

refactor prepare batching for secrets

Yaroslav Bolyukin2024-11-14parent: #e7a5b5f.patch.diff
in: trunk

1 file changed

modifiedcmds/fleet/src/cmds/secrets/mod.rsdiffbeforeafterboth
13 opts::FleetOpts,13 opts::FleetOpts,
14};14};
15use fleet_shared::SecretData;15use fleet_shared::SecretData;
16use nix_eval::{nix_go, nix_go_json, Value};16use nix_eval::{nix_go, nix_go_json, NixBuildBatch, Value};
17use owo_colors::OwoColorize;17use owo_colors::OwoColorize;
18use serde::Deserialize;18use serde::Deserialize;
19use tabled::{Table, Tabled};19use tabled::{Table, Tabled};
129 },129 },
130}130}
131131
132#[tracing::instrument(skip(config, secret, field, prefer_identities))]132#[tracing::instrument(skip(config, secret, field, prefer_identities, batch))]
133async fn update_owner_set(133async fn update_owner_set(
134 secret_name: &str,134 secret_name: &str,
135 config: &Config,135 config: &Config,
136 mut secret: FleetSharedSecret,136 mut secret: FleetSharedSecret,
137 field: Value,137 field: Value,
138 updated_set: &[String],138 updated_set: &[String],
139 prefer_identities: &[String],139 prefer_identities: &[String],
140 batch: Option<NixBuildBatch>,
140) -> Result<FleetSharedSecret> {141) -> Result<FleetSharedSecret> {
141 let original_set = secret.owners.clone();142 let original_set = secret.owners.clone();
142143
160161
161 if should_regenerate {162 if should_regenerate {
162 info!("secret is owner-dependent, will regenerate");163 info!("secret is owner-dependent, will regenerate");
163 let generated = generate_shared(config, secret_name, field, updated_set.to_vec()).await?;164 let generated = generate_shared(config, secret_name, field, updated_set.to_vec(), batch).await?;
164 Ok(generated)165 Ok(generated)
165 } else {166 } else {
167 drop(batch);
166 let identity_holder = if !prefer_identities.is_empty() {168 let identity_holder = if !prefer_identities.is_empty() {
167 prefer_identities169 prefer_identities
168 .iter()170 .iter()
213 secret: Value,215 secret: Value,
214 default_generator: Value,216 default_generator: Value,
215 owners: &[String],217 owners: &[String],
218 batch: Option<NixBuildBatch>,
216) -> Result<FleetSecret> {219) -> Result<FleetSecret> {
217 let generator = nix_go!(secret.generator);220 let generator = nix_go!(secret.generator);
218 let on: Option<String> = nix_go_json!(default_generator.impureOn);221 let on: Option<String> = nix_go_json!(default_generator.impureOn);
235238
236 let generator = nix_go!(call_package(generator)(generators));239 let generator = nix_go!(call_package(generator)(generators));
237240
238 let generator = generator.build().await?;241 let generator = generator.build_maybe_batch(batch).await?;
239 let generator = generator242 let generator = generator
240 .get("out")243 .get("out")
241 .ok_or_else(|| anyhow!("missing generateImpure out"))?;244 .ok_or_else(|| anyhow!("missing generateImpure out"))?;
290 display_name: &str,293 display_name: &str,
291 secret: Value,294 secret: Value,
292 owners: &[String],295 owners: &[String],
296 batch: Option<NixBuildBatch>,
293) -> Result<FleetSecret> {297) -> Result<FleetSecret> {
294 let generator = nix_go!(secret.generator);298 let generator = nix_go!(secret.generator);
295 // Can't properly check on nix module system level299 // Can't properly check on nix module system level
331 display_name,
332 secret,
333 default_generator,
334 owners,
335 batch,
336 )
337 .await
326 }338 }
334 display_name: &str,346 display_name: &str,
335 secret: Value,347 secret: Value,
336 expected_owners: Vec<String>,348 expected_owners: Vec<String>,
349 batch: Option<NixBuildBatch>,
337) -> Result<FleetSharedSecret> {350) -> Result<FleetSharedSecret> {
338 // let owners: Vec<String> = nix_go_json!(secret.expectedOwners);351 // let owners: Vec<String> = nix_go_json!(secret.expectedOwners);
339 Ok(FleetSharedSecret {352 Ok(FleetSharedSecret {
340 secret: generate(config, display_name, secret, &expected_owners).await?,353 secret: generate(config, display_name, secret, &expected_owners, batch).await?,
341 owners: expected_owners,354 owners: expected_owners,
342 })355 })
343}356}
603 field,616 field,
604 &target_machines,617 &target_machines,
605 &prefer_identities,618 &prefer_identities,
619 None,
606 )620 )
607 .await?;621 .await?;
608 config.replace_shared(name, updated);622 config.replace_shared(name, updated);
609 }623 }
610 Secret::Regenerate { prefer_identities } => {624 Secret::Regenerate { prefer_identities } => {
611 info!("checking for secrets to regenerate");625 info!("checking for secrets to regenerate");
612 {626 {
627 let shared_batch = None;
613 let _span = info_span!("shared").entered();628 let _span = info_span!("shared").entered();
614 let expected_shared_set = config629 let expected_shared_set = config
615 .list_configured_shared()630 .list_configured_shared()
646 config,
647 missing,
648 secret,
649 expected_owners,
650 shared_batch.clone(),
651 )
631 .in_current_span()652 .in_current_span()
632 .await?;653 .await?;
633 config.replace_shared(missing.to_string(), shared)654 config.replace_shared(missing.to_string(), shared)
634 }655 }
635 }656 }
657 let hosts_batch = None;
636 for host in config.list_hosts().await? {658 for host in config.list_hosts().await? {
637 if opts.should_skip(&host).await? {659 if opts.should_skip(&host).await? {
638 continue;660 continue;
656 match generate(config, missing, secret, &[host.name.clone()])678 config,
679 missing,
680 secret,
681 &[host.name.clone()],
682 hosts_batch.clone(),
683 )
657 .in_current_span()684 .in_current_span()
658 .await685 .await
689 secret,716 secret,
690 &expected_owners,717 &expected_owners,
691 &prefer_identities,718 &prefer_identities,
719 None,
692 )720 )
693 .await?,721 .await?,
694 );722 );