Add --secrets-provider keychain (#30)

Add a flag to allow a secrets provider to be specified. Currently
`basic` is the only option.

Some other cleanups in the code.

Author: dmjb

cmd/vt/common.go

@@ -1,7 +1,11 @@
 package main
 
 import (
+	"fmt"
+
 	"github.com/spf13/cobra"
+
+	"github.com/stacklok/vibetool/pkg/secrets"
 )
 
 // AddOIDCFlags adds OIDC validation flags to the provided command.
@@ -30,3 +34,19 @@ func IsOIDCEnabled(cmd *cobra.Command) bool {
 
 	return jwksURL != "" || issuer != ""
 }
+
+// GetSecretsProviderType returns the secrets provider type from the command flags
+func GetSecretsProviderType(cmd *cobra.Command) (secrets.ManagerType, error) {
+	provider, err := cmd.Flags().GetString("secrets-provider")
+	if err != nil {
+		return "", fmt.Errorf("failed to get secrets-provider flag: %w", err)
+	}
+
+	switch provider {
+	case string(secrets.BasicType), "":
+		return secrets.BasicType, nil
+	default:
+		// TODO: auto-generate the set of valid values.
+		return "", fmt.Errorf("invalid secrets provider type: %s (valid types: basic)", provider)
+	}
+}

cmd/vt/main.go

@@ -35,6 +35,7 @@ var versionCmd = &cobra.Command{
 func init() {
 	// Add persistent flags
 	rootCmd.PersistentFlags().Bool("debug", false, "Enable debug mode")
+	rootCmd.PersistentFlags().String("secrets-provider", "basic", "Secrets provider to use (basic)")
 
 	// Add subcommands
 	rootCmd.AddCommand(runCmd)

cmd/vt/run_common.go

@@ -104,8 +104,16 @@ func RunMCPServer(ctx context.Context, cmd *cobra.Command, options RunOptions) e
 
 	// If any secrets are specified, attempt to load them, and add to list of environment variables.
 	if len(options.Secrets) > 0 {
-		secretManager, err := secrets.CreateDefaultSecretsManager()
+		providerType, err := GetSecretsProviderType(cmd)
 		if err != nil {
+			return fmt.Errorf("error determining secrets provider type: %w", err)
+		}
+
+		secretManager, err := secrets.CreateSecretManager(providerType)
+		if err != nil {
+			if strings.Contains(err.Error(), "incorrect password") {
+				return fmt.Errorf("error: %v", err)
+			}
 			return fmt.Errorf("error instantiating secret manager %v", err)
 		}
 		secretVariables, err := environment.ParseSecretParameters(options.Secrets, secretManager)

cmd/vt/secret.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"os"
+
 	"github.com/spf13/cobra"
 
 	"github.com/stacklok/vibetool/pkg/secrets"
@@ -37,7 +39,13 @@ func newSecretSetCommand() *cobra.Command {
 				return
 			}
 
-			manager, err := secrets.CreateDefaultSecretsManager()
+			providerType, err := GetSecretsProviderType(cmd)
+			if err != nil {
+				cmd.Printf("Error: %v\n", err)
+				os.Exit(1)
+			}
+
+			manager, err := secrets.CreateSecretManager(providerType)
 			if err != nil {
 				cmd.Printf("Failed to create secrets manager: %v\n", err)
 				return
@@ -67,7 +75,13 @@ func newSecretGetCommand() *cobra.Command {
 				return
 			}
 
-			manager, err := secrets.CreateDefaultSecretsManager()
+			providerType, err := GetSecretsProviderType(cmd)
+			if err != nil {
+				cmd.Printf("Error: %v\n", err)
+				os.Exit(1)
+			}
+
+			manager, err := secrets.CreateSecretManager(providerType)
 			if err != nil {
 				cmd.Printf("Failed to create secrets manager: %v\n", err)
 				return
@@ -97,7 +111,13 @@ func newSecretDeleteCommand() *cobra.Command {
 				return
 			}
 
-			manager, err := secrets.CreateDefaultSecretsManager()
+			providerType, err := GetSecretsProviderType(cmd)
+			if err != nil {
+				cmd.Printf("Error: %v\n", err)
+				os.Exit(1)
+			}
+
+			manager, err := secrets.CreateSecretManager(providerType)
 			if err != nil {
 				cmd.Printf("Failed to create secrets manager: %v\n", err)
 				return
@@ -119,7 +139,13 @@ func newSecretListCommand() *cobra.Command {
 		Short: "List all available secrets",
 		Args:  cobra.NoArgs,
 		Run: func(cmd *cobra.Command, _ []string) {
-			manager, err := secrets.CreateDefaultSecretsManager()
+			providerType, err := GetSecretsProviderType(cmd)
+			if err != nil {
+				cmd.Printf("Error: %v\n", err)
+				os.Exit(1)
+			}
+
+			manager, err := secrets.CreateSecretManager(providerType)
 			if err != nil {
 				cmd.Printf("Failed to create secrets manager: %v\n", err)
 				return

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/gofrs/flock v0.12.1
 	github.com/google/uuid v1.6.0
 	github.com/stretchr/testify v1.10.0
+	golang.org/x/sync v0.12.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apimachinery v0.32.3
 )
@@ -36,7 +37,7 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
@@ -87,6 +88,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
-	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
 	k8s.io/client-go v0.32.3
 )

go.sum

@@ -196,15 +196,17 @@ golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbht
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=

pkg/secrets/basic.go

@@ -7,17 +7,15 @@ import (
 	"log"
 	"os"
 	"path"
-	"sync"
 
-	"github.com/adrg/xdg"
+	"golang.org/x/sync/syncmap"
 )
 
 // BasicManager is a simple secrets manager that stores secrets in an
 // unencrypted file. This is for testing/development purposes only.
 type BasicManager struct {
 	filePath string
-	secrets  map[string]string
-	mu       sync.RWMutex // Protects concurrent access to secrets map
+	secrets  syncmap.Map // Thread-safe map for storing secrets
 }
 
 // GetSecret retrieves a secret from the secret store.
@@ -26,14 +24,11 @@ func (b *BasicManager) GetSecret(name string) (string, error) {
 		return "", errors.New("secret name cannot be empty")
 	}
 
-	b.mu.RLock()
-	defer b.mu.RUnlock()
-
-	value, ok := b.secrets[name]
+	value, ok := b.secrets.Load(name)
 	if !ok {
 		return "", fmt.Errorf("secret not found: %s", name)
 	}
-	return value, nil
+	return value.(string), nil
 }
 
 // SetSecret stores a secret in the secret store.
@@ -42,10 +37,7 @@ func (b *BasicManager) SetSecret(name, value string) error {
 		return errors.New("secret name cannot be empty")
 	}
 
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	b.secrets[name] = value
+	b.secrets.Store(name, value)
 	return b.updateFile()
 }
 
@@ -55,32 +47,46 @@ func (b *BasicManager) DeleteSecret(name string) error {
 		return errors.New("secret name cannot be empty")
 	}
 
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if _, exists := b.secrets[name]; !exists {
+	// Check if the secret exists first
+	_, ok := b.secrets.Load(name)
+	if !ok {
 		return fmt.Errorf("cannot delete non-existent secret: %s", name)
 	}
 
-	delete(b.secrets, name)
+	b.secrets.Delete(name)
 	return b.updateFile()
 }
 
 // ListSecrets returns a list of all secret names stored in the manager.
 func (b *BasicManager) ListSecrets() ([]string, error) {
-	b.mu.RLock()
-	defer b.mu.RUnlock()
+	var secretNames []string
 
-	secretNames := make([]string, 0, len(b.secrets))
-	for name := range b.secrets {
-		secretNames = append(secretNames, name)
-	}
+	b.secrets.Range(func(key, _ interface{}) bool {
+		secretNames = append(secretNames, key.(string))
+		return true
+	})
 
 	return secretNames, nil
 }
 
+// Cleanup removes all secrets managed by this manager.
+func (b *BasicManager) Cleanup() error {
+	// Create a new empty syncmap.Map
+	b.secrets = syncmap.Map{}
+
+	// Update the file to reflect the empty state
+	return b.updateFile()
+}
+
 func (b *BasicManager) updateFile() error {
-	contents, err := json.Marshal(fileStructure{Secrets: b.secrets})
+	// Convert syncmap.Map to map[string]string for JSON marshaling
+	secretsMap := make(map[string]string)
+	b.secrets.Range(func(key, value interface{}) bool {
+		secretsMap[key.(string)] = value.(string)
+		return true
+	})
+
+	contents, err := json.Marshal(fileStructure{Secrets: secretsMap})
 	if err != nil {
 		return fmt.Errorf("failed to marshal secrets: %w", err)
 	}
@@ -103,16 +109,8 @@ type fileStructure struct {
 	Secrets map[string]string `json:"secrets"`
 }
 
-// BasicManagerFactory is an implementation of the ManagerFactory interface for BasicManager.
-type BasicManagerFactory struct{}
-
-// Build creates an instance of BasicManager.
-func (BasicManagerFactory) Build(config map[string]interface{}) (Manager, error) {
-	filePath, ok := config["secretsFile"].(string)
-	if !ok {
-		return nil, errors.New("secretsFile is required")
-	}
-
+// NewBasicManager creates an instance of BasicManager.
+func NewBasicManager(filePath string) (Manager, error) {
 	// Add warning for production use
 	if os.Getenv("ENVIRONMENT") == "production" {
 		log.Println("WARNING: BasicManager is not secure for production use")
@@ -131,32 +129,25 @@ func (BasicManagerFactory) Build(config map[string]interface{}) (Manager, error)
 		return nil, fmt.Errorf("failed to stat secrets file: %w", err)
 	}
 
-	var secrets map[string]string
-	if stat.Size() == 0 {
-		secrets = make(map[string]string)
-	} else {
+	// Create a new BasicManager with an empty syncmap.Map
+	manager := &BasicManager{
+		filePath: filePath,
+		secrets:  syncmap.Map{},
+	}
+
+	// If the file is not empty, load the secrets into the syncmap.Map
+	if stat.Size() > 0 {
 		var contents fileStructure
 		err := json.NewDecoder(secretsFile).Decode(&contents)
 		if err != nil {
 			return nil, fmt.Errorf("failed to decode secrets file: %w", err)
 		}
-		secrets = contents.Secrets
-	}
 
-	return &BasicManager{
-		filePath: filePath,
-		secrets:  secrets,
-		mu:       sync.RWMutex{},
-	}, nil
-}
-
-// CreateDefaultSecretsManager creates a secret manager instance with a default config.
-// TODO: Remove once we support more than one provider
-func CreateDefaultSecretsManager() (Manager, error) {
-	// TODO: make this configurable?
-	secretsPath, err := xdg.DataFile("vibetool/secrets")
-	if err != nil {
-		return nil, fmt.Errorf("unable to access secrets file path %v", err)
+		// Store each secret in the syncmap.Map
+		for key, value := range contents.Secrets {
+			manager.secrets.Store(key, value)
+		}
 	}
-	return BasicManagerFactory{}.Build(map[string]any{"secretsFile": secretsPath})
+
+	return manager, nil
 }