add: re-ecnrypt vars after edit

Author: queil

src/age_utils.rs

@@ -23,6 +23,20 @@ pub fn mount(target: &str) -> Mount {
     }
 }
 
+pub enum Variable {
+    Secret { value: String },
+    ClearText { value: String },
+}
+
+impl Variable {
+    pub fn to_string(&self) -> String {
+        match &self {
+            Variable::Secret { value } => value.to_string(),
+            Variable::ClearText { value } => value.to_string(),
+        }
+    }
+}
+
 impl<'a> WorkspaceApi<'a> {
     pub async fn read_age_identity(&self) -> Result<Identity, AnyError> {
         let workspace_key = id::random_suffix("tmp");
@@ -104,8 +118,8 @@ pub fn encrypt(plaintext: String, recipient: Recipient) -> Result<String, AnyErr
 pub fn decrypt(
     identity: &dyn age::Identity,
     env_vars: LinkedHashMap<String, String>,
-) -> Result<LinkedHashMap<String, String>, AnyError> {
-    let mut ret = LinkedHashMap::<String, String>::new();
+) -> Result<LinkedHashMap<String, Variable>, AnyError> {
+    let mut ret = LinkedHashMap::<String, Variable>::new();
     for (k, v) in env_vars.iter() {
         if v.starts_with(SECRET_HEADER) {
             let formatted = v.replace("|", "\n");
@@ -126,10 +140,17 @@ pub fn decrypt(
 
             ret.insert(
                 k.to_string(),
-                std::str::from_utf8(&decrypted[..])?.to_string(),
+                Variable::Secret {
+                    value: std::str::from_utf8(&decrypted[..])?.to_string(),
+                },
             );
         } else {
-            ret.insert(k.to_string(), v.to_string());
+            ret.insert(
+                k.to_string(),
+                Variable::ClearText {
+                    value: v.to_string(),
+                },
+            );
         }
     }
     Ok(ret)

src/api/workspace.rs

@@ -1,14 +1,14 @@
-use std::path::Path;
-
+use age::x25519::Identity;
 use bollard::{
     network::ListNetworksOptions,
     service::{ContainerSummary, Volume},
     volume::ListVolumesOptions,
 };
 use linked_hash_map::LinkedHashMap;
+use std::path::Path;
 
 use crate::{
-    age_utils,
+    age_utils::{self, Variable},
     api::WorkspaceApi,
     constants,
     labels::{self, Labels, ROLE},
@@ -211,21 +211,61 @@ impl<'a> WorkspaceApi<'a> {
         Ok(())
     }
 
+    pub fn encrypt(
+        &self,
+        identity: Identity,
+        name: &str,
+        vars: LinkedHashMap<String, String>,
+    ) -> Result<LinkedHashMap<String, String>, AnyError> {
+        let encrypted = self.encrypt_value(identity, vars[name].to_string())?;
+        let mut new_vars = vars.clone();
+        new_vars.insert(name.to_string(), encrypted);
+        Ok(new_vars)
+    }
+
+    pub fn encrypt_value(
+        &self,
+        identity: Identity,
+        clear_text: String,
+    ) -> Result<String, AnyError> {
+        age_utils::encrypt(clear_text, identity.to_public())
+    }
+
     pub async fn decrypt(
         &self,
         vars: Option<LinkedHashMap<String, String>>,
-    ) -> Result<LinkedHashMap<String, String>, AnyError> {
+    ) -> Result<LinkedHashMap<String, age_utils::Variable>, AnyError> {
         log::debug!("Checking if vars need decryption");
         if let Some(vars) = age_utils::needs_decryption(vars.clone()) {
             log::debug!("Decrypting vars");
             let identity = self.read_age_identity().await?;
             age_utils::decrypt(&identity, vars)
         } else {
             log::debug!("No encrypted vars found");
-            Ok(vars.unwrap_or_default())
+            let mut ret = LinkedHashMap::<String, Variable>::new();
+            match vars {
+                Some(vars) => {
+                    for (k, v) in vars {
+                        ret.insert(k, Variable::ClearText { value: v });
+                    }
+                    Ok(ret)
+                }
+                None => Ok(ret),
+            }
         }
     }
 
+    pub fn variables_to_string(
+        &self,
+        vars: &LinkedHashMap<String, Variable>,
+    ) -> LinkedHashMap<String, String> {
+        let mut ret = LinkedHashMap::<String, String>::new();
+        for (k, v) in vars {
+            ret.insert(k.clone(), v.to_string());
+        }
+        ret
+    }
+
     pub async fn edit(&self, workspace_key: &str) -> Result<(), AnyError> {
         let labels = Labels::new(Some(workspace_key), Some(WORK_ROLE));
         for c in self.api.container.get_all(&labels).await? {
@@ -234,15 +274,36 @@ impl<'a> WorkspaceApi<'a> {
                 let format = FileFormat::from_path(config_source);
                 let config =
                     RoozCfg::deserialize_config(&labels[labels::CONFIG_BODY], format)?.unwrap();
+                let decrypted = self.decrypt(config.clone().vars).await?;
                 let decrypted_config = RoozCfg {
-                    vars: Some(self.decrypt(config.clone().vars).await?),
+                    vars: Some(self.variables_to_string(&decrypted)),
                     ..config
                 };
-                let edited_config = edit::edit(decrypted_config.to_string(format)?)?;
-
-                println!("edited: {}", edited_config);
+                let edited_string = edit::edit(decrypted_config.to_string(format)?)?;
+
+                let edited_config = RoozCfg::from_string(&edited_string, format)?;
+
+                let identity = self.read_age_identity().await?;
+
+                let mut encrypted_vars = LinkedHashMap::<String, String>::new();
+                for (k, v) in &decrypted {
+                    let edited_value = &edited_config.clone().vars.unwrap()[k];
+                    match v {
+                        Variable::ClearText { .. } => {
+                            encrypted_vars.insert(k.to_string(), edited_value.to_string())
+                        }
+                        Variable::Secret { .. } => encrypted_vars.insert(
+                            k.to_string(),
+                            self.encrypt_value(identity.clone(), edited_value.to_string())?,
+                        ),
+                    };
+                }
+                let encrypted_config = RoozCfg {
+                    vars: Some(encrypted_vars),
+                    ..edited_config
+                };
 
-                // encrypt
+                println!("{}", encrypted_config.to_string(format)?)
                 // save to label
                 // apply
             }

src/cmd/new.rs

@@ -30,7 +30,8 @@ impl<'a> WorkspaceApi<'a> {
         }
         cfg_builder.from_cli(cli_params, None);
 
-        cfg_builder.vars = Some(self.decrypt(cfg_builder.clone().vars).await?);
+        cfg_builder.vars =
+            Some(self.variables_to_string(&self.decrypt(cfg_builder.clone().vars).await?));
 
         cfg_builder.expand_vars()?;
 

src/main.rs

@@ -220,12 +220,8 @@ async fn main() -> Result<(), AnyError> {
             if let Some(vars) = cfg.vars {
                 if vars.contains_key(&name) {
                     let identity = workspace.read_age_identity().await?;
-                    let pub_key = identity.to_public();
-                    let encrypted = age_utils::encrypt(vars[&name].to_string(), pub_key)?;
-                    let mut new_vars = vars.clone();
-                    new_vars.insert(name, encrypted);
                     RoozCfg {
-                        vars: Some(new_vars),
+                        vars: Some(workspace.encrypt(identity, &name, vars)?),
                         ..cfg
                     }
                     .to_file(&config_file_path)?

src/model/config.rs

@@ -123,7 +123,7 @@ impl RoozCfg {
         Self::from_string(&fs::read_to_string(path)?, FileFormat::from_path(&path))
     }
 
-    fn from_string(config: &str, file_format: FileFormat) -> Result<Self, AnyError> {
+    pub fn from_string(config: &str, file_format: FileFormat) -> Result<Self, AnyError> {
         Ok(match file_format {
             FileFormat::Yaml => serde_yaml::from_str(&config)?,
             FileFormat::Toml => toml::from_str(&config)?,