main.go

// Copyright 2019 The Berglas Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"bufio"
	"bytes"
	"context"
	"fmt"
	"io"
	"os"
	"os/exec"
	"os/signal"
	"sort"
	"strings"
	"syscall"
	"text/tabwriter"

	"github.com/GoogleCloudPlatform/berglas/v2/internal/version"
	"github.com/GoogleCloudPlatform/berglas/v2/pkg/berglas"
	"github.com/GoogleCloudPlatform/berglas/v2/pkg/berglas/logging"
	"github.com/spf13/cobra"
)

const (
	// APIExitCode is the exit code returned with an upstream API call fails.
	APIExitCode = 60

	// MisuseExitCode is the exit code returned when the user did something wrong
	// such as misused a flag.
	MisuseExitCode = 61
)

var (
	stdout = os.Stdout
	stderr = os.Stderr
	stdin  = os.Stdin

	logFormat string
	logLevel  string
	logDebug  bool

	accessGeneration int64

	listGenerations bool
	listPrefix      string

	key       string
	execLocal bool

	editor          string
	createIfMissing bool

	members []string

	projectID      string
	bucket         string
	bucketLocation string
	kmsLocation    string
	kmsKeyRing     string
	kmsCryptoKey   string
	smLocations    []string
)

var rootCmd = &cobra.Command{
	Use:   "berglas",
	Short: "Interact with encrypted secrets",
	Long: strings.Trim(`
berglas is a CLI tool to reading, writing, and deleting secrets from a Cloud
Storage bucket encrypted with a Google Cloud KMS key. Secrets are encrypted
locally using envelope encryption before being uploaded to Cloud Storage.

Secrets are specified in the format:

    <bucket>/<secret>

For example:

    my-gcs-bucket/my-secret
    my-gcs-bucket/foo/bar/baz

For more information and examples, see the help text for a specific command.
`, "\n"),
	SilenceErrors: true,
	SilenceUsage:  true,
	Version:       version.HumanVersion,
}

var accessCmd = &cobra.Command{
	Use:   "access SECRET",
	Short: "Access a secret's contents",
	Long: strings.Trim(`
Accesses the contents of a secret by reading the encrypted data from Google
Cloud Storage and decrypting it with Google Cloud KMS.

The result will be the raw value without any additional formatting or newline
characters.
`, "\n"),
	Example: strings.Trim(`
  # Read a secret named "api-key" from the bucket "my-secrets"
  berglas access my-secrets/api-key

  # Read generation 1563925940580201 of a secret named "api-key" from the bucket "my-secrets"
  berglas access my-secrets/api-key#1563925940580201
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: accessRun,
}

var bootstrapCmd = &cobra.Command{
	Use:   "bootstrap",
	Short: "Bootstrap a berglas environment",
	Long: strings.Trim(`
Bootstrap a Berglas environment by creating a Cloud Storage bucket and a Cloud
KMS key with properly scoped permissions to the caller.

This command will create a new Cloud Storage bucket with "private" ACLs and
grant permission only to the caller in the specified project. It will enable
versioning on the bucket, configured to retain the last 10 verions. If the
bucket already exists, an error is returned.

This command will also create a Cloud KMS key ring and crypto key in the
specified project. If the key ring or crypto key already exist, no errors are
returned.
`, "\n"),
	Example: strings.Trim(`
  # Bootstrap a berglas environment
  berglas bootstrap --project my-project --bucket my-bucket
`, "\n"),
	Args: cobra.ExactArgs(0),
	RunE: bootstrapRun,
}

var completionCmd = &cobra.Command{
	Use:   "completion SHELL",
	Args:  cobra.ExactArgs(1),
	Short: "Outputs shell completion for the given shell (bash or zsh)",
	Long: strings.Trim(
		`Outputs shell completion for the given shell (bash or zsh)

This depends on the bash-completion package. To install it:

  # Mac OS X
  brew install bash-completion

  # Debian
  apt-get install bash-completion

Zsh users may also put the file somewhere on their $fpath, like
/usr/local/share/zsh/site-functions
`, "\n"),
	Example: strings.Trim(`
  # Enable completion for bash users
  source <(berglas completion bash)

  # Enable completion for zsh users
  source <(berglas completion zsh)
`, "\n"),
	RunE: completionRun,
}

var createCmd = &cobra.Command{
	Use:   "create SECRET DATA",
	Short: "Create a secret",
	Long: strings.Trim(`
Creates a new secret with the given name and contents, encrypted with the
provided Cloud KMS key. If the secret already exists, an error is returned.

Use the "edit" or "update" commands to update an existing secret.
`, "\n"),
	Example: strings.Trim(`
  # Create a secret named "api-key" with the contents "abcd1234"
  berglas create my-secrets/api-key abcd1234 \
    --key projects/my-p/locations/global/keyRings/my-kr/cryptoKeys/my-k

  # Read a secret from stdin
  echo ${SECRET} | berglas create my-secrets/api-key - --key...

  # Read a secret from a local file
  berglas create my-secrets/api-key @/path/to/file --key...
`, "\n"),
	Args: cobra.ExactArgs(2),
	RunE: createRun,
}

var deleteCmd = &cobra.Command{
	Use:   "delete SECRET",
	Short: "Remove a secret",
	Long: strings.Trim(`
Deletes a secret from a Google Cloud Storage bucket by deleting the underlying
GCS object. If the secret does not exist, this operation is a no-op.

This command will exit successfully even if the secret does not exist.
`, "\n"),
	Example: strings.Trim(`
  # Delete a secret named "api-key"
  berglas delete my-secrets/api-key
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: deleteRun,
}

var editCmd = &cobra.Command{
	Use:   "edit SECRET",
	Short: "Edit an existing secret",
	Long: strings.Trim(`
Updates the contents of an existing secret by reading the encrypted data from
Google Cloud Storage, decrypting it with Google Cloud KMS, editing it in-place
using an editor, encrypting the updated content using Google Cloud KMS, writing
it back into Google Cloud Storage.

The file must be saved with changes and editor must exit with exit code 0 for
the secret to be updated.
`, "\n"),
	Example: strings.Trim(`
  # Edit a secret named "api-key" from the bucket "my-secrets"
  berglas edit my-secrets/api-key

  # Edit a secret named "api-key" from the bucket "my-secrets" using emacs
  berglas edit my-secrets/api-key --editor emacs
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: editRun,
}

var execCmd = &cobra.Command{
	Use:   "exec -- SUBCOMMAND",
	Short: "Spawn an environment with secrets",
	Long: strings.Trim(`
Parse berglas references and spawn the given command with the secrets in the
childprocess environment similar to exec(1). This is very useful in Docker
containers or languages that do not support auto-import.

Berglas will remain the parent process, but stdin, stdout, stderr, and any
signals are proxied to the child process.

WARNING: Using berglas exec exposes secrets in plaintext in environment
variables. You should have a strong understanding of your software supply
chain security before blindly running a process with berglas exec. The
resolved secrets will be in plaintext and available to the entire process.
`, "\n"),
	Example: strings.Trim(`
  # Spawn a subshell with secrets populated
  berglas exec -- ${SHELL}
`, "\n"),
	Args: cobra.MinimumNArgs(1),
	RunE: execRun,
}

var grantCmd = &cobra.Command{
	Use:   "grant SECRET",
	Short: "Grant access to a secret",
	Long: strings.Trim(`
Grant IAM access to an existing secret for a given list of members. The secret
must exist before access can be granted.

When executed, this command grants each specified member two IAM permissions:

  - roles/storage.legacyObjectReader on the Cloud Storage object
  - roles/cloudkms.cryptoKeyDecrypter on the Cloud KMS crypto key

Members must be specified with their type, for example:

  - domain:mydomain.com
  - group:group@mydomain.com
  - serviceAccount:xyz@gserviceaccount.com
  - user:user@mydomain.com
`, "\n"),
	Example: strings.Trim(`
  # Grant access to a user
  berglas grant my-secrets/api-key --member user:user@mydomain.com

  # Grant access to service account
  berglas grant my-secrets/api-key \
    --member serviceAccount:sa@project.iam.gserviceaccount.com

  # Add multiple members
  berglas grant my-secrets/api-key \
    --member user:user@mydomain.com \
    --member serviceAccount:sa@project.iam.gserviceaccount.com
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: grantRun,
}

var listCmd = &cobra.Command{
	Use:   "list BUCKET",
	Short: "List secrets in a bucket",
	Long: strings.Trim(`
Lists secrets by name in the given Google Cloud Storage bucket. It does not
read their values, only their key names. To retrieve the value of a secret, use
the "access" command instead.
`, "\n"),
	Example: strings.Trim(`
  # List all secrets in the bucket "my-secrets"
  berglas list my-secrets

  # List all secrets with names starting with "secret" in the bucket "my-secrets"
  berglas list my-secrets --prefix secret

  # List all generations of all secrets in the bucket "my-secrets"
  berglas list my-secrets --all-generations
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: listRun,
}

var migrateCmd = &cobra.Command{
	Use:   "migrate BUCKET ",
	Short: "Migrate Berglas secrets to Secret Manager",
	Long: strings.Trim(`
Migrate secrets in the given Google Cloud Storage bucket to Secret Manager. This
is designed to be a single-use command and should not be used as part of a
regular workflow. Secrets will be migrated as-is with the following caveats:

- Deeply-nested secrets in folders will be underscored. Since Secret Manager
  does not support nested structures, any secrets in the bucket inside folders
  will be renamed with the slash ("/") as an underscore ("_").

- Generation versions are not preserved. Generations (versions) in Cloud Storage
  are random integers. Versions in Secret Manager are auto-incrementing. While
  relative ordering will be preserved, the versions will differ.

This command is intentionally a slow and non-parallelized operation to both
avoid quota limits and to discourage recurrent use.
`, "\n"),
	Example: strings.Trim(`
  # Migrate all secrets in the "my-secrets" bucket to Secret Manager in the
  # project "my-project"
  berglas migrate my-secrets --project my-project
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: migrateRun,
}

var revokeCmd = &cobra.Command{
	Use:   "revoke SECRET",
	Short: "Revoke access to a secret",
	Long: strings.Trim(`
Revoke IAM access to an existing secret for a given list of members. The secret
must exist for access to be revoked.

When executed, this command revokes the following IAM permissions for each
member:

  - roles/storage.legacyObjectReader on the Cloud Storage object
  - roles/cloudkms.cryptoKeyDecrypter on the Cloud KMS crypto key

If the member is not granted the IAM permissions, no action is taken.
Specifically, this does not return an error if the member did not originally
have permission to access the secret.

Members must be specified with their type, for example:

  - domain:mydomain.com
  - group:group@mydomain.com
  - serviceAccount:xyz@gserviceaccount.com
  - user:user@mydomain.com
`, "\n"),
	Example: strings.Trim(`
  # Revoke access from a user
  berglas revoke my-secrets/api-key --member user:user@mydomain.com

  # Revoke revoke from a service account
  berglas grant my-secrets/api-key \
    --member serviceAccount:sa@project.iam.gserviceaccount.com

  # Remove multiple members
  berglas revoke my-secrets/api-key \
    --member user:user@mydomain.com \
    --member serviceAccount:sa@project.iam.gserviceaccount.com
`, "\n"),
	Args: cobra.ExactArgs(1),
	RunE: revokeRun,
}

var updateCmd = &cobra.Command{
	Use:   "update SECRET [DATA]",
	Short: "Update an existing secret",
	Long: strings.Trim(`
Update an existing secret. If the secret does not exist, an error is returned.

Run with --create-if-missing to force creation of the secret if it does not
already exist.
`, "\n"),
	Example: strings.Trim(`
  # Update the secret named "api-key" with the contents "new-contents"
  berglas update my-secrets/api-key new-contents

  # Update the secret named "api-key" with a new KMS encryption key, keeping
  # the original secret value
  berglas update my-secrets/api-key --key=...

  # Update the secret named "api-key", creating it if it does not already exist
  berglas update my-secrets/api-key abcd1234 --create-if-missing --key...
`, "\n"),
	Args: cobra.RangeArgs(1, 2),
	RunE: updateRun,
}

func main() {
	rootCmd.SetVersionTemplate(`{{printf "%s\n" .Version}}`)

	rootCmd.PersistentFlags().StringVarP(&logFormat, "log-format", "f", "text",
		"Format in which to log")
	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "warning",
		"Level at which to log")
	rootCmd.PersistentFlags().BoolVar(&logDebug, "log-debug", false,
		"Enable verbose source debug logging")

	rootCmd.AddCommand(accessCmd)
	accessCmd.Flags().Int64Var(&accessGeneration, "generation", 0,
		"Get a specific generation")
	if err := accessCmd.Flags().MarkDeprecated("generation",
		"please use hash notation instead (e.g. my-secrets/api-key#12345)"); err != nil {
		panic(err)
	}

	rootCmd.AddCommand(bootstrapCmd)
	bootstrapCmd.Flags().StringVar(&projectID, "project", "",
		"Google Cloud Project ID")
	if err := bootstrapCmd.MarkFlagRequired("project"); err != nil {
		panic(err)
	}
	bootstrapCmd.Flags().StringVar(&bucket, "bucket", "",
		"Name of the Cloud Storage bucket to create")
	if err := bootstrapCmd.MarkFlagRequired("bucket"); err != nil {
		panic(err)
	}
	bootstrapCmd.Flags().StringVar(&bucketLocation, "bucket-location", "US",
		"Location in which to create Cloud Storage bucket")
	bootstrapCmd.Flags().StringVar(&kmsLocation, "kms-location", "global",
		"Location in which to create the Cloud KMS key ring")
	bootstrapCmd.Flags().StringVar(&kmsKeyRing, "kms-keyring", "berglas",
		"Name of the KMS key ring to create")
	bootstrapCmd.Flags().StringVar(&kmsCryptoKey, "kms-key", "berglas-key",
		"Name of the KMS key to create")

	rootCmd.AddCommand(completionCmd)

	rootCmd.AddCommand(createCmd)
	createCmd.Flags().StringVar(&key, "key", "",
		"KMS key to use for encryption")
	createCmd.Flags().StringSliceVar(&smLocations, "locations", nil,
		"Comma-separated canonical IDs in which to replicate secrets (e.g. 'us-east1,us-west-1')")

	rootCmd.AddCommand(deleteCmd)

	rootCmd.AddCommand(editCmd)
	editCmd.Flags().StringVar(&editor, "editor", "",
		"Editor program to use. If unspecified, this defaults to $VISUAL or "+
			"$EDITOR in that order.")
	editCmd.Flags().BoolVar(&createIfMissing, "create-if-missing", false,
		"Create the secret if it doesn't exist")
	editCmd.Flags().StringVar(&key, "key", "",
		"KMS key to use for encryption (only used when secret doesn't exist)")

	rootCmd.AddCommand(execCmd)
	execCmd.Flags().BoolVar(&execLocal, "local", false, "")
	if err := execCmd.Flags().MarkDeprecated("local", "there is no replacement"); err != nil {
		panic(err)
	}

	rootCmd.AddCommand(grantCmd)
	grantCmd.Flags().StringSliceVar(&members, "member", nil,
		"Member to add")

	rootCmd.AddCommand(listCmd)
	listCmd.Flags().BoolVar(&listGenerations, "all-generations", false,
		"List all versions of secrets")
	listCmd.Flags().StringVar(&listPrefix, "prefix", "",
		"List secrets that match prefix")

	rootCmd.AddCommand(migrateCmd)
	migrateCmd.Flags().StringVar(&projectID, "project", "",
		"Google Cloud Project ID")
	if err := migrateCmd.MarkFlagRequired("project"); err != nil {
		panic(err)
	}

	rootCmd.AddCommand(revokeCmd)
	revokeCmd.Flags().StringSliceVar(&members, "member", nil,
		"Member to remove")

	rootCmd.AddCommand(updateCmd)
	updateCmd.Flags().BoolVar(&createIfMissing, "create-if-missing", false,
		"Create the secret if it does not already exist")
	updateCmd.Flags().StringVar(&key, "key", "",
		"KMS key to use for re-encryption")

	ctx, cancel := signal.NotifyContext(context.Background(),
		syscall.SIGINT, syscall.SIGTERM)
	defer cancel()

	if err := rootCmd.ExecuteContext(ctx); err != nil {
		cancel()

		code := 1
		if terr, ok := err.(*exitError); ok {
			code = terr.code
		}

		fmt.Fprintf(stderr, "%s\n", err)
		os.Exit(code)
	}
}

func accessRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	// Deprecated - update to new syntax
	if accessGeneration != 0 {
		args[0] = fmt.Sprintf("%s#%d", args[0], accessGeneration)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		plaintext, err := client.Access(ctx, &berglas.SecretManagerAccessRequest{
			Project: ref.Project(),
			Name:    ref.Name(),
			Version: ref.Version(),
		})
		if err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "%s", plaintext)
	case berglas.ReferenceTypeStorage:
		plaintext, err := client.Access(ctx, &berglas.StorageAccessRequest{
			Bucket:     ref.Bucket(),
			Object:     ref.Object(),
			Generation: ref.Generation(),
		})
		if err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "%s", plaintext)
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func bootstrapRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	if err := client.Bootstrap(ctx, &berglas.BootstrapRequest{
		ProjectID:      projectID,
		Bucket:         bucket,
		BucketLocation: bucketLocation,
		KMSLocation:    kmsLocation,
		KMSKeyRing:     kmsKeyRing,
		KMSCryptoKey:   kmsCryptoKey,
	}); err != nil {
		return apiError(err)
	}

	kmsKeyID := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s",
		projectID, kmsLocation, kmsKeyRing, kmsCryptoKey)

	fmt.Fprintf(stdout, "Successfully created berglas environment:\n")
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "  Bucket: %s\n", bucket)
	fmt.Fprintf(stdout, "  KMS key: %s\n", kmsKeyID)
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "To create a secret:\n")
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "  berglas create %s/my-secret abcd1234 \\\n", bucket)
	fmt.Fprintf(stdout, "    --key %s\n", kmsKeyID)
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "To grant access to that secret:\n")
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "  berglas grant %s/my-secret \\\n", bucket)
	fmt.Fprintf(stdout, "    --member user:jane.doe@mycompany.com\n")
	fmt.Fprintf(stdout, "\n")
	fmt.Fprintf(stdout, "For more help and examples, please run \"berglas -h\".\n")
	return nil
}

func completionRun(cmd *cobra.Command, args []string) error {
	switch shell := args[0]; shell {
	case "bash":
		if err := rootCmd.GenBashCompletion(stdout); err != nil {
			err = fmt.Errorf("failed to generate bash completion: %w", err)
			return apiError(err)
		}
	case "zsh":
		if err := rootCmd.GenZshCompletion(stdout); err != nil {
			err = fmt.Errorf("failed to generate zsh completion: %w", err)
			return apiError(err)
		}

		// enable the `source <(berglas completion SHELL)` pattern for zsh
		if _, err := io.WriteString(stdout, "compdef _berglas berglas\n"); err != nil {
			err = fmt.Errorf("failed to run compdef: %w", err)
			return apiError(err)
		}
	default:
		err := fmt.Errorf("unknown completion %q", shell)
		return misuseError(err)
	}

	return nil
}

func createRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	data := strings.TrimSpace(args[1])
	plaintext, err := readData(data)
	if err != nil {
		return misuseError(err)
	}

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		secret, err := client.Create(ctx, &berglas.SecretManagerCreateRequest{
			Project:   ref.Project(),
			Name:      ref.Name(),
			Locations: smLocations,
			Plaintext: plaintext,
		})
		if err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully created secret [%s] with version [%s]\n",
			secret.Name, secret.Version)
	case berglas.ReferenceTypeStorage:
		// Check if no unsupported options have been given
		if len(smLocations) > 0 {
			return misuseError(fmt.Errorf("locations on a per-secret basis unsupported for Storage keys"))
		}

		// Create the requested secret
		secret, err := client.Create(ctx, &berglas.StorageCreateRequest{
			Bucket:    ref.Bucket(),
			Object:    ref.Object(),
			Key:       key,
			Plaintext: plaintext,
		})
		if err != nil {
			return apiError(err)
		}

		fmt.Fprintf(stdout, "Successfully created secret [%s] with generation [%d]\n",
			secret.Name, secret.Generation)
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func deleteRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		if err := client.Delete(ctx, &berglas.SecretManagerDeleteRequest{
			Project: ref.Project(),
			Name:    ref.Name(),
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully deleted secret [%s] if it existed\n",
			ref.Name())
	case berglas.ReferenceTypeStorage:
		if err := client.Delete(ctx, &berglas.StorageDeleteRequest{
			Bucket: ref.Bucket(),
			Object: ref.Object(),
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully deleted secret [%s] if it existed\n",
			ref.Object())
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func editRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	// Find the editor
	var editor string
	for _, e := range []string{"VISUAL", "EDITOR"} {
		if v := os.Getenv(e); v != "" {
			editor = v
			break
		}
	}
	if editor == "" {
		err := fmt.Errorf("no editor is set - set VISUAL or EDITOR")
		return apiError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	var originalSecret *berglas.Secret

	// Get the existing secret
	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		originalSecret, err = client.Read(ctx, &berglas.SecretManagerReadRequest{
			Project: ref.Project(),
			Name:    ref.Name(),
			Version: ref.Version(),
		})
	case berglas.ReferenceTypeStorage:
		originalSecret, err = client.Read(ctx, &berglas.StorageReadRequest{
			Bucket:     ref.Bucket(),
			Object:     ref.Object(),
			Generation: ref.Generation(),
		})
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	if err != nil {
		return apiError(err)
	}

	// Create the tempfile
	f, err := os.CreateTemp("", "berglas-")
	if err != nil {
		err = fmt.Errorf("failed to create tempfile for secret: %w", err)
		return apiError(err)
	}

	defer func() {
		if err := os.Remove(f.Name()); err != nil {
			fmt.Fprintf(stderr, "failed to cleanup tempfile %s: %s\n", f.Name(), err)
		}
	}()

	// Write contents to the original file
	if _, err := f.Write(originalSecret.Plaintext); err != nil {
		err = fmt.Errorf("failed to write tempfile for secret: %w", err)
		return apiError(err)
	}

	if err := f.Sync(); err != nil {
		err = fmt.Errorf("failed to sync tempfile for secret: %w", err)
		return apiError(err)
	}

	if err := f.Close(); err != nil {
		err = fmt.Errorf("failed to close tempfile for secret: %w", err)
		return apiError(err)
	}

	// Spawn editor
	editorSplit := strings.Split(editor, " ")
	editorCmd, editorArgs := editorSplit[0], editorSplit[1:]
	editorArgs = append(editorArgs, f.Name())
	externalCmd := exec.CommandContext(ctx, editorCmd, editorArgs...)
	externalCmd.Stdin = stdin
	externalCmd.Stdout = stdout
	externalCmd.Stderr = stderr
	if err := externalCmd.Start(); err != nil {
		err = fmt.Errorf("failed to start editor: %w", err)
		return misuseError(err)
	}
	if err := externalCmd.Wait(); err != nil {
		if terr, ok := err.(*exec.ExitError); ok && terr.ProcessState != nil {
			code := terr.ProcessState.ExitCode()
			return exitWithCode(code, fmt.Errorf("editor did not exit 0: %w", err))
		}
		err = fmt.Errorf("unknown failure in running editor: %w", err)
		return misuseError(err)
	}

	// Read the new secret value
	newPlaintext, err := os.ReadFile(f.Name())
	if err != nil {
		err = fmt.Errorf("failed to read secret tempfile: %w", err)
		return misuseError(err)
	}

	// Error if the secret is empty
	if len(newPlaintext) == 0 {
		err := fmt.Errorf("secret is empty")
		return misuseError(err)
	}

	if bytes.Equal(newPlaintext, originalSecret.Plaintext) {
		err := fmt.Errorf("secret unchanged - not going to update")
		return misuseError(err)
	}

	// Update the secret
	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		updatedSecret, err := client.Update(ctx, &berglas.SecretManagerUpdateRequest{
			Project:   ref.Project(),
			Name:      ref.Name(),
			Plaintext: newPlaintext,
		})
		if err != nil {
			err = fmt.Errorf("failed to update secret: %w", err)
			return misuseError(err)
		}

		fmt.Fprintf(stdout, "Successfully updated secret [%s] to version [%s]\n",
			updatedSecret.Name, updatedSecret.Version)
	case berglas.ReferenceTypeStorage:
		updatedSecret, err := client.Update(ctx, &berglas.StorageUpdateRequest{
			Bucket:         ref.Bucket(),
			Object:         ref.Object(),
			Generation:     originalSecret.Generation,
			Key:            originalSecret.KMSKey,
			Metageneration: originalSecret.Metageneration,
			Plaintext:      newPlaintext,
		})
		if err != nil {
			err = fmt.Errorf("failed to update secret: %w", err)
			return misuseError(err)
		}

		fmt.Fprintf(stdout, "Successfully updated secret [%s] with generation [%d]\n",
			updatedSecret.Name, updatedSecret.Generation)
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func execRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	execCmd := args[0]
	execArgs := args[1:]

	// Parse local env
	env := os.Environ()

	for i, e := range env {
		p := strings.SplitN(e, "=", 2)
		if len(p) < 2 {
			continue
		}

		k, v := p[0], p[1]
		if !berglas.IsReference(v) {
			continue
		}

		s, err := client.Resolve(ctx, v)
		if err != nil {
			return apiError(err)
		}
		env[i] = fmt.Sprintf("%s=%s", k, s)
	}

	execCmdFull, err := exec.LookPath(execCmd)
	if err != nil {
		return fmt.Errorf("failed to lookup path for %q: %w", execCmd, err)
	}

	// Unlike os/exec, execv(3) expects the arguments to include the command.
	execArgs = append([]string{execCmdFull}, execArgs...)

	if err := syscall.Exec(execCmdFull, execArgs, env); err != nil {
		return fmt.Errorf("failed to execute %q: %w", execCmd, err)
	}
	return nil
}

func grantRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	sort.Strings(members)

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		if err := client.Grant(ctx, &berglas.SecretManagerGrantRequest{
			Project: ref.Project(),
			Name:    ref.Name(),
			Members: members,
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully granted permission on [%s] to: \n- %s\n",
			ref.Name(), strings.Join(members, "\n- "))
	case berglas.ReferenceTypeStorage:
		if err := client.Grant(ctx, &berglas.StorageGrantRequest{
			Bucket:  ref.Bucket(),
			Object:  ref.Object(),
			Members: members,
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully granted permission on [%s] to: \n- %s\n",
			ref.Object(), strings.Join(members, "\n- "))
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func listRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	var list *berglas.ListResponse

	switch {
	case strings.HasPrefix(args[0], "sm://"):
		project := strings.Trim(strings.TrimPrefix(args[0], "sm://"), "/")
		list, err = client.List(ctx, &berglas.SecretManagerListRequest{
			Project:  project,
			Prefix:   listPrefix,
			Versions: listGenerations,
		})
		if err != nil {
			return apiError(err)
		}

		if len(list.Secrets) == 0 {
			return nil
		}

		tw := new(tabwriter.Writer)
		tw.Init(stdout, 0, 4, 4, ' ', 0)
		fmt.Fprintf(tw, "NAME\tVERSION\tUPDATED\n")
		for _, s := range list.Secrets {
			fmt.Fprintf(tw, "%s\t%s\t%s\n", s.Name, s.Version, s.UpdatedAt.Local())
		}
		tw.Flush()
	default:
		bucket := strings.Trim(strings.TrimPrefix(args[0], "gs://"), "/")
		list, err = client.List(ctx, &berglas.ListRequest{
			Bucket:      bucket,
			Prefix:      listPrefix,
			Generations: listGenerations,
		})
		if err != nil {
			return apiError(err)
		}

		if len(list.Secrets) == 0 {
			return nil
		}

		tw := new(tabwriter.Writer)
		tw.Init(stdout, 0, 4, 4, ' ', 0)
		fmt.Fprintf(tw, "NAME\tGENERATION\tUPDATED\n")
		for _, s := range list.Secrets {
			fmt.Fprintf(tw, "%s\t%d\t%s\n", s.Name, s.Generation, s.UpdatedAt.Local())
		}
		tw.Flush()
	}

	return nil
}

func migrateRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	bucket := strings.Trim(strings.TrimPrefix(args[0], "gs://"), "/")

	storageList, err := client.List(ctx, &berglas.StorageListRequest{
		Bucket:      bucket,
		Generations: true,
	})
	if err != nil {
		return apiError(err)
	}

	for _, s := range storageList.Secrets {
		name := strings.Replace(s.Name, "/", "_", -1)
		fmt.Fprintf(stdout, "Migrating %s to projects/%s/secrets/%s... ",
			s.Name, projectID, name)

		secret, err := client.Read(ctx, &berglas.StorageReadRequest{
			Bucket: s.Parent,
			Object: s.Name,
		})
		if err != nil {
			return apiError(err)
		}

		if len(secret.Plaintext) == 0 {
			fmt.Fprintf(stdout, "skip (empty plaintext)\n")
			continue
		}

		if _, err := client.Update(ctx, &berglas.SecretManagerUpdateRequest{
			Project:         projectID,
			Name:            name,
			Plaintext:       secret.Plaintext,
			CreateIfMissing: true,
		}); err != nil {
			return apiError(err)
		}

		fmt.Fprintf(stdout, "done!\n")
	}

	return nil
}

func revokeRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	sort.Strings(members)

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		if err := client.Revoke(ctx, &berglas.SecretManagerRevokeRequest{
			Project: ref.Project(),
			Name:    ref.Name(),
			Members: members,
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully revoked permission on [%s] from: \n- %s\n",
			ref.Name(), strings.Join(members, "\n- "))
	case berglas.ReferenceTypeStorage:
		if err := client.Revoke(ctx, &berglas.StorageRevokeRequest{
			Bucket:  ref.Bucket(),
			Object:  ref.Object(),
			Members: members,
		}); err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully revoked permission on [%s] from: \n- %s\n",
			ref.Object(), strings.Join(members, "\n- "))
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

func updateRun(cmd *cobra.Command, args []string) error {
	ctx, client, err := clientWithContext(cmd.Context())
	if err != nil {
		return misuseError(err)
	}

	ref, err := parseRef(args[0])
	if err != nil {
		return misuseError(err)
	}

	var plaintext []byte
	if len(args) > 1 {
		plaintext, err = readData(strings.TrimSpace(args[1]))
		if err != nil {
			return misuseError(err)
		}
	}

	switch t := ref.Type(); t {
	case berglas.ReferenceTypeSecretManager:
		secret, err := client.Update(ctx, &berglas.SecretManagerUpdateRequest{
			Project:         ref.Project(),
			Name:            ref.Name(),
			Plaintext:       plaintext,
			CreateIfMissing: createIfMissing,
		})
		if err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully updated secret [%s] to version [%s]\n",
			secret.Name, secret.Version)
	case berglas.ReferenceTypeStorage:
		secret, err := client.Update(ctx, &berglas.StorageUpdateRequest{
			Bucket:          ref.Bucket(),
			Object:          ref.Object(),
			Key:             key,
			Plaintext:       plaintext,
			CreateIfMissing: createIfMissing,
		})
		if err != nil {
			return apiError(err)
		}
		fmt.Fprintf(stdout, "Successfully updated secret [%s] to generation [%d]\n",
			secret.Name, secret.Generation)
	default:
		return misuseError(fmt.Errorf("unknown type %T", t))
	}

	return nil
}

// exitError is a typed error to return.
type exitError struct {
	err  error
	code int
}

// Error implements error.
func (e *exitError) Error() string {
	if e.err == nil {
		return "<missing error>"
	}
	return e.err.Error()
}

// exitWithCode prints exits with the specified error and exit code.
func exitWithCode(code int, err error) *exitError {
	return &exitError{
		err:  err,
		code: code,
	}
}

// apiError returns the given error with an API error exit code.
func apiError(err error) *exitError {
	return exitWithCode(APIExitCode, err)
}

// misuseError returns the given error with a userland exit code.
func misuseError(err error) *exitError {
	return exitWithCode(MisuseExitCode, err)
}

// clientWithContext returns an instantiated berglas client and context with a
// closer.
func clientWithContext(ctx context.Context) (context.Context, *berglas.Client, error) {
	logger, err := logging.New(stderr, logLevel, logFormat, logDebug)
	if err != nil {
		return ctx, nil, err
	}
	ctx = logging.WithLogger(ctx, logger)

	client, err := berglas.New(ctx)
	if err != nil {
		return ctx, nil, fmt.Errorf("failed to create berglas client: %w", err)
	}
	return ctx, client, nil
}

// readData reads the given string. If the string starts with an "@", it is
// assumed to be a filepath. If the string starts with a "-", data is read from
// stdin. If the data starts with a "\", it is assumed to be an escape character
// only when specified as the first character.
func readData(s string) ([]byte, error) {
	switch {
	case strings.HasPrefix(s, "@"):
		return os.ReadFile(s[1:])
	case strings.HasPrefix(s, "-"):
		r := bufio.NewReader(stdin)
		b, err := r.ReadBytes('\n')
		if err == io.EOF {
			return b, nil
		}
		if err != nil {
			return nil, err
		}
		return b, nil
	case strings.HasPrefix(s, "\\"):
		return []byte(s[1:]), nil
	default:
		return []byte(s), nil
	}
}

// parseRef parses a secret ref and returns any errors.
func parseRef(r string) (*berglas.Reference, error) {
	s := r

	// Replace gs:// with berglas://
	if strings.HasPrefix(s, "gs://") {
		s = "berglas://" + s[5:]
	}

	// If there's no protocol, assume berglas:// (backwards compat)
	if !strings.Contains(s, "://") {
		s = "berglas://" + s
	}

	ref, err := berglas.ParseReference(s)
	if err != nil {
		return nil, fmt.Errorf("failed to parse reference %q: %w", s, err)
	}
	return ref, nil
}