From aa6335246bff7d56d3f5e8657f42cf92261a1ec2 Mon Sep 17 00:00:00 2001
From: Solomon Hykes
Date: Wed, 23 Jun 2021 10:46:56 +0000
Subject: [PATCH] os.#Container: mount secrets with a more consistent API
Signed-off-by: Solomon Hykes
---
stdlib/.dagger/env/os-container/.gitignore | 2 ++
stdlib/.dagger/env/os-container/plan/main.cue | 27 ++++++++++++++++++
stdlib/.dagger/env/os-container/values.yaml | 28 +++++++++++++++++++
stdlib/netlify/netlify.cue | 4 +--
stdlib/os/container.cue | 9 ++++--
stdlib/universe.bats | 4 +++
6 files changed, 69 insertions(+), 5 deletions(-)
create mode 100644 stdlib/.dagger/env/os-container/.gitignore
create mode 100644 stdlib/.dagger/env/os-container/plan/main.cue
create mode 100644 stdlib/.dagger/env/os-container/values.yaml
diff --git a/stdlib/.dagger/env/os-container/.gitignore b/stdlib/.dagger/env/os-container/.gitignore
new file mode 100644
index 00000000000..01ec19b0920
--- /dev/null
+++ b/stdlib/.dagger/env/os-container/.gitignore
@@ -0,0 +1,2 @@
+# dagger state
+state/**
diff --git a/stdlib/.dagger/env/os-container/plan/main.cue b/stdlib/.dagger/env/os-container/plan/main.cue
new file mode 100644
index 00000000000..5b6ebafe2d5
--- /dev/null
+++ b/stdlib/.dagger/env/os-container/plan/main.cue
@@ -0,0 +1,27 @@
+package main
+
+import (
+ "dagger.io/dagger"
+ "dagger.io/os"
+)
+
+// Test secret mount
+SimpleSecret: {
+ // 'encrypted' and 'cleartext' must be set from identical values
+ encrypted: dagger.#Secret @dagger(input)
+ cleartext: string @dagger(input)
+
+ ctr: os.#Container & {
+ secret: "/secret-in": encrypted
+ command: "cat /secret-in > /secret-out"
+ }
+
+ // Decrypted secret
+ decrypted: (os.#File & {
+ from: ctr
+ path: "/secret-out"
+ }).contents @dagger(output)
+
+ // Assertion: decrypted value must match original cleartext
+ decrypted: cleartext
+}
diff --git a/stdlib/.dagger/env/os-container/values.yaml b/stdlib/.dagger/env/os-container/values.yaml
new file mode 100644
index 00000000000..d76f18a47e4
--- /dev/null
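Review bot: The fixture deliberately defeats the property the new `secret:` field advertises, at `command: "cat /secret-in > /secret-out"` followed by `decrypted: (os.#File & {...}).contents @dagger(output)`: the cleartext is copied into the container rootfs, so it persists in the `ctr` artifact, and is then exported as a plan output. That is acceptable for a fixture whose value is `hello, world!`, but it is the exact pattern the "non-persistent" comment in container.cue warns against, so it should be marked, e.g. `// Test only: deliberately persists the cleartext so it can be read back; never copy a secret out of its mount in a real plan`. The test also does not check that `/secret-in` is absent from the resulting artifact, which is the guarantee the mount is supposed to give; a second `os.#File & {from: ctr, path: "/secret-in"}` expected to fail would cover it, if the harness can express a negative assertion (not visible here).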
+++ b/stdlib/.dagger/env/os-container/values.yaml
@@ -0,0 +1,28 @@
+plan:
+ module: .dagger/env/os-container/plan
+name: os-container
+inputs:
+ SimpleSecret.cleartext:
+ text: hello, world!
+ SimpleSecret.encrypted:
+ secret: ENC[AES256_GCM,data:Ps0VwEr1g2VJAkuyvA==,iv:LWWhr6wjWhpiv46VIehkVK0p8gwd8S1atmiFYqWcdLI=,tag:lridOOyvkUlSa6n+e6rMPw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SU9NUTRWWTBvZzRWZkNT
+ Tk5TWFBFcHBWMldNSXA4KzU3TlVwTU9pdEZJCkFXNWpMMmZOZGs3WTYxZ3hDZVpv
+ L3lYNVh3Ti9UQXZzaTNWRU9IdGh4UncKLS0tIDFxbE1ZTmlUNElWWmRIN2hSRjk4
+ azJIU2lIVlF4N1VxT2tVWDBPU2RsOEkKqkfxeT/mnnDxdvv/vhXMj2Zl8ogaAHa6
+ xbBUOaCZ8stwj4Zz4/iKdrPspQQKo7/QuxxAcFUfyuK3fULqJHPXPQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2021-06-23T10:38:38Z"
+ mac: ENC[AES256_GCM,data:tI4WNOV4Ck6mLS0inz8SpVWhReofeB1WHExTwhusFYuEFWfKqvJ5Hau1ErLhPla0JURNf2taUgRAcZC4m6ex7CjGhj5/qjtMndWrz6Vf2/6CZkFPiFUd2a19kRoiEU6Mh/3NFUPIJK04lVMvW76glxxxCkqq7bnTovPXOkumdu4=,iv:ov7MKd/4FegjBUTv2hGb1D6VjhuKK3npHXhWUFZVmns=,tag:KvESE0C2xPmuRlQ05OKO5g==,type:str]
+ pgp: []
+ encrypted_suffix: secret
+ version: 3.7.1
diff --git a/stdlib/netlify/netlify.cue b/stdlib/netlify/netlify.cue
index ea2a0f9b8a4..d1c3d293f85
--- a/stdlib/netlify/netlify.cue
+++ b/stdlib/netlify/netlify.cue
@@ -84,7 +84,7 @@ import (
 NETLIFY_ACCOUNT: account.name
 }
 dir: "/src"
- mount: "/src": from: contents
- mount: "/run/secrets/token": secret: account.token
+ mount: "/src": from: contents
+ secret: "/run/secrets/token": account.token
 }
 }
diff --git a/stdlib/os/container.cue b/stdlib/os/container.cue
index 2f06aff04d7..8e8e1e8cc40
--- a/stdlib/os/container.cue
+++ b/stdlib/os/container.cue
@@ -48,14 +48,14 @@ import ( // Mount contents from other artifacts. // Mount is active when executing `command`, but not `setup`. - mount: [string]: { from: dagger.#Artifact // FIXME: support source path - } | { - secret: dagger.#Secret } + // Safely mount secrets (in cleartext) as non-persistent files + secret: [string]: dagger.#Secret + // Mount persistent cache directories cache: [string]: true
@@ -113,6 +113,9 @@ import (
 "\(dest)": o
 // FIXME: support source path
 }
+ for dest, s in secret {
+ "\(dest)": secret: s
+ }
 for dest, _ in cache {
 "\(dest)": "cache"
 }
diff --git a/stdlib/universe.bats b/stdlib/universe.bats
index 577cb4ef27e..55be3aa8fa9
--- a/stdlib/universe.bats
+++ b/stdlib/universe.bats
@@ -29,6 +29,10 @@ setup() {
 dagger -e git up
 }
+@test "os.#Container" {
+ dagger -e os-container up
+}
+
 @test "aws: ecr" {
 dagger -e aws-ecr up
 }
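Review bot: Dropping the `| { secret: dagger.#Secret }` disjunct from `mount` is a breaking schema change with no transition: any plan still written as `mount: "/path": secret: x` now fails to unify against `#Container` with a generic CUE conflict instead of a message pointing at the new `secret:` field, and only netlify.cue is migrated in this commit, so other stdlib packages and user plans (not visible here) need a grep for `secret:` under `mount:`. The new doc comment also undersells what "non-persistent" depends on; I would expand it to `// Safely mount secrets (in cleartext) as non-persistent files. Like mount, active only while command runs, not during setup; copying the file anywhere else in the container puts the cleartext into the resulting artifact and cache.` — the "like mount" part is inferred from the secret comprehension being added beside the mount one in the later hunk, so confirm it against the exec op. The enclosing `#Container` definition starts and ends outside this hunk.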
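Review bot: The new `for dest, s in secret { "\(dest)": secret: s }` comprehension writes into the same map as the `mount` and `cache` comprehensions, so a destination used in two of them produces two fields with the same `"\(dest)"` key; CUE unifies those, which for `secret` against `cache` is a string-versus-struct conflict that never names the offending path, and for `secret` against `mount` either merges into one entry or errors depending on whether the op schema (outside this hunk) is closed. Neither outcome tells the user they mounted a secret over an artifact or cache. At minimum add `// NOTE: a dest present in more than one of mount/secret/cache collides here; CUE unifies the entries rather than rejecting the overlap` above the comprehension, and consider a guard that asserts the key sets are disjoint if the surrounding definition allows it. The enclosing op struct starts and ends outside this hunk.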