

feat support secrets without secret data

Yaroslav Bolyukin2021-11-13parent: #4ab80d6.patch.diff
in: trunk

4 files changed

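--- a/cmds/fleet/src/cmds/secrets/mod.rs
+++ b/cmds/fleet/src/cmds/secrets/mod.rs
@@ -70,6 +70,9 @@
  let mut input = vec![];
  io::stdin().read_to_end(&mut input)?;
 
+ if input.is_empty() {
+ input
+ } else {
  let mut encrypted = vec![];
  let recipients = recipients
  .iter()
@@ -81,6 +84,7 @@
  io::copy(&mut Cursor::new(input), &mut encryptor)?;
  encryptor.finish()?;
  encrypted
+ }
  };
 
  let mut data = config.data_mut();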
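Review bot: An empty stdin is now silently taken to mean "this secret has no data", so a pipeline whose producer failed and printed nothing (`cmd | fleet secrets add name`) or a redirect from the wrong file stores an entry with no payload instead of raising an error. The fallthrough `if input.is_empty() { input }` cannot tell that apart from an intentional public-only secret; I would gate it on an explicit opt-in on the command, along the lines of `if input.is_empty() && !public_only { return Err(… "no secret data on stdin; pass --public-only to create a secret without data" …) }`, and only then store the empty vector. The `let … = { … };` block this lives in starts above the first hunk and the command's argument parsing is outside the hunk, so the flag name and error type are for the author to pick.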
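--- a/cmds/fleet/src/fleetdata.rs
+++ b/cmds/fleet/src/fleetdata.rs
@@ -40,3 +40,8 @@
  #[serde(skip_serializing_if = "Option::is_none")]
  pub public: Option<String>,
- #[serde(serialize_with = "as_z85", deserialize_with = "from_z85")]
+ #[serde(
+ default,
+ skip_serializing_if = "Vec::is_empty",
+ serialize_with = "as_z85",
+ deserialize_with = "from_z85"
+ )]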
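Review bot: The `default` + `skip_serializing_if = "Vec::is_empty"` pair makes a zero-length vector the in-band marker for "no secret data" on this field (its declaration sits just below the hunk), while `install-secrets` in the same commit models the absence as `Option<Vec<u8>>`, so the two sides only agree as long as nothing ever round-trips an entry whose payload is genuinely empty. Consider `Option<Vec<u8>>` here too with `skip_serializing_if = "Option::is_none"`, which would also need matching signatures on the `as_z85`/`from_z85` helpers outside the hunk. If the sentinel stays, document it on the field: `/// Encrypted secret payload; an empty vector means the entry carries only a public part and nothing is installed on hosts.`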
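--- a/cmds/install-secrets/src/main.rs
+++ b/cmds/install-secrets/src/main.rs
@@ -29,16 +29,21 @@
  mode: String,
  owner: String,
  #[serde(deserialize_with = "from_z85")]
- secret: Vec<u8>,
+ secret: Option<Vec<u8>>,
 }
 
-fn from_z85<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
+fn from_z85<'de, D>(deserializer: D) -> Result<Option<Vec<u8>>, D::Error>
 where
  D: Deserializer<'de>,
 {
  use serde::de::Error;
- String::deserialize(deserializer)
- .and_then(|string| z85::decode(&string).map_err(|err| Error::custom(err.to_string())))
+ if let Some(v) = <Option<String>>::deserialize(deserializer)? {
+ Ok(Some(
+ z85::decode(&v).map_err(|err| Error::custom(err.to_string()))?,
+ ))
+ } else {
+ Ok(None)
+ }
 }
 
 type Data = HashMap<String, DataItem>;
@@ -49,5 +54,10 @@
  name: &str,
  value: DataItem,
 ) -> Result<()> {
+ if value.secret.is_none() {
+ return Ok(());
+ }
+ let secret = value.secret.as_ref().unwrap();
+
  let mut path = dir.to_path_buf();
  path.push(name);
@@ -88,7 +98,7 @@
  // File is owned by root, and only root can modify it
 
  let decrypted = {
- let mut input = Cursor::new(&value.secret);
+ let mut input = Cursor::new(&secret);
  let decryptor = Decryptor::new(&mut input).context("failed to init decryptor")?;
  let decryptor = match decryptor {
  Decryptor::Recipients(r) => r,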
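Review bot: The early return in the second hunk only fires when the `secret` key is absent, so a present-but-empty value (`"secret": ""`, which `from_z85` turns into `Some(vec![])` assuming the z85 decoder accepts an empty string) falls through to `Decryptor::new` on zero bytes and fails with "failed to init decryptor" — and the nix module in this same commit defines `secret = ""` for public-only secrets. Treat both as "nothing to install" and drop the `is_none()`/`unwrap()` pair for a single binding: `let secret = match value.secret.as_deref() { None | Some([]) => return Ok(()), Some(s) => s };`, after which `Cursor::new(secret)` in the third hunk no longer needs the extra `&`. Since this skips the entry silently while `path` elsewhere still names the file, a log line at the return would save whoever debugs a missing `/run/secrets/<name>`. The function's signature starts above the second hunk and its body continues past the third, so the rest of the flow is not visible here.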
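--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -3,7 +3,9 @@
  sysConfig = config;
  secretType = types.submodule ({ config, ... }: {
  config = {
- path = mkOptionDefault "/run/secrets/${config._module.args.name}";
+ path = mkOptionDefault (if config.secret == null then (error "secret is not set") else "/run/secrets/${config._module.args.name}");
+ publicPath = mkOptionDefault (pkgs.writeText "pub-${config._module.args.name}" config.public);
+ secret = mkIf (config.public != null) "";
  };
  options = {
  public = mkOption {
@@ -12,7 +14,7 @@
  default = null;
  };
  secret = mkOption {
- type = types.str;
+ type = types.nullOr types.str;
  description = "Encrypted secret data";
  };
  mode = mkOption {
@@ -36,6 +38,11 @@
  readOnly = true;
  description = "Path to the decrypted secret";
  };
+ publicPath = mkOption {
+ type = types.package;
+ readOnly = true;
+ description = "Path to the public part of secret";
+ };
  };
  });
  secretsFile = pkgs.writeTextFile {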
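Review bot: `secret = mkIf (config.public != null) "";` in the first hunk is an ordinary definition, not a default, so a secret that sets both `public` and its own `secret` should now fail with a conflicting-definitions error under `types.str` merging (unless something outside this file lowers its priority), and the value it injects is `""` rather than `null`, which means the `config.secret == null` guard on `path` never applies to a public-only secret and the generated secrets file carries an empty string instead of a missing key. `secret = mkIf (config.public != null) (mkDefault null);` keeps a user-provided value winning and makes the no-data case genuinely absent, matching the `Option` the installer expects. Two smaller things: `error "secret is not set"` relies on `error` being bound in the surrounding `let` (it is not a Nix builtin; `throw` is the usual spelling), and `publicPath` evaluates `pkgs.writeText … config.public` with the default `public = null`, so reading it on a data-only secret fails with a type error rather than a message — guard it the same way as `path`.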