feat: implement `file` template function #394
@mflendrich @rainest How does this implementation look to you? I'm looking for some early feedback. I intend to add tests for this once this approach looks good.
Codecov Report
@@ Coverage Diff @@
## main #394 +/- ##
==========================================
- Coverage 53.59% 47.06% -6.54%
==========================================
Files 62 87 +25
Lines 5034 6440 +1406
==========================================
+ Hits 2698 3031 +333
- Misses 2037 3043 +1006
- Partials 299 366 +67
I think that allowing arbitrary FS access is a big deal from the security perspective: I am not convinced that benefits outweigh the security opportunity cost, considering the following alternative solution:

You can achieve the equivalent result using #286 by reading the file into an environment variable

```
env "DECK_FILE_AAA=$(cat /my/file.pem)" "DECK_FILE_BBB=$(cat /my/other/file.pem)" deck sync ...
```

and then using the `env` substitution function. This should be enough for CI use.

The solution described above seems to solve the problem pointed out in #91, at the same time not permitting unbounded FS access for a user who controls the decK file.

That's a -1 from me for implementing the `file` template function, because of that security concern.
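The trade-off raised in this review, as an added example in Go (not code from this PR or from decK): a `text/template` renderer in which `env` resolves only variables the invoking user exported, next to the unbounded `file` function. The `render` helper, the `allowFile` switch and the `DECK_` prefix check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template"
)

// envPrefix is an assumption for this example, taken from the DECK_FILE_AAA
// name used in the review comment; it is not read from decK's source.
const envPrefix = "DECK_"

// render expands a state-file template. With allowFile=false only env is
// registered, so the template author can reach nothing beyond the variables
// the invoking user chose to export.
func render(src string, allowFile bool) (string, error) {
	funcs := template.FuncMap{
		"env": func(key string) (string, error) {
			if !strings.HasPrefix(key, envPrefix) {
				return "", fmt.Errorf("env: %q lacks prefix %s", key, envPrefix)
			}
			v, ok := os.LookupEnv(key)
			if !ok {
				return "", fmt.Errorf("env: %q is not set", key)
			}
			return v, nil
		},
	}
	if allowFile {
		// Unbounded variant under review: any path the process can read.
		funcs["file"] = func(path string) (string, error) {
			b, err := os.ReadFile(path)
			return string(b), err
		}
	}
	t, err := template.New("state").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err // an unregistered function fails here, at parse time
	}
	var out strings.Builder
	err = t.Execute(&out, nil)
	return out.String(), err
}

func main() {
	os.Setenv("DECK_FILE_AAA", "constructed-pem-body") // constructed sample value
	fmt.Println(render(`cert: {{ env "DECK_FILE_AAA" }}`, false))
	fmt.Println(render(`cert: {{ file "/my/file.pem" }}`, false))
}
```

With `allowFile` set to false, a template that calls `file` is rejected at parse time, while one that calls `env` can only see values the person running the tool placed in the environment.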
Does loading them into environment variables change anything? The user running deck needs read permissions to the file whether they're cat-ing them into the environment before invoking deck or having deck load them in via the template. While env loading can achieve the same, it could be a bit unwieldy with large numbers of certs.

Holding off on this for now.
Fix #91