_name,
+            snapshot_type=snapshot_type,
+            state=SnapshotState.READY,
+            created_at=datetime.now(),
+            description=description,
+            tags=tags or [],
+            auto_created=auto_policy is not None,
+            auto_policy=auto_policy,
+            expires_at=(
+                datetime.now() + timedelta(days=expires_in_days) if expires_in_days else None
+            ),
+        )
+
+        # Save metadata
+        self._save_snapshot_metadata(snapshot)
+
+        return snapshot
+
+    def restore(
+        self,
+        vm_name: str,
+        name: str,
+        force: bool = False,
+    ) -> bool:
+        """Restore VM to a snapshot.
+
+        Args:
+            vm_name: Name of VM
+            name: Snapshot name to restore
+            force: Force restore even if VM is running
+        """
+        domain = self.conn.lookupByName(vm_name)
+
+        # Check if VM is running
+        if domain.isActive() and not force:
+            raise RuntimeError(f"VM '{vm_name}' is running. Stop it first or use --force")
+
+        try:
+            snap = domain.snapshotLookupByName(name)
+        except libvirt.libvirtError:
+            raise RuntimeError(f"Snapshot '{name}' not found for VM '{vm_name}'")
+
+        # Revert to snapshot
+        flags = libvirt.VIR_DOMAIN_SNAPSHOT_REVERT_FORCE if force else 0
+        try:
+            domain.revertToSnapshot(snap, flags)
+        except libvirt.libvirtError as e:
+            raise RuntimeError(f"Failed to restore snapshot: {e}")
+
+        return True
+
+    def delete(
+        self,
+        vm_name: str,
+        name: str,
+        delete_children: bool = False,
+    ) -> bool:
+        """Delete a snapshot.
+
+        Args:
+            vm_name: Name of VM
+            name: Snapshot name to delete
+            delete_children: Also delete child snapshots
+        """
+        domain = self.conn.lookupByName(vm_name)
+
+        try:
+            snap = domain.snapshotLookupByName(name)
+        except libvirt.libvirtError:
+            raise RuntimeError(f"Snapshot '{name}' not found for VM '{vm_name}'")
+
+        flags = 0
+        if delete_children:
+            flags = libvirt.VIR_DOMAIN_SNAPSHOT_DELETE_CHILDREN
+
+        try:
+            snap.delete(flags)
+        except libvirt.libvirtError as e:
+            raise RuntimeError(f"Failed to delete snapshot: {e}")
+
+        # Remove metadata
+        self._delete_snapshot_metadata(vm_name, name)
+
+        return True
+
+    def list(self, vm_name: str) -> List[Snapshot]:
+        """List all snapshots for a VM."""
+        domain = self.conn.lookupByName(vm_name)
+        snapshots = []
+
+        try:
+            snap_names = domain.snapshotListNames()
+        except libvirt.libvirtError:
+            return []
+
+        for snap_name in snap_names:
+            try:
+                snap = domain.snapshotLookupByName(snap_name)
+                snap_xml = snap.getXMLDesc()
+
+                # Parse XML for details
+                import xml.etree.ElementTree as ET
+
+                root = ET.fromstring(snap_xml)
+
+                name = root.findtext("name", snap_name)
+                description = root.findtext("description", "")
+                creation_time = root.findtext("creationTime", "0")
+
+                # Check for saved metadata
+                metadata = self._load_snapshot_metadata(vm_name, name)
+
+                snapshot = Snapshot(
+                    name=name,
+                    vm_name=vm_name,
+                    snapshot_type=SnapshotType(
+                        metadata.get("type", "disk") if metadata else "disk"
+                    ),
+                    state=SnapshotState.READY,
+                    created_at=(
+                        datetime.fromtimestamp(int(creation_time))
+                        if creation_time != "0"
+                        else datetime.now()
+                    ),
+                    description=description or None,
+                    tags=metadata.get("tags", []) if metadata else [],
+                    auto_created=metadata.get("auto_created", False) if metadata else False,
+                    auto_policy=metadata.get("auto_policy") if metadata else None,
+                    expires_at=(
+                        datetime.fromisoformat(metadata["expires_at"])
+                        if metadata and metadata.get("expires_at")
+                        else None
+                    ),
+                )
+                snapshots.append(snapshot)
+
+            except Exception:
+                continue
+
+        return sorted(snapshots, key=lambda s: s.created_at, reverse=True)
+
+    def get(self, vm_name: str, name: str) -> Optional[Snapshot]:
+        """Get a specific snapshot."""
+        snapshots = self.list(vm_name)
+        for snap in snapshots:
+            if snap.name == name:
+                return snap
+        return None
+
+    def cleanup_expired(self, vm_name: str) -> List[str]:
+        """Delete expired snapshots for a VM."""
+        deleted = []
+        for snapshot in self.list(vm_name):
+            if snapshot.is_expired:
+                try:
+                    self.delete(vm_name, snapshot.name)
+                    deleted.append(snapshot.name)
+                except Exception:
+                    pass
+        return deleted
+
+    def apply_policy(self, vm_name: str, policy: SnapshotPolicy) -> List[str]:
+        """Apply retention policy to VM snapshots."""
+        if not policy.auto_cleanup:
+            return []
+
+        snapshots = self.list(vm_name)
+        auto_snapshots = [s for s in snapshots if s.auto_policy == policy.name]
+
+        deleted = []
+
+        # Sort by age (oldest first)
+        auto_snapshots.sort(key=lambda s: s.created_at)
+
+        # Delete if over max count
+        while len(auto_snapshots) > policy.max_snapshots:
+            if len(auto_snapshots) <= policy.min_snapshots:
+                break
+            oldest = auto_snapshots.pop(0)
+            try:
+                self.delete(vm_name, oldest.name)
+                deleted.append(oldest.name)
+            except Exception:
+                pass
+
+        # Delete if over max age
+        max_age = timedelta(days=policy.max_age_days)
+        for snap in auto_snapshots[:]:
+            if snap.age > max_age:
+                if len(auto_snapshots) <= policy.min_snapshots:
+                    break
+                try:
+                    self.delete(vm_name, snap.name)
+                    deleted.append(snap.name)
+                    auto_snapshots.remove(snap)
+                except Exception:
+                    pass
+
+        return deleted
+
+    def create_auto_snapshot(
+        self,
+        vm_name: str,
+        operation: str,
+        policy: Optional[SnapshotPolicy] = None,
+    ) -> Snapshot:
+        """Create automatic snapshot before operation."""
+        policy = policy or SnapshotPolicy(name="default")
+
+        name = policy.generate_snapshot_name(operation)
+
+        return self.create(
+            vm_name=vm_name,
+            name=name,
+            description=f"Auto-snapshot before {operation}",
+            snapshot_type=SnapshotType.DISK_ONLY,
+            auto_policy=policy.name,
+            expires_in_days=policy.max_age_days,
+        )
+
+    def _generate_snapshot_xml(
+        self,
+        name: str,
+        description: Optional[str],
+        snapshot_type: SnapshotType,
+    ) -> str:
+        """Generate libvirt snapshot XML."""
+        desc_xml = f"<description>{description}</description>" if description else ""
+
+        if snapshot_type == SnapshotType.DISK_ONLY:
+            disks_xml = "<disks><disk name='vda' snapshot='internal'/></disks>"
+        else:
+            disks_xml = ""
+
+        return f"""
+        <domainsnapshot>
+            <name>{name}</name>
+            {desc_xml}
+            {disks_xml}
+        </domainsnapshot>
+        """
+
+    def _save_snapshot_metadata(self, snapshot: Snapshot) -> None:
+        """Save snapshot metadata to disk."""
+        vm_dir = self._snapshots_dir / snapshot.vm_name
+        vm_dir.mkdir(parents=True, exist_ok=True)
+
+        meta_file = vm_dir / f"{snapshot.name}.json"
+        meta_file.write_text(json.dumps(snapshot.to_dict(), indent=2))
+
+    def _load_snapshot_metadata(self, vm_name: str, name: str) -> Optional[Dict[str, Any]]:
+        """Load snapshot metadata from disk."""
+        meta_file = self._snapshots_dir / vm_name / f"{name}.json"
+        if meta_file.exists():
+            try:
+                return json.loads(meta_file.read_text())
+            except Exception:
+                return None
+        return None
+
+    def _delete_snapshot_metadata(self, vm_name: str, name: str) -> None:
+        """Delete snapshot metadata from disk."""
+        meta_file = self._snapshots_dir / vm_name / f"{name}.json"
+        if meta_file.exists():
+            meta_file.unlink()
+
+    def close(self) -> None:
+        if self._conn is not None:
+            self._conn.close()
+            self._conn = None