Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License

YAML support #175

Open mihai-stancu opened 3 weeks ago

mihai-stancu commented 3 weeks ago

Hello,

I saw a tentative successor app (ecfg) that was eventually abandoned back in 2021. Are there any (further) plans or alternatives for YAML support?

Currently a few design choices are making working with a wrapper script much harder:

So "on the fly conversion" from an eyaml file to ejson to be used with this tool requires a temporary file + writing back into the original file (when encrypting).

Thank you, Mihai

mihai-stancu commented 3 weeks ago

Example wrapper script for YAML:

```bash
#!/bin/bash -e
set -o pipefail

declare -A map   # eYAML path -> temporary eJSON file standing in for it
tmps=()
# One trap for all temporary files; setting it inside the loop would only remember the last one
trap 'rm -f "${tmps[@]}"' EXIT

eyaml_re='\.(eyml|eyaml)$'
args=("$@")
for i in "${!args[@]}"; do
  arg="${args[i]}"

  # Guard clause: skip anything that is not an existing eYAML file
  [[ -f "$arg" && "$arg" =~ $eyaml_re ]] || continue

  # Temporarily convert eYAML to eJSON (mktemp wants the X's at the end of the template)
  tmp=$(mktemp "${TMPDIR:-/tmp}/eyaml_XXXXXX")
  tmps+=("$tmp")
  yq -o json . "$arg" > "$tmp"

  # Hand ejson the eJSON file in place of the eYAML one
  args[i]="$tmp"
  map["$arg"]="$tmp"
done

case " $* " in
  # Encrypt in place, then convert the eJSON files back to eYAML
  *" encrypt "*)
    ejson "${args[@]}"   # under -e a failure exits here and nothing is written back

    for original in "${!map[@]}"; do
      yq -P . "${map[$original]}" > "$original"
    done
  ;;

  # Convert the decrypted JSON output to YAML
  *" decrypt "*)
    ejson "${args[@]}" | yq -P .
  ;;

  *)
    ejson "${args[@]}"
  ;;
esac
```

thepwagner commented 3 weeks ago

👋 there's nothing planned, but if these features are guarded by new flags/arguments PRs are welcome!

https://github.com/getsops/sops/ supports YAML+JSON among other formats, might be worth checking out.

mihai-stancu commented 3 weeks ago

Thank you for the prompt reply & the sops suggestion.

sops doesn't appear to allow team members to add new values; it has a checksum over the entire file and assumes the file will be decrypted when editing (with their handy `sops edit somefile.yml`).

I'll take a look at the ejson main package to see how hard adding yaml support would be.

Thank you!

mihai-stancu commented 2 weeks ago

From the architecture of the package I notice that there's a JSON walker implementation meant to take entries in the order they are found (to avoid randomizing the order of the output).

With that in mind, an eyaml implementation would either

The walker approach seems to dig fairly "deep" into the implementation. But the in-memory YAML & conversion seems wasteful.

Do you have a go/no-go for either of these?
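The order-preserving walk mentioned above, as an added example in Go that is not ejson's code or anything from this thread: it streams a JSON document token by token, applies a caller-supplied function to each string leaf in document order and re-emits the result compactly, so nothing is ever loaded into a Go map (whose iteration order is randomised). Leaving underscore-prefixed keys unencrypted follows ejson's convention; treating the whole subtree below such a key the same way, and the `transformLeaves` and `frame` names, are this example's assumptions.

```go
package main
import (
	"encoding/json"
	"io"
	"strings"
)

type frame struct {
	object, skip, skipAll bool // {} vs []; skip current value; skip whole container
	n                     int  // tokens seen inside this container so far
}
// transformLeaves streams JSON from in to out, applying fn to every string value in
// document order. No map is built, so key order survives the round trip.
func transformLeaves(in io.Reader, out io.Writer, fn func(string) string) error {
	dec := json.NewDecoder(in)
	dec.UseNumber()       // re-emit numbers exactly as written
	stack := []*frame{{}} // synthetic root so the current container is never nil
	for dec.More() || len(stack) > 1 { // More() is false at EOF and before a closing delimiter
		tok, err := dec.Token()
		if err != nil {
			return err
		}
		top := stack[len(stack)-1]
		if d, ok := tok.(json.Delim); ok && (d == '}' || d == ']') {
			stack = stack[:len(stack)-1]
			io.WriteString(out, string(d))
			continue
		}
		isKey := top.object && top.n%2 == 0
		if (isKey || !top.object) && top.n > 0 {
			io.WriteString(out, ",") // between siblings
		} else if top.object && !isKey {
			io.WriteString(out, ":") // between key and value
		}
		top.n++
		if d, ok := tok.(json.Delim); ok { // opening { or [ inherits skip from its key
			stack = append(stack, &frame{object: d == '{', skip: top.skip, skipAll: top.skip})
			io.WriteString(out, string(d))
			continue
		}
		if s, ok := tok.(string); ok && isKey {
			top.skip = top.skipAll || strings.HasPrefix(s, "_") // "_"-prefixed keys stay in the clear
		} else if ok && !top.skip {
			tok = fn(s) // a string leaf: this is where ejson would encrypt
		}
		b, _ := json.Marshal(tok) // keys, strings, numbers, bools and null are re-emitted
		out.Write(b)
	}
	return nil
}
```

Feeding it a constructed document with `fn` set to a stand-in such as `func(s string) string { return "ENC(" + s + ")" }` shows every non-underscore leaf rewritten while keys come out in their original order.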