git.delta.rocks / jrsonnet / refs/commits / 0528ea184e69


fix secret encoding handling

Yaroslav Bolyukin2024-07-05parent: #453e81e.patch.diff
in: trunk

2 files changed

modifiedcmds/fleet/src/host.rsdiffbeforeafterboth
130 .await130 .await
131 .context("failed to call remote host for decrypt")?;131 .context("failed to call remote host for decrypt")?;
132 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;132 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
133 ensure!(!data.encrypted, "didn't decrypted secret");133 ensure!(!data.encrypted, "secret came out encrypted");
134 Ok(data.data)134 Ok(data.data)
135 }135 }
136 pub async fn reencrypt(&self, data: SecretData, targets: Vec<String>) -> Result<SecretData> {136 pub async fn reencrypt(&self, data: SecretData, targets: Vec<String>) -> Result<SecretData> {
147 .await147 .await
148 .context("failed to call remote host for decrypt")?;148 .context("failed to call remote host for decrypt")?;
149 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;149 let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
150 ensure!(!data.encrypted, "didn't decrypted secret");150 ensure!(data.encrypted, "secret came out not encrypted");
151 Ok(data)151 Ok(data)
152 }152 }
153 /// Returns path for futureproofing, as path might change i.e on conversion to CA153 /// Returns path for futureproofing, as path might change i.e on conversion to CA
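Review bot: The `.context("failed to call remote host for decrypt")` on new line 148 sits inside `reencrypt` but still names the decrypt operation, so a failed re-encryption is reported as a failed decryption during triage; it should read `.context("failed to call remote host for reencrypt")?;`. The corrected `ensure!(data.encrypted, "secret came out not encrypted")` only tests the flag carried by the parsed reply, and nothing in this section confirms that the result was encrypted to the requested `targets`. If the remote side is not fully trusted, that limit deserves a comment or an explicit check. The inverted condition fixed here would have been caught by a small test covering both `ensure!` outcomes. Both function bodies start outside the visible lines.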
modifiednixos/secrets.nixdiffbeforeafterboth
--- a/nixos/secrets.nix
+++ b/nixos/secrets.nix
@@ -5,7 +5,7 @@
   ...
 }:
 with lib; let
-  inherit (lib.strings) hasPrefix stripPrefix;
+  inherit (lib.strings) hasPrefix removePrefix;
   plaintextPrefix = "<PLAINTEXT>";
   plaintextNewlinePrefix = "<PLAINTEXT-NL>";
 
@@ -40,9 +40,9 @@
         hash = mkOptionDefault (builtins.hashString "sha1" config.raw);
         data = mkOptionDefault (
           if hasPrefix plaintextPrefix config.raw
-          then stripPrefix plaintextPrefix config.raw
+          then removePrefix plaintextPrefix config.raw
           else if hasPrefix plaintextNewlinePrefix config.raw
-          then stripPrefix plaintextNewlinePrefix config.raw
+          then removePrefix plaintextNewlinePrefix config.raw
           else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"
         );
         path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";
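Review bot: The fallback `throw` in the `data` default interpolates `${config.raw}` into the evaluation error, so the whole raw value of a non-plaintext part is printed wherever the failed evaluation is logged, such as a terminal or CI output. That value is presumably ciphertext, but it is still secret material and the message does not need it. Identifying the part is enough, for example `else throw "secret.part.data attribute only works for public plaintext secret parts (part ${partName}, hash ${config.hash})"`. The `stripPrefix` to `removePrefix` rename itself looks complete in both hunks.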