From 948cf4fb71cf1d81b633221fd17b386407c9385d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Sat, 9 Sep 2023 10:48:13 +0200
Subject: [PATCH] `secrets+*-import://` added syntax checks

---
 CHANGELOG.md                   |  3 +++
 scripts/commands/downloader.sh | 22 ++++++++++++++++++++++
 tests/unit/template.bats       | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2ac9d37a..9ef8b72c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- `secrets+*-import://` added syntax checks
+
 ## [4.5.0] - 2023-08-14
 
 ### Added
diff --git a/scripts/commands/downloader.sh b/scripts/commands/downloader.sh
index 6338ae54..a9bd7f4a 100755
--- a/scripts/commands/downloader.sh
+++ b/scripts/commands/downloader.sh
@@ -40,6 +40,11 @@ downloader() {
         _key_path=$(printf '%s' "${_key_and_file}" | cut -d '?' -f1)
         file=$(printf '%s' "${_key_and_file}" | cut -d '?' -f2-)
 
+        # check if key file is given
+        if [ "${_key_path}" = "${file}" ]; then
+            fatal "Invalid syntax: secrets+gpg-import://[path to key]?[path secrets.yaml]"
+        fi
+
         if ! _key_location_allowed "${_key_path}"; then
             fatal "Key location '%s' is not allowed" "${_key_path}"
         fi
@@ -67,6 +72,12 @@ downloader() {
         _key_location=$(printf '%s' "${_key_and_file}" | cut -d '?' -f1)
         file=$(printf '%s' "${_key_and_file}" | cut -d '?' -f2-)
 
+
+        # check if key file is given
+        if [ "${_key_location}" = "${file}" ]; then
+            fatal "Invalid syntax: secrets+gpg-import-kubernetes://[path to key]?[path secrets.yaml]"
+        fi
+
         _gpg_init_kubernetes "${_key_location}"
         ;;
     secrets+age-import://*)
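Review bot: The guard `if [ "${_key_path}" = "${file}" ]` in the `@@ -40` hunk only detects a missing `?` separator (without a delimiter `cut -f1` and `cut -f2-` both return the whole string), so `secrets+gpg-import://?secrets.yaml` and `secrets+gpg-import://key.asc?` still pass and hand an empty key path or an empty secrets path on to `_key_location_allowed` and the backend. If empty components are not meant to be valid, widen the check to `if [ -z "${_key_path}" ] || [ -z "${file}" ] || [ "${_key_path}" = "${file}" ]; then`, and add a comment such as `# a URL without '?' makes both cut calls return the whole string` so the equality test is not mistaken for a file-existence check. The `@@ -67`, `@@ -91` and `@@ -118` hunks (the `-kubernetes` and `age` arms) repeat the same four lines verbatim, so the fix belongs in each, or better in one helper such as `_require_key_and_file "${_key_path}" "${file}" "secrets+gpg-import://"` that all four arms call. `downloader()` starts and ends outside this hunk.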
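Review bot: The `fatal` message in the `@@ -67` hunk says `[path to key]`, but the value is `_key_location` and is passed to `_gpg_init_kubernetes`, which the hunk does not show; if that helper expects a Kubernetes secret reference rather than a file path, the placeholder will misdirect users. Consider naming the placeholder after what the backend actually accepts, e.g. `secrets+gpg-import-kubernetes://[key location]?[path to secrets.yaml]`, and the same for the `@@ -118` hunk. This hunk also adds an extra `+` blank line directly after `file=` that the non-kubernetes arm in `@@ -40` does not have, which leaves two consecutive blank lines; dropping it keeps the four arms uniform.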
@@ -91,6 +102,11 @@ downloader() {
         _key_path=$(printf '%s' "${_key_and_file}" | cut -d '?' -f1)
         file=$(printf '%s' "${_key_and_file}" | cut -d '?' -f2-)
 
+        # check if key file is given
+        if [ "${_key_path}" = "${file}" ]; then
+            fatal "Invalid syntax: secrets+age-import://[path to key]?[path secrets.yaml]"
+        fi
+
         if ! _key_location_allowed "${_key_path}"; then
             fatal "Key location '%s' is not allowed" "${_key_path}"
         fi
@@ -118,6 +134,12 @@ downloader() {
         _key_location=$(printf '%s' "${_key_and_file}" | cut -d '?' -f1)
         file=$(printf '%s' "${_key_and_file}" | cut -d '?' -f2-)
 
+
+        # check if key file is given
+        if [ "${_key_location}" = "${file}" ]; then
+            fatal "Invalid syntax: secrets+age-import-kubernetes://[path to key]?[path secrets.yaml]"
+        fi
+
         _age_init_kubernetes "${_key_location}"
         ;;
     secrets+literal://*)
diff --git a/tests/unit/template.bats b/tests/unit/template.bats
index 80e1bc0f..5e980ced 100755
--- a/tests/unit/template.bats
+++ b/tests/unit/template.bats
@@ -1301,6 +1301,22 @@ load '../bats/extensions/bats-file/load'
     run env GNUPGHOME="${HOME}/${BATS_TEST_NUMBER}" gpgconf --kill gpg-agent
 }
 
+@test "template: helm template w/ chart + secrets.age.yaml + secrets+gpg-import:// + without key file" {
+    if on_windows || ! is_backend "sops"; then
+        skip
+    fi
+
+    VALUES="assets/values/${HELM_SECRETS_BACKEND}/not-found.age.yaml"
+    VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run "${HELM_BIN}" template "$(_winpath "${TEST_TEMP_DIR}/chart")" -f "secrets+gpg-import://${VALUES_PATH}" 2>&1
+
+    assert_output --partial "Invalid syntax: secrets+gpg-import://[path to key]?[path secrets.yaml]"
+    assert_failure
+}
+
 @test "template: helm template w/ chart + secrets.gpg_key.yaml + secrets+gpg-import://git://" {
     if on_windows || ! is_backend "sops"; then
         skip
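Review bot: The new tests in `tests/unit/template.bats` exercise only `secrets+gpg-import://` here and `secrets+age-import://` in the `@@ -1375` hunk; the `secrets+gpg-import-kubernetes://` and `secrets+age-import-kubernetes://` checks added to `downloader.sh` have no test, so a regression in either condition or message would go unnoticed. A sibling test per variant asserting `Invalid syntax: secrets+gpg-import-kubernetes://[path to key]?[path secrets.yaml]` would close the gap; since the check runs before `_gpg_init_kubernetes` is reached, it should fail fast without a cluster, though that is inferred from the downloader hunk rather than shown here. The test name also says `secrets.age.yaml` and uses the `not-found.age.yaml` fixture while driving the gpg scheme; either point it at the gpg fixture or add a comment such as `# fixture content is irrelevant: the syntax check fires before the file is read` so the mismatch reads as intentional. Only the missing-`?` case is covered; an empty key or secrets path (`secrets+gpg-import://?file`, `secrets+gpg-import://key?`) is left untested in both hunks.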
@@ -1375,6 +1391,22 @@ load '../bats/extensions/bats-file/load'
     assert_success
 }
 
+@test "template: helm template w/ chart + secrets.age.yaml + secrets+age-import:// + without key file" {
+    if on_windows || ! is_backend "sops"; then
+        skip
+    fi
+
+    VALUES="assets/values/${HELM_SECRETS_BACKEND}/not-found.age.yaml"
+    VALUES_PATH="${TEST_TEMP_DIR}/${VALUES}"
+
+    create_chart "${TEST_TEMP_DIR}"
+
+    run "${HELM_BIN}" template "$(_winpath "${TEST_TEMP_DIR}/chart")" -f "secrets+age-import://${VALUES_PATH}" 2>&1
+
+    assert_output --partial "Invalid syntax: secrets+age-import://[path to key]?[path secrets.yaml]"
+    assert_failure
+}
+
 @test "template: helm template w/ chart + secrets.age.yaml + secrets+age-import://git://" {
     if on_windows || ! is_backend "sops"; then
         skip