Merge pull request #12 from narenaryan/feat/2

feat(ISSUE-2): Add secure flag (no_env) to pass secrets as args instead of env
cybrota · Nov 4, 2024 · 3c4ff79 · 3c4ff79
2 parents 6151474 + a567c28
commit 3c4ff79
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -54,6 +54,15 @@ env_file: '.env'
 secret_name: <your_secret>
 vault: aws
 ```
+This default configuration will inject fetched secrets into `os.environ` of main process. If your app instead want to receive secrets as STDIN arguments, use `no_env: true` field.
+This is a secure way than default control but app now should parse arguments itself.
+
+```yaml
+env_file: '.env'
+secret_name: <your_secret>
+vault: aws
+no_env: true # Setting true will send KEY1=VAL1 secret pairs as command args
+```
 
 ## Setting Up Your Injectable Secrets
 

diff --git a/src/whispr/__about__.py b/src/whispr/__about__.py
@@ -1 +1 @@
-version = "0.1.1"
+version = "0.2.0"
diff --git a/src/whispr/cli.py b/src/whispr/cli.py
@@ -65,10 +65,9 @@ def run(command):
         return
 
     filled_env_vars = get_filled_secrets(env_file, vault_secrets)
-    os.environ.update(filled_env_vars)
-    logger.info("Secrets have been successfully injected into the environment")
 
-    execute_command(command)
+    no_env = config.get("no_env")
+    execute_command(command, no_env, filled_env_vars)
 
 
 cli.add_command(init)

diff --git a/src/whispr/utils.py b/src/whispr/utils.py
@@ -40,10 +40,24 @@ def prepare_vault_config(vault_name: str) -> dict:
     return config
 
 
-def execute_command(command: tuple):
+def execute_command(command: tuple, no_env: bool, creds: dict):
     """Executes a Unix/Windows command"""
+    if not creds:
+        creds = {}
+
     try:
-        subprocess.run(shlex.split(command[0]), env=os.environ, shell=False, check=True)
+        usr_command = shlex.split(command[0])
+
+        if no_env:
+            # Pass as --env K=V format (secure)
+            usr_command.extend([
+                f"{k}={v}" for k,v in creds.items()
+            ])
+        else:
+            # Pass via environment (slightly insecure)
+            os.environ.update(creds)
+
+        subprocess.run(usr_command, env=os.environ, shell=False, check=True)
     except subprocess.CalledProcessError:
         logger.error(
             f"Encountered a problem while running command: '{command[0]}'. Aborting."
@@ -87,7 +101,6 @@ def get_filled_secrets(env_file: str, vault_secrets: dict) -> dict:
     for key in env_vars:
         if key in vault_secrets:
             filled_secrets[key] = vault_secrets[key]  # Collect the matching secrets
-            os.environ[key] = vault_secrets[key]  # Update the current environment
         else:
             logger.warning(
                 f"The given key: '{key}' is not found in vault. So ignoring it."