twpayne/chezmoi

Initial templating with autoPush or autoCommit

Closed this issue · 2 comments

Is your feature request related to a problem? Please describe.

A chezmoi setup which would autoCommit or autoPush changes leaves the user without either of the following:

  • When adding any file as a template to chezmoi, no option is provided to add any templating before commit
  • When editing an unmanaged file, no option is provided to add this file to chezmoi as a template

Currently there is no trivial workflow for either of the above, or it is not communicated well enough in the docs.

Describe the solution you'd like

When adding a file as a template, I'd like the chance to remove any secrets it might contain or implement any logic I'd like, since most of the time the file already exists in the system, i.e. chezmoi add --template .mydotfile should open the file for editing if the autoPush or autoCommit option is set.
Or when editing an (unmanaged) file which might contain secrets, I'd like the option to convert it into a template, i.e. chezmoi edit --template .mydotfile would modify the file to dot_mydotfile.tmpl from dot_mydotfile.

Describe alternatives you've considered

Provide clear documentation on how to add an existing file which might contain secrets.

chezmoi add already includes secret scanning from https://github.com/gitleaks/gitleaks, and will warn you by default if it detects any secrets. You can set add.secrets to error to cause chezmoi to terminate with an error instead.

When adding a file as a template, I'd like the chance to remove any secrets it might contain or implement any logic I'd like, since most of the time the file already exists in the system, i.e. chezmoi add --template .mydotfile should open the file for editing if the autoPush or autoCommit option is set.

This adds extra workflow steps that all users would have to suffer, and does not solve the problem of secrets in non-template files.

Or when editing an (unmanaged) file which might contain secrets, I'd like the option to convert it into a template, i.e. chezmoi edit --template .mydotfile would modify the file to dot_mydotfile.tmpl from dot_mydotfile.

Use chezmoi add --template .mydotfile for this, then run chezmoi edit .mydotfile.

But, if you're concerned about leaking secrets, simply don't use git.autoPush. Use git.autoCommit instead, check the diffs before you push them, and then run chezmoi git push.
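As an added illustration (not part of the thread, and not chezmoi's own documentation), the two configurations being contrasted above, written for the default config file path ~/.config/chezmoi/chezmoi.toml:

```toml
# Setting that the original poster worries about: every `chezmoi add` is
# committed and pushed immediately, and a detected secret only produces a
# warning, so it can reach the remote before anyone reviews the diff.
# [git]
#     autoCommit = true
#     autoPush = true
# [add]
#     secrets = "warning"   # chezmoi's default

# Safer combination described in the reply: commit automatically, but keep
# the push manual (review with `chezmoi git -- diff origin/main`, then
# `chezmoi git push`), and make gitleaks detection abort the add entirely
# so a file containing a secret never enters the git history.
[git]
    autoCommit = true
    autoPush = false

[add]
    secrets = "error"
```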

Hi @twpayne,
Great pieces of information, this will definitely give the desired behaviour. Thank you.

tl;dr

However, let me push this topic just a tiny bit further. Just for the sake of mental gymnastics on UX and security.

This adds extra workflow steps that all users would have to suffer, and does not solve the problem of secrets in non-template files.

In the first line of your response you just described the feature that could prevent the extra step with git.autoPush/git.autoCommit on. Combining the secret scanning and the error throwing as default behaviour for these switches would make a security measure/feature. I could imagine a workflow something like this:

  • Add file
  • Check for secrets, then:
    • If there is no secret, good, let chezmoi push/commit.
    • If you have a secret in the file and it's detected, as a default behaviour chezmoi could/should throw an error or ask for user input if the user wants to edit the file.

Alternatively, perhaps there could be an --interactive switch for editing the template directly, so chezmoi's workflow saves the extra step for the user who adds a file that must be edited.

Use chezmoi add --template .mydotfile for this, then run chezmoi edit .mydotfile.

This could work with an already added file, but for unmanaged ones there is an error raised.
As a result, one can't add unmanaged files with secrets in them with git.autoCommit=true/git.autoPush=true again, as they are stored immediately with chezmoi add.
From a security perspective, even just committing anything containing a secret still implies a security concern, as the secret is visible in the git history; simply modifying and committing the file again afterwards is not enough. One must take extra steps.
For a first-time user, especially a relative beginner, this is an issue if the mentioned user thinks he could use chezmoi in an "edit and forget" manner with git.autoPush=true, and from a user perspective, why shouldn't he, since there is a great feature provided for that.

But, if you're concerned about leaking secrets, simply don't use git.autoPush. Use git.autoCommit instead, check the diffs before you push them, and then run chezmoi git push.

With git.autoCommit the user is in the same situation. His life won't be easy, as every time he has to add a file with a secret he must do the following workflow:

  1. add a file, which is being committed automatically
  2. then the user needs to edit the file manually without chezmoi, as the edit command would result in another commit, hence the secret would still be in the git history
  3. amend the commit manually
  4. and then push.

So instead of being able to edit the file straight away and then commit and push with git.autoPush, the given user is forced to do 3 extra steps instead of a 1-step workflow.
In the end, you are basically left with 1 option: to use autoAdd, then commit, then push, so the UX is still as cumbersome as before.