add age-based local vault

Author: jahvon

.gitignore

@@ -0,0 +1,3 @@
+*.age
+*.txt
+playground/*

cmd/main.go

@@ -0,0 +1,72 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"path/filepath"
+
+	"github.com/jahvon/vault"
+)
+
+func main() {
+	dir := "/Users/jahvon/workspaces/github.com/jahvon/vault/playground"
+	fmt.Printf("Testing vault in: %s\n", dir)
+
+	fmt.Println("\n=== Test 1: Create New Vault ===")
+	vault1, err := vault.New(
+		"test",
+		vault.WithProvider(vault.ProviderTypeLocal),
+		vault.WithRecipients("age1nmkk0tv7ntg5yld0uhxc9f05p0d6zwxcaftxcjvwy82djuuzg96skmuzlk"),
+		vault.WithLocalPath(dir),
+		vault.WithLocalIdentityFromFile("/Users/jahvon/workspaces/github.com/jahvon/vault/playground/key.txt"),
+	)
+	if err != nil {
+		log.Fatal("Failed to create vault:", err)
+	}
+	defer vault1.Close()
+
+	fmt.Printf("Created vault with ID: %s\n", vault1.ID())
+
+	fmt.Println("\n=== Test 2: Set and Get Secrets ===")
+
+	err = vault1.SetSecret("api-key", vault.NewSecretValue([]byte("my-secret-api-key")))
+	if err != nil {
+		log.Fatal("Failed to set secret:", err)
+	}
+	fmt.Println("✓ Set api-key")
+
+	err = vault1.SetSecret("db-password", vault.NewSecretValue([]byte("super-secret-password")))
+	if err != nil {
+		log.Fatal("Failed to set db-password:", err)
+	}
+	fmt.Println("✓ Set db-password")
+
+	secret, err := vault1.GetSecret("api-key")
+	if err != nil {
+		log.Fatal("Failed to get secret:", err)
+	}
+	fmt.Printf("✓ Retrieved api-key: %s (masked: %s)\n", secret.PlainTextString(), secret.String())
+
+	fmt.Println("\n=== Test 3: List Secrets ===")
+	secrets, err := vault1.ListSecrets()
+	if err != nil {
+		log.Fatal("Failed to list secrets:", err)
+	}
+
+	fmt.Printf("Found %d secrets:\n", len(secrets))
+	for _, key := range secrets {
+		fmt.Printf("  - %s\n", key)
+	}
+
+	fmt.Println("\n=== Test 4: Verify Encrypted File ===")
+	vaultFiles, err := filepath.Glob(filepath.Join(dir, "*.age"))
+	if err != nil {
+		log.Fatal("Failed to find vault files:", err)
+	}
+
+	if len(vaultFiles) == 0 {
+		log.Fatal("No .age vault files found!")
+	}
+
+	fmt.Printf("✓ Found encrypted vault file: %s\n", vaultFiles[0])
+}

config.go

@@ -0,0 +1,138 @@
+package vault
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+type ProviderType string
+
+const (
+	ProviderTypeLocal    ProviderType = "local"
+	ProviderTypeExternal ProviderType = "external"
+)
+
+type Config struct {
+	ID       string          `json:"id"`
+	Type     ProviderType    `json:"type"`
+	Local    *LocalConfig    `json:"local,omitempty"`
+	External *ExternalConfig `json:"external,omitempty"`
+}
+
+func (c *Config) Validate() error {
+	if c.ID == "" {
+		return fmt.Errorf("vault ID is required")
+	}
+
+	switch c.Type {
+	case ProviderTypeLocal:
+		if c.Local == nil {
+			return fmt.Errorf("local configuration required for local vault")
+		}
+		return c.Local.Validate()
+	case ProviderTypeExternal:
+		if c.External == nil {
+			return fmt.Errorf("external configuration required for external vault")
+		}
+		return c.External.Validate()
+	default:
+		return fmt.Errorf("unsupported vault type: %s", c.Type)
+	}
+}
+
+// SaveConfigJSON saves the vault configuration to a file in JSON format
+func SaveConfigJSON(config Config, path string) error {
+	data, err := json.MarshalIndent(config, "", "  ")
+	if err != nil {
+		return fmt.Errorf("failed to marshal config: %w", err)
+	}
+
+	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+		return fmt.Errorf("failed to create config directory: %w", err)
+	}
+
+	if err := os.WriteFile(path, data, 0600); err != nil {
+		return fmt.Errorf("failed to write config file: %w", err)
+	}
+
+	return nil
+}
+
+// LoadConfigJSON loads the vault configuration from a file in JSON format
+func LoadConfigJSON(path string) (Config, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return Config{}, fmt.Errorf("failed to read config file: %w", err)
+	}
+
+	var config Config
+	if err := json.Unmarshal(data, &config); err != nil {
+		return Config{}, fmt.Errorf("failed to unmarshal config: %w", err)
+	}
+
+	return config, nil
+}
+
+// IdentitySource represents a source for the local vault identity keys
+type IdentitySource struct {
+	// Type of identity source
+	// Must be one of: "env", "file", "ssh-agent"
+	Type string `json:"type"`
+	// Path to the identity file (for "file" type)
+	Path string `json:"fullPath,omitempty"`
+	// Environment variable name (for "env" type)
+	Name string `json:"name,omitempty"`
+}
+
+// LocalConfig contains local (age-based) vault configuration
+type LocalConfig struct {
+	// Storage location for the vault file
+	StoragePath string `json:"storage_path"`
+
+	// Identity sources for decryption (in order of preference)
+	IdentitySources []IdentitySource `json:"identity_sources,omitempty"`
+
+	// Recipients who can decrypt secrets
+	Recipients []string `json:"recipients,omitempty"`
+}
+
+func (c *LocalConfig) Validate() error {
+	if c.StoragePath == "" {
+		return fmt.Errorf("storage fullPath is required for local vault")
+	}
+	return nil
+}
+
+// CommandSet defines the command templates for external vault operations
+type CommandSet struct {
+	Get    string `json:"get"`
+	Set    string `json:"set"`
+	Delete string `json:"delete"`
+	List   string `json:"list"`
+	Exists string `json:"exists,omitempty"`
+}
+
+// ExternalConfig contains external (cli command-based) vault configuration
+type ExternalConfig struct {
+	// Command templates for operations
+	Commands CommandSet `json:"commands"`
+
+	// Environment variables for commands
+	Environment map[string]string `json:"environment,omitempty"`
+
+	// Timeout for command execution
+	Timeout time.Duration `json:"timeout,omitempty"`
+
+	// WorkingDir for command execution
+	WorkingDir string `json:"working_dir,omitempty"`
+}
+
+func (c *ExternalConfig) Validate() error {
+	if c.Commands.Get == "" || c.Commands.Set == "" {
+		return fmt.Errorf("get and set commands are required for external vault")
+	}
+	return nil
+}

errors.go

@@ -0,0 +1,9 @@
+package vault
+
+import (
+	"errors"
+)
+
+var (
+	ErrSecretNotFound = errors.New("secret not found")
+)

external.go

@@ -0,0 +1,32 @@
+package vault
+
+type ExternalVaultProvider struct {
+}
+
+func (v *ExternalVaultProvider) ID() string {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) GetSecret(_ string) (Secret, error) {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) SetSecret(key string, value Secret) error {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) DeleteSecret(key string) error {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) ListSecrets() ([]string, error) {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) HasSecret(key string) (bool, error) {
+	panic("not implemented yet")
+}
+
+func (v *ExternalVaultProvider) Close() error {
+	return nil
+}

go.mod

@@ -0,0 +1,10 @@
+module github.com/jahvon/vault
+
+go 1.24
+
+require (
+	filippo.io/age v1.2.1
+	golang.org/x/crypto v0.24.0 // indirect
+)
+
+require golang.org/x/sys v0.21.0 // indirect

go.sum

@@ -0,0 +1,8 @@
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805 h1:u2qwJeEvnypw+OCPUHmoZE3IqwfuN5kgDfo5MLzpNM0=
+c2sp.org/CCTV/age v0.0.0-20240306222714-3ec4d716e805/go.mod h1:FomMrUJ2Lxt5jCLmZkG3FHa72zUprnhd3v/Z18Snm4w=
+filippo.io/age v1.2.1 h1:X0TZjehAZylOIj4DubWYU1vWQxv9bJpo+Uu2/LGhi1o=
+filippo.io/age v1.2.1/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

identity.go

@@ -0,0 +1,118 @@
+package vault
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"filippo.io/age"
+)
+
+var (
+	DefaultVaultKeyEnv = "AGE_VAULT_KEY"
+)
+
+type IdentityResolver struct {
+	sources []IdentitySource
+}
+
+func NewIdentityResolver(sources []IdentitySource) *IdentityResolver {
+	if len(sources) == 0 {
+		sources = []IdentitySource{
+			{Type: "env", Name: DefaultVaultKeyEnv},
+		}
+	}
+	return &IdentityResolver{sources: sources}
+}
+
+func (r *IdentityResolver) ResolveIdentities() ([]age.Identity, error) {
+	var identities []age.Identity
+
+	for _, source := range r.sources {
+		switch source.Type {
+		case "env":
+			if id := r.fromEnvironment(source.Name); id != nil {
+				identities = append(identities, id)
+			}
+		case "file":
+			if id, err := r.fromFile(source.Path); err != nil {
+				return nil, fmt.Errorf("failed to read identity from file %s: %w", source.Path, err)
+			} else if id != nil {
+				identities = append(identities, id)
+			}
+		}
+	}
+
+	if len(identities) == 0 {
+		return nil, fmt.Errorf("no valid identities found")
+	}
+
+	return identities, nil
+}
+
+func (r *IdentityResolver) fromEnvironment(envVar string) age.Identity {
+	if envVar == "" {
+		envVar = DefaultVaultKeyEnv
+	}
+
+	keyStr := os.Getenv(envVar)
+	if keyStr == "" {
+		return nil
+	}
+
+	identity, err := age.ParseX25519Identity(keyStr)
+	if err != nil {
+		return nil
+	}
+
+	return identity
+}
+
+func (r *IdentityResolver) fromFile(path string) (age.Identity, error) {
+	if path == "" {
+		return nil, fmt.Errorf("identity file path cannot be empty")
+	}
+
+	expandedPath := expandPath(path)
+	keyBytes, err := os.ReadFile(expandedPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read identity file %s: %w", expandedPath, err)
+	}
+
+	identity, err := age.ParseX25519Identity(strings.TrimSpace(string(keyBytes)))
+	if err != nil {
+		return nil, fmt.Errorf("invalid identity in file %s: %w", expandedPath, err)
+	}
+
+	return identity, nil
+}
+
+func (v *LocalVault) addRecipientToState(publicKey string) error {
+	_, err := age.ParseX25519Recipient(publicKey)
+	if err != nil {
+		return fmt.Errorf("invalid recipient key: %w", err)
+	}
+
+	// for _, existing := range v.state.Recipients {
+	// 	if existing == publicKey {
+	// 		return fmt.Errorf("recipient already exists")
+	// 	}
+	// }
+
+	v.state.Recipients = append(v.state.Recipients, publicKey)
+	return nil
+}
+
+func (v *LocalVault) parseRecipients() error {
+	v.recipients = make([]age.Recipient, 0, len(v.state.Recipients))
+
+	for _, recipientStr := range v.state.Recipients {
+		recipient, err := age.ParseX25519Recipient(recipientStr)
+		if err != nil {
+			return fmt.Errorf("invalid recipient %s: %w", recipientStr, err)
+		}
+		v.recipients = append(v.recipients, recipient)
+	}
+
+	return nil
+}