Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SM-1129] Run command with secrets #621

Merged
merged 87 commits into from
Aug 16, 2024
Merged

Conversation

tangowithfoxtrot
Copy link
Contributor

@tangowithfoxtrot tangowithfoxtrot commented Feb 21, 2024

Type of change

  • Bug fix
  • New feature development
  • Tech debt (refactoring, code cleanup, dependency upgrades, etc)
  • Build/deploy pipeline (DevOps)
  • Other

Objective

Add a run command to allow running processes with secrets injected.

Example:
bws run 'docker compose up -d', bws run -- docker compose up -d, or from stdin: echo 'docker compose up -d' | bws run

Where the compose file is expecting secrets:

services:
  echo:
    image: hashicorp/http-echo
    container_name: echo
    ports:
      - "127.0.0.1:5678:5678"
    command: [
        "-text",
        "Local DB user: ${LOCAL_DB_USER}\nLocal DB pass: ${LOCAL_DB_PASS}", # secrets from Secrets Manager
      ]

Other examples: bws run -- npm run start, bws run -- 'echo $SECRET_BY_NAME_FROM_SM', etc.

A --shell option is provided to override the default shell (sh on UNIX-like OSes, and powershell on Windows) where the process is executed.

A --no-inherit-env option is provided for additional safety in cases where you want to pass the minimum amount of values into a process. $PATH is always passed though, as omitting it would cause nearly every command to fail.

If duplicate keynames are detected, the run command will error-out and suggest using the --uuids-as-keynames argument. This argument (and equivalent environment variable BWS_UUIDS_AS_KEYNAMES) will use the secret UUID (in POSIX-compliant form; ex _36527bf9_ed6c_41ad_ba49_b11d00b371f4).

Code changes

  • crates/bws/src/command/run.rs: add the run command and associated args
  • crates/bws/src/cli.rs: add args for --shell, --no-inherit-env, and --uuids-as-keynames; add environment variable for BWS_UUIDS_AS_KEYNAMES
  • crates/bws/src/util.rs: add is_valid_posix_name and uuid_to_posix functions
  • crates/bws/src/render.rs: use is_valid_posix_name from util crate
  • crates/bws/Cargo.toml: use which to detect presence of a shell

Before you submit

  • Please add unit tests where it makes sense to do so

@bitwarden-bot
Copy link

bitwarden-bot commented Feb 21, 2024

Logo
Checkmarx One – Scan Summary & Detailsaa37f199-58fd-4f6c-bc86-64192540be05

No New Or Fixed Issues Found

Copy link

codecov bot commented Feb 21, 2024

Codecov Report

Attention: Patch coverage is 21.42857% with 121 lines in your changes missing coverage. Please review.

Project coverage is 58.01%. Comparing base (9e4df97) to head (a0f78a3).

Files Patch % Lines
crates/bws/src/command/run.rs 0.00% 101 Missing ⚠️
crates/bws/src/main.rs 0.00% 16 Missing ⚠️
crates/bws/src/cli.rs 0.00% 3 Missing ⚠️
crates/bws/src/render.rs 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #621      +/-   ##
==========================================
- Coverage   58.43%   58.01%   -0.43%     
==========================================
  Files         195      196       +1     
  Lines       13406    13556     +150     
==========================================
+ Hits         7834     7864      +30     
- Misses       5572     5692     +120     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@differsthecat differsthecat changed the title Run command with secrets [SM-1129] Run command with secrets Mar 6, 2024
crates/bws/src/main.rs Fixed Show fixed Hide fixed
crates/bws/src/main.rs Fixed Show fixed Hide fixed
crates/bws/src/util.rs Outdated Show resolved Hide resolved
Hinton
Hinton previously approved these changes Jul 16, 2024
Copy link
Member

@Hinton Hinton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@@ -144,3 +166,12 @@ pub(crate) enum ProjectCommand {
},
List,
}

#[derive(Subcommand, Debug)]
pub(crate) enum RunCommand {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we use this. Should we ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. I think I missed this when refectoring the command at some point. Removed in f9c9946.

mzieniukbw
mzieniukbw previously approved these changes Jul 16, 2024
Copy link
Contributor

@mzieniukbw mzieniukbw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

mzieniukbw
mzieniukbw previously approved these changes Jul 16, 2024
dani-garcia
dani-garcia previously approved these changes Jul 17, 2024
@tangowithfoxtrot tangowithfoxtrot dismissed stale reviews from dani-garcia and mzieniukbw via 87fc76d August 8, 2024 17:00
mzieniukbw
mzieniukbw previously approved these changes Aug 8, 2024
dani-garcia
dani-garcia previously approved these changes Aug 8, 2024
Copy link
Member

@coltonhurst coltonhurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work!

@tangowithfoxtrot tangowithfoxtrot merged commit 7a18777 into main Aug 16, 2024
60 of 61 checks passed
@tangowithfoxtrot tangowithfoxtrot deleted the run-command-with-secrets branch August 16, 2024 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants