shipper-cli 0.4.0

CLI adapter for Shipper; install the user-facing `shipper` package unless embedding the adapter.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96

//! State-encryption configuration check.

use shipper_core::types::RuntimeOptions;

use crate::doctor::findings::{Finding, FindingLevel};

#[derive(Debug, serde::Serialize)]
pub(in crate::doctor) struct EncryptionCheck {
    pub enabled: bool,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key_source: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub env_var: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub key_present: Option<bool>,
    pub findings: Vec<Finding>,
}

pub(in crate::doctor) fn check(opts: &RuntimeOptions) -> Vec<Finding> {
    let check = inspect(opts);
    if check.enabled {
        println!();
        println!("encryption: enabled");
        if let Some(key_source) = &check.key_source {
            match key_source.as_str() {
                "config" => println!("encryption_key_source: config"),
                "env" => {
                    if let Some(env_var) = &check.env_var {
                        println!("encryption_key_source: env ({})", env_var);
                    }
                    if let Some(present) = check.key_present {
                        println!("encryption_key_present: {}", present);
                    }
                }
                _ => {}
            }
        }
    }
    check.findings
}

pub(in crate::doctor) fn inspect(opts: &RuntimeOptions) -> EncryptionCheck {
    let mut findings = Vec::new();
    if !opts.encryption.enabled {
        return EncryptionCheck {
            enabled: false,
            key_source: None,
            env_var: None,
            key_present: None,
            findings,
        };
    }

    if opts.encryption.passphrase.is_some() {
        return EncryptionCheck {
            enabled: true,
            key_source: Some("config".to_string()),
            env_var: None,
            key_present: Some(true),
            findings,
        };
    } else if let Some(ref env_var) = opts.encryption.env_var {
        let present = std::env::var(env_var).is_ok();
        if !present {
            findings.push(Finding {
                id: "encryption-key-missing",
                severity: FindingLevel::Blocked,
                status: FindingLevel::Blocked,
                title: "state encryption key is missing",
                why_it_matters:
                    "encrypted state cannot be written or resumed unless the configured key source is present",
                evidence: format!("encryption_key_present: false ({env_var})"),
                try_next: vec![
                    "set the configured encryption environment variable",
                    "or disable state encryption for this run",
                    "rerun `shipper doctor`",
                ],
                docs: Some("docs/configuration.md"),
            });
        }
        return EncryptionCheck {
            enabled: true,
            key_source: Some("env".to_string()),
            env_var: Some(env_var.clone()),
            key_present: Some(present),
            findings,
        };
    }
    EncryptionCheck {
        enabled: true,
        key_source: None,
        env_var: None,
        key_present: None,
        findings,
    }
}