add admins to batch config

ysmood · Jan 10, 2024 · db72a18 · db72a18
1 parent 0756d41
commit db72a18
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -91,13 +91,20 @@ The input can also be file url.
 
 ### Agent and cache
 
-The agent server is used to cache the private key passphrase, so you don't have to retype it every time.
+The agent server is for caching the private key passphrase, so you don't have to retype it every time.
+To start the agent server, run:
 
 ```bash
 # Add the key to the agent.
 whisper -add ~/.ssh/id_ed25519
 ```
 
+To remove the key from the agent, run:
+
+```bash
+whisper -clear-cache
+```
+
 ### Batch encrypt and decrypt
 
 Create a json file `vault.json` with the content:
@@ -136,15 +143,17 @@ whisper vault/secrets/db.txt.wsp
 If you have a lot of members to manage, the batch config file supports grouping,
 the `$` prefix means a group name:
 
-```json
+```jsonc
 {
   "groups": {
     "$frontend": ["@mike", "@tim"],
-    "$backend": ["$frontend", "@jack"]
+    "$backend": ["$frontend", "@jack"] // group reference can be recursive
   },
+  "admins": ["@ci-robot"], // the users who can decrypt all the files
   "files": {
     "secrets/backend": ["$backend"],
-    "secrets/frontend": ["$frontend", "@tom"]
+    "secrets/frontend": ["$frontend", "@tom"],
+    "secrets/frontend/mongo": ["@joy"] // add the user to the file that is already set by previous line
   },
   "outDir": "vault"
 }

diff --git a/batch.go b/batch.go
@@ -18,6 +18,7 @@ import (
 
 type Batch struct {
 	Groups map[string][]string `json:"groups"`
+	Admins []string            `json:"admins"`
 	Files  map[string][]string `json:"files"`
 	OutDir string              `json:"outDir"`
 
@@ -109,6 +110,7 @@ func (b *Batch) ExpandFiles() (map[string][]string, error) { //nolint: gocognit
 
 	for p, members := range b.Files {
 		expanded := []string{}
+		members = append(members, b.Admins...)
 		for _, member := range members {
 			if strings.HasPrefix(member, "$") {
 				if _, ok := groups[member]; !ok {
@@ -150,14 +152,14 @@ func (b *Batch) ExpandFiles() (map[string][]string, error) { //nolint: gocognit
 					return err
 				}
 
-				expanded[path] = members
+				expanded[path] = append(expanded[path], members...)
 				return nil
 			})
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			expanded[p] = members
+			expanded[p] = append(expanded[p], members...)
 		}
 	}
 

diff --git a/lib/whisper.go b/lib/whisper.go
@@ -12,7 +12,7 @@ import (
 )
 
 const (
-	APIVersion        = "v0.8.1"
+	APIVersion        = "v0.8.2"
 	WireFormatVersion = byte(7)
 )