reformat with gofumpt
This commit is contained in:
parent
cc2cfe5630
commit
c59da7ac29
6 changed files with 42 additions and 46 deletions
@ -71,5 +71,4 @@ func TestShellHook(t *testing.T) {
|
||||||
if !strings.Contains(stderr, expectedStderr) {
|
if !strings.Contains(stderr, expectedStderr) {
|
||||||
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
|
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
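Review bot: The failure message on the t.Fatalf line reports stdout while the condition on the line above checks stderr, so a failing assertion prints the wrong stream and hides the actual mismatch. Change it to `t.Fatalf("'%v' not in '%v'", expectedStderr, stderr)`. The same pattern appears in the second TestShellHook hunk at the end of the page (the `@ -65,5 +65,4 @@` one). TestShellHook's body starts outside this hunk.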
|
||||||
|
|
|
@ -54,7 +54,7 @@ func SecureSymlinkChown(symlinkToCheck string, expectedTarget string, owner, gro
|
||||||
// newfs_hfs $mydev
|
// newfs_hfs $mydev
|
||||||
// mount -t hfs $mydev /tmp/mymount
|
// mount -t hfs $mydev /tmp/mymount
|
||||||
func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool) error {
|
func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool) error {
|
||||||
if err := os.MkdirAll(mountpoint, 0751); err != nil {
|
if err := os.MkdirAll(mountpoint, 0o751); err != nil {
|
||||||
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
|
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
|
||||||
}
|
}
|
||||||
if _, err := os.Stat(mountpoint + "/sops-nix-secretfs"); !errors.Is(err, os.ErrNotExist) {
|
if _, err := os.Stat(mountpoint + "/sops-nix-secretfs"); !errors.Is(err, os.ErrNotExist) {
|
||||||
|
@ -90,7 +90,7 @@ func MountSecretFs(mountpoint string, keysGid int, _useTmpfs bool, userMode bool
|
||||||
// There is no documented way to check for memfs mountpoint. Thus we place a file.
|
// There is no documented way to check for memfs mountpoint. Thus we place a file.
|
||||||
_, err = os.Create(mountpoint + "/sops-nix-secretfs")
|
_, err = os.Create(mountpoint + "/sops-nix-secretfs")
|
||||||
|
|
||||||
// This would be the way to check on unix.
|
// This would be the way to check on unix.
|
||||||
//buf := unix.Statfs_t{}
|
//buf := unix.Statfs_t{}
|
||||||
//if err := unix.Statfs(mountpoint, &buf); err != nil {
|
//if err := unix.Statfs(mountpoint, &buf); err != nil {
|
||||||
// return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
|
// return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
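Review bot: The `_, err = os.Create(mountpoint + "/sops-nix-secretfs")` line discards the *os.File that os.Create returns, so the descriptor for the marker file is never closed and stays open for the life of the process. Keep the handle and close it on success, e.g. `f, err := os.Create(mountpoint + "/sops-nix-secretfs")` followed by `if err == nil { f.Close() }`, leaving the existing error check intact. The two places that build this path by string concatenation (here and the os.Stat call in the previous hunk) could share a `filepath.Join(mountpoint, "sops-nix-secretfs")` so the marker name lives in one place. MountSecretFs starts and ends outside this hunk.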
|
||||||
|
|
|
@ -4,18 +4,18 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
)
|
)
|
||||||
|
|
||||||
func RuntimeDir() (string, error) {
|
func RuntimeDir() (string, error) {
|
||||||
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
|
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
|
||||||
if !ok {
|
if !ok {
|
||||||
return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
|
return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
|
||||||
}
|
}
|
||||||
return rundir, nil
|
return rundir, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
|
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
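Review bot: `fmt.Errorf("$XDG_RUNTIME_DIR is not set!")` in RuntimeDir has no format verbs, and the message ends with an exclamation mark contrary to Go's lowercase, no-trailing-punctuation error-string convention. `errors.New("$XDG_RUNTIME_DIR is not set")` is the direct form; it needs `"errors"` added to the import block at the top of the hunk. RuntimeDir and the import block are fully inside this hunk; SecureSymlinkChown's body continues outside it.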
|
||||||
|
@ -51,11 +51,11 @@ func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int)
|
||||||
}
|
}
|
||||||
|
|
||||||
func MountSecretFs(mountpoint string, keysGid int, useTmpfs bool, userMode bool) error {
|
func MountSecretFs(mountpoint string, keysGid int, useTmpfs bool, userMode bool) error {
|
||||||
if err := os.MkdirAll(mountpoint, 0751); err != nil {
|
if err := os.MkdirAll(mountpoint, 0o751); err != nil {
|
||||||
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
|
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// We can't create a ramfs as user
|
// We can't create a ramfs as user
|
||||||
if userMode {
|
if userMode {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
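Review bot: The `if userMode { return nil }` branch returns right after os.MkdirAll, so in user mode no memory-backed filesystem is mounted and whatever is later written below `mountpoint` lands on the filesystem that already backs that path; the one-line comment above it only says a ramfs cannot be created. That consequence belongs in the doc comment on MountSecretFs, e.g. `// In userMode no ramfs is mounted; secrets are written to the plain directory at mountpoint, which callers should therefore place under a memory-backed location such as the XDG runtime dir.` The runtime-dir part is inferred from the installSecrets hunk further down that substitutes RuntimeDir() into SecretsMountPoint, so confirm it against the callers. MountSecretFs's body continues outside this hunk.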
|
||||||
|
|
|
@ -18,9 +18,9 @@ import (
|
||||||
"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/sshkeys"
|
"github.com/Mic92/sops-nix/pkgs/sops-install-secrets/sshkeys"
|
||||||
agessh "github.com/Mic92/ssh-to-age"
|
agessh "github.com/Mic92/ssh-to-age"
|
||||||
|
|
||||||
|
"github.com/joho/godotenv"
|
||||||
"github.com/mozilla-services/yaml"
|
"github.com/mozilla-services/yaml"
|
||||||
"go.mozilla.org/sops/v3/decrypt"
|
"go.mozilla.org/sops/v3/decrypt"
|
||||||
"github.com/joho/godotenv"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
type secret struct {
|
type secret struct {
|
||||||
|
@ -79,10 +79,10 @@ const (
|
||||||
func IsValidFormat(format string) bool {
|
func IsValidFormat(format string) bool {
|
||||||
switch format {
|
switch format {
|
||||||
case string(Yaml),
|
case string(Yaml),
|
||||||
string(Json),
|
string(Json),
|
||||||
string(Binary),
|
string(Binary),
|
||||||
string(Dotenv),
|
string(Dotenv),
|
||||||
string(Ini):
|
string(Ini):
|
||||||
return true
|
return true
|
||||||
default:
|
default:
|
||||||
return false
|
return false
|
||||||
|
@ -94,7 +94,7 @@ func (f *FormatType) UnmarshalJSON(b []byte) error {
|
||||||
if err := json.Unmarshal(b, &s); err != nil {
|
if err := json.Unmarshal(b, &s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
var t = FormatType(s)
|
t := FormatType(s)
|
||||||
switch t {
|
switch t {
|
||||||
case "":
|
case "":
|
||||||
*f = Yaml
|
*f = Yaml
|
||||||
|
@ -304,8 +304,10 @@ func decryptSecrets(secrets []secret) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
const RAMFS_MAGIC int32 = -2054924042
|
const (
|
||||||
const TMPFS_MAGIC int32 = 16914836
|
RAMFS_MAGIC int32 = -2054924042
|
||||||
|
TMPFS_MAGIC int32 = 16914836
|
||||||
|
)
|
||||||
|
|
||||||
func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) {
|
func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) {
|
||||||
var generation uint64
|
var generation uint64
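Review bot: The new `const (` block keeps RAMFS_MAGIC and TMPFS_MAGIC as hand-typed int32 literals in ALL_CAPS, which gofumpt cannot fix; if this file is built only for linux, golang.org/x/sys/unix already exports these values as `unix.RAMFS_MAGIC` and `unix.TMPFS_MAGIC`, which removes both the magic numbers and the naming-lint warning. The explicit int32 type presumably exists to compare against a Statfs_t.Type field whose width varies by architecture — that comparison is outside the hunk, so check the cast there before switching. prepareSecretsDir starts inside this hunk but its body continues past it.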
|
||||||
|
@ -328,7 +330,7 @@ func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, us
|
||||||
return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err)
|
return nil, fmt.Errorf("Cannot remove existing %s: %w", dir, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if err := os.Mkdir(dir, os.FileMode(0751)); err != nil {
|
if err := os.Mkdir(dir, os.FileMode(0o751)); err != nil {
|
||||||
return nil, fmt.Errorf("mkdir(): %w", err)
|
return nil, fmt.Errorf("mkdir(): %w", err)
|
||||||
}
|
}
|
||||||
if !userMode {
|
if !userMode {
|
||||||
|
@ -347,7 +349,7 @@ func writeSecrets(secretDir string, secrets []secret, keysGid int, userMode bool
|
||||||
pathSoFar := secretDir
|
pathSoFar := secretDir
|
||||||
for _, dir := range dirs {
|
for _, dir := range dirs {
|
||||||
pathSoFar = filepath.Join(pathSoFar, dir)
|
pathSoFar = filepath.Join(pathSoFar, dir)
|
||||||
if err := os.MkdirAll(pathSoFar, 0751); err != nil {
|
if err := os.MkdirAll(pathSoFar, 0o751); err != nil {
|
||||||
return fmt.Errorf("Cannot create directory '%s' for %s: %w", pathSoFar, fp, err)
|
return fmt.Errorf("Cannot create directory '%s' for %s: %w", pathSoFar, fp, err)
|
||||||
}
|
}
|
||||||
if !userMode {
|
if !userMode {
|
||||||
|
@ -382,15 +384,15 @@ func lookupGroup(groupname string) (int, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func lookupKeysGroup() (int, error) {
|
func lookupKeysGroup() (int, error) {
|
||||||
gid, err1 := lookupGroup("keys")
|
gid, err1 := lookupGroup("keys")
|
||||||
if err1 == nil {
|
if err1 == nil {
|
||||||
return gid, nil
|
return gid, nil
|
||||||
}
|
}
|
||||||
gid, err2 := lookupGroup("nogroup")
|
gid, err2 := lookupGroup("nogroup")
|
||||||
if err2 == nil {
|
if err2 == nil {
|
||||||
return gid, nil
|
return gid, nil
|
||||||
}
|
}
|
||||||
return 0, fmt.Errorf("Can't find group 'keys' nor 'nogroup' (%w).", err2)
|
return 0, fmt.Errorf("Can't find group 'keys' nor 'nogroup' (%w).", err2)
|
||||||
}
|
}
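Review bot: lookupKeysGroup drops err1 entirely: when both lookups fail, the returned error wraps only err2, so the reason the "keys" lookup failed never reaches the caller. If the module is on Go 1.20 or later, `fmt.Errorf` accepts several `%w` verbs, so `return 0, fmt.Errorf("can't find group 'keys' (%w) nor 'nogroup' (%w)", err1, err2)` keeps both causes and also drops the capital letter and trailing period from the error string. lookupKeysGroup is fully inside this hunk; lookupGroup ends inside it and loadSopsFile begins inside it.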
|
||||||
|
|
||||||
func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
|
func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
|
||||||
|
@ -435,7 +437,6 @@ func (app *appContext) loadSopsFile(s *secret) (*secretFile, error) {
|
||||||
keys: keys,
|
keys: keys,
|
||||||
firstSecret: s,
|
firstSecret: s,
|
||||||
}, nil
|
}, nil
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
|
func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
|
||||||
|
@ -444,7 +445,7 @@ func (app *appContext) validateSopsFile(s *secret, file *secretFile) error {
|
||||||
s.Name, s.SopsFile, s.Format,
|
s.Name, s.SopsFile, s.Format,
|
||||||
file.firstSecret.Format, file.firstSecret.Name)
|
file.firstSecret.Format, file.firstSecret.Name)
|
||||||
}
|
}
|
||||||
if app.checkMode != Manifest && (!(s.Format == Binary || s.Format == Dotenv || s.Format == Ini )) {
|
if app.checkMode != Manifest && (!(s.Format == Binary || s.Format == Dotenv || s.Format == Ini)) {
|
||||||
_, err := recurseSecretKey(file.keys, s.Key)
|
_, err := recurseSecretKey(file.keys, s.Key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("secret %s in %s is not valid: %w", s.Name, s.SopsFile, err)
|
return fmt.Errorf("secret %s in %s is not valid: %w", s.Name, s.SopsFile, err)
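Review bot: The condition `app.checkMode != Manifest && (!(s.Format == Binary || s.Format == Dotenv || s.Format == Ini))` carries a double negation that gofumpt only re-spaced; `app.checkMode != Manifest && s.Format != Binary && s.Format != Dotenv && s.Format != Ini` states the same rule directly, namely that the key lookup applies only to structured formats. validateSopsFile starts and ends outside this hunk.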
|
||||||
|
@ -605,7 +606,7 @@ func pruneGenerations(secretsMountPoint, secretsDir string, keepGenerations int)
|
||||||
func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error {
|
func importSSHKeys(logcfg loggingConfig, keyPaths []string, gpgHome string) error {
|
||||||
secringPath := filepath.Join(gpgHome, "secring.gpg")
|
secringPath := filepath.Join(gpgHome, "secring.gpg")
|
||||||
|
|
||||||
secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0600)
|
secring, err := os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0o600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Cannot create %s: %w", secringPath, err)
|
return fmt.Errorf("Cannot create %s: %w", secringPath, err)
|
||||||
}
|
}
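Review bot: The `os.OpenFile(secringPath, os.O_WRONLY|os.O_CREATE, 0o600)` line opens secring.gpg without O_TRUNC, so if the file already exists the new keyring is written over the old bytes in place and any longer previous content keeps its tail, leaving a corrupt keyring. Unless gpgHome is guaranteed to be fresh (not visible here), add `os.O_TRUNC` to the flags. The 0o600 mode applies only when the file is created and is still subject to the process umask. Whether secring is closed, and the rest of importSSHKeys, lie outside this hunk.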
|
||||||
|
@ -661,7 +662,6 @@ func importAgeSSHKeys(logcfg loggingConfig, keyPaths []string, ageFile os.File)
|
||||||
// Inspired by https://github.com/facebookarchive/symwalk
|
// Inspired by https://github.com/facebookarchive/symwalk
|
||||||
func symlinkWalk(filename string, linkDirname string, walkFn filepath.WalkFunc) error {
|
func symlinkWalk(filename string, linkDirname string, walkFn filepath.WalkFunc) error {
|
||||||
symWalkFunc := func(path string, info os.FileInfo, err error) error {
|
symWalkFunc := func(path string, info os.FileInfo, err error) error {
|
||||||
|
|
||||||
if fname, err := filepath.Rel(filename, path); err == nil {
|
if fname, err := filepath.Rel(filename, path); err == nil {
|
||||||
path = filepath.Join(linkDirname, fname)
|
path = filepath.Join(linkDirname, fname)
|
||||||
} else {
|
} else {
|
||||||
|
@ -735,7 +735,7 @@ func handleModifications(isDry bool, logcfg loggingConfig, symlinkPath string, s
|
||||||
|
|
||||||
writeLines := func(list []string, file string) error {
|
writeLines := func(list []string, file string) error {
|
||||||
if len(list) != 0 {
|
if len(list) != 0 {
|
||||||
f, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
|
f, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0o600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -893,9 +893,9 @@ func installSecrets(args []string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
if manifest.UserMode {
|
if manifest.UserMode {
|
||||||
rundir, err := RuntimeDir()
|
rundir, err := RuntimeDir()
|
||||||
if opts.checkMode == Off && err != nil {
|
if opts.checkMode == Off && err != nil {
|
||||||
return fmt.Errorf("Error: %v", err)
|
return fmt.Errorf("Error: %v", err)
|
||||||
}
|
}
|
||||||
manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
|
manifest.SecretsMountPoint = replaceRuntimeDir(manifest.SecretsMountPoint, rundir)
|
||||||
manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir)
|
manifest.SymlinkPath = replaceRuntimeDir(manifest.SymlinkPath, rundir)
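Review bot: `return fmt.Errorf("Error: %v", err)` after RuntimeDir() breaks the error chain (`%v` instead of `%w`) and adds a redundant "Error:" prefix; `return fmt.Errorf("resolving runtime dir: %w", err)` or a plain `return err` is preferable. Note also that when opts.checkMode is not Off the error is ignored and rundir is the empty string, so the two replaceRuntimeDir calls below substitute an empty value; if that is intended for check mode a short comment saying so would help, otherwise the condition deserves a second look. installSecrets starts and ends outside this hunk.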
|
||||||
|
@ -953,7 +953,7 @@ func installSecrets(args []string) error {
|
||||||
keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
|
keyfile := filepath.Join(manifest.SecretsMountPoint, "age-keys.txt")
|
||||||
os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
|
os.Setenv("SOPS_AGE_KEY_FILE", keyfile)
|
||||||
// Create the keyfile
|
// Create the keyfile
|
||||||
ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
ageFile, err := os.OpenFile(keyfile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Cannot create '%s': %w", keyfile, err)
|
return fmt.Errorf("Cannot create '%s': %w", keyfile, err)
|
||||||
}
|
}
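Review bot: The `os.Setenv("SOPS_AGE_KEY_FILE", keyfile)` line ignores the error Setenv returns, so a failure would silently leave sops without the key file path and the later decryption would fail with a less direct message. Check it: `if err := os.Setenv("SOPS_AGE_KEY_FILE", keyfile); err != nil { return fmt.Errorf("setting SOPS_AGE_KEY_FILE: %w", err) }`. The OpenFile below applies 0o600 only when it creates the file; an existing keyfile keeps whatever mode it had, which is presumably fine if SecretsMountPoint is fresh each run — confirm. installSecrets starts and ends outside this hunk.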
|
||||||
|
@ -1013,7 +1013,6 @@ func installSecrets(args []string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
|
|
@ -38,7 +38,7 @@ func equals(tb testing.TB, exp, act interface{}) {
|
||||||
|
|
||||||
func writeManifest(t *testing.T, dir string, m *manifest) string {
|
func writeManifest(t *testing.T, dir string, m *manifest) string {
|
||||||
filename := path.Join(dir, "manifest.json")
|
filename := path.Join(dir, "manifest.json")
|
||||||
f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0755)
|
f, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o755)
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
encoder := json.NewEncoder(f)
|
encoder := json.NewEncoder(f)
|
||||||
ok(t, encoder.Encode(m))
|
ok(t, encoder.Encode(m))
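Review bot: writeManifest opens manifest.json with mode 0o755, which marks a JSON data file executable; `0o644` is the conventional mode for a plain file. The filename is built with `path.Join`, where `filepath.Join` is the OS-aware choice for filesystem paths. Whether `f` is closed after encoding is not visible here; writeManifest's body continues past this hunk.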
|
||||||
|
@ -82,7 +82,7 @@ func testGPG(t *testing.T) {
|
||||||
gpgHome := path.Join(testdir.path, "gpg-home")
|
gpgHome := path.Join(testdir.path, "gpg-home")
|
||||||
gpgEnv := append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", gpgHome))
|
gpgEnv := append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", gpgHome))
|
||||||
|
|
||||||
ok(t, os.Mkdir(gpgHome, os.FileMode(0700)))
|
ok(t, os.Mkdir(gpgHome, os.FileMode(0o700)))
|
||||||
cmd := exec.Command("gpg", "--import", path.Join(assets, "key.asc"))
|
cmd := exec.Command("gpg", "--import", path.Join(assets, "key.asc"))
|
||||||
cmd.Stdout = os.Stdout
|
cmd.Stdout = os.Stdout
|
||||||
cmd.Stderr = os.Stderr
|
cmd.Stderr = os.Stderr
|
||||||
|
@ -144,7 +144,6 @@ func testGPG(t *testing.T) {
|
||||||
iniSecret.SopsFile = path.Join(assets, "secrets.ini")
|
iniSecret.SopsFile = path.Join(assets, "secrets.ini")
|
||||||
iniSecret.Path = path.Join(testdir.secretsPath, "test5")
|
iniSecret.Path = path.Join(testdir.secretsPath, "test5")
|
||||||
|
|
||||||
|
|
||||||
manifest := manifest{
|
manifest := manifest{
|
||||||
Secrets: []secret{yamlSecret, jsonSecret, binarySecret, dotenvSecret, iniSecret},
|
Secrets: []secret{yamlSecret, jsonSecret, binarySecret, dotenvSecret, iniSecret},
|
||||||
SecretsMountPoint: testdir.secretsPath,
|
SecretsMountPoint: testdir.secretsPath,
|
||||||
|
@ -169,7 +168,7 @@ func testGPG(t *testing.T) {
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
|
|
||||||
equals(t, true, yamlStat.Mode().IsRegular())
|
equals(t, true, yamlStat.Mode().IsRegular())
|
||||||
equals(t, 0400, int(yamlStat.Mode().Perm()))
|
equals(t, 0o400, int(yamlStat.Mode().Perm()))
|
||||||
stat, success := yamlStat.Sys().(*syscall.Stat_t)
|
stat, success := yamlStat.Sys().(*syscall.Stat_t)
|
||||||
equals(t, true, success)
|
equals(t, true, success)
|
||||||
content, err := os.ReadFile(yamlSecret.Path)
|
content, err := os.ReadFile(yamlSecret.Path)
|
||||||
|
@ -187,7 +186,7 @@ func testGPG(t *testing.T) {
|
||||||
jsonStat, err := os.Stat(jsonSecret.Path)
|
jsonStat, err := os.Stat(jsonSecret.Path)
|
||||||
ok(t, err)
|
ok(t, err)
|
||||||
equals(t, true, jsonStat.Mode().IsRegular())
|
equals(t, true, jsonStat.Mode().IsRegular())
|
||||||
equals(t, 0700, int(jsonStat.Mode().Perm()))
|
equals(t, 0o700, int(jsonStat.Mode().Perm()))
|
||||||
if stat, ok := jsonStat.Sys().(*syscall.Stat_t); ok {
|
if stat, ok := jsonStat.Sys().(*syscall.Stat_t); ok {
|
||||||
equals(t, 0, int(stat.Uid))
|
equals(t, 0, int(stat.Uid))
|
||||||
equals(t, 0, int(stat.Gid))
|
equals(t, 0, int(stat.Gid))
|
||||||
|
|
|
@ -65,5 +65,4 @@ func TestShellHook(t *testing.T) {
|
||||||
if !strings.Contains(stderr, expectedStderr) {
|
if !strings.Contains(stderr, expectedStderr) {
|
||||||
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
|
t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}