feat secret read-shared subcommand
in: trunk
3 files changed
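--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -94,6 +94,17 @@
 #[clap(short = 'p', long, default_value = "secret")]
 part: String,
 },
+ /// Read secret from remote host, requires sudo on said host
+ ReadShared {
+ name: String,
+ /// Which private secret part to read
+ #[clap(short = 'p', long, default_value = "secret")]
+ part: String,
+ /// Which host should we use to decrypt, in case if reencryption is required, without
+ /// regeneration
+ #[clap(long)]
+ prefer_identities: Vec<String>,
+ },
 UpdateShared {
 name: String,
@@ -634,6 +645,33 @@
 stdout().write_all(&data)?;
 }
+ Secret::ReadShared {
+ name,
+ part: part_name,
+ prefer_identities,
+ } => {
+ let secret = config.shared_secret(&name)?;
+ let Some(part) = secret.secret.parts.get(&part_name) else {
+ bail!("no part {part_name} in secret {name}");
+ };
+ let data = if part.raw.encrypted {
+ let identity_holder = if !prefer_identities.is_empty() {
+ prefer_identities
+ .iter()
+ .find(|i| secret.owners.iter().any(|s| s == *i))
+ } else {
+ secret.owners.first()
+ };
+ let Some(identity_holder) = identity_holder else {
+ bail!("no available holder found");
+ };
+ let host = config.host(identity_holder).await?;
+ host.decrypt(part.raw.clone()).await?
+ } else {
+ part.raw.data.clone()
+ };
+ stdout().write_all(&data)?;
+ }
 Secret::UpdateShared {
 name,
 machine,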
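Review bot: The doc comment on `prefer_identities` in the `ReadShared` variant (first hunk) talks about re-encryption and regeneration, which this read-only subcommand never performs; the match arm only uses the list to pick which owner decrypts the part, and `config.host(identity_holder)` suggests the owner name doubles as the host that does the decryption. Suggest `/// Prefer these owners (in the given order) as the host that decrypts the part; falls back to the secret's first owner`. In the second hunk, `bail!("no available holder found")` collapses two distinct situations — the secret has no owners at all, and every `--prefer-identities` value is absent from the owner list — so the operator cannot tell whether to fix the secret or the flag; `bail!("no available holder found for secret {name} (owners: {}, preferred: {})", secret.owners.join(", "), prefer_identities.join(", "))` names both (owners appears to hold `String`s given the `s == *i` comparison — confirm before using `join`). The enclosing `match` and its function start and end outside the hunk.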
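--- a/crates/fleet-base/src/lib.rs
+++ b/crates/fleet-base/src/lib.rs
@@ -1,5 +1,5 @@
+pub mod command;
 pub mod fleetdata;
 pub mod host;
-pub mod command;
+mod keys;
 pub mod opts;
-mod keys;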
crates/nix-eval/build.rsdiffbeforeafterboth1// use bindgen::callbacks::ParseCallbacks;2// use std::path::PathBuf;3//4// #[derive(Debug)]5// struct StripPrefix;6// impl ParseCallbacks for StripPrefix {7// fn item_name(&self, name: &str) -> Option<String> {8// name.strip_prefix("nix_").map(ToOwned::to_owned)9// }10// }111213fn main() {14 //15 // let mut libnix = bindgen::builder().header_contents("nix.h", "16 // #define GC_THREADS17 // #include <gc/gc.h>18 // #include <nix_api_expr.h>19 // #include <nix_api_store.h>20 // #include <nix_api_util.h>21 // #include <nix_api_value.h>22 // ").parse_callbacks(Box::new(StripPrefix));23 //24 // for header in pkg_config::probe_library("nix-expr-c").expect("nix-expr-c").include_paths.into_iter().chain(pkg_config::probe_library("bdw-gc").expect("bdw-gc").include_paths.into_iter()) {25 // libnix = libnix.clang_arg(format!("-I{}", header.to_str().expect("path is utf-8")));26 // }27 //28 // let mut out = PathBuf::from(std::env::var("OUT_DIR").expect("OUT_DIR is set by cargo"));29 // out.push("bindings.rs");30 // libnix.generate().expect("generate bindings").write_to_file(out).expect("write bindings");31}1// use bindgen::callbacks::ParseCallbacks;2// use std::path::PathBuf;3//4// #[derive(Debug)]5// struct StripPrefix;6// impl ParseCallbacks for StripPrefix {7// fn item_name(&self, name: &str) -> Option<String> {8// name.strip_prefix("nix_").map(ToOwned::to_owned)9// }10// }1112fn main() {13 //14 // let mut libnix = bindgen::builder().header_contents("nix.h", "15 // #define GC_THREADS16 // #include <gc/gc.h>17 // #include <nix_api_expr.h>18 // #include <nix_api_store.h>19 // #include <nix_api_util.h>20 // #include <nix_api_value.h>21 // ").parse_callbacks(Box::new(StripPrefix));22 //23 // for header in pkg_config::probe_library("nix-expr-c").expect("nix-expr-c").include_paths.into_iter().chain(pkg_config::probe_library("bdw-gc").expect("bdw-gc").include_paths.into_iter()) {24 // libnix = libnix.clang_arg(format!("-I{}", 
header.to_str().expect("path is utf-8")));25 // }26 //27 // let mut out = PathBuf::from(std::env::var("OUT_DIR").expect("OUT_DIR is set by cargo"));28 // out.push("bindings.rs");29 // libnix.generate().expect("generate bindings").write_to_file(out).expect("write bindings");30}