
reformat with gofumpt

This commit is contained in:
Jörg Thalheim 2023-11-03 14:31:26 +01:00 committed by Jörg Thalheim
parent cc2cfe5630
commit c59da7ac29
6 changed files with 42 additions and 46 deletions


@ -71,5 +71,4 @@ func TestShellHook(t *testing.T) {
if !strings.Contains(stderr, expectedStderr) { if !strings.Contains(stderr, expectedStderr) {
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout) t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
} }
} }


@ -54,7 +54,7 @@ func SecureSymlinkChown(symlinkToCheck string, expectedTarget string, owner, gro
// newfs_hfs $mydev // newfs_hfs $mydev
// mount -t hfs $mydev /tmp/mymount // mount -t hfs $mydev /tmp/mymount
func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool) error { func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool) error {
if err := os.MkdirAll(mountpoint, 0751); err != nil { if err := os.MkdirAll(mountpoint, 0o751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err) return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
} }
if _, err := os.Stat(mountpoint + "/sops-nix-secretfs"); !errors.Is(err, os.ErrNotExist) { if _, err := os.Stat(mountpoint + "/sops-nix-secretfs"); !errors.Is(err, os.ErrNotExist) {
@ -90,7 +90,7 @@ func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool
// There is no documented way to check for memfs mountpoint. Thus we place a file. // There is no documented way to check for memfs mountpoint. Thus we place a file.
_, err = os.Create(mountpoint + "/sops-nix-secretfs") _, err = os.Create(mountpoint + "/sops-nix-secretfs")
// This would be the way to check on unix. // This would be the way to check on unix.
//buf := unix.Statfs_t{} //buf := unix.Statfs_t{}
//if err := unix.Statfs(mountpoint, &buf); err != nil { //if err := unix.Statfs(mountpoint, &buf); err != nil {
// return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err) // return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
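Review bot: The handle returned on the marker line `_, err = os.Create(mountpoint + "/sops-nix-secretfs")` is discarded, so the descriptor stays open for the rest of the process; only the error is kept. Capture and close it once the error has been checked, e.g. `f, err := os.Create(mountpoint + "/sops-nix-secretfs")` followed by `if err == nil { f.Close() }` (use `=` with a predeclared `f` if `err` is declared in an outer scope, since the line currently assigns with `=`). MountSecretFs continues outside the hunk, so the later handling of `err` is not visible here.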


@ -4,18 +4,18 @@
package main package main
import ( import (
"fmt" "fmt"
"os" "os"
"golang.org/x/sys/unix" "golang.org/x/sys/unix"
) )
func RuntimeDir() (string, error) { func RuntimeDir() (string, error) {
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR") rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
if !ok { if !ok {
return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!") return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
} }
return rundir, nil return rundir, nil
} }
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error { func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
@ -51,11 +51,11 @@ func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int)
} }
func MountSecretFs(mountpoint string, keysGid int, useTmpfs bool, userMode bool) error { func MountSecretFs(mountpoint string, keysGid int, useTmpfs bool, userMode bool) error {
if err := os.MkdirAll(mountpoint, 0751); err != nil { if err := os.MkdirAll(mountpoint, 0o751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err) return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
} }
// We can't create a ramfs as user // We can't create a ramfs as user
if userMode { if userMode {
return nil return nil
} }
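Review bot: In RuntimeDir (the first hunk of this section) `return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!")` formats a constant with no verbs and ends the error string with punctuation, both against Go convention; `return "", errors.New("$XDG_RUNTIME_DIR is not set")` reads as intended. That needs `"errors"` added to the import block shown in the same hunk, which currently lists only `fmt`, `os` and `golang.org/x/sys/unix`. The second hunk only touches the octal literal and the userMode early return, and MountSecretFs continues outside it.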


@ -18,9 +18,9 @@ import (
"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/sshkeys" "github.com/Mic92/sops-nix/pkgs/sops-install-secrets/sshkeys"
agessh "github.com/Mic92/ssh-to-age" agessh "github.com/Mic92/ssh-to-age"
"github.com/joho/godotenv"
"github.com/mozilla-services/yaml" "github.com/mozilla-services/yaml"
"go.mozilla.org/sops/v3/decrypt" "go.mozilla.org/sops/v3/decrypt"
"github.com/joho/godotenv"
) )
type secret struct { type secret struct {
@ -79,10 +79,10 @@ const (
func IsValidFormat(format string) bool { func IsValidFormat(format string) bool {
switch format { switch format {
case string(Yaml), case string(Yaml),
string(Json), string(Json),
string(Binary), string(Binary),
string(Dotenv), string(Dotenv),
string(Ini): string(Ini):
return true return true
default: default:
return false return false
@ -94,7 +94,7 @@ func (f *FormatType) UnmarshalJSON(b []byte) error {
if err := json.Unmarshal(b, &s); err != nil { if err := json.Unmarshal(b, &s); err != nil {
return err return err
} }
var t = FormatType(s) t := FormatType(s)
switch t { switch t {
case "": case "":
*f = Yaml *f = Yaml
@ -304,8 +304,10 @@ func decryptSecrets(secrets []secret) error {
return nil return nil
} }
const RAMFS_MAGIC int32 = -2054924042 const (
const TMPFS_MAGIC int32 = 16914836 RAMFS_MAGIC int32 = -2054924042
TMPFS_MAGIC int32 = 16914836
)
func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) { func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) {
var generation uint64 var generation uint64
@ -328,7 +330,7 @@ func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, us
return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err) return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err)
} }
} }
if err := os.Mkdir(dir, os.FileMode(0751)); err != nil { if err := os.Mkdir(dir, os.FileMode(0o751)); err != nil {
return nil, fmt.Errorf("mkdir(): %w", err) return nil, fmt.Errorf("mkdir(): %w", err)
} }
if !userMode { if !userMode {
@ -347,7 +349,7 @@ func writeSecrets(secretDir string, secrets []secret, keysGid int, userMode bool
pathSoFar := secretDir pathSoFar := secretDir
for _, dir := range dirs { for _, dir := range dirs {
pathSoFar = filepath.Join(pathSoFar, dir) pathSoFar = filepath.Join(pathSoFar, dir)
if err := os.MkdirAll(pathSoFar, 0751); err != nil { if err := os.MkdirAll(pathSoFar, 0o751); err != nil {
return fmt.Errorf("Cannot create directory '%s' for %s: %w", pathSoFar, fp, err) return fmt.Errorf("Cannot create directory '%s' for %s: %w", pathSoFar, fp, err)
} }
if !userMode { if !userMode {
@ -382,15 +384,15 @@ func lookupGroup(groupname string) (int, error) {
} }
func lookupKeysGroup() (int, error) { func lookupKeysGroup() (int, error) {
gid, err1 := lookupGroup("keys") gid, err1 := lookupGroup("keys")
if err1 == nil { if err1 == nil {
return gid, nil return gid, nil
} }
gid, err2 := lookupGroup("nogroup") gid, err2 := lookupGroup("nogroup")
if err2 == nil { if err2 == nil {
return gid, nil return gid, nil
} }
return 0, fmt.Errorf("Can't find group 'keys' nor 'nogroup' (%w).", err2) return 0, fmt.Errorf("Can't find group 'keys' nor 'nogroup' (%w).", err2)
} }
func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) { func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
@ -435,7 +437,6 @@ func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
keys: keys, keys: keys,
firstSecret: s, firstSecret: s,
}, nil }, nil
} }
func (app *appContext) validateSopsFile(s *secret, file *secretFile) error { func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
@ -444,7 +445,7 @@ func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
s.Name, s.SopsFile, s.Format, s.Name, s.SopsFile, s.Format,
file.firstSecret.Format, file.firstSecret.Name) file.firstSecret.Format, file.firstSecret.Name)
} }
if app.checkMode != Manifest && (!(s.Format == Binary || s.Format == Dotenv || s.Format == Ini )) { if app.checkMode != Manifest && (!(s.Format == Binary || s.Format == Dotenv || s.Format == Ini)) {
_, err := recurseSecretKey(file.keys, s.Key) _, err := recurseSecretKey(file.keys, s.Key)
if err != nil { if err != nil {
return fmt.Errorf("secret %s in %s is not valid: %w", s.Name, s.SopsFile, err) return fmt.Errorf("secret %s in %s is not valid: %w", s.Name, s.SopsFile, err)
@ -605,7 +606,7 @@ func pruneGenerations(secretsMountPoint, secretsDir string, keepGenerations int)
func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error { func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error {
secringPath := filepath.Join(gpgHome, "secring.gpg") secringPath := filepath.Join(gpgHome, "secring.gpg")
secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0600) secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0o600)
if err != nil { if err != nil {
return fmt.Errorf("Cannot create %s: %w", secringPath, err) return fmt.Errorf("Cannot create %s: %w", secringPath, err)
} }
@ -661,7 +662,6 @@ func importAgeSSHKeys(logcfg loggingConfig, keyPaths []string, ageFile os.File)
// Inspired by https://github.com/facebookarchive/symwalk // Inspired by https://github.com/facebookarchive/symwalk
func symlinkWalk(filename string, linkDirname string, walkFn filepath.WalkFunc) error { func symlinkWalk(filename string, linkDirname string, walkFn filepath.WalkFunc) error {
symWalkFunc := func(path string, info os.FileInfo, err error) error { symWalkFunc := func(path string, info os.FileInfo, err error) error {
if fname, err := filepath.Rel(filename, path); err == nil { if fname, err := filepath.Rel(filename, path); err == nil {
path = filepath.Join(linkDirname, fname) path = filepath.Join(linkDirname, fname)
} else { } else {
@ -735,7 +735,7 @@ func handleModifications(isDry bool, logcfg loggingConfig, symlinkPath string, s
writeLines := func(list []string, file string) error { writeLines := func(list []string, file string) error {
if len(list) != 0 { if len(list) != 0 {
f, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600) f, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0o600)
if err != nil { if err != nil {
return err return err
} }
@ -893,9 +893,9 @@ func installSecrets(args []string) error {
} }
if manifest.UserMode { if manifest.UserMode {
rundir, err := RuntimeDir() rundir, err := RuntimeDir()
if opts.checkMode == Off && err != nil { if opts.checkMode == Off && err != nil {
return fmt.Errorf("Error: %v", err) return fmt.Errorf("Error: %v", err)
} }
manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir) manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir) manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir)
@ -953,7 +953,7 @@ func installSecrets(args []string) error {
keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt") keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
os.Setenv("SOPS_AGE_KEY_FILE", keyfile) os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
// Create the keyfile // Create the keyfile
ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
if err != nil { if err != nil {
return fmt.Errorf("Cannot create '%s': %w", keyfile, err) return fmt.Errorf("Cannot create '%s': %w", keyfile, err)
} }
@ -1013,7 +1013,6 @@ func installSecrets(args []string) error {
} }
return nil return nil
} }
func main() { func main() {
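Review bot: The new `const` block at `@ -304,8 +304,10 @@` introducing `RAMFS_MAGIC` and `TMPFS_MAGIC` has no doc comment, and the decimal literals hide where the values come from. They are the filesystem type magics from the kernel's linux/magic.h, so a comment such as `// RAMFS_MAGIC and TMPFS_MAGIC are the f_type magics from linux/magic.h (0x858458f6 and 0x01021994); RAMFS_MAGIC is held as int32, which is why it prints negative.` would let a reader verify them against the header. The ALL_CAPS underscore names are also unidiomatic Go (revive/golint flag them); renaming to `ramfsMagic`/`tmpfsMagic` is outside a gofumpt pass but worth a follow-up if nothing outside this package refers to them. prepareSecretsDir, which starts at the end of that hunk, continues outside it.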


@ -38,7 +38,7 @@ func equals(tb testing.TB, exp, act interface{}) {
func writeManifest(t *testing.T, dir string, m *manifest) string { func writeManifest(t *testing.T, dir string, m *manifest) string {
filename := path.Join(dir, "manifest.json") filename := path.Join(dir, "manifest.json")
f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0755) f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o755)
ok(t, err) ok(t, err)
encoder := json.NewEncoder(f) encoder := json.NewEncoder(f)
ok(t, encoder.Encode(m)) ok(t, encoder.Encode(m))
@ -82,7 +82,7 @@ func testGPG(t *testing.T) {
gpgHome := path.Join(testdir.path, "gpg-home") gpgHome := path.Join(testdir.path, "gpg-home")
gpgEnv := append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", gpgHome)) gpgEnv := append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", gpgHome))
ok(t, os.Mkdir(gpgHome, os.FileMode(0700))) ok(t, os.Mkdir(gpgHome, os.FileMode(0o700)))
cmd := exec.Command("gpg", "--import", path.Join(assets, "key.asc")) cmd := exec.Command("gpg", "--import", path.Join(assets, "key.asc"))
cmd.Stdout = os.Stdout cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr cmd.Stderr = os.Stderr
@ -144,7 +144,6 @@ func testGPG(t *testing.T) {
iniSecret.SopsFile = path.Join(assets, "secrets.ini") iniSecret.SopsFile = path.Join(assets, "secrets.ini")
iniSecret.Path = path.Join(testdir.secretsPath, "test5") iniSecret.Path = path.Join(testdir.secretsPath, "test5")
manifest := manifest{ manifest := manifest{
Secrets: []secret{yamlSecret, jsonSecret, binarySecret, dotenvSecret, iniSecret}, Secrets: []secret{yamlSecret, jsonSecret, binarySecret, dotenvSecret, iniSecret},
SecretsMountPoint: testdir.secretsPath, SecretsMountPoint: testdir.secretsPath,
@ -169,7 +168,7 @@ func testGPG(t *testing.T) {
ok(t, err) ok(t, err)
equals(t, true, yamlStat.Mode().IsRegular()) equals(t, true, yamlStat.Mode().IsRegular())
equals(t, 0400, int(yamlStat.Mode().Perm())) equals(t, 0o400, int(yamlStat.Mode().Perm()))
stat, success := yamlStat.Sys().(*syscall.Stat_t) stat, success := yamlStat.Sys().(*syscall.Stat_t)
equals(t, true, success) equals(t, true, success)
content, err := os.ReadFile(yamlSecret.Path) content, err := os.ReadFile(yamlSecret.Path)
@ -187,7 +186,7 @@ func testGPG(t *testing.T) {
jsonStat, err := os.Stat(jsonSecret.Path) jsonStat, err := os.Stat(jsonSecret.Path)
ok(t, err) ok(t, err)
equals(t, true, jsonStat.Mode().IsRegular()) equals(t, true, jsonStat.Mode().IsRegular())
equals(t, 0700, int(jsonStat.Mode().Perm())) equals(t, 0o700, int(jsonStat.Mode().Perm()))
if stat, ok := jsonStat.Sys().(*syscall.Stat_t); ok { if stat, ok := jsonStat.Sys().(*syscall.Stat_t); ok {
equals(t, 0, int(stat.Uid)) equals(t, 0, int(stat.Uid))
equals(t, 0, int(stat.Gid)) equals(t, 0, int(stat.Gid))
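Review bot: In writeManifest (first hunk of this section) `os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o755)` creates manifest.json with the execute bits set, which a JSON fixture never needs; `0o644` is the conventional mode, e.g. `f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o644)`. Adding `os.O_TRUNC` also avoids stale trailing bytes should the file already exist in `dir`, since O_CREATE alone does not truncate. The hunk does not show where `f` is closed; writeManifest continues outside it, so that may already be handled there.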


@ -65,5 +65,4 @@ func TestShellHook(t *testing.T) {
if !strings.Contains(stderr, expectedStderr) { if !strings.Contains(stderr, expectedStderr) {
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout) t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
} }
} }