add filestatus command #545
cmd/sops/main.go
Outdated
return common.NewExitError("File is encrypted", codes.FileAlreadyEncrypted) | ||
} | ||
|
||
fmt.Println("File is unencrypted") |
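Review bot: The two states are reported through different channels in these lines: "File is encrypted" is returned as an exit error with codes.FileAlreadyEncrypted, while "File is unencrypted" is written to stdout with fmt.Println. A script calling the command has to check the exit code for one state and read stdout for the other; consider reporting both states the same way and keeping non-zero exit codes for real failures such as an unreadable file.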
Is fmt the proper way to output such an informative message?
Looks fine to me. I'm not sure whether we should use a machine-parseable and extensible format (probably JSON), though. It would let us put more status information there in the future, e.g. whether the MAC is okay.
Would something like {"encrypted": true|false} be ok?
Looks good to me.
Looks pretty good :) just a few comments.
cmd/sops/main.go
Outdated
return common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile) | ||
} | ||
if err := ensureNoMetadata(opts, branches[0]); err != nil { | ||
return common.NewExitError("File is encrypted", codes.FileAlreadyEncrypted) |
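Review bot: In the ensureNoMetadata(opts, branches[0]) branch the returned err is discarded and every failure is reported as "File is encrypted", so any other reason that call might fail would be indistinguishable from an encrypted file. branches[0] is also indexed with no length check in the lines shown; unless that is checked earlier, guard against len(branches) == 0 before this call so an empty input returns an error instead of panicking.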
Hmmm, I'm wondering whether we should return an error when the file is not encrypted, or the other way around. What was your reasoning for choosing this over the alternative?
Mainly because there was an error code for "file is already encrypted" and not the other way round. So I would expect users to be already used to such an error.
IMO none is an error, and using JSON output like you requested in a comment above everything makes more sense and this error can probably be removed.
Yeah, I agree. Let's make none of them be an error for now.
Codecov Report
@@ Coverage Diff @@
## develop #545 +/- ##
========================================
Coverage 36.46% 36.46%
========================================
Files 20 20
Lines 2863 2863
========================================
Hits 1044 1044
Misses 1725 1725
Partials 94 94
|
// OutputStore sops.Store | ||
InputPath string | ||
// KeyServices []keyservice.KeyServiceClient | ||
// KeyGroups []sops.KeyGroup | ||
// GroupThreshold int |
Remove the commented lines since they're not used
Removed in commit 80686ab
|
||
// Status rapresent file status | ||
type Status struct { | ||
Encrypted bool |
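Review bot: The doc comment on Status has a typo ("rapresent" should be "represents"), and the Encrypted field carries no comment or struct tag in the lines shown. If this struct is what gets serialized for the JSON output discussed above, add a json:"encrypted" tag so the emitted key matches the proposed {"encrypted": true|false} shape rather than the Go field name.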
// Encrypted represents whether the file provided is encrypted by SOPS
Resolved in 80686ab
func checkMetadata(branch sops.TreeBranch) bool { | ||
for _, b := range branch { | ||
if b.Key == "sops" { | ||
return true |
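Review bot: The b.Key == "sops" comparison in checkMetadata accepts any document that has a top-level key named sops, whatever its value, so a plaintext file that happens to use that key name is reported as encrypted. The function also has no doc comment saying what a true result means; consider requiring that the value under sops holds a non-empty mac and at least one key entry, and document the return value.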
Isn't that a bit weak as a test? I'd suggest at least verifying that a mac is set and one key exists under the various sections.
It's indeed a bit weak. It's what we do elsewhere as an easy test to check whether the file is encrypted, but maybe as you say we should have a stricter test here.
May I propose to go with this version for consistency, and work on a more complex test (that we can discuss more) on a separate one? I'm willing to work on that.
We could also extend a bit the scope and extract the check so both places can use the same code.
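The stricter check discussed in this thread, as an added example that is not part of the PR or of the sops code base: it puts the top-level sops key test next to one that also requires a non-empty mac and at least one key entry, and reports the result in the {"encrypted": true|false} shape proposed above. It handles JSON input only; the function names are hypothetical, and the metadata section names are taken from the sops file format as an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Status mirrors the {"encrypted": true|false} shape proposed in the thread.
type Status struct {
	Encrypted bool `json:"encrypted"`
}

// keySections lists metadata sections that hold master keys (assumed names).
var keySections = []string{"kms", "gcp_kms", "azure_kv", "hc_vault", "pgp", "age", "key_groups"}

// weakCheck reproduces the original test: any top-level "sops" key counts.
func weakCheck(doc map[string]interface{}) bool {
	_, ok := doc["sops"]
	return ok
}

// strictCheck also requires a non-empty mac and at least one key entry.
func strictCheck(doc map[string]interface{}) bool {
	// A failed assertion leaves meta nil; reading from a nil map is safe.
	meta, _ := doc["sops"].(map[string]interface{})
	if mac, _ := meta["mac"].(string); mac == "" {
		return false
	}
	for _, name := range keySections {
		if entries, _ := meta[name].([]interface{}); len(entries) > 0 {
			return true
		}
	}
	return false
}

// FileStatus parses a JSON document and reports its status as JSON.
func FileStatus(raw []byte) (string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", fmt.Errorf("error unmarshalling file: %w", err)
	}
	out, err := json.Marshal(Status{Encrypted: strictCheck(doc)})
	return string(out), err
}

func main() {
	// Constructed input: plaintext that merely has a top-level "sops" key.
	fmt.Println(FileStatus([]byte(`{"sops": "enabled", "db": "x"}`)))
}
```

Even the stricter check only inspects structure: a file with made-up mac and key values still passes, because nothing is decrypted or verified.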
0fba7e1 to 80686ab
Any update on that? It would be a really nice feature
any update? would be really nice to have this command
No updates. The review comments haven't been addressed in this PR, plus there's merge conflicts. We'd be happy to review a PR that builds on this one and handles the review comments.
@autrilla May you let me know your opinion on #545 (comment)? I was waiting on a reply there, other concerns should have been addressed as requested.
It wouldn't take a lot of work to have a slightly better check by doing what jvehent suggests, e.g. ensuring there's a
3568c88 to ff0888f
Codecov Report
@@ Coverage Diff @@
## develop #545 +/- ##
========================================
Coverage 36.44% 36.44%
========================================
Files 22 22
Lines 3205 3205
========================================
Hits 1168 1168
Misses 1918 1918
Partials 119 119
@autrilla I resolved conflicts and rebased onto latest I started working on how to improve the check and I found out that using an implementation of
Trying to load the file sounds good to me.
@autrilla any status here, or are you waiting on the author to rebase this PR again? It seems like he addressed the issues before but now there's conflicts again. What's the hold up?
Bump ❤️
Not all the issues are addressed. In particular, I asked for a better test that the file is encrypted. It's also missing documentation and tests, and as you mention, there's conflicts.
ff0888f to d89029a
Hello, I have redone the implementation.
I rebased onto master, so I'm not sure why it's still complaining about the conflict. @autrilla is this implementation ok? I also added some tests for it. The Thanks and sorry for the long wait!
How is the progress in this PR? Do you need any help?
Hi @ajvb @autrilla @jvehent, I see that roughly a year ago the milestone for this issue was changed to v3.8.0. Would that suggest that this PR is "complete" meaning that when v3.8.0 is released, this will be included, or are there still things that need to be addressed for the maintainers to be happy to merge this? If the answer is no, can we get an indication of what is needed, I'd be more than happy to help out. Subsequently, is there a rough estimate on when v3.8.0 is expected to land? Thanks,
@endorama would you mind rebasing another time and signing off your commits? Would be great if we could finally get this merged :)
Can't wait to use it!
e681ee7 to 0f71653
Signed-off-by: Edoardo Tenani <[email protected]>
Signed-off-by: Edoardo Tenani <[email protected]>
0f71653 to 59e2ece
Hello everybody and sorry for the long wait! I'd love to see this finally being merged and I have some time to dedicate to it. Rebasing the old work was quite complex, so given the overall addition in this PR was small I re-implemented it on top of the latest (The second force push is due to the DCO, which I didn't sign the first time) Waiting on the review ❤
I did some extensive tests, and it looks good! The method of detecting encrypted files is pretty good; obviously you can fake it with fake values, like the following YAML file:
(and similar variants for other storages), but I think that's acceptable, and it also seems to agree to what all reviewers so far asked for. If nobody objects (especially from @getsops/maintainers side), I propose to merge this soon!
LGTM
@endorama thanks a lot for contributing this! Also thanks a lot to everyone who reviewed this and commented on this over all these years! I'm glad this finally made it :)
Closes #460
Add filestatus command, reporting if the file is in encrypted or unencrypted state.
I reused ensureNoMetadata logic, thus the command would return 0 when the file is not encrypted and 203 when the file is encrypted (respecting the codes.FileAlreadyEncrypted error code).
It does not output the error message as returned by ensureNoMetadata, preferring a simpler output: "File is encrypted" or "File is unencrypted".
As I'm not so fond on sops internals, I'm sure there are multiple things to review, I'll gladly update the code to reflect any suggestion.