Skip to content

Add "--value-file" option to "sops set [...]" #1876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add "--value-file" option to "sops set [...]" #1876

wants to merge 1 commit into from

Conversation

bjornfor
Copy link

This allows running "sops set [...]" without leaking secrets in process
listings.

To read secrets from stdin, use "/dev/stdin" as the file path.

Fixes #729

I'm not a go programmer, please review carefully :-)

@bjornfor bjornfor mentioned this pull request Jun 22, 2025
Closed
@bjornfor bjornfor force-pushed the set-value-from-file branch from a241b77 to 0efd03e Compare June 22, 2025 21:41
@bjornfor
Copy link
Author

About the CI failure; make test succeeds on my machine.

I amended the commit to include sign-off. When is CI going to be run again? (It's been 8+ hours.)

@felixfontein
Copy link
Contributor

About the CI failure; make test succeeds on my machine.

That runs the unit tests; these also pass in CI. What fails are the functional tests (make functional-tests).

When is CI going to be run again? (It's been 8+ hours.)

When someone with appropriate rights presses the buttons. Please remember that we are volunteers who do this in their free time.

@bjornfor
Copy link
Author

About the CI failure; make test succeeds on my machine.

That runs the unit tests; these also pass in CI. What fails are the functional tests (make functional-tests).

Ok, thanks. I can reproduce the make functional-tests errors locally, so I can start looking at them now.

When is CI going to be run again? (It's been 8+ hours.)

When someone with appropriate rights presses the buttons. Please remember that we are volunteers who do this in their free time.

Oh, sorry, I thought it was automatic, and given the short time spent on "make test" locally I was surprised about 8+ hour latency on github 🙈

@bjornfor bjornfor force-pushed the set-value-from-file branch from 0efd03e to ee2de08 Compare June 23, 2025 20:56
@bjornfor
Copy link
Author

Functional tests are passing locally now (except for publish_json_file_vault and publish_json_file_vault_version_1 which fail in main branch for me).

I'll try to create a functional test for the new "--value-file" option tomorrow.

@bjornfor bjornfor force-pushed the set-value-from-file branch 2 times, most recently from 6e2475f to 5fe0683 Compare June 24, 2025 18:50
@bjornfor
Copy link
Author

Hm. The first full make functional-tests fails on my new test. Then, running (cd functional-tests && cargo test set_json_file_insert) allows my new test, and the test I based it upon, to succeed. And after that make functional-tests works again.

Where's the state that makes the test non-deterministic? How to get rid of it?

@bjornfor
Copy link
Author

Where's the state that makes the test non-deterministic? How to get rid of it?

It seems test order is random, and some orders work, some does not:

  • (cd functional-tests && cargo test set_json_file_insert) seems to always work.
  • (cd functional-tests && cargo test) sometimes fails.

I based the new test, set_json_file_insert_with_value_file, on the existing set_json_file_insert and I'm surprised to see this difference.

Actually, it might be more nuanced than test order: I ran for i in $(seq 1000); do echo "i=$i"; (cd functional-tests && cargo test set_json_file_insert); echo $? >> results.txt; done and got 8/1000 failures.

@bjornfor
Copy link
Author

Here's the output of a failing/racy run:

i=930                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
    Finished `test` profile [unoptimized + debuginfo] target(s) in 0.02s                                                                                                                                                                                                                                                                                                                                                                                                                      
     Running unittests src/lib.rs (target/debug/deps/functional_tests-f17a3fe490e958b4)                                                                                                                                                                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
running 2 tests                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
test tests::set_json_file_insert ... FAILED                                                                                                                                                                                                                                                                                                                                                                                                                                                   
test tests::set_json_file_insert_with_value_file ... FAILED                                                                                                                                                                                                                                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
failures:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
---- tests::set_json_file_insert stdout ----                                                                                                                                                                                                                                                                                                                                                                                                                                                  
stdout: , stderr: Error unmarshalling input json: invalid character '}' after top-level value                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
thread 'tests::set_json_file_insert' panicked at src/lib.rs:476:9:                                                                                                                                                                                                                                                                                                                                                                                                                            
sops didn't exit successfully                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace                                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
---- tests::set_json_file_insert_with_value_file stdout ----                                                                                                                                                                                                                                                                                                                                                                                                                                  
stdout: , stderr: Error unmarshalling input json: invalid character '}' after top-level value                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
thread 'tests::set_json_file_insert_with_value_file' panicked at src/lib.rs:522:9:                                                                                                                                                                                                                                                                                                                                                                                                            
sops didn't exit successfully                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
failures:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
    tests::set_json_file_insert                                                                                                                                                                                                                                                                                                                                                                                                                                                               
    tests::set_json_file_insert_with_value_file                                                                                                                                                                                                                                                                                                                                                                                                                                               
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
test result: FAILED. 0 passed; 2 failed; 0 ignored; 0 measured; 36 filtered out; finished in 0.03s                                                                                                                                                                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
error: test failed, to rerun pass `--lib`

@felixfontein
Copy link
Contributor

Using different filenames from the test you modified can help.

@bjornfor
Add "--value-file" option to "sops set [...]"
088d677 
This allows running "sops set [...]" without leaking secrets in process
listings.

To read secrets from stdin, use "/dev/stdin" as the file path.

Fixes getsops#729

Signed-off-by: Bjørn Forsman <bjorn.forsman@gmail.com>
@bjornfor bjornfor force-pushed the set-value-from-file branch from 5fe0683 to 088d677 Compare June 25, 2025 18:20
@bjornfor
Copy link
Author

Using different filenames from the test you modified can help.

Aha, cargo test runs tests in parallel with threads! Thanks! It all makes sense now.

The latest push fixes the tests, by using a unique file name.

@felixfontein felixfontein requested a review from a team June 25, 2025 18:26
felixfontein
felixfontein reviewed Jun 28, 2025
View reviewed changes
cmd/sops/main.go
cli.BoolFlag{
Name: "value-file",
Usage: "treat 'value' as a file to read the actual value from (avoids leaking secrets in process listings)",
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about adding a (mutually exclusive) further option that reads from stdin instead of a file? That would provide a platform independent way of reading from stdin (/dev/stdin doesn't work on Windows).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, but that would take some more time for me to implement and test (noob here). Also, isn't that something that can be added on top of this PR and is not in conflict/wrong direction with this change (iow, not a blocker)?

Another option could be to make the "value" argument optional, and if missing, read from stdin. (On Linux it's trivial to pipe file contents to stdin, I don't know about Windows.)

Thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felixfontein felixfontein felixfontein left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Setting values from stdin directly
2 participants
@bjornfor @felixfontein