From 5b42c8328ea310f7f4ac9edd6734cc5955407740 Mon Sep 17 00:00:00 2001
From: florian
Date: Tue, 4 Nov 2025 21:41:25 +0100
Subject: [PATCH] First version

---
 pyproject.toml | 15 ++++++++++++
 secret_manager/__init__.py | 6 +++++
 secret_manager/credentials_loader.py | 36 ++++++++++++++++++++++++++++
 secret_manager/fernet_encryption.py | 26 ++++++++++++++++++++
 4 files changed, 83 insertions(+)
 create mode 100644 pyproject.toml
 create mode 100644 secret_manager/__init__.py
 create mode 100644 secret_manager/credentials_loader.py
 create mode 100644 secret_manager/fernet_encryption.py

diff --git a/pyproject.toml b/pyproject.toml
new file mode 100644
index 0000000..0a2d574
--- /dev/null
+++ b/pyproject.toml
@@ -0,0 +1,15 @@
+[project]
+name = "lib-secret-manager"
+version = "0.1.0"
+description = "Shared secret manager that consumes secrets"
+readme = "README.md"
+requires-python = ">=3.10"
+authors = [{ name = "Florian Gänsejunge" }]
+dependencies = ["simple-logger-handler @ git+https://git.gansejunge.com/notifier/lib-logger-handler.git@main"]
+
+[build-system]
+requires = ["setuptools>=61"]
+build-backend = "setuptools.build_meta"
+
+[project.urls]
+Homepage = "https://git.gansejunge.com/notifier/lib-secret-manager"
diff --git a/secret_manager/__init__.py b/secret_manager/__init__.py
new file mode 100644
index 0000000..e8bb4ab
--- /dev/null
+++ b/secret_manager/__init__.py
@@ -0,0 +1,6 @@
+from .credentials_loader import return_credentials, cleanup_secret_files
+
+__all__ = [
+    "return_credentials",
+    "cleanup_secret_files",
+]
\ No newline at end of file
diff --git a/secret_manager/credentials_loader.py b/secret_manager/credentials_loader.py
new file mode 100644
index 0000000..8e1271a
--- /dev/null
+++ b/secret_manager/credentials_loader.py
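Review bot: The `dependencies` list in the pyproject hunk omits `cryptography`, which `secret_manager/fernet_encryption.py` imports at module level, so an install from this metadata fails on `from cryptography.fernet import Fernet`. The one listed dependency also tracks a moving git ref (`@main`), which makes every install depend on whatever is currently on that branch; from a supply-chain standpoint a tag or commit hash is the safer pin. Proposed line: `dependencies = ["cryptography", "simple-logger-handler @ git+https://git.gansejunge.com/notifier/lib-logger-handler.git@<PINNED_TAG_OR_SHA>"]` (placeholder ref to be filled in by the author).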
@@ -0,0 +1,36 @@
+from simple_logger_handler import setup_logger
+import os
+from typing import Set
+
+logger = setup_logger(__name__)
+
+
+def return_credentials(path: str) -> str:
+    """Read and return credentials from a file."""
+    logger.debug(f"Opening credentials for path:{path}")
+    try:
+        with open(path) as file:
+            return file.read().strip()
+    except FileNotFoundError:
+        logger.fatal(f"[FATAL] Secret file not found: {path}")
+        raise
+    except Exception as e:
+        logger.fatal(f"[FATAL] Failed to read secret file {path}: {e}")
+        raise
+
+
+def cleanup_secret_files(secret_paths: Set[str]) -> None:
+    """Delete secret files after they've been loaded into memory.
+
+    Args:
+        secret_paths: Set of file paths to delete
+    """
+    for path in secret_paths:
+        try:
+            if os.path.exists(path):
+                os.remove(path)
+                logger.debug(f"Deleted secret file: {path}")
+            else:
+                logger.debug(f"Secret file already removed: {path}")
+        except Exception as e:
+            logger.warning(f"Could not delete secret file {path}: {e}")
\ No newline at end of file
diff --git a/secret_manager/fernet_encryption.py b/secret_manager/fernet_encryption.py
new file mode 100644
index 0000000..78e31d1
--- /dev/null
+++ b/secret_manager/fernet_encryption.py
@@ -0,0 +1,26 @@
+from cryptography.fernet import Fernet
+from simple_logger_handler import setup_logger
+
+logger = setup_logger(__name__)
+
+try:
+    with open("/etc/secrets/encryption_key", "rb") as file:
+        encryption_key = file.read()
+except FileNotFoundError:
+    logger.fatal("[FATAL] Encryption key not found")
+    raise
+except Exception as e:
+    logger.fatal(f"[FATAL] Failed to read encryption key: {e}")
+    raise
+
+fernet = Fernet(encryption_key)
+
+
+def encrypt_token(token: str) -> str:
+    """Encrypt a token string."""
+    return fernet.encrypt(token.encode()).decode()
+
+
+def decrypt_token(token: str) -> str:
+    """Decrypt a token string."""
+    return fernet.decrypt(token.encode()).decode()
\ No newline at end of file
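Review bot: `cleanup_secret_files` checks `os.path.exists(path)` and then calls `os.remove(path)`, which is a check-then-act pair: a file removed between the two calls raises `FileNotFoundError` and is logged as a warning rather than as "already removed", and the existence test adds nothing that the remove call does not already report. Removing directly and handling `FileNotFoundError` as the "already removed" case keeps the same log lines and drops the race. Since the pyproject hunk declares `requires-python = ">=3.10"`, the `typing.Set` import can also go in favour of the builtin generic, `def cleanup_secret_files(secret_paths: set[str]) -> None:`. `return_credentials` opens the file with the platform default encoding; `open(path, encoding="utf-8")` would make the decoding explicit.
```python
    for path in secret_paths:
        try:
            os.remove(path)
            logger.debug(f"Deleted secret file: {path}")
        except FileNotFoundError:
            logger.debug(f"Secret file already removed: {path}")
        except Exception as e:
            logger.warning(f"Could not delete secret file {path}: {e}")
```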
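Review bot: `fernet = Fernet(encryption_key)` sits outside the `try` that guards the key read, so a key file that exists but does not hold a valid 32-byte url-safe base64 key aborts the import with an unlogged `ValueError`, unlike the two read failures that get a `[FATAL]` line; constructing the `Fernet` under its own narrow guard keeps the import-time failure reporting consistent. `decrypt_token` propagates `cryptography.fernet.InvalidToken` on a tampered, corrupted or wrong-key token, and its docstring should say so, e.g. `"""Decrypt a token string. Raises cryptography.fernet.InvalidToken if the token is invalid or was not produced with this key."""`, since that exception is the caller's signal that the input cannot be trusted. Note also that the key is read from the hard-coded path at import time, so merely importing this module (which `__init__.py` does not re-export) performs the file read and can raise; that is worth a module docstring.
```python
# … unchanged: imports, logger setup, key-file read with FileNotFoundError/Exception logging …
try:
    fernet = Fernet(encryption_key)
except ValueError as e:
    logger.fatal(f"[FATAL] Encryption key is not a valid Fernet key: {e}")
    raise
# … unchanged: encrypt_token / decrypt_token …
```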