git.delta.rocks / jrsonnet / refs/commits / 1b47815c9318

difftreelog

fix expectedOwners is nullable

Lach2025-04-24parent: #11af00b.patch.diff
in: trunk

1 file changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	/// Read secret from remote host, requires sudo on said host98	ReadShared {99		name: String,100		/// Which private secret part to read101		#[clap(short = 'p', long, default_value = "secret")]102		part: String,103		/// Which host should we use to decrypt, in case if reencryption is required, without104		/// regeneration105		#[clap(long)]106		prefer_identities: Vec<String>,107	},108	UpdateShared {109		name: String,110111		#[clap(short = 'm', long)]112		machine: Option<Vec<String>>,113114		#[clap(long)]115		add_machine: Vec<String>,116		#[clap(long)]117		remove_machine: Vec<String>,118119		/// Which host should we use to decrypt120		#[clap(long)]121		prefer_identities: Vec<String>,122	},123	Regenerate {124		/// Which host should we use to decrypt, in case if reencryption is required, without125		/// regeneration126		#[clap(long)]127		prefer_identities: Vec<String>,128		/// Only regenerate shared secrets129		#[clap(long)]130		skip_hosts: bool,131	},132	List {},133	Edit {134		name: String,135		#[clap(short = 'm', long)]136		machine: String,137138		#[clap(long)]139		add: bool,140141		/// Which private secret part to read142		#[clap(short = 'p', long, default_value = "secret")]143		part: String,144	},145}146147fn secret_needs_regeneration(148	secret: &FleetSecret,149	expected_generation_data: &serde_json::Value,150) -> bool {151	let data_is_expected = secret.generation_data == *expected_generation_data;152	// TODO: Leeway?153	let expired = secret154		.expires_at155		.map(|expiration| expiration < Utc::now())156		.unwrap_or(false);157	expired || !data_is_expected158}159160#[allow(clippy::too_many_arguments)]161#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]162async fn maybe_regenerate_shared_secret(163	secret_name: &str,164	config: &Config,165	mut secret: FleetSharedSecret,166	field: Value,167	expected_owners: &[String],168	expected_generation_data: serde_json::Value,169	prefer_identities: &[String],170	batch: Option<NixBuildBatch>,171) -> Result<FleetSharedSecret> {172	let original_set = secret.owners.clone();173174	let set = original_set.iter().collect::<BTreeSet<_>>();175	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();176177	let regeneration_required =178		secret_needs_regeneration(&secret.secret, &expected_generation_data);179180	if set == expected_set && !regeneration_required {181		info!("no need to update owner list, it is already correct");182		return Ok(secret);183	}184185	let should_regenerate = if regeneration_required {186		info!("secret has its generation data changed, regeneration is required");187		true188	} else if set.difference(&expected_set).next().is_some() {189		// TODO: Remove this warning for revokable secrets.190		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");191		nix_go_json!(field.regenerateOnOwnerRemoved)192	} else if expected_set.difference(&set).next().is_some() {193		nix_go_json!(field.regenerateOnOwnerAdded)194	} else {195		false196	};197198	if should_regenerate {199		info!("secret needs to be regenerated");200		let generated = generate_shared(201			config,202			secret_name,203			field,204			expected_owners.to_vec(),205			expected_generation_data,206			batch,207		)208		.await?;209		Ok(generated)210	} else {211		drop(batch);212		let identity_holder = if !prefer_identities.is_empty() {213			prefer_identities214				.iter()215				.find(|i| original_set.iter().any(|s| s == *i))216		} else {217			secret.owners.first()218		};219		let Some(identity_holder) = identity_holder else {220			bail!("no available holder found");221		};222223		for (part_name, part) in secret.secret.parts.iter_mut() {224			let _span = info_span!("part reencryption", part_name);225			if !part.raw.encrypted {226				continue;227			}228			let host = config.host(identity_holder).await?;229			let encrypted = host230				.reencrypt(part.raw.clone(), expected_owners.to_vec())231				.await?;232			part.raw = encrypted;233		}234235		secret.owners = expected_owners.to_vec();236		Ok(secret)237	}238}239240#[derive(Deserialize)]241#[serde(rename_all = "camelCase")]242enum GeneratorKind {243	Impure,244	Pure,245}246247async fn generate_pure(248	_config: &Config,249	_display_name: &str,250	_secret: Value,251	_default_generator: Value,252	_owners: &[String],253) -> Result<FleetSecret> {254	bail!("pure generators are broken for now")255}256async fn generate_impure(257	config: &Config,258	_display_name: &str,259	secret: Value,260	default_generator: Value,261	expected_owners: &[String],262	expected_generation_data: serde_json::Value,263	batch: Option<NixBuildBatch>,264) -> Result<FleetSecret> {265	let generator = nix_go!(secret.generator);266	let on: Option<String> = nix_go_json!(default_generator.impureOn);267268	let nixpkgs = &config.nixpkgs;269270	let host = if let Some(on) = &on {271		config.host(on).await?272	} else {273		config.local_host()274	};275	let on_pkgs = host.pkgs().await?;276	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);277278	let mut recipients = Vec::new();279	for owner in expected_owners {280		let key = config.key(owner).await?;281		recipients.push(key);282	}283	let generators = nix_go!(mk_secret_generators(Obj { recipients }));284	let pkgs_and_generators = nix_go!(on_pkgs + generators);285286	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));287288	let generator = nix_go!(call_package(generator)(Obj {}));289290	let generator = generator.build_maybe_batch(batch).await?;291	let generator = generator292		.get("out")293		.ok_or_else(|| anyhow!("missing generateImpure out"))?;294	let generator = host.remote_derivation(generator).await?;295296	let out_parent = host.mktemp_dir().await?;297	let out = format!("{out_parent}/out");298299	let mut gen = host.cmd(generator).await?;300	gen.env("out", &out);301	if on.is_none() {302		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.303		let project_path: String = config304			.directory305			.clone()306			.into_os_string()307			.into_string()308			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;309		gen.env("FLEET_PROJECT", project_path);310	}311	gen.run().await.context("impure generator")?;312313	{314		let marker = host.read_file_text(format!("{out}/marker")).await?;315		ensure!(marker == "SUCCESS", "generation not succeeded");316	}317318	let mut parts = BTreeMap::new();319	for part in host.read_dir(&out).await? {320		if part == "created_at" || part == "expires_at" || part == "marker" {321			continue;322		}323		let contents: SecretData = host324			.read_file_text(format!("{out}/{part}"))325			.await?326			.parse()327			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;328		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });329	}330331	let created_at = host.read_file_value(format!("{out}/created_at")).await?;332	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();333334	Ok(FleetSecret {335		created_at,336		expires_at,337		parts,338		generation_data: expected_generation_data,339	})340}341async fn generate(342	config: &Config,343	display_name: &str,344	secret: Value,345	expected_owners: &[String],346	expected_generation_data: serde_json::Value,347	batch: Option<NixBuildBatch>,348) -> Result<FleetSecret> {349	let generator = nix_go!(secret.generator);350	// Can't properly check on nix module system level351	{352		let gen_ty = generator.type_of().await?;353		if gen_ty == "null" {354			bail!("secret has no generator defined, can't automatically generate it.");355		}356		if gen_ty == "set" {357			if !generator.has_field("__functor").await? {358				bail!("generator should be functor, got {gen_ty}");359			}360		} else if gen_ty != "lambda" {361			bail!("generator should be functor, got {gen_ty}");362		}363	}364	let nixpkgs = &config.nixpkgs;365	let default_pkgs = &config.default_pkgs;366	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);367	// Generators provide additional information in passthru, to access368	// passthru we should call generator, but information about where this generator is supposed to build369	// is located in passthru... Thus evaluating generator on host.370	//371	// Maybe it is also possible to do some magic with __functor?372	//373	// I don't want to make modules always responsible for additional secret data anyway,374	// so it should be in derivation, and not in the secret data itself.375	let generators = nix_go!(default_mk_secret_generators(Obj {376		recipients: <Vec<String>>::new(),377	}));378	let pkgs_and_generators = nix_go!(default_pkgs + generators);379380	let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));381	let default_generator = nix_go!(call_package(generator)(Obj {}));382383	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);384385	match kind {386		GeneratorKind::Impure => {387			generate_impure(388				config,389				display_name,390				secret,391				default_generator,392				expected_owners,393				expected_generation_data,394				batch,395			)396			.await397		}398		GeneratorKind::Pure => {399			generate_pure(400				config,401				display_name,402				secret,403				default_generator,404				expected_owners,405			)406			.await407		}408	}409}410async fn generate_shared(411	config: &Config,412	display_name: &str,413	secret: Value,414	expected_owners: Vec<String>,415	expected_generation_data: serde_json::Value,416	batch: Option<NixBuildBatch>,417) -> Result<FleetSharedSecret> {418	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);419	Ok(FleetSharedSecret {420		secret: generate(421			config,422			display_name,423			secret,424			&expected_owners,425			expected_generation_data,426			batch,427		)428		.await?,429		owners: expected_owners,430	})431}432433async fn parse_public(434	public: Option<String>,435	public_file: Option<PathBuf>,436) -> Result<Option<SecretData>> {437	Ok(match (public, public_file) {438		(Some(v), None) => Some(SecretData {439			data: v.into(),440			encrypted: false,441		}),442		(None, Some(v)) => Some(SecretData {443			data: read(v).await?,444			encrypted: false,445		}),446		(Some(_), Some(_)) => {447			bail!("only public or public_file should be set")448		}449		(None, None) => None,450	})451}452453async fn parse_secret() -> Result<Option<Vec<u8>>> {454	let mut input = vec![];455	stdin().read_to_end(&mut input)?;456	if input.is_empty() {457		Ok(None)458	} else {459		Ok(Some(input))460	}461}462463fn parse_machines(464	initial: Vec<String>,465	machines: Option<Vec<String>>,466	mut add_machines: Vec<String>,467	mut remove_machines: Vec<String>,468) -> Result<Vec<String>> {469	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {470		bail!("no operation");471	}472473	let initial_machines = initial.clone();474	let mut target_machines = initial;475	info!("Currently encrypted for {initial_machines:?}");476477	// ensure!(machines.is_some() || !add_machines.is_empty() || )478	if let Some(machines) = machines {479		ensure!(480			add_machines.is_empty() && remove_machines.is_empty(),481			"can't combine --machines and --add-machines/--remove-machines"482		);483		let target = initial_machines.iter().collect::<HashSet<_>>();484		let source = machines.iter().collect::<HashSet<_>>();485		for removed in target.difference(&source) {486			remove_machines.push((*removed).clone());487		}488		for added in source.difference(&target) {489			add_machines.push((*added).clone());490		}491	}492493	for machine in &remove_machines {494		let mut removed = false;495		while let Some(pos) = target_machines.iter().position(|m| m == machine) {496			target_machines.swap_remove(pos);497			removed = true;498		}499		if !removed {500			warn!("secret is not enabled for {machine}");501		}502	}503	for machine in &add_machines {504		if target_machines.iter().any(|m| m == machine) {505			warn!("secret is already added to {machine}");506		} else {507			target_machines.push(machine.to_owned());508		}509	}510	if !remove_machines.is_empty() {511		// TODO: maybe force secret regeneration?512		// Not that useful without revokation.513		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");514	}515	Ok(target_machines)516}517impl Secret {518	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {519		match self {520			Secret::ForceKeys => {521				for host in config.list_hosts().await? {522					if opts.should_skip(&host).await? {523						continue;524					}525					config.key(&host.name).await?;526				}527			}528			Secret::AddShared {529				mut machines,530				name,531				force,532				public,533				public_part: public_name,534				public_file,535				expires_at,536				re_add,537				part: part_name,538			} => {539				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).540541				let exists = config.has_shared(&name);542				if exists && !force && !re_add {543					bail!("secret already defined");544				}545				if re_add {546					// Fixme: use clap to limit this usage547					ensure!(!force, "--force and --readd are not compatible");548					ensure!(exists, "secret doesn't exists");549					ensure!(550						machines.is_empty(),551						"you can't use machines argument for --readd"552					);553					let shared = config.shared_secret(&name)?;554					machines = shared.owners;555				}556557				let recipients = config.recipients(machines.clone()).await?;558559				let mut parts = BTreeMap::new();560561				let mut input = vec![];562				io::stdin().read_to_end(&mut input)?;563564				if !input.is_empty() {565					let encrypted =566						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)567							.ok_or_else(|| anyhow!("no recipients provided"))?;568					parts.insert(part_name, FleetSecretPart { raw: encrypted });569				}570571				if let Some(public) = parse_public(public, public_file).await? {572					parts.insert(public_name, FleetSecretPart { raw: public });573				}574575				config.replace_shared(576					name,577					FleetSharedSecret {578						owners: machines,579						secret: FleetSecret {580							created_at: Utc::now(),581							expires_at,582							parts,583							generation_data: serde_json::Value::Null,584						},585					},586				);587			}588			Secret::Add {589				machine,590				name,591				replace,592				merge,593				public,594				public_part: public_name,595				public_file,596				part: part_name,597			} => {598				if config.has_secret(&machine, &name) && !replace && !merge {599					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");600				}601602				let mut out = if merge && !replace {603					config604						.host_secret(&machine, &name)605						.context("failed to read existing secret for --merge")?606				} else {607					FleetSecret {608						created_at: Utc::now(),609						expires_at: None,610						parts: BTreeMap::new(),611						generation_data: serde_json::Value::Null,612					}613				};614615				if let Some(secret) = parse_secret().await? {616					let recipient = config.recipient(&machine).await?;617					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)618						.expect("recipient provided");619					if out620						.parts621						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })622						.is_some() && !replace623					{624						bail!("part {part_name:?} is already defined");625					}626				}627628				if let Some(public) = parse_public(public, public_file).await? {629					if out630						.parts631						.insert(public_name.clone(), FleetSecretPart { raw: public })632						.is_some() && !replace633					{634						bail!("part {public_name:?} is already defined");635					}636				};637638				config.insert_secret(&machine, name, out);639			}640			#[allow(clippy::await_holding_refcell_ref)]641			Secret::Read {642				name,643				machine,644				part: part_name,645			} => {646				let secret = config.host_secret(&machine, &name)?;647				let Some(secret) = secret.parts.get(&part_name) else {648					bail!("no part {part_name} in secret {name}");649				};650				let data = if secret.raw.encrypted {651					let host = config.host(&machine).await?;652					host.decrypt(secret.raw.clone()).await?653				} else {654					secret.raw.data.clone()655				};656657				stdout().write_all(&data)?;658			}659			Secret::ReadShared {660				name,661				part: part_name,662				prefer_identities,663			} => {664				let secret = config.shared_secret(&name)?;665				let Some(part) = secret.secret.parts.get(&part_name) else {666					bail!("no part {part_name} in secret {name}");667				};668				let data = if part.raw.encrypted {669					let identity_holder = if !prefer_identities.is_empty() {670						prefer_identities671							.iter()672							.find(|i| secret.owners.iter().any(|s| s == *i))673					} else {674						secret.owners.first()675					};676					let Some(identity_holder) = identity_holder else {677						bail!("no available holder found");678					};679					let host = config.host(identity_holder).await?;680					host.decrypt(part.raw.clone()).await?681				} else {682					part.raw.data.clone()683				};684				stdout().write_all(&data)?;685			}686			Secret::UpdateShared {687				name,688				machine,689				add_machine,690				remove_machine,691				prefer_identities,692			} => {693				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).694695				let secret = config.shared_secret(&name)?;696				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {697					bail!("no secret");698				}699700				let initial_machines = secret.owners.clone();701				let target_machines = parse_machines(702					initial_machines.clone(),703					machine,704					add_machine,705					remove_machine,706				)?;707708				if target_machines.is_empty() {709					info!("no machines left for secret, removing it");710					config.remove_shared(&name);711					return Ok(());712				}713714				let config_field = &config.config_field;715				let field = nix_go!(config_field.sharedSecrets[{ name }]);716				let expected_generation_data = nix_go_json!(field.expectedGenerationData);717718				let updated = maybe_regenerate_shared_secret(719					&name,720					config,721					secret,722					field,723					&target_machines,724					expected_generation_data,725					&prefer_identities,726					None,727				)728				.await?;729				config.replace_shared(name, updated);730			}731			Secret::Regenerate {732				prefer_identities,733				skip_hosts,734			} => {735				info!("checking for secrets to regenerate");736				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();737				{738					// Generate missing shared739					let shared_batch = None;740					let _span = info_span!("shared").entered();741					let expected_shared_set = config742						.list_configured_shared()743						.await?744						.into_iter()745						.collect::<HashSet<_>>();746					for missing in expected_shared_set.difference(&stored_shared_set) {747						let config_field = &config.config_field;748						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);749						let expected_generation_data: serde_json::Value =750							nix_go_json!(secret.expectedGenerationData);751						let expected_owners: Option<Vec<String>> =752							nix_go_json!(secret.expectedOwners);753						let Some(expected_owners) = expected_owners else {754							// Can't generate this missing secret, as it has no defined owners.755							continue;756						};757						info!("generating secret: {missing}");758						let shared = generate_shared(759							config,760							missing,761							secret,762							expected_owners,763							expected_generation_data,764							shared_batch.clone(),765						)766						.in_current_span()767						.await?;768						config.replace_shared(missing.to_string(), shared)769					}770				}771				if !skip_hosts {772					let hosts_batch = None;773					for host in config.list_hosts().await? {774						if opts.should_skip(&host).await? {775							continue;776						}777778						let _span = info_span!("host", host = host.name).entered();779						let expected_set = host780							.list_configured_secrets()781							.in_current_span()782							.await?783							.into_iter()784							.collect::<HashSet<_>>();785						let stored_set = config786							.list_secrets(&host.name)787							.into_iter()788							.collect::<HashSet<_>>();789						for missing in expected_set.difference(&stored_set) {790							info!("generating secret: {missing}");791							let secret = host.secret_field(missing).in_current_span().await?;792							let expected_generation_data =793								nix_go_json!(secret.expectedGenerationData);794							let generated = match generate(795								config,796								missing,797								secret,798								&[host.name.clone()],799								expected_generation_data,800								hosts_batch.clone(),801							)802							.in_current_span()803							.await804							{805								Ok(v) => v,806								Err(e) => {807									error!("{e:?}");808									continue;809								}810							};811							config.insert_secret(&host.name, missing.to_string(), generated)812						}813						for name in stored_set {814							info!("updating secret: {name}");815							let data = config.host_secret(&host.name, &name)?;816							let secret = host.secret_field(&name).in_current_span().await?;817							let expected_generation_data =818								nix_go_json!(secret.expectedGenerationData);819							if secret_needs_regeneration(&data, &expected_generation_data) {820								let generated = match generate(821									config,822									&name,823									secret,824									&[host.name.clone()],825									expected_generation_data,826									hosts_batch.clone(),827								)828								.in_current_span()829								.await830								{831									Ok(v) => v,832									Err(e) => {833										error!("{e:?}");834										continue;835									}836								};837								config.insert_secret(&host.name, name.to_string(), generated)838							}839						}840					}841				}842				let mut to_remove = Vec::new();843				for name in &stored_shared_set {844					info!("updating secret: {name}");845					let data = config.shared_secret(name)?;846					let config_field = &config.config_field;847					let expected_owners: Option<Vec<String>> =848						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);849					let Some(expected_owners) = expected_owners else {850						warn!("secret was removed from fleet config: {name}, removing from data");851						to_remove.push(name.to_string());852						continue;853					};854855					let secret = nix_go!(config_field.sharedSecrets[{ name }]);856					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);857					config.replace_shared(858						name.to_owned(),859						maybe_regenerate_shared_secret(860							name,861							config,862							data,863							secret,864							&expected_owners,865							expected_generation_data,866							&prefer_identities,867							None,868						)869						.await?,870					);871				}872				for k in to_remove {873					config.remove_shared(&k);874				}875			}876			Secret::List {} => {877				let _span = info_span!("loading secrets").entered();878				let configured = config.list_configured_shared().await?;879				#[derive(Tabled)]880				struct SecretDisplay {881					#[tabled(rename = "Name")]882					name: String,883					#[tabled(rename = "Owners")]884					owners: String,885				}886				let mut table = vec![];887				for name in configured.iter().cloned() {888					let config = config.clone();889					let expected_owners = config.shared_secret_expected_owners(&name).await?;890					let data = config.shared_secret(&name)?;891					let owners = data892						.owners893						.iter()894						.map(|o| {895							if expected_owners.contains(o) {896								o.green().to_string()897							} else {898								o.red().to_string()899							}900						})901						.collect::<Vec<_>>();902					table.push(SecretDisplay {903						owners: owners.join(", "),904						name,905					})906				}907				info!("loaded\n{}", Table::new(table).to_string())908			}909			Secret::Edit {910				name,911				machine,912				part,913				add,914			} => {915				let secret = config.host_secret(&machine, &name)?;916				if let Some(data) = secret.parts.get(&part) {917					let host = config.host(&machine).await?;918					let secret = host.decrypt(data.raw.clone()).await?;919					String::from_utf8(secret).context("secret is not utf8")?920				} else if add {921					String::new()922				} else {923					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");924				};925			}926		}927		Ok(())928	}929}930931/*932async fn edit_temp_file(933	builder: tempfile::Builder<'_, '_>,934	r: Vec<u8>,935	header: &str,936	comment: &str,937) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {938	if !stdin().is_tty() {939		// TODO: Also try to open /dev/tty directly?940		bail!("stdin is not tty, can't open editor");941	}942943	use std::fmt::Write;944	let mut file = builder.tempfile()?;945946	let mut full_header = String::new();947	let mut had = false;948	for line in header.trim_end().lines() {949		had = true;950		writeln!(&mut full_header, "{comment}{line}")?;951	}952	if had {953		writeln!(&mut full_header, "{}", comment.trim_end())?;954	}955	writeln!(956		&mut full_header,957		"{comment}Do not touch this header! It will be removed automatically"958	)?;959960	file.write_all(full_header.as_bytes())?;961	file.write_all(&r)?;962963	let abs_path = file.into_temp_path();964	let editor = std::env::var_os("VISUAL")965		.or_else(|| std::env::var_os("EDITOR"))966		.unwrap_or_else(|| "vi".into());967	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())968		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;969	let editor_args = editor_args970		.into_iter()971		.map(|v| {972			// Only ASCII subsequences are replaced973			unsafe { OsString::from_encoded_bytes_unchecked(v) }974		})975		.collect_vec();976	let Some((editor, args)) = editor_args.split_first() else {977		bail!("EDITOR env var has no command");978	};979	let mut command = Command::new(editor);980	command.args(args);981982	let path_arg = abs_path.canonicalize()?;983984	// TODO: Save full state, using tcget/_getmode/_setmode985	let was_raw = terminal::is_raw_mode_enabled()?;986	terminal::enable_raw_mode()?;987988	let status = command.arg(path_arg).status().await;989990	if !was_raw {991		terminal::disable_raw_mode()?;992	}993994	let success = match status {995		Ok(s) => s.success(),996		Err(e) if e.kind() == io::ErrorKind::NotFound => {997			bail!("editor not found")998		}999		Err(e) => bail!("editor spawn error: {e}"),1000	};10011002	let mut file = std::fs::read(&abs_path).context("read editor output")?;1003	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {1004		todo!();1005	};1006	todo!();10071008	// Ok((success, abs_path))1009}1010*/