Merge pull request #235 from secrethub/feature/prompt-missing-template-vars

Prompt missing template variables

Author: SimonBarendse

internals/secrethub/app.go

@@ -177,7 +177,7 @@ func (app *App) registerCommands() {
 	NewInspectCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewAuditCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewInjectCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
-	NewRunCommand(app.clientFactory.NewClient).Register(app.cli)
+	NewRunCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewPrintEnvCommand(app.cli, app.io).Register(app.cli)
 
 	// Hidden commands

internals/secrethub/inject.go

@@ -5,14 +5,14 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
-	"strings"
 	"time"
 
+	"github.com/secrethub/secrethub-cli/internals/secrethub/tpl"
+
 	"github.com/secrethub/secrethub-cli/internals/cli/clip"
 	"github.com/secrethub/secrethub-cli/internals/cli/filemode"
 	"github.com/secrethub/secrethub-cli/internals/cli/posix"
 	"github.com/secrethub/secrethub-cli/internals/cli/ui"
-	"github.com/secrethub/secrethub-cli/internals/cli/validation"
 	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
 
 	"github.com/docker/go-units"
@@ -26,17 +26,18 @@ var (
 
 // InjectCommand is a command to read a secret.
 type InjectCommand struct {
-	outFile             string
-	inFile              string
-	fileMode            filemode.FileMode
-	force               bool
-	io                  ui.IO
-	useClipboard        bool
-	clearClipboardAfter time.Duration
-	clipper             clip.Clipper
-	newClient           newClientFunc
-	templateVars        map[string]string
-	templateVersion     string
+	outFile                       string
+	inFile                        string
+	fileMode                      filemode.FileMode
+	force                         bool
+	io                            ui.IO
+	useClipboard                  bool
+	clearClipboardAfter           time.Duration
+	clipper                       clip.Clipper
+	newClient                     newClientFunc
+	templateVars                  map[string]string
+	templateVersion               string
+	dontPromptMissingTemplateVars bool
 }
 
 // NewInjectCommand creates a new InjectCommand.
@@ -67,6 +68,7 @@ func (cmd *InjectCommand) Register(r command.Registerer) {
 	clause.Flag("file-mode", "Set filemode for the output file if it does not yet exist. Defaults to 0600 (read and write for current user) and is ignored without the --out-file flag.").Default("0600").SetValue(&cmd.fileMode)
 	clause.Flag("var", "Define the value for a template variable with `VAR=VALUE`, e.g. --var env=prod").Short('v').StringMapVar(&cmd.templateVars)
 	clause.Flag("template-version", "The template syntax version to be used. The options are v1, v2, latest or auto to automatically detect the version.").Default("auto").StringVar(&cmd.templateVersion)
+	clause.Flag("no-prompt", "Do not prompt when a template variable is missing and return an error instead.").BoolVar(&cmd.dontPromptMissingTemplateVars)
 	registerForceFlag(clause).BoolVar(&cmd.force)
 
 	command.BindAction(clause, cmd.Run)
@@ -97,25 +99,16 @@ func (cmd *InjectCommand) Run() error {
 		}
 	}
 
-	templateVars := make(map[string]string)
-
 	osEnv, _ := parseKeyValueStringsToMap(os.Environ())
 
-	for k, v := range osEnv {
-		if strings.HasPrefix(k, templateVarEnvVarPrefix) {
-			k = strings.TrimPrefix(k, templateVarEnvVarPrefix)
-			templateVars[strings.ToLower(k)] = v
-		}
-	}
-
-	for k, v := range cmd.templateVars {
-		templateVars[strings.ToLower(k)] = v
+	var templateVariableReader tpl.VariableReader
+	templateVariableReader, err = newVariableReader(osEnv, cmd.templateVars)
+	if err != nil {
+		return err
 	}
 
-	for k := range templateVars {
-		if !validation.IsEnvarNamePosix(k) {
-			return ErrInvalidTemplateVar(k)
-		}
+	if !cmd.dontPromptMissingTemplateVars {
+		templateVariableReader = newPromptMissingVariableReader(templateVariableReader, cmd.io)
 	}
 
 	parser, err := getTemplateParser(raw, cmd.templateVersion)
@@ -128,7 +121,7 @@ func (cmd *InjectCommand) Run() error {
 		return err
 	}
 
-	injected, err := template.Evaluate(templateVars, newSecretReader(cmd.newClient))
+	injected, err := template.Evaluate(templateVariableReader, newSecretReader(cmd.newClient))
 	if err != nil {
 		return err
 	}

internals/secrethub/run.go

@@ -16,6 +16,8 @@ import (
 	"time"
 	"unicode"
 
+	"github.com/secrethub/secrethub-cli/internals/cli/ui"
+
 	"github.com/secrethub/secrethub-cli/internals/cli/masker"
 	"github.com/secrethub/secrethub-cli/internals/cli/validation"
 	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
@@ -53,21 +55,24 @@ const (
 // defined with --envar or --env-file flags and secrets.yml files.
 // The yml files write to .secretsenv/<env-name> when running the set command.
 type RunCommand struct {
-	command              []string
-	envar                map[string]string
-	envFile              string
-	templateVars         map[string]string
-	templateVersion      string
-	env                  string
-	noMasking            bool
-	maskingTimeout       time.Duration
-	newClient            newClientFunc
-	ignoreMissingSecrets bool
+	command                      []string
+	io                           ui.IO
+	envar                        map[string]string
+	envFile                      string
+	templateVars                 map[string]string
+	templateVersion              string
+	env                          string
+	noMasking                    bool
+	maskingTimeout               time.Duration
+	newClient                    newClientFunc
+	ignoreMissingSecrets         bool
+	dontPromptMissingTemplateVar bool
 }
 
 // NewRunCommand creates a new RunCommand.
-func NewRunCommand(newClient newClientFunc) *RunCommand {
+func NewRunCommand(io ui.IO, newClient newClientFunc) *RunCommand {
 	return &RunCommand{
+		io:           io,
 		envar:        make(map[string]string),
 		templateVars: make(map[string]string),
 		newClient:    newClient,
@@ -94,6 +99,7 @@ func (cmd *RunCommand) Register(r command.Registerer) {
 	clause.Flag("masking-timeout", "The maximum time output is buffered. Warning: lowering this value increases the chance of secrets not being masked.").Default("1s").DurationVar(&cmd.maskingTimeout)
 	clause.Flag("template-version", "The template syntax version to be used. The options are v1, v2, latest or auto to automatically detect the version.").Default("auto").StringVar(&cmd.templateVersion)
 	clause.Flag("ignore-missing-secrets", "Do not return an error when a secret does not exist and use an empty value instead.").BoolVar(&cmd.ignoreMissingSecrets)
+	clause.Flag("no-prompt", "Do not prompt when a template variable is missing and return an error instead.").BoolVar(&cmd.dontPromptMissingTemplateVar)
 
 	command.BindAction(clause, cmd.Run)
 }
@@ -128,26 +134,16 @@ func (cmd *RunCommand) Run() error {
 		return err
 	}
 
-	templateVars := make(map[string]string)
-
-	for k, v := range osEnv {
-		if strings.HasPrefix(k, templateVarEnvVarPrefix) {
-			k = strings.TrimPrefix(k, templateVarEnvVarPrefix)
-			templateVars[strings.ToLower(k)] = v
+	if cmd.envFile != "" {
+		templateVariableReader, err := newVariableReader(osEnv, cmd.templateVars)
+		if err != nil {
+			return err
 		}
-	}
-
-	for k, v := range cmd.templateVars {
-		templateVars[strings.ToLower(k)] = v
-	}
 
-	for k := range templateVars {
-		if !validation.IsEnvarNamePosix(k) {
-			return ErrInvalidTemplateVar(k)
+		if !cmd.dontPromptMissingTemplateVar {
+			templateVariableReader = newPromptMissingVariableReader(templateVariableReader, cmd.io)
 		}
-	}
 
-	if cmd.envFile != "" {
 		raw, err := ioutil.ReadFile(cmd.envFile)
 		if err != nil {
 			return ErrCannotReadFile(cmd.envFile, err)
@@ -158,7 +154,7 @@ func (cmd *RunCommand) Run() error {
 			return err
 		}
 
-		envFile, err := ReadEnvFile(cmd.envFile, templateVars, parser)
+		envFile, err := ReadEnvFile(cmd.envFile, templateVariableReader, parser)
 		if err != nil {
 			return err
 		}
@@ -356,8 +352,8 @@ type EnvSource interface {
 }
 
 type envTemplate struct {
-	envVars      []envvarTpls
-	templateVars map[string]string
+	envVars           []envvarTpls
+	templateVarReader tpl.VariableReader
 }
 
 type envvarTpls struct {
@@ -377,7 +373,7 @@ func (sr secretReaderNotAllowed) ReadSecret(path string) (string, error) {
 func (t envTemplate) Env(secrets map[string]string, sr tpl.SecretReader) (map[string]string, error) {
 	result := make(map[string]string)
 	for _, tpls := range t.envVars {
-		key, err := tpls.key.Evaluate(t.templateVars, secretReaderNotAllowed{})
+		key, err := tpls.key.Evaluate(t.templateVarReader, secretReaderNotAllowed{})
 		if err != nil {
 			return nil, err
 		}
@@ -387,7 +383,7 @@ func (t envTemplate) Env(secrets map[string]string, sr tpl.SecretReader) (map[st
 			return nil, templateError(tpls.lineNo, err)
 		}
 
-		value, err := tpls.value.Evaluate(t.templateVars, sr)
+		value, err := tpls.value.Evaluate(t.templateVarReader, sr)
 		if err != nil {
 			return nil, err
 		}
@@ -411,12 +407,12 @@ func (t envTemplate) Secrets() []string {
 }
 
 // ReadEnvFile reads and parses a .env file.
-func ReadEnvFile(filepath string, vars map[string]string, parser tpl.Parser) (EnvFile, error) {
+func ReadEnvFile(filepath string, varReader tpl.VariableReader, parser tpl.Parser) (EnvFile, error) {
 	r, err := os.Open(filepath)
 	if err != nil {
 		return EnvFile{}, ErrCannotReadFile(filepath, err)
 	}
-	env, err := NewEnv(r, vars, parser)
+	env, err := NewEnv(r, varReader, parser)
 	if err != nil {
 		return EnvFile{}, ErrParsingTemplate(filepath, err)
 	}
@@ -448,7 +444,7 @@ func (e EnvFile) Secrets() []string {
 
 // NewEnv loads an environment of key-value pairs from a string.
 // The format of the string can be `key: value` or `key=value` pairs.
-func NewEnv(r io.Reader, vars map[string]string, parser tpl.Parser) (EnvSource, error) {
+func NewEnv(r io.Reader, varReader tpl.VariableReader, parser tpl.Parser) (EnvSource, error) {
 	env, err := parseEnvironment(r)
 	if err != nil {
 		return nil, err
@@ -479,8 +475,8 @@ func NewEnv(r io.Reader, vars map[string]string, parser tpl.Parser) (EnvSource,
 	}
 
 	return envTemplate{
-		envVars:      secretTemplates,
-		templateVars: vars,
+		envVars:           secretTemplates,
+		templateVarReader: varReader,
 	}, nil
 }
 

internals/secrethub/run_test.go

@@ -359,11 +359,11 @@ func TestParseYML(t *testing.T) {
 
 func TestNewEnv(t *testing.T) {
 	cases := map[string]struct {
-		raw          string
-		replacements map[string]string
-		templateVars map[string]string
-		expected     map[string]string
-		err          error
+		raw               string
+		replacements      map[string]string
+		templateVarReader tpl.VariableReader
+		expected          map[string]string
+		err               error
 	}{
 		"success": {
 			raw: "foo=bar\nbaz={{path/to/secret}}",
@@ -380,8 +380,10 @@ func TestNewEnv(t *testing.T) {
 			replacements: map[string]string{
 				"company/application/db/pass": "secret",
 			},
-			templateVars: map[string]string{
-				"app": "company/application",
+			templateVarReader: fakes.FakeVariableReader{
+				Variables: map[string]string{
+					"app": "company/application",
+				},
 			},
 			expected: map[string]string{
 				"foo": "bar",
@@ -390,8 +392,10 @@ func TestNewEnv(t *testing.T) {
 		},
 		"success with var in key": {
 			raw: "${var}=value",
-			templateVars: map[string]string{
-				"var": "key",
+			templateVarReader: fakes.FakeVariableReader{
+				Variables: map[string]string{
+					"var": "key",
+				},
 			},
 			expected: map[string]string{
 				"key": "value",
@@ -434,7 +438,7 @@ func TestNewEnv(t *testing.T) {
 			parser, err := getTemplateParser([]byte(tc.raw), "auto")
 			assert.OK(t, err)
 
-			env, err := NewEnv(strings.NewReader(tc.raw), tc.templateVars, parser)
+			env, err := NewEnv(strings.NewReader(tc.raw), tc.templateVarReader, parser)
 			if err != nil {
 				assert.Equal(t, err, tc.err)
 			} else {
@@ -522,6 +526,7 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"invalid template var: start with a number": {
 			command: RunCommand{
+				envFile: "secrethub.env",
 				templateVars: map[string]string{
 					"0foo": "value",
 				},
@@ -531,6 +536,7 @@ func TestRunCommand_Run(t *testing.T) {
 		},
 		"invalid template var: illegal character": {
 			command: RunCommand{
+				envFile: "secrethub.env",
 				templateVars: map[string]string{
 					"foo@bar": "value",
 				},

internals/secrethub/tpl/fakes/variable_reader.go

@@ -0,0 +1,15 @@
+package fakes
+
+import "errors"
+
+type FakeVariableReader struct {
+	Variables map[string]string
+}
+
+func (r FakeVariableReader) ReadVariable(name string) (string, error) {
+	variable, ok := r.Variables[name]
+	if !ok {
+		return "", errors.New("variable not found: " + name)
+	}
+	return variable, nil
+}

internals/secrethub/tpl/template.go

@@ -20,7 +20,7 @@ type Parser interface {
 type Template interface {
 	// Evaluate renders a template. It replaces all variable- and secret tags in the template.
 	// The supplied variables should have lowercase keys.
-	Evaluate(vars map[string]string, sr SecretReader) (string, error)
+	Evaluate(varReader VariableReader, sr SecretReader) (string, error)
 }
 
 // NewParser returns a parser for the latest template syntax.

internals/secrethub/tpl/v1.go

@@ -4,11 +4,6 @@ import (
 	"github.com/secrethub/secrethub-cli/internals/tpl"
 )
 
-// Errors
-var (
-	ErrTemplateVarsNotSupported = tplError.Code("template_vars_not_supported").Error("the v1 template syntax does not support template variables")
-)
-
 // NewV1Parser returns a parser for the v1 template syntax.
 //
 // V1 templates can contain secret paths between ${}:
@@ -40,11 +35,7 @@ func (p parserV1) Parse(raw string, _, _ int) (Template, error) {
 
 // InjectVars takes a map of template variables with their corresponding values. It replaces
 // the template variables with their values in the template.
-func (t templateV1) Evaluate(vars map[string]string, sr SecretReader) (string, error) {
-	if len(vars) > 0 {
-		return "", ErrTemplateVarsNotSupported
-	}
-
+func (t templateV1) Evaluate(_ VariableReader, sr SecretReader) (string, error) {
 	keys := t.template.Keys()
 	secrets := make(map[string]string, len(keys))
 	for _, path := range keys {