Merge pull request #526 from mozilla/revert-exec-command

ajvb · web-flow · commit 14a22d7a7060 · 2019-09-12T13:52:35.000-07:00
Revert exec command for 3.4.0 release
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -7,7 +7,6 @@ Features:
 
     * `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault
     * Support for multiple Azure authentication mechanisms
-    * `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars
     * Azure Keyvault support to the sops config file
     * `encrypted_regex` option to the sops config file
 
diff --git a/README.rst b/README.rst
@@ -803,104 +803,6 @@ By default ``sops`` just dumps all the output to the standard output. We can use
 ``--output`` flag followed by a filename to save the output to the file specified.
 Beware using both ``--in-place`` and ``--output`` flags will result in an error.
 
-Passing Secrets to Other Processes
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-In addition to writing secrets to standard output and to files on disk, ``sops``
-has two commands for passing decrypted secrets to a new process: ``exec-env``
-and ``exec-file``. These commands will place all output into the environment of
-a child process and into a temporary file, respectively. For example, if a
-program looks for credentials in its environment, ``exec-env`` can be used to
-ensure that the decrypted contents are available only to this process and never
-written to disk.
-
-.. code:: bash
-
-   # print secrets to stdout to confirm values
-   $ sops -d out.json
-   {
-           "database_password": "jf48t9wfw094gf4nhdf023r",
-           "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
-           "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-   }
-   
-   # decrypt out.json and run a command
-   # the command prints the environment variable and runs a script that uses it
-   $ sops exec-env out.json 'echo secret: $database_password; ./database-import'
-   secret: jf48t9wfw094gf4nhdf023r
-   
-   # launch a shell with the secrets available in its environment
-   $ sops exec-env out.json 'sh'
-   sh-3.2# echo $database_password
-   jf48t9wfw094gf4nhdf023r
-   
-   # the secret is not accessible anywhere else
-   sh-3.2$ exit
-   $ echo your password: $database_password
-   your password: 
-
-
-If the command you want to run only operates on files, you can use ``exec-file``
-instead. By default ``sops`` will use a FIFO to pass the contents of the
-decrypted file to the new program. Using a FIFO, secrets are only passed in
-memory which has two benefits: the plaintext secrets never touch the disk, and
-the child process can only read the secrets once. In contexts where this won't
-work, such as platforms where FIFOs are not available or secret files need to be
-available to the child process longer term, the ``--no-fifo`` flag can be used
-to instruct ``sops`` to use a traditional temporary file that will get cleaned
-up once the process is finished executing. ``exec-file`` behaves similar to
-``find(1)`` in that ``{}`` is used as a placeholder in the command which will be
-substituted with the temporary file path (whether a FIFO or an actual file).
-
-.. code:: bash
-
-   # operating on the same file as before, but as a file this time
-   $ sops exec-file out.json 'echo your temporary file: {}; cat {}'
-   your temporary file: /tmp/.sops894650499/tmp-file
-   {
-           "database_password": "jf48t9wfw094gf4nhdf023r",
-           "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
-           "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-   }
-   
-   # launch a shell with a variable TMPFILE pointing to the temporary file
-   $ sops exec-file --no-fifo out.json 'TMPFILE={} sh'
-   sh-3.2$ echo $TMPFILE
-   /tmp/.sops506055069/tmp-file291138648
-   sh-3.2$ cat $TMPFILE
-   {
-           "database_password": "jf48t9wfw094gf4nhdf023r",
-           "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
-           "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
-   }
-   sh-3.2$ ./program --config $TMPFILE
-   sh-3.2$ exit
-
-   # try to open the temporary file from earlier
-   $ cat /tmp/.sops506055069/tmp-file291138648
-   cat: /tmp/.sops506055069/tmp-file291138648: No such file or directory
-
-Additionally, both ``exec-env`` and ``exec-file`` support dropping privileges
-before executing the new program via the ``--user <username>`` flag. This is
-particularly useful in cases where the encrypted file is only readable by root,
-but the target program does not need root privileges to function. This flag
-should be used where possible for added security.
-
-.. code:: bash
-
-   # the encrypted file can't be read by the current user
-   $ cat out.json
-   cat: out.json: Permission denied
-   
-   # execute sops as root, decrypt secrets, then drop privileges
-   $ sudo sops exec-env --user nobody out.json 'sh'
-   sh-3.2$ echo $database_password
-   jf48t9wfw094gf4nhdf023r
-
-   # dropped privileges, still can't load the original file
-   sh-3.2$ id
-   uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody)
-   sh-3.2$ cat out.json
-   cat: out.json: Permission denied
 
 Using the publish command
 ~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -19,7 +19,6 @@ import (
 	"go.mozilla.org/sops/azkv"
 	"go.mozilla.org/sops/cmd/sops/codes"
 	"go.mozilla.org/sops/cmd/sops/common"
-	"go.mozilla.org/sops/cmd/sops/subcommand/exec"
 	"go.mozilla.org/sops/cmd/sops/subcommand/groups"
 	keyservicecmd "go.mozilla.org/sops/cmd/sops/subcommand/keyservice"
 	publishcmd "go.mozilla.org/sops/cmd/sops/subcommand/publish"
@@ -107,111 +106,6 @@ func main() {
    For more information, see the README at github.com/mozilla/sops`
 	app.EnableBashCompletion = true
 	app.Commands = []cli.Command{
-		{
-			Name:	  "exec-env",
-			Usage:	  "execute a command with decrypted values inserted into the environment",
-			ArgsUsage: "[file to decrypt] [command to run]",
-			Flags: append([]cli.Flag{
-				cli.BoolFlag{
-					Name: "background",
-					Usage: "background the process and don't wait for it to complete",
-				},
-				cli.StringFlag{
-					Name: "user",
-					Usage: "the user to run the command as",
-				},
-			}, keyserviceFlags...),
-			Action: func(c *cli.Context) error {
-				if len(c.Args()) != 2 {
-					return common.NewExitError(fmt.Errorf("error: missing file to decrypt"), codes.ErrorGeneric)
-				}
-
-				fileName := c.Args()[0]
-				command := c.Args()[1]
-
-				inputStore := inputStore(c, fileName)
-
-
-				svcs := keyservices(c)
-				opts := decryptOpts{
-					OutputStore: &dotenv.Store{},
-					InputStore:  inputStore,
-					InputPath:   fileName,
-					Cipher:	  aes.NewCipher(),
-					KeyServices: svcs,
-					IgnoreMAC:   c.Bool("ignore-mac"),
-				}
-
-				output, err := decrypt(opts)
-				if err != nil {
-					return toExitError(err)
-				}
-
-				exec.ExecWithEnv(exec.ExecOpts{
-					Command: command,
-					Plaintext: output,
-					Background: c.Bool("background"),
-					User: c.String("user"),
-				})
-
-				return nil
-			},
-		},
-		{
-			Name:	  "exec-file",
-			Usage:	  "execute a command with the decrypted contents as a temporary file",
-			ArgsUsage: "[file to decrypt] [command to run]",
-			Flags: append([]cli.Flag{
-				cli.BoolFlag{
-					Name: "background",
-					Usage: "background the process and don't wait for it to complete",
-				},
-				cli.BoolFlag{
-					Name: "no-fifo",
-					Usage: "use a regular file instead of a fifo to temporarily hold the decrypted contents",
-				},
-				cli.StringFlag{
-					Name: "user",
-					Usage: "the user to run the command as",
-				},
-			}, keyserviceFlags...),
-			Action: func(c *cli.Context) error {
-				if len(c.Args()) != 2 {
-					return common.NewExitError(fmt.Errorf("error: missing file to decrypt"), codes.ErrorGeneric)
-				}
-
-				fileName := c.Args()[0]
-				command := c.Args()[1]
-
-				inputStore := inputStore(c, fileName)
-				outputStore := outputStore(c, fileName)
-
-				svcs := keyservices(c)
-				opts := decryptOpts{
-					OutputStore: outputStore,
-					InputStore:  inputStore,
-					InputPath:   fileName,
-					Cipher:	  aes.NewCipher(),
-					KeyServices: svcs,
-					IgnoreMAC:   c.Bool("ignore-mac"),
-				}
-
-				output, err := decrypt(opts)
-				if err != nil {
-					return toExitError(err)
-				}
-
-				exec.ExecWithFile(exec.ExecOpts{
-					Command: command,
-					Plaintext: output,
-					Background: c.Bool("background"),
-					Fifo: !c.Bool("no-fifo"),
-					User: c.String("user"),
-				})
-
-				return nil
-			},
-		},
 		{
 			Name:      "publish",
 			Usage:     "Publish sops file to a configured destination",
@@ -812,7 +706,6 @@ func main() {
 		}
 
 		outputFile := os.Stdout
-
 		if c.String("output") != "" {
 			file, err := os.Create(c.String("output"))
 			if err != nil {
diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go
