From f37a7c9e91f5e32608c40dab5757e726fb8b658b Mon Sep 17 00:00:00 2001
From: thycotic-rd <lightvaulttrack@thycotic.com>
Date: Fri, 16 Apr 2021 12:16:27 +0000
Subject: [PATCH] Automated from: 1304921d095afb8d399603b0ec2a880f48be13e1

---
 .gitignore                           |   2 +
 auth/auth.go                         |  67 ++--
 auth/html_responses.go               |   4 +-
 cicd-integration/integration_test.go |  30 +-
 commands/auth.go                     |  40 ++-
 commands/base.go                     |   1 +
 commands/cli-config.go               |  53 +--
 commands/encryption_auto.go          | 501 +++++++++++++++++++++++++++
 commands/encryption_manual.go        | 478 +++++++++++++++++++++++++
 commands/report.go                   | 331 ++++++++++++++++++
 commands/report_test.go              | 181 ++++++++++
 constants/commands.go                |   5 +-
 constants/crypto.go                  |  14 +
 constants/doc.go                     |   4 +-
 fake/fake_graph_client.go            | 120 +++++++
 go.mod                               |   6 +-
 go.sum                               |  80 +++++
 main.go                              |  26 +-
 requests/graphclient.go              |  46 +++
 requests/graphql_test.go             |  33 ++
 tools/tools.go                       |  10 +
 21 files changed, 1954 insertions(+), 78 deletions(-)
 create mode 100644 commands/encryption_auto.go
 create mode 100644 commands/encryption_manual.go
 create mode 100644 commands/report.go
 create mode 100644 commands/report_test.go
 create mode 100644 constants/crypto.go
 create mode 100644 fake/fake_graph_client.go
 create mode 100644 requests/graphclient.go
 create mode 100644 requests/graphql_test.go
 create mode 100644 tools/tools.go

diff --git a/.gitignore b/.gitignore
index 8aefe66d..27f14483 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,6 +28,8 @@ bin/*
 /svc_acct_creds_1
 docs/mkdocsenv/
 docs/site/
+dsv
+dsv.exe
 
 inittests/initenv/
 inittests/__pycache__/
diff --git a/auth/auth.go b/auth/auth.go
index 8fa49cc7..21b0c0a4 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -12,6 +12,7 @@ import (
 	"reflect"
 	"runtime"
 	"strings"
+	"text/template"
 	"time"
 
 	"thy/paths"
@@ -173,7 +174,7 @@ func (a *authenticator) getTokenForAuthType(at AuthType, useCache bool) (*TokenR
 		if keySuffix == "" {
 			keySuffix = cst.DefaultProfile
 		}
-	} else if at == Oidc {
+	} else if at == Oidc || at == FederatedThyOne {
 		profile := viper.GetString(cst.Profile)
 		keySuffix = viper.GetString(keyName)
 		if profile != "" && profile != cst.DefaultProfile {
@@ -271,7 +272,7 @@ func (a *authenticator) getTokenForAuthType(at AuthType, useCache bool) (*TokenR
 		data = requestBody{
 			GrantType: authTypeToGrantType[at],
 		}
-		if at == Password || at == FederatedThyOne {
+		if at == Password {
 			err := setupDataForPasswordAuth(&data)
 			if err != nil {
 				return nil, errors.New(err)
@@ -294,10 +295,16 @@ func (a *authenticator) getTokenForAuthType(at AuthType, useCache bool) (*TokenR
 				}
 				data.RefreshToken = refreshToken
 			}
-		} else if at == Oidc {
+		} else if at == Oidc || at == FederatedThyOne {
 			data.Provider = viper.GetString(cst.AuthProvider)
-			data.CallbackHost = viper.GetString(cst.Callback)
-			data.CallbackUrl = fmt.Sprintf("http://%s/callback", viper.GetString(cst.Callback))
+
+			callback := viper.GetString(cst.Callback)
+			if callback == "" {
+				callback = cst.DefaultCallback
+			}
+
+			data.CallbackHost = callback
+			data.CallbackUrl = fmt.Sprintf("http://%s/callback", callback)
 		}
 	}
 
@@ -345,7 +352,7 @@ func (a *authenticator) fetchTokenVault(at AuthType, data requestBody) (*TokenRe
 	if err := data.ValidateForAuthType(at); err != nil {
 		return nil, errors.New(err)
 	}
-	if at == Oidc {
+	if at == Oidc || at == FederatedThyOne {
 		ui := cli.BasicUi{
 			Writer:      os.Stdout,
 			Reader:      os.Stdin,
@@ -394,9 +401,9 @@ func (a *authenticator) fetchTokenVault(at AuthType, data requestBody) (*TokenRe
 			}
 			data.State = ar.state
 			data.AuthorizationCode = ar.authCode
-			ui.Info(fmt.Sprintf("Received response from oidc provider, submitting authorization code to %s", cst.ProductName))
+			ui.Info(fmt.Sprintf("Received response from %s provider, submitting authorization code to %s", at, cst.ProductName))
 		case <-time.After(5 * time.Minute):
-			ui.Info(fmt.Sprintf("Timeout occurred waiting for callback from oidc provider"))
+			ui.Info(fmt.Sprintf("Timeout occurred waiting for callback from %s provider", at))
 			return nil, errors.NewS("no callback occurred after redirect")
 		}
 	}
@@ -410,10 +417,9 @@ func (a *authenticator) fetchTokenVault(at AuthType, data requestBody) (*TokenRe
 	return &response, nil
 }
 
-//
+// handleOidcAuth handles OIDC and Thycotic One auths
 func (a *authenticator) handleOidcAuth(doneCh chan<- AuthResponse) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
-
 		b, err := ioutil.ReadAll(req.Body)
 		if err != nil {
 			w.Write([]byte(err.Error()))
@@ -434,7 +440,28 @@ func (a *authenticator) handleOidcAuth(doneCh chan<- AuthResponse) http.HandlerF
 			return
 		}
 
-		w.Write([]byte(youDidIt))
+		tmpl, err := template.New("youDidIt").Parse(youDidIt)
+		if err != nil {
+			w.Write([]byte(err.Error()))
+			doneCh <- AuthResponse{
+				err:     errors.New(err),
+				message: "error in html parse template",
+			}
+		}
+
+		vars := map[string]interface{}{
+			"providerName": viper.GetString(cst.AuthType),
+		}
+
+		err = tmpl.Execute(w, vars)
+		if err != nil {
+			w.Write([]byte(err.Error()))
+			doneCh <- AuthResponse{
+				err:     errors.New(err),
+				message: "error in html template execute",
+			}
+		}
+
 		doneCh <- AuthResponse{
 			err:      nil,
 			message:  "success",
@@ -564,7 +591,7 @@ func (r *requestBody) ValidateForAuthType(at AuthType) error {
 
 var authTypeToGrantType = map[AuthType]string{
 	Password:         "password",
-	FederatedThyOne:  "password",
+	FederatedThyOne:  "oidc",
 	ClientCredential: "client_credentials",
 	Certificate:      "certificate",
 	Refresh:          "refresh_token",
@@ -600,20 +627,10 @@ var paramSpecDict = map[AuthType][]paramSpec{
 		},
 	},
 	FederatedThyOne: {
-		{PropName: "Password",
-			ArgName:    cst.Password,
-			IsKey:      false,
-			RequestVar: true,
-		},
-		{PropName: "Username",
-			ArgName:    cst.Username,
+		{PropName: "AuthType",
+			ArgName:    cst.AuthType,
 			IsKey:      true,
-			RequestVar: true,
-		},
-		{PropName: "Provider",
-			ArgName:    cst.AuthProvider,
-			IsKey:      false,
-			RequestVar: true,
+			RequestVar: false,
 		},
 	},
 	ClientCredential: {
diff --git a/auth/html_responses.go b/auth/html_responses.go
index 685a799a..301ac27d 100644
--- a/auth/html_responses.go
+++ b/auth/html_responses.go
@@ -5,7 +5,7 @@ const youDidIt = `<!DOCTYPE html>
 
 <head>
   <meta charset="utf-8">
-  <title>OIDC Sign In Complete</title>
+  <title>{{.providerName}} Sign In Complete</title>
 
   <style>
  /*
@@ -190,7 +190,7 @@ hr {
   <div class="container">
     <div class="row">
       <div class="two-thirds column" style="margin-top: 25%">
-        <h2>OIDC Provider Sign In Complete</h2>
+        <h2>{{.providerName}} Provider Sign In Complete</h2>
         <h5>Return to the CLI to verify sign in to DevOps Secrets Vault finished.</h5>
       </div>
     </div>
diff --git a/cicd-integration/integration_test.go b/cicd-integration/integration_test.go
index edc1e527..c74c3b4e 100644
--- a/cicd-integration/integration_test.go
+++ b/cicd-integration/integration_test.go
@@ -116,6 +116,12 @@ var certPath = strings.Join([]string{"cicd-integration", "data", "cert.pem"}, st
 var privateKeyPath = strings.Join([]string{"cicd-integration", "data", "key.pem"}, string(filepath.Separator))
 var csrPath = strings.Join([]string{"cicd-integration", "data", "csr.pem"}, string(filepath.Separator))
 
+var manualKeyPath = "thekey:first"
+var manualPrivateKey = "MnI1dTh4L0E/RChHK0tiUGVTaFZtWXEzczZ2OXkkQiY="
+var manualKeyNonce = "S1NzeHdFcHB6b1Bz"
+var plaintext = "hello there"
+var ciphertext = "8Tns2mbY/w6YHoICfiDGQM+rDlQzwrZWpqK7"
+
 func addConfigArg(args []string) []string {
 	args = append(args, "--config")
 	args = append(args, configPath)
@@ -360,7 +366,7 @@ func init() {
 
 		{"role-get-pass", []string{"role", "read", roleName}, outputPattern(fmt.Sprintf(`"name":\s*"%s"`, roleName))},
 		{"role-get-implicit-pass", []string{"role", roleName}, outputPattern(fmt.Sprintf(`"name":\s*"%s"`, roleName))},
-		// {"role-search-find-pass", []string{"role", "search", roleName[:3], "data.[0].name"}, outputPattern(roleName)},
+		{"role-search-find-pass", []string{"role", "search", roleName[:3], "data.[0].name"}, outputPattern(roleName)},
 		{"role-search-none-pass", []string{"role", "search", "abcdef"}, outputPattern(`"data": null`)},
 		{"role-create-provider-missing", []string{"role", "create", "--name", "bob", "--external-id", "1234"}, outputPattern("must specify both provider and external ID")},
 		{"role-create-external-id-missing", []string{"role", "create", "--name", "bob", "--provider", "aws-dev"}, outputPattern("must specify both provider and external ID")},
@@ -419,15 +425,22 @@ func init() {
 		{"home-rollback", []string{"home", "rollback", homeSecretPath}, outputPattern(`"version": "2"`)},
 		{"home-get-by-version", []string{"home", "read", homeSecretPath, "version", "2"}, outputPattern(`"version": "2"`)},
 
+		// EaaS-Manual
+		{"crypto-manual-key-upload", []string{"crypto", "manual", "key-upload", "--path", manualKeyPath, "--private-key", manualPrivateKey, "--nonce", manualKeyNonce, "--scheme", "symmetric"}, outputPattern(`"version": "0"`)},
+		{"crypto-manual-key-read", []string{"crypto", "manual", "key-read", "--path", manualKeyPath}, outputPattern(`"version": "0"`)},
+		{"crypto-manual-encrypt", []string{"crypto", "manual", "encrypt", "--path", manualKeyPath, "--data", plaintext}, outputPattern(`"version": "0"`)},
+		{"crypto-manual-decrypt", []string{"crypto", "manual", "decrypt", "--path", manualKeyPath, "--data", ciphertext}, outputPattern(`"data": "hello there"`)},
+		{"crypto-manual-key-update", []string{"crypto", "manual", "key-update", "--path", manualKeyPath, "--private-key", manualPrivateKey}, outputPattern(`"version": "1"`)},
+
 		// Pool
-		{"pool", []string{"pool", "create", "--name", "mypool"}, outputPattern(`"name": "mypool"`)},
-		{"pool", []string{"pool", "read", "--name", "mypool"}, outputPattern(`"name": "mypool"`)},
+		{"pool-create", []string{"pool", "create", "--name", "mypool"}, outputPattern(`"name": "mypool"`)},
+		{"pool-read", []string{"pool", "read", "--name", "mypool"}, outputPattern(`"name": "mypool"`)},
 
 		// Engine
-		{"engine", []string{"engine", "create", "--name", "myengine", "--pool-name", "bad-pool"}, outputPattern(`specified pool doesn't exist`)},
-		{"engine", []string{"engine", "create", "--name", "myengine", "--pool-name", "mypool"}, outputPattern(`"name": "myengine"`)},
-		{"engine", []string{"engine", "read", "--name", "myengine"}, outputPattern(`"name": "myengine"`)},
-		{"engine", []string{"engine", "delete", "myengine"}, outputEmpty()},
+		{"engine-create-fail", []string{"engine", "create", "--name", "myengine", "--pool-name", "bad-pool"}, outputPattern(`specified pool doesn't exist`)},
+		{"engine-create-pass", []string{"engine", "create", "--name", "myengine", "--pool-name", "mypool"}, outputPattern(`"name": "myengine"`)},
+		{"engine-read", []string{"engine", "read", "--name", "myengine"}, outputPattern(`"name": "myengine"`)},
+		{"engine-delete", []string{"engine", "delete", "myengine"}, outputEmpty()},
 
 		// Whoami
 		{"whoami", []string{"whoami", ""}, outputPattern(`users:` + adminUser)},
@@ -476,7 +489,8 @@ func init() {
 		{"rootCA-secret-delete", []string{"secret", "delete", "--path", existingRootSecret, "--force"}, outputEmpty()},
 		{"leafCA-secret-delete", []string{"secret", "delete", "--path", leafSecretPath, "--force"}, outputEmpty()},
 		{"home-secret-delete", []string{"home", "delete", homeSecretPath, "--force"}, outputEmpty()},
-		{"pool", []string{"pool", "delete", "mypool"}, outputEmpty()},
+		{"pool-delete", []string{"pool", "delete", "mypool"}, outputEmpty()},
+		{"crypto-manual-key-delete", []string{"crypto", "manual", "key-delete", "--path", manualKeyPath, "--force"}, outputEmpty()},
 	}
 }
 
diff --git a/commands/auth.go b/commands/auth.go
index e3b8aa80..b8867e38 100644
--- a/commands/auth.go
+++ b/commands/auth.go
@@ -37,14 +37,14 @@ func GetAuthCmd() (cli.Command, error) {
 			auth.NewAuthenticatorDefault,
 			store.GetStore, nil}.handleAuth,
 		NoPreAuth:    true,
-		SynopsisText: fmt.Sprintf("%s", cst.NounAuth),
+		SynopsisText: cst.NounAuth,
 		HelpText: fmt.Sprintf(`Authenticate with %[2]s
 
 Usage:
    • auth --profile staging
    • auth --auth-username %[3]s --auth-password %[4]s
-   • auth --auth-type %[7]s --auth-client-id=%[5]s --auth-client-secret=%[6]s 
-		`, cst.NounAuth, cst.ProductName, cst.ExampleUser, cst.ExamplePassword, cst.ExampleAuthClientID, cst.ExampleAuthClientSecret, string(auth.FederatedAws)),
+   • auth --auth-type %[5]s --auth-client-id %[6]s --domain %[7]s --auth-client-secret %[8]s 
+		`, cst.NounAuth, cst.ProductName, cst.ExampleUser, cst.ExamplePassword, cst.ExampleAuthType, cst.ExampleAuthClientID, cst.ExampleDomain, cst.ExampleAuthClientSecret, string(auth.FederatedAws)),
 	})
 }
 
@@ -100,16 +100,42 @@ Usage:
 
 func (ac AuthCommand) handleAuth(args []string) int {
 	var data []byte
-	token, err := ac.token().GetToken()
-	if err == nil {
-		data, err = errors.Convert(format.JsonMarshal(token))
+	token, apiErr := ac.token().GetToken()
+	if apiErr == nil {
+		data, apiErr = errors.Convert(format.JsonMarshal(token))
 	}
+
 	outClient := ac.outClient
 	if outClient == nil {
 		outClient = format.NewDefaultOutClient()
 	}
 
-	outClient.WriteResponse(data, err)
+	// Ask the user for the password, in case if the stored user information is not set to be able to auth AND username is set AND password is not via flags
+	if strings.Contains(apiErr.Error(), auth.KeyfileNotFoundError.Error()) && viper.GetString(cst.Username) != "" && viper.GetString(cst.Password) == "" {
+		ui := &PasswordUi{
+			cli.BasicUi{
+				Writer:      os.Stdout,
+				Reader:      os.Stdin,
+				ErrorWriter: os.Stderr,
+			},
+		}
+
+		if password, err := getStringAndValidate(ui, "Please enter password", false, nil, true, false); err != nil {
+			outClient.WriteResponse(data, errors.New(err))
+
+			return 0
+		} else {
+			viper.Set(cst.Password, password)
+		}
+
+		token, apiErr = ac.token().GetToken()
+		if apiErr == nil {
+			data, apiErr = errors.Convert(format.JsonMarshal(token))
+		}
+	}
+
+	outClient.WriteResponse(data, apiErr)
+
 	return 0
 }
 
diff --git a/commands/base.go b/commands/base.go
index e7883069..cec910dc 100644
--- a/commands/base.go
+++ b/commands/base.go
@@ -34,6 +34,7 @@ func BasePredictorWrappers() cli.PredictorWrappers {
 		preds.LongFlag(cst.AuthProvider): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.AuthProvider, Usage: "Authentication provider name for federated authentication", Global: true, Hidden: true}), false},
 		preds.LongFlag(cst.Profile):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Profile, Usage: "Configuration Profile [default:default]", Global: true}), false},
 		preds.LongFlag(cst.Tenant):       cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Tenant, Shorthand: "t", Usage: "Tenant used for auth", Global: true}), false},
+		preds.LongFlag(cst.DomainName):   cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.DomainName, Usage: "Domain used for auth", Global: true}), false},
 		preds.LongFlag(cst.Encoding):     cli.PredictorWrapper{preds.EncodingTypePredictor{}, preds.NewFlagValue(preds.Params{Name: cst.Encoding, Shorthand: "e", Usage: "Output encoding (json|yaml) [default:json]", Global: true}), false},
 		preds.LongFlag(cst.Beautify):     cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Beautify, Shorthand: "b", Usage: "Should beautify output", Global: true, ValueType: "bool", Hidden: true}), false},
 		// we could get away with just one of beautify / plain but gets tricky because we want the default to be beautify,
diff --git a/commands/cli-config.go b/commands/cli-config.go
index 44781f9c..33b2a753 100644
--- a/commands/cli-config.go
+++ b/commands/cli-config.go
@@ -548,8 +548,8 @@ func handleCliConfigInitCmd(args []string) int {
 	}
 	AddNode(&cfg, jsonish{cst.Type: authType}, profile, cst.NounAuth)
 	if storeType != store.None {
-		if auth.AuthType(authType) == auth.Password || auth.AuthType(authType) == auth.FederatedThyOne {
-			var passwordMessage, userMessage, authProviderMessage string
+		if auth.AuthType(authType) == auth.Password {
+			var passwordMessage, userMessage string
 			var confirmRequired bool
 			tenant := viper.GetString(cst.Tenant)
 			if setupRequired {
@@ -589,23 +589,6 @@ func handleCliConfigInitCmd(args []string) int {
 					viper.Set(cst.Password, password)
 				}
 			}
-
-			if auth.AuthType(authType) == auth.FederatedThyOne {
-				authProvider = cst.DefaultThyOneName
-
-				if authProvider == "" && isDevDomain {
-					authProviderMessage = fmt.Sprintf("Thycotic One authentication provider name (default %s):", cst.DefaultThyOneName)
-					if authProvider, err = getStringAndValidateDefault(ui, authProviderMessage, cst.DefaultThyOneName, true, nil, false, false); err != nil {
-						return 1
-
-					}
-				}
-
-				viper.Set(cst.AuthProvider, authProvider)
-
-				AddNode(&cfg, jsonish{cst.DataProvider: authProvider}, profile, cst.NounAuth)
-			}
-
 		} else if auth.AuthType(authType) == auth.ClientCredential {
 			if id, err := getStringAndValidate(ui, "Please enter client id for client auth:", false, nil, false, false); err != nil {
 				return 1
@@ -636,18 +619,34 @@ func handleCliConfigInitCmd(args []string) int {
 			}
 			AddNode(&cfg, jsonish{cst.NounAwsProfile: awsProfile}, profile, cst.NounAuth)
 			viper.Set(cst.AwsProfile, awsProfile)
-		} else if auth.AuthType(authType) == auth.Oidc {
-			if authProvider == "" {
-				if authProvider, err = getStringAndValidateDefault(ui, fmt.Sprintf("Please enter auth provider name (default:  %s):", cst.DefaultThyOneName), cst.DefaultThyOneName, true, nil, false, false); err != nil {
-					return 1
+		} else if auth.AuthType(authType) == auth.Oidc || auth.AuthType(authType) == auth.FederatedThyOne {
+			if auth.AuthType(authType) == auth.Oidc {
+				if authProvider == "" {
+					authProviderMessage := fmt.Sprintf("Please enter auth provider name (default:  %s):", cst.DefaultThyOneName)
+					if authProvider, err = getStringAndValidateDefault(ui, authProviderMessage, cst.DefaultThyOneName, true, nil, false, false); err != nil {
+						return 1
+					}
+				}
+			} else {
+				authProvider = cst.DefaultThyOneName
+
+				if isDevDomain {
+					authProviderMessage := fmt.Sprintf("Thycotic One authentication provider name (default %s):", cst.DefaultThyOneName)
+					if authProvider, err = getStringAndValidateDefault(ui, authProviderMessage, cst.DefaultThyOneName, true, nil, false, false); err != nil {
+						return 1
+
+					}
 				}
-				viper.Set(cst.AuthProvider, authProvider)
 			}
+
+			viper.Set(cst.AuthProvider, authProvider)
 			AddNode(&cfg, jsonish{cst.DataProvider: authProvider}, profile, cst.NounAuth)
+
 			var callback string
 			if callback = viper.GetString(cst.Callback); callback == "" {
 				callback = cst.DefaultCallback
 			}
+
 			viper.Set(cst.Callback, callback)
 			AddNode(&cfg, jsonish{cst.DataCallback: callback}, profile, cst.NounAuth)
 		}
@@ -672,13 +671,15 @@ func handleCliConfigInitCmd(args []string) int {
 				ui.Output(authError.Error())
 				return 1
 			}
+
 			ui.Output("Failed to authenticate, restoring previous config.")
 			ui.Output("Please check your credentials, or tenant name, or domain name and try again.")
 			return 1
+
 		}
 
-		// Store encryption key file (for auth types password and thy-one).
-		if auth.AuthType(authType) == auth.Password || auth.AuthType(authType) == auth.FederatedThyOne {
+		// Store encryption key file (for auth type password).
+		if auth.AuthType(authType) == auth.Password {
 			st, apiError := store.GetStore(string(storeType))
 			if apiError != nil {
 				ui.Error(apiError.Error())
diff --git a/commands/encryption_auto.go b/commands/encryption_auto.go
new file mode 100644
index 00000000..ff2c7e88
--- /dev/null
+++ b/commands/encryption_auto.go
@@ -0,0 +1,501 @@
+package cmd
+
+import (
+	"encoding/json"
+	goerrors "errors"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	cst "thy/constants"
+	"thy/errors"
+	"thy/format"
+	"thy/paths"
+	preds "thy/predictors"
+	"thy/requests"
+	"thy/utils"
+
+	"github.com/posener/complete"
+	"github.com/spf13/viper"
+	"github.com/thycotic-rd/cli"
+)
+
+const MaxPayloadSizeBytes = 2097152
+
+var ErrPayloadTooLarge = goerrors.New(fmt.Sprintf("payload is too large, maximum size is %dMB", MaxPayloadSizeBytes/1000000))
+
+type encryption struct {
+	request   requests.Client
+	outClient format.OutClient
+}
+
+func GetCryptoCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path: []string{cst.NounEncryption},
+		RunFunc: func(args []string) int {
+			return cli.RunResultHelp
+		},
+		SynopsisText:  "Encryption-as-a-Service with a key managed by DSV (auto)",
+		HelpText:      "Encryption-as-a-Service with a key managed by DSV (auto)",
+		MinNumberArgs: 0,
+	})
+}
+
+func GetAutoKeyCreateCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.NounKey + "/" + cst.Create},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleCreateAutoKey,
+		SynopsisText: "Create a new auto key for encryption/decryption",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Create, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path): cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetEncryptionRotateCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Rotate},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleRotate,
+		SynopsisText: "Rotate existing data with a later or new version of the key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s --%[3]s "mykeys/key1 --%[4]s '$fh9d87g' --%[5]s 4"
+   • %[1]s %[2]s --%[3]s "mykeys/key1 --%[4]s @cipher.enc --%[5]s 0 --%[6]s 3"
+		`, cst.NounEncryption, cst.Rotate, cst.Path, cst.Data, cst.VersionStart, cst.VersionEnd),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):         cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Data):         cli.PredictorWrapper{preds.NewPrefixFilePredictor("*"), preds.NewFlagValue(preds.Params{Name: cst.Data, Shorthand: "d", Usage: "Ciphertext to be re-encrypted. Pass a string literal in quotes or specify a filepath prefixed with '@' (required)"}), false},
+			preds.LongFlag(cst.VersionStart): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.VersionStart, Shorthand: "", Usage: "Starting version of the auto key (required)"}), false},
+			preds.LongFlag(cst.VersionEnd):   cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.VersionEnd, Shorthand: "", Usage: "Ending version of the auto key"}), false},
+			preds.LongFlag(cst.Output):       cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Output, Shorthand: "", Usage: "Output file for encrypted value and metadata"}), false},
+		},
+		MinNumberArgs: 5,
+	})
+}
+
+func GetAutoKeyReadMetadataCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.NounKey + "/" + cst.Read},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleReadAutoKey,
+		SynopsisText: "Read metadata of an existing auto key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Read, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path): cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetAutoKeyDeleteCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.NounKey + "/" + cst.Delete},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleDeleteAutoKey,
+		SynopsisText: "Delete an existingn auto key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Delete, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):  cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Force): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Force, Shorthand: "", Usage: fmt.Sprintf("Immediately delete %s and all its versions", cst.NounKey), Global: false, ValueType: "bool"}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetAutoKeyRestoreCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.NounKey + "/" + cst.Restore},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleRestoreAutoKey,
+		SynopsisText: "Restore a previously soft-deletedn auto key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Restore, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path): cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetEncryptCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Encrypt},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleEncrypt,
+		SynopsisText: "Encrypt data using an auto key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s --%[3]s 'hello world' --%[4]s mykeys/key1
+   • %[1]s %[2]s --%[3]s @mysecret.txt --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.Encrypt, cst.Data, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):    cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Version): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Version, Shorthand: "", Usage: fmt.Sprintf("Version of the %s used for encryption/decryption", cst.NounKey)}), false},
+			preds.LongFlag(cst.Data):    cli.PredictorWrapper{preds.NewPrefixFilePredictor("*"), preds.NewFlagValue(preds.Params{Name: cst.Data, Shorthand: "d", Usage: "A plaintext string or path to a @file with data to be encrypted"}), false},
+			preds.LongFlag(cst.Output):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Output, Shorthand: "", Usage: "Output file for encrypted value and metadata"}), false},
+		},
+		MinNumberArgs: 4,
+	})
+}
+
+func GetDecryptCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Decrypt},
+		RunFunc:      encryption{requests.NewHttpClient(), nil}.handleDecrypt,
+		SynopsisText: "Decrypt data using an auto key that had performed encryption",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s --%[3]s 'hello world' --%[4]s mykeys/key1
+   • %[1]s %[2]s --%[3]s @mysecret.txt"
+		`, cst.NounEncryption, cst.Decrypt, cst.Data, cst.Path, cst.Version),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):    cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Version): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Version, Shorthand: "", Usage: fmt.Sprintf("Version of the %s used for encryption/decryption", cst.NounKey)}), false},
+			preds.LongFlag(cst.Data):    cli.PredictorWrapper{preds.NewPrefixFilePredictor("*"), preds.NewFlagValue(preds.Params{Name: cst.Data, Shorthand: "d", Usage: "A ciphertext string or path to a @file with data to be decrypted"}), false},
+			preds.LongFlag(cst.Output):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Output, Shorthand: "", Usage: "Output file for decrypted value and metadata"}), false},
+		},
+		MinNumberArgs: 2,
+	})
+}
+
+func (e encryption) handleCreateAutoKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleReadAutoKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodGet, uri, nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleDeleteAutoKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	force := viper.GetBool(cst.Force)
+	query := map[string]string{"force": strconv.FormatBool(force)}
+	uri, err := e.makeKeyURL(path, query)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodDelete, uri, nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleRestoreAutoKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodPut, uri+"/restore", nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleRotate(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		e.outClient.FailF("%s is required", cst.Path)
+		return 1
+	}
+
+	versionStart := viper.GetString(cst.VersionStart)
+	if versionStart == "" {
+		e.outClient.FailF("%s is required", cst.VersionStart)
+		return 1
+	}
+
+	data := viper.GetString(cst.Data)
+	if data == "" {
+		e.outClient.FailF("Please provide a value for %s. Either a string in quotes or a path to a file (@myfile.txt).", cst.Data)
+		return 1
+	}
+
+	filename := paths.GetFilenameFromArgs(args)
+	isDataInFile := filename != ""
+	var body rotationRequest
+	if isDataInFile {
+		var dr rotationRequest
+		err := json.Unmarshal([]byte(data), &dr)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		body = dr
+	} else {
+		body.Ciphertext = data
+		body.Path = path
+	}
+
+	if len(body.Ciphertext) > MaxPayloadSizeBytes {
+		e.outClient.Fail(ErrPayloadTooLarge)
+		return 1
+	}
+
+	body.StartingVersion = versionStart
+	body.EndingVersion = viper.GetString(cst.VersionEnd)
+
+	basePath := strings.Join([]string{"crypto", cst.Rotate}, "/")
+	uri := paths.CreateURI(basePath, nil)
+
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	if apiError != nil {
+		e.outClient.FailE(apiError)
+		return 1
+	}
+
+	if isDataInFile {
+		var newFileName string
+		output := viper.GetString(cst.Output)
+		if output != "" {
+			newFileName = output
+		} else {
+			info, _ := os.Stat(filename)
+			newFileName = info.Name()
+		}
+
+		err := ioutil.WriteFile(newFileName, resp, 0664)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		e.outClient.WriteResponse([]byte(fmt.Sprintf("Re-encrypted data with metadata successfully saved in %s.", newFileName)), nil)
+		return 0
+	}
+
+	e.outClient.WriteResponse(resp, nil)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleEncrypt(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		e.outClient.FailF("%s is required", cst.Path)
+		return 1
+	}
+
+	data := viper.GetString(cst.Data)
+	if data == "" {
+		e.outClient.FailF("Please provide a value for %s. Either a string in quotes or a path to a file (@myfile.txt).", cst.Data)
+		return 1
+	}
+
+	filename := paths.GetFilenameFromArgs(args)
+	isDataInFile := filename != ""
+	if isDataInFile {
+		data = base64Encode(data)
+	}
+	if len(data) > MaxPayloadSizeBytes {
+		e.outClient.Fail(ErrPayloadTooLarge)
+		return 1
+	}
+
+	body := encryptionRequest{Path: path, Plaintext: data, Version: viper.GetString(cst.Version)}
+	basePath := strings.Join([]string{"crypto", cst.Encrypt}, "/")
+	uri := paths.CreateURI(basePath, nil)
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	if apiError != nil {
+		e.outClient.FailE(apiError)
+		return 1
+	}
+
+	if isDataInFile {
+		var newFileName string
+		output := viper.GetString(cst.Output)
+		if output != "" {
+			newFileName = output
+		} else {
+			info, _ := os.Stat(filename)
+			newFileName = info.Name() + ".enc"
+		}
+
+		err := ioutil.WriteFile(newFileName, resp, 0664)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		e.outClient.WriteResponse([]byte(fmt.Sprintf("Ciphertext with metadata successfully saved in %s.", newFileName)), nil)
+		return 0
+	}
+
+	e.outClient.WriteResponse(resp, nil)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) handleDecrypt(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	data := viper.GetString(cst.Data)
+	if data == "" {
+		e.outClient.FailF("Please provide a value for %s. Either a string in quotes or a path to a file (@myfile.txt).", cst.Data)
+		return 1
+	}
+
+	filename := paths.GetFilenameFromArgs(args)
+	isDataInFile := filename != ""
+
+	var body decryptionRequest
+	if isDataInFile {
+		var dr decryptionRequest
+		err := json.Unmarshal([]byte(data), &dr)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		body = dr
+	} else {
+		path := viper.GetString(cst.Path)
+		if path == "" {
+			e.outClient.FailF("%s is required", cst.Path)
+			return 1
+		}
+		body.Path = path
+		body.Ciphertext = data
+		body.Version = viper.GetString(cst.Version)
+	}
+
+	if len(body.Ciphertext) > MaxPayloadSizeBytes {
+		e.outClient.Fail(ErrPayloadTooLarge)
+		return 1
+	}
+
+	basePath := strings.Join([]string{"crypto", cst.Decrypt}, "/")
+	uri := paths.CreateURI(basePath, nil)
+
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	if apiError != nil {
+		e.outClient.FailE(apiError)
+		return 1
+	}
+
+	if isDataInFile {
+		var dr decryptionResponse
+		err := json.Unmarshal(resp, &dr)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+
+		resp, _ = json.Marshal(dr)
+
+		var newFileName string
+		output := viper.GetString(cst.Output)
+		if output != "" {
+			newFileName = output
+		} else {
+			info, _ := os.Stat(filename)
+			newFileName = info.Name() + ".txt"
+		}
+
+		err = ioutil.WriteFile(newFileName, resp, 0664)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		e.outClient.WriteResponse([]byte(fmt.Sprintf("Decrypted data with metadata successfully saved in %s.", newFileName)), nil)
+		return 0
+	}
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e encryption) makeKeyURL(path string, query map[string]string) (string, *errors.ApiError) {
+	return paths.GetResourceURIFromResourcePath("crypto/key", path, "", "", true, query, false)
+}
+
+type rotationRequest struct {
+	Path            string `json:"path"`
+	Ciphertext      string `json:"ciphertext"`
+	StartingVersion string `json:"startingVersion"`
+	EndingVersion   string `json:"endingVersion"`
+}
+
+type encryptionRequest struct {
+	Path      string `json:"path"`
+	Plaintext string `json:"plaintext"`
+	Version   string `json:"version"`
+}
+
+type decryptionRequest struct {
+	Path       string `json:"path"`
+	Ciphertext string `json:"ciphertext"`
+	Version    string `json:"version"`
+}
+
+type decryptionResponse struct {
+	Path    string `json:"path"`
+	Data    string `json:"data"`
+	Version string `json:"version"`
+}
diff --git a/commands/encryption_manual.go b/commands/encryption_manual.go
new file mode 100644
index 00000000..1fa4f831
--- /dev/null
+++ b/commands/encryption_manual.go
@@ -0,0 +1,478 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"strconv"
+	"strings"
+
+	cst "thy/constants"
+	"thy/errors"
+	"thy/format"
+	"thy/paths"
+	preds "thy/predictors"
+	"thy/requests"
+	"thy/utils"
+
+	"github.com/posener/complete"
+	"github.com/spf13/viper"
+	"github.com/thycotic-rd/cli"
+)
+
+type manualKeyEncryption struct {
+	request   requests.Client
+	outClient format.OutClient
+}
+
+func GetCryptoManualCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path: []string{cst.NounEncryption, cst.Manual},
+		RunFunc: func(args []string) int {
+			return cli.RunResultHelp
+		},
+		SynopsisText:  "Encryption-as-a-Service with a Manual Key",
+		HelpText:      "Encryption-as-a-Service with a Manual Key",
+		MinNumberArgs: 0,
+	})
+}
+
+func GetManualKeyUploadCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Manual, cst.NounKey + "-" + cst.Upload},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleUploadManualKey,
+		SynopsisText: "Upload a new manual encryption/decryption key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1 --%[5]s %[6]s --%[7]s %[8]s --%[9]s %[10]s
+		`, cst.NounEncryption, cst.Manual, cst.NounKey+"-"+cst.Upload, cst.Path,
+			cst.Scheme, "symmetric", cst.PrivateKey, cst.ExamplePrivateKey, cst.Nonce, cst.ExampleNonce),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):       cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.PrivateKey): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.PrivateKey, Usage: "Private key base64-encoded (required)"}), false},
+			preds.LongFlag(cst.Scheme):     cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Scheme, Usage: "Encryption scheme (required)"}), false},
+			preds.LongFlag(cst.Nonce):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Nonce, Usage: "Nonce base64-encoded (optional)"}), false},
+			preds.LongFlag(cst.Metadata):   cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Metadata, Usage: "Metadata as a JSON object (optional)"}), false},
+		},
+		MinNumberArgs: 6,
+	})
+}
+
+func GetManualKeyUpdateCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Manual, cst.NounKey + "-" + cst.Update},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleUpdateManualKey,
+		SynopsisText: "Update an existing encryption key for encryption/decryption",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1 --%[5]s %[6]s
+		`, cst.NounEncryption, cst.Manual, cst.NounKey+"-"+cst.Update, cst.Path,
+			cst.PrivateKey, cst.ExamplePrivateKey),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):       cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.PrivateKey): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.PrivateKey, Usage: "Private key base64-encoded (required)"}), false},
+			preds.LongFlag(cst.Nonce):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Nonce, Usage: "Nonce base64-encoded (optional)"}), false},
+			preds.LongFlag(cst.Metadata):   cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Metadata, Usage: "Metadata as a JSON object (optional)"}), false},
+		},
+		MinNumberArgs: 4,
+	})
+}
+
+func GetManualKeyReadCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Manual, cst.NounKey + "/" + cst.Read},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleReadManualKey,
+		SynopsisText: "Read an existing manual encryption key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Read, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path): cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetManualKeyDeleteCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Manual, cst.NounKey + "/" + cst.Delete},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleDeleteManualKey,
+		SynopsisText: "Delete an existing manual encryption key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.Manual, cst.Delete, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):  cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Force): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Force, Shorthand: "", Usage: fmt.Sprintf("Immediately delete %s and all its versions", cst.NounKey), Global: false, ValueType: "bool"}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetManualKeyRestoreCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.NounKey + "/" + cst.Restore},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleRestoreManualKey,
+		SynopsisText: "Restore a previously soft-deleted manual encryption key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s mykeys/key1
+		`, cst.NounEncryption, cst.NounKey, cst.Restore, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path): cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+		},
+		MinNumberArgs: 1,
+	})
+}
+
+func GetManualKeyEncryptCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Encrypt},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleManualKeyEncrypt,
+		SynopsisText: "Encrypt data using a manual key",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s 'hello world' --%[5]s mykeys/key1
+   • %[1]s %[2]s %[3]s --%[4]s @mysecret.txt --%[5]s mykeys/key1
+		`, cst.NounEncryption, cst.Manual, cst.Encrypt, cst.Data, cst.Path),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):    cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s (required)", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Version): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Version, Shorthand: "", Usage: fmt.Sprintf("Version of the %s used for encryption/decryption", cst.NounKey)}), false},
+			preds.LongFlag(cst.Data):    cli.PredictorWrapper{preds.NewPrefixFilePredictor("*"), preds.NewFlagValue(preds.Params{Name: cst.Data, Shorthand: "d", Usage: "A plaintext string or path to a @file with data to be encrypted"}), false},
+			preds.LongFlag(cst.Output):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Output, Shorthand: "", Usage: "Output file for encrypted value and metadata"}), false},
+		},
+		MinNumberArgs: 4,
+	})
+}
+
+func GetManualKeyDecryptCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounEncryption, cst.Decrypt},
+		RunFunc:      manualKeyEncryption{requests.NewHttpClient(), nil}.handleManualKeyDecrypt,
+		SynopsisText: "Decrypt data using a manual key that had performed encryption",
+		HelpText: fmt.Sprintf(`
+Usage:
+   • %[1]s %[2]s %[3]s --%[4]s 'hello world' --%[5]s mykeys/key1
+   • %[1]s %[2]s %[3]s --%[4]s @mysecret.txt"
+		`, cst.NounEncryption, cst.Manual, cst.Decrypt, cst.Data, cst.Path, cst.Version),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):    cli.PredictorWrapper{preds.NewSecretPathPredictorDefault(), preds.NewFlagValue(preds.Params{Name: cst.Path, Shorthand: "r", Usage: fmt.Sprintf("Target %s to a %s", cst.Path, cst.NounKey)}), false},
+			preds.LongFlag(cst.Version): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Version, Shorthand: "", Usage: fmt.Sprintf("Version of the %s used for encryption/decryption", cst.NounKey)}), false},
+			preds.LongFlag(cst.Data):    cli.PredictorWrapper{preds.NewPrefixFilePredictor("*"), preds.NewFlagValue(preds.Params{Name: cst.Data, Shorthand: "d", Usage: "A ciphertext string or path to a @file with data to be decrypted"}), false},
+			preds.LongFlag(cst.Output):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Output, Shorthand: "", Usage: "Output file for decrypted value and metadata"}), false},
+		},
+		MinNumberArgs: 2,
+	})
+}
+
+func (e manualKeyEncryption) handleUploadManualKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		e.outClient.FailF("%s is required", cst.Path)
+		return 1
+	}
+
+	privateKey := viper.GetString(cst.PrivateKey)
+	if privateKey == "" {
+		e.outClient.FailF("%s is required", cst.PrivateKey)
+		return 1
+	}
+
+	scheme := viper.GetString(cst.Scheme)
+	if scheme == "" {
+		e.outClient.FailF("%s is required", cst.Scheme)
+		return 1
+	}
+
+	nonce := viper.GetString(cst.Nonce)
+	metadata := viper.GetString(cst.Metadata)
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	body := manualKeyData{
+		PrivateKey: privateKey,
+		Nonce:      nonce,
+		Scheme:     scheme,
+	}
+
+	if metadata != "" {
+		var metadataMap map[string]interface{}
+		if err := json.Unmarshal([]byte(metadata), &metadataMap); err != nil {
+			e.outClient.FailS("failed to parse the metadata")
+		} else {
+			body.Metadata = metadataMap
+		}
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleUpdateManualKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		e.outClient.FailF("%s is required", cst.Path)
+		return 1
+	}
+
+	privateKey := viper.GetString(cst.PrivateKey)
+	if privateKey == "" {
+		e.outClient.FailF("%s is required", cst.PrivateKey)
+		return 1
+	}
+
+	nonce := viper.GetString(cst.Nonce)
+	metadata := viper.GetString(cst.Metadata)
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	body := manualKeyData{
+		PrivateKey: privateKey,
+		Nonce:      nonce,
+	}
+
+	if metadata != "" {
+		var metadataMap map[string]interface{}
+		if err := json.Unmarshal([]byte(metadata), &metadataMap); err != nil {
+			e.outClient.FailS("failed to parse the metadata")
+		} else {
+			body.Metadata = metadataMap
+		}
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodPut, uri, body)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleReadManualKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodGet, uri, nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleDeleteManualKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	force := viper.GetBool(cst.Force)
+	query := map[string]string{"force": strconv.FormatBool(force)}
+	uri, err := e.makeKeyURL(path, query)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodDelete, uri, nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleRestoreManualKey(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		path = paths.GetPath(args)
+	}
+
+	uri, err := e.makeKeyURL(path, nil)
+	if err != nil {
+		e.outClient.Fail(err)
+		return utils.GetExecStatus(err)
+	}
+
+	resp, apiError := e.request.DoRequest(http.MethodPut, uri+"/restore", nil)
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleManualKeyEncrypt(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+	path := viper.GetString(cst.Path)
+	if path == "" {
+		e.outClient.FailF("%s is required", cst.Path)
+		return 1
+	}
+
+	data := viper.GetString(cst.Data)
+	if data == "" {
+		e.outClient.FailF("Please provide a value for %s. Either a string in quotes or a path to a file (@myfile.txt).", cst.Data)
+		return 1
+	}
+
+	filename := paths.GetFilenameFromArgs(args)
+	isDataInFile := filename != ""
+	if isDataInFile {
+		data = base64Encode(data)
+	}
+	if len(data) > MaxPayloadSizeBytes {
+		e.outClient.Fail(ErrPayloadTooLarge)
+		return 1
+	}
+
+	body := encryptionRequest{Path: path, Plaintext: data, Version: viper.GetString(cst.Version)}
+	basePath := strings.Join([]string{"crypto/manual", cst.Encrypt}, "/")
+	uri := paths.CreateURI(basePath, nil)
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	if apiError != nil {
+		e.outClient.FailE(apiError)
+		return 1
+	}
+
+	if isDataInFile {
+		var newFileName string
+		output := viper.GetString(cst.Output)
+		if output != "" {
+			newFileName = output
+		} else {
+			info, _ := os.Stat(filename)
+			newFileName = info.Name() + ".enc"
+		}
+
+		err := ioutil.WriteFile(newFileName, resp, 0664)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		e.outClient.WriteResponse([]byte(fmt.Sprintf("Ciphertext with metadata successfully saved in %s.", newFileName)), nil)
+		return 0
+	}
+
+	e.outClient.WriteResponse(resp, nil)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) handleManualKeyDecrypt(args []string) int {
+	if e.outClient == nil {
+		e.outClient = format.NewDefaultOutClient()
+	}
+
+	data := viper.GetString(cst.Data)
+	if data == "" {
+		e.outClient.FailF("Please provide a value for %s. Either a string in quotes or a path to a file (@myfile.txt).", cst.Data)
+		return 1
+	}
+
+	filename := paths.GetFilenameFromArgs(args)
+	isDataInFile := filename != ""
+
+	var body decryptionRequest
+	if isDataInFile {
+		var dr decryptionRequest
+		err := json.Unmarshal([]byte(data), &dr)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		body = dr
+	} else {
+		path := viper.GetString(cst.Path)
+		if path == "" {
+			e.outClient.FailF("%s is required", cst.Path)
+			return 1
+		}
+		body.Path = path
+		body.Ciphertext = data
+		body.Version = viper.GetString(cst.Version)
+	}
+
+	if len(body.Ciphertext) > MaxPayloadSizeBytes {
+		e.outClient.Fail(ErrPayloadTooLarge)
+		return 1
+	}
+
+	basePath := strings.Join([]string{"crypto/manual", cst.Decrypt}, "/")
+	uri := paths.CreateURI(basePath, nil)
+
+	resp, apiError := e.request.DoRequest(http.MethodPost, uri, body)
+	if apiError != nil {
+		e.outClient.FailE(apiError)
+		return 1
+	}
+
+	if isDataInFile {
+		var dr decryptionResponse
+		err := json.Unmarshal(resp, &dr)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+
+		resp, _ = json.Marshal(dr)
+
+		var newFileName string
+		output := viper.GetString(cst.Output)
+		if output != "" {
+			newFileName = output
+		} else {
+			info, _ := os.Stat(filename)
+			newFileName = info.Name() + ".txt"
+		}
+
+		err = ioutil.WriteFile(newFileName, resp, 0664)
+		if err != nil {
+			e.outClient.Fail(err)
+			return 1
+		}
+		e.outClient.WriteResponse([]byte(fmt.Sprintf("Decrypted data with metadata successfully saved in %s.", newFileName)), nil)
+		return 0
+	}
+	e.outClient.WriteResponse(resp, apiError)
+	return utils.GetExecStatus(apiError)
+}
+
+func (e manualKeyEncryption) makeKeyURL(path string, query map[string]string) (string, *errors.ApiError) {
+	return paths.GetResourceURIFromResourcePath("crypto/manual/key", path, "", "", true, query, false)
+}
+
+type manualKeyData struct {
+	Scheme     string                 `json:"scheme"`
+	PrivateKey string                 `json:"privateKey"`
+	Nonce      string                 `json:"nonce"`
+	Metadata   map[string]interface{} `json:"metadata"`
+}
diff --git a/commands/report.go b/commands/report.go
new file mode 100644
index 00000000..a50c574d
--- /dev/null
+++ b/commands/report.go
@@ -0,0 +1,331 @@
+package cmd
+
+import (
+	"fmt"
+	cst "thy/constants"
+	"thy/format"
+	"thy/paths"
+	preds "thy/predictors"
+	"thy/requests"
+	"thy/utils"
+
+	"github.com/posener/complete"
+
+	"github.com/shurcooL/graphql"
+
+	"github.com/spf13/viper"
+
+	"github.com/thycotic-rd/cli"
+)
+
+type report struct {
+	graphClient requests.GraphClient
+	outClient   format.OutClient
+}
+
+func GetSecretReportCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounReport},
+		RunFunc:      report{graphClient: requests.NewGraphClient()}.handleSecretReport,
+		SynopsisText: "report secret",
+		HelpText: fmt.Sprintf(`Read secret report records
+
+Usage:
+   • %[1]s --%[2]s /x/y/z --%[3]s testUser --%[4]s sysadmins --%[5]s role1 --%[6]s 5
+   • %[1]s --%[2]s 2020-01-01
+   `, cst.NounReport, cst.Path, cst.NounUser, cst.NounGroup, cst.NounRole, cst.Limit),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.Path):      cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Path, Usage: "Path (optional)"}), false},
+			preds.LongFlag(cst.NounUser):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.NounUser, Usage: "User name (optional)"}), false},
+			preds.LongFlag(cst.NounGroup): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.NounGroup, Usage: "Group name (optional)"}), false},
+			preds.LongFlag(cst.NounRole):  cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.NounRole, Usage: "Role name (optional)"}), false},
+			preds.LongFlag(cst.Limit):     cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Limit, Shorthand: "l", Usage: "Maximum number of results per cursor (optional)"}), false},
+		},
+		MinNumberArgs: 0,
+	})
+}
+
+func GetGroupReportCmd() (cli.Command, error) {
+	return NewCommand(CommandArgs{
+		Path:         []string{cst.NounReport},
+		RunFunc:      report{graphClient: requests.NewGraphClient()}.handleGroupReport,
+		SynopsisText: "report group",
+		HelpText: fmt.Sprintf(`Read group report records
+
+Usage:
+   • %[1]s  --%[2]s testUser  --%[3]s role1 --%[4]s 5
+   • %[1]s --%[2]s 2020-01-01
+   `, cst.NounReport, cst.NounUser, cst.NounRole, cst.Limit),
+		FlagsPredictor: cli.PredictorWrappers{
+			preds.LongFlag(cst.NounUser): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.NounUser, Usage: "User name (optional)"}), false},
+			preds.LongFlag(cst.NounRole): cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.NounRole, Usage: "Role name (optional)"}), false},
+			preds.LongFlag(cst.Limit):    cli.PredictorWrapper{complete.PredictAnything, preds.NewFlagValue(preds.Params{Name: cst.Limit, Shorthand: "l", Usage: "Maximum number of results per cursor (optional)"}), false},
+		},
+		MinNumberArgs: 0,
+	})
+}
+
+func (r report) handleSecretReport(args []string) int {
+	user := viper.GetString(cst.NounUser)
+	group := viper.GetString(cst.NounGroup)
+	path := viper.GetString(cst.Path)
+	role := viper.GetString(cst.NounRole)
+	limit := viper.GetInt(cst.Limit)
+
+	if r.outClient == nil {
+		r.outClient = format.NewDefaultOutClient()
+	}
+
+	switch {
+	case user != "":
+		return r.reportUserSecret(limit, user, path)
+	case group != "":
+		return r.reportGroupSecret(limit, group, path)
+	case role != "":
+		return r.reportRoleSecret(limit, role, path)
+		//read sign in user record
+	default:
+		return r.reportSignInUserSecret(limit, path)
+	}
+}
+
+func (r report) handleGroupReport(args []string) int {
+	user := viper.GetString(cst.NounUser)
+	role := viper.GetString(cst.NounRole)
+
+	if r.outClient == nil {
+		r.outClient = format.NewDefaultOutClient()
+	}
+
+	switch {
+	case user != "":
+		return r.reportUserGroup(user)
+
+	case role != "":
+		return r.reportRoleGroup(role)
+
+		//read sign in user record
+	default:
+		return r.reportSignInGroup()
+	}
+}
+
+func (r report) reportRoleSecret(limit int, role string, path string) int {
+	var query struct {
+		Role struct {
+			Name           graphql.String
+			ExternalID     graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			Description    graphql.String
+			Secrets        []struct {
+				Actions        []graphql.String
+				ID             graphql.String
+				Path           graphql.String
+				Created        graphql.String
+				LastModified   graphql.String
+				LastModifiedBy graphql.String
+				Version        graphql.String
+			} `graphql:"secrets(limit:$limit, path:$path)"`
+		} `graphql:"role(name: $role)" json:"data"`
+	}
+
+	variables := map[string]interface{}{
+		"limit": graphql.Int(limit),
+		"role":  graphql.String(role),
+		"path":  graphql.String(path),
+	}
+
+	uri := paths.CreateURI("report/query", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, err)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportGroupSecret(limit int, group string, path string) int {
+	var query struct {
+		Group struct {
+			Name           graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			Secrets        []struct {
+				Actions        []graphql.String
+				ID             graphql.String
+				Path           graphql.String
+				Created        graphql.String
+				LastModified   graphql.String
+				LastModifiedBy graphql.String
+				Version        graphql.String
+			} `graphql:"secrets(limit:$limit, path:$path)"`
+		} `graphql:"group(groupName: $group)" json:"data"`
+	}
+	variables := map[string]interface{}{
+		"limit": graphql.Int(limit),
+		"group": graphql.String(group),
+		"path":  graphql.String(path),
+	}
+
+	uri := paths.CreateURI("report/query", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, err)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportUserSecret(limit int, user string, path string) int {
+	var query struct {
+		User struct {
+			UserName       graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			Secrets        []struct {
+				Actions        []graphql.String
+				ID             graphql.String
+				Path           graphql.String
+				Created        graphql.String
+				LastModified   graphql.String
+				LastModifiedBy graphql.String
+				Version        graphql.String
+			} `graphql:"secrets(limit:$limit, path:$path)"`
+		} `graphql:"user(name: $user)" json:"data"`
+	}
+
+	variables := map[string]interface{}{
+		"limit": graphql.Int(limit),
+		"user":  graphql.String(user),
+		"path":  graphql.String(path),
+	}
+
+	uri := paths.CreateURI("report/query", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, err)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportSignInUserSecret(limit int, path string) int {
+	var query struct {
+		Me struct {
+			UserName       graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			Secrets        []struct {
+				Actions        []graphql.String
+				ID             graphql.String
+				Path           graphql.String
+				Created        graphql.String
+				LastModified   graphql.String
+				LastModifiedBy graphql.String
+				Version        graphql.String
+			} `graphql:"secrets(limit:$limit, path:$path)"`
+			Home []struct {
+				ID             graphql.String
+				Path           graphql.String
+				Created        graphql.String
+				LastModified   graphql.String
+				LastModifiedBy graphql.String
+				Version        graphql.String
+			} `graphql:"home(limit:$limit)"`
+		} `json:"data"`
+	}
+
+	variables := map[string]interface{}{
+		"limit": graphql.Int(limit),
+		"path":  graphql.String(path),
+	}
+	uri := paths.CreateURI("report/me", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, err)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportSignInGroup() int {
+	var query struct {
+		Me struct {
+			UserName       graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			MemberOf       []struct {
+				Name  graphql.String
+				Since graphql.String
+			} `json:"group"`
+		} `json:"data"`
+	}
+
+	data, err := r.graphClient.DoRequest(paths.CreateURI("report/me", nil), &query, nil)
+	r.outClient.WriteResponse(data, nil)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportRoleGroup(role string) int {
+	var query struct {
+		Role struct {
+			Name           graphql.String
+			ExternalID     graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			Description    graphql.String
+			MemberOf       []struct {
+				Name  graphql.String
+				Since graphql.String
+			} `json:"group"`
+		} `graphql:"role(name: $role)" json:"data"`
+	}
+
+	variables := map[string]interface{}{
+		"role": graphql.String(role),
+	}
+
+	uri := paths.CreateURI("report/query", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, nil)
+	return utils.GetExecStatus(err)
+}
+
+func (r report) reportUserGroup(user string) int {
+	var query struct {
+		User struct {
+			UserName       graphql.String
+			Provider       graphql.String
+			Created        graphql.String
+			LastModified   graphql.String
+			CreatedBy      graphql.String
+			LastModifiedBy graphql.String
+			Version        graphql.String
+			MemberOf       []struct {
+				Name  graphql.String
+				Since graphql.String
+			} `json:"group"`
+		} `graphql:"user(name: $user)" json:"data"`
+	}
+
+	variables := map[string]interface{}{
+		"user": graphql.String(user),
+	}
+
+	uri := paths.CreateURI("report/query", nil)
+	data, err := r.graphClient.DoRequest(uri, &query, variables)
+	r.outClient.WriteResponse(data, nil)
+	return utils.GetExecStatus(err)
+}
diff --git a/commands/report_test.go b/commands/report_test.go
new file mode 100644
index 00000000..0b589b13
--- /dev/null
+++ b/commands/report_test.go
@@ -0,0 +1,181 @@
+package cmd
+
+import (
+	e "errors"
+	"testing"
+	cst "thy/constants"
+	"thy/errors"
+	"thy/fake"
+
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestHandleSecretReport(t *testing.T) {
+	testCase := []struct {
+		name        string
+		user        string
+		group       string
+		role        string
+		apiResponse []byte
+		out         []byte
+		expectedErr *errors.ApiError
+	}{
+		{
+			"User",
+			"user1",
+			"",
+			"",
+			[]byte(`user data`),
+			[]byte(`user data`),
+			nil},
+		{
+			"group",
+			"",
+			"group1",
+			"",
+			[]byte(`group data`),
+			[]byte(`group data`),
+			nil},
+		{
+			"role",
+			"",
+			"",
+			"role1",
+			[]byte(`role data`),
+			[]byte(`role data`),
+			nil},
+		{
+			"Sign in User",
+			"",
+			"",
+			"",
+			[]byte(`user data`),
+			[]byte(`user data`),
+			nil},
+		{
+			"api Error",
+			"user1",
+			"",
+			"",
+			[]byte(`test`),
+			[]byte(`test`),
+			errors.New(e.New("error")),
+		},
+	}
+
+	_, err := GetSecretReportCmd()
+	assert.Nil(t, err)
+
+	viper.Set(cst.Version, "v1")
+	for _, tt := range testCase {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			acmd := &fake.FakeOutClient{}
+			var data []byte
+			var err *errors.ApiError
+			acmd.WriteResponseStub = func(bytes []byte, apiError *errors.ApiError) {
+				data = bytes
+				err = apiError
+			}
+
+			req := &fake.FakeGraphClient{}
+			req.DoRequestStub = func(string, interface{}, map[string]interface{}) ([]byte, *errors.ApiError) {
+				return tt.out, tt.expectedErr
+			}
+			viper.Set(cst.NounUser, tt.user)
+			viper.Set(cst.NounGroup, tt.group)
+			viper.Set(cst.NounRole, tt.role)
+
+			r := report{req, acmd}
+			_ = r.handleSecretReport([]string{})
+			if tt.expectedErr == nil {
+				assert.Equal(t, tt.out, data)
+			} else {
+				assert.Equal(t, tt.expectedErr, err)
+			}
+		})
+	}
+}
+
+func TestHandleGroupReport(t *testing.T) {
+	testCase := []struct {
+		name        string
+		user        string
+		role        string
+		apiResponse []byte
+		out         []byte
+		expectedErr *errors.ApiError
+	}{
+		{
+			"User",
+			"user1",
+			"",
+			[]byte(`user data`),
+			[]byte(`user data`),
+			nil},
+		{
+			"group",
+			"",
+			"",
+			[]byte(`group data`),
+			[]byte(`group data`),
+			nil},
+		{
+			"role",
+			"",
+			"role1",
+			[]byte(`role data`),
+			[]byte(`role data`),
+			nil},
+		{
+			"Sign in User",
+			"",
+			"",
+			[]byte(`user data`),
+			[]byte(`user data`),
+			nil},
+		{
+			"api Error",
+			"user1",
+			"",
+			[]byte(`test`),
+			[]byte(`test`),
+			errors.New(e.New("error")),
+		},
+	}
+
+	_, err := GetSecretReportCmd()
+	assert.Nil(t, err)
+
+	viper.Set(cst.Version, "v1")
+	for _, tt := range testCase {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			acmd := &fake.FakeOutClient{}
+			var data []byte
+			var err *errors.ApiError
+			acmd.WriteResponseStub = func(bytes []byte, apiError *errors.ApiError) {
+				data = bytes
+				err = apiError
+			}
+
+			req := &fake.FakeGraphClient{}
+			req.DoRequestStub = func(string, interface{}, map[string]interface{}) ([]byte, *errors.ApiError) {
+				return tt.out, tt.expectedErr
+			}
+			viper.Set(cst.NounUser, tt.user)
+			viper.Set(cst.NounRole, tt.role)
+
+			r := report{req, acmd}
+			_ = r.handleSecretReport([]string{})
+			if tt.expectedErr == nil {
+				assert.Equal(t, tt.out, data)
+			} else {
+				assert.Equal(t, tt.expectedErr, err)
+			}
+		})
+	}
+}
diff --git a/constants/commands.go b/constants/commands.go
index 7975b765..00711029 100644
--- a/constants/commands.go
+++ b/constants/commands.go
@@ -6,6 +6,7 @@ const (
 	Create         = "create"
 	Update         = "update"
 	Rollback       = "rollback"
+	Upload         = "upload"
 	Edit           = "edit"
 	Delete         = "delete"
 	Describe       = "describe"
@@ -56,8 +57,9 @@ const (
 	NounClientUses      = "uses"
 	NounClientTTL       = "ttl"
 	NounClientDesc      = "desc"
-	NounDataKey         = "key"
+	NounKey             = "key"
 	NounEncryption      = "crypto"
+	NounReport          = "report"
 )
 
 // Cli-Config only
@@ -75,6 +77,7 @@ const (
 	Data                    = "data"
 	Username                = "auth.username"
 	Tenant                  = "tenant"
+	DomainName              = "domain"
 	Password                = "auth.password"
 	SecurePassword          = "auth.securePassword"
 	CurrentPassword         = "currentPassword"
diff --git a/constants/crypto.go b/constants/crypto.go
new file mode 100644
index 00000000..744b2373
--- /dev/null
+++ b/constants/crypto.go
@@ -0,0 +1,14 @@
+package constants
+
+const (
+	Auto   = "auto"
+	Manual = "manual"
+
+	PrivateKey = "private-key"
+	Nonce      = "nonce"
+	Scheme     = "scheme"
+	Metadata   = "metadata"
+
+	ExamplePrivateKey = "MnI1dTh4L0E/RChHK0tiUGVTaFZtWXEzczZ2OXkkQiY="
+	ExampleNonce      = "S1NzeHdFcHB6b1Bz"
+)
diff --git a/constants/doc.go b/constants/doc.go
index ed1c28e2..8011f0e2 100644
--- a/constants/doc.go
+++ b/constants/doc.go
@@ -6,19 +6,19 @@ const (
 	ExamplePolicyPath       = "secrets/databases/mongo-db01"
 	ExampleRoleName         = "gcp-svc-1"
 	ExampleAuthProviderName = "aws-dev"
-	ExamplePath2            = "cloudservices/aws/ec2-provision"
 	ExampleDataJSON         = `'{"Key":"Value","Key2":"Value2"}'`
 	ExampleDataPath         = "@/tmp/data.json"
 	ExampleConfigPath       = "@/tmp/config.yml"
 	ExampleUser             = "kadmin"
 	ExampleSIEM             = "LogsInc"
 	ExamplePassword         = "********"
+	ExampleAuthType         = "clientcred"
 	ExampleUserSearch       = "adm"
 	ExamplePolicySearch     = "secrets/databases"
 	ExampleAuthClientID     = "8sdh2el7-ai29S05a5"
 	ExampleAuthClientSecret = "pLaKNWL99IK2kL-xMI"
+	ExampleDomain           = "secretsvaultcloud.com"
 	ExampleClientID         = "8sdh2el7-ai29S05a5"
-	ExampleClientSecret     = "pLaKNWL99IK2kL-xMI"
 	ExampleGroup            = "administrators"
 	ExampleGroupCreate      = `{"groupName": "administrators"}`
 	ExampleGroupAddMembers  = `{"members": ["member1","member2"]}`
diff --git a/fake/fake_graph_client.go b/fake/fake_graph_client.go
new file mode 100644
index 00000000..cae1d334
--- /dev/null
+++ b/fake/fake_graph_client.go
@@ -0,0 +1,120 @@
+// Code generated by counterfeiter. DO NOT EDIT.
+package fake
+
+import (
+	"sync"
+	"thy/errors"
+	"thy/requests"
+)
+
+type FakeGraphClient struct {
+	DoRequestStub        func(string, interface{}, map[string]interface{}) ([]byte, *errors.ApiError)
+	doRequestMutex       sync.RWMutex
+	doRequestArgsForCall []struct {
+		arg1 string
+		arg2 interface{}
+		arg3 map[string]interface{}
+	}
+	doRequestReturns struct {
+		result1 []byte
+		result2 *errors.ApiError
+	}
+	doRequestReturnsOnCall map[int]struct {
+		result1 []byte
+		result2 *errors.ApiError
+	}
+	invocations      map[string][][]interface{}
+	invocationsMutex sync.RWMutex
+}
+
+func (fake *FakeGraphClient) DoRequest(arg1 string, arg2 interface{}, arg3 map[string]interface{}) ([]byte, *errors.ApiError) {
+	fake.doRequestMutex.Lock()
+	ret, specificReturn := fake.doRequestReturnsOnCall[len(fake.doRequestArgsForCall)]
+	fake.doRequestArgsForCall = append(fake.doRequestArgsForCall, struct {
+		arg1 string
+		arg2 interface{}
+		arg3 map[string]interface{}
+	}{arg1, arg2, arg3})
+	stub := fake.DoRequestStub
+	fakeReturns := fake.doRequestReturns
+	fake.recordInvocation("DoRequest", []interface{}{arg1, arg2, arg3})
+	fake.doRequestMutex.Unlock()
+	if stub != nil {
+		return stub(arg1, arg2, arg3)
+	}
+	if specificReturn {
+		return ret.result1, ret.result2
+	}
+	return fakeReturns.result1, fakeReturns.result2
+}
+
+func (fake *FakeGraphClient) DoRequestCallCount() int {
+	fake.doRequestMutex.RLock()
+	defer fake.doRequestMutex.RUnlock()
+	return len(fake.doRequestArgsForCall)
+}
+
+func (fake *FakeGraphClient) DoRequestCalls(stub func(string, interface{}, map[string]interface{}) ([]byte, *errors.ApiError)) {
+	fake.doRequestMutex.Lock()
+	defer fake.doRequestMutex.Unlock()
+	fake.DoRequestStub = stub
+}
+
+func (fake *FakeGraphClient) DoRequestArgsForCall(i int) (string, interface{}, map[string]interface{}) {
+	fake.doRequestMutex.RLock()
+	defer fake.doRequestMutex.RUnlock()
+	argsForCall := fake.doRequestArgsForCall[i]
+	return argsForCall.arg1, argsForCall.arg2, argsForCall.arg3
+}
+
+func (fake *FakeGraphClient) DoRequestReturns(result1 []byte, result2 *errors.ApiError) {
+	fake.doRequestMutex.Lock()
+	defer fake.doRequestMutex.Unlock()
+	fake.DoRequestStub = nil
+	fake.doRequestReturns = struct {
+		result1 []byte
+		result2 *errors.ApiError
+	}{result1, result2}
+}
+
+func (fake *FakeGraphClient) DoRequestReturnsOnCall(i int, result1 []byte, result2 *errors.ApiError) {
+	fake.doRequestMutex.Lock()
+	defer fake.doRequestMutex.Unlock()
+	fake.DoRequestStub = nil
+	if fake.doRequestReturnsOnCall == nil {
+		fake.doRequestReturnsOnCall = make(map[int]struct {
+			result1 []byte
+			result2 *errors.ApiError
+		})
+	}
+	fake.doRequestReturnsOnCall[i] = struct {
+		result1 []byte
+		result2 *errors.ApiError
+	}{result1, result2}
+}
+
+func (fake *FakeGraphClient) Invocations() map[string][][]interface{} {
+	fake.invocationsMutex.RLock()
+	defer fake.invocationsMutex.RUnlock()
+	fake.doRequestMutex.RLock()
+	defer fake.doRequestMutex.RUnlock()
+	copiedInvocations := map[string][][]interface{}{}
+	for key, value := range fake.invocations {
+		copiedInvocations[key] = value
+	}
+	return copiedInvocations
+}
+
+func (fake *FakeGraphClient) recordInvocation(key string, args []interface{}) {
+	fake.invocationsMutex.Lock()
+	defer fake.invocationsMutex.Unlock()
+	if fake.invocations == nil {
+		fake.invocations = map[string][][]interface{}{}
+	}
+	if fake.invocations[key] == nil {
+		fake.invocations[key] = [][]interface{}{}
+	}
+	fake.invocations[key] = append(fake.invocations[key], args)
+}
+
+var _ requests.GraphClient = new(FakeGraphClient)
diff --git a/go.mod b/go.mod
index 412cb4c8..8a769e14 100644
--- a/go.mod
+++ b/go.mod
@@ -13,28 +13,28 @@ require (
 	github.com/fatih/color v1.7.0
 	github.com/gobuffalo/uuid v2.0.5+incompatible
 	github.com/gofrs/uuid v3.2.0+incompatible // indirect
-	github.com/golang/protobuf v1.3.4 // indirect
 	github.com/hokaccha/go-prettyjson v0.0.0-20190818114111-108c894c2c0e
 	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
 	github.com/jarcoal/httpmock v1.0.4
+	github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.1.2
 	github.com/peterbourgon/diskv v2.0.1+incompatible
 	github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4
 	github.com/posener/complete v1.1.1
 	github.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8
+	github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a
 	github.com/spf13/pflag v1.0.3
 	github.com/spf13/viper v1.7.0
 	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/stretchr/testify v1.3.0
 	github.com/thycotic-rd/cli v1.0.1-0.20190221164533-c25d734d6e3d
 	github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51
-	golang.org/x/net v0.0.0-20200301022130-244492dfa37a // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
 	google.golang.org/api v0.13.0
 	google.golang.org/appengine v1.6.5 // indirect
-	gopkg.in/yaml.v2 v2.2.4
+	gopkg.in/yaml.v2 v2.3.0
 )
 
 go 1.16
diff --git a/go.sum b/go.sum
index 502ecde8..771f91c0 100644
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,5 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0 h1:eOI3/cP2VTU6uZLDYAoic+eyzzB9YyGmJ7eIjl8rOPg=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
@@ -13,11 +14,13 @@ cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2k
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
+github.com/Azure/go-autorest/autorest v0.9.3 h1:OZEIaBbMdUE/Js+BQKlpO81XlISgipr6yDJ+PSwsgi4=
 github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0=
 github.com/Azure/go-autorest/autorest v0.9.7 h1:VZK9/I6YsDZd8o6OOdgqJWQQA5x7BSPXHkOndIKW6js=
 github.com/Azure/go-autorest/autorest v0.9.7/go.mod h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630=
 github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
 github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc=
+github.com/Azure/go-autorest/autorest/adal v0.8.1 h1:pZdL8o72rK+avFWl+p9nE8RWi1JInZrWJYlnpfXJwHk=
 github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
 github.com/Azure/go-autorest/autorest/adal v0.8.2 h1:O1X4oexUxnZCaEUGsvMnr8ZGj8HI37tNezwY4npRqA0=
 github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q=
@@ -96,17 +99,30 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.4 h1:87PNWwrRvUSnqS4dlcBU/ftvOIBep4sYuBLlh6rX2wk=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c h1:964Od4U6p2jUkFxvCydnIczKteheJEzHRToSGK3Bnlw=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
@@ -135,6 +151,7 @@ github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdv
 github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90=
+github.com/hashicorp/golang-lru v0.5.0 h1:CL2msUPvZTLb5O648aiLNJw3hnBxN2+1Jq8rCOH9wdo=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -148,6 +165,7 @@ github.com/hokaccha/go-prettyjson v0.0.0-20190818114111-108c894c2c0e h1:0aewS5NT
 github.com/hokaccha/go-prettyjson v0.0.0-20190818114111-108c894c2c0e/go.mod h1:pFlLw2CfqZiIBOx6BuCeRLCrfxBJipTY0nIOF/VbGcI=
 github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c h1:aY2hhxLhjEAbfXOx2nRJxCXezC6CO2V/yN+OCr1srtk=
 github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/jarcoal/httpmock v1.0.4 h1:jp+dy/+nonJE4g4xbVtl9QdrUNbn6/3hDT5R4nDIZnA=
 github.com/jarcoal/httpmock v1.0.4/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
@@ -174,6 +192,8 @@ github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaO
 github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0 h1:8E6DrFvII6QR4eJ3PkFvV+lc03P+2qwqTPLm1ax7694=
+github.com/maxbrunsfeld/counterfeiter/v6 v6.3.0/go.mod h1:fcEyUyXZXoV4Abw8DX0t7wyL8mCDxXyU4iAFZfT3IHw=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -188,7 +208,13 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
+github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
@@ -217,7 +243,10 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8 h1:ajJQhvqPSQFJJ4aV5mDAMx8F7iFi6Dxfo6y62wymLNs=
 github.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8/go.mod h1:Nw/CCOXNyF5JDd6UpYxBwG5WWZ2FOJ/d5QnXL4KQ6vY=
+github.com/sclevine/spec v1.4.0/go.mod h1:LvpgJaFyvQzRvc1kaDs0bulYwzC70PbiYjC4QnFHkOM=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a h1:KikTa6HtAK8cS1qjvUvvq4QO21QnwC+EfvB+OAuZ/ZU=
+github.com/shurcooL/graphql v0.0.0-20200928012149-18c5c3165e3a/go.mod h1:AuYgA5Kyo4c7HfUmvRGs/6rGlMMV/6B1bVnB9JxJEEg=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
@@ -237,6 +266,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -250,6 +280,7 @@ github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51 h1:BP2bjP495BBPaBcS
 github.com/tidwall/pretty v0.0.0-20180105212114-65a9db5fad51/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0 h1:C9hSCOW830chIVkdja34wa6Ky+IzWllkUinR+BtRZd4=
@@ -259,11 +290,15 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413 h1:ULYEB3JvPRE/IfO+9uO7vKV/xzVTO7XPAwm8xbf4w2g=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -282,14 +317,19 @@ golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a h1:oWX7TPOiFAMXLq8o0ikBYfCJVlRHBcsciT5bXOrH628=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -298,35 +338,53 @@ golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201026091529-146b70c837a4 h1:awiuzyrRjJDb+OXi9ceHO3SDxVoN3JER57mhtqkdQBs=
+golang.org/x/net v0.0.0-20201026091529-146b70c837a4/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0 h1:HyfiK1WMnHj5FXFXatD+Qs1A/xC2Run6RzeW1SyHxpc=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -346,7 +404,14 @@ golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191112195655-aa38f8e97acc/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6 h1:rbvTkL9AkFts1cgI78+gG6Yu1pwaqX6hjSJAatB78E4=
+golang.org/x/tools v0.0.0-20201023174141-c8cfbd0f21e6/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -354,12 +419,14 @@ google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEn
 google.golang.org/api v0.13.0 h1:Q3Ui3V3/CVinFWFiW39Iw0kMuVrRzYX0wN6OPFp0lTA=
 google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19 h1:Lj2SnHtxkRGJDqnGaSjo+CCdIieEnwVazbOXILwQemk=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
@@ -373,18 +440,31 @@ google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZi
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1 h1:j6XxA85m/6txkUCHvzlV5f+HBNl/1r5cZ2A/3IEFOO8=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
 gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/main.go b/main.go
index 2bb1a45e..36955546 100644
--- a/main.go
+++ b/main.go
@@ -138,13 +138,31 @@ func runCLI(args []string) (exitStatus int, err error) {
 		"engine delete":                 cmd.GetEngineDeleteCmd,
 		"engine ping":                   cmd.GetEnginePingCmd,
 		"crypto":                        cmd.GetCryptoCmd,
-		"crypto key-create":             cmd.GetDataKeyCreateCmd,
-		"crypto key-read":               cmd.GetDataKeyReadMetadataCmd,
-		"crypto key-delete":             cmd.GetDataKeyDeleteCmd,
-		"crypto key-restore":            cmd.GetDataKeyRestoreCmd,
+		"crypto auto":                   cmd.GetCryptoCmd,
+		"crypto key-create":             cmd.GetAutoKeyCreateCmd,
+		"crypto key-read":               cmd.GetAutoKeyReadMetadataCmd,
+		"crypto key-delete":             cmd.GetAutoKeyDeleteCmd,
+		"crypto key-restore":            cmd.GetAutoKeyRestoreCmd,
 		"crypto encrypt":                cmd.GetEncryptCmd,
 		"crypto decrypt":                cmd.GetDecryptCmd,
 		"crypto rotate":                 cmd.GetEncryptionRotateCmd,
+		"crypto auto key-create":        cmd.GetAutoKeyCreateCmd,
+		"crypto auto key-read":          cmd.GetAutoKeyReadMetadataCmd,
+		"crypto auto key-delete":        cmd.GetAutoKeyDeleteCmd,
+		"crypto auto key-restore":       cmd.GetAutoKeyRestoreCmd,
+		"crypto auto encrypt":           cmd.GetEncryptCmd,
+		"crypto auto decrypt":           cmd.GetDecryptCmd,
+		"crypto auto rotate":            cmd.GetEncryptionRotateCmd,
+		"crypto manual":                 cmd.GetCryptoManualCmd,
+		"crypto manual key-upload":      cmd.GetManualKeyUploadCmd,
+		"crypto manual key-update":      cmd.GetManualKeyUpdateCmd,
+		"crypto manual key-read":        cmd.GetManualKeyReadCmd,
+		"crypto manual key-delete":      cmd.GetManualKeyDeleteCmd,
+		"crypto manual key-restore":     cmd.GetManualKeyRestoreCmd,
+		"crypto manual encrypt":         cmd.GetManualKeyEncryptCmd,
+		"crypto manual decrypt":         cmd.GetManualKeyDecryptCmd,
+		"report secret":                 cmd.GetSecretReportCmd,
+		"report group":                  cmd.GetGroupReportCmd,
 	}
 
 	c.Autocomplete = true
diff --git a/requests/graphclient.go b/requests/graphclient.go
new file mode 100644
index 00000000..f92054c0
--- /dev/null
+++ b/requests/graphclient.go
@@ -0,0 +1,46 @@
+package requests
+
+import (
+	"context"
+	cst "thy/constants"
+	"thy/errors"
+	"thy/format"
+
+	"github.com/spf13/viper"
+	"golang.org/x/oauth2"
+
+	"github.com/shurcooL/graphql"
+)
+
+//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
+
+//counterfeiter:generate . GraphClient
+type GraphClient interface {
+	DoRequest(uri string, query interface{}, variables map[string]interface{}) ([]byte, *errors.ApiError)
+}
+
+type graphClient struct {
+}
+
+func NewGraphClient() GraphClient {
+	return &graphClient{}
+}
+
+func (c *graphClient) DoRequest(uri string, query interface{}, variables map[string]interface{}) ([]byte, *errors.ApiError) {
+	src := oauth2.StaticTokenSource(
+		&oauth2.Token{
+			AccessToken: viper.GetString(cst.NounToken),
+		},
+	)
+	httpClient := oauth2.NewClient(context.Background(), src)
+	client := graphql.NewClient(uri, httpClient)
+	if err := client.Query(context.Background(), query, variables); err != nil {
+		return nil, errors.NewS(err.Error())
+	}
+	resp, err := format.JsonMarshal(&query)
+	if err != nil {
+		return nil, MarshalingError
+	}
+
+	return resp, nil
+}
diff --git a/requests/graphql_test.go b/requests/graphql_test.go
new file mode 100644
index 00000000..e42a9525
--- /dev/null
+++ b/requests/graphql_test.go
@@ -0,0 +1,33 @@
+package requests_test
+
+import (
+	"net/http"
+	"testing"
+	"thy/requests"
+
+	"github.com/shurcooL/graphql"
+
+	"github.com/jarcoal/httpmock"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDoRequest(t *testing.T) {
+	c := requests.NewGraphClient()
+	httpmock.Activate()
+	defer httpmock.DeactivateAndReset()
+	jsonResponse := []byte(`{"data": {"UserName": "json"}`)
+	httpmock.RegisterResponder("POST", "https://localhost:8088",
+		func(req *http.Request) (*http.Response, error) {
+			resp := httpmock.NewBytesResponse(200, jsonResponse)
+			return resp, nil
+		},
+	)
+
+	var query struct {
+		Me struct {
+			UserName graphql.String
+		}
+	}
+	_, err := c.DoRequest("https://localhost:8088", &query, map[string]interface{}{})
+	assert.NotNil(t, err)
+}
diff --git a/tools/tools.go b/tools/tools.go
new file mode 100644
index 00000000..cb715c7c
--- /dev/null
+++ b/tools/tools.go
@@ -0,0 +1,10 @@
+//+build tools
+
+package tools
+
+import (
+	_ "github.com/maxbrunsfeld/counterfeiter/v6"
+)
+
+// Please take a look why we added this file
+// https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module