twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Cannot delete secret from MacOS Keyring using `chezmoi secret keyring delete` #3025

Closed owittek closed 1 year ago

owittek commented 1 year ago

Describe the bug

When setting a secret as described in the docs I can both get and set the secret but I can't delete it since "it does not exist" and I can't use it within a template for the same reason.

To reproduce

First bug:

  1. chezmoi secret keyring set --service=service --user=user
  2. chezmoi secret keyring delete --service=service --user=user

Second bug:

  1. chezmoi secret keyring set --service=service --user=user
  2. Create a .tmpl file with the following content:
    test = {{ .service.user }}
    test2 = {{ keyring "service" .service.user }}

Expected behavior

  1. I would expect that I can delete the secret that I have created

  2. I expect that either test or test2 is being detected since both of them are ways to access the keyring value if the docs are up to date.

Output of command with the --verbose flag

$ cat dot_myfile.tmpl | chezmoi --verbose execute-template 
chezmoi: template: stdin:2:18: executing "stdin" at <.service.user>: map has no entry for key "service"

$ chezmoi --verbose secret keyring delete --service service --user user
chezmoi: secret not found in keyring

Output of chezmoi doctor

$ chezmoi doctor

RESULT    CHECK                MESSAGE
ok        version              v2.33.6, commit 5bea2f925fc2b6fcf2ee116a20bae68869746787, built at 2023-05-15T17:36:14Z, built by Homebrew
ok        latest-version       v2.33.6
ok        os-arch              darwin/arm64
ok        uname                Darwin workBook.fritz.box 22.5.0 Darwin Kernel Version 22.5.0: Mon Apr 24 20:53:19 PDT 2023; root:xnu-8796.121.2~5/RELEASE_ARM64_T6020 arm64
ok        go-version           go1.20.4 (gc)
ok        executable           /opt/homebrew/bin/chezmoi
ok        upgrade-method       brew-upgrade
ok        config-file          no config file found
warning   source-dir           ~/.local/share/chezmoi is a git working tree (dirty)
warning   suspicious-entries   ~/.local/share/chezmoi/.chezmoi.toml
warning   working-tree         ~/.local/share/chezmoi is a git working tree (dirty)
ok        dest-dir             ~ is a directory
ok        umask                022
ok        cd-command           found /bin/zsh
ok        cd-args              /bin/zsh
info      diff-command         not set
ok        edit-command         found /opt/homebrew/bin/nvim
ok        edit-args            /opt/homebrew/bin/nvim
ok        git-command          found /usr/bin/git, version 2.39.2
ok        merge-command        found /usr/bin/vimdiff
ok        shell-command        found /bin/zsh
ok        shell-args           /bin/zsh
info      age-command          age not found in $PATH
ok        gpg-command          found /usr/local/MacGPG2/bin/gpg, version 2.2.41
info      pinentry-command     not set
info      1password-command    op not found in $PATH
info      bitwarden-command    bw not found in $PATH
info      dashlane-command     dcli not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      keeper-command       keeper not found in $PATH
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      passhole-command     ph not found in $PATH
info      rbw-command          rbw not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set

Additional context

When I show the value in the console it seems like some kind of broken character is being appended to the value, as my console shows a red box:

[screenshot of the console output]

halostatue commented 1 year ago

I can reproduce the inability to delete from the secret with 2.33.6:

$ chezmoi secret keyring set --service service --user user
Value: test
$ chezmoi secret keyring get --service service --user user
test␤
$ chezmoi secret keyring delete --service service --user user
chezmoi: secret not found in keyring
$ chezmoi execute-template '{{ keyring "service" "user" }}'
test␤
$ chezmoi secret keyring get --service service --user user | xxd
00000000: 7465 7374                                test

The character is a newline character added by my shell (fish). The red box on your console / shell is an indicator that it has added a newline because the value output by chezmoi does not include such. See the last line of the output (xxd).

What you’re seeing as the second error is an error in your template specification:

$ cat dot_myfile.tmpl | chezmoi --verbose execute-template 
chezmoi: template: stdin:2:18: executing "stdin" at <.service.user>: map has no entry for key "service"

This indicates that your chezmoi data ([data] in chezmoi.toml or values in .chezmoidata.toml or chezmoidata/service.toml) does not have a service key, so .service.user simply fails out because normal map reference resolution requires that all intermediate keys/structures exist and there’s nothing like .service?.user to have conditional success work (you can use the sprig dig function, but that has its own issues, too).

owittek commented 1 year ago

Hey, thanks for the quick response!

I in fact have not defined any data since I thought that setting the secret was enough.

Is there documentation on that which I have missed? In my opinion the documentation about the keyring is either insufficient or should at least link to a page that explains data since the template definitions I've tried are all the docs provide.

twpayne commented 1 year ago

Thank you for spotting this and thank you to @halostatue for the fast and accurate response :)

chezmoi was not parsing the --service and --user flags to chezmoi secret keyring delete correctly. #3027 should fix this.

In my opinion the documentation about the keyring is either insufficient or should at least link to a page that explains data since the template definitions I've tried are all the docs provide.

Could you be more specific about what you believe is missing? Have you seen chezmoi's templating guide? Even better, would you be able to submit a PR to improve the documentation?

halostatue commented 1 year ago

Hey, thanks for the quick response!

I in fact have not defined any data since I thought that setting the secret was enough.

It is, for a template that looks like {{ keyring "service" "user" }} using literal references. If you want to use variable references, you need to define the data as chezmoi data, which is what the .service.user notation means.

Is there documentation on that which I have missed? In my opinion the documentation about the keyring is either insufficient or should at least link to a page that explains data since the template definitions I've tried are all the docs provide.

We’ve had similar comments in the past, but I cannot think of how one would make parts of the documentation clearer, since the use of template functions that provide external data sources (like keyring) is "advanced" usage. Overall chezmoi templating starts with the [data] section of your chezmoi.toml, chezmoi.json, or chezmoi.yaml configuration file and is later put into .chezmoidata.$FORMAT or (as of recently) .chezmoi/KEY.$FORMAT files as needed…or pulled from external data sources.

The documentation example provided:

[github]
    user = {{ .github.user | quote }}
    token = {{ keyring "github" .github.user | quote }}

is expected to have been read after Templating > Template Data‡ so that it’s clear that .github.user would be defined as:

# ~/.config/chezmoi/chezmoi.toml
[data.github]
user = "halostatue"

I could maybe see the argument for an example that uses literal values, but ultimately I’m not sure that such an example would add sufficient value as to warrant its inclusion (especially as such a change would need to be considered for every external data function).

If you do have suggestions on either specific or overall improvements to the documentation, I encourage you to submit a new ticket or a PR with the changes, because we want the documentation to be accessible to all users.

‡ Although we do need to update the Template Data section to include notices about .chezmoidata/$KEY.$FORMAT files now…
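
The two ways of reaching the secret that the comments above describe (the literal `{{ keyring "service" "user" }}` form, and `.service.user`, which only resolves once a `[data.service]` entry exists) as an added Go text/template example, not chezmoi's own code: the `keyring` function here reads a constructed in-memory map instead of the macOS keychain, and the `missingkey=error` option is assumed to match chezmoi's default template settings.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"text/template"
)

// Constructed stand-in for the keychain: service -> user -> secret.
var fakeKeyring = map[string]map[string]string{"service": {"user": "test"}}

// keyringFunc has the shape of chezmoi's keyring template function
// (keyring SERVICE USER) but reads the constructed map above.
func keyringFunc(service, user string) (string, error) {
	if secret, ok := fakeKeyring[service][user]; ok {
		return secret, nil
	}
	return "", errors.New("secret not found in keyring")
}

// render executes text against data. missingkey=error (assumed to match
// chezmoi's default) turns a missing intermediate key such as .service
// into the "map has no entry for key" error seen in the issue.
func render(text string, data map[string]any) (string, error) {
	tmpl, err := template.New("stdin").Option("missingkey=error").
		Funcs(template.FuncMap{"keyring": keyringFunc}).Parse(text)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	literal := `{{ keyring "service" "user" }}`
	variable := `{{ keyring "service" .service.user }}`
	// Literal references need no chezmoi data at all.
	fmt.Println(render(literal, nil))
	// The variable form fails exactly like the report when [data.service] is absent...
	fmt.Println(render(variable, map[string]any{}))
	// ...and works once the data a chezmoi.toml [data.service] block would supply exists.
	fmt.Println(render(variable, map[string]any{"service": map[string]any{"user": "user"}}))
}
```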

owittek commented 1 year ago

I would love to help improve the docs but it's quite hard to do it if I don't even understand how to do something properly.

I think the confusing part in this section for me was that it is using both the data notation as well as the new keyring notation as well as mixing them both. It makes perfect sense to me now that you've explained it but I think the issue is that I assumed the notation meaning .service.user as I thought that chezmoi secret keyring might just save the key-value to data.

Maybe adding an example just using the keyring might help in that case.

I have also gone through the templating section and tried to define my own data in chezmoi.toml but it straight up didn't work for me as I understood it. But as mentioned above I don't even understand why it didn't work for me so it's impossible to improve the sections that I find troubling.