From f33ef127e3d59251b8795ca39d72f9361826e441 Mon Sep 17 00:00:00 2001 From: Pierre Beucher Date: Wed, 27 Dec 2023 12:08:44 +0100 Subject: [PATCH] doc: sops additional_flags --- docs/src/config/sops.md | 32 ++++++++++++++++++++++++++++++-- src/modules/sops.rs | 23 ++++++++++++++--------- 2 files changed, 44 insertions(+), 11 deletions(-) diff --git a/docs/src/config/sops.md b/docs/src/config/sops.md index 33ddb8c..76b4a63 100644 --- a/docs/src/config/sops.md +++ b/docs/src/config/sops.md @@ -2,9 +2,10 @@ Load SOPS encryped values as files or environment variables. -- [Decryption](#decryption) +- [Requirements](#requirements) - [Load a single value](#load-a-single-value) - [Load entire file as dotenv](#load-entire-file-as-dotenv) +- [Pass additional flags to SOPS](#pass-additional-flags-to-sops) Example below consider example files: @@ -21,7 +22,9 @@ APP_TOKEN: secret APP_PASSWORD: xxx ``` -## Decryption +## Requirements + +You need `sops` CLI available locally as Novops will wrap calls to `sops --decrypt` under the hood. All SOPS decryptions methods are supported as would be done using CLI command `sops --decrypt`. See [SOPS official doc](https://github.com/getsops/sops) for details. 
@@ -83,3 +86,28 @@ environments: _Note: SOPS won't be able to decrypt complex or nested values (this is a SOPS limitation). Only dotenv-compatible files or file parts with extract can be used this way._ +## Pass additional flags to SOPS + +By default Novops will load SOPS secrets using `sops` CLI such as `sops --decrypt [FILE]`. It's possible to pass additional flags with `additional_flags`. + +**Warning:** it may break Novops loading mechanism if output is not as expected by Novops. Only use this if an equivalent feature is not already provided by a module option. Feel free to [create an issue](https://github.com/PierreBeucher/novops/issues) or [contribute](https://github.com/PierreBeucher/novops/blob/main/CONTRIBUTING.md) to add missing feature ! + +Example: enable SOPS verbose output + +```yaml +environments: + dev: + variables: + - name: SOPS_VALUE_WITH_ADDITIONAL_FLAGS + value: + sops: + file: path/to/encrypted.yml + extract: '["nested"]["data"]["nestedKey"]' + additional_flags: [ "--verbose" ] +``` + +Novops `debug` logging will show `sops` stdout and stderr: + +``` + +``` \ No newline at end of file diff --git a/src/modules/sops.rs b/src/modules/sops.rs index b73f9af..18a1ad1 100644 --- a/src/modules/sops.rs +++ b/src/modules/sops.rs @@ -33,7 +33,7 @@ pub struct SopsValueFromFile { * Additional flags passed to sops * after --decrypt --extract */ - additional_flag: Option>, + additional_flags: Option>, } /** @@ -52,7 +52,7 @@ pub struct SopsDotenvInput { /** * Additional flags passed to sops */ - additional_flag: Option>, + additional_flags: Option>, /** * Extract a specific field via --extract flag 
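Review bot: Renaming `additional_flag` to `additional_flags` in `SopsValueFromFile` (and in `SopsDotenvInput` in the next hunk) changes the configuration key users write, assuming these structs are deserialized by field name as the YAML example in the docs suggests. Existing configs that still use `additional_flag` would then either fail to load or have their flags dropped without notice, depending on how unknown fields are handled, which is not visible here. If the structs derive serde's `Deserialize`, adding `#[serde(alias = "additional_flag")]` on the renamed field keeps old configs working. Otherwise the rename deserves a changelog entry, since the commit subject marks this as a doc-only change.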
@@ -68,15 +68,18 @@ impl core::ResolveTo for SopsValueInput { return Ok(format!("RESULT:{:}:{:}", &self.sops.file, &self.sops.extract.clone().unwrap_or(String::from("")))); } - let mut args = vec![ - String::from("--decrypt") - ]; + let mut args = vec![]; // add --extract flag if specidief in input self.sops.extract.clone().map(|e| { args.push(String::from("--extract")); args.push(e); }); + + // Add additional flags if any + self.sops.additional_flags.clone().map(|af| { + args.extend(af); + }); let output = run_sops_decrypt(args, &self.sops.file).with_context(|| "Error running sops command.")?; @@ -92,12 +95,11 @@ impl core::ResolveTo> for SopsDotenvInput { if ctx.dry_run { return Ok(vec![VariableOutput { name: String::from("RESULT"), - value: format!("{}:{}", &self.file, &self.additional_flag.clone().unwrap_or(vec![]).join("-")) + value: format!("{}:{}", &self.file, &self.additional_flags.clone().unwrap_or(vec![]).join("-")) }]); } let mut args = vec![ - String::from("--decrypt"), String::from("--output-type"), String::from("dotenv") ]; @@ -108,7 +110,8 @@ impl core::ResolveTo> for SopsDotenvInput { args.push(e); }); - self.additional_flag.clone().map(|af| { + // Add additional flags if any + self.additional_flags.clone().map(|af| { args.extend(af); }); @@ -145,7 +148,6 @@ pub fn run_sops_decrypt(additional_args: Vec, file: &str) -> Result, file: &str) -> Result
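Review bot: The new `additional_flags` block appends the configured strings to the `sops` argument list without any check, so a flag that reformats or redirects output (for example `--output-type`, `--output` or `--in-place`) would leave Novops reading something other than the extracted secret, or leave plaintext on disk. Consider rejecting flags that Novops sets itself before extending `args`, or say in the field's doc comment that they are unsupported. The same applies to the `SopsDotenvInput` hunk further down, where the flags follow `--output-type dotenv`. Separately, `Option::map` is used here only for its side effect. Writing `if let Some(af) = &self.sops.additional_flags { args.extend(af.iter().cloned()); }` states the intent and avoids cloning the whole `Option`; the enclosing method starts and ends outside the hunk.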
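Review bot: With `String::from("--decrypt")` removed from this `args` vector and from the `SopsValueInput` one above, decryption now depends entirely on `run_sops_decrypt` adding the flag itself. Its hunk is cut off in this view, so confirm that it does, ideally with a test asserting that the final argument list begins with `--decrypt`. The docs added in this patch say debug logging shows `sops` stdout, and for a decrypt call stdout is the plaintext, so also check that `run_sops_decrypt` logs only stderr or redacts stdout. In the dry-run branch, `self.additional_flags.clone().unwrap_or(vec![]).join("-")` clones the vector only to join it; `self.additional_flags.as_deref().unwrap_or_default().join("-")` yields the same string without the copy. The enclosing method continues outside the hunk.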