If filename is provided for exec-file, use it without random suffix.

Signed-off-by: Felix Fontein <[email protected]>
getsops · Mar 27, 2024 · 78f758d · 78f758d
1 parent d8e8809
commit 78f758d
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 9 deletions.
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -237,7 +237,7 @@ func main() {
  },
  cli.StringFlag{
  Name: "filename",
- Usage: "filename for the temporarily file (default: tmp-file)",
+ Usage: fmt.Sprintf("filename for the temporarily file (default: %s)", exec.FallbackFilename),
  },
  }, keyserviceFlags...),
  Action: func(c *cli.Context) error {
@@ -272,11 +272,6 @@ func main() {
  return toExitError(err)
  }
 
- filename := c.String("filename")
- if filename == "" {
- filename = "tmp-file"
- }
-
  if c.Bool("background") {
  log.Warn("exec-file's --background option is deprecated and will be removed in a future version of sops")
  }
@@ -287,7 +282,7 @@ func main() {
  Background: c.Bool("background"),
  Fifo: !c.Bool("no-fifo"),
  User: c.String("user"),
- Filename: filename,
+ Filename: c.String("filename"),
  }); err != nil {
  return toExitError(err)
  }

diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go
@@ -3,6 +3,7 @@ package exec
 import (
  "bytes"
  "os"
+ "path/filepath"
  "runtime"
  "strings"
 
@@ -11,6 +12,10 @@ import (
  "github.com/sirupsen/logrus"
 )
 
+const (
+ FallbackFilename = "tmp-file"
+)
+
 var log *logrus.Logger
 
 func init() {
@@ -28,10 +33,23 @@ type ExecOpts struct {
 }
 
 func GetFile(dir, filename string) *os.File {
- handle, err := os.CreateTemp(dir, filename)
+ // If no filename is provided, create a random one based on FallbackFilename
+ if filename == "" {
+ handle, err := os.CreateTemp(dir, FallbackFilename)
+ if err != nil {
+ log.Fatal(err)
+ }
+ return handle
+ }
+ // If a filename is provided, use that one
+ handle, err := os.Create(filepath.Join(dir, filename))
  if err != nil {
  log.Fatal(err)
  }
+ // read+write for owner only
+ if err = handle.Chmod(0600); err != nil {
+ log.Fatal(err)
+ }
  return handle
 }
 
@@ -55,7 +73,11 @@ func ExecWithFile(opts ExecOpts) error {
  if opts.Fifo {
  // fifo handling needs to be async, even opening to write
  // will block if there is no reader present
- filename = GetPipe(dir, opts.Filename)
+ filename = opts.Filename
+ if filename == "" {
+ filename = FallbackFilename
+ }
+ filename = GetPipe(dir, filename)
  go WritePipe(filename, opts.Plaintext)
  } else {
  handle := GetFile(dir, opts.Filename)

diff --git a/functional-tests/src/lib.rs b/functional-tests/src/lib.rs
@@ -949,4 +949,47 @@ bar: |-
 }"#
  );
  }
+
+ #[test]
+ fn exec_file_filename() {
+ let file_path = prepare_temp_file(
+ "test_exec_file_filename.yaml",
+ r#"foo: bar
+bar: |-
+ baz
+ bam
+"#
+ .as_bytes(),
+ );
+ assert!(
+ Command::new(SOPS_BINARY_PATH)
+ .arg("-e")
+ .arg("-i")
+ .arg(file_path.clone())
+ .output()
+ .expect("Error running sops")
+ .status
+ .success(),
+ "sops didn't exit successfully"
+ );
+ let output = Command::new(SOPS_BINARY_PATH)
+ .arg("exec-file")
+ .arg("--no-fifo")
+ .arg("--filename")
+ .arg("foobar")
+ .arg(file_path.clone())
+ .arg("echo {}")
+ .output()
+ .expect("Error running sops");
+ assert!(output.status.success(), "sops didn't exit successfully");
+ println!(
+ "stdout: {}, stderr: {}",
+ String::from_utf8_lossy(&output.stdout),
+ String::from_utf8_lossy(&output.stderr)
+ );
+ assert!(
+ String::from_utf8_lossy(&output.stdout).ends_with("foobar\n"),
+ "filename did not end with 'foobar'"
+ );
+ }
 }