authorShulhan <ms@kilabit.info>2023-12-16 18:28:59 +0700
committerShulhan <ms@kilabit.info>2023-12-16 18:28:59 +0700
commitcf8caf8844b51d71e39f5b454fc7c79a9bec3227 (patch)
tree07c59becb58fa485c598b3067ffd4f26f8b2cf73
parent17a19677b325ce9911570db0988cd18ee996f46a (diff)
downloadawwan-cf8caf8844b51d71e39f5b454fc7c79a9bec3227.tar.xz
all: make the magic line "#put:" use explicit source for encrypted file
Previously, the magic line "#put" detected automatically whether the source file is encrypted, so we did not need to put the ".vault" suffix in the source path. This change makes it always explicit: if we want to copy an encrypted file, then the source path must be the path to the encrypted file. Implements: https://todo.sr.ht/~shulhan/awwan/7
-rw-r--r--session.go48
-rw-r--r--testdata/local/put.aww2
-rw-r--r--testdata/local/put.data2
3 files changed, 20 insertions, 32 deletions
diff --git a/session.go b/session.go
index 0510b8d..7a845c8 100644
--- a/session.go
+++ b/session.go
@@ -541,19 +541,20 @@ func (ses *Session) executeScriptOnRemote(req *ExecRequest, pos linePosition) (e
func (ses *Session) generateFileInput(in string) (out string, isVault bool, err error) {
// Check if the file is binary first, since binary file will not get
// encrypted.
- if libos.IsBinary(in) {
+ if !strings.HasSuffix(in, defEncryptExt) && libos.IsBinary(in) {
return in, false, nil
}
var (
- logp = `generateFileInput`
+ logp = `generateFileInput`
+ relPathInput = relativePath(ses.BaseDir, in)
contentInput []byte
)
contentInput, isVault, err = ses.loadFileInput(in)
if err != nil {
- return ``, false, err
+ return ``, false, fmt.Errorf(`%s %q: %w`, logp, relPathInput, err)
}
var contentOut []byte
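Review bot: The comment above the new condition in generateFileInput ("Check if the file is binary first, since binary file will not get encrypted") no longer describes it, because a path ending in defEncryptExt now skips the IsBinary shortcut and is always loaded and decrypted. I would reword it along the lines of `// A source with the ".vault" suffix is always loaded and decrypted; any other binary file is returned as is.` Nothing in the visible lines checks whether the decrypted content is itself binary before it is processed further, so if encrypted binary files are meant to be supported, that case deserves a line in the comment or a test. The function body continues past the end of the hunk.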
@@ -704,43 +705,30 @@ func (ses *Session) loadFileEnv(awwanEnv string, isVault bool) (err error) {
}
// loadFileInput read the input file for Copy or Put operation.
-// If the original input file does not exist, try loading the encrypted file
-// with ".vault" extension.
+//
+// If the input path end with ".vault" suffix, the file will be decrypted
+// first.
//
// On success, it will return the content of file and true if the file is
// from encrypted file .vault.
func (ses *Session) loadFileInput(path string) (content []byte, isVault bool, err error) {
- var (
- logp = `loadFileInput`
- relPath = relativePath(ses.BaseDir, path)
- )
-
- content, err = os.ReadFile(path)
- if err == nil {
- return content, false, nil
- }
- if !errors.Is(err, fs.ErrNotExist) {
- return nil, false, err
+ if strings.HasSuffix(path, defEncryptExt) {
+ content, err = os.ReadFile(path)
+ if err != nil {
+ return nil, true, err
+ }
+ content, err = ses.cryptoc.decrypt(content)
+ if err != nil {
+ return nil, true, err
+ }
+ return content, true, nil
}
- log.Printf(`??? %s %q: not exist`, logp, relPath)
-
- path = path + defEncryptExt
- relPath += defEncryptExt
content, err = os.ReadFile(path)
if err != nil {
- if errors.Is(err, fs.ErrNotExist) {
- return nil, false, fmt.Errorf(`%s %q: %w`, logp, relPath, fs.ErrNotExist)
- }
return nil, false, err
}
-
- content, err = ses.cryptoc.decrypt(content)
- if err != nil {
- return nil, false, fmt.Errorf(`%s %q: %s`, logp, relPath, err)
- }
-
- return content, true, nil
+ return content, false, nil
}
func (ses *Session) loadRawEnv(content []byte) (err error) {
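Review bot: Both error returns in the new ".vault" branch of loadFileInput use `return nil, true, err`, while the plain-file branch returns `nil, false, err`. generateFileInput assigns the result straight into its named `isVault` result before it checks `err`, so the flag is briefly true with no decrypted content behind it; the visible caller overwrites it, but any other caller that reads `isVault` first would be misled. I would use `return nil, false, err` in both places so that a failed read or decrypt never reports a decrypted file. The doc comment could also state that the suffix is the only signal, for example `// Any other path is read as is, even if its content is encrypted.`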
diff --git a/testdata/local/put.aww b/testdata/local/put.aww
index c67f9c3..c076bd7 100644
--- a/testdata/local/put.aww
+++ b/testdata/local/put.aww
@@ -2,7 +2,7 @@
#put: {{.ScriptDir}}/missing_val_encrypted.txt {{.ScriptDir}}/tmp/missing_val_encrypted.txt
-#put: {{.ScriptDir}}/encrypted.txt {{.ScriptDir}}/tmp/decrypted.txt
+#put: {{.ScriptDir}}/encrypted.txt.vault {{.ScriptDir}}/tmp/decrypted.txt
#put! {{.ScriptDir}}/plain.txt /etc/plain.txt
sudo chmod 0644 /etc/plain.txt
diff --git a/testdata/local/put.data b/testdata/local/put.data
index b548ea1..e457391 100644
--- a/testdata/local/put.data
+++ b/testdata/local/put.data
@@ -10,7 +10,7 @@ The host name is encrypt.
The secret password is this_is_a_secret.
<<< encrypted_empty_passphrase.stderr
-Local: Copy: loadFileInput "encrypted.txt.vault": private key is missing or not loaded
+Local: Copy: generateFileInput "encrypted.txt.vault": private key is missing or not loaded
<<< encrypted_invalid_passphrase
Local: NewSession: .awwan.env.vault: LoadPrivateKeyInteractive: x509: decryption password incorrect