Merge pull request #251 from secrethub/release/v0.35.0

Release v0.35.0

Author: florisvdg

.circleci/config.yml

@@ -2,7 +2,7 @@ version: 2
 jobs:
   test:
     docker:
-      - image: circleci/golang:1.12
+      - image: circleci/golang:1.13
     steps:
       - checkout
       - restore_cache:

.gitlab-ci.yml

@@ -0,0 +1,6 @@
+release:
+  trigger: secrethub/operations/cli-releaser
+  variables:
+    SECRETHUB_CLI_VERSION: $CI_COMMIT_TAG
+  only:
+    - tags

.goreleaser.yml

@@ -65,19 +65,6 @@ brews:
     homepage: https://secrethub.io
     description: Command-line interface for SecretHub
 
-snapcrafts:
-  - name: secrethub-cli
-    builds:
-      - default
-    publish: true
-    summary: Command-line interface for SecretHub
-    description: SecretHub is a developer tool to help you keep database passwords, API tokens, and other secrets out of IT automation scripts. It enables you to securely share passwords and other secrets with your team and infrastructure.
-    apps:
-      secrethub:
-        plugs:
-          - home
-          - network
-
 scoop:
   name: secrethub-cli
   bucket:

go.mod

@@ -1,6 +1,6 @@
 module github.com/secrethub/secrethub-cli
 
-go 1.12
+go 1.13
 
 require (
 	bitbucket.org/zombiezen/cardcpx v0.0.0-20150417151802-902f68ff43ef

internals/cli/env.go

@@ -103,12 +103,12 @@ func (a *App) isExtraEnvVar(key string) bool {
 // of environment variables are not printed out for security reasons. The list
 // is limited to variables that are actually set in the environment. Setting
 // verbose to true will also include all known variables that are not set.
-func (a *App) PrintEnv(w io.Writer, verbose bool) error {
+func (a *App) PrintEnv(w io.Writer, verbose bool, osEnv func() []string) error {
 	tabWriter := tabwriter.NewWriter(w, 0, 4, 4, ' ', 0)
 	fmt.Fprintf(tabWriter, "%s\t%s\n", "NAME", "STATUS")
 
 	envVarStatus := make(map[string]string)
-	for _, envVar := range os.Environ() {
+	for _, envVar := range osEnv() {
 		key, _, match := splitVar(a.name, a.separator, envVar)
 		key = strings.ToUpper(key)
 		if match {

internals/secrethub/inject.go

@@ -34,6 +34,7 @@ type InjectCommand struct {
 	useClipboard                  bool
 	clearClipboardAfter           time.Duration
 	clipper                       clip.Clipper
+	osEnv                         []string
 	newClient                     newClientFunc
 	templateVars                  map[string]string
 	templateVersion               string
@@ -44,6 +45,7 @@ type InjectCommand struct {
 func NewInjectCommand(io ui.IO, newClient newClientFunc) *InjectCommand {
 	return &InjectCommand{
 		clipper:             clip.NewClipboard(),
+		osEnv:               os.Environ(),
 		clearClipboardAfter: defaultClearClipboardAfter,
 		io:                  io,
 		newClient:           newClient,
@@ -99,7 +101,7 @@ func (cmd *InjectCommand) Run() error {
 		}
 	}
 
-	osEnv, _ := parseKeyValueStringsToMap(os.Environ())
+	osEnv, _ := parseKeyValueStringsToMap(cmd.osEnv)
 
 	var templateVariableReader tpl.VariableReader
 	templateVariableReader, err = newVariableReader(osEnv, cmd.templateVars)

internals/secrethub/printenv.go

@@ -1,6 +1,8 @@
 package secrethub
 
 import (
+	"os"
+
 	"github.com/secrethub/secrethub-cli/internals/cli"
 	"github.com/secrethub/secrethub-cli/internals/cli/ui"
 	"github.com/secrethub/secrethub-cli/internals/secrethub/command"
@@ -10,20 +12,22 @@ import (
 type PrintEnvCommand struct {
 	app     *cli.App
 	io      ui.IO
+	osEnv   func() []string
 	verbose bool
 }
 
 // NewPrintEnvCommand creates a new PrintEnvCommand.
 func NewPrintEnvCommand(app *cli.App, io ui.IO) *PrintEnvCommand {
 	return &PrintEnvCommand{
-		app: app,
-		io:  io,
+		app:   app,
+		io:    io,
+		osEnv: os.Environ,
 	}
 }
 
 // Run prints out debug statements about all environment variables.
 func (cmd *PrintEnvCommand) Run() error {
-	err := cmd.app.PrintEnv(cmd.io.Stdout(), cmd.verbose)
+	err := cmd.app.PrintEnv(cmd.io.Stdout(), cmd.verbose, cmd.osEnv)
 	if err != nil {
 		return err
 	}

internals/secrethub/run.go

@@ -49,6 +49,9 @@ const (
 	// templateVarEnvVarPrefix is used to prefix environment variables
 	// that should be used as template variables.
 	templateVarEnvVarPrefix = "SECRETHUB_VAR_"
+	// prefix of the values of environment variables that will be
+	// substituted with secrets
+	secretReferencePrefix = "secrethub://"
 )
 
 // RunCommand runs a program and passes environment variables to it that are
@@ -57,6 +60,7 @@ const (
 type RunCommand struct {
 	command                      []string
 	io                           ui.IO
+	osEnv                        []string
 	envar                        map[string]string
 	envFile                      string
 	templateVars                 map[string]string
@@ -73,6 +77,7 @@ type RunCommand struct {
 func NewRunCommand(io ui.IO, newClient newClientFunc) *RunCommand {
 	return &RunCommand{
 		io:           io,
+		osEnv:        os.Environ(),
 		envar:        make(map[string]string),
 		templateVars: make(map[string]string),
 		newClient:    newClient,
@@ -110,6 +115,11 @@ func (cmd *RunCommand) Run() error {
 	// Parse
 	envSources := []EnvSource{}
 
+	osEnv, passthroughEnv := parseKeyValueStringsToMap(cmd.osEnv)
+
+	referenceEnv := newReferenceEnv(osEnv)
+	envSources = append(envSources, referenceEnv)
+
 	// TODO: Validate the flags when parsing by implementing the Flag interface for EnvFlags.
 	flagSource, err := NewEnvFlags(cmd.envar)
 	if err != nil {
@@ -129,11 +139,6 @@ func (cmd *RunCommand) Run() error {
 		}
 	}
 
-	osEnv, passthroughEnv := parseKeyValueStringsToMap(os.Environ())
-	if err != nil {
-		return err
-	}
-
 	if cmd.envFile != "" {
 		templateVariableReader, err := newVariableReader(osEnv, cmd.templateVars)
 		if err != nil {
@@ -233,14 +238,14 @@ func (cmd *RunCommand) Run() error {
 		}
 	}
 
-	maskedStdout := masker.NewMaskedWriter(os.Stdout, valuesToMask, maskString, cmd.maskingTimeout)
+	maskedStdout := masker.NewMaskedWriter(cmd.io.Stdout(), valuesToMask, maskString, cmd.maskingTimeout)
 	maskedStderr := masker.NewMaskedWriter(os.Stderr, valuesToMask, maskString, cmd.maskingTimeout)
 
 	command := exec.Command(cmd.command[0], cmd.command[1:]...)
 	command.Env = append(passthroughEnv, mapToKeyValueStrings(environment)...)
 	command.Stdin = os.Stdin
 	if cmd.noMasking {
-		command.Stdout = os.Stdout
+		command.Stdout = cmd.io.Stdout()
 		command.Stderr = os.Stderr
 	} else {
 		command.Stdout = maskedStdout
@@ -422,6 +427,44 @@ func ReadEnvFile(filepath string, varReader tpl.VariableReader, parser tpl.Parse
 	}, nil
 }
 
+// referenceEnv is an environment with secrets configured with the
+// secrethub:// syntax in the os environment variables.
+type referenceEnv struct {
+	envVars map[string]string
+}
+
+// newReferenceEnv returns an environment with secrets configured in the
+// os environment with the secrethub:// syntax.
+func newReferenceEnv(osEnv map[string]string) *referenceEnv {
+	envVars := make(map[string]string)
+	for key, value := range osEnv {
+		if strings.HasPrefix(value, secretReferencePrefix) {
+			envVars[key] = strings.TrimPrefix(value, secretReferencePrefix)
+		}
+	}
+	return &referenceEnv{
+		envVars: envVars,
+	}
+}
+
+// Env returns a map of key value pairs with the secrets configured with the
+// secrethub:// syntax.
+func (env *referenceEnv) Env(_ map[string]string, secretReader tpl.SecretReader) (map[string]string, error) {
+	envVarsWithSecrets := make(map[string]string)
+	for key, path := range env.envVars {
+		secret, err := secretReader.ReadSecret(path)
+		if err != nil {
+			return nil, err
+		}
+		envVarsWithSecrets[key] = secret
+	}
+	return envVarsWithSecrets, nil
+}
+
+func (env *referenceEnv) Secrets() []string {
+	return nil
+}
+
 // EnvFile contains an environment that is read from a file.
 type EnvFile struct {
 	path string