Merge pull request #42 from brycenichols/saved-vars

New -u and -x flags for sending vars in and out via base64 blobs

Author: lewg

README.md

@@ -83,8 +83,33 @@ list-buckets: creds.yml
  buildenv -e stage -f $< -r "aws s3 ls"
 ```
 
-*A Note About Vault:* If you have `secrets` or `kv_secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path & key in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.) You can find the complete list [in the vault client docs](https://pkg.go.dev/github.com/hashicorp/[email protected]#WithEnvironment).
+If it's necessary to merge or save a set of variables (for example, so that vault does not need to be called repeatedly), the -u option allows for saving and using a set of variables from the environment without writing possibly sensitive data out to a file:
+
+```bash
+% export SAVED_ENV=`echo '{"example_var": "the value"}' | base64`
+% buildenv -u SAVED_ENV -f /dev/null
+export example_var="the value"
+```
+
+This takes a base64 encoded json object with key-value pairs and treats them as additional input variables.  The corresponding flag for export in the same format is -x:
+
+```bash
+% buildenv -u SAVED_ENV -f /dev/null -x | base64 -d
+{"example_var":"the value"}
+```
+
+Multiple -u options can be used as well as combined with -f to combine multiple sources.  Given the above variables.yml:
 
+```bash
+% export SAVED_ENV=`echo '{"example_var": "the value"}' | base64`
+% export SAVED_ENV2=`echo '{"another_var": "another value"}' | base64`
+% buildenv -u SAVED_ENV -u SAVED_ENV2 -v
+export GLOBAL="global"
+export example_var="the value"
+export another_var="another value"
+```
+
+*A Note About Vault:* If you have `secrets` or `kv_secrets` defined in either the global or environment scope, it's a mapping from environment variable to the path & key in vault. Buildenv uses all the standard vault environment variables to communicate with vault (`VAULT_ADDR` and `VAULT_TOKEN` being the two you're most likely to use.) You can find the complete list [in the vault client docs](https://pkg.go.dev/github.com/hashicorp/[email protected]#WithEnvironment).
 
 Running on Linux or in Docker container
 ----------

cmd/root.go

@@ -5,6 +5,7 @@ package cmd
 
 import (
 	"context"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -24,6 +25,10 @@ const (
 	ErrorCodeYaml = 5
 	// ErrorCodeVault Exit Code for Vault Errors
 	ErrorCodeVault = 6
+	// ErrorCodeInput Exit Code for Bad Input
+	ErrorCodeInput = 7
+	// ErrorCodeOutput Exit Code for Failed Serialization/Output
+	ErrorCodeOutput = 8
 )
 
 var cfgFile string
@@ -78,7 +83,7 @@ Values can be specified in plain text, or set from a vault server.`,
 		skip_vault, _ := cmd.Flags().GetBool("skip-vault")
 
 		// Setup the Reader
-		reader, err := reader.NewReader(reader.WithSkipVault(skip_vault))
+		rdr, err := reader.NewReader(reader.WithSkipVault(skip_vault))
 		if err != nil {
 			fmt.Printf("Failure creating Reader: %v", err)
 			os.Exit(ErrorCodeVault)
@@ -89,7 +94,7 @@ Values can be specified in plain text, or set from a vault server.`,
 		run, _ := cmd.Flags().GetString("run")
 		dc, _ := cmd.Flags().GetString("datacenter")
 
-		out, err := reader.Read(ctx, &data, env, dc)
+		out, err := rdr.Read(ctx, &data, env, dc)
 		if err != nil {
 			fmt.Printf("Failure reading data: %v", err)
 			os.Exit(ErrorCodeVault)
@@ -100,12 +105,54 @@ Values can be specified in plain text, or set from a vault server.`,
 			fmt.Printf("Output:\n%s\n\n", outData)
 		}
 
+		var use_vars reader.EnvVars
+
+		use, err := cmd.Flags().GetStringArray("use")
+		if err != nil {
+			fmt.Printf("Could not get \"use\" (-u) flag values: %v", err)
+			os.Exit(ErrorCodeInput)
+		}
+
+		for _, use_inst := range use {
+			blob := os.Getenv(use_inst)
+			decoded := make([]byte, base64.StdEncoding.DecodedLen(len(blob)))
+			len, err := base64.StdEncoding.Decode(decoded, []byte(blob))
+			if err != nil {
+				fmt.Printf("Could not decode input to flag \"use\" (-u): %v", err)
+				os.Exit(ErrorCodeInput)
+			}
+			decoded = decoded[:len]
+			/* It adds to the structure, merging matching keys */
+			err = json.Unmarshal([]byte(decoded), &use_vars)
+			if err != nil {
+				fmt.Printf("Could not decode input to flag \"use\" (-u): %v", err)
+				os.Exit(ErrorCodeInput)
+			}
+		}
+
+		vars_out := use_vars.GetOutput()
+		out = append(out, vars_out...)
+
 		// Output the Exports
 		comments, _ := cmd.Flags().GetBool("comments")
 		if cmd.Flags().Lookup("run").Changed {
 			os.Exit(out.Exec(run))
 		} else {
-			out.Print(comments)
+			encoded_export, err := cmd.Flags().GetBool("export")
+			if err != nil {
+				fmt.Printf("Failure reading export flag: %v", err)
+				os.Exit(ErrorCodeInput)
+			}
+
+			if encoded_export {
+				err = out.PrintB64Json()
+				if err != nil {
+					fmt.Printf("Failure printing output: %v", err)
+					os.Exit(ErrorCodeOutput)
+				}
+			} else {
+				out.Print(comments)
+			}
 		}
 	},
 }
@@ -141,6 +188,8 @@ func init() {
 	rootCmd.Flags().BoolP("comments", "c", false, "Comments will be included in output")
 	rootCmd.Flags().Bool("debug", false, "Turn on debugging output")
 	rootCmd.Flags().Bool("version", false, "Print the version number")
+	rootCmd.Flags().StringArrayP("use", "u", []string{}, "Use Stored Vars from named environment variable. Contents should be base64 encoded JSON.")
+	rootCmd.Flags().BoolP("export", "x", false, "Print Vars as base64 encoded json")
 }
 
 // initConfig reads in config file and ENV variables if set.

cram_tests/codec.t

@@ -0,0 +1,15 @@
+Setup
+
+  $ . "$TESTDIR"/setup.sh
+
+Make env vars
+
+  $ export INP=$(printf '{"VAR1": "VAL1", "VAR2": "VAL2"}' | base64)
+  $ be -v -f /dev/null -u INP -x > codec_test.blob
+  $ export BLOB=`cat codec_test.blob`
+  $ echo "$BLOB"
+  eyJWQVIxIjoiVkFMMSIsIlZBUjIiOiJWQUwyIn0=
+  $ be -v -f /dev/null -u BLOB
+  export VAR1="VAL1"
+  export VAR2="VAL2"
+

reader/reader.go

@@ -2,6 +2,8 @@ package reader
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -268,6 +270,26 @@ func (o OutputList) Exec(shell_cmd string) int {
 	return 0
 }
 
+func (ol OutputList) PrintB64Json() error {
+	envs := EnvVars{}
+
+	for _, o := range ol {
+		if o.Key != "" {
+			envs[o.Key] = o.Value
+		}
+	}
+
+	serialized, err := json.Marshal(envs)
+	if err != nil {
+		return err
+	}
+	encoded := base64.StdEncoding.EncodeToString(serialized)
+
+	fmt.Print(encoded)
+
+	return nil
+}
+
 func (o OutputList) Print(showComments bool) {
 	for _, out := range o {
 		if out.Key == "" {

reader/reader_test.go

@@ -3,6 +3,8 @@ package reader
 import (
 	"bytes"
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"io"
 	"log"
 	"net/http"
@@ -727,3 +729,76 @@ func TestOutputList_Exec(t *testing.T) {
 		})
 	}
 }
+
+func TestOutputList_PrintB64Json(t *testing.T) {
+	envVars := EnvVars{
+		"BuildEnvTestKey1": "BuildEnvTestVal1",
+		"BuildEnvTestKey2": "BuildEnvTestVal2",
+	}
+
+	type fields struct {
+		Out OutputList
+	}
+
+	tests := []struct {
+		name    string
+		fields  fields
+		want    EnvVars
+		wantErr bool
+	}{
+		{
+			name:   "Basic 2 vars",
+			fields: fields{Out: envVars.GetOutput()},
+			want:   envVars,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			oldstdout := os.Stdout
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			outC := make(chan string)
+
+			go func() {
+				var buf bytes.Buffer
+				io.Copy(&buf, r)
+				outC <- buf.String()
+			}()
+
+			err := tt.fields.Out.PrintB64Json()
+			if err != nil {
+				t.Errorf("PrintB64Json() error = %v", err)
+			}
+
+			os.Stdout = oldstdout
+
+			w.Close()
+
+			out := <-outC
+
+			decoded := make([]byte, base64.StdEncoding.DecodedLen(len(out)))
+			len, err := base64.StdEncoding.Decode(decoded, []byte(out))
+
+			var out_vars EnvVars
+
+			if err != nil {
+				t.Errorf("Exception parsing output: %v", err)
+				return
+			}
+
+			decoded = decoded[:len]
+
+			err = json.Unmarshal([]byte(decoded), &out_vars)
+			if err != nil {
+				t.Errorf("Exception parsing output: %v", err)
+				return
+			}
+
+			if !reflect.DeepEqual(out_vars, tt.want) {
+				t.Errorf("PrintB64Json() output = %v, want %v", out_vars, tt.want)
+			}
+		})
+	}
+}