git.delta.rocks / jrsonnet / refs/commits / bd8e3e569d41


feat fleet secret add --merge cli flag

Yaroslav Bolyukin2024-07-05parent: #0528ea1.patch.diff
in: trunk

1 file changed

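--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -66,9 +66,12 @@
 /// Secret owner
 #[clap(short = 'm', long)]
 machine: String,
-/// Override secret if already present
+/// Replace secret if already present
 #[clap(long)]
-force: bool,
+replace: bool,
+/// Add new parts to existing secret
+#[clap(long)]
+merge: bool,
 /// Secret public part
 #[clap(long)]
 public: Option<String>,
@@ -500,37 +503,52 @@
 Secret::Add {
 machine,
 name,
-force,
+replace,
+merge,
 public,
 public_part: public_name,
 public_file,
 part: part_name,
 } => {
-if config.has_secret(&machine, &name) && !force {
-bail!("secret already defined");
+if config.has_secret(&machine, &name) && !replace && !merge {
+bail!("secret already defined.\nUse --replace to override, or --merge to add new parts to existing secret");
 }
 
-let mut parts = BTreeMap::new();
+let mut out = if merge && !replace {
+config
+.host_secret(&machine, &name)
+.context("failed to read existing secret for --merge")?
+} else {
+FleetSecret {
+created_at: Utc::now(),
+expires_at: None,
+parts: BTreeMap::new(),
+}
+};
 
 if let Some(secret) = parse_secret().await? {
 let recipient = config.recipient(&machine).await?;
 let encrypted =
 encrypt_secret_data(vec![recipient], secret).expect("recipient provided");
-parts.insert(part_name, FleetSecretPart { raw: encrypted });
+if out
+.parts
+.insert(part_name.clone(), FleetSecretPart { raw: encrypted })
+.is_some() && !replace
+{
+bail!("part {part_name:?} is already defined");
+}
 }
 
 if let Some(public) = parse_public(public, public_file).await? {
-parts.insert(public_name, FleetSecretPart { raw: public });
+if out
+.parts
+.insert(public_name.clone(), FleetSecretPart { raw: public })
+.is_some() && !replace
+{
+bail!("part {public_name:?} is already defined");
+}
 };
 
-config.insert_secret(
-&machine,
-name,
-FleetSecret {
-created_at: Utc::now(),
-expires_at: None,
-parts,
-},
-);
+config.insert_secret(&machine, name, out);
 }
 #[allow(clippy::await_holding_refcell_ref)]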
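Review bot: Passing `--replace` together with `--merge` silently takes the replace path: `let mut out = if merge && !replace` falls through to a fresh `FleetSecret`, so every existing part of the secret is discarded and `--merge` has no effect. In a secrets store that is a quiet data-loss path, and it also leaves the per-part `.is_some() && !replace` checks reachable only when the two part names collide. Declaring the flags mutually exclusive on the field, e.g. `#[clap(long, conflicts_with = "replace")]` on `merge`, would make clap reject the combination, after which the branch can read `if merge {`. Separately, `--merge` on a secret that does not exist yet appears to fail inside `host_secret` (its body is not shown here), which is worth stating in the `merge` doc comment. The `Secret::Add` arm sits in a function that starts and ends outside the visible lines.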