Merge pull request #243 from secrethub/feature/env-var-references

Substitute os env vars with the 'secrethub://' prefix

Author: florisvdg

internals/secrethub/inject.go

@@ -34,7 +34,7 @@ type InjectCommand struct {
 	useClipboard                  bool
 	clearClipboardAfter           time.Duration
 	clipper                       clip.Clipper
-	osEnv                         func() []string
+	osEnv                         []string
 	newClient                     newClientFunc
 	templateVars                  map[string]string
 	templateVersion               string
@@ -45,7 +45,7 @@ type InjectCommand struct {
 func NewInjectCommand(io ui.IO, newClient newClientFunc) *InjectCommand {
 	return &InjectCommand{
 		clipper:             clip.NewClipboard(),
-		osEnv:               os.Environ,
+		osEnv:               os.Environ(),
 		clearClipboardAfter: defaultClearClipboardAfter,
 		io:                  io,
 		newClient:           newClient,
@@ -101,7 +101,7 @@ func (cmd *InjectCommand) Run() error {
 		}
 	}
 
-	osEnv, _ := parseKeyValueStringsToMap(cmd.osEnv())
+	osEnv, _ := parseKeyValueStringsToMap(cmd.osEnv)
 
 	var templateVariableReader tpl.VariableReader
 	templateVariableReader, err = newVariableReader(osEnv, cmd.templateVars)

internals/secrethub/run.go

@@ -49,6 +49,9 @@ const (
 	// templateVarEnvVarPrefix is used to prefix environment variables
 	// that should be used as template variables.
 	templateVarEnvVarPrefix = "SECRETHUB_VAR_"
+	// prefix of the values of environment variables that will be
+	// substituted with secrets
+	secretReferencePrefix = "secrethub://"
 )
 
 // RunCommand runs a program and passes environment variables to it that are
@@ -57,7 +60,7 @@ const (
 type RunCommand struct {
 	command                      []string
 	io                           ui.IO
-	osEnv                        func() []string
+	osEnv                        []string
 	envar                        map[string]string
 	envFile                      string
 	templateVars                 map[string]string
@@ -74,7 +77,7 @@ type RunCommand struct {
 func NewRunCommand(io ui.IO, newClient newClientFunc) *RunCommand {
 	return &RunCommand{
 		io:           io,
-		osEnv:        os.Environ,
+		osEnv:        os.Environ(),
 		envar:        make(map[string]string),
 		templateVars: make(map[string]string),
 		newClient:    newClient,
@@ -112,6 +115,11 @@ func (cmd *RunCommand) Run() error {
 	// Parse
 	envSources := []EnvSource{}
 
+	osEnv, passthroughEnv := parseKeyValueStringsToMap(cmd.osEnv)
+
+	referenceEnv := newReferenceEnv(osEnv)
+	envSources = append(envSources, referenceEnv)
+
 	// TODO: Validate the flags when parsing by implementing the Flag interface for EnvFlags.
 	flagSource, err := NewEnvFlags(cmd.envar)
 	if err != nil {
@@ -131,11 +139,6 @@ func (cmd *RunCommand) Run() error {
 		}
 	}
 
-	osEnv, passthroughEnv := parseKeyValueStringsToMap(cmd.osEnv())
-	if err != nil {
-		return err
-	}
-
 	if cmd.envFile != "" {
 		templateVariableReader, err := newVariableReader(osEnv, cmd.templateVars)
 		if err != nil {
@@ -424,6 +427,44 @@ func ReadEnvFile(filepath string, varReader tpl.VariableReader, parser tpl.Parse
 	}, nil
 }
 
+// referenceEnv is an environment with secrets configured with the
+// secrethub:// syntax in the os environment variables.
+type referenceEnv struct {
+	envVars map[string]string
+}
+
+// newReferenceEnv returns an environment with secrets configured in the
+// os environment with the secrethub:// syntax.
+func newReferenceEnv(osEnv map[string]string) *referenceEnv {
+	envVars := make(map[string]string)
+	for key, value := range osEnv {
+		if strings.HasPrefix(value, secretReferencePrefix) {
+			envVars[key] = strings.TrimPrefix(value, secretReferencePrefix)
+		}
+	}
+	return &referenceEnv{
+		envVars: envVars,
+	}
+}
+
+// Env returns a map of key value pairs with the secrets configured with the
+// secrethub:// syntax.
+func (env *referenceEnv) Env(_ map[string]string, secretReader tpl.SecretReader) (map[string]string, error) {
+	envVarsWithSecrets := make(map[string]string)
+	for key, path := range env.envVars {
+		secret, err := secretReader.ReadSecret(path)
+		if err != nil {
+			return nil, err
+		}
+		envVarsWithSecrets[key] = secret
+	}
+	return envVarsWithSecrets, nil
+}
+
+func (env *referenceEnv) Secrets() []string {
+	return nil
+}
+
 // EnvFile contains an environment that is read from a file.
 type EnvFile struct {
 	path string

internals/secrethub/run_test.go

@@ -458,13 +458,11 @@ func TestRunCommand_Run(t *testing.T) {
 	}{
 		"success, no secrets": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				command: []string{"echo", "test"},
 			},
 		},
 		"missing secret": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				command: []string{"echo", "test"},
 				envar: map[string]string{
 					"missing": "path/to/unexisting/secret",
@@ -486,7 +484,6 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"missing secret ignored": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				command: []string{"echo", "test"},
 				envar: map[string]string{
 					"missing": "path/to/unexisting/secret",
@@ -508,7 +505,6 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"repo does not exist ignored": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				command: []string{"echo", "test"},
 				envar: map[string]string{
 					"missing": "unexisting/repo/secret",
@@ -530,7 +526,6 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"invalid template var: start with a number": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				envFile: "secrethub.env",
 				templateVars: map[string]string{
 					"0foo": "value",
@@ -541,7 +536,6 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"invalid template var: illegal character": {
 			command: RunCommand{
-				osEnv:   func() []string { return []string{} },
 				envFile: "secrethub.env",
 				templateVars: map[string]string{
 					"foo@bar": "value",
@@ -550,6 +544,42 @@ func TestRunCommand_Run(t *testing.T) {
 			},
 			err: ErrInvalidTemplateVar("foo@bar"),
 		},
+		"os env secret not found": {
+			command: RunCommand{
+				osEnv:   []string{"TEST=secrethub://nonexistent/secret/path"},
+				command: []string{"echo", "test"},
+				newClient: func() (secrethub.ClientInterface, error) {
+					return fakeclient.Client{
+						SecretService: &fakeclient.SecretService{
+							VersionService: &fakeclient.SecretVersionService{
+								WithDataGetter: fakeclient.WithDataGetter{
+									Err: api.ErrSecretNotFound,
+								},
+							},
+						},
+					}, nil
+				},
+			},
+			err: api.ErrSecretNotFound,
+		},
+		"os env secret not found ignored": {
+			command: RunCommand{
+				osEnv:                []string{"TEST=secrethub://nonexistent/secret/path"},
+				ignoreMissingSecrets: true,
+				command:              []string{"echo", "test"},
+				newClient: func() (secrethub.ClientInterface, error) {
+					return fakeclient.Client{
+						SecretService: &fakeclient.SecretService{
+							VersionService: &fakeclient.SecretVersionService{
+								WithDataGetter: fakeclient.WithDataGetter{
+									Err: api.ErrSecretNotFound,
+								},
+							},
+						},
+					}, nil
+				},
+			},
+		},
 	}
 
 	for name, tc := range cases {