

fix secret encoding handling

Yaroslav Bolyukin2024-07-05parent: #453e81e.patch.diff
in: trunk

2 files changed

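--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -130,7 +130,7 @@
 .await
 .context("failed to call remote host for decrypt")?;
 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
-ensure!(!data.encrypted, "didn't decrypted secret");
+ensure!(!data.encrypted, "secret came out encrypted");
 Ok(data.data)
 }
 pub async fn reencrypt(&self, data: SecretData, targets: Vec<String>) -> Result<SecretData> {
@@ -147,7 +147,7 @@
 .await
 .context("failed to call remote host for decrypt")?;
 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
-ensure!(!data.encrypted, "didn't decrypted secret");
+ensure!(data.encrypted, "secret came out not encrypted");
 Ok(data)
 }
 /// Returns path for futureproofing, as path might change i.e on conversion to CA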
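Review bot: The error context in `reencrypt` still says decrypt: new-side line 148 reads `.context("failed to call remote host for decrypt")?;` inside the function whose result is now required to be encrypted, so a failed remote call during re-encryption would be reported in logs as a decrypt failure. Suggest `.context("failed to call remote host for reencrypt")?;`. The identical context string in the first hunk belongs to the decrypt path and is correct there. `reencrypt` begins at line 136, before the second hunk, and the function containing the first hunk starts outside the section.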
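--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,7 +5,7 @@
 ...
 }:
 with lib; let
-inherit (lib.strings) hasPrefix stripPrefix;
+inherit (lib.strings) hasPrefix removePrefix;
 plaintextPrefix = "<PLAINTEXT>";
 plaintextNewlinePrefix = "<PLAINTEXT-NL>";
 
@@ -40,9 +40,9 @@
 hash = mkOptionDefault (builtins.hashString "sha1" config.raw);
 data = mkOptionDefault (
 if hasPrefix plaintextPrefix config.raw
-then stripPrefix plaintextPrefix config.raw
+then removePrefix plaintextPrefix config.raw
 else if hasPrefix plaintextNewlinePrefix config.raw
-then stripPrefix plaintextNewlinePrefix config.raw
+then removePrefix plaintextNewlinePrefix config.raw
 else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"
 );
 path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";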
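Review bot: The `throw` on line 46 interpolates `${config.raw}` into the evaluation error, so the full raw value of a mis-accessed part is written to evaluator output and any CI log that captures it. On the shown branches that value is presumably an encrypted blob, but a part whose raw value simply lacks the `<PLAINTEXT>` prefix would be printed verbatim; naming the part is enough to debug the misuse: `else throw "secret.part.data attribute only works for public plaintext secret parts (${secretName}.${partName})"`. Separately, the `<PLAINTEXT-NL>` branch applies exactly the same transformation as the `<PLAINTEXT>` branch (prefix removal only); if the NL variant is meant to produce different data, this is where that would go — I cannot tell from the section. The enclosing option definition starts before line 40 and continues past line 48.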