fix -d/--decrypt-only not working correctly for binary data
I had first used `printf` for outputting the data, but that breaks if the secret itself contains null bytes. One could fix this by using e.g. `cat`, but looking a bit more at the code I realized that in the -d case we never need to `mktemp` at all and can just ask `age` to write directly to stdout by not setting -o.
This commit is contained in:
parent
c2a71c83c7
commit
7dae15b7bc
1 changed files with 10 additions and 15 deletions
|
@ -126,9 +126,6 @@ function decrypt {
|
||||||
err "There is no rule for $FILE in $RULES."
|
err "There is no rule for $FILE in $RULES."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
CLEARTEXT_DIR=$(@mktempBin@ -d)
|
|
||||||
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
|
|
||||||
|
|
||||||
if [ -f "$FILE" ]
|
if [ -f "$FILE" ]
|
||||||
then
|
then
|
||||||
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
||||||
|
@ -143,17 +140,23 @@ function decrypt {
|
||||||
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
||||||
err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
|
err "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."
|
||||||
fi
|
fi
|
||||||
DECRYPT+=(-o "$CLEARTEXT_FILE" "$FILE")
|
|
||||||
@ageBin@ "${DECRYPT[@]}" || exit 1
|
@ageBin@ "${DECRYPT[@]}" "$FILE" || exit 1
|
||||||
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function edit {
|
function edit {
|
||||||
FILE=$1
|
FILE=$1
|
||||||
KEYS=$(keys "$FILE") || exit 1
|
KEYS=$(keys "$FILE") || exit 1
|
||||||
|
|
||||||
|
CLEARTEXT_DIR=$(@mktempBin@ -d)
|
||||||
|
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
|
||||||
|
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
|
||||||
|
|
||||||
decrypt "$FILE" "$KEYS" || exit 1
|
decrypt "$FILE" "$KEYS" || exit 1
|
||||||
|
|
||||||
|
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||||
|
|
||||||
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
||||||
|
|
||||||
$EDITOR "$CLEARTEXT_FILE"
|
$EDITOR "$CLEARTEXT_FILE"
|
||||||
|
@ -181,14 +184,6 @@ function edit {
|
||||||
mv -f "$REENCRYPTED_FILE" "$1"
|
mv -f "$REENCRYPTED_FILE" "$1"
|
||||||
}
|
}
|
||||||
|
|
||||||
function decrypt_only {
|
|
||||||
FILE=$1
|
|
||||||
KEYS=$(keys "$FILE") || exit 1
|
|
||||||
decrypt "$FILE" "$KEYS"
|
|
||||||
printf "%s" "$(<"${CLEARTEXT_FILE}")"
|
|
||||||
cleanup
|
|
||||||
}
|
|
||||||
|
|
||||||
function rekey {
|
function rekey {
|
||||||
FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
|
FILES=$( (@nixInstantiate@ --eval -E "(let rules = import $RULES; in builtins.concatStringsSep \"\n\" (builtins.attrNames rules))" | @sedBin@ 's/"//g' | @sedBin@ 's/\\n/\n/g') || exit 1)
|
||||||
|
|
||||||
|
@ -201,5 +196,5 @@ function rekey {
|
||||||
}
|
}
|
||||||
|
|
||||||
[ $REKEY -eq 1 ] && rekey && exit 0
|
[ $REKEY -eq 1 ] && rekey && exit 0
|
||||||
[ $DECRYPT_ONLY -eq 1 ] && decrypt_only "${FILE}" && exit 0
|
[ $DECRYPT_ONLY -eq 1 ] && decrypt "${FILE}" "$(keys "$FILE")" && exit 0
|
||||||
edit "$FILE" && cleanup && exit 0
|
edit "$FILE" && cleanup && exit 0
|
||||||
|
|
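Review bot: The new top-level `-d` line drops the exit-status check on `keys` that the removed `decrypt_only` had (`KEYS=$(keys "$FILE") || exit 1`): inside `"$(keys "$FILE")"` a failing `keys` yields an empty argument with status discarded, so a broken rules file is reported only by whatever empty-KEYS handling `decrypt` has above the hunk (the "There is no rule" message is visible but its condition is not), which would misattribute the failure. Restoring the explicit check keeps the diagnostics precise: `[ $DECRYPT_ONLY -eq 1 ] && { KEYS=$(keys "$FILE") || exit 1; decrypt "$FILE" "$KEYS" && exit 0; }`. Separately, `edit` now appends `-o "$CLEARTEXT_FILE"` to the global `DEFAULT_DECRYPT`, which `decrypt` copies on every call; if `rekey` (its body continues past the hunk) invokes `edit` once per file, each call adds another `-o` and correctness then rests on age honouring only the last one — passing the output path to `decrypt` and adding `-o` to the local `DECRYPT` array instead would avoid the accumulating global. A comment on the `-d` line such as `# no -o: age writes cleartext straight to stdout, so no temp dir or cleanup is needed` would record why that path skips `mktemp` and `cleanup`, which the commit message explains but the code does not.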