ksail icon indicating copy to clipboard operation
ksail copied to clipboard

Published 20 hours ago verified publisher icon devantler

Do not decrypt in-place

Open rvangsgaard opened this issue 1 year ago • 8 comments

Description

When decrypting files, do not overwrite the existing file. Either write to stdout, or write to another file.

I prefer printing the results to stdout, allowing the user to choose if I want to pipe to a file, or just see the results in the console.

Preconditions

No response

Expected work done

No response

Postconditions

When I decrypt a file, the results should be printed to stdout.

rvangsgaard avatar Jul 01 '24 07:07 rvangsgaard

I will be implementing a disable for in-place as an arguement. I still believe the default should be to decrypt in-place.

I am thinking something in terms of:

ksail sops <cluster-name> --decrypt file --in-place false

SOPS already supports redirecting the output to an editor, so for outputting the decrypted file, I think I can rely on the hosts EDITOR env. I will explore the options here, but I want to lean into the what could be expected if using sops outside of sail. I will add more information when I learn it.

devantler avatar Jul 01 '24 19:07 devantler

I want to lean into the what could be expected if using sops outside of sail.

SOPS by default writes to stdout, and most CLIs do this.

Sometimes you just want to inspect a secret variable, and doing a git restore of the file afterwards is cumbersome, because it was edited in-place.

The CLI sed does it like this: https://linux.die.net/man/1/sed - look for --in-place.

I respect your choice, and I might not really understand the most common use case for this yet.

rvangsgaard avatar Jul 02 '24 10:07 rvangsgaard

You are right. I was thinking of this functionality, which I want to be the default:

image

devantler avatar Jul 02 '24 14:07 devantler

But maybe it makes sense to add a specific arguments in this case?

ksail sops <cluster-name> edit <file> Opens your $EDITOR to edit the file in-place. This is what I envisioned is the most likely use case for most. They run the ksail sops because they want to see or update sops encrypted file. This enables both those use cases. ksail sops <cluster-name> decrypt <file> Decrypts the file defaulting to stdout. ksail sops <cluster-name> encrypt <file> Encrypts the file defaulting to stdout. ksail sops <cluster-name> decrypt <file> --in-place Decrypts the file in place. ksail sops <cluster-name> encrypt <file> --in-place Encrypts the file in place. ksail sops <cluster-name> decrypt <file> --output <file> Decrypts the file and outputs it to another file. ksail sops <cluster-name> encrypt <file> --output <file> Encrypts the file and outputs it to another file.

--in-place and --output can be mixed resulting in the file being decrypted/encrypted in place, and outputted to some other file. Having to add <cluster-name> is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Would this work for you?

devantler avatar Jul 02 '24 14:07 devantler

Personally I have no use of the --output option. Piping the results of stdout to a file is a well-known practice on Unix/Linux:

ksail sops <cluster-name> decrypt <file> > output-file Decrypts the file and pipes the result to stdout.

rvangsgaard avatar Jul 04 '24 09:07 rvangsgaard

Is this comment for another issue?

Having to add is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Nonetheless it seem like a good approach.

rvangsgaard avatar Jul 04 '24 09:07 rvangsgaard

Is this comment for another issue?

Having to add is temporary until a ksail config has been implemented allowing defaulting the current cluster set in the config, as long as ksail is executed in a subfolder of the ksail project. At this point I will probably also add an --agekey argument to allow overwriting the default key used in case that is needed.

Nonetheless it seem like a good approach.

No it was just to inform you that my examples would like change a bit from what is presented here :-)

devantler avatar Jul 04 '24 14:07 devantler

Personally I have no use of the --output option. Piping the results of stdout to a file is a well-known practice on Unix/Linux:

ksail sops <cluster-name> decrypt <file> > output-file Decrypts the file and pipes the result to stdout.

It would be optional :-) So what you suggest here would also be possible. Piping and stuff is just not for everyone, and I want to make it easier for people who find it easier with flag for it. Kind of like a very verbose shortcut, compared to piping which requires some more Linux/syntax knowledge to understand :-)

devantler avatar Jul 04 '24 14:07 devantler

:tada: This issue has been resolved in version 2.1.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

ghost avatar Feb 17 '25 02:02 ghost