git.delta.rocks / jrsonnet / refs/commits / 602c928e0efd

difftreelog

feat regenerate --skip-hosts argument

Yaroslav Bolyukin2024-12-03parent: #347bd4a.patch.diff
in: trunk

1 file changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
before · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	UpdateShared {98		name: String,99100		#[clap(short = 'm', long)]101		machine: Option<Vec<String>>,102103		#[clap(long)]104		add_machine: Vec<String>,105		#[clap(long)]106		remove_machine: Vec<String>,107108		/// Which host should we use to decrypt109		#[clap(long)]110		prefer_identities: Vec<String>,111	},112	Regenerate {113		/// Which host should we use to decrypt, in case if reencryption is required, without114		/// regeneration115		#[clap(long)]116		prefer_identities: Vec<String>,117	},118	List {},119	Edit {120		name: String,121		#[clap(short = 'm', long)]122		machine: String,123124		#[clap(long)]125		add: bool,126127		/// Which private secret part to read128		#[clap(short = 'p', long, default_value = "secret")]129		part: String,130	},131}132133fn secret_needs_regeneration(134	secret: &FleetSecret,135	expected_generation_data: &serde_json::Value,136) -> bool {137	let data_is_expected = secret.generation_data == *expected_generation_data;138	// TODO: Leeway?139	let expired = secret140		.expires_at141		.map(|expiration| expiration < Utc::now())142		.unwrap_or(false);143	expired || !data_is_expected144}145146#[allow(clippy::too_many_arguments)]147#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]148async fn maybe_regenerate_shared_secret(149	secret_name: &str,150	config: &Config,151	mut secret: FleetSharedSecret,152	field: Value,153	expected_owners: &[String],154	expected_generation_data: serde_json::Value,155	prefer_identities: &[String],156	batch: Option<NixBuildBatch>,157) -> Result<FleetSharedSecret> {158	let original_set = secret.owners.clone();159160	let set = original_set.iter().collect::<BTreeSet<_>>();161	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();162163	let regeneration_required =164		secret_needs_regeneration(&secret.secret, &expected_generation_data);165166	if set == expected_set && !regeneration_required {167		info!("no need to update owner list, it is already correct");168		return Ok(secret);169	}170171	let should_regenerate = if regeneration_required {172		info!("secret has its generation data changed, regeneration is required");173		true174	} else if set.difference(&expected_set).next().is_some() {175		// TODO: Remove this warning for revokable secrets.176		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");177		nix_go_json!(field.regenerateOnOwnerRemoved)178	} else if expected_set.difference(&set).next().is_some() {179		nix_go_json!(field.regenerateOnOwnerAdded)180	} else {181		false182	};183184	if should_regenerate {185		info!("secret needs to be regenerated");186		let generated = generate_shared(187			config,188			secret_name,189			field,190			expected_owners.to_vec(),191			expected_generation_data,192			batch,193		)194		.await?;195		Ok(generated)196	} else {197		drop(batch);198		let identity_holder = if !prefer_identities.is_empty() {199			prefer_identities200				.iter()201				.find(|i| original_set.iter().any(|s| s == *i))202		} else {203			secret.owners.first()204		};205		let Some(identity_holder) = identity_holder else {206			bail!("no available holder found");207		};208209		for (part_name, part) in secret.secret.parts.iter_mut() {210			let _span = info_span!("part reencryption", part_name);211			if !part.raw.encrypted {212				continue;213			}214			let host = config.host(identity_holder).await?;215			let encrypted = host216				.reencrypt(part.raw.clone(), expected_owners.to_vec())217				.await?;218			part.raw = encrypted;219		}220221		secret.owners = expected_owners.to_vec();222		Ok(secret)223	}224}225226#[derive(Deserialize)]227#[serde(rename_all = "camelCase")]228enum GeneratorKind {229	Impure,230	Pure,231}232233async fn generate_pure(234	_config: &Config,235	_display_name: &str,236	_secret: Value,237	_default_generator: Value,238	_owners: &[String],239) -> Result<FleetSecret> {240	bail!("pure generators are broken for now")241}242async fn generate_impure(243	config: &Config,244	_display_name: &str,245	secret: Value,246	default_generator: Value,247	expected_owners: &[String],248	expected_generation_data: serde_json::Value,249	batch: Option<NixBuildBatch>,250) -> Result<FleetSecret> {251	let generator = nix_go!(secret.generator);252	let on: Option<String> = nix_go_json!(default_generator.impureOn);253254	let host = if let Some(on) = &on {255		config.host(on).await?256	} else {257		config.local_host()258	};259	let on_pkgs = host.pkgs().await?;260	let call_package = nix_go!(on_pkgs.callPackage);261	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);262263	let mut recipients = Vec::new();264	for owner in expected_owners {265		let key = config.key(owner).await?;266		recipients.push(key);267	}268	let generators = nix_go!(mk_secret_generators(Obj { recipients }));269270	let generator = nix_go!(call_package(generator)(generators));271272	let generator = generator.build_maybe_batch(batch).await?;273	let generator = generator274		.get("out")275		.ok_or_else(|| anyhow!("missing generateImpure out"))?;276	let generator = host.remote_derivation(generator).await?;277278	let out_parent = host.mktemp_dir().await?;279	let out = format!("{out_parent}/out");280281	let mut gen = host.cmd(generator).await?;282	gen.env("out", &out);283	if on.is_none() {284		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.285		let project_path: String = config286			.directory287			.clone()288			.into_os_string()289			.into_string()290			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;291		gen.env("FLEET_PROJECT", project_path);292	}293	gen.run().await.context("impure generator")?;294295	{296		let marker = host.read_file_text(format!("{out}/marker")).await?;297		ensure!(marker == "SUCCESS", "generation not succeeded");298	}299300	let mut parts = BTreeMap::new();301	for part in host.read_dir(&out).await? {302		if part == "created_at" || part == "expired_at" || part == "marker" {303			continue;304		}305		let contents: SecretData = host306			.read_file_text(format!("{out}/{part}"))307			.await?308			.parse()309			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;310		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });311	}312313	let created_at = host.read_file_value(format!("{out}/created_at")).await?;314	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();315316	Ok(FleetSecret {317		created_at,318		expires_at,319		parts,320		generation_data: expected_generation_data,321	})322}323async fn generate(324	config: &Config,325	display_name: &str,326	secret: Value,327	expected_owners: &[String],328	expected_generation_data: serde_json::Value,329	batch: Option<NixBuildBatch>,330) -> Result<FleetSecret> {331	let generator = nix_go!(secret.generator);332	// Can't properly check on nix module system level333	{334		let gen_ty = generator.type_of().await?;335		if gen_ty == "null" {336			bail!("secret has no generator defined, can't automatically generate it.");337		}338		if gen_ty != "lambda" {339			bail!("generator should be lambda, got {gen_ty}");340		}341	}342	let default_pkgs = &config.default_pkgs;343	let default_call_package = nix_go!(default_pkgs.callPackage);344	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);345	// Generators provide additional information in passthru, to access346	// passthru we should call generator, but information about where this generator is supposed to build347	// is located in passthru... Thus evaluating generator on host.348	//349	// Maybe it is also possible to do some magic with __functor?350	//351	// I don't want to make modules always responsible for additional secret data anyway,352	// so it should be in derivation, and not in the secret data itself.353	let generators = nix_go!(default_mk_secret_generators(Obj {354		recipients: <Vec<String>>::new(),355	}));356	let default_generator = nix_go!(default_call_package(generator)(generators));357358	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);359360	match kind {361		GeneratorKind::Impure => {362			generate_impure(363				config,364				display_name,365				secret,366				default_generator,367				expected_owners,368				expected_generation_data,369				batch,370			)371			.await372		}373		GeneratorKind::Pure => {374			generate_pure(375				config,376				display_name,377				secret,378				default_generator,379				expected_owners,380			)381			.await382		}383	}384}385async fn generate_shared(386	config: &Config,387	display_name: &str,388	secret: Value,389	expected_owners: Vec<String>,390	expected_generation_data: serde_json::Value,391	batch: Option<NixBuildBatch>,392) -> Result<FleetSharedSecret> {393	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);394	Ok(FleetSharedSecret {395		secret: generate(396			config,397			display_name,398			secret,399			&expected_owners,400			expected_generation_data,401			batch,402		)403		.await?,404		owners: expected_owners,405	})406}407408async fn parse_public(409	public: Option<String>,410	public_file: Option<PathBuf>,411) -> Result<Option<SecretData>> {412	Ok(match (public, public_file) {413		(Some(v), None) => Some(SecretData {414			data: v.into(),415			encrypted: false,416		}),417		(None, Some(v)) => Some(SecretData {418			data: read(v).await?,419			encrypted: false,420		}),421		(Some(_), Some(_)) => {422			bail!("only public or public_file should be set")423		}424		(None, None) => None,425	})426}427428async fn parse_secret() -> Result<Option<Vec<u8>>> {429	let mut input = vec![];430	stdin().read_to_end(&mut input)?;431	if input.is_empty() {432		Ok(None)433	} else {434		Ok(Some(input))435	}436}437438fn parse_machines(439	initial: Vec<String>,440	machines: Option<Vec<String>>,441	mut add_machines: Vec<String>,442	mut remove_machines: Vec<String>,443) -> Result<Vec<String>> {444	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {445		bail!("no operation");446	}447448	let initial_machines = initial.clone();449	let mut target_machines = initial;450	info!("Currently encrypted for {initial_machines:?}");451452	// ensure!(machines.is_some() || !add_machines.is_empty() || )453	if let Some(machines) = machines {454		ensure!(455			add_machines.is_empty() && remove_machines.is_empty(),456			"can't combine --machines and --add-machines/--remove-machines"457		);458		let target = initial_machines.iter().collect::<HashSet<_>>();459		let source = machines.iter().collect::<HashSet<_>>();460		for removed in target.difference(&source) {461			remove_machines.push((*removed).clone());462		}463		for added in source.difference(&target) {464			add_machines.push((*added).clone());465		}466	}467468	for machine in &remove_machines {469		let mut removed = false;470		while let Some(pos) = target_machines.iter().position(|m| m == machine) {471			target_machines.swap_remove(pos);472			removed = true;473		}474		if !removed {475			warn!("secret is not enabled for {machine}");476		}477	}478	for machine in &add_machines {479		if target_machines.iter().any(|m| m == machine) {480			warn!("secret is already added to {machine}");481		} else {482			target_machines.push(machine.to_owned());483		}484	}485	if !remove_machines.is_empty() {486		// TODO: maybe force secret regeneration?487		// Not that useful without revokation.488		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");489	}490	Ok(target_machines)491}492impl Secret {493	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {494		match self {495			Secret::ForceKeys => {496				for host in config.list_hosts().await? {497					if opts.should_skip(&host).await? {498						continue;499					}500					config.key(&host.name).await?;501				}502			}503			Secret::AddShared {504				mut machines,505				name,506				force,507				public,508				public_part: public_name,509				public_file,510				expires_at,511				re_add,512				part: part_name,513			} => {514				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).515516				let exists = config.has_shared(&name);517				if exists && !force && !re_add {518					bail!("secret already defined");519				}520				if re_add {521					// Fixme: use clap to limit this usage522					ensure!(!force, "--force and --readd are not compatible");523					ensure!(exists, "secret doesn't exists");524					ensure!(525						machines.is_empty(),526						"you can't use machines argument for --readd"527					);528					let shared = config.shared_secret(&name)?;529					machines = shared.owners;530				}531532				let recipients = config.recipients(machines.clone()).await?;533534				let mut parts = BTreeMap::new();535536				let mut input = vec![];537				io::stdin().read_to_end(&mut input)?;538539				if !input.is_empty() {540					let encrypted =541						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)542							.ok_or_else(|| anyhow!("no recipients provided"))?;543					parts.insert(part_name, FleetSecretPart { raw: encrypted });544				}545546				if let Some(public) = parse_public(public, public_file).await? {547					parts.insert(public_name, FleetSecretPart { raw: public });548				}549550				config.replace_shared(551					name,552					FleetSharedSecret {553						owners: machines,554						secret: FleetSecret {555							created_at: Utc::now(),556							expires_at,557							parts,558							generation_data: serde_json::Value::Null,559						},560					},561				);562			}563			Secret::Add {564				machine,565				name,566				replace,567				merge,568				public,569				public_part: public_name,570				public_file,571				part: part_name,572			} => {573				if config.has_secret(&machine, &name) && !replace && !merge {574					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");575				}576577				let mut out = if merge && !replace {578					config579						.host_secret(&machine, &name)580						.context("failed to read existing secret for --merge")?581				} else {582					FleetSecret {583						created_at: Utc::now(),584						expires_at: None,585						parts: BTreeMap::new(),586						generation_data: serde_json::Value::Null,587					}588				};589590				if let Some(secret) = parse_secret().await? {591					let recipient = config.recipient(&machine).await?;592					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)593						.expect("recipient provided");594					if out595						.parts596						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })597						.is_some() && !replace598					{599						bail!("part {part_name:?} is already defined");600					}601				}602603				if let Some(public) = parse_public(public, public_file).await? {604					if out605						.parts606						.insert(public_name.clone(), FleetSecretPart { raw: public })607						.is_some() && !replace608					{609						bail!("part {public_name:?} is already defined");610					}611				};612613				config.insert_secret(&machine, name, out);614			}615			#[allow(clippy::await_holding_refcell_ref)]616			Secret::Read {617				name,618				machine,619				part: part_name,620			} => {621				let secret = config.host_secret(&machine, &name)?;622				let Some(secret) = secret.parts.get(&part_name) else {623					bail!("no part {part_name} in secret {name}");624				};625				let data = if secret.raw.encrypted {626					let host = config.host(&machine).await?;627					host.decrypt(secret.raw.clone()).await?628				} else {629					secret.raw.data.clone()630				};631632				stdout().write_all(&data)?;633			}634			Secret::UpdateShared {635				name,636				machine,637				add_machine,638				remove_machine,639				prefer_identities,640			} => {641				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).642643				let secret = config.shared_secret(&name)?;644				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {645					bail!("no secret");646				}647648				let initial_machines = secret.owners.clone();649				let target_machines = parse_machines(650					initial_machines.clone(),651					machine,652					add_machine,653					remove_machine,654				)?;655656				if target_machines.is_empty() {657					info!("no machines left for secret, removing it");658					config.remove_shared(&name);659					return Ok(());660				}661662				let config_field = &config.config_field;663				let field = nix_go!(config_field.sharedSecrets[{ name }]);664				let expected_generation_data = nix_go_json!(field.expectedGenerationData);665666				let updated = maybe_regenerate_shared_secret(667					&name,668					config,669					secret,670					field,671					&target_machines,672					expected_generation_data,673					&prefer_identities,674					None,675				)676				.await?;677				config.replace_shared(name, updated);678			}679			Secret::Regenerate { prefer_identities } => {680				info!("checking for secrets to regenerate");681				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();682				{683					// Generate missing shared684					let shared_batch = None;685					let _span = info_span!("shared").entered();686					let expected_shared_set = config687						.list_configured_shared()688						.await?689						.into_iter()690						.collect::<HashSet<_>>();691					for missing in expected_shared_set.difference(&stored_shared_set) {692						let config_field = &config.config_field;693						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);694						let expected_generation_data: serde_json::Value =695							nix_go_json!(secret.expectedGenerationData);696						let expected_owners: Option<Vec<String>> =697							nix_go_json!(secret.expectedOwners);698						let Some(expected_owners) = expected_owners else {699							// Can't generate this missing secret, as it has no defined owners.700							continue;701						};702						info!("generating secret: {missing}");703						let shared = generate_shared(704							config,705							missing,706							secret,707							expected_owners,708							expected_generation_data,709							shared_batch.clone(),710						)711						.in_current_span()712						.await?;713						config.replace_shared(missing.to_string(), shared)714					}715				}716				let hosts_batch = None;717				for host in config.list_hosts().await? {718					if opts.should_skip(&host).await? {719						continue;720					}721722					let _span = info_span!("host", host = host.name).entered();723					let expected_set = host724						.list_configured_secrets()725						.in_current_span()726						.await?727						.into_iter()728						.collect::<HashSet<_>>();729					let stored_set = config730						.list_secrets(&host.name)731						.into_iter()732						.collect::<HashSet<_>>();733					for missing in expected_set.difference(&stored_set) {734						info!("generating secret: {missing}");735						let secret = host.secret_field(missing).in_current_span().await?;736						let expected_generation_data = nix_go_json!(secret.expectedGenerationData);737						let generated = match generate(738							config,739							missing,740							secret,741							&[host.name.clone()],742							expected_generation_data,743							hosts_batch.clone(),744						)745						.in_current_span()746						.await747						{748							Ok(v) => v,749							Err(e) => {750								error!("{e:?}");751								continue;752							}753						};754						config.insert_secret(&host.name, missing.to_string(), generated)755					}756					for name in stored_set {757						info!("updating secret: {name}");758						let data = config.host_secret(&host.name, &name)?;759						let secret = host.secret_field(&name).in_current_span().await?;760						let expected_generation_data = nix_go_json!(secret.expectedGenerationData);761						if secret_needs_regeneration(&data, &expected_generation_data) {762							let generated = match generate(763								config,764								&name,765								secret,766								&[host.name.clone()],767								expected_generation_data,768								hosts_batch.clone(),769							)770							.in_current_span()771							.await772							{773								Ok(v) => v,774								Err(e) => {775									error!("{e:?}");776									continue;777								}778							};779							config.insert_secret(&host.name, name.to_string(), generated)780						}781					}782				}783				let mut to_remove = Vec::new();784				for name in &stored_shared_set {785					info!("updating secret: {name}");786					let data = config.shared_secret(name)?;787					let config_field = &config.config_field;788					let expected_owners: Vec<String> =789						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);790					if expected_owners.is_empty() {791						warn!("secret was removed from fleet config: {name}, removing from data");792						to_remove.push(name.to_string());793						continue;794					}795796					let secret = nix_go!(config_field.sharedSecrets[{ name }]);797					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);798					config.replace_shared(799						name.to_owned(),800						maybe_regenerate_shared_secret(801							name,802							config,803							data,804							secret,805							&expected_owners,806							expected_generation_data,807							&prefer_identities,808							None,809						)810						.await?,811					);812				}813				for k in to_remove {814					config.remove_shared(&k);815				}816			}817			Secret::List {} => {818				let _span = info_span!("loading secrets").entered();819				let configured = config.list_configured_shared().await?;820				#[derive(Tabled)]821				struct SecretDisplay {822					#[tabled(rename = "Name")]823					name: String,824					#[tabled(rename = "Owners")]825					owners: String,826				}827				let mut table = vec![];828				for name in configured.iter().cloned() {829					let config = config.clone();830					let expected_owners = config.shared_secret_expected_owners(&name).await?;831					let data = config.shared_secret(&name)?;832					let owners = data833						.owners834						.iter()835						.map(|o| {836							if expected_owners.contains(o) {837								o.green().to_string()838							} else {839								o.red().to_string()840							}841						})842						.collect::<Vec<_>>();843					table.push(SecretDisplay {844						owners: owners.join(", "),845						name,846					})847				}848				info!("loaded\n{}", Table::new(table).to_string())849			}850			Secret::Edit {851				name,852				machine,853				part,854				add,855			} => {856				let secret = config.host_secret(&machine, &name)?;857				if let Some(data) = secret.parts.get(&part) {858					let host = config.host(&machine).await?;859					let secret = host.decrypt(data.raw.clone()).await?;860					String::from_utf8(secret).context("secret is not utf8")?861				} else if add {862					String::new()863				} else {864					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");865				};866			}867		}868		Ok(())869	}870}871872/*873async fn edit_temp_file(874	builder: tempfile::Builder<'_, '_>,875	r: Vec<u8>,876	header: &str,877	comment: &str,878) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {879	if !stdin().is_tty() {880		// TODO: Also try to open /dev/tty directly?881		bail!("stdin is not tty, can't open editor");882	}883884	use std::fmt::Write;885	let mut file = builder.tempfile()?;886887	let mut full_header = String::new();888	let mut had = false;889	for line in header.trim_end().lines() {890		had = true;891		writeln!(&mut full_header, "{comment}{line}")?;892	}893	if had {894		writeln!(&mut full_header, "{}", comment.trim_end())?;895	}896	writeln!(897		&mut full_header,898		"{comment}Do not touch this header! It will be removed automatically"899	)?;900901	file.write_all(full_header.as_bytes())?;902	file.write_all(&r)?;903904	let abs_path = file.into_temp_path();905	let editor = std::env::var_os("VISUAL")906		.or_else(|| std::env::var_os("EDITOR"))907		.unwrap_or_else(|| "vi".into());908	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())909		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;910	let editor_args = editor_args911		.into_iter()912		.map(|v| {913			// Only ASCII subsequences are replaced914			unsafe { OsString::from_encoded_bytes_unchecked(v) }915		})916		.collect_vec();917	let Some((editor, args)) = editor_args.split_first() else {918		bail!("EDITOR env var has no command");919	};920	let mut command = Command::new(editor);921	command.args(args);922923	let path_arg = abs_path.canonicalize()?;924925	// TODO: Save full state, using tcget/_getmode/_setmode926	let was_raw = terminal::is_raw_mode_enabled()?;927	terminal::enable_raw_mode()?;928929	let status = command.arg(path_arg).status().await;930931	if !was_raw {932		terminal::disable_raw_mode()?;933	}934935	let success = match status {936		Ok(s) => s.success(),937		Err(e) if e.kind() == io::ErrorKind::NotFound => {938			bail!("editor not found")939		}940		Err(e) => bail!("editor spawn error: {e}"),941	};942943	let mut file = std::fs::read(&abs_path).context("read editor output")?;944	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {945		todo!();946	};947	todo!();948949	// Ok((success, abs_path))950}951*/
after · cmds/fleet/src/cmds/secrets/mod.rs
1use std::{2	collections::{BTreeMap, BTreeSet, HashSet},3	io::{self, stdin, stdout, Read, Write},4	path::PathBuf,5};67use age::Recipient;8use anyhow::{anyhow, bail, ensure, Context, Result};9use chrono::{DateTime, Utc};10use clap::Parser;11use fleet_base::{12	fleetdata::{encrypt_secret_data, FleetSecret, FleetSecretPart, FleetSharedSecret},13	host::Config,14	opts::FleetOpts,15};16use fleet_shared::SecretData;17use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};18use owo_colors::OwoColorize;19use serde::Deserialize;20use tabled::{Table, Tabled};21use tokio::fs::read;22use tracing::{error, info, info_span, warn, Instrument};2324#[derive(Parser)]25pub enum Secret {26	/// Force load host keys for all defined hosts27	ForceKeys,28	/// Add secret, data should be provided in stdin29	AddShared {30		/// Secret name31		name: String,32		/// Secret owners33		#[clap(long, short)]34		machines: Vec<String>,35		/// Override secret if already present36		#[clap(long)]37		force: bool,38		/// Secret public part39		#[clap(long)]40		public: Option<String>,41		/// Load public part from specified file42		#[clap(long)]43		public_file: Option<PathBuf>,4445		/// Create a notification on secret expiration46		#[clap(long)]47		expires_at: Option<DateTime<Utc>>,4849		/// Secret with this name already exists, override its value while keeping the same owners.50		#[clap(long)]51		re_add: bool,5253		/// How to name public secret part54		#[clap(long, short = 'p', default_value = "public")]55		public_part: String,56		/// How to name private secret part57		#[clap(short = 's', long, default_value = "secret")]58		part: String,59	},60	/// Add secret, data should be provided in stdin61	Add {62		/// Secret name63		name: String,64		/// Secret owner65		#[clap(short = 'm', long)]66		machine: String,67		/// Replace secret if already present68		#[clap(long)]69		replace: bool,70		/// Add new parts to existing secret71		#[clap(long)]72		merge: bool,73		/// Secret public part74		#[clap(long)]75		public: Option<String>,76		/// Load public part from specified file77		#[clap(long)]78		public_file: Option<PathBuf>,7980		/// How to name public secret part81		#[clap(short = 'p', long, default_value = "public")]82		public_part: String,83		/// How to name private secret part84		#[clap(short = 's', long, default_value = "secret")]85		part: String,86	},87	/// Read secret from remote host, requires sudo on said host88	Read {89		name: String,90		#[clap(short = 'm', long)]91		machine: String,9293		/// Which private secret part to read94		#[clap(short = 'p', long, default_value = "secret")]95		part: String,96	},97	UpdateShared {98		name: String,99100		#[clap(short = 'm', long)]101		machine: Option<Vec<String>>,102103		#[clap(long)]104		add_machine: Vec<String>,105		#[clap(long)]106		remove_machine: Vec<String>,107108		/// Which host should we use to decrypt109		#[clap(long)]110		prefer_identities: Vec<String>,111	},112	Regenerate {113		/// Which host should we use to decrypt, in case if reencryption is required, without114		/// regeneration115		#[clap(long)]116		prefer_identities: Vec<String>,117		/// Only regenerate shared secrets118		#[clap(long)]119		skip_hosts: bool,120	},121	List {},122	Edit {123		name: String,124		#[clap(short = 'm', long)]125		machine: String,126127		#[clap(long)]128		add: bool,129130		/// Which private secret part to read131		#[clap(short = 'p', long, default_value = "secret")]132		part: String,133	},134}135136fn secret_needs_regeneration(137	secret: &FleetSecret,138	expected_generation_data: &serde_json::Value,139) -> bool {140	let data_is_expected = secret.generation_data == *expected_generation_data;141	// TODO: Leeway?142	let expired = secret143		.expires_at144		.map(|expiration| expiration < Utc::now())145		.unwrap_or(false);146	expired || !data_is_expected147}148149#[allow(clippy::too_many_arguments)]150#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]151async fn maybe_regenerate_shared_secret(152	secret_name: &str,153	config: &Config,154	mut secret: FleetSharedSecret,155	field: Value,156	expected_owners: &[String],157	expected_generation_data: serde_json::Value,158	prefer_identities: &[String],159	batch: Option<NixBuildBatch>,160) -> Result<FleetSharedSecret> {161	let original_set = secret.owners.clone();162163	let set = original_set.iter().collect::<BTreeSet<_>>();164	let expected_set = expected_owners.iter().collect::<BTreeSet<_>>();165166	let regeneration_required =167		secret_needs_regeneration(&secret.secret, &expected_generation_data);168169	if set == expected_set && !regeneration_required {170		info!("no need to update owner list, it is already correct");171		return Ok(secret);172	}173174	let should_regenerate = if regeneration_required {175		info!("secret has its generation data changed, regeneration is required");176		true177	} else if set.difference(&expected_set).next().is_some() {178		// TODO: Remove this warning for revokable secrets.179		warn!("host was removed from secret owners, but until this host rebuild, the secret will still be stored on it.");180		nix_go_json!(field.regenerateOnOwnerRemoved)181	} else if expected_set.difference(&set).next().is_some() {182		nix_go_json!(field.regenerateOnOwnerAdded)183	} else {184		false185	};186187	if should_regenerate {188		info!("secret needs to be regenerated");189		let generated = generate_shared(190			config,191			secret_name,192			field,193			expected_owners.to_vec(),194			expected_generation_data,195			batch,196		)197		.await?;198		Ok(generated)199	} else {200		drop(batch);201		let identity_holder = if !prefer_identities.is_empty() {202			prefer_identities203				.iter()204				.find(|i| original_set.iter().any(|s| s == *i))205		} else {206			secret.owners.first()207		};208		let Some(identity_holder) = identity_holder else {209			bail!("no available holder found");210		};211212		for (part_name, part) in secret.secret.parts.iter_mut() {213			let _span = info_span!("part reencryption", part_name);214			if !part.raw.encrypted {215				continue;216			}217			let host = config.host(identity_holder).await?;218			let encrypted = host219				.reencrypt(part.raw.clone(), expected_owners.to_vec())220				.await?;221			part.raw = encrypted;222		}223224		secret.owners = expected_owners.to_vec();225		Ok(secret)226	}227}228229#[derive(Deserialize)]230#[serde(rename_all = "camelCase")]231enum GeneratorKind {232	Impure,233	Pure,234}235236async fn generate_pure(237	_config: &Config,238	_display_name: &str,239	_secret: Value,240	_default_generator: Value,241	_owners: &[String],242) -> Result<FleetSecret> {243	bail!("pure generators are broken for now")244}245async fn generate_impure(246	config: &Config,247	_display_name: &str,248	secret: Value,249	default_generator: Value,250	expected_owners: &[String],251	expected_generation_data: serde_json::Value,252	batch: Option<NixBuildBatch>,253) -> Result<FleetSecret> {254	let generator = nix_go!(secret.generator);255	let on: Option<String> = nix_go_json!(default_generator.impureOn);256257	let host = if let Some(on) = &on {258		config.host(on).await?259	} else {260		config.local_host()261	};262	let on_pkgs = host.pkgs().await?;263	let call_package = nix_go!(on_pkgs.callPackage);264	let mk_secret_generators = nix_go!(on_pkgs.mkSecretGenerators);265266	let mut recipients = Vec::new();267	for owner in expected_owners {268		let key = config.key(owner).await?;269		recipients.push(key);270	}271	let generators = nix_go!(mk_secret_generators(Obj { recipients }));272273	let generator = nix_go!(call_package(generator)(generators));274275	let generator = generator.build_maybe_batch(batch).await?;276	let generator = generator277		.get("out")278		.ok_or_else(|| anyhow!("missing generateImpure out"))?;279	let generator = host.remote_derivation(generator).await?;280281	let out_parent = host.mktemp_dir().await?;282	let out = format!("{out_parent}/out");283284	let mut gen = host.cmd(generator).await?;285	gen.env("out", &out);286	if on.is_none() {287		// This path is local, thus we can feed `OsString` directly to env var... But I don't think that's necessary to handle.288		let project_path: String = config289			.directory290			.clone()291			.into_os_string()292			.into_string()293			.map_err(|s| anyhow!("fleet project path is not utf-8: {s:?}"))?;294		gen.env("FLEET_PROJECT", project_path);295	}296	gen.run().await.context("impure generator")?;297298	{299		let marker = host.read_file_text(format!("{out}/marker")).await?;300		ensure!(marker == "SUCCESS", "generation not succeeded");301	}302303	let mut parts = BTreeMap::new();304	for part in host.read_dir(&out).await? {305		if part == "created_at" || part == "expired_at" || part == "marker" {306			continue;307		}308		let contents: SecretData = host309			.read_file_text(format!("{out}/{part}"))310			.await?311			.parse()312			.map_err(|e| anyhow!("failed to decode secret {out:?} part {part:?}: {e}"))?;313		parts.insert(part.to_owned(), FleetSecretPart { raw: contents });314	}315316	let created_at = host.read_file_value(format!("{out}/created_at")).await?;317	let expires_at = host.read_file_value(format!("{out}/expires_at")).await.ok();318319	Ok(FleetSecret {320		created_at,321		expires_at,322		parts,323		generation_data: expected_generation_data,324	})325}326async fn generate(327	config: &Config,328	display_name: &str,329	secret: Value,330	expected_owners: &[String],331	expected_generation_data: serde_json::Value,332	batch: Option<NixBuildBatch>,333) -> Result<FleetSecret> {334	let generator = nix_go!(secret.generator);335	// Can't properly check on nix module system level336	{337		let gen_ty = generator.type_of().await?;338		if gen_ty == "null" {339			bail!("secret has no generator defined, can't automatically generate it.");340		}341		if gen_ty != "lambda" {342			bail!("generator should be lambda, got {gen_ty}");343		}344	}345	let default_pkgs = &config.default_pkgs;346	let default_call_package = nix_go!(default_pkgs.callPackage);347	let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);348	// Generators provide additional information in passthru, to access349	// passthru we should call generator, but information about where this generator is supposed to build350	// is located in passthru... Thus evaluating generator on host.351	//352	// Maybe it is also possible to do some magic with __functor?353	//354	// I don't want to make modules always responsible for additional secret data anyway,355	// so it should be in derivation, and not in the secret data itself.356	let generators = nix_go!(default_mk_secret_generators(Obj {357		recipients: <Vec<String>>::new(),358	}));359	let default_generator = nix_go!(default_call_package(generator)(generators));360361	let kind: GeneratorKind = nix_go_json!(default_generator.generatorKind);362363	match kind {364		GeneratorKind::Impure => {365			generate_impure(366				config,367				display_name,368				secret,369				default_generator,370				expected_owners,371				expected_generation_data,372				batch,373			)374			.await375		}376		GeneratorKind::Pure => {377			generate_pure(378				config,379				display_name,380				secret,381				default_generator,382				expected_owners,383			)384			.await385		}386	}387}388async fn generate_shared(389	config: &Config,390	display_name: &str,391	secret: Value,392	expected_owners: Vec<String>,393	expected_generation_data: serde_json::Value,394	batch: Option<NixBuildBatch>,395) -> Result<FleetSharedSecret> {396	// let owners: Vec<String> = nix_go_json!(secret.expectedOwners);397	Ok(FleetSharedSecret {398		secret: generate(399			config,400			display_name,401			secret,402			&expected_owners,403			expected_generation_data,404			batch,405		)406		.await?,407		owners: expected_owners,408	})409}410411async fn parse_public(412	public: Option<String>,413	public_file: Option<PathBuf>,414) -> Result<Option<SecretData>> {415	Ok(match (public, public_file) {416		(Some(v), None) => Some(SecretData {417			data: v.into(),418			encrypted: false,419		}),420		(None, Some(v)) => Some(SecretData {421			data: read(v).await?,422			encrypted: false,423		}),424		(Some(_), Some(_)) => {425			bail!("only public or public_file should be set")426		}427		(None, None) => None,428	})429}430431async fn parse_secret() -> Result<Option<Vec<u8>>> {432	let mut input = vec![];433	stdin().read_to_end(&mut input)?;434	if input.is_empty() {435		Ok(None)436	} else {437		Ok(Some(input))438	}439}440441fn parse_machines(442	initial: Vec<String>,443	machines: Option<Vec<String>>,444	mut add_machines: Vec<String>,445	mut remove_machines: Vec<String>,446) -> Result<Vec<String>> {447	if machines.is_none() && add_machines.is_empty() && remove_machines.is_empty() {448		bail!("no operation");449	}450451	let initial_machines = initial.clone();452	let mut target_machines = initial;453	info!("Currently encrypted for {initial_machines:?}");454455	// ensure!(machines.is_some() || !add_machines.is_empty() || )456	if let Some(machines) = machines {457		ensure!(458			add_machines.is_empty() && remove_machines.is_empty(),459			"can't combine --machines and --add-machines/--remove-machines"460		);461		let target = initial_machines.iter().collect::<HashSet<_>>();462		let source = machines.iter().collect::<HashSet<_>>();463		for removed in target.difference(&source) {464			remove_machines.push((*removed).clone());465		}466		for added in source.difference(&target) {467			add_machines.push((*added).clone());468		}469	}470471	for machine in &remove_machines {472		let mut removed = false;473		while let Some(pos) = target_machines.iter().position(|m| m == machine) {474			target_machines.swap_remove(pos);475			removed = true;476		}477		if !removed {478			warn!("secret is not enabled for {machine}");479		}480	}481	for machine in &add_machines {482		if target_machines.iter().any(|m| m == machine) {483			warn!("secret is already added to {machine}");484		} else {485			target_machines.push(machine.to_owned());486		}487	}488	if !remove_machines.is_empty() {489		// TODO: maybe force secret regeneration?490		// Not that useful without revokation.491		warn!("secret will not be regenerated for removed machines, and until host rebuild, they will still possess the ability to decode secret");492	}493	Ok(target_machines)494}495impl Secret {496	pub async fn run(self, config: &Config, opts: &FleetOpts) -> Result<()> {497		match self {498			Secret::ForceKeys => {499				for host in config.list_hosts().await? {500					if opts.should_skip(&host).await? {501						continue;502					}503					config.key(&host.name).await?;504				}505			}506			Secret::AddShared {507				mut machines,508				name,509				force,510				public,511				public_part: public_name,512				public_file,513				expires_at,514				re_add,515				part: part_name,516			} => {517				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).518519				let exists = config.has_shared(&name);520				if exists && !force && !re_add {521					bail!("secret already defined");522				}523				if re_add {524					// Fixme: use clap to limit this usage525					ensure!(!force, "--force and --readd are not compatible");526					ensure!(exists, "secret doesn't exists");527					ensure!(528						machines.is_empty(),529						"you can't use machines argument for --readd"530					);531					let shared = config.shared_secret(&name)?;532					machines = shared.owners;533				}534535				let recipients = config.recipients(machines.clone()).await?;536537				let mut parts = BTreeMap::new();538539				let mut input = vec![];540				io::stdin().read_to_end(&mut input)?;541542				if !input.is_empty() {543					let encrypted =544						encrypt_secret_data(recipients.iter().map(|r| r as &dyn Recipient), input)545							.ok_or_else(|| anyhow!("no recipients provided"))?;546					parts.insert(part_name, FleetSecretPart { raw: encrypted });547				}548549				if let Some(public) = parse_public(public, public_file).await? {550					parts.insert(public_name, FleetSecretPart { raw: public });551				}552553				config.replace_shared(554					name,555					FleetSharedSecret {556						owners: machines,557						secret: FleetSecret {558							created_at: Utc::now(),559							expires_at,560							parts,561							generation_data: serde_json::Value::Null,562						},563					},564				);565			}566			Secret::Add {567				machine,568				name,569				replace,570				merge,571				public,572				public_part: public_name,573				public_file,574				part: part_name,575			} => {576				if config.has_secret(&machine, &name) && !replace && !merge {577					bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");578				}579580				let mut out = if merge && !replace {581					config582						.host_secret(&machine, &name)583						.context("failed to read existing secret for --merge")?584				} else {585					FleetSecret {586						created_at: Utc::now(),587						expires_at: None,588						parts: BTreeMap::new(),589						generation_data: serde_json::Value::Null,590					}591				};592593				if let Some(secret) = parse_secret().await? {594					let recipient = config.recipient(&machine).await?;595					let encrypted = encrypt_secret_data([&recipient as &dyn Recipient], secret)596						.expect("recipient provided");597					if out598						.parts599						.insert(part_name.clone(), FleetSecretPart { raw: encrypted })600						.is_some() && !replace601					{602						bail!("part {part_name:?} is already defined");603					}604				}605606				if let Some(public) = parse_public(public, public_file).await? {607					if out608						.parts609						.insert(public_name.clone(), FleetSecretPart { raw: public })610						.is_some() && !replace611					{612						bail!("part {public_name:?} is already defined");613					}614				};615616				config.insert_secret(&machine, name, out);617			}618			#[allow(clippy::await_holding_refcell_ref)]619			Secret::Read {620				name,621				machine,622				part: part_name,623			} => {624				let secret = config.host_secret(&machine, &name)?;625				let Some(secret) = secret.parts.get(&part_name) else {626					bail!("no part {part_name} in secret {name}");627				};628				let data = if secret.raw.encrypted {629					let host = config.host(&machine).await?;630					host.decrypt(secret.raw.clone()).await?631				} else {632					secret.raw.data.clone()633				};634635				stdout().write_all(&data)?;636			}637			Secret::UpdateShared {638				name,639				machine,640				add_machine,641				remove_machine,642				prefer_identities,643			} => {644				// TODO: Forbid updating secrets with set expectedOwners (= not user-managed).645646				let secret = config.shared_secret(&name)?;647				if secret.secret.parts.values().all(|v| !v.raw.encrypted) {648					bail!("no secret");649				}650651				let initial_machines = secret.owners.clone();652				let target_machines = parse_machines(653					initial_machines.clone(),654					machine,655					add_machine,656					remove_machine,657				)?;658659				if target_machines.is_empty() {660					info!("no machines left for secret, removing it");661					config.remove_shared(&name);662					return Ok(());663				}664665				let config_field = &config.config_field;666				let field = nix_go!(config_field.sharedSecrets[{ name }]);667				let expected_generation_data = nix_go_json!(field.expectedGenerationData);668669				let updated = maybe_regenerate_shared_secret(670					&name,671					config,672					secret,673					field,674					&target_machines,675					expected_generation_data,676					&prefer_identities,677					None,678				)679				.await?;680				config.replace_shared(name, updated);681			}682			Secret::Regenerate {683				prefer_identities,684				skip_hosts,685			} => {686				info!("checking for secrets to regenerate");687				let stored_shared_set = config.list_shared().into_iter().collect::<HashSet<_>>();688				{689					// Generate missing shared690					let shared_batch = None;691					let _span = info_span!("shared").entered();692					let expected_shared_set = config693						.list_configured_shared()694						.await?695						.into_iter()696						.collect::<HashSet<_>>();697					for missing in expected_shared_set.difference(&stored_shared_set) {698						let config_field = &config.config_field;699						let secret = nix_go!(config_field.sharedSecrets[{ missing }]);700						let expected_generation_data: serde_json::Value =701							nix_go_json!(secret.expectedGenerationData);702						let expected_owners: Option<Vec<String>> =703							nix_go_json!(secret.expectedOwners);704						let Some(expected_owners) = expected_owners else {705							// Can't generate this missing secret, as it has no defined owners.706							continue;707						};708						info!("generating secret: {missing}");709						let shared = generate_shared(710							config,711							missing,712							secret,713							expected_owners,714							expected_generation_data,715							shared_batch.clone(),716						)717						.in_current_span()718						.await?;719						config.replace_shared(missing.to_string(), shared)720					}721				}722				if !skip_hosts {723					let hosts_batch = None;724					for host in config.list_hosts().await? {725						if opts.should_skip(&host).await? {726							continue;727						}728729						let _span = info_span!("host", host = host.name).entered();730						let expected_set = host731							.list_configured_secrets()732							.in_current_span()733							.await?734							.into_iter()735							.collect::<HashSet<_>>();736						let stored_set = config737							.list_secrets(&host.name)738							.into_iter()739							.collect::<HashSet<_>>();740						for missing in expected_set.difference(&stored_set) {741							info!("generating secret: {missing}");742							let secret = host.secret_field(missing).in_current_span().await?;743							let expected_generation_data =744								nix_go_json!(secret.expectedGenerationData);745							let generated = match generate(746								config,747								missing,748								secret,749								&[host.name.clone()],750								expected_generation_data,751								hosts_batch.clone(),752							)753							.in_current_span()754							.await755							{756								Ok(v) => v,757								Err(e) => {758									error!("{e:?}");759									continue;760								}761							};762							config.insert_secret(&host.name, missing.to_string(), generated)763						}764						for name in stored_set {765							info!("updating secret: {name}");766							let data = config.host_secret(&host.name, &name)?;767							let secret = host.secret_field(&name).in_current_span().await?;768							let expected_generation_data =769								nix_go_json!(secret.expectedGenerationData);770							if secret_needs_regeneration(&data, &expected_generation_data) {771								let generated = match generate(772									config,773									&name,774									secret,775									&[host.name.clone()],776									expected_generation_data,777									hosts_batch.clone(),778								)779								.in_current_span()780								.await781								{782									Ok(v) => v,783									Err(e) => {784										error!("{e:?}");785										continue;786									}787								};788								config.insert_secret(&host.name, name.to_string(), generated)789							}790						}791					}792				}793				let mut to_remove = Vec::new();794				for name in &stored_shared_set {795					info!("updating secret: {name}");796					let data = config.shared_secret(name)?;797					let config_field = &config.config_field;798					let expected_owners: Vec<String> =799						nix_go_json!(config_field.sharedSecrets[{ name }].expectedOwners);800					if expected_owners.is_empty() {801						warn!("secret was removed from fleet config: {name}, removing from data");802						to_remove.push(name.to_string());803						continue;804					}805806					let secret = nix_go!(config_field.sharedSecrets[{ name }]);807					let expected_generation_data = nix_go_json!(secret.expectedGenerationData);808					config.replace_shared(809						name.to_owned(),810						maybe_regenerate_shared_secret(811							name,812							config,813							data,814							secret,815							&expected_owners,816							expected_generation_data,817							&prefer_identities,818							None,819						)820						.await?,821					);822				}823				for k in to_remove {824					config.remove_shared(&k);825				}826			}827			Secret::List {} => {828				let _span = info_span!("loading secrets").entered();829				let configured = config.list_configured_shared().await?;830				#[derive(Tabled)]831				struct SecretDisplay {832					#[tabled(rename = "Name")]833					name: String,834					#[tabled(rename = "Owners")]835					owners: String,836				}837				let mut table = vec![];838				for name in configured.iter().cloned() {839					let config = config.clone();840					let expected_owners = config.shared_secret_expected_owners(&name).await?;841					let data = config.shared_secret(&name)?;842					let owners = data843						.owners844						.iter()845						.map(|o| {846							if expected_owners.contains(o) {847								o.green().to_string()848							} else {849								o.red().to_string()850							}851						})852						.collect::<Vec<_>>();853					table.push(SecretDisplay {854						owners: owners.join(", "),855						name,856					})857				}858				info!("loaded\n{}", Table::new(table).to_string())859			}860			Secret::Edit {861				name,862				machine,863				part,864				add,865			} => {866				let secret = config.host_secret(&machine, &name)?;867				if let Some(data) = secret.parts.get(&part) {868					let host = config.host(&machine).await?;869					let secret = host.decrypt(data.raw.clone()).await?;870					String::from_utf8(secret).context("secret is not utf8")?871				} else if add {872					String::new()873				} else {874					bail!("part {part} not found in secret {name}. Did you mean to `--add` it?");875				};876			}877		}878		Ok(())879	}880}881882/*883async fn edit_temp_file(884	builder: tempfile::Builder<'_, '_>,885	r: Vec<u8>,886	header: &str,887	comment: &str,888) -> Result<(Vec<u8>, Option<String>), anyhow::Error> {889	if !stdin().is_tty() {890		// TODO: Also try to open /dev/tty directly?891		bail!("stdin is not tty, can't open editor");892	}893894	use std::fmt::Write;895	let mut file = builder.tempfile()?;896897	let mut full_header = String::new();898	let mut had = false;899	for line in header.trim_end().lines() {900		had = true;901		writeln!(&mut full_header, "{comment}{line}")?;902	}903	if had {904		writeln!(&mut full_header, "{}", comment.trim_end())?;905	}906	writeln!(907		&mut full_header,908		"{comment}Do not touch this header! It will be removed automatically"909	)?;910911	file.write_all(full_header.as_bytes())?;912	file.write_all(&r)?;913914	let abs_path = file.into_temp_path();915	let editor = std::env::var_os("VISUAL")916		.or_else(|| std::env::var_os("EDITOR"))917		.unwrap_or_else(|| "vi".into());918	let editor_args = shlex::bytes::split(editor.as_encoded_bytes())919		.ok_or_else(|| anyhow!("EDITOR env var has wrong syntax"))?;920	let editor_args = editor_args921		.into_iter()922		.map(|v| {923			// Only ASCII subsequences are replaced924			unsafe { OsString::from_encoded_bytes_unchecked(v) }925		})926		.collect_vec();927	let Some((editor, args)) = editor_args.split_first() else {928		bail!("EDITOR env var has no command");929	};930	let mut command = Command::new(editor);931	command.args(args);932933	let path_arg = abs_path.canonicalize()?;934935	// TODO: Save full state, using tcget/_getmode/_setmode936	let was_raw = terminal::is_raw_mode_enabled()?;937	terminal::enable_raw_mode()?;938939	let status = command.arg(path_arg).status().await;940941	if !was_raw {942		terminal::disable_raw_mode()?;943	}944945	let success = match status {946		Ok(s) => s.success(),947		Err(e) if e.kind() == io::ErrorKind::NotFound => {948			bail!("editor not found")949		}950		Err(e) => bail!("editor spawn error: {e}"),951	};952953	let mut file = std::fs::read(&abs_path).context("read editor output")?;954	let Some(v) = file.strip_prefix(full_header.as_bytes()) else {955		todo!();956	};957	todo!();958959	// Ok((success, abs_path))960}961*/