
crash with 2 sops_dotenv and an extract

Open teto opened this issue 1 year ago • 4 comments

I haven't linked the secrets file, but in one of my .novops.yaml files:

    sops_dotenv:
      - file: deploysecrets.dev.yaml
      - file: nixos/secrets.dev.yaml
        extract: '["sshPrivateKey"]'

novops load triggers:

    ❌130 ❯ RUST_BACKTRACE=1 novops load -e dev -s .envrc
    thread 'main' panicked at src/modules/sops.rs:121:52:
    called `Option::unwrap()` on a `None` value
    stack backtrace:
       0: rust_begin_unwind
       1: core::panicking::panic_fmt
       2: core::panicking::panic
       3: <novops::modules::sops::SopsDotenvInput as novops::core::ResolveTo<alloc::vec::Vec<novops::modules::variables::VariableOutput>>>::resolve::{{closure}}
       4: novops::load_context_and_resolve::{{closure}}
       5: novops::main::{{closure}}
       6: tokio::runtime::park::CachedParkThread::block_on
       7: tokio::runtime::context::runtime::enter_runtime
       8: tokio::runtime::runtime::Runtime::block_on
       9: novops::main
    note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.

If I remove the "extract", novops doesn't crash:

    sops_dotenv:
      - file: deploysecrets.dev.yaml
      - file: nixos/secrets.dev.yaml

This happens with version b8e95903a86a7ec0c1593dd368a6ee00a2a6086f.

teto, Mar 19 '24 09:03

Oh. Will take a look ASAP.

PierreBeucher, Mar 19 '24 12:03

Can you share an example with encrypted and clear SOPS files, please? And your sops --version. I can't reproduce as-is.

The problem comes from https://github.com/PierreBeucher/novops/blob/b8e95903a86a7ec0c1593dd368a6ee00a2a6086f/src/modules/sops.rs#L121

This module uses the sops --output-type dotenv option, which is supposed to output lines to stdout like:

    KEY=VALUE
    FOO=BAR

But for some reason SOPS returns a line on stdout which is not a key=value pair as expected (it does not contain an = character), hence the issue.

Admittedly this naïve method is not good enough; we should either ignore lines not containing = or error safely on them, but I can't find the reason behind this SOPS behavior.

PierreBeucher, Mar 20 '24 09:03

@teto ping :) Can you provide the data you used, please?

PierreBeucher, May 08 '24 08:05

I hit this again today with novops 0.19.

Running sops --output-type dotenv works and returns something like:

    ANSIBLE_VAULT_PASSWORD=g8784#carotte%#adada
    sopsRunnerKey=AGE-SECRET-KEY-dasdasdasdadadasd
    # TONS of 
    # comments

Turns out that if I remove the comments, novops seems to work. Looking at the code, it seems like run_sops_decrypt doesn't strip comments? That may be the solution!

teto, Mar 31 '25 10:03
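The two observations above (a line without `=` makes the parser unwrap `None` and panic; SOPS emits `#` comment lines in its dotenv output) point at the same fix: parse the dotenv text defensively instead of assuming every line is `KEY=VALUE`. The following is an added example written for this thread, not novops's own `run_sops_decrypt` or any SOPS code. It assumes the decrypted dotenv text is already available as a string; the sample input is constructed and contains no real secrets. Comment and blank lines are skipped, a value is split only on the first `=` so `#` or `=` inside a secret value is preserved (as in the `g8784#carotte%#adada` example above), and a genuinely malformed line becomes a typed error rather than a crash. Note that inline `#` is deliberately not treated as a comment, because stripping it would truncate secrets.

```rust
use std::fmt;

/// One decoded KEY=VALUE pair from dotenv-style output.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Variable {
    pub name: String,
    pub value: String,
}

/// Errors reported instead of panicking on unexpected output.
#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// A non-comment, non-empty line that has no `=` separator.
    MissingSeparator { line: usize, content: String },
    /// A line such as `=foo` where the key part is empty.
    EmptyKey { line: usize },
}

impl fmt::Display for ParseError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ParseError::MissingSeparator { line, content } => {
                // Only the offending line is echoed; values of other lines never are.
                write!(f, "line {line}: expected KEY=VALUE, got {content:?}")
            }
            ParseError::EmptyKey { line } => write!(f, "line {line}: empty variable name"),
        }
    }
}

impl std::error::Error for ParseError {}

/// Parse the text produced by `sops --output-type dotenv` (hypothetical input;
/// this function only sees the already-decrypted string).
pub fn parse_dotenv(output: &str) -> Result<Vec<Variable>, ParseError> {
    let mut vars = Vec::new();
    for (idx, raw) in output.lines().enumerate() {
        let line_no = idx + 1;
        let line = raw.trim();
        // Skip blank lines and full-line comments: this is what tripped the
        // `unwrap()` in the issue, so these must not reach the KEY=VALUE split.
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        // Split on the FIRST '=' only, so '=' and '#' inside the value survive.
        match line.split_once('=') {
            None => {
                return Err(ParseError::MissingSeparator {
                    line: line_no,
                    content: raw.to_string(),
                })
            }
            Some((key, value)) => {
                let name = key.trim();
                if name.is_empty() {
                    return Err(ParseError::EmptyKey { line: line_no });
                }
                vars.push(Variable {
                    name: name.to_string(),
                    value: value.to_string(),
                });
            }
        }
    }
    Ok(vars)
}

fn main() {
    // Constructed sample output: comments, a blank line, and values containing '#' and '='.
    let sample = "DB_PASSWORD=abc#not-a-comment\n\
                  # comment header\n\
                  \n\
                  TOKEN=a=b=c\n\
                  # trailing comment\n";
    match parse_dotenv(sample) {
        Ok(vars) => {
            for v in &vars {
                // Print names only; values are secrets and stay out of logs.
                println!("loaded variable {}", v.name);
            }
        }
        Err(e) => eprintln!("failed to parse dotenv output: {e}"),
    }
}
```

`parse_dotenv` returns a `Result`, so a caller can decide whether an unexpected line should abort the load or merely be logged; either choice is better than the `Option::unwrap()` on `None` shown in the backtrace.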