feat: Add decrypt and encrypt template functions

docs/REFERENCE.md

@@ -98,6 +98,8 @@ Manage your dotfiles across multiple machines, securely.
   * [`bitwarden` [*arg*...]](#bitwarden-arg)
   * [`bitwardenAttachment` *filename* *itemid*](#bitwardenattachment-filename-itemid)
   * [`bitwardenFields` [*arg*...]](#bitwardenfields-arg)
+  * [`decrypt` *ciphertext*](#decrypt-ciphertext)
+  * [`encrypt` *plaintext*](#encrypt-plaintext)
   * [`gitHubKeys` *user*](#githubkeys-user)
   * [`gopass` *gopass-name*](#gopass-gopass-name)
   * [`gopassRaw` *gopass-name*](#gopassraw-gopass-name)
@@ -1888,6 +1890,24 @@ the same arguments will only invoke `bw get` once.
 
 ---
 
+### `decrypt` *ciphertext*
+
+`decrypt` decrypts *ciphertext* using chezmoi's configured encryption method.
+
+#### `decrypt` examples
+
+```
+{{ joinPath .chezmoi.sourceDir ".ignored-encrypted-file.age" | include | decrypt }}
+```
+
+---
+
+### `encrypt` *plaintext*
+
+`encrypt` encrypts *plaintext* using chezmoi's configured encryption method.
+
+---
+
 ### `gitHubKeys` *user*
 
 `gitHubKeys` returns *user*'s public SSH keys from GitHub using the GitHub API.

internal/cmd/config.go

@@ -388,6 +388,8 @@ func newConfig(options ...configOption) (*Config, error) {
 		"bitwarden":                c.bitwardenTemplateFunc,
 		"bitwardenAttachment":      c.bitwardenAttachmentTemplateFunc,
 		"bitwardenFields":          c.bitwardenFieldsTemplateFunc,
+		"decrypt":                  c.decryptTemplateFunc,
+		"encrypt":                  c.encryptTemplateFunc,
 		"gitHubKeys":               c.gitHubKeysTemplateFunc,
 		"gopass":                   c.gopassTemplateFunc,
 		"gopassRaw":                c.gopassRawTemplateFunc,

internal/cmd/encryptiontemplatefuncs.go

@@ -0,0 +1,19 @@
+package cmd
+
+func (c *Config) decryptTemplateFunc(ciphertext string) string {
+	plaintextBytes, err := c.encryption.Decrypt([]byte(ciphertext))
+	if err != nil {
+		returnTemplateError(err)
+		return ""
+	}
+	return string(plaintextBytes)
+}
+
+func (c *Config) encryptTemplateFunc(plaintext string) string {
+	ciphertextBytes, err := c.encryption.Encrypt([]byte(plaintext))
+	if err != nil {
+		returnTemplateError(err)
+		return ""
+	}
+	return string(ciphertextBytes)
+}

internal/cmd/testdata/scripts/config.txt

@@ -20,7 +20,7 @@ stdout 'sourceDir: .*/config/source'
 chezmoi data --config=$CHEZMOICONFIGDIR/chezmoi.yaml --format=yaml
 stdout 'sourceDir: .*/config2/source'
 
-[windows] skip 'remaining tests require /dev/stdin'
+[windows] stop 'remaining tests require /dev/stdin'
 
 # test that chezmoi can read the config from stdin
 stdin home2/user/.config/chezmoi/chezmoi.yaml

internal/cmd/testdata/scripts/encryptiontemplatefuncs.txt

@@ -0,0 +1,21 @@
+[!exec:age] skip 'age not found in $PATH'
+
+mkageconfig
+
+# test encrypt template function
+chezmoi execute-template '{{ "plaintext" | encrypt }}'
+stdout '-----BEGIN AGE ENCRYPTED FILE-----'
+
+# test encrypt and decrypt template function round trip
+chezmoi execute-template '{{ "plaintext\n" | encrypt | decrypt }}'
+cmp stdout golden/plaintext
+
+[windows] stop 'remaining tests rely on UNIX path handling' # FIXME
+
+# test decrypt template function
+chezmoi encrypt --output=$HOME${/}ciphertext.age golden/plaintext
+chezmoi execute-template '{{ joinPath (env "HOME") "ciphertext.age" | include | decrypt }}'
+cmp stdout golden/plaintext
+
+-- golden/plaintext --
+plaintext

internal/cmd/testdata/scripts/externalguess.txt

@@ -20,8 +20,7 @@ cp www/archive.tar.gz www/archive
 chezmoi apply --force --refresh-externals
 cmp $HOME/.dir/dir/file golden/dir/file
 
-# remaining tests require zip
-[!exec:zip] skip 'zip not found in $PATH'
+[!exec:zip] stop 'zip not found in $PATH'
 
 # test that chezmoi sniffs the format of zip files
 exec zip -r www/archive.zip archive