Merge branch 'develop' into feature/upgrade-secrethub-go

Author: jpcoenen

go.mod

@@ -20,11 +20,9 @@ require (
 	github.com/secrethub/secrethub-go v0.31.0
 	github.com/zalando/go-keyring v0.0.0-20190208082241-fbe81aec3a07
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sys v0.0.0-20200501052902-10377860bb8e
 	golang.org/x/text v0.3.2
 	google.golang.org/api v0.26.0
-	google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84
 	gopkg.in/yaml.v2 v2.2.2
 	gotest.tools v2.2.0+incompatible
 )

internals/cli/filemode/filemode.go

@@ -2,6 +2,7 @@
 package filemode
 
 import (
+	"fmt"
 	"os"
 	"strconv"
 
@@ -47,7 +48,7 @@ func (m *FileMode) Set(value string) error {
 
 // String implements the flag.Value interface.
 func (m FileMode) String() string {
-	return string(m)
+	return fmt.Sprintf("%#o", m.FileMode().Perm())
 }
 
 // FileMode returns the file mode as an os.FileMode.

internals/secrethub/app.go

@@ -79,6 +79,8 @@ func NewApp() *App {
 	io := ui.NewUserIO()
 	store := NewCredentialConfig(io)
 	help := "The SecretHub command-line interface is a unified tool to manage your infrastructure secrets with SecretHub.\n\n" +
+		"If you do not yet have a SecretHub account, go here to create one:\n\n" +
+		"  https://signup.secrethub.io/\n\n" +
 		"For a step-by-step introduction, check out:\n\n" +
 		"  https://secrethub.io/docs/getting-started/\n\n" +
 		"To get help, see:\n\n" +

internals/secrethub/credential_store.go

@@ -11,7 +11,7 @@ import (
 
 // Errors
 var (
-	ErrCredentialNotExist = errMain.Code("credential_not_exist").Error("could not find credential file. Run `secrethub signup` to create an account.")
+	ErrCredentialNotExist = errMain.Code("credential_not_exist").Error("could not find credential file. Go to https://signup.secrethub.io/ to create an account or run `secrethub init` to use an already existing account on this machine.")
 )
 
 // CredentialConfig handles the configuration necessary for local credentials.

internals/secrethub/init.go

@@ -16,30 +16,32 @@ import (
 
 // InitCommand configures the user's SecretHub account for use on this machine.
 type InitCommand struct {
-	backupCode                  string
-	force                       bool
-	io                          ui.IO
-	newClient                   newClientFunc
-	newClientWithoutCredentials func(credentials.Provider) (secrethub.ClientInterface, error)
-	credentialStore             CredentialConfig
-	progressPrinter             progress.Printer
+	backupCode               string
+	setupCode                string
+	force                    bool
+	io                       ui.IO
+	newUnauthenticatedClient newClientFunc
+	newClientWithCredentials func(credentials.Provider) (secrethub.ClientInterface, error)
+	credentialStore          CredentialConfig
+	progressPrinter          progress.Printer
 }
 
 // NewInitCommand creates a new InitCommand.
-func NewInitCommand(io ui.IO, newClient newClientFunc, newClientWithoutCredentials func(credentials.Provider) (secrethub.ClientInterface, error), credentialStore CredentialConfig) *InitCommand {
+func NewInitCommand(io ui.IO, newUnauthenticatedClient newClientFunc, newClientWithCredentials func(credentials.Provider) (secrethub.ClientInterface, error), credentialStore CredentialConfig) *InitCommand {
 	return &InitCommand{
-		io:                          io,
-		newClient:                   newClient,
-		newClientWithoutCredentials: newClientWithoutCredentials,
-		credentialStore:             credentialStore,
-		progressPrinter:             progress.NewPrinter(io.Output(), 500*time.Millisecond),
+		io:                       io,
+		newUnauthenticatedClient: newUnauthenticatedClient,
+		newClientWithCredentials: newClientWithCredentials,
+		credentialStore:          credentialStore,
+		progressPrinter:          progress.NewPrinter(io.Output(), 500*time.Millisecond),
 	}
 }
 
 // Register registers the command, arguments and flags on the provided Registerer.
 func (cmd *InitCommand) Register(r command.Registerer) {
 	clause := r.Command("init", "Initialize the SecretHub client for first use on this device.")
 	clause.Flag("backup-code", "The backup code used to restore an existing account to this device.").StringVar(&cmd.backupCode)
+	clause.Flag("setup-code", "The setup code used to configure the CLI to use an account created on the website.").StringVar(&cmd.setupCode)
 	registerForceFlag(clause).BoolVar(&cmd.force)
 
 	command.BindAction(clause, cmd.Run)
@@ -50,11 +52,16 @@ type InitMode int
 const (
 	InitModeSignup InitMode = iota + 1
 	InitModeBackupCode
+	InitModeSetupCode
 )
 
 // Run configures the user's SecretHub account for use on this machine.
 // If an account was already configured, the user is prompted for confirmation to overwrite it.
 func (cmd *InitCommand) Run() error {
+	if cmd.setupCode != "" && cmd.backupCode != "" {
+		return ErrFlagsConflict("--backup-code and --setup-code")
+	}
+
 	credentialPath := cmd.credentialStore.ConfigDir().Credential().Path()
 
 	if cmd.credentialStore.ConfigDir().Credential().Exists() && !cmd.force {
@@ -76,7 +83,9 @@ func (cmd *InitCommand) Run() error {
 	}
 
 	var mode InitMode
-	if cmd.backupCode != "" {
+	if cmd.setupCode != "" {
+		mode = InitModeSetupCode
+	} else if cmd.backupCode != "" {
 		mode = InitModeBackupCode
 	}
 
@@ -86,16 +95,18 @@ func (cmd *InitCommand) Run() error {
 		}
 		option, err := ui.Choose(cmd.io, "How do you want to initialize your SecretHub account on this device?",
 			[]string{
-				"Signup for a new account",
+				"Sign up for a new account",
 				"Use a backup code to recover an existing account",
 			}, 3)
 		if err != nil {
 			return err
 		}
+		fmt.Fprintln(cmd.io.Output())
 
 		switch option {
 		case 0:
-			mode = InitModeSignup
+			fmt.Fprintln(cmd.io.Output(), "Go to https://signup.secrethub.io/ and follow the steps to create an account and get it set up on this machine.")
+			return nil
 		case 1:
 			mode = InitModeBackupCode
 		}
@@ -105,12 +116,83 @@ func (cmd *InitCommand) Run() error {
 	case InitModeSignup:
 		signupCommand := SignUpCommand{
 			io:              cmd.io,
-			newClient:       cmd.newClient,
+			newClient:       cmd.newUnauthenticatedClient,
 			credentialStore: cmd.credentialStore,
 			progressPrinter: cmd.progressPrinter,
 			force:           cmd.force,
 		}
 		return signupCommand.Run()
+	case InitModeSetupCode:
+		setupCode := cmd.setupCode
+
+		fmt.Fprintf(cmd.io.Output(), credentialCreationMessage, credentialPath)
+
+		// Only prompt for a passphrase when the user hasn't used --force.
+		// Otherwise, we assume the passphrase was intentionally not
+		// configured to output a plaintext credential.
+		var passphrase string
+		if !cmd.credentialStore.IsPassphraseSet() && !cmd.force {
+			var err error
+			passphrase, err = askCredentialPassphrase(cmd.io)
+			if err != nil {
+				return err
+			}
+		}
+
+		deviceName, err := promptForDeviceName(cmd.io)
+		if err != nil {
+			return err
+		}
+
+		fmt.Fprint(cmd.io.Output(), "Setting up your account...")
+		cmd.progressPrinter.Start()
+
+		client, err := cmd.newClientWithCredentials(credentials.NewSetupCode(setupCode))
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+
+		credential := credentials.CreateKey()
+		_, err = client.Credentials().Create(credential, deviceName)
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+
+		err = writeNewCredential(credential, passphrase, cmd.credentialStore.ConfigDir().Credential())
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+
+		client, err = cmd.newClientWithCredentials(credential)
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+
+		me, err := client.Me().GetUser()
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+
+		secretPath, err := createStartRepo(client, me.Username, me.FullName)
+		if err != nil {
+			cmd.progressPrinter.Stop()
+			return err
+		}
+		cmd.progressPrinter.Stop()
+		fmt.Fprint(cmd.io.Output(), "Created your account.\n\n")
+
+		err = createWorkspace(client, cmd.io, "", "", cmd.progressPrinter)
+		if err != nil {
+			return err
+		}
+
+		fmt.Fprintf(cmd.io.Output(), "Setup complete. To read your first secret, run:\n\n    secrethub read %s\n\n", secretPath)
+		return nil
 	case InitModeBackupCode:
 		backupCode := cmd.backupCode
 
@@ -122,7 +204,7 @@ func (cmd *InitCommand) Run() error {
 			}
 		}
 
-		client, err := cmd.newClientWithoutCredentials(credentials.UseBackupCode(backupCode))
+		client, err := cmd.newClientWithCredentials(credentials.UseBackupCode(backupCode))
 		if err != nil {
 			return err
 		}
@@ -146,19 +228,9 @@ func (cmd *InitCommand) Run() error {
 			return nil
 		}
 
-		deviceName := ""
-		question := "What is the name of this device?"
-		hostName, err := os.Hostname()
-		if err == nil {
-			deviceName, err = ui.AskWithDefault(cmd.io, question, hostName)
-			if err != nil {
-				return err
-			}
-		} else {
-			deviceName, err = ui.Ask(cmd.io, question)
-			if err != nil {
-				return err
-			}
+		deviceName, err := promptForDeviceName(cmd.io)
+		if err != nil {
+			return err
 		}
 
 		// Only prompt for a passphrase when the user hasn't used --force.
@@ -167,7 +239,7 @@ func (cmd *InitCommand) Run() error {
 		var passphrase string
 		if !cmd.credentialStore.IsPassphraseSet() && !cmd.force {
 			var err error
-			passphrase, err = ui.AskPassphrase(cmd.io, "Please enter a passphrase to protect your local credential (leave empty for no passphrase): ", "Enter the same passphrase again: ", 3)
+			passphrase, err = askCredentialPassphrase(cmd.io)
 			if err != nil {
 				return err
 			}
@@ -197,3 +269,21 @@ func (cmd *InitCommand) Run() error {
 		return errors.New("invalid option")
 	}
 }
+
+func promptForDeviceName(io ui.IO) (string, error) {
+	deviceName := ""
+	question := "What is the name of this device?"
+	hostName, err := os.Hostname()
+	if err == nil {
+		deviceName, err = ui.AskWithDefault(io, question, hostName)
+		if err != nil {
+			return "", err
+		}
+	} else {
+		deviceName, err = ui.Ask(io, question)
+		if err != nil {
+			return "", err
+		}
+	}
+	return deviceName, nil
+}