mcli-framework 7.8.4__py3-none-any.whl → 7.9.0__py3-none-any.whl

mcli/lib/secrets/commands.py

@@ -0,0 +1,185 @@
+"""
+CLI commands for secrets management.
+"""
+
+from pathlib import Path
+from typing import Optional
+
+import click
+
+from mcli.lib.ui.styling import error, info, success, warning
+
+from .manager import SecretsManager
+from .repl import run_repl
+from .store import SecretsStore
+
+
+@click.group(name="secrets", help="Secure secrets management with encryption and git sync")
+def secrets_group():
+    """Secrets management commands."""
+    pass
+
+
+@secrets_group.command(name="repl", help="Launch interactive secrets shell")
+def secrets_repl():
+    """Launch the interactive secrets REPL."""
+    run_repl()
+
+
+@secrets_group.command(name="set", help="Set a secret value")
+@click.argument("key")
+@click.argument("value")
+@click.option("-n", "--namespace", default="default", help="Namespace for the secret")
+def secrets_set(key: str, value: str, namespace: str):
+    """Set a secret value."""
+    manager = SecretsManager()
+    try:
+        manager.set(key, value, namespace)
+        success(f"Secret '{key}' set in namespace '{namespace}'")
+    except Exception as e:
+        error(f"Failed to set secret: {e}")
+
+
+@secrets_group.command(name="get", help="Get a secret value")
+@click.argument("key")
+@click.option("-n", "--namespace", default="default", help="Namespace for the secret")
+@click.option("-s", "--show", is_flag=True, help="Show the full value (not masked)")
+def secrets_get(key: str, namespace: str, show: bool):
+    """Get a secret value."""
+    manager = SecretsManager()
+    value = manager.get(key, namespace)
+
+    if value is not None:
+        if show:
+            click.echo(value)
+        else:
+            # Mask the value
+            masked = (
+                value[:3] + "*" * (len(value) - 6) + value[-3:]
+                if len(value) > 6
+                else "*" * len(value)
+            )
+            info(f"{key} = {masked}")
+            info("Use --show to display the full value")
+    else:
+        warning(f"Secret '{key}' not found in namespace '{namespace}'")
+
+
+@secrets_group.command(name="list", help="List all secrets")
+@click.option("-n", "--namespace", help="Filter by namespace")
+def secrets_list(namespace: Optional[str]):
+    """List all secrets."""
+    manager = SecretsManager()
+    secrets = manager.list(namespace)
+
+    if secrets:
+        info("Secrets:")
+        for secret in secrets:
+            click.echo(f"  • {secret}")
+    else:
+        info("No secrets found")
+
+
+@secrets_group.command(name="delete", help="Delete a secret")
+@click.argument("key")
+@click.option("-n", "--namespace", default="default", help="Namespace for the secret")
+@click.confirmation_option(prompt="Are you sure you want to delete this secret?")
+def secrets_delete(key: str, namespace: str):
+    """Delete a secret."""
+    manager = SecretsManager()
+    if manager.delete(key, namespace):
+        success(f"Secret '{key}' deleted from namespace '{namespace}'")
+    else:
+        warning(f"Secret '{key}' not found in namespace '{namespace}'")
+
+
+@secrets_group.command(name="export", help="Export secrets as environment variables")
+@click.option("-n", "--namespace", help="Namespace to export")
+@click.option("-o", "--output", type=click.Path(), help="Output file (defaults to stdout)")
+def secrets_export(namespace: Optional[str], output: Optional[str]):
+    """Export secrets as environment variables."""
+    manager = SecretsManager()
+    env_vars = manager.export_env(namespace)
+
+    if env_vars:
+        if output:
+            with open(output, "w") as f:
+                for key, value in env_vars.items():
+                    f.write(f"export {key}={value}\n")
+            success(f"Exported {len(env_vars)} secrets to {output}")
+        else:
+            for key, value in env_vars.items():
+                click.echo(f"export {key}={value}")
+    else:
+        info("No secrets to export")
+
+
+@secrets_group.command(name="import", help="Import secrets from environment file")
+@click.argument("env_file", type=click.Path(exists=True))
+@click.option("-n", "--namespace", default="default", help="Namespace to import into")
+def secrets_import(env_file: str, namespace: str):
+    """Import secrets from environment file."""
+    manager = SecretsManager()
+    count = manager.import_env(Path(env_file), namespace)
+    success(f"Imported {count} secrets into namespace '{namespace}'")
+
+
+@secrets_group.group(name="store", help="Git-based secrets synchronization")
+def store_group():
+    """Store management commands."""
+    pass
+
+
+@store_group.command(name="init", help="Initialize secrets store")
+@click.option("-r", "--remote", help="Git remote URL")
+def store_init(remote: Optional[str]):
+    """Initialize the secrets store."""
+    store = SecretsStore()
+    store.init(remote)
+
+
+@store_group.command(name="push", help="Push secrets to store")
+@click.option("-m", "--message", help="Commit message")
+def store_push(message: Optional[str]):
+    """Push secrets to store."""
+    manager = SecretsManager()
+    store = SecretsStore()
+    store.push(manager.secrets_dir, message)
+
+
+@store_group.command(name="pull", help="Pull secrets from store")
+def store_pull():
+    """Pull secrets from store."""
+    manager = SecretsManager()
+    store = SecretsStore()
+    store.pull(manager.secrets_dir)
+
+
+@store_group.command(name="sync", help="Sync secrets with store")
+@click.option("-m", "--message", help="Commit message")
+def store_sync(message: Optional[str]):
+    """Sync secrets with store."""
+    manager = SecretsManager()
+    store = SecretsStore()
+    store.sync(manager.secrets_dir, message)
+
+
+@store_group.command(name="status", help="Show store status")
+def store_status():
+    """Show store status."""
+    store = SecretsStore()
+    status = store.status()
+
+    info("Secrets Store Status:")
+    click.echo(f"  Initialized: {status['initialized']}")
+    click.echo(f"  Path: {status['store_path']}")
+
+    if status["initialized"]:
+        click.echo(f"  Branch: {status['branch']}")
+        click.echo(f"  Commit: {status['commit']}")
+        click.echo(f"  Clean: {status['clean']}")
+
+        if status["has_remote"]:
+            click.echo(f"  Remote: {status['remote_url']}")
+        else:
+            click.echo("  Remote: Not configured")

mcli/lib/secrets/manager.py

@@ -0,0 +1,213 @@
+"""
+Secrets manager for handling secure storage and retrieval of secrets.
+"""
+
+import base64
+import json
+import os
+from pathlib import Path
+from typing import Dict, List, Optional
+
+import click
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+
+from mcli.lib.logger.logger import get_logger
+
+logger = get_logger(__name__)
+
+
+class SecretsManager:
+    """Manages secrets storage with encryption."""
+
+    def __init__(self, secrets_dir: Optional[Path] = None):
+        """Initialize the secrets manager.
+
+        Args:
+            secrets_dir: Directory to store secrets. Defaults to ~/.mcli/secrets/
+        """
+        self.secrets_dir = secrets_dir or Path.home() / ".mcli" / "secrets"
+        self.secrets_dir.mkdir(parents=True, exist_ok=True)
+        self._cipher_suite = self._get_cipher_suite()
+
+    def _get_cipher_suite(self) -> Fernet:
+        """Get or create encryption key."""
+        key_file = self.secrets_dir / ".key"
+
+        if key_file.exists():
+            with open(key_file, "rb") as f:
+                key = f.read()
+        else:
+            # Generate a new key from a password
+            password = click.prompt("Enter a password for secrets encryption", hide_input=True)
+            password_bytes = password.encode()
+
+            # Use PBKDF2 to derive a key from the password
+            kdf = PBKDF2HMAC(
+                algorithm=hashes.SHA256(),
+                length=32,
+                salt=b"mcli-secrets-salt",  # In production, use a random salt
+                iterations=100000,
+            )
+            key = base64.urlsafe_b64encode(kdf.derive(password_bytes))
+
+            # Save the key (in production, this should be stored more securely)
+            with open(key_file, "wb") as f:
+                f.write(key)
+
+            # Set restrictive permissions
+            os.chmod(key_file, 0o600)
+
+        return Fernet(key)
+
+    def set(self, key: str, value: str, namespace: Optional[str] = None) -> None:
+        """Set a secret value.
+
+        Args:
+            key: Secret key
+            value: Secret value
+            namespace: Optional namespace for grouping secrets
+        """
+        namespace = namespace or "default"
+        namespace_dir = self.secrets_dir / namespace
+        namespace_dir.mkdir(exist_ok=True)
+
+        # Encrypt the value
+        encrypted_value = self._cipher_suite.encrypt(value.encode())
+
+        # Store the encrypted value
+        secret_file = namespace_dir / f"{key}.secret"
+        with open(secret_file, "wb") as f:
+            f.write(encrypted_value)
+
+        # Set restrictive permissions
+        os.chmod(secret_file, 0o600)
+
+        logger.debug(f"Secret '{key}' stored in namespace '{namespace}'")
+
+    def get(self, key: str, namespace: Optional[str] = None) -> Optional[str]:
+        """Get a secret value.
+
+        Args:
+            key: Secret key
+            namespace: Optional namespace
+
+        Returns:
+            Decrypted secret value or None if not found
+        """
+        namespace = namespace or "default"
+        secret_file = self.secrets_dir / namespace / f"{key}.secret"
+
+        if not secret_file.exists():
+            return None
+
+        with open(secret_file, "rb") as f:
+            encrypted_value = f.read()
+
+        try:
+            decrypted_value = self._cipher_suite.decrypt(encrypted_value)
+            return decrypted_value.decode()
+        except Exception as e:
+            logger.error(f"Failed to decrypt secret '{key}': {e}")
+            return None
+
+    def list(self, namespace: Optional[str] = None) -> List[str]:
+        """List all secret keys.
+
+        Args:
+            namespace: Optional namespace filter
+
+        Returns:
+            List of secret keys
+        """
+        if namespace:
+            namespace_dirs = [self.secrets_dir / namespace]
+        else:
+            namespace_dirs = [
+                d for d in self.secrets_dir.iterdir() if d.is_dir() and not d.name.startswith(".")
+            ]
+
+        secrets = []
+        for namespace_dir in namespace_dirs:
+            if namespace_dir.exists():
+                for secret_file in namespace_dir.glob("*.secret"):
+                    key = secret_file.stem
+                    ns = namespace_dir.name
+                    secrets.append(f"{ns}/{key}" if not namespace else key)
+
+        return sorted(secrets)
+
+    def delete(self, key: str, namespace: Optional[str] = None) -> bool:
+        """Delete a secret.
+
+        Args:
+            key: Secret key
+            namespace: Optional namespace
+
+        Returns:
+            True if deleted, False if not found
+        """
+        namespace = namespace or "default"
+        secret_file = self.secrets_dir / namespace / f"{key}.secret"
+
+        if secret_file.exists():
+            secret_file.unlink()
+            logger.debug(f"Secret '{key}' deleted from namespace '{namespace}'")
+            return True
+
+        return False
+
+    def export_env(self, namespace: Optional[str] = None) -> Dict[str, str]:
+        """Export secrets as environment variables.
+
+        Args:
+            namespace: Optional namespace filter
+
+        Returns:
+            Dictionary of key-value pairs
+        """
+        env_vars = {}
+
+        for secret_key in self.list(namespace):
+            if "/" in secret_key:
+                ns, key = secret_key.split("/", 1)
+                value = self.get(key, ns)
+            else:
+                value = self.get(secret_key, namespace)
+
+            if value:
+                # Convert to uppercase for environment variable convention
+                if "/" in secret_key:
+                    env_key = key.upper().replace("-", "_")
+                else:
+                    env_key = secret_key.upper().replace("-", "_")
+                env_vars[env_key] = value
+
+        return env_vars
+
+    def import_env(self, env_file: Path, namespace: Optional[str] = None) -> int:
+        """Import secrets from an environment file.
+
+        Args:
+            env_file: Path to .env file
+            namespace: Optional namespace
+
+        Returns:
+            Number of secrets imported
+        """
+        namespace = namespace or "default"
+        count = 0
+
+        with open(env_file) as f:
+            for line in f:
+                line = line.strip()
+                if line and not line.startswith("#") and "=" in line:
+                    key, value = line.split("=", 1)
+                    key = key.strip()
+                    value = value.strip().strip('"').strip("'")
+
+                    self.set(key.lower().replace("_", "-"), value, namespace)
+                    count += 1
+
+        return count

mcli/lib/secrets/repl.py

@@ -0,0 +1,297 @@
+"""
+REPL (Read-Eval-Print Loop) for LSH secrets management.
+"""
+
+import os
+from pathlib import Path
+from typing import List
+
+import click
+from prompt_toolkit import prompt
+from prompt_toolkit.auto_suggest import AutoSuggestFromHistory
+from prompt_toolkit.completion import WordCompleter
+from prompt_toolkit.history import FileHistory
+
+from mcli.lib.logger.logger import get_logger
+
+logger = get_logger(__name__)
+from mcli.lib.ui.styling import console, error, info, success, warning
+
+from .manager import SecretsManager
+from .store import SecretsStore
+
+
+class SecretsREPL:
+    """Interactive REPL for secrets management."""
+
+    def __init__(self):
+        """Initialize the REPL."""
+        self.manager = SecretsManager()
+        self.store = SecretsStore()
+        self.running = False
+        self.namespace = "default"
+        self.history_file = Path.home() / ".mcli" / "secrets_repl_history"
+
+        # Commands
+        self.commands = {
+            "set": self.cmd_set,
+            "get": self.cmd_get,
+            "list": self.cmd_list,
+            "delete": self.cmd_delete,
+            "namespace": self.cmd_namespace,
+            "export": self.cmd_export,
+            "import": self.cmd_import,
+            "push": self.cmd_push,
+            "pull": self.cmd_pull,
+            "sync": self.cmd_sync,
+            "status": self.cmd_status,
+            "help": self.cmd_help,
+            "exit": self.cmd_exit,
+            "quit": self.cmd_exit,
+        }
+
+        # Command completer
+        self.completer = WordCompleter(list(self.commands.keys()) + ["ns"], ignore_case=True)
+
+    def run(self):
+        """Run the REPL."""
+        self.running = True
+
+        # Print welcome message
+        console.print("[bold cyan]MCLI Secrets Management Shell[/bold cyan]")
+        console.print("Type 'help' for available commands or 'exit' to quit.\n")
+
+        # Create history file directory if needed
+        self.history_file.parent.mkdir(parents=True, exist_ok=True)
+
+        while self.running:
+            try:
+                # Build prompt
+                prompt_text = f"[{self.namespace}]> "
+
+                # Get user input
+                user_input = prompt(
+                    prompt_text,
+                    completer=self.completer,
+                    history=FileHistory(str(self.history_file)),
+                    auto_suggest=AutoSuggestFromHistory(),
+                ).strip()
+
+                if not user_input:
+                    continue
+
+                # Parse command and arguments
+                parts = user_input.split()
+                command = parts[0].lower()
+                args = parts[1:] if len(parts) > 1 else []
+
+                # Handle command aliases
+                if command == "ns":
+                    command = "namespace"
+
+                # Execute command
+                if command in self.commands:
+                    self.commands[command](args)
+                else:
+                    error(f"Unknown command: {command}")
+                    console.print("Type 'help' for available commands.")
+
+            except KeyboardInterrupt:
+                console.print("\nUse 'exit' or 'quit' to leave the shell.")
+            except EOFError:
+                self.cmd_exit([])
+            except Exception as e:
+                error(f"Error: {e}")
+                logger.exception("REPL error")
+
+    def cmd_set(self, args: List[str]):
+        """Set a secret value."""
+        if len(args) < 2:
+            error("Usage: set <key> <value>")
+            return
+
+        key = args[0]
+        value = " ".join(args[1:])
+
+        try:
+            self.manager.set(key, value, self.namespace)
+            success(f"Secret '{key}' set in namespace '{self.namespace}'")
+        except Exception as e:
+            error(f"Failed to set secret: {e}")
+
+    def cmd_get(self, args: List[str]):
+        """Get a secret value."""
+        if len(args) != 1:
+            error("Usage: get <key>")
+            return
+
+        key = args[0]
+        value = self.manager.get(key, self.namespace)
+
+        if value is not None:
+            # Mask the value for security
+            masked_value = (
+                value[:3] + "*" * (len(value) - 6) + value[-3:]
+                if len(value) > 6
+                else "*" * len(value)
+            )
+            info(f"{key} = {masked_value}")
+
+            if click.confirm("Show full value?", default=False):
+                console.print(f"[yellow]{value}[/yellow]")
+        else:
+            warning(f"Secret '{key}' not found in namespace '{self.namespace}'")
+
+    def cmd_list(self, args: List[str]):
+        """List all secrets."""
+        secrets = self.manager.list(self.namespace if args != ["all"] else None)
+
+        if secrets:
+            console.print("[bold]Secrets:[/bold]")
+            for secret in secrets:
+                console.print(f"  • {secret}")
+        else:
+            info("No secrets found")
+
+    def cmd_delete(self, args: List[str]):
+        """Delete a secret."""
+        if len(args) != 1:
+            error("Usage: delete <key>")
+            return
+
+        key = args[0]
+
+        if click.confirm(f"Delete secret '{key}' from namespace '{self.namespace}'?"):
+            if self.manager.delete(key, self.namespace):
+                success(f"Secret '{key}' deleted")
+            else:
+                warning(f"Secret '{key}' not found")
+
+    def cmd_namespace(self, args: List[str]):
+        """Switch namespace."""
+        if len(args) == 0:
+            # List namespaces
+            namespaces = set()
+            for d in self.manager.secrets_dir.iterdir():
+                if d.is_dir() and not d.name.startswith("."):
+                    namespaces.add(d.name)
+
+            console.print(f"[bold]Current namespace:[/bold] {self.namespace}")
+            if namespaces:
+                console.print("[bold]Available namespaces:[/bold]")
+                for ns in sorted(namespaces):
+                    marker = "→" if ns == self.namespace else " "
+                    console.print(f"  {marker} {ns}")
+        elif len(args) == 1:
+            self.namespace = args[0]
+            success(f"Switched to namespace '{self.namespace}'")
+        else:
+            error("Usage: namespace [<name>]")
+
+    def cmd_export(self, args: List[str]):
+        """Export secrets as environment variables."""
+        env_vars = self.manager.export_env(self.namespace)
+
+        if env_vars:
+            if args and args[0] == "file":
+                # Export to file
+                filename = args[1] if len(args) > 1 else f"{self.namespace}.env"
+                with open(filename, "w") as f:
+                    for key, value in env_vars.items():
+                        f.write(f"{key}={value}\n")
+                success(f"Exported {len(env_vars)} secrets to {filename}")
+            else:
+                # Display export commands
+                console.print("[bold]Export commands:[/bold]")
+                for key, value in env_vars.items():
+                    masked_value = value[:3] + "***" + value[-3:] if len(value) > 6 else "***"
+                    console.print(f"export {key}={masked_value}")
+        else:
+            info("No secrets to export")
+
+    def cmd_import(self, args: List[str]):
+        """Import secrets from environment file."""
+        if len(args) != 1:
+            error("Usage: import <env-file>")
+            return
+
+        env_file = Path(args[0])
+        if not env_file.exists():
+            error(f"File not found: {env_file}")
+            return
+
+        count = self.manager.import_env(env_file, self.namespace)
+        success(f"Imported {count} secrets from {env_file}")
+
+    def cmd_push(self, args: List[str]):
+        """Push secrets to git store."""
+        message = " ".join(args) if args else None
+        self.store.push(self.manager.secrets_dir, message)
+
+    def cmd_pull(self, args: List[str]):
+        """Pull secrets from git store."""
+        self.store.pull(self.manager.secrets_dir)
+
+    def cmd_sync(self, args: List[str]):
+        """Sync secrets with git store."""
+        message = " ".join(args) if args else None
+        self.store.sync(self.manager.secrets_dir, message)
+
+    def cmd_status(self, args: List[str]):
+        """Show store status."""
+        status = self.store.status()
+
+        console.print("[bold]Secrets Store Status:[/bold]")
+        console.print(f"  Initialized: {status['initialized']}")
+        console.print(f"  Path: {status['store_path']}")
+
+        if status["initialized"]:
+            console.print(f"  Branch: {status['branch']}")
+            console.print(f"  Commit: {status['commit']}")
+            console.print(f"  Clean: {status['clean']}")
+
+            if status["has_remote"]:
+                console.print(f"  Remote: {status['remote_url']}")
+            else:
+                console.print("  Remote: [dim]Not configured[/dim]")
+
+    def cmd_help(self, args: List[str]):
+        """Show help information."""
+        console.print("[bold]Available Commands:[/bold]\n")
+
+        help_text = {
+            "set": "Set a secret value",
+            "get": "Get a secret value",
+            "list": "List all secrets (use 'list all' for all namespaces)",
+            "delete": "Delete a secret",
+            "namespace": "Switch namespace or list namespaces (alias: ns)",
+            "export": "Export secrets as environment variables",
+            "import": "Import secrets from .env file",
+            "push": "Push secrets to git store",
+            "pull": "Pull secrets from git store",
+            "sync": "Sync secrets with git store",
+            "status": "Show store status",
+            "help": "Show this help",
+            "exit": "Exit the shell (alias: quit)",
+        }
+
+        for cmd, desc in help_text.items():
+            console.print(f"  [cyan]{cmd:12}[/cyan] {desc}")
+
+        console.print("\n[bold]Examples:[/bold]")
+        console.print("  set api-key sk-1234567890")
+        console.print("  get api-key")
+        console.print("  namespace production")
+        console.print("  export file production.env")
+        console.print("  import .env.local")
+
+    def cmd_exit(self, args: List[str]):
+        """Exit the REPL."""
+        self.running = False
+        console.print("\nGoodbye!")
+
+
+def run_repl():
+    """Entry point for the REPL."""
+    repl = SecretsREPL()
+    repl.run()