Make key for seal/unseal positional argument

* No current users so not a breaking change.
* Easier UX with less typing required.

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <[email protected]>

Author: alexellis

commands/secret_seal.go

@@ -10,42 +10,38 @@ import (
 )
 
 var (
-	sealPublicKeyPath string
-	sealKeyID         string
-	sealOutput        string
-	sealFromLiteral   []string
-	sealFromFile      []string
+	sealKeyID       string
+	sealOutput      string
+	sealFromLiteral []string
+	sealFromFile    []string
 )
 
 var secretSealCmd = &cobra.Command{
-	Use:   "seal",
+	Use:   "seal [public-key-file]",
 	Short: "Seal build secrets into an encrypted file",
 	Long:  "Seal key/value pairs using a public key. The output file can be included in a build tar or committed to git.",
 	Example: `  # Seal literal values
-  faas-cli secret seal \
-    --public-key ./key.pub \
+  faas-cli secret seal key.pub \
     --from-literal pip_token=s3cr3t \
     --from-literal npm_token=tok123
 
   # Seal from files (binary-safe)
-  faas-cli secret seal \
-    --public-key ./key.pub \
+  faas-cli secret seal key.pub \
     --from-file ca.crt=./certs/ca.crt \
     --from-literal api_key=sk-1234
 
   # Specify key ID and output path
-  faas-cli secret seal \
-    --public-key ./key.pub \
+  faas-cli secret seal key.pub \
     --key-id builder-key-1 \
     --from-literal token=s3cr3t \
     -o ./build/com.openfaas.secrets
 `,
+	Args:    cobra.ExactArgs(1),
 	RunE:    runSecretSeal,
 	PreRunE: preRunSecretSeal,
 }
 
 func init() {
-	secretSealCmd.Flags().StringVar(&sealPublicKeyPath, "public-key", "", "Path to the recipient's public key file")
 	secretSealCmd.Flags().StringVar(&sealKeyID, "key-id", "", "Key ID for rotation tracking (optional)")
 	secretSealCmd.Flags().StringVarP(&sealOutput, "output", "o", "com.openfaas.secrets", "Output file path")
 	secretSealCmd.Flags().StringArrayVar(&sealFromLiteral, "from-literal", nil, "Literal secret in key=value format (can be repeated)")
@@ -55,10 +51,6 @@ func init() {
 }
 
 func preRunSecretSeal(cmd *cobra.Command, args []string) error {
-	if sealPublicKeyPath == "" {
-		return fmt.Errorf("--public-key is required")
-	}
-
 	if len(sealFromLiteral) == 0 && len(sealFromFile) == 0 {
 		return fmt.Errorf("provide at least one secret via --from-literal or --from-file")
 	}
@@ -67,7 +59,7 @@ func preRunSecretSeal(cmd *cobra.Command, args []string) error {
 }
 
 func runSecretSeal(cmd *cobra.Command, args []string) error {
-	pubKey, err := os.ReadFile(sealPublicKeyPath)
+	pubKey, err := os.ReadFile(args[0])
 	if err != nil {
 		return fmt.Errorf("reading public key: %w", err)
 	}

commands/secret_seal_test.go

@@ -23,13 +23,12 @@ func TestSecretSealFromLiteral(t *testing.T) {
 
 	outPath := filepath.Join(dir, "com.openfaas.secrets")
 
-	sealPublicKeyPath = pubPath
 	sealKeyID = "test-key"
 	sealOutput = outPath
 	sealFromLiteral = []string{"pip_token=s3cr3t", "npm_token=tok123"}
 	sealFromFile = nil
 
-	if err := runSecretSeal(nil, nil); err != nil {
+	if err := runSecretSeal(nil, []string{pubPath}); err != nil {
 		t.Fatalf("runSecretSeal: %v", err)
 	}
 
@@ -73,13 +72,12 @@ func TestSecretSealFromFile(t *testing.T) {
 
 	outPath := filepath.Join(dir, "com.openfaas.secrets")
 
-	sealPublicKeyPath = pubPath
 	sealKeyID = ""
 	sealOutput = outPath
 	sealFromLiteral = []string{"token=abc"}
 	sealFromFile = []string{"ca.crt=" + certPath}
 
-	if err := runSecretSeal(nil, nil); err != nil {
+	if err := runSecretSeal(nil, []string{pubPath}); err != nil {
 		t.Fatalf("runSecretSeal: %v", err)
 	}
 
@@ -102,15 +100,9 @@ func TestSecretSealFromFile(t *testing.T) {
 }
 
 func TestSecretSealPreRunValidation(t *testing.T) {
-	sealPublicKeyPath = ""
 	sealFromLiteral = nil
 	sealFromFile = nil
 
-	if err := preRunSecretSeal(nil, nil); err == nil {
-		t.Fatal("expected error when --public-key is missing")
-	}
-
-	sealPublicKeyPath = "some.pub"
 	if err := preRunSecretSeal(nil, nil); err == nil {
 		t.Fatal("expected error when no secrets provided")
 	}

commands/secret_unseal.go

@@ -0,0 +1,70 @@
+package commands
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/openfaas/go-sdk/seal"
+	"github.com/spf13/cobra"
+)
+
+var (
+	unsealInput string
+	unsealKey   string
+)
+
+var secretUnsealCmd = &cobra.Command{
+	Use:   "unseal [private-key-file]",
+	Short: "Unseal and inspect a sealed secrets file",
+	Long:  "Decrypt a sealed secrets file using a private key and print the key/value pairs",
+	Example: `  # Print all secrets
+  faas-cli secret unseal key
+
+  # Print a single secret value
+  faas-cli secret unseal key --key pip_token
+
+  # Specify a different sealed file
+  faas-cli secret unseal key --in ./build/com.openfaas.secrets
+`,
+	Args: cobra.ExactArgs(1),
+	RunE: runSecretUnseal,
+}
+
+func init() {
+	secretUnsealCmd.Flags().StringVar(&unsealInput, "in", "com.openfaas.secrets", "Path to the sealed secrets file")
+	secretUnsealCmd.Flags().StringVar(&unsealKey, "key", "", "Unseal a single key (omit to print all)")
+
+	secretCmd.AddCommand(secretUnsealCmd)
+}
+
+func runSecretUnseal(cmd *cobra.Command, args []string) error {
+	privKey, err := os.ReadFile(args[0])
+	if err != nil {
+		return fmt.Errorf("reading private key: %w", err)
+	}
+
+	envelope, err := os.ReadFile(unsealInput)
+	if err != nil {
+		return fmt.Errorf("reading sealed file: %w", err)
+	}
+
+	if unsealKey != "" {
+		value, err := seal.UnsealKey(privKey, envelope, unsealKey)
+		if err != nil {
+			return err
+		}
+		fmt.Print(string(value))
+		return nil
+	}
+
+	values, err := seal.Unseal(privKey, envelope)
+	if err != nil {
+		return err
+	}
+
+	for k, v := range values {
+		fmt.Printf("%s=%s\n", k, string(v))
+	}
+
+	return nil
+}

commands/secret_unseal_test.go

@@ -0,0 +1,107 @@
+package commands
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/openfaas/go-sdk/seal"
+)
+
+func TestSecretUnsealAll(t *testing.T) {
+	dir := t.TempDir()
+
+	pub, priv, err := seal.GenerateKeyPair()
+	if err != nil {
+		t.Fatalf("GenerateKeyPair: %v", err)
+	}
+
+	privPath := filepath.Join(dir, "key")
+	if err := os.WriteFile(privPath, priv, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	sealed, err := seal.Seal(pub, map[string][]byte{
+		"token": []byte("s3cr3t"),
+		"url":   []byte("https://example.com"),
+	}, "test")
+	if err != nil {
+		t.Fatalf("Seal: %v", err)
+	}
+
+	sealedPath := filepath.Join(dir, "com.openfaas.secrets")
+	if err := os.WriteFile(sealedPath, sealed, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	unsealInput = sealedPath
+	unsealKey = ""
+
+	if err := runSecretUnseal(nil, []string{privPath}); err != nil {
+		t.Fatalf("runSecretUnseal: %v", err)
+	}
+}
+
+func TestSecretUnsealSingleKey(t *testing.T) {
+	dir := t.TempDir()
+
+	pub, priv, err := seal.GenerateKeyPair()
+	if err != nil {
+		t.Fatalf("GenerateKeyPair: %v", err)
+	}
+
+	privPath := filepath.Join(dir, "key")
+	if err := os.WriteFile(privPath, priv, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	sealed, err := seal.Seal(pub, map[string][]byte{
+		"token": []byte("s3cr3t"),
+	}, "")
+	if err != nil {
+		t.Fatalf("Seal: %v", err)
+	}
+
+	sealedPath := filepath.Join(dir, "com.openfaas.secrets")
+	if err := os.WriteFile(sealedPath, sealed, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	unsealInput = sealedPath
+	unsealKey = "token"
+
+	if err := runSecretUnseal(nil, []string{privPath}); err != nil {
+		t.Fatalf("runSecretUnseal: %v", err)
+	}
+}
+
+func TestSecretUnsealMissingKey(t *testing.T) {
+	dir := t.TempDir()
+
+	pub, priv, err := seal.GenerateKeyPair()
+	if err != nil {
+		t.Fatalf("GenerateKeyPair: %v", err)
+	}
+
+	privPath := filepath.Join(dir, "key")
+	if err := os.WriteFile(privPath, priv, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	sealed, err := seal.Seal(pub, map[string][]byte{"a": []byte("b")}, "")
+	if err != nil {
+		t.Fatalf("Seal: %v", err)
+	}
+
+	sealedPath := filepath.Join(dir, "com.openfaas.secrets")
+	if err := os.WriteFile(sealedPath, sealed, 0600); err != nil {
+		t.Fatalf("WriteFile: %v", err)
+	}
+
+	unsealInput = sealedPath
+	unsealKey = "nonexistent"
+
+	if err := runSecretUnseal(nil, []string{privPath}); err == nil {
+		t.Fatal("expected error for missing key")
+	}
+}