From 3b8059d4c529599c342bd3f4cb03d4994cff6d8a Mon Sep 17 00:00:00 2001
From: Yaroslav Bolyukin
Date: Tue, 03 Dec 2024 19:18:34 +0000
Subject: [PATCH] feat: secret read-shared subcommand
---
--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -94,6 +94,17 @@
 #[clap(short = 'p', long, default_value = "secret")]
 part: String,
 },
+ /// Read secret from remote host, requires sudo on said host
+ ReadShared {
+ name: String,
+ /// Which private secret part to read
+ #[clap(short = 'p', long, default_value = "secret")]
+ part: String,
+ /// Which host should we use to decrypt, in case if reencryption is required, without
+ /// regeneration
+ #[clap(long)]
+ prefer_identities: Vec,
+ },
 UpdateShared {
 name: String,
@@ -634,6 +645,33 @@
 stdout().write_all(&data)?;
 }
+ Secret::ReadShared {
+ name,
+ part: part_name,
+ prefer_identities,
+ } => {
+ let secret = config.shared_secret(&name)?;
+ let Some(part) = secret.secret.parts.get(&part_name) else {
+ bail!("no part {part_name} in secret {name}");
+ };
+ let data = if part.raw.encrypted {
+ let identity_holder = if !prefer_identities.is_empty() {
+ prefer_identities
+ .iter()
+ .find(|i| secret.owners.iter().any(|s| s == *i))
+ } else {
+ secret.owners.first()
+ };
+ let Some(identity_holder) = identity_holder else {
+ bail!("no available holder found");
+ };
+ let host = config.host(identity_holder).await?;
+ host.decrypt(part.raw.clone()).await?
+ } else {
+ part.raw.data.clone()
+ };
+ stdout().write_all(&data)?;
+ }
 Secret::UpdateShared {
 name,
 machine,
--- a/crates/fleet-base/src/lib.rs
+++ b/crates/fleet-base/src/lib.rs
@@ -1,5 +1,5 @@
+pub mod command;
 pub mod fleetdata;
 pub mod host;
-pub mod command;
+mod keys;
 pub mod opts;
-mod keys;
--- a/crates/nix-eval/build.rs
+++ b/crates/nix-eval/build.rs
@@ -9,7 +9,6 @@
 // }
 // }
-
 fn main() {
 //
 // let mut libnix = bindgen::builder().header_contents("nix.h", "
--
gitstuff
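Review bot: The doc comment on `prefer_identities` in the new `ReadShared` variant talks about re-encryption and regeneration, which this read-only subcommand never performs; the implementation hunk later in this patch only uses the list to choose which owner host runs the decryption, so the `--help` text would mislead the operator. Suggest `/// Which owner host should decrypt the part; entries that are not owners of the secret are ignored, and the first owner is used when omitted`. It would also help to extend the variant's own doc line with the fact that the decrypted part is written verbatim to stdout, so the operator knows to redirect it rather than let the plaintext land in terminal scrollback. The enclosing `enum` starts and ends outside the hunk.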
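Review bot: `bail!("no available holder found")` in the new `Secret::ReadShared` arm folds two different failures into one message: the operator passed identities but none of them is in `secret.owners` (the `find` yields `None`, and non-owner entries are silently skipped), or the secret has no owners at all (`secret.owners.first()` is `None`). With a mistyped host name the operator cannot tell which case they hit, and the message does not name the secret either; suggest `bail!("no owner able to decrypt secret {name} (preferred identities: {prefer_identities:?})");`, assuming the identity type implements `Debug`. The doc comment on the variant says decryption requires sudo on the chosen host, so a wrong-host selection is worth surfacing clearly before anything is attempted remotely. The enclosing `match` and its function start and end outside the hunk.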