phasehq / cli Goto Github PK

Securely manage and sync environment variables with Phase.

License: GNU General Public License v3.0

Python 96.41% Shell 3.44% Dockerfile 0.15%

cli's Introduction

Phase-CLI

λ phase
Securely manage application secrets and environment variables with Phase.

                     @@@
              @@@@@@@@@@
          @@@@@@@@@@@@@@@@
       P@@@@@&@@@?&@@&@@@@@P
     P@@@@#        @&@    @P@@@
    &@@@#         *@&      #@@@&
   &@@@5          &@?       5@@@&
  Y@@@#          ^@@         #@@@J
  #@@@7          B@5         7@@@#
  #@@@?         .@@.         ?@@@#
  @@@@&         5@G          &@@@7
   #@@@B        @@^         #@@@B
    B@@@@      .@#        7@@@@B
     @@@@@@    &.@       P@@@@@7
       @@@@@@@@@@@@@@@@@@@@@
          @@@@@@@@@@@@@@@
             @@@@@@@@
             @@@

options:
  -h, --help   show this help message and exit
  --version, -v
               show program's version number and exit


Commands:

    auth             💻 Authenticate with Phase
    init             🔗 Link your project with your Phase app
    run              🚀 Run and inject secrets to your app
    secrets          🗝️ Manage your secrets
    secrets list     📇 List all the secrets
    secrets get      🔍 Get a specific secret by key
    secrets create   💳 Create a new secret
    secrets update   📝 Update an existing secret
    secrets delete   🗑️ Delete a secret
    secrets import   📩 Import secrets from a .env file
    secrets export   🥡 Export secrets in a dotenv format
    users            👥 Manage users and accounts
    users whoami     🙋 See details of the current user
    users logout     🏃 Logout from phase-cli
    users keyring    🔐 Display information about the Phase keyring
    docs             📖 Open the Phase CLI Docs in your browser
    console          🖥️ Open the Phase Console in your browser
    update           🆙 Update the Phase CLI to the latest version

Features

Inject secrets to your application during runtime without any code changes
Import your existing .env files and encrypt them
Sync encrypted secrets with Phase cloud
Multiple environments eg. dev, testing, staging, production

See it in action

Installation

You can install Phase-CLI using curl:

curl -fsSL https://get.phase.dev | bash

Usage

Login

Create an app in the Phase Console and copy appID and pss

phase auth

Initialize

Link the phase cli to your project

phase init

Import .env

Import and encrypt existing secrets and environment variables

phase secrets import .env

List / view secrets

phase secrets list --show

Run and inject secrets

phase run // your run command

Example:

phase run yarn dev

phase run go run

phase run npm start

Development:

Make sure virtualenv is installed

pip3 install virtualenv

Create a virtualenv:

virtualenv phase-cli

Switch to the virtualenv:

source phase-cli/bin/activate

Install dependencies:

pip3 install -r requirements.txt

export PYTHONPATH="$PWD"

python3 phase_cli/main.py

cli's People

Contributors

Stargazers

Watchers

Forkers

0x4f53 crimsonfinale dodistyo

cli's Issues

If PHASE_HOST is missing use default PHASE_CLOUD_API_HOST

$ phase init
PHASE_HOST missing: Please set PHASE_HOST environment variable or login via phase auth

Fetch a single secret using secret digest when using phase secrets get

No development environment found

When a service token is created for a non development environment and phase is initialized

phase init
? Select an App: console
No 'Development' environment found.

version mismtach on the latest tag on docker hub

> sudo docker run phasehq/cli:latest phase -v
1.5.3

Add version argument to phase cli install script

Python GLIC depedency issue

phase
[244] Error loading Python lib '/usr/local/bin/_internal/libpython3.11.so.1.0': dlopen: /lib64/libm.so.6: version `GLIBC_2.35' not found (required by /usr/local/bin/_internal/libpython3.11.so.1.0)

Add loading spinner for export

Exports can take a few seconds sometimes, so adding a loading spinner similar to the one for phase run would be helpful:

⠴ ⠸ Fetching secrets...

Improve client side secret key processing

Process the keys of secrets to replace empty space with '_' and handle special characters.

Skip ssl verification for self-signed certificate using environment variable PHASE_VERIFY_SSL

Based on this documentation https://docs.phase.dev/cli/commands#phase-verify-ssl, we can skip ssl verification by setting environment variable PHASE_VERIFY_SSL=False.
However, I've tried to set it as the document said and got error like below:
`
/ # echo $PHASE_VERIFY_SSL
False
/ # phase secrets export --app "DevOps" --env production --path security/officer
Traceback (most recent call last):
File "urllib3/connectionpool.py", line 466, in _make_request
File "urllib3/connectionpool.py", line 1095, in validate_conn
File "urllib3/connection.py", line 652, in connect
File "urllib3/connection.py", line 805, in ssl_wrap_socket_and_match_hostname
File "urllib3/util/ssl.py", line 465, in ssl_wrap_socket
File "urllib3/util/ssl.py", line 509, in _ssl_wrap_socket_impl
File "ssl.py", line 517, in wrap_socket
File "ssl.py", line 1104, in _create
File "ssl.py", line 1382, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "urllib3/connectionpool.py", line 789, in urlopen
File "urllib3/connectionpool.py", line 490, in _make_request
urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "requests/adapters.py", line 564, in send
File "urllib3/connectionpool.py", line 843, in urlopen
File "urllib3/util/retry.py", line 519, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /service/secrets/tokens/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "main.py", line 303, in main
File "cmd/secrets/export.py", line 54, in phase_secrets_env_export
File "utils/phase_io.py", line 187, in get
File "utils/phase_io.py", line 420, in decrypt
File "utils/network.py", line 167, in fetch_wrapped_key_share
File "requests/api.py", line 73, in get
File "requests/api.py", line 59, in request
File "requests/sessions.py", line 589, in request
File "requests/sessions.py", line 703, in send
File "requests/adapters.py", line 595, in send
requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /service/secrets/tokens/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))
`
I think I have find the issue, and it looks like it missing parameter verify in the request code.
I've already create a PR for the fix.

#162

Add a --silent flag to phase run and phase export

mkfifo phase-console-testing-secrets
:~/$ phase secrets export --env staging --app application > application-testing-secrets &
[1] 1901377
$ cat application-testing-secrets
[06:29:20]  🥡 Exported 44 secrets from the Staging environment.                                                                                                         export.py:100

Phase auth error on alpine linux

? Choose your Phase instance type: ☁️  Phase Cloud
An error occurred: unable to determine login name
Command exited with non-zero status 1
real	0m 1.32s
user	0m 0.22s
sys	0m 0.06s
/workspace # uname -a
Linux 5048c2d09604 6.5.8-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Oct 20 15:53:48 UTC 2023 x86_64 Linux

keyring issues in ubntu docker

root@8100edf20c58:/home# phase
usage: phase-cli [-h] [--version] {auth,init,run,secrets,logout,web,keyring} ...

                
        :S@tX88%%t.                   
        ;X;%;@%8X@%;.  Phase-cli               
      ;Xt%;S8:;;t%S    Encrypt the signal, store the noise.               
      ;SXStS@.;t8@: ;. © 2023 Phase Security Inc.               
    ;@:t;S8  ;@.%.;8:  https://phase.dev               
    :X:S%88    S.88t:. https://github.com/phasehq/console                
  :X:%%88     :S:t.t8t                              
.@8X888@88888888X8.%8X8888888X8.S88: 
                ;t;X ;X;    ;tXS:%X;
                :@:8@X..   tXXS%S8    
                ...X:@8S ..X%88X:;     
                  ..@:X88:8Xt8:.       
                    .;%88@S8:XS                       
    

positional arguments:
  {auth,init,run,secrets,logout,web,keyring}
    auth                Authenticate with Phase
    init                Link your local repo to a Phase app environment
    run                 Automatically run and inject environment variables to your application
    secrets             Manage your secrets
    logout              Logout from phase-cli and delete local credentials
    web                 Open the Phase Console in the default web browser
    keyring             Display information about the phase keyring

options:
  -h, --help            show this help message and exit
  --version, -v         show program's version number and exit
root@8100edf20c58:/home# phase init
Traceback (most recent call last):
  File "phase-cli.py", line 425, in <module>
  File "phase-cli.py", line 330, in get_credentials
  File "keyring/core.py", line 55, in get_password
  File "keyring/backends/fail.py", line 25, in get_password
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
[226] Failed to execute script 'phase-cli' due to unhandled exception!
root@8100edf20c58:/home# phase auth
Traceback (most recent call last):
  File "phase-cli.py", line 425, in <module>
  File "phase-cli.py", line 330, in get_credentials
  File "keyring/core.py", line 55, in get_password
  File "keyring/backends/fail.py", line 25, in get_password
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
[228] Failed to execute script 'phase-cli' due to unhandled exception!
root@8100edf20c58:/home# phase auth
Traceback (most recent call last):
  File "phase-cli.py", line 425, in <module>
  File "phase-cli.py", line 330, in get_credentials
  File "keyring/core.py", line 55, in get_password
  File "keyring/backends/fail.py", line 25, in get_password
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
[230] Failed to execute script 'phase-cli' due to unhandled exception!
root@8100edf20c58:/home# phase-cli 
bash: phase-cli: command not found
root@8100edf20c58:/home# phase keyring
Traceback (most recent call last):
  File "phase-cli.py", line 425, in <module>
  File "phase-cli.py", line 330, in get_credentials
  File "keyring/core.py", line 55, in get_password
  File "keyring/backends/fail.py", line 25, in get_password
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
[233] Failed to execute script 'phase-cli' due to unhandled exception!

notes: include keyring backend package

Install script permission issue

curl -fsSL https://pkg.phase.dev/install.sh | bash
Installing unzip...
Reading package lists... Done
E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)
E: Unable to lock directory /var/lib/apt/lists/
W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)
W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)

Sign packages with gpg keys

Add a --docker export format

To add multi-line secret support

Add exception handling to keyring not being present

^[[Api@blackrock:~/cli/dist/phase $ PHASE_DEBUG=True ./phase auth --mode token

? Choose your Phase instance type: ☁️ Phase Cloud
? Please enter your email: [email protected]
Please enter Phase user token (hidden):
An error occurred: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.

CLI is broken on windows git bash

CLI is broken on Git Bash / Windows

'charmap' codec can't encode character '\U0001f64b' in position 0: character maps to <undefined>

add basic checks and dependencies in the install script

check if sudo, wget, curl is available
check if the user running the script is a root user

λ phase secrets list
🚫 Not authorized. Token expired or revoked.
⚠️  Warning: The environment 'None' either does not exist or you do not have access to it

Default env being passed as None

> PHASE_DEBUG=True phase secrets list
⚠️  Warning: The environment 'None' either does not exist or you do not have access to it.