Add standard newline/quoting behavior to dotenv store

[scjudd]

Rationale

The dotenv store as it exists right now performs splitting on newlines to determine where a new key-value pair or comment begins. This works remarkably well, up until you need to handle values that contain newlines.

While I couldn't find an offical dotenv file format spec, I sampled a number of open-source dotenv parsers and it seems that they typically apply the following rules:

Newline handling:

• If a value is unquoted and contains a literal \n (0x5c6e), it is interpretted literally and NOT converted to an actual newline (0x0a).

• If a value is single-quoted and contains a literal \n (0x5c6e), it is interpretted literally and NOT converted to an actual newline (0x0a).

• If a value is double-quoted and contains a literal \n (0x5c6e), it is converted to an actual newline (0x0a).

• If a value is either single- or double-quoted, it may contain an actual newline (0x0a).

Whitespace trimming:

• If a value is unquoted and contains any leading or trailing whitespace, it is trimmed.

• If a value is either single- or double-quoted and contains any leading or trailing whitespace, it is left untrimmed.

Quotation handling:

• Because quotations around values have special meaning, they are interpretted and are not included in the parsed value. Literal quotes may be included within a quoted string either by escaping them or using the opposite quotation mark.

Because single- and double-quoted values may contain actual newlines, we cannot split our input data on newlines as this may be in the middle of a quoted value. This, along with the other rules around handling quoted values, prompted me to try and implement a more robust parsing solution. This commit is my first stab at that.

Special Considerations

This is not a backwards-compatible change:

• The dotenv files produced by this version of SOPS cannot be read by an earlier version.

• The dotenv files produced by an earlier version of SOPS can be read by this version, with the understanding that the semantics around quotations and newlines have changed.

Examples

The below examples show how double-quoted values are passed to the running environment:

$ echo 'FOO="foo\\nbar\\nbaz"' > plaintext.env
$ sops -e --output ciphertext.env plaintext.env
$ sops exec-env ciphertext.env 'env | grep FOO | xxd'
00000000: 464f 4f3d 666f 6f5c 6e62 6172 5c6e 6261  FOO=foo\nbar\nba
00000010: 7a0a                                     z.

$ echo 'FOO="foo\nbar\nbaz"' > plaintext.env
$ sops -e --output ciphertext.env plaintext.env
$ sops exec-env ciphertext.env 'env | grep -A2 FOO | xxd'
00000000: 464f 4f3d 666f 6f0a 6261 720a 6261 7a0a  FOO=foo.bar.baz.

[codecov-io]

Codecov Report

Merging #622 into develop will increase coverage by 2.14%.
The diff coverage is 84.1%.

@@             Coverage Diff             @@
##           develop     #622      +/-   ##
===========================================
+ Coverage    36.98%   39.13%   +2.14%     
===========================================
  Files           21       22       +1     
  Lines         2893     3023     +130     
===========================================
+ Hits          1070     1183     +113     
- Misses        1728     1735       +7     
- Partials        95      105      +10

Impacted Files	Coverage Δ
stores/dotenv/store.go	25% <100%> (-7.46%)	⬇️
stores/dotenv/parser.go	83.33% <83.33%> (ø)
stores/flatten.go	91.52% <0%> (+4.23%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1634350...fe789bf. Read the comment docs.

[scjudd]

Alright, this is now to a point where I'm content with the quality of it and I promise to not push anymore unless someone requests changes. 😄

[scjudd]

Okay so I lied. I added whitespace trimming to comments.

[ajvb]

Left some comments, but overall this looks awesome @scjudd! Thank you very much.

[autrilla]

The code itself LGTM.

What parsers did you look at? Could we have the parser in a separate repository, perhaps? It might be useful to other people.

[scjudd]

Hey @autrilla, I can't remember all of the different parsers I looked at, but the rules defined for https://github.com/motdotla/dotenv#rules are what I based a lot of this on.

As far as breaking this out into a separate repo, I'm not opposed to that, but right now it is very purpose-built for SOPS. If you have any suggestions on what changes you'd like to see, I'm down to push this forward a little further. We need to land something along these lines to fix the issue for newlines and exec-env.

[scjudd]

Hey @autrilla, just checking in on this. Is there anything I can do to help get this landed?

[autrilla]

Sorry, I forgot about this. LGTM, thanks for the patch!

[mltsy]

Turns out this is a pseudo-breaking change for people using the dotenv format (including me), because the previous version of sops doesn't know what to do with the new quoted values (so in our build pipeline, which uses sops 3.5.0, it's unable to parse the new format coming from our local environments as people start upgrading to 3.6.0)

I'm not sure if there's a good place to put these notes. Ideally they wouldn't have been pointed out more prominently in the changelog - maybe I'll put in an issue to request a flag for --omit-dotenv-quotes or something in case others are encountering this issue...

[patricknelson]

Is this at all related to my issue at #784?

In my use case, I was loading environment variables which contain multiple lines (stored in encrypted JSON and YAML). It appears to be interpreted properly when viewing/editing directly within sops itself but not when loaded into environment variables via exec-env.

[mltsy]

Don't think it's related to this (this was only present in 3.5.0) - except that it's probably related to the dotenv encoder. Commented on your issue.

[patricknelson]

I think you're right @mltsy, I see the operative line that affects my use case were reverted in 5d32d9a. However, I will say that investigating my issue which is related via the shared use of the dotenv output formatting, I found a possible issue with how the dotenv output format encodes/decodes environment variables (i.e. it'll add \n's even though the variable in it's raw form may already contain \n's, meaning it is mixing unencoded content with encoded content and potentially mangling things). I have more details in my other comment.

Basically, I recommend using something like joho/godotenv to encode/decode dotenv values and then separating that process from the process used for calling os.StartProcess which may accept an entirely different environment variable encoding (something I don't know, since I'm totally new to golang).