-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorporate Unix Commands to Secrets Subcommand - pk secrets *
#32
Comments
pk secrets *
With regards to Here are some examples:
Note that
As well as the ability to use
At this point, one might argue that one should enable
Which would take over from the However I'm not sure I really like the usage of Consider that we also need another command that one can just use to put a secret in without the need to wire up other commands.
And as we have talked about before, we need 3 ways:
I propose a special command for this:
So then But still one more command that allows one to write a secret in easily. Here are our 3 candidates.
From these 3, I quite like |
Some commands here due to usage over GRPC will involve client streaming or even duplex streaming. Deadlines will be important here. And if a command gets cut in the middle, the data written to EFS should be removed. That might be good idea to per-vault lock to do this. Until of course we can create a "vault"/efs snapshot. The beginnings of a vault/efs snapshot is already done in MatrixAI/js-encryptedfs#49 but it would need to be exposed to the PK vaults system. Perhaps that can help with enabling COW for the vaults MatrixAI/Polykey#172 MatrixAI/Polykey#180. |
Now that MatrixAI/Polykey#266 has fixed up vaults related commands, the next step is a proper review of all the secret commands, and hopefully finish up our |
@CryptoTotalWar this is relevant for your review of PK CLI on Mac. |
Proposal for Streamlining Secrets Creation Using Unix Piping ParadigmsConcept:Leverage Unix-like command paradigms to streamline the process of creating secrets directly into the vault, bypassing the need to first create a file on the local filesystem. This would enhance the functionality of Polykey by allowing direct input of secrets via standard input (stdin), aligning with Unix principles of simplicity and flexibility. Details:Instead of the current method where a file must exist beforehand, we could introduce functionality where users can pipe data directly into a Polykey secret path. This approach avoids unnecessary steps and strengthens security by not requiring sensitive data to touch the filesystem. Suggested Command Enhancement Example:echo 'your_secret_data' | polykey secrets write vaultName:/path/to/secret This command would take the output from echo and directly write it to the specified secret path in the vault. It simplifies the workflow, especially in scripting and automation scenarios, where secrets need to be dynamically generated and stored. Benefits
I believe this enhancement would significantly improve the user experience by making secret management more seamless and integrated with standard command line operations. It encourages best practices in handling sensitive data. |
I'm adding this to the |
It would be great if we could just use an off the shelf implementation of these commands such as shelljs mentioned above. But there is too much under the hood stuff going on there to make it viable. The main problem is that we need to send any local FS contents over the RPC to do anything with it. So we'd need a fs interface that works over the RPC which seems like a really hacky way to handle that. You also mentioned that the solutions like So we'll have to make our own implementations of these commands. And since some of these commands are pretty well featured we'd have to make a simpler version of each. Even something simple like |
No shelljs we implement this directly. Focus on the basic command first. In fact most Unix options are non standard - we can prefer the basic busybox standard. Get to it, no short cuts.
|
I was arguing against using |
pk secrets *
pk secrets *
pk secrets *
pk secrets *
I tested the ~$ polykey secrets edit my-new-vault:my-new-secret 2:28:12
ErrorPolykeyRemote: Remote error from RPC call
localHost ::1
localPort 51127
remoteHost ::1
remotePort 50053
command vaultsSecretsGet
timestamp Fri Jul 26 2024 02:28:50 GMT+0100 (Western European Summer Time)
cause: ErrorSecretsSecretUndefined: Secret does not exist - Secret with name: my-new-secret does not exist
cause: {"type":"ErrorEncryptedFSError","data":{"message":"ENOENT: no such file or directory, my-new-secret","timestamp":"2024-07-26T01:28:50.388Z","data":{},"stack":"ErrorEncryptedFSError: ENOENT: no such file or directory, my-new-secret\n at f._open (/Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2158:117625)\n at async /Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2158:115345\n at async Object.maybeCallback (/Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2155:21076)\n at async /Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2158:120774\n at async Object.maybeCallback (/Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2155:21076)\n at async /Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2283:135663\n at async /Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2246:8712\n at async withF (/Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:7:9819)\n at async Object.getSecret (/Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2283:135640)\n at async /Users/rulerpablo/.nvm/versions/node/v20.8.1/lib/node_modules/polykey-cli/dist/polykey.js:2283:142996","_errno":34,"_code":"ENOENT","_description":"no such file or directory","_syscall":"open"}}
~$
Current Command Behavior:
Suggested Feature:
Example of Expected Behavior / FunctionalityUsage of
|
You're being a little too verbose here. This can be condensed down into two points.
I do think we'll still need an So yeah, we probably want to keep the |
Generally speaking you rely on an environment variable: https://unix.stackexchange.com/questions/4859/visual-vs-editor-what-s-the-difference The "default" depends on some magic. Here's our list depending on the OS.
If the defaults cannot be found, you need to error out, indicating that no default editor could be found, and users can instead choose to set VISUAL, EDITOR or pass in the "editor" program with Furthermore it is important that the temporary being created can only be edited by the same user as the user who ran |
@tegefaulkes the spec is missing updating And it needs to be more intelligent about finding the Plus I think this is a bit more important than |
This issue has been made into a project, so this issue is now redundant. Closing. |
@aryanjassal can you also remove old commands like |
The |
Yep we should remove the |
I think based on the revaluation of secrets commands project spec, you should start being able to refactor the core architecture of the PK CLI and PK stuff too and not just on the outside. |
Specification
Standard unix commands include things like
cp
,mv
andls
.This allows users to interact with secret vaults as if they were real filesystems. (And they sort of are).
Imagine (IN ORDER OF PRIORITY):
I believe some of these commands were already implemented before in the old PK codebase. You have things like
pk secrets create
andpk secrets delete
.I believe there's a problem with doing this. We are reinventing the wheel, and we'll never cover all the commands that Unix already has.
This has the benefit of reusing context that developers already know and remember when interacting with a Unix shell.
But how do we do this without having to rewrite all the code? Luckily it seems someone has already done this.
See: https://github.com/shelljs/shelljs
It has implemented all the major Unix shell commands in raw JS.
The only problem that their command source code currently directly imports the native Node fs:
https://github.com/shelljs/shelljs/blob/79ae14d30d7ce4064de05d41c7889885326b6754/src/ls.js#L2
If we would want to use the
shelljs
library, we would need to globally mock the fs as described here: shelljs/shelljs#747 (comment)However that may be dangerous if that leaks into other places of the FS.
There is another alternative: https://github.com/dthree/cash. The difference between the 2 are: https://github.com/dthree/cash#doesnt-shelljs-do-this However I think it's even less integratable compared to
shelljs
.So it seems we would need to "extract" the command code from
shelljs
and place it into PK directly and thus enable us to change thefs
object to our Vault EFS.Note that we do not need all shell commands, just the major ones that relate to files, and doesn't change cwd context since we don't use that. Nothing that changes permissions is relevant to us. Process control is also not relevant.
One major difference is that our commands will have to traverse both vault filesystems and the real filesystem. For example
pk secrets mv vault1:/a ./a
which has to take a file from a vault to the real fs. The functionality to achieve this will also end up being used to do commands between vaults. Because theefs.mv
won't work between EFS instances anyway.Additional context
pk secrets ed
commandpk secrets env
command for meeting Development Environment Usecase #31 - Thepk secrets env
command is similar concept here replicating the Unix commandenv
pk secrets cat
command and composition of PK to other commandsSub issues
secrets write
command #242secrets cat
command #243secrets touch
command #244secrets ls
command #245secrets mkdir
command #246secrets rm
command #247secrets mv
command #248secrets cp
command #249Tasks
The text was updated successfully, but these errors were encountered: