From cf8caf8844b51d71e39f5b454fc7c79a9bec3227 Mon Sep 17 00:00:00 2001 From: Shulhan Date: Sat, 16 Dec 2023 18:28:59 +0700 Subject: all: make the magic line "#put:" use explicit source for encrypted file Previously, the magic line "#put" detect whether the source file is encrypted or not automatically, so we did not need to put ".vault" suffix in the source path. This changes make it to be always explicit. If we want to copy encrypted file than the source file must be the path to encrypted file. Implements: https://todo.sr.ht/~shulhan/awwan/7 --- session.go | 48 ++++++++++++++++++------------------------------ testdata/local/put.aww | 2 +- testdata/local/put.data | 2 +- 3 files changed, 20 insertions(+), 32 deletions(-) diff --git a/session.go b/session.go index 0510b8d..7a845c8 100644 --- a/session.go +++ b/session.go @@ -541,19 +541,20 @@ func (ses *Session) executeScriptOnRemote(req *ExecRequest, pos linePosition) (e func (ses *Session) generateFileInput(in string) (out string, isVault bool, err error) { // Check if the file is binary first, since binary file will not get // encrypted. - if libos.IsBinary(in) { + if !strings.HasSuffix(in, defEncryptExt) && libos.IsBinary(in) { return in, false, nil } var ( - logp = `generateFileInput` + logp = `generateFileInput` + relPathInput = relativePath(ses.BaseDir, in) contentInput []byte ) contentInput, isVault, err = ses.loadFileInput(in) if err != nil { - return ``, false, err + return ``, false, fmt.Errorf(`%s %q: %w`, logp, relPathInput, err) } var contentOut []byte 
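Review bot: The comment kept above the guard in generateFileInput still says the binary check runs first "since binary file will not get encrypted", but the new condition skips libos.IsBinary whenever the path ends in defEncryptExt, so the comment no longer matches the code. I would replace it with `// A path with the ".vault" suffix always goes through loadFileInput to be decrypted; only other paths are checked for binary content.` The reason the suffix test has to come first (presumably the encrypted file itself would be reported as binary) is worth stating there too, once confirmed. The body of generateFileInput continues past the end of this hunk.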
@@ -704,43 +705,30 @@ func (ses *Session) loadFileEnv(awwanEnv string, isVault bool) (err error) { } // loadFileInput read the input file for Copy or Put operation. -// If the original input file does not exist, try loading the encrypted file -// with ".vault" extension. +// +// If the input path end with ".vault" suffix, the file will be decrypted +// first. // // On success, it will return the content of file and true if the file is // from encrypted file .vault. func (ses *Session) loadFileInput(path string) (content []byte, isVault bool, err error) { - var ( - logp = `loadFileInput` - relPath = relativePath(ses.BaseDir, path) - ) - - content, err = os.ReadFile(path) - if err == nil { - return content, false, nil - } - if !errors.Is(err, fs.ErrNotExist) { - return nil, false, err + if strings.HasSuffix(path, defEncryptExt) { + content, err = os.ReadFile(path) + if err != nil { + return nil, true, err + } + content, err = ses.cryptoc.decrypt(content) + if err != nil { + return nil, true, err + } + return content, true, nil } - log.Printf(`??? %s %q: not exist`, logp, relPath) - - path = path + defEncryptExt - relPath += defEncryptExt content, err = os.ReadFile(path) if err != nil { - if errors.Is(err, fs.ErrNotExist) { - return nil, false, fmt.Errorf(`%s %q: %w`, logp, relPath, fs.ErrNotExist) - } return nil, false, err } - - content, err = ses.cryptoc.decrypt(content) - if err != nil { - return nil, false, fmt.Errorf(`%s %q: %s`, logp, relPath, err) - } - - return content, true, nil + return content, false, nil } func (ses *Session) loadRawEnv(content []byte) (err error) { diff --git a/testdata/local/put.aww b/testdata/local/put.aww index c67f9c3..c076bd7 100644 --- a/testdata/local/put.aww +++ b/testdata/local/put.aww 
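Review bot: loadFileInput now repeats the os.ReadFile call and its error return in both branches, and the branches differ only in the decrypt step and the isVault value. Computing `isVault` once from the suffix and reading the file once keeps the same return values, including `true` on the error paths of a ".vault" input, in about half the code. Those error paths also sit oddly with the doc comment, which describes the boolean only "on success"; the visible caller in generateFileInput discards it on error, and other callers are not shown here.

```go
func (ses *Session) loadFileInput(path string) (content []byte, isVault bool, err error) {
	// The suffix alone decides whether the content is decrypted.
	isVault = strings.HasSuffix(path, defEncryptExt)

	content, err = os.ReadFile(path)
	if err != nil {
		return nil, isVault, err
	}
	if isVault {
		content, err = ses.cryptoc.decrypt(content)
		if err != nil {
			return nil, true, err
		}
	}
	return content, isVault, nil
}
```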
@@ -2,7 +2,7 @@ #put: {{.ScriptDir}}/missing_val_encrypted.txt {{.ScriptDir}}/tmp/missing_val_encrypted.txt -#put: {{.ScriptDir}}/encrypted.txt {{.ScriptDir}}/tmp/decrypted.txt +#put: {{.ScriptDir}}/encrypted.txt.vault {{.ScriptDir}}/tmp/decrypted.txt #put! {{.ScriptDir}}/plain.txt /etc/plain.txt sudo chmod 0644 /etc/plain.txt diff --git a/testdata/local/put.data b/testdata/local/put.data index b548ea1..e457391 100644 --- a/testdata/local/put.data +++ b/testdata/local/put.data @@ -10,7 +10,7 @@ The host name is encrypt. The secret password is this_is_a_secret. <<< encrypted_empty_passphrase.stderr -Local: Copy: loadFileInput "encrypted.txt.vault": private key is missing or not loaded +Local: Copy: generateFileInput "encrypted.txt.vault": private key is missing or not loaded <<< encrypted_invalid_passphrase Local: NewSession: .awwan.env.vault: LoadPrivateKeyInteractive: x509: decryption password incorrect -- cgit v1.3