🐛 Fix env force bug

Author: bdsoha

cmd/info/version.go

@@ -1,3 +1,3 @@
 package info
 
-var Version = "0.0.41"
+var Version = "0.0.42"

cmd/secrets/secrets_test.go

@@ -57,7 +57,7 @@ func TestSecretsCommand(t *testing.T) {
 		assert.NilError(t, err)
 
 		output := strings.TrimSpace(buffer.String())
-		assert.Assert(t, strings.Count(output, "$") == 2)
+		assert.Assert(t, strings.Count(output, "$") == 1)
 		assert.Assert(t, !strings.Contains(output, "Encrypted"))
 	})
 
@@ -112,9 +112,9 @@ func TestSecretsCommand(t *testing.T) {
 
 		encrypted := strings.TrimSpace(encryptBuffer.String())
 		parts := strings.Split(encrypted, "$")
-		assert.Equal(t, 3, len(parts))
+		assert.Equal(t, 2, len(parts))
 
-		multilineEncrypted := parts[0] + "\n  \t$" + parts[1] + "\n  \t$" + parts[2] + "\n"
+		multilineEncrypted := parts[0] + "\n  \t$" + parts[1] + "\n"
 
 		resetCommandFlags(SecretsCmd)
 

cmd/secrets/vault.go

@@ -2,6 +2,7 @@ package secrets
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	internalSecrets "github.com/kloudkit/ws-cli/internals/secrets"
@@ -71,16 +72,27 @@ func init() {
 	vaultCmd.Flags().Bool("stdout", false, "Output decrypted values to stdout")
 }
 
+func sortedKeys(m map[string]string) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	slices.Sort(keys)
+	return keys
+}
+
 func printStdoutResults(cmd *cobra.Command, results map[string]string, raw bool) {
-	for key, value := range results {
+	for _, key := range sortedKeys(results) {
+		value := results[key]
 		output := internalSecrets.FormatSecretForStdout(key, value, raw)
 		fmt.Fprint(cmd.OutOrStdout(), output)
 	}
 }
 
 func printVaultSuccess(cmd *cobra.Command, results map[string]string) {
 	fmt.Fprintln(cmd.OutOrStdout(), styles.Success().Render("✓ Vault processed successfully"))
-	for key, dest := range results {
+	for _, key := range sortedKeys(results) {
+		dest := results[key]
 		displayDest := dest
 		if after, ok := strings.CutPrefix(dest, "env:"); ok {
 			displayDest = fmt.Sprintf("env:%s", after)

internals/secrets/crypto.go

@@ -39,8 +39,7 @@ func Encrypt(plainText []byte, masterKey []byte) (string, error) {
 
 	cipherText := aesGCM.Seal(nonce, nonce, plainText, nil)
 
-	return fmt.Sprintf("%d$%s$%s",
-		argon2.Version,
+	return fmt.Sprintf("%s$%s",
 		base64.RawStdEncoding.EncodeToString(salt),
 		base64.RawStdEncoding.EncodeToString(cipherText)), nil
 }
@@ -56,21 +55,16 @@ func NormalizeEncrypted(encrypted string) string {
 
 func Decrypt(encodedValue string, masterKey []byte) ([]byte, error) {
 	parts := strings.Split(encodedValue, "$")
-	if len(parts) != 3 {
+	if len(parts) != 2 {
 		return nil, fmt.Errorf("invalid encrypted format")
 	}
 
-	expectedVersion := fmt.Sprintf("%d", argon2.Version)
-	if parts[0] != expectedVersion {
-		return nil, fmt.Errorf("unsupported algorithm version: %s (expected %s)", parts[0], expectedVersion)
-	}
-
-	salt, err := base64.RawStdEncoding.DecodeString(parts[1])
+	salt, err := base64.RawStdEncoding.DecodeString(parts[0])
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode salt: %w", err)
 	}
 
-	cipherTextWithNonce, err := base64.RawStdEncoding.DecodeString(parts[2])
+	cipherTextWithNonce, err := base64.RawStdEncoding.DecodeString(parts[1])
 	if err != nil {
 		return nil, fmt.Errorf("failed to decode ciphertext: %w", err)
 	}

internals/secrets/crypto_test.go

@@ -13,7 +13,7 @@ func TestEncryptDecrypt(t *testing.T) {
 
 	encrypted, err := Encrypt([]byte(plainText), masterKey)
 	assert.NilError(t, err)
-	assert.Assert(t, strings.Count(encrypted, "$") == 2)
+	assert.Assert(t, strings.Count(encrypted, "$") == 1)
 
 	decrypted, err := Decrypt(encrypted, masterKey)
 	assert.NilError(t, err)
@@ -53,15 +53,6 @@ func TestDecryptErrors(t *testing.T) {
 	}
 }
 
-func TestDecryptUnsupportedVersion(t *testing.T) {
-	masterKey := make([]byte, 32)
-
-	encryptedValue := "999$dGVzdA$dGVzdA"
-
-	_, err := Decrypt(encryptedValue, masterKey)
-	assert.ErrorContains(t, err, "unsupported algorithm version")
-}
-
 func TestHashPasswordForWorkspace(t *testing.T) {
 	hash, err := HashPasswordForWorkspace("testpassword123")
 	assert.NilError(t, err)

internals/secrets/vault.go

@@ -183,6 +183,7 @@ func GetSecretKeys(vault *Vault, requestedKeys []string) []string {
 	for key := range vault.Secrets {
 		keys = append(keys, key)
 	}
+	slices.Sort(keys)
 
 	return keys
 }
@@ -210,6 +211,8 @@ func ProcessVault(vault *Vault, opts ProcessOptions) (map[string]string, error)
 			return nil, err
 		}
 
+		effectiveForce := opts.Force || secret.Force
+
 		encryptedValue := NormalizeEncrypted(secret.Encrypted)
 
 		decrypted, err := Decrypt(encryptedValue, opts.MasterKey)
@@ -228,12 +231,12 @@ func ProcessVault(vault *Vault, opts ProcessOptions) (map[string]string, error)
 		}
 
 		if secret.Type == TypeEnv {
-			if err := ProcessEnvSecret(secret.Destination, decrypted, opts.Force); err != nil {
+			if err := ProcessEnvSecret(secret.Destination, decrypted, effectiveForce); err != nil {
 				return nil, fmt.Errorf("failed to process env secret %q: %w", key, err)
 			}
 			results[key] = fmt.Sprintf("env:%s", secret.Destination)
 		} else {
-			if err := internalIO.WriteSecureFile(secret.Destination, decrypted, mode, opts.Force); err != nil {
+			if err := internalIO.WriteSecureFile(secret.Destination, decrypted, mode, effectiveForce); err != nil {
 				return nil, fmt.Errorf("failed to write secret %q: %w", key, err)
 			}
 			results[key] = secret.Destination