🗄 Allow encrypted values to be read from files in vault

Author: bdsoha

cmd/info/env.go

@@ -6,9 +6,10 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/spf13/cobra"
+
 	"github.com/kloudkit/ws-cli/internals/env"
 	"github.com/kloudkit/ws-cli/internals/styles"
-	"github.com/spf13/cobra"
 )
 
 func showEnvironment(writer io.Writer) {

cmd/info/extensions.go

@@ -4,11 +4,13 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"github.com/kloudkit/ws-cli/internals/styles"
-	"github.com/spf13/cobra"
 	"io"
 	"os/exec"
 	"strings"
+
+	"github.com/spf13/cobra"
+
+	"github.com/kloudkit/ws-cli/internals/styles"
 )
 
 func fetchExtensions() [][]string {

cmd/info/info.go

@@ -6,10 +6,11 @@ import (
 	"io"
 	"os"
 
+	"github.com/spf13/cobra"
+
 	"github.com/kloudkit/ws-cli/internals/config"
 	internalIO "github.com/kloudkit/ws-cli/internals/io"
 	"github.com/kloudkit/ws-cli/internals/styles"
-	"github.com/spf13/cobra"
 )
 
 type Manifest struct {

cmd/info/resources.go

@@ -9,8 +9,9 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/kloudkit/ws-cli/internals/styles"
 	"github.com/spf13/cobra"
+
+	"github.com/kloudkit/ws-cli/internals/styles"
 )
 
 type resources struct {

cmd/info/uptime.go

@@ -3,12 +3,13 @@ package info
 import (
 	"fmt"
 	"io"
-
-	"github.com/kloudkit/ws-cli/internals/styles"
-	"github.com/spf13/cobra"
 	"os"
 	"strings"
 	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/kloudkit/ws-cli/internals/styles"
 )
 
 func readStartup() (time.Time, time.Duration, error) {
@@ -60,11 +61,12 @@ func showUptime(writer io.Writer) {
 	}
 
 	var statusValue string
-	if running.Hours() < 1 {
+	switch {
+	case running.Hours() < 1:
 		statusValue = "Recently started"
-	} else if running.Hours() < 36 {
+	case running.Hours() < 36:
 		statusValue = "Active"
-	} else {
+	default:
 		statusValue = "Long running"
 	}
 

cmd/info/version.go

@@ -1,3 +1,3 @@
 package info
 
-var Version = "0.0.43"
+var Version = "0.0.44"

cmd/logs/logs.go

@@ -2,12 +2,16 @@ package logs
 
 import (
 	"fmt"
+	"slices"
+
+	"github.com/spf13/cobra"
 
 	"github.com/kloudkit/ws-cli/internals/logger"
 	"github.com/kloudkit/ws-cli/internals/styles"
-	"github.com/spf13/cobra"
 )
 
+var validLogLevels = []string{"debug", "info", "warn", "error"}
+
 var LogsCmd = &cobra.Command{
 	Use:   "logs",
 	Short: "Retrieve workspace logs",
@@ -20,7 +24,7 @@ func execute(cmd *cobra.Command, args []string) error {
 	tail, _ := cmd.Flags().GetInt("tail")
 	level, _ := cmd.Flags().GetString("level")
 
-	if level != "" && level != "info" && level != "warn" && level != "error" && level != "debug" {
+	if level != "" && !slices.Contains(validLogLevels, level) {
 		styles.PrintErrorWithOptions(cmd.ErrOrStderr(), "Invalid log level. Must be one of:", [][]string{
 			{"debug", "Debug information"},
 			{"info", "General information"},

internals/io/password.go

@@ -14,34 +14,32 @@ func ReadPasswordInput() (string, error) {
 }
 
 func ReadPasswordFromReader(reader io.Reader) (string, error) {
-	if file, ok := reader.(*os.File); ok {
-		stat, err := file.Stat()
-		if err != nil {
-			return "", fmt.Errorf("failed to stat stdin: %w", err)
-		}
-
-		if (stat.Mode() & os.ModeCharDevice) == 0 {
-			data, err := io.ReadAll(file)
-			if err != nil {
-				return "", fmt.Errorf("failed to read from stdin: %w", err)
-			}
-			password := string(data)
-			if strings.TrimSpace(password) == "" {
-				return "", fmt.Errorf("empty password provided")
-			}
-			return password, nil
-		}
-
-		fmt.Fprint(os.Stderr, "Enter password: ")
-		passwordBytes, err := term.ReadPassword(int(file.Fd()))
-		fmt.Fprintln(os.Stderr)
-		if err != nil {
-			return "", fmt.Errorf("failed to read password: %w", err)
-		}
-
-		return string(passwordBytes), nil
+	file, ok := reader.(*os.File)
+	if !ok {
+		return readPasswordFromStream(reader)
 	}
 
+	stat, err := file.Stat()
+	if err != nil {
+		return "", fmt.Errorf("failed to stat stdin: %w", err)
+	}
+
+	isTerminal := (stat.Mode() & os.ModeCharDevice) != 0
+	if !isTerminal {
+		return readPasswordFromStream(file)
+	}
+
+	fmt.Fprint(os.Stderr, "Enter password: ")
+	passwordBytes, err := term.ReadPassword(int(file.Fd()))
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		return "", fmt.Errorf("failed to read password: %w", err)
+	}
+
+	return string(passwordBytes), nil
+}
+
+func readPasswordFromStream(reader io.Reader) (string, error) {
 	data, err := io.ReadAll(reader)
 	if err != nil {
 		return "", fmt.Errorf("failed to read from stdin: %w", err)

internals/secrets/crypto.go

@@ -7,6 +7,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
+	"os"
 	"strings"
 
 	"golang.org/x/crypto/argon2"
@@ -53,6 +54,20 @@ func NormalizeEncrypted(encrypted string) string {
 	return encrypted
 }
 
+func ResolveEncryptedValue(encrypted string) (string, error) {
+	if !strings.HasPrefix(encrypted, "file:") {
+		return encrypted, nil
+	}
+
+	filePath := strings.TrimPrefix(encrypted, "file:")
+	content, err := os.ReadFile(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to read encrypted file %s: %w", filePath, err)
+	}
+
+	return NormalizeEncrypted(string(content)), nil
+}
+
 func Decrypt(encodedValue string, masterKey []byte) ([]byte, error) {
 	parts := strings.Split(encodedValue, "$")
 	if len(parts) != 2 {

internals/secrets/vault.go

@@ -213,7 +213,10 @@ func ProcessVault(vault *Vault, opts ProcessOptions) (map[string]string, error)
 
 		effectiveForce := opts.Force || secret.Force
 
-		encryptedValue := NormalizeEncrypted(secret.Encrypted)
+		encryptedValue, err := ResolveEncryptedValue(secret.Encrypted)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve encrypted value for %q: %w", key, err)
+		}
 
 		decrypted, err := Decrypt(encryptedValue, opts.MasterKey)
 		if err != nil {