pantheon-systems / terminus-secrets-plugin Goto Github PK

I have installed the secrets plugins but the command doesn't register in terminus 3.

ls -la ~/.terminus/plugins/terminus-secrets-plugin/
total 28
drwxr-xr-x 8 circleci circleci  205 Dec 13 14:24 .
drwxr-xr-x 3 circleci circleci   37 Dec 13 14:24 ..
drwxr-xr-x 2 circleci circleci   49 Feb 22  2019 .circleci
drwxr-xr-x 2 circleci circleci   42 Feb 22  2019 Commands
-rw-r--r-- 1 circleci circleci 1368 Feb 22  2019 composer.json
-rw-r--r-- 1 circleci circleci  571 Dec 13 14:24 composer.lock
-rw-r--r-- 1 circleci circleci 1254 Feb 22  2019 CONTRIBUTING.md
-rw-r--r-- 1 circleci circleci   30 Feb 22  2019 .gitignore
-rw-r--r-- 1 circleci circleci 1075 Feb 22  2019 LICENSE
-rw-r--r-- 1 circleci circleci 4502 Feb 22  2019 README.md
drwxr-xr-x 3 circleci circleci   22 Feb 22  2019 src
drwxr-xr-x 4 circleci circleci   42 Feb 22  2019 tests
drwxr-xr-x 4 circleci circleci   34 Feb 22  2019 tools
drwxr-xr-x 3 circleci circleci   42 Dec 13 14:24 vendor

When I try the secrets namespace

terminus secrets


  Command "secrets" is not defined.

Step to reproduce:

1. Have different versions of secrets.json on live and dev.
2. Ensure you can read the secrets of dev via the terminus plugin.
3. Clone database and files from live to dev.
4. Trying to read secrets via the terminus plugin but fails and return an empty result
5. You can fix the issue by SFTPing into dev and overwriting the
   secrets.json file with anything that has valid json. After this, you will be able to read secrets.json again via terminus.

Result:
https://screencast.com/t/qAoHvpRX7

I didn't get any errors but I'm not sure yet if the empty results when running the secrets.js
could be related to the bug filed by Nicolas Bowers - #10. Updating it via sftp indeed fixed the problem. Something in the file not being read by quicksilver.

The 'Usage' section of the project's README.md presents example commands that do not exactly match the description for those commands: the descriptions use a site name of sitename, and the commands use a site name of site.

Patch forthcoming.

Perhaps this should wait until the 1.0 launch?

A Drupal 8 example problem

Say I want to keep the SMTP Authentication config out of the database to make sure that database dumps do not copy credentials around. (Using Quicksilver to sanitize is good, but still leaves the case of direct DB access). I know that Lockr + the key module is the best approach, but SMTP and many other modules do not support it yet unfortunately.

What if the sites/default/settings.php were to parse the secrets.json for entries like:

{ "drupal_settings": 
    { "smtp.settings": 
        { "smtp_username": "foo", ... }}}

Does this sound like a reasonable way to contain Drupal config to a given Pantheon environment? Am I missing an easier way to do this that is already available?

Right now this is what I get:

Connected to appserver.dev.e8f753e4-afab-460c-9820-610977cba313.drush.in.
Couldn't stat remote file: No such file or directory
File "/srv/bindings/3b30e826a0ae45e6bcd524afb3971c34/files/secrets.json" not found.
Connected to appserver.dev.e8f753e4-afab-460c-9820-610977cba313.drush.in.
Couldn't stat remote file: No such file or directory

Running 0.13.3 on OS X (installed via Homebrew). terminus secrets show throws a fatal error:

PHP Fatal error: Uncaught Error: Class 'Terminus\Models\Collections\Sites' not found in /Users/gchaix/terminus/plugins/terminus-secrets-plugin/Commands/SecretsCommand.php:33

Changing line 10 of SecretsCommand.php from use Terminus\Models\Collections\Sites; to use Terminus\Collections\Sites; resolves the issue.

Currently on Terminus 3.0.6.

When I run the documented install command, terminus self:plugin:install pantheon-systems/terminus-secrets-plugin, I get the following error:

[error] Please update Composer to enable plugin management. Run composer self-update.

Composer has been updated to 2.2.8, but running the install command for the plugin continues to give the error to update Composer.

Problem

Also, be aware that your secrets may be overwritten by filesystem sync operations. For instance, if you check the "pull files and database from Live" option when deploying to TEST, that will overwrite the TEST env with secrets (or a lack thereof) in LIVE. If you intend to use secrets.json for production, make sure you set the same file in all environments to avoid confusion.

Not trying to be negative here, but this is a really bad design/workflow.

1. The Pantheon Dashboard already has both the database and files checked when one decides to clone from live down to dev/test.
2. There's absolutely no messaging on the Dashboard that indicates syncing files could be disastrous to the current workflow.
3. Devs may not know (new) or even remember (old) the special caveat of how syncing down files will overwrite these secrets that were painfully setup.
4. Completely prevents the legitimate need to sync files downstream to other instances.
5. All it takes it one accidental mistake to destroy absolutely everything.

Solution

It's really simple: include the environment in the filename: secrets.{PANTHEON_ENV}.json

secrets.custom-multidev.json
secrets.dev.json
secrets.test.json
secrets.live.json

That way, even if they are synced down, they don't overwrite each other and the plugin always choses the correct one based on the environment being targeted.

I'm running the command and getting the following error:

terminus secrets:set persch-bikes.dev    loader_test_config_id  xxxxxxxxxxxxxxxxxxxxxxxxxxxxx   
receiving file list ... 
1 file to consider
rsync: mkstemp "/private/var/folders/f7/_swx4fg57y50ptr577xbbtsw0000gn/T/phpkMjKlo/../tmp//.secrets.json.pwESEB" failed: No such file or directory (2)
          95 100%   92.77kB/s    0:00:00 (xfer#1, to-check=0/1)

sent 48 bytes  received 190 bytes  52.89 bytes/sec
total size is 95  speedup is 0.40
rsync error: some files could not be transferred (code 23) at /BuildRoot/Library/Caches/com.apple.xbs/Sources/rsync/rsync-47/rsync/main.c(1400) [generator=2.6.9]
 [error]  Command `rsync -rlvz --size-only --ipv4 --progress --exclude=.git -e 'ssh -p 2222' dev.ea21264c-92c4-41db-b0a2-ba0a5714ad3b@appserver.dev.ea21264c-92c4-41db-b0a2-ba0a5714ad3b.drush.in:files/private/secrets.json --temp-dir=../tmp/  /private/var/folders/f7/_swx4fg57y50ptr577xbbtsw0000gn/T/phpkMjKlo` failed with exit code 23 

It looks as though the plugin is attempted to rysnc down to a local directory /private/var/folders/f7/_swx4fg57y50ptr577xbbtsw0000gn/T/phpkMjKlo.

/private/var/folders/f7/_swx4fg57y50ptr577xbbtsw0000gn/T/ exists for me locally but not
/private/var/folders/f7/_swx4fg57y50ptr577xbbtsw0000gn/T/phpkMjKlo

Could this be a permissions issue for me locally? I use this plugin in a few CircleCI scripts without a problem.

The readme say the path for the secrets.json is ~/files/private/secrets.json but while loading it in a php file I found out that it should be /files/private/secrets.json