lnp-devopscli 1.0.3__tar.gz → 1.1.0__tar.gz

{lnp_devopscli-1.0.3 → lnp_devopscli-1.1.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: lnp-devopscli
-Version: 1.0.3
+Version: 1.1.0
 Summary: DevOps CLI — workspace sync (GDrive, git, GPG, systemd timers) + GitLab/Bitwarden tooling
 Author-email: Lucas Neves Pires <npires.lucas@gmail.com>
 License: MIT
@@ -25,6 +25,9 @@ Requires-Dist: click>=8.0
 Requires-Dist: pyyaml>=6.0
 Requires-Dist: requests>=2.28
 Requires-Dist: rich>=13.0
+Requires-Dist: fastapi>=0.115
+Requires-Dist: uvicorn[standard]>=0.32
+Requires-Dist: sse-starlette>=2.1
 
 # lnp-devopscli
 

{lnp_devopscli-1.0.3 → lnp_devopscli-1.1.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "lnp-devopscli"
-version = "1.0.3"
+version = "1.1.0"
 description = "DevOps CLI — workspace sync (GDrive, git, GPG, systemd timers) + GitLab/Bitwarden tooling"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -31,8 +31,16 @@ dependencies = [
     "pyyaml>=6.0",
     "requests>=2.28",
     "rich>=13.0",
+    "fastapi>=0.115",
+    "uvicorn[standard]>=0.32",
+    "sse-starlette>=2.1",
 ]
 
+[tool.setuptools.package-data]
+"dc_cli" = ["*.toml", "*.yaml", "*.yml"]
+"dc_cli.installers.scripts" = ["*.sh"]
+"dc_cli.web.static" = ["*.html", "*.css", "*.js"]
+
 [project.urls]
 Homepage = "https://gitlab.com/lnp-consulting-ti/devops/devops-cli"
 Repository = "https://gitlab.com/lnp-consulting-ti/devops/devops-cli"
@@ -50,5 +58,3 @@ where = ["scripts"]
 include = ["dc_cli*"]
 exclude = ["tests*", "*.tests*"]
 
-[tool.setuptools.package-data]
-"dc_cli" = ["*.toml", "*.yaml", "*.yml"]

{lnp_devopscli-1.0.3 → lnp_devopscli-1.1.0}/scripts/dc_cli/__init__.py

@@ -1,3 +1,3 @@
 """DevOps CLI - LNP Consulting TI."""
 
-__version__ = "1.0.0"
+__version__ = "1.1.0"

lnp_devopscli-1.1.0/scripts/dc_cli/bw_secrets/__init__.py

@@ -0,0 +1,22 @@
+"""Bitwarden Secrets Manager integration for machine secrets.
+
+Provides bidirectional sync between local files (~/.ssh, ~/.config/rclone, etc)
+and BWS project `devopscli-machine-secrets`. Replaces leaking via GDrive sync.
+"""
+
+from .mapping import SECRETS, SecretSpec
+from .client import BwsClient, BwsError, BwsSecret
+from .sync import sync_all, migrate_all, sync_one, SyncAction, SyncResult
+
+__all__ = [
+    "SECRETS",
+    "SecretSpec",
+    "BwsClient",
+    "BwsError",
+    "BwsSecret",
+    "sync_all",
+    "sync_one",
+    "migrate_all",
+    "SyncAction",
+    "SyncResult",
+]

lnp_devopscli-1.1.0/scripts/dc_cli/bw_secrets/client.py

@@ -0,0 +1,134 @@
+"""Thin wrapper around the `bws` CLI for project/secret CRUD."""
+
+from __future__ import annotations
+
+import json
+import os
+import shutil
+import subprocess
+from dataclasses import dataclass
+from typing import Any
+
+
+class BwsError(RuntimeError):
+    pass
+
+
+@dataclass
+class BwsSecret:
+    id: str
+    key: str
+    value: str
+    note: str
+    project_id: str
+    revision_date: str
+
+    @classmethod
+    def from_api(cls, data: dict[str, Any]) -> "BwsSecret":
+        return cls(
+            id=data.get("id", ""),
+            key=data.get("key", ""),
+            value=data.get("value", ""),
+            note=data.get("note") or "",
+            project_id=data.get("projectId", ""),
+            revision_date=data.get("revisionDate", ""),
+        )
+
+
+class BwsClient:
+    """Wrap the bws binary. Auto-detects BWS_ACCESS_TOKEN from env."""
+
+    def __init__(self, access_token: str | None = None):
+        self.access_token = access_token or os.environ.get(
+            "BWS_ACCESS_TOKEN"
+        ) or os.environ.get("BW_ACCESS_TOKEN")
+        if not self.access_token:
+            raise BwsError(
+                "BWS_ACCESS_TOKEN nao definido. Exporte em ~/.zshrc."
+            )
+        if not shutil.which("bws"):
+            raise BwsError(
+                "bws CLI nao instalado. Veja: "
+                "https://bitwarden.com/help/secrets-manager-cli/"
+            )
+
+    def _run(self, args: list[str], timeout: int = 30) -> dict:
+        cmd = ["bws", "--access-token", self.access_token, "--output", "json"] + args
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
+        if result.returncode != 0:
+            raise BwsError(
+                f"bws {' '.join(args)} falhou: {result.stderr.strip()[:200]}"
+            )
+        if not result.stdout.strip():
+            return {}
+        try:
+            return json.loads(result.stdout)
+        except json.JSONDecodeError as e:
+            raise BwsError(f"resposta inválida do bws: {e}") from None
+
+    # ─── Projects ──────────────────────────────────────────────────
+
+    def list_projects(self) -> list[dict]:
+        return self._run(["project", "list"])  # type: ignore[return-value]
+
+    def get_project_by_name(self, name: str) -> dict | None:
+        for p in self.list_projects():
+            if p.get("name") == name:
+                return p
+        return None
+
+    def ensure_project(self, name: str) -> str:
+        """Get or create project, return its ID."""
+        existing = self.get_project_by_name(name)
+        if existing:
+            return existing["id"]
+        created = self._run(["project", "create", name])
+        return created["id"]
+
+    # ─── Secrets ───────────────────────────────────────────────────
+
+    def list_secrets(self, project_id: str | None = None) -> list[BwsSecret]:
+        raw = self._run(["secret", "list"])
+        if not isinstance(raw, list):
+            return []
+        secrets = [BwsSecret.from_api(s) for s in raw]
+        if project_id:
+            secrets = [s for s in secrets if s.project_id == project_id]
+        return secrets
+
+    def find_secret(self, key: str, project_id: str) -> BwsSecret | None:
+        for s in self.list_secrets(project_id):
+            if s.key == key:
+                return s
+        return None
+
+    def create_secret(
+        self, key: str, value: str, project_id: str, note: str = ""
+    ) -> BwsSecret:
+        args = ["secret", "create", key, value, project_id]
+        if note:
+            args += ["--note", note]
+        return BwsSecret.from_api(self._run(args))
+
+    def update_secret(
+        self,
+        secret_id: str,
+        project_id: str,
+        key: str | None = None,
+        value: str | None = None,
+        note: str | None = None,
+    ) -> BwsSecret:
+        args = ["secret", "edit", secret_id]
+        # bws edit aceita --key, --value, --note, --project-id
+        if key is not None:
+            args += ["--key", key]
+        if value is not None:
+            args += ["--value", value]
+        if note is not None:
+            args += ["--note", note]
+        if project_id:
+            args += ["--project-id", project_id]
+        return BwsSecret.from_api(self._run(args))
+
+    def delete_secret(self, secret_id: str) -> None:
+        self._run(["secret", "delete", secret_id])

lnp_devopscli-1.1.0/scripts/dc_cli/bw_secrets/mapping.py

@@ -0,0 +1,74 @@
+"""Specification of machine secrets stored in BWS."""
+
+from __future__ import annotations
+
+import os
+from dataclasses import dataclass
+from pathlib import Path
+
+
+DEFAULT_PROJECT_NAME = "devopscli-machine-secrets"
+
+
+@dataclass(frozen=True)
+class SecretSpec:
+    """One machine secret managed by devopscli bw."""
+
+    name: str
+    path: str
+    file_mode: int = 0o600
+    dir_mode: int = 0o700
+    optional: bool = True
+    category: str = "misc"
+    binary: bool = False
+
+    def local_path(self) -> Path:
+        return Path(os.path.expanduser(self.path))
+
+    @property
+    def parent(self) -> Path:
+        return self.local_path().parent
+
+
+SECRETS: tuple[SecretSpec, ...] = (
+    SecretSpec(name="rclone_conf", path="~/.config/rclone/rclone.conf",
+               file_mode=0o600, dir_mode=0o700, category="rclone"),
+    SecretSpec(name="ssh_config", path="~/.ssh/config",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_known_hosts", path="~/.ssh/known_hosts",
+               file_mode=0o644, category="ssh"),
+    SecretSpec(name="ssh_id_rsa", path="~/.ssh/id_rsa",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_id_rsa_pub", path="~/.ssh/id_rsa.pub",
+               file_mode=0o644, category="ssh"),
+    SecretSpec(name="ssh_id_rsa_builders", path="~/.ssh/id_rsa_builders",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_id_rsa_builders_pub", path="~/.ssh/id_rsa_builders.pub",
+               file_mode=0o644, category="ssh"),
+    SecretSpec(name="ssh_id_rsa_git_hml", path="~/.ssh/id_rsa_git_hml",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_id_rsa_git_hml_pub", path="~/.ssh/id_rsa_git_hml.pub",
+               file_mode=0o644, category="ssh"),
+    SecretSpec(name="ssh_id_ed25519", path="~/.ssh/id_ed25519",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_id_ed25519_pub", path="~/.ssh/id_ed25519.pub",
+               file_mode=0o644, category="ssh"),
+    SecretSpec(name="ssh_desktop_key", path="~/.ssh/desktop_key",
+               file_mode=0o600, category="ssh"),
+    SecretSpec(name="ssh_desktop_key_pub", path="~/.ssh/desktop_key.pub",
+               file_mode=0o644, category="ssh"),
+)
+
+
+def secrets_by_category() -> dict[str, list[SecretSpec]]:
+    result: dict[str, list[SecretSpec]] = {}
+    for s in SECRETS:
+        result.setdefault(s.category, []).append(s)
+    return result
+
+
+def find_secret(name: str) -> SecretSpec | None:
+    for s in SECRETS:
+        if s.name == name:
+            return s
+    return None

lnp_devopscli-1.1.0/scripts/dc_cli/bw_secrets/sync.py

@@ -0,0 +1,236 @@
+"""Bidirectional sync logic with hash-based idempotency."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+from dataclasses import dataclass
+from enum import Enum
+from pathlib import Path
+
+from .client import BwsClient, BwsError, BwsSecret
+from .mapping import SECRETS, SecretSpec
+
+
+class SyncAction(str, Enum):
+    UNCHANGED = "unchanged"
+    PULLED = "pulled"
+    PUSHED = "pushed"
+    SKIPPED_LOCAL_MISSING = "skipped_local_missing"
+    SKIPPED_REMOTE_MISSING = "skipped_remote_missing"
+    CREATED_REMOTE = "created_remote"
+    CONFLICT = "conflict"
+    ERROR = "error"
+
+
+@dataclass
+class SyncResult:
+    spec: SecretSpec
+    action: SyncAction
+    detail: str = ""
+
+
+def _sha256_text(s: str) -> str:
+    return hashlib.sha256(s.encode("utf-8")).hexdigest()
+
+
+def _read_local(spec: SecretSpec) -> str | None:
+    path = spec.local_path()
+    if not path.exists():
+        return None
+    try:
+        if spec.binary:
+            return base64.b64encode(path.read_bytes()).decode("ascii")
+        return path.read_text()
+    except OSError:
+        return None
+
+
+def _parse_note(note: str) -> dict:
+    if not note:
+        return {}
+    try:
+        return json.loads(note)
+    except json.JSONDecodeError:
+        return {}
+
+
+def _make_note(local_path: str, content_hash: str) -> str:
+    return json.dumps(
+        {"path": local_path, "sha256": content_hash, "managed_by": "devopscli"},
+        separators=(",", ":"),
+    )
+
+
+def _apply_permissions(spec: SecretSpec) -> None:
+    """chmod the file and ensure parent dir has secure mode."""
+    parent = spec.parent
+    if parent.exists() and parent.is_dir():
+        try:
+            parent.chmod(spec.dir_mode)
+        except OSError:
+            pass
+    path = spec.local_path()
+    if path.exists():
+        try:
+            path.chmod(spec.file_mode)
+        except OSError:
+            pass
+
+
+def _write_local(spec: SecretSpec, content: str) -> None:
+    path = spec.local_path()
+    path.parent.mkdir(parents=True, exist_ok=True)
+    try:
+        path.parent.chmod(spec.dir_mode)
+    except OSError:
+        pass
+    if spec.binary:
+        path.write_bytes(base64.b64decode(content.encode("ascii")))
+    else:
+        path.write_text(content)
+    _apply_permissions(spec)
+
+
+def sync_one(
+    client: BwsClient,
+    spec: SecretSpec,
+    project_id: str,
+    direction: str = "auto",
+    dry_run: bool = False,
+) -> SyncResult:
+    """Sync a single secret.
+
+    direction:
+      - "auto":  if both exist, compare hashes; if remote is newer, pull;
+                 if local is newer, push; if equal, unchanged
+      - "push":  only upload local → BWS
+      - "pull":  only download BWS → local
+    """
+    local_content = _read_local(spec)
+    remote_secret = client.find_secret(spec.name, project_id)
+
+    # ── Caso 1: nada local, nada remoto ─────────────────────────
+    if local_content is None and remote_secret is None:
+        if spec.optional:
+            return SyncResult(spec, SyncAction.SKIPPED_LOCAL_MISSING,
+                              "nem local nem remoto existem")
+        return SyncResult(spec, SyncAction.ERROR, "obrigatorio mas faltando dos dois lados")
+
+    # ── Caso 2: só remoto existe (pull) ─────────────────────────
+    if local_content is None and remote_secret is not None:
+        if direction == "push":
+            return SyncResult(spec, SyncAction.SKIPPED_LOCAL_MISSING,
+                              "push solicitado mas arquivo local nao existe")
+        if dry_run:
+            return SyncResult(spec, SyncAction.PULLED,
+                              f"[dry-run] restauraria {spec.local_path()}")
+        _write_local(spec, remote_secret.value)
+        return SyncResult(spec, SyncAction.PULLED,
+                          f"restaurado em {spec.local_path()}")
+
+    # ── Caso 3: só local existe (push/create) ───────────────────
+    if local_content is not None and remote_secret is None:
+        if direction == "pull":
+            return SyncResult(spec, SyncAction.SKIPPED_REMOTE_MISSING,
+                              "pull solicitado mas secret remoto nao existe")
+        if dry_run:
+            return SyncResult(spec, SyncAction.CREATED_REMOTE,
+                              f"[dry-run] criaria secret {spec.name}")
+        h = _sha256_text(local_content)
+        note = _make_note(spec.path, h)
+        client.create_secret(spec.name, local_content, project_id, note=note)
+        return SyncResult(spec, SyncAction.CREATED_REMOTE,
+                          f"criado no BWS (hash {h[:8]})")
+
+    # ── Caso 4: ambos existem ───────────────────────────────────
+    assert local_content is not None and remote_secret is not None
+    local_hash = _sha256_text(local_content)
+    remote_meta = _parse_note(remote_secret.note)
+    remote_hash = remote_meta.get("sha256", "")
+
+    # Se hashes batem, nada a fazer
+    if local_hash == remote_hash and local_content == remote_secret.value:
+        return SyncResult(spec, SyncAction.UNCHANGED, f"hash {local_hash[:8]}")
+
+    # Conteúdo difere — decide direção
+    if direction == "push":
+        target = "push"
+    elif direction == "pull":
+        target = "pull"
+    else:
+        # auto: prefere remoto se hash do BWS bate com conteúdo (significa
+        # foi alguem com revisao mais nova). Se hashes nao batem na nota,
+        # local ganha (fonte de verdade do dispositivo atual).
+        if remote_secret.value != local_content:
+            # Diferenca real. Local ganha por padrao (push)
+            target = "push"
+        else:
+            target = "pull"
+
+    if target == "push":
+        if dry_run:
+            return SyncResult(spec, SyncAction.PUSHED,
+                              f"[dry-run] sobrescreveria remoto (local hash {local_hash[:8]})")
+        note = _make_note(spec.path, local_hash)
+        client.update_secret(
+            remote_secret.id,
+            project_id=project_id,
+            value=local_content,
+            note=note,
+        )
+        return SyncResult(spec, SyncAction.PUSHED,
+                          f"local → BWS (hash {local_hash[:8]})")
+    else:
+        if dry_run:
+            return SyncResult(spec, SyncAction.PULLED,
+                              f"[dry-run] sobrescreveria local")
+        _write_local(spec, remote_secret.value)
+        return SyncResult(spec, SyncAction.PULLED,
+                          f"BWS → local (hash {remote_hash[:8]})")
+
+
+def sync_all(
+    client: BwsClient,
+    project_id: str,
+    direction: str = "auto",
+    dry_run: bool = False,
+    only: list[str] | None = None,
+    category: str | None = None,
+    on_result=None,
+) -> list[SyncResult]:
+    """Sync all secrets matching filters.
+
+    on_result: optional callback(result) for live progress.
+    """
+    results = []
+    for spec in SECRETS:
+        if only and spec.name not in only:
+            continue
+        if category and spec.category != category:
+            continue
+        try:
+            r = sync_one(client, spec, project_id, direction=direction, dry_run=dry_run)
+        except (BwsError, OSError) as e:
+            r = SyncResult(spec, SyncAction.ERROR, str(e)[:150])
+        results.append(r)
+        if on_result:
+            on_result(r)
+    return results
+
+
+def migrate_all(
+    client: BwsClient,
+    project_id: str,
+    dry_run: bool = False,
+    on_result=None,
+) -> list[SyncResult]:
+    """Upload current state of all local files to BWS (first-time migration)."""
+    return sync_all(
+        client,
+        project_id,
+        direction="push",
+        dry_run=dry_run,
+        on_result=on_result,
+    )