Detect inline keys config #22
Hi, thanks for the contribution! I have a full weekend but I will have a closer look at the beginning of next week. But something from the top of my head: Have you tested this? Because from memory the issue is not that you can't decrypt the file, but that the plugin doesn't know how to encrypt it again since all this information is lost during decryption. I have two ideas spinning in my head:
Yes, this is maintained via the plugin marketplace.
Hi there, thanks for your feedback! You are correct, I didn't try the edit functionality, only the decryption.
I found a way to do the replace using the inline metadata. Admittedly a little hacky but it works nicely:
The reason this is nice is that I don't need to handle all the possible key schemes that sops manages; we let sops use the normal edit flow. We simply replace the editor with a script that replaces the content. This way, sops takes care of the decryption/encryption using either the yaml config or the inline metadata. Note that it only works for macOS/Linux so far, as I'm writing a temp bash script, but it is easily extendable to Windows. Curious to see what you think 😄
The original version of this plugin was using IntelliJ as the sops editor, which was working fine for IntelliJ on macOS but neither with a different OS nor with a different JetBrains product 😄 This solution does not care about which JetBrains product you use and only has the operating system to consider. I will have a good think about what implications this may have 🤔
Interesting to hear about the history of the plugin 😄 The only OS-dependent bit here is to have an EDITOR script that simply copies a file. I haven't been versed in Windows stuff for a long time now, but the current solution should work for macOS/Linux. In any case, let me know if I can help.
After attacking the other PR today I could not let go, and after hours of pain and misery I got it working under Windows 🥳 Not sure if this is its final form because I can no longer think straight. Will have another look tomorrow if I can make sense of what I wrote today.
Fantastic! I can't test the Windows part, but it looks like you got it nicely covered. I tested with your change, and my only nit is that the original file doesn't always refresh after re-encrypting. Let me know if that's ok.
It always worked for me asynchronously, but I have no strong feelings either way. I'll probably adjust the exception handling a bit when I get the time; I'll release the other PR first.
TODOs:
I for myself thought about fixing the problem of #11 with the
I hope my thoughts are not too overwhelming, and I do not want to say that anyone here does a bad job, I am just sharing my two cents. It is up to you if any of those points get into this PR, end up in a separate issue or are thrown into the garbage. Thank all of you for your work and have a nice day,
Quick answers:
That's what we are already doing :)
Exactly. Currently we write the in memory file into a temp file.
Thanks for your insight! That's exactly why I commented in all the old issues, so that more people take a look and we end up with something worthwhile.
FYI: getsops/sops#696
…o sops instead of temp file
I took another crack at it and got it working on macOS and Windows with environment variables instead of temp files, what do you think @ProbstDJakob and @pierre-borckmans? |
It looks nice, I guess the only caveat would be the size limit on env vars on windows/linux. A quick google search seems to indicate:
Besides having a content limit, there are other problems with this solution:
For a more detailed explanation see also https://stackoverflow.com/a/55804985. A solution to those problems would be to use the stdin as proposed earlier. The following pseudo code demonstrates the process:

```java
String identifier = "simple-sops-edit-ready-" + Random.hash();
// It is up to you to find an equivalent for Windows ^^
String script = String.join("\n",
    "#!/usr/bin/env sh",
    "set -eu",
    "printf '%s\\n' " + identifier, // will tell us that the script is ready; since the identifier does not contain any special characters, we do not need to escape the string (neither within Java, nor in the script)
    "cat - >\"$1\""
);
try (Script scriptFile = writeTempScript(script)) { // The Script class implements Closeable, which will delete the file on close - see the try-with-resources statement if the syntax is unknown
    Command sopsCommand = Command.prepareCommand("sops", /* some args */);
    sopsCommand.setEnvVar("EDITOR", scriptFile.path);
    Process sopsProcess = sopsCommand.run();
    for (String line : sopsProcess.stdout.stream()) { // a live stream of the stdout, line by line, without trailing newlines
        if (line.equals(identifier)) {
            sopsProcess.stdin.write(unencryptedFileContent);
            return;
        }
    }
    Logger.warning("Something went wrong and the content has not been written.");
}
```

It is a very long time since I last wrote something in Java, thus the code might look weird, but I think you will get what I am trying to "say". Also there may be some other flaws with this solution, therefore it should also be discussed.
@ProbstDJakob got it working on Windows and macOS with stdin! Needs some clean up and refactoring still, but I'm gonna make use of the nice weather for once. Maybe I'll have time to finish it this evening.
There is still work to be done (and a lot of testing), but it is working!
The current version looks fine to me. Only two questions. Have you tried it on Linux/macOS? BTW: In your first version 5bb400d you had the following:

```java
final String startIdentifier = "simple-sops-edit-ready" + RandomStringUtils.randomAlphanumeric(32);
// ...
"printf '%s'".formatted(startIdentifier),
// ...
```

This could randomly fail to work in cases where the

```java
import org.apache.commons.text.StringEscapeUtils;
// ...
"printf \"%s\n\"".formatted(StringEscapeUtils.escapeXSI(startIdentifier)), // note the double quotes around the printf argument, single quotes would cause other problems
// ...
```

Or even better by passing the string as an argument to

```java
import org.apache.commons.text.StringEscapeUtils;
// ...
"printf '%s\n' " + StringEscapeUtils.escapeXSI(startIdentifier),
// ...
```

Downside of this approach is the use of apache commons-text. This library drops the newline (source code - at least that is what the code looks like, I have not tried it) instead of properly escaping it. So it may be reasonable to look for an alternative library, because this would also cause random breaks, but I just want to give an example. The current version does not suffer from those problems, since there are no unknown characters and the string does not contain any sequences which could cause problems.
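An added, runnable sketch of the stdin handshake from the pseudocode above (editor script announces a marker on stdout, the caller then pipes the plaintext in, `cat -` writes it to the decrypted temp file). This is example code, not the plugin's; `fake_sops` is a constructed stand-in for `sops <file>` that only hands the file to `$EDITOR`, and the marker is hex-only so it needs no shell escaping, which is the point raised in the follow-up about `escapeXSI`.

```python
import os, secrets, stat, subprocess, tempfile

def build_editor_script(marker: str) -> str:
    """Shell script that sops runs as $EDITOR; marker is hex only, so no quoting needed."""
    return "\n".join([
        "#!/usr/bin/env sh",
        "set -eu",
        f"printf '%s\\n' {marker}",  # handshake: announce readiness on stdout
        'cat - >"$1"',               # overwrite the decrypted temp file from stdin
        "",
    ])

def edit_via_stdin(sops_cmd: list, plaintext: str) -> bool:
    """Run sops_cmd with our script as EDITOR; pipe plaintext once the marker shows up."""
    marker = "simple-sops-edit-ready-" + secrets.token_hex(16)  # alphanumeric only
    with tempfile.TemporaryDirectory() as tmpdir:
        script = os.path.join(tmpdir, "editor.sh")
        with open(script, "w") as fh:
            fh.write(build_editor_script(marker))
        os.chmod(script, stat.S_IRWXU)  # owner-only, executable
        proc = subprocess.Popen(sops_cmd, env={**os.environ, "EDITOR": script},
                                stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        delivered = False
        for line in proc.stdout:             # live, line by line
            if line.rstrip("\n") == marker:
                proc.stdin.write(plaintext)  # plaintext goes over the pipe, not via our temp file
                delivered = True
                break
        proc.stdin.close()                   # EOF lets `cat -` finish
        proc.stdout.close()
        return proc.wait() == 0 and delivered

def fake_sops(target: str) -> list:
    """Constructed stand-in for `sops <file>`: hands the file to $EDITOR, which inherits stdin."""
    return ["sh", "-c", '"$EDITOR" "$0"', target]

def demo() -> str:
    """Round trip against the stand-in; returns the file content after the 'edit'."""
    with tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False) as tmp:
        tmp.write("old: value\n")  # constructed decrypted content
    try:
        if not edit_via_stdin(fake_sops(tmp.name), "secret: new-value\n"):
            raise RuntimeError("handshake failed")
        with open(tmp.name) as fh:
            return fh.read()
    finally:
        os.unlink(tmp.name)
```

If the marker never appears (sops failed before launching the editor), the loop reaches EOF, stdin is closed and the function returns False instead of hanging.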
Worked on Windows and macOS, have not yet tested on Linux.
Works on macOS, have not tested Linux. They use a different path separator though, so it should be fine? I'm unhappy with the current solution as well, since there could be an edge case. I'll check if I can find a more universal solution.
It should only contain alphanumerics though?
…ecation warning; fix version range in build.gradle.kts
Released as a pre-release on GitHub and as a beta via the JetBrains Marketplace. I'll ask friends and colleagues to test, but same as before: your input is highly appreciated. Please let me know if the README.md makes any sense to you. PS: You can add
Maybe something like:

```java
String editorPath = scriptFiles.script().toAbsolutePath().toString();
if (SystemUtils.IS_OS_WINDOWS) {
    // escape twice for Windows because of ENV variable parsing
    editorPath = editorPath.replace("\\", "\\\\");
}
// escape whitespace
editorPath = editorPath.replace(" ", "\\ ");
```
Reading correctly seems to be very hard ^^
It makes sense, though I might not be the right person to check if the grammar and syntax are correct (I am a non-native speaker). But there is a typo in line 24 stating "sops will use the file ending of the existing file to figure our the file type", which should be "out". Furthermore I do not think the Last thing to note, but that has not much to do with the README itself, is that the Replace option may be better named with something like Encrypt with sops (unless I misunderstood the feature - I have not tested it yet).
I will look into it, but maybe not before next week. |
I've just tried it too (also on macOS), works like a charm and solves the problem from #11. Thank you both very much!
Just wanted to give a quick update. I've been using the 2.0.0 beta for a while on a daily basis and it works like a charm for my needs. |
I'm currently swamped, I'll finalize the release as soon as I find the time.
GitHub release is no longer a pre-release and I published to the JetBrains Marketplace (approval pending) 🥳
Currently, the plugin only considers sops files if a `.sops.yaml` is found in one of the parent directories. However, sops also works with standalone files inlining their keys config, like:
This PR adds detection for both scenarios: