secrethub
diff --git a/‎.circleci/config.yml‎
Lines changed: 2 additions & 2 deletions b/‎.circleci/config.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 6 additions & 0 deletions b/‎.gitlab-ci.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.goreleaser.yml‎
Lines changed: 4 additions & 15 deletions b/‎.goreleaser.yml‎
Lines changed: 4 additions & 15 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 3 additions & 2 deletions b/‎go.sum‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎internals/cli/env.go‎
Lines changed: 17 additions & 2 deletions b/‎internals/cli/env.go‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎internals/secrethub/acl_check.go‎
Lines changed: 33 additions & 6 deletions b/‎internals/secrethub/acl_check.go‎
Lines changed: 33 additions & 6 deletions
diff --git a/‎internals/secrethub/app.go‎
Lines changed: 2 additions & 1 deletion b/‎internals/secrethub/app.go‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎internals/secrethub/env.go‎
Lines changed: 28 additions & 0 deletions b/‎internals/secrethub/env.go‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎internals/secrethub/env_ls.go‎
Lines changed: 51 additions & 0 deletions b/‎internals/secrethub/env_ls.go‎
Lines changed: 51 additions & 0 deletions
@@ -2,7 +2,7 @@ version: 2
 jobs:
   test:
     docker:
-      - image: circleci/golang:1.12
+      - image: circleci/golang:1.13
     steps:
       - checkout
       - restore_cache:
@@ -16,7 +16,7 @@ jobs:
       - run: make test
   verify-goreleaser:
     docker:
-      - image: goreleaser/goreleaser:v0.117
+      - image: goreleaser/goreleaser:v0.127
     steps:
       - checkout
       - run: goreleaser check
 
@@ -0,0 +1,6 @@
+release:
+  trigger: secrethub/operations/cli-releaser
+  variables:
+    SECRETHUB_CLI_VERSION: $CI_COMMIT_TAG
+  only:
+    - tags
@@ -52,6 +52,9 @@ archives:
 checksum:
   name_template: "secrethub-{{ .Tag }}-checksums.txt"
 
+release:
+  draft: true
+
 brews:
   - name: secrethub-cli
     ids:
@@ -65,19 +68,6 @@ brews:
     homepage: https://secrethub.io
     description: Command-line interface for SecretHub
 
-snapcrafts:
-  - name: secrethub-cli
-    builds:
-      - default
-    publish: true
-    summary: Command-line interface for SecretHub
-    description: SecretHub is a developer tool to help you keep database passwords, API tokens, and other secrets out of IT automation scripts. It enables you to securely share passwords and other secrets with your team and infrastructure.
-    apps:
-      secrethub:
-        plugs:
-          - home
-          - network
-
 scoop:
   name: secrethub-cli
   bucket:
@@ -90,7 +80,7 @@ scoop:
   license: Apache-2.0
 
 nfpms:
-  - name_template: "secrethub-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
+  - file_name_template: "secrethub-{{ .Tag }}-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}"
     builds:
       - without-bin-dir
     vendor: SecretHub
@@ -109,4 +99,3 @@ nfpms:
     scripts:
       postinstall: "scripts/post-install.sh"
       postremove: "scripts/post-remove.sh"
-
@@ -1,6 +1,6 @@
 module github.com/secrethub/secrethub-cli
 
-go 1.12
+go 1.13
 
 require (
 	bitbucket.org/zombiezen/cardcpx v0.0.0-20150417151802-902f68ff43ef
@@ -16,7 +16,7 @@ require (
 	github.com/mitchellh/mapstructure v1.1.2
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
 	github.com/secrethub/demo-app v0.1.0
-	github.com/secrethub/secrethub-go v0.23.1-0.20200107095959-f2362c5fc32f
+	github.com/secrethub/secrethub-go v0.26.0
 	github.com/zalando/go-keyring v0.0.0-20190208082241-fbe81aec3a07
 	golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a
 	golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223
 
@@ -18,6 +18,7 @@ github.com/atotto/clipboard v0.1.2 h1:YZCtFu5Ie8qX2VmVTBnrqLSiU9XOWwqNRmdT3gIQzb
 github.com/atotto/clipboard v0.1.2/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aws/aws-sdk-go v1.19.38 h1:WKjobgPO4Ua1ww2NJJl2/zQNreUZxvqmEzwMlRjjm9g=
 github.com/aws/aws-sdk-go v1.19.38/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.25.49 h1:j5R2Ey+g8qaiy2NJ9iH+KWzDWS4SjXRCjhc22EeQVE4=
 github.com/aws/aws-sdk-go v1.25.49/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/danieljoos/wincred v1.0.2 h1:zf4bhty2iLuwgjgpraD2E9UbvO+fe54XXGJbOwe23fU=
 github.com/danieljoos/wincred v1.0.2/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
@@ -73,10 +74,10 @@ github.com/secrethub/demo-app v0.1.0 h1:HwPPxuiSvx4TBE7Qppzu3A9eHqmsBrIz4Ko8u8pq
 github.com/secrethub/demo-app v0.1.0/go.mod h1:ymjm8+WXTSDTFqsGVBNVmHSnwtZMYi7KptHvpo/fLH4=
 github.com/secrethub/secrethub-cli v0.30.0/go.mod h1:dC0wd40v+iQdV83/0rUrOa01LYq+8Yj2AtJB1vzh2ao=
 github.com/secrethub/secrethub-go v0.21.0/go.mod h1:rc2IfKKBJ4L0wGec0u4XnF5/pe0FFPE4Q1MWfrFso7s=
-github.com/secrethub/secrethub-go v0.23.1-0.20200107095959-f2362c5fc32f h1:DcbipEDRfHpTES7Zwk7LyDuUUa7r6H8itIL+cUGaDp4=
-github.com/secrethub/secrethub-go v0.23.1-0.20200107095959-f2362c5fc32f/go.mod h1:zJp3b1ebz9art/Li1jOxkb+Sn+Dw/Y7+OMOFtNvK5Aw=
 github.com/secrethub/secrethub-go v0.25.0 h1:cpYmkLRurrrw6NNE4PagPNDOn7kvY6UMrnnDxrvuI1M=
 github.com/secrethub/secrethub-go v0.25.0/go.mod h1:rc2IfKKBJ4L0wGec0u4XnF5/pe0FFPE4Q1MWfrFso7s=
+github.com/secrethub/secrethub-go v0.26.0 h1:BonMEvD3rdAQyY3L91Ze7Mkq0KXXhB3Esn/cDUq3qYc=
+github.com/secrethub/secrethub-go v0.26.0/go.mod h1:Wr4gXWrk8OvBHiCttjLq7wFdKSm07rlEhq5OSYPemtI=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 
@@ -103,12 +103,12 @@ func (a *App) isExtraEnvVar(key string) bool {
 // of environment variables are not printed out for security reasons. The list
 // is limited to variables that are actually set in the environment. Setting
 // verbose to true will also include all known variables that are not set.
-func (a *App) PrintEnv(w io.Writer, verbose bool) error {
+func (a *App) PrintEnv(w io.Writer, verbose bool, osEnv func() []string) error {
 	tabWriter := tabwriter.NewWriter(w, 0, 4, 4, ' ', 0)
 	fmt.Fprintf(tabWriter, "%s\t%s\n", "NAME", "STATUS")
 
 	envVarStatus := make(map[string]string)
-	for _, envVar := range os.Environ() {
+	for _, envVar := range osEnv() {
 		key, _, match := splitVar(a.name, a.separator, envVar)
 		key = strings.ToUpper(key)
 		if match {
@@ -148,6 +148,21 @@ func (a *App) PrintEnv(w io.Writer, verbose bool) error {
 	return nil
 }
 
+// CheckStrictEnv checks that every environment variable that starts with the app name is recognized by the application.
+func (a *App) CheckStrictEnv() error {
+	for _, envVar := range os.Environ() {
+		key, _, match := splitVar(a.name, a.separator, envVar)
+		if match {
+			key = strings.ToUpper(key)
+			_, isKnown := a.knownEnvVars[key]
+			if !(isKnown || a.isExtraEnvVar(key)) {
+				return fmt.Errorf("environment variable set, but not recognized: %s", key)
+			}
+		}
+	}
+	return nil
+}
+
 // CommandClause represents a command clause in a command0-line application.
 type CommandClause struct {
 	*kingpin.CmdClause
 
@@ -5,6 +5,8 @@ import (
 	"sort"
 	"text/tabwriter"
 
+	"github.com/secrethub/secrethub-go/pkg/secretpath"
+
 	"github.com/secrethub/secrethub-cli/internals/cli/ui"
 	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
 
@@ -38,12 +40,7 @@ func (cmd *ACLCheckCommand) Register(r command.Registerer) {
 
 // Run prints the access level(s) on the given directory.
 func (cmd *ACLCheckCommand) Run() error {
-	client, err := cmd.newClient()
-	if err != nil {
-		return err
-	}
-
-	levels, err := client.AccessRules().ListLevels(cmd.path.Value())
+	levels, err := cmd.listLevels()
 	if err != nil {
 		return err
 	}
@@ -79,3 +76,33 @@ func (cmd *ACLCheckCommand) Run() error {
 
 	return nil
 }
+
+func (cmd *ACLCheckCommand) listLevels() ([]*api.AccessLevel, error) {
+	client, err := cmd.newClient()
+	if err != nil {
+		return nil, err
+	}
+
+	path := cmd.path.Value()
+
+	levels, listLevelsErr := client.AccessRules().ListLevels(path)
+	if listLevelsErr == nil {
+		return levels, nil
+	}
+	if !api.IsErrNotFound(listLevelsErr) {
+		return nil, listLevelsErr
+	}
+
+	isSecret, isSecretErr := client.Secrets().Exists(path)
+	if isSecretErr != nil {
+		return nil, listLevelsErr
+	}
+	if isSecret {
+		levels, err = client.AccessRules().ListLevels(secretpath.Parent(path))
+		if err != nil {
+			return nil, err
+		}
+		return levels, nil
+	}
+	return nil, listLevelsErr
+}
@@ -163,6 +163,7 @@ func (app *App) registerCommands() {
 	NewAccountCommand(app.io, app.clientFactory.NewClient, app.credentialStore).Register(app.cli)
 	NewCredentialCommand(app.io, app.clientFactory, app.credentialStore).Register(app.cli)
 	NewConfigCommand(app.io, app.credentialStore).Register(app.cli)
+	NewEnvCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 
 	// Commands
 	NewInitCommand(app.io, app.clientFactory.NewUnauthenticatedClient, app.clientFactory.NewClientWithCredentials, app.credentialStore).Register(app.cli)
@@ -177,7 +178,7 @@ func (app *App) registerCommands() {
 	NewInspectCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewAuditCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewInjectCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
-	NewRunCommand(app.clientFactory.NewClient).Register(app.cli)
+	NewRunCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewPrintEnvCommand(app.cli, app.io).Register(app.cli)
 
 	// Hidden commands
 
@@ -0,0 +1,28 @@
+package secrethub
+
+import (
+	"github.com/secrethub/secrethub-cli/internals/cli/ui"
+	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
+)
+
+// EnvCommand handles operations regarding environment variables.
+type EnvCommand struct {
+	io        ui.IO
+	newClient newClientFunc
+}
+
+// NewEnvCommand creates a new EnvCommand.
+func NewEnvCommand(io ui.IO, newClient newClientFunc) *EnvCommand {
+	return &EnvCommand{
+		io:        io,
+		newClient: newClient,
+	}
+}
+
+// Register registers the command and its sub-commands on the provided Registerer.
+func (cmd *EnvCommand) Register(r command.Registerer) {
+	clause := r.Command("env", "[BETA] Manage environment variables.").Hidden()
+	clause.HelpLong("This command is hidden because it is still in beta. Future versions may break.")
+	NewEnvReadCommand(cmd.io, cmd.newClient).Register(clause)
+	NewEnvListCommand(cmd.io).Register(clause)
+}
@@ -0,0 +1,51 @@
+package secrethub
+
+import (
+	"fmt"
+
+	"github.com/secrethub/secrethub-cli/internals/cli/ui"
+	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
+)
+
+// EnvListCommand is a command to list all environment variable keys set in the process of `secrethub run`.
+type EnvListCommand struct {
+	io          ui.IO
+	environment *environment
+}
+
+// NewEnvListCommand creates a new EnvListCommand.
+func NewEnvListCommand(io ui.IO) *EnvListCommand {
+	return &EnvListCommand{
+		io:          io,
+		environment: newEnvironment(io),
+	}
+}
+
+// Register adds a CommandClause and it's args and flags to a Registerer.
+func (cmd *EnvListCommand) Register(r command.Registerer) {
+	clause := r.Command("ls", "[BETA] List environment variable names that will be populated with secrets.")
+	clause.HelpLong("This command is hidden because it is still in beta. Future versions may break.")
+	clause.Alias("list")
+
+	cmd.environment.register(clause)
+
+	command.BindAction(clause, cmd.Run)
+}
+
+// Run executes the command.
+func (cmd *EnvListCommand) Run() error {
+	env, err := cmd.environment.env()
+	if err != nil {
+		return err
+	}
+
+	for key, value := range env {
+		// For now only environment variables in which a secret is loaded are printed.
+		// TODO: Make this behavior configurable.
+		if value.containsSecret() {
+			fmt.Fprintln(cmd.io.Stdout(), key)
+		}
+	}
+
+	return nil
+}