1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
package cmd
import (
"fmt"
"io"
"os"
"strings"
"time"
"envault/vault"
"github.com/spf13/cobra"
)
func init() {
rootCmd.AddCommand(newOpenCmd())
rootCmd.AddCommand(newCloseCmd())
rootCmd.AddCommand(newSessionCmd())
}
func newOpenCmd() *cobra.Command {
var ttlStr string
c := &cobra.Command{
Use: "open",
Short: "Unlock the vault for a timed session — no password prompts for N hours",
Long: `Prompts for the master password once, then caches the secrets in an
encrypted session so all other commands work without re-prompting.
envault open # valid for 8 hours (default)
envault open --ttl 4h # valid for 4 hours
Stores encrypted session metadata under ~/.envault/sessions.
The session key is kept outside that file in the OS credential store.
Typical PyCharm workflow:
1. Run "envault open" once in the terminal
2. In Run Configuration: envault run -- python -m uvicorn main:app --reload
3. No password prompt for the next 8 hours`,
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
ttl, err := time.ParseDuration(ttlStr)
if err != nil {
return fmt.Errorf("invalid --ttl %q (example: 8h, 4h30m): %w", ttlStr, err)
}
if ttl <= 0 || ttl > 24*time.Hour {
return fmt.Errorf("--ttl must be between 1m and 24h")
}
v, _, _, err := openVault()
if err != nil {
return err
}
project := resolveProject()
vars := v.GetAll(project)
if len(vars) == 0 {
fmt.Fprintf(os.Stderr, "Warning: project %q has no secrets.\n", project)
}
expires, err := vault.CreateSession(project, vars, ttl)
if err != nil {
return fmt.Errorf("creating session: %w", err)
}
remaining := time.Until(expires).Round(time.Minute)
fmt.Fprintf(os.Stderr, "\nSession opened · project: %s\n", project)
fmt.Fprintf(os.Stderr, "Valid until: %s (%s)\n", expires.Local().Format("15:04:05"), fmtDuration(remaining))
fmt.Fprintf(os.Stderr, "\nAll envault commands now run without a password prompt.\n")
fmt.Fprintf(os.Stderr, "Run envault close to revoke the session early.\n")
return nil
},
}
c.Flags().StringVar(&ttlStr, "ttl", "8h", "session duration (e.g. 8h, 4h30m, 1h)")
return c
}
func newCloseCmd() *cobra.Command {
return &cobra.Command{
Use: "close",
Short: "Revoke the current session",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
vault.DeleteSession(resolveProject())
fmt.Fprintln(os.Stderr, "Session closed.")
return nil
},
}
}
func newSessionCmd() *cobra.Command {
return &cobra.Command{
Use: "session",
Short: "Show current session status",
Args: cobra.NoArgs,
RunE: func(cmd *cobra.Command, args []string) error {
project := resolveProject()
expires, ok := vault.SessionInfo(project)
if !ok {
fmt.Fprintln(os.Stderr, "No active session.")
return nil
}
remaining := time.Until(expires).Round(time.Minute)
fmt.Fprintf(os.Stderr, "Active session\n")
fmt.Fprintf(os.Stderr, " Project : %s\n", project)
fmt.Fprintf(os.Stderr, " Expires : %s (%s remaining)\n", expires.Local().Format("15:04:05"), fmtDuration(remaining))
return nil
},
}
}
// ensureGitignore adds entry to .gitignore if not already present.
func ensureGitignore(entry string) {
f, err := os.OpenFile(".gitignore", os.O_RDWR|os.O_CREATE, 0644)
if err != nil {
return
}
defer f.Close()
content, _ := io.ReadAll(f)
if strings.Contains(string(content), entry) {
return
}
if len(content) > 0 && content[len(content)-1] != '\n' {
f.WriteString("\n")
}
f.WriteString(entry + "\n")
}
func fmtDuration(d time.Duration) string {
d = d.Round(time.Minute)
h := int(d.Hours())
m := int(d.Minutes()) % 60
if h > 0 && m > 0 {
return fmt.Sprintf("%dh %dm", h, m)
} else if h > 0 {
return fmt.Sprintf("%dh", h)
}
return fmt.Sprintf("%dm", m)
}
|