

fix secret encoding handling

Yaroslav Bolyukin2024-07-05parent: #453e81e.patch.diff
in: trunk

2 files changed

modifiedcmds/fleet/src/host.rsdiffbeforeafterboth
--- a/cmds/fleet/src/host.rs
+++ b/cmds/fleet/src/host.rs
@@ -130,7 +130,7 @@
 			.await
 			.context("failed to call remote host for decrypt")?;
 		let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
-		ensure!(!data.encrypted, "didn't decrypted secret");
+		ensure!(!data.encrypted, "secret came out encrypted");
 		Ok(data.data)
 	}
 	pub async fn reencrypt(&self, data: SecretData, targets: Vec<String>) -> Result<SecretData> {
@@ -147,7 +147,7 @@
 			.await
 			.context("failed to call remote host for decrypt")?;
 		let data: SecretData = encoded.parse().map_err(|e| anyhow!("{e}"))?;
-		ensure!(!data.encrypted, "didn't decrypted secret");
+		ensure!(data.encrypted, "secret came out not encrypted");
 		Ok(data)
 	}
 	/// Returns path for futureproofing, as path might change i.e on conversion to CA
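Review bot: The context string on the remote call in this hunk still says `failed to call remote host for decrypt` although the function is `reencrypt` and the corrected `ensure!` now requires the result to be `encrypted`, so a failure here would point an operator at the wrong operation; it should read `.context("failed to call remote host for reencrypt")?;`. The new `ensure!(data.encrypted, "secret came out not encrypted")` is the right guard against handing back a plaintext blob, but it only trusts the `encrypted` flag reported in the parsed response, not that the payload was actually re-encrypted for every recipient in `targets`; whether `SecretData` carries recipient information is not visible here, and if it does a comparison against `targets` would belong next to this check. The body of `reencrypt` begins before this hunk (its signature appears as context in the previous hunk).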
modifiednixos/secrets.nixdiffbeforeafterboth
5 ...5 ...
6}:6}:
7with lib; let7with lib; let
8 inherit (lib.strings) hasPrefix stripPrefix;8 inherit (lib.strings) hasPrefix removePrefix;
9 plaintextPrefix = "<PLAINTEXT>";9 plaintextPrefix = "<PLAINTEXT>";
10 plaintextNewlinePrefix = "<PLAINTEXT-NL>";10 plaintextNewlinePrefix = "<PLAINTEXT-NL>";
1111
40 hash = mkOptionDefault (builtins.hashString "sha1" config.raw);40 hash = mkOptionDefault (builtins.hashString "sha1" config.raw);
41 data = mkOptionDefault (41 data = mkOptionDefault (
42 if hasPrefix plaintextPrefix config.raw42 if hasPrefix plaintextPrefix config.raw
43 then stripPrefix plaintextPrefix config.raw43 then removePrefix plaintextPrefix config.raw
44 else if hasPrefix plaintextNewlinePrefix config.raw44 else if hasPrefix plaintextNewlinePrefix config.raw
45 then stripPrefix plaintextNewlinePrefix config.raw45 then removePrefix plaintextNewlinePrefix config.raw
46 else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"46 else throw "secret.part.data attribute only works for public plaintext secret parts, got ${config.raw}"
47 );47 );
48 path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";48 path = mkOptionDefault "/run/secrets/${secretName}/${config.hash}-${partName}";
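Review bot: The `throw` on line 46 of this section interpolates `config.raw` into the evaluation error, so any part whose raw value is not tagged with one of the plaintext prefixes (an encrypted blob, or a mis-tagged plaintext value) is printed verbatim into build and CI logs whenever someone reads its `data` attribute by mistake; the error should identify the part instead of echoing its contents, e.g. `else throw "secret.part.data attribute only works for public plaintext secret parts (secret ${secretName}, part ${partName})"`, both names being in scope as line 48 shows. The `stripPrefix` to `removePrefix` rename itself looks correct, since the left-hand (old) column referenced a name that `lib.strings` does not provide. Both hunks of this section are shown side by side (old text left, new text right), so the gutter numbers do not mark the side of a change.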