dev-vault 0.1.2__py3-none-any.whl

dev_vault/__init__.py

@@ -0,0 +1,3 @@
+"""dev-vault -- Developer secret vault + OIDC token provider."""
+
+__version__ = "0.1.0"

dev_vault/cli.py

@@ -0,0 +1,177 @@
+"""
+dev-vault CLI entry point.
+
+Routes subcommands to their respective handlers.
+"""
+
+import argparse
+import logging
+import os
+import sys
+
+from rich.console import Console
+from rich.logging import RichHandler
+
+from . import __version__
+
+console = Console()
+logger = logging.getLogger("dev_vault")
+
+
+def _setup_logging(verbose: bool) -> None:
+    enabled = verbose or os.environ.get("DV_DEBUG", "").strip() in ("1", "true", "yes")
+    if not enabled:
+        return
+    logging.basicConfig(
+        level=logging.DEBUG,
+        format="%(message)s",
+        datefmt="[%X]",
+        handlers=[RichHandler(
+            console=Console(stderr=True),
+            rich_tracebacks=True,
+            show_path=False,
+        )],
+    )
+    logger.debug("Verbose mode enabled")
+
+
+def _build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="dv",
+        description="dev-vault -- Developer secret vault + OIDC token provider",
+    )
+    parser.add_argument("--version", action="version", version=f"dev-vault {__version__}")
+    parser.add_argument("-v", "--verbose", action="store_true", help="enable debug output")
+    parser.add_argument("--json", action="store_true", help="JSON output")
+
+    sub = parser.add_subparsers(dest="command")
+
+    # dv get -- supports both:
+    #   dv get prod caetano           (positional: vault item)
+    #   dv get prod caetano password  (positional: vault item field)
+    #   dv get caetano                (just item, default vault)
+    #   dv get prod/caetano           (slash shorthand still works)
+    p_get = sub.add_parser("get", help="retrieve a secret or OIDC token")
+    p_get.add_argument("args", nargs="+", help="[vault] item [field] or vault/item[/field]")
+
+    # dv set -- supports:
+    #   dv set item field [value]
+    #   dv set vault item field [value]
+    p_set = sub.add_parser("set", help="store a secret")
+    p_set.add_argument("args", nargs="+", help="[vault] item field [value]")
+
+    # dv run
+    p_run = sub.add_parser("run", help="run command with secrets injected as env vars")
+    p_run.add_argument("-s", "--secret", action="append", help="KEY=ref mapping")
+    p_run.add_argument("run_command", nargs=argparse.REMAINDER, help="command to run (after --)")
+
+    # dv inject
+    sub.add_parser("inject", help="replace {{dv://...}} refs in stdin")
+
+    # dv item
+    p_item = sub.add_parser("item", help="manage items")
+    item_sub = p_item.add_subparsers(dest="item_action")
+
+    item_sub.add_parser("list", help="list items")
+    p_ic = item_sub.add_parser("create", help="create item")
+    p_ic.add_argument("name", help="item name")
+    p_ic.add_argument("--kind", choices=["static", "oidc"], default="static")
+    p_ic.add_argument("--vault", help="override vault")
+
+    p_is = item_sub.add_parser("show", help="show item details")
+    p_is.add_argument("name", help="item name")
+    p_is.add_argument("--vault", help="override vault")
+
+    p_id = item_sub.add_parser("delete", help="delete item")
+    p_id.add_argument("name", help="item name")
+    p_id.add_argument("--vault", help="override vault")
+
+    # dv vault
+    p_vault = sub.add_parser("vault", help="manage vaults")
+    vault_sub = p_vault.add_subparsers(dest="vault_action")
+    vault_sub.add_parser("list", help="list vaults")
+    vc = vault_sub.add_parser("create", help="create vault")
+    vc.add_argument("name", help="vault name")
+    vd = vault_sub.add_parser("delete", help="delete vault")
+    vd.add_argument("name", help="vault name")
+
+    # dv setup
+    p_setup = sub.add_parser("setup", help="interactive setup wizard")
+    p_setup.add_argument("--reset", action="store_true", help="backup config and start fresh")
+
+    # dv migrate
+    p_migrate = sub.add_parser("migrate", help="import from another tool")
+    p_migrate.add_argument("source", nargs="?", default="sso-cli", help="source tool (default: sso-cli)")
+
+    # dv config
+    p_config = sub.add_parser("config", help="show configuration")
+    config_sub = p_config.add_subparsers(dest="config_action")
+    config_sub.add_parser("show", help="display current config")
+
+    return parser
+
+
+def cli() -> None:
+    parser = _build_parser()
+    args = parser.parse_args()
+
+    _setup_logging(args.verbose)
+
+    # Strip leading '--' from run command
+    if args.command == "run" and hasattr(args, "run_command"):
+        cmd = getattr(args, "run_command", [])
+        if cmd and cmd[0] == "--":
+            args.run_command = cmd[1:]
+
+    if not args.command:
+        parser.print_help()
+        return
+
+    # Propagate --json to args
+    try:
+        _dispatch(args)
+    except KeyboardInterrupt:
+        print("\nInterrupted.", file=sys.stderr)
+        sys.exit(130)
+    except Exception as e:
+        logger.debug("Error: %s", e, exc_info=True)
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+
+def _dispatch(args) -> None:
+    cmd = args.command
+    if cmd == "get":
+        from .commands.get import run
+        run(args)
+    elif cmd == "set":
+        from .commands.set_cmd import run
+        run(args)
+    elif cmd == "run":
+        from .commands.run import run as run_cmd
+        run_cmd(args)
+    elif cmd == "inject":
+        from .commands.inject import run
+        run(args)
+    elif cmd == "item":
+        from .commands.item import run
+        run(args)
+    elif cmd == "vault":
+        from .commands.vault import run
+        run(args)
+    elif cmd == "setup":
+        from .commands.setup import run
+        run(args)
+    elif cmd == "migrate":
+        from .commands.migrate import run
+        run(args)
+    elif cmd == "config":
+        from .commands.config_cmd import run
+        run(args)
+    else:
+        print(f"Unknown command: {cmd}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    cli()

dev_vault/commands/config_cmd.py

@@ -0,0 +1,42 @@
+"""
+dv config show -- display current configuration.
+
+Usage:
+  dv config show
+"""
+
+import json as json_mod
+import logging
+import sys
+
+import yaml
+
+from ..core.config import find_config_path, load_config
+
+logger = logging.getLogger(__name__)
+
+
+def run(args) -> None:
+    """Execute the config command."""
+    action = getattr(args, "config_action", "show")
+    if action == "show":
+        _show(args)
+    else:
+        print(f"Unknown config action: {action}", file=sys.stderr)
+        sys.exit(1)
+
+
+def _show(args) -> None:
+    config_path = find_config_path()
+    try:
+        config = load_config()
+    except FileNotFoundError:
+        print(f"No config found at: {config_path}", file=sys.stderr)
+        sys.exit(1)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"path": config_path, "config": config}, indent=2))
+        return
+
+    print(f"Config: {config_path}\n")
+    print(yaml.dump(config, default_flow_style=False, sort_keys=False), end="")

dev_vault/commands/get.py

@@ -0,0 +1,134 @@
+"""
+dv get -- retrieve a secret or OIDC token.
+
+Usage:
+  dv get <item>                    # default vault, primary field
+  dv get <vault> <item>            # specific vault
+  dv get <vault> <item> <field>    # specific vault + field
+  dv get vault/item/field          # slash shorthand
+"""
+
+import asyncio
+import json as json_mod
+import logging
+import sys
+
+from ..core.config import ensure_config, get_item, get_default_vault, list_all_items
+from ..core.keyring_store import get_secret
+from ..core.resolver import resolve, resolve_prefix
+from ..providers import PROVIDERS
+
+logger = logging.getLogger(__name__)
+
+
+def run(args) -> None:
+    asyncio.run(_get(args))
+
+
+def _parse_args(args) -> tuple:
+    """Parse positional args into (vault, item, field).
+
+    Supports:
+      ["item"]                -> (default, item, None)
+      ["vault", "item"]      -> (vault, item, None)
+      ["vault", "item", "f"] -> (vault, item, f)
+      ["vault/item"]         -> resolve via slash
+      ["vault/item/field"]   -> resolve via slash
+    """
+    parts = args.args
+    config = ensure_config()
+    default_vault = get_default_vault(config)
+
+    # If single arg with slashes, use resolver
+    if len(parts) == 1 and "/" in parts[0]:
+        return resolve(parts[0], default_vault)
+
+    if len(parts) == 1:
+        # Could be just an item name (default vault)
+        # Or could be a vault name if it matches a vault
+        vaults = list(config.get("vaults", {}).keys())
+        if parts[0] in vaults:
+            # Ambiguous: is it a vault or an item in default vault?
+            # Check if it's also an item in default vault
+            default_items = config.get("vaults", {}).get(default_vault, {}).get("items", {})
+            if parts[0] in default_items:
+                return default_vault, parts[0], None
+            # It's a vault name but no item specified
+            print(f"Error: vault '{parts[0]}' specified but no item name.", file=sys.stderr)
+            print(f"Usage: dv get {parts[0]} <item>", file=sys.stderr)
+            sys.exit(1)
+        return default_vault, parts[0], None
+    elif len(parts) == 2:
+        return parts[0], parts[1], None
+    elif len(parts) == 3:
+        return parts[0], parts[1], parts[2]
+    else:
+        print("Error: too many arguments. Usage: dv get [vault] <item> [field]", file=sys.stderr)
+        sys.exit(1)
+
+
+async def _get(args) -> None:
+    config = ensure_config()
+    vault, item_name, field = _parse_args(args)
+    logger.debug("Resolved: vault=%s item=%s field=%s", vault, item_name, field)
+
+    item = get_item(config, vault, item_name)
+    if not item:
+        print(f"Error: item '{item_name}' not found in vault '{vault}'.", file=sys.stderr)
+        sys.exit(1)
+
+    kind = item.get("kind", "static")
+
+    if kind == "oidc" and field is None:
+        value = await _get_oidc_token(item, vault, item_name)
+    elif kind == "oidc" and field == "access_token":
+        value = await _get_oidc_token(item, vault, item_name)
+    else:
+        resolved_field = field or _primary_field(item)
+        if not resolved_field:
+            print(f"Error: item '{item_name}' has no fields.", file=sys.stderr)
+            sys.exit(1)
+        value = get_secret(vault, item_name, resolved_field)
+        if value is None:
+            print(
+                f"Error: no secret for {vault}/{item_name}/{resolved_field}. "
+                "Run 'dv set' to store it.",
+                file=sys.stderr,
+            )
+            sys.exit(1)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"vault": vault, "item": item_name, "field": field, "value": value}))
+    else:
+        print(value)
+
+
+async def _get_oidc_token(item: dict, vault: str, item_name: str) -> str:
+    provider_name = item.get("provider", "keycloak")
+    provider = PROVIDERS.get(provider_name)
+    if not provider:
+        print(f"Error: unknown OIDC provider '{provider_name}'.", file=sys.stderr)
+        sys.exit(1)
+
+    item_config = item.get("config", {})
+    auth_type = item_config.get("auth_type", "user")
+    secret_field = "client_secret" if auth_type == "client" else "password"
+    secret = get_secret(vault, item_name, secret_field)
+    if secret is None:
+        print(
+            f"Error: no {secret_field} in keyring for {vault}/{item_name}. "
+            "Run 'dv setup' to configure.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    return await provider.get_token(item_config, secret)
+
+
+def _primary_field(item: dict) -> str:
+    fields = item.get("fields", [])
+    if isinstance(fields, list) and fields:
+        return fields[0]
+    if isinstance(fields, dict) and fields:
+        return next(iter(fields))
+    return "value"

dev_vault/commands/inject.py

@@ -0,0 +1,91 @@
+"""
+dv inject -- replace {{dv://...}} references in stdin.
+
+Usage:
+  dv inject < template.env > .env
+  cat template.yaml | dv inject > output.yaml
+"""
+
+import asyncio
+import logging
+import re
+import sys
+
+from ..core.config import ensure_config, get_item, get_default_vault
+from ..core.keyring_store import get_secret
+from ..core.resolver import resolve
+from ..providers import PROVIDERS
+
+logger = logging.getLogger(__name__)
+
+_REF_PATTERN = re.compile(r"\{\{(dv://[^}]+)\}\}")
+
+
+def run(args) -> None:
+    """Execute the inject command."""
+    asyncio.run(_inject(args))
+
+
+async def _inject(args) -> None:
+    config = ensure_config()
+    default_vault = get_default_vault(config)
+
+    template = sys.stdin.read()
+    refs = _REF_PATTERN.findall(template)
+
+    if not refs:
+        print(template, end="")
+        return
+
+    # Resolve all references
+    resolved = {}
+    for ref in set(refs):
+        known_vaults = list(config.get("vaults", {}).keys())
+        vault, item_name, field = resolve(ref, default_vault, known_vaults=known_vaults)
+        item = get_item(config, vault, item_name)
+        if not item:
+            print(f"Error: item '{item_name}' not found in vault '{vault}'.", file=sys.stderr)
+            sys.exit(1)
+
+        kind = item.get("kind", "static")
+        if kind == "oidc" and field is None:
+            value = await _get_oidc_token(item, vault, item_name)
+        else:
+            resolved_field = field or _primary_field(item)
+            value = get_secret(vault, item_name, resolved_field)
+            if value is None:
+                print(f"Error: no secret for {vault}/{item_name}/{resolved_field}.", file=sys.stderr)
+                sys.exit(1)
+
+        resolved[ref] = value
+
+    # Replace all references
+    def replacer(match):
+        return resolved[match.group(1)]
+
+    output = _REF_PATTERN.sub(replacer, template)
+    print(output, end="")
+
+
+async def _get_oidc_token(item: dict, vault: str, item_name: str) -> str:
+    provider_name = item.get("provider", "keycloak")
+    provider = PROVIDERS.get(provider_name)
+    if not provider:
+        print(f"Error: unknown provider '{provider_name}'.", file=sys.stderr)
+        sys.exit(1)
+
+    item_config = item.get("config", {})
+    secret_field = "client_secret" if item_config.get("auth_type") == "client" else "password"
+    secret = get_secret(vault, item_name, secret_field)
+    if secret is None:
+        print(f"Error: no {secret_field} for {vault}/{item_name}.", file=sys.stderr)
+        sys.exit(1)
+
+    return await provider.get_token(item_config, secret)
+
+
+def _primary_field(item: dict) -> str:
+    fields = item.get("fields", [])
+    if isinstance(fields, list) and fields:
+        return fields[0]
+    return "value"

dev_vault/commands/item.py

@@ -0,0 +1,122 @@
+"""
+dv item -- manage items in vaults.
+
+Usage:
+  dv item list [-v vault]
+  dv item create <name> --kind static|oidc [-v vault]
+  dv item show <name> [-v vault]
+  dv item delete <name> [-v vault]
+"""
+
+import json as json_mod
+import logging
+import sys
+
+from ..core.config import ensure_config, get_vault, get_item, list_all_items, save_config
+from ..core.keyring_store import delete_secret
+
+logger = logging.getLogger(__name__)
+
+
+def run(args) -> None:
+    """Route item subcommands."""
+    action = args.item_action
+    if action == "list":
+        _list_items(args)
+    elif action == "create":
+        _create_item(args)
+    elif action == "show":
+        _show_item(args)
+    elif action == "delete":
+        _delete_item(args)
+    else:
+        print(f"Unknown item action: {action}", file=sys.stderr)
+        sys.exit(1)
+
+
+def _list_items(args) -> None:
+    config = ensure_config()
+    vault_filter = getattr(args, "vault", None)
+
+    items = list_all_items(config)
+    if vault_filter:
+        items = [i for i in items if i["vault"] == vault_filter]
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps(items, indent=2))
+        return
+
+    if not items:
+        print("No items found.", file=sys.stderr)
+        return
+
+    for i in items:
+        print(f"  {i['vault']}/{i['item']}  [{i['kind']}]")
+
+
+def _create_item(args) -> None:
+    config = ensure_config()
+    vault_name = args.vault or config.get("defaults", {}).get("vault", "default")
+    vault = get_vault(config, vault_name)
+    items = vault.setdefault("items", {})
+
+    if args.name in items:
+        print(f"Error: item '{args.name}' already exists in vault '{vault_name}'.", file=sys.stderr)
+        sys.exit(1)
+
+    kind = getattr(args, "kind", "static") or "static"
+    items[args.name] = {"kind": kind, "fields": []}
+    save_config(config)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"vault": vault_name, "item": args.name, "kind": kind, "created": True}))
+    else:
+        print(f"Created: {vault_name}/{args.name} [{kind}]", file=sys.stderr)
+
+
+def _show_item(args) -> None:
+    config = ensure_config()
+    vault_name = args.vault or config.get("defaults", {}).get("vault", "default")
+    item = get_item(config, vault_name, args.name)
+    if not item:
+        print(f"Error: item '{args.name}' not found in vault '{vault_name}'.", file=sys.stderr)
+        sys.exit(1)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"vault": vault_name, "item": args.name, **item}, indent=2))
+        return
+
+    kind = item.get("kind", "static")
+    fields = item.get("fields", [])
+    print(f"  {vault_name}/{args.name}  [{kind}]")
+    print(f"  Fields: {', '.join(fields) if fields else '(none)'}")
+    if kind == "oidc":
+        provider = item.get("provider", "keycloak")
+        oidc_config = item.get("config", {})
+        print(f"  Provider: {provider}")
+        for k, v in oidc_config.items():
+            print(f"    {k}: {v}")
+
+
+def _delete_item(args) -> None:
+    config = ensure_config()
+    vault_name = args.vault or config.get("defaults", {}).get("vault", "default")
+    vault_data = config.get("vaults", {}).get(vault_name, {})
+    items = vault_data.get("items", {})
+
+    if args.name not in items:
+        print(f"Error: item '{args.name}' not found in vault '{vault_name}'.", file=sys.stderr)
+        sys.exit(1)
+
+    item = items[args.name]
+    fields = item.get("fields", [])
+    for field in fields:
+        delete_secret(vault_name, args.name, field)
+
+    del items[args.name]
+    save_config(config)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"vault": vault_name, "item": args.name, "deleted": True}))
+    else:
+        print(f"Deleted: {vault_name}/{args.name}", file=sys.stderr)

dev_vault/commands/migrate.py

@@ -0,0 +1,108 @@
+"""
+dv migrate sso-cli -- import config and secrets from sso-cli.
+
+Reads ~/sso_config.yaml and copies secrets from the sso-cli keyring
+to the dev-vault keyring.
+"""
+
+import json as json_mod
+import logging
+import os
+import sys
+
+import yaml
+
+from ..core.config import ensure_config, save_config
+from ..core.keyring_store import store_secret, get_secret_legacy
+
+logger = logging.getLogger(__name__)
+
+
+def run(args) -> None:
+    """Execute the migrate command."""
+    source = getattr(args, "source", "sso-cli")
+    if source != "sso-cli":
+        print(f"Error: unknown migration source '{source}'. Only 'sso-cli' is supported.", file=sys.stderr)
+        sys.exit(1)
+
+    _migrate_sso_cli(args)
+
+
+def _migrate_sso_cli(args) -> None:
+    """Import sso-cli config and secrets into dev-vault."""
+    # Find sso-cli config
+    sso_config_path = os.environ.get("SSO_CONFIG_PATH", "")
+    if not sso_config_path or not os.path.exists(sso_config_path):
+        sso_config_path = os.path.expanduser("~/sso_config.yaml")
+    if not os.path.exists(sso_config_path):
+        print(f"Error: sso-cli config not found at {sso_config_path}.", file=sys.stderr)
+        sys.exit(1)
+
+    print(f"Reading sso-cli config from: {sso_config_path}", file=sys.stderr)
+
+    with open(sso_config_path, "r", encoding="utf-8") as f:
+        raw = yaml.safe_load(f) or {}
+
+    env_cfg = raw.get("environments", raw)
+    if not isinstance(env_cfg, dict):
+        print("Error: invalid sso-cli config format.", file=sys.stderr)
+        sys.exit(1)
+
+    config = ensure_config()
+    migrated = 0
+
+    _LEGACY = {"password": "user", "client_credentials": "client"}
+
+    for env_key, env_data in env_cfg.items():
+        if not isinstance(env_data, dict) or not env_data.get("sso_url"):
+            print(f"  Skipping invalid environment: {env_key}", file=sys.stderr)
+            continue
+
+        # Create vault for this environment
+        vault = config.setdefault("vaults", {}).setdefault(env_key, {"items": {}})
+        items = vault.setdefault("items", {})
+
+        users = env_data.get("users", {})
+        for user_key, user_data in users.items():
+            if not isinstance(user_data, dict):
+                continue
+
+            auth_type = _LEGACY.get(user_data.get("auth_type", ""), user_data.get("auth_type", "user"))
+
+            # Create OIDC item
+            if auth_type == "client":
+                secret_field = "client_secret"
+                item_config = {
+                    "sso_url": env_data["sso_url"],
+                    "auth_type": "client",
+                    "client_id": user_data.get("client_id", user_key),
+                }
+            else:
+                secret_field = "password"
+                item_config = {
+                    "sso_url": env_data["sso_url"],
+                    "auth_type": "user",
+                    "email": user_data.get("email", user_key),
+                }
+
+            items[user_key] = {
+                "kind": "oidc",
+                "provider": "keycloak",
+                "config": item_config,
+                "fields": [secret_field],
+            }
+
+            # Migrate secret from sso-cli keyring
+            old_secret = get_secret_legacy(env_key, user_key)
+            if old_secret:
+                store_secret(env_key, user_key, secret_field, old_secret)
+                print(f"  Migrated: {env_key}/{user_key} ({auth_type})", file=sys.stderr)
+                migrated += 1
+            else:
+                print(f"  Warning: no keyring secret for {env_key}/{user_key}", file=sys.stderr)
+
+    path = save_config(config)
+    print(f"\nMigrated {migrated} item(s). Config saved to: {path}", file=sys.stderr)
+
+    if getattr(args, "json", False):
+        print(json_mod.dumps({"migrated": migrated, "config_path": path}))