inputs decryption using SOPS
- Add support for --input-json and --input-yaml (plaintext) - Input files can optionally be encrypted using sops, with transparent decryption by dagger Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
@@ -6,6 +6,8 @@ import (
|
||||
|
||||
"cuelang.org/go/cue"
|
||||
cueerrors "cuelang.org/go/cue/errors"
|
||||
cuejson "cuelang.org/go/encoding/json"
|
||||
cueyaml "cuelang.org/go/encoding/yaml"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -34,6 +36,14 @@ func Err(err error) error {
|
||||
return DefaultCompiler.Err(err)
|
||||
}
|
||||
|
||||
func DecodeJSON(path string, data []byte) (*Value, error) {
|
||||
return DefaultCompiler.DecodeJSON(path, data)
|
||||
}
|
||||
|
||||
func DecodeYAML(path string, data []byte) (*Value, error) {
|
||||
return DefaultCompiler.DecodeYAML(path, data)
|
||||
}
|
||||
|
||||
// Polyfill for a cue runtime
|
||||
// (we call it compiler to avoid confusion with dagger runtime)
|
||||
// Use this instead of cue.Runtime
|
||||
@@ -83,6 +93,22 @@ func (c *Compiler) Compile(name string, src interface{}) (*Value, error) {
|
||||
return c.Wrap(inst.Value(), inst), nil
|
||||
}
|
||||
|
||||
func (c *Compiler) DecodeJSON(path string, data []byte) (*Value, error) {
|
||||
inst, err := cuejson.Decode(c.Cue(), path, data)
|
||||
if err != nil {
|
||||
return nil, Err(err)
|
||||
}
|
||||
return c.Wrap(inst.Value(), inst), nil
|
||||
}
|
||||
|
||||
func (c *Compiler) DecodeYAML(path string, data []byte) (*Value, error) {
|
||||
inst, err := cueyaml.Decode(c.Cue(), path, data)
|
||||
if err != nil {
|
||||
return nil, Err(err)
|
||||
}
|
||||
return c.Wrap(inst.Value(), inst), nil
|
||||
}
|
||||
|
||||
func (c *Compiler) Wrap(v cue.Value, inst *cue.Instance) *Value {
|
||||
return wrapValue(v, inst, c)
|
||||
}
|
||||
|
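Review bot: The new exported `DecodeJSON` and `DecodeYAML` (the package-level wrappers in the second hunk and the `Compiler` methods in the third) have no doc comments, so nothing says what `path` is for or that `data` may hold decrypted secret material. I would add `// DecodeJSON parses JSON-encoded data into a Value; path is passed to the CUE decoder as the source name.` and the YAML equivalent on both pairs. Because the caller added in this commit passes sops-decrypted bytes into these functions, it is also worth confirming that `Err(err)` does not quote input content in the errors it returns; its body is outside the hunks shown.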
@@ -2,14 +2,19 @@ package dagger
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/url"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"cuelang.org/go/cue"
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
"dagger.io/go/dagger/compiler"
|
||||
|
||||
"go.mozilla.org/sops"
|
||||
"go.mozilla.org/sops/decrypt"
|
||||
)
|
||||
|
||||
// A mutable cue value with an API suitable for user inputs,
|
||||
@@ -222,6 +227,60 @@ func (f cueFlag) Type() string {
|
||||
return "CUE"
|
||||
}
|
||||
|
||||
func (iv *InputValue) YAMLFlag() pflag.Value {
|
||||
return fileFlag{
|
||||
iv: iv,
|
||||
format: "yaml",
|
||||
}
|
||||
}
|
||||
|
||||
func (iv *InputValue) JSONFlag() pflag.Value {
|
||||
return fileFlag{
|
||||
iv: iv,
|
||||
format: "json",
|
||||
}
|
||||
}
|
||||
|
||||
type fileFlag struct {
|
||||
format string
|
||||
iv *InputValue
|
||||
}
|
||||
|
||||
func (f fileFlag) Set(s string) error {
|
||||
return f.iv.Set(s, func(s string) (interface{}, error) {
|
||||
content, err := os.ReadFile(s)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
plaintext, err := decrypt.Data(content, f.format)
|
||||
if err != nil && !errors.Is(err, sops.MetadataNotFound) {
|
||||
return nil, fmt.Errorf("unable to decrypt %q: %w", s, err)
|
||||
}
|
||||
|
||||
if len(plaintext) > 0 {
|
||||
content = plaintext
|
||||
}
|
||||
|
||||
switch f.format {
|
||||
case "json":
|
||||
return compiler.DecodeJSON(s, content)
|
||||
case "yaml":
|
||||
return compiler.DecodeYAML(s, content)
|
||||
default:
|
||||
panic("unsupported file format")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func (f fileFlag) String() string {
|
||||
return f.iv.String()
|
||||
}
|
||||
|
||||
func (f fileFlag) Type() string {
|
||||
return strings.ToUpper(f.format)
|
||||
}
|
||||
|
||||
// UTILITIES
|
||||
|
||||
func splitkv(kv string) (cue.Path, string) {
|
||||
|
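Review bot: In `fileFlag.Set` the choice between decrypted and original bytes is made by `len(plaintext) > 0` rather than by the error value, so the code never says outright that a file without sops metadata is accepted as plaintext. Writing it as `if err == nil { content = plaintext }` keeps the two paths distinct and also covers the edge case where decryption succeeds with empty output, which today appears to fall back to decoding the still-encrypted document. A debug-level log on the `sops.MetadataNotFound` path would let an operator notice a file that was expected to be encrypted but is not. The `default:` branch panics; in a flag setter I would return an error instead, `return nil, fmt.Errorf("unsupported file format %q", f.format)`, even though only "json" and "yaml" are set by the constructors visible here.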