env var with $ (dollar sign) is gobbled up from sops #1278

asmod3us opened this issue May 19, 2024 · 0 comments
asmod3us commented May 19, 2024

Describe the bug
Hello, I'm attempting to load an env var from sops. It's the output of argon2 key derivation, and contains dollar signs. E.g. (this is from a vaultwarden setup guide):

echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
# Output: $argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0

When set up with sops, this env var's value with a $ (dollar sign) is gobbled up somewhere between sops and direnv. I'm not entirely sure where the problem is; a few observations:

  • sops almost always strips quotes from literals in yaml. If you would use ' or " to quote the value, these are removed but I believe still correctly echoed by sops --decrypt. I suspect direnv dotenv bash /dev/stdin might be responsible for messing it up.

  • quoting the var with three single quotes '''$foo''' in sops yaml works:

TOKEN: '''$argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0'''

To Reproduce

Using age, sops and direnv with the use_sops helper function.

PUB_K=$(age-keygen -o key.txt 2>&1 | awk '/Public key:/ { print $3 }')
export SOPS_AGE_KEY_FILE="$PWD/key.txt"
cat <<'EOF' > foo.yaml
TOKEN: $argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0
EOF
export SOPS_AGE_RECIPIENTS=$PUB_K
sops -e -i foo.yaml

cat <<EOF > .envrc
use sops foo.yaml
EOF
direnv allow
echo $TOKEN

Observe the output:

=19=65540,t=3,p=4+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0

sops dotenv output looks like this:

sops --decrypt --output-type dotenv foo.yaml
TOKEN=$argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0

Expected behavior

I would like some input and propose documentation on how to properly quote this. While I have figured out a way with ''' I'm not even sure how exactly it works... Probably due to direnv dotenv using $'' style strings and ''' works like a quoted single quote in it?

Should loading direnv from stdin have a literal option?

Otherwise, what kind of quoting would work? I have attempted to just quote the dollar sign, e.g. with \$ in yaml, that did not work.

Environment

  • OS: macOS
  • Shell: zsh
  • Direnv version 2.34.0
@asmod3us asmod3us added the Bug label May 19, 2024
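
An added illustration, not part of the original issue and not direnv or sops code: the observed output is exactly what shell-style `$NAME` expansion yields when none of the names are set, and YAML decodes `'''x'''` to the string `'x'`, so the dotenv value arrives wrapped in single quotes. The function names are hypothetical, and the rule that a single-quoted dotenv value is taken literally is an assumption of this model.

```shell
#!/bin/sh
# Added illustration: a model of the behaviour reported above.
# Function names are hypothetical; this is not direnv's or sops' parser.

# The argon2 PHC string quoted in the issue (sample value from the page).
HASH='$argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0'

# Shell-style expansion when no referenced variable is set:
# every "$" followed by an identifier collapses to the empty string.
expand_unset() {
    printf '%s\n' "$1" | sed 's/\$[A-Za-z_][A-Za-z0-9_]*//g'
}

# Decode a YAML single-quoted scalar: strip the outer quotes, then '' -> '.
yaml_single_unquote() {
    printf '%s\n' "$1" | sed "s/^'//; s/'\$//; s/''/'/g"
}

# Assumed loader rule: a value wrapped in single quotes is taken literally,
# anything else goes through variable expansion.
load_value() {
    case $1 in
        \'*\') printf '%s\n' "$1" | sed "s/^'//; s/'\$//" ;;
        *)     expand_unset "$1" ;;
    esac
}

# Check for dotenv text on stdin: print the key of every KEY=VALUE line whose
# value contains "$" and is not single-quoted, i.e. would be altered on load.
flag_expandable() {
    while IFS= read -r line; do
        key=${line%%=*}
        value=${line#*=}
        case $value in
            \'*\') ;;                       # literal, left alone
            *\$*)  printf '%s\n' "$key" ;;  # would be expanded
        esac
    done
}

echo "unquoted: $(load_value "$HASH")"
echo "quoted:   $(load_value "$(yaml_single_unquote "'''$HASH'''")")"
```

`flag_expandable` prints only key names, so it can be run over decrypted dotenv output without echoing secret values.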