Add "sctl read" command. #53
Conversation
sctl read will scan the envelope and attempt to find the NAMED secret. If its found, it will decode, decrypt, and display the secret value. This is to help ease the use-case for reading secrets serialized to state without needing to intercept the values in an intermediary process, similar to the hacky work-around of running `sctl run env` just to view the secrets.
commands/cli.go
Outdated
| var client cloud.KMS | ||
| if keyURI == "" { | ||
| log.Warn("No KeyURI found in envelope. Required usage of flag/env config.") | ||
| err := validateContext(c, "read") |
There was a problem hiding this comment.
validateContext is called both here and at the beginning of the read handler fn (L272) -- is this desired?
There was a problem hiding this comment.
So this gave me an idea for a better pattern that i used in the read function post review-feedback. I swap the context evaluation between default and named, which deviates just a slight bit from how it was being used before.
| @@ -88,8 +92,23 @@ func BuildContextualMenu() []cli.Command { | |||
| plaintext = []byte(base64.StdEncoding.EncodeToString(plaintext)) | |||
| } | |||
|
|
|||
| // Init a KMS client | |||
| client := cloud.NewGCPKMS(c.String("key")) | |||
| // Work with the envelope's provided key or switch to CLI flags/env | |||
There was a problem hiding this comment.
Gah, i should have probably refactored this chunk into another commit and a pr all to itself. The add method was a bit broken post key-uri-in-envelope. I didn't notice it would never attempt to open/read/use-the-key-in-envelope-format - always defaulting to ENV. Which can be problematic when the expectation is to only need to specify --key once in a great while once its in the env it should be favored.
LMK if you'd prefer I back these hunks out into a different PR. if not i'll just sqeak this in as a feature/bugfix release.
There was a problem hiding this comment.
I think it should be fine to include in this PR
commands/cli.go
Outdated
| //:= validateContext(c, "add") | ||
| //if err != nil { | ||
| // return err | ||
| //} |
There was a problem hiding this comment.
can remove this if no longer using
| @@ -88,8 +92,23 @@ func BuildContextualMenu() []cli.Command { | |||
| plaintext = []byte(base64.StdEncoding.EncodeToString(plaintext)) | |||
| } | |||
|
|
|||
| // Init a KMS client | |||
| client := cloud.NewGCPKMS(c.String("key")) | |||
| // Work with the envelope's provided key or switch to CLI flags/env | |||
There was a problem hiding this comment.
I think it should be fine to include in this PR
sctl read will scan the envelope and attempt to find the NAMED secret.
If its found, it will decode, decrypt, and display the secret value.
This is to help ease the use-case for reading secrets serialized to
state without needing to intercept the values in an intermediary
process, similar to the hacky work-around of running
sctl run envjustto view the secrets.
This feature needs test coverage before merge.