🐛 Fix env force bug

Author: bdsoha

cmd/info/version.go

@@ -1,3 +1,3 @@
 package info
 
-var Version = "0.0.41"
+var Version = "0.0.42"

cmd/secrets/vault.go

@@ -2,6 +2,7 @@ package secrets
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 
 	internalSecrets "github.com/kloudkit/ws-cli/internals/secrets"
@@ -71,16 +72,27 @@ func init() {
 	vaultCmd.Flags().Bool("stdout", false, "Output decrypted values to stdout")
 }
 
+func sortedKeys(m map[string]string) []string {
+	keys := make([]string, 0, len(m))
+	for k := range m {
+		keys = append(keys, k)
+	}
+	slices.Sort(keys)
+	return keys
+}
+
 func printStdoutResults(cmd *cobra.Command, results map[string]string, raw bool) {
-	for key, value := range results {
+	for _, key := range sortedKeys(results) {
+		value := results[key]
 		output := internalSecrets.FormatSecretForStdout(key, value, raw)
 		fmt.Fprint(cmd.OutOrStdout(), output)
 	}
 }
 
 func printVaultSuccess(cmd *cobra.Command, results map[string]string) {
 	fmt.Fprintln(cmd.OutOrStdout(), styles.Success().Render("✓ Vault processed successfully"))
-	for key, dest := range results {
+	for _, key := range sortedKeys(results) {
+		dest := results[key]
 		displayDest := dest
 		if after, ok := strings.CutPrefix(dest, "env:"); ok {
 			displayDest = fmt.Sprintf("env:%s", after)

internals/secrets/vault.go

@@ -183,6 +183,7 @@ func GetSecretKeys(vault *Vault, requestedKeys []string) []string {
 	for key := range vault.Secrets {
 		keys = append(keys, key)
 	}
+	slices.Sort(keys)
 
 	return keys
 }
@@ -210,6 +211,8 @@ func ProcessVault(vault *Vault, opts ProcessOptions) (map[string]string, error)
 			return nil, err
 		}
 
+		effectiveForce := opts.Force || secret.Force
+
 		encryptedValue := NormalizeEncrypted(secret.Encrypted)
 
 		decrypted, err := Decrypt(encryptedValue, opts.MasterKey)
@@ -228,12 +231,12 @@ func ProcessVault(vault *Vault, opts ProcessOptions) (map[string]string, error)
 		}
 
 		if secret.Type == TypeEnv {
-			if err := ProcessEnvSecret(secret.Destination, decrypted, opts.Force); err != nil {
+			if err := ProcessEnvSecret(secret.Destination, decrypted, effectiveForce); err != nil {
 				return nil, fmt.Errorf("failed to process env secret %q: %w", key, err)
 			}
 			results[key] = fmt.Sprintf("env:%s", secret.Destination)
 		} else {
-			if err := internalIO.WriteSecureFile(secret.Destination, decrypted, mode, opts.Force); err != nil {
+			if err := internalIO.WriteSecureFile(secret.Destination, decrypted, mode, effectiveForce); err != nil {
 				return nil, fmt.Errorf("failed to write secret %q: %w", key, err)
 			}
 			results[key] = secret.Destination

internals/secrets/vault_test.go

@@ -253,6 +253,9 @@ func TestGetSecretKeys(t *testing.T) {
 	t.Run("AllKeys", func(t *testing.T) {
 		keys := GetSecretKeys(vault, []string{})
 		assert.Equal(t, 3, len(keys))
+		for i := 1; i < len(keys); i++ {
+			assert.Assert(t, keys[i-1] < keys[i], "keys should be sorted alphabetically")
+		}
 	})
 
 	t.Run("SpecificKeys", func(t *testing.T) {
@@ -503,3 +506,116 @@ func TestProcessEnvSecret(t *testing.T) {
 		assert.Equal(t, 1, len(lines))
 	})
 }
+
+func TestDeterministicOrdering(t *testing.T) {
+	t.Run("GetSecretKeysReturnsSorted", func(t *testing.T) {
+		vault := &Vault{
+			Secrets: map[string]VaultSecret{
+				"zebra":   {},
+				"alpha":   {},
+				"charlie": {},
+				"bravo":   {},
+			},
+		}
+
+		keys := GetSecretKeys(vault, []string{})
+		assert.Equal(t, 4, len(keys))
+		assert.Equal(t, "alpha", keys[0])
+		assert.Equal(t, "bravo", keys[1])
+		assert.Equal(t, "charlie", keys[2])
+		assert.Equal(t, "zebra", keys[3])
+	})
+
+	t.Run("MultipleRunsProduceSameOrder", func(t *testing.T) {
+		vault := &Vault{
+			Secrets: map[string]VaultSecret{
+				"secret3": {},
+				"secret1": {},
+				"secret2": {},
+			},
+		}
+
+		firstRun := GetSecretKeys(vault, []string{})
+		secondRun := GetSecretKeys(vault, []string{})
+		thirdRun := GetSecretKeys(vault, []string{})
+
+		assert.DeepEqual(t, firstRun, secondRun)
+		assert.DeepEqual(t, secondRun, thirdRun)
+	})
+
+	t.Run("RequestedKeysPreserveOrder", func(t *testing.T) {
+		vault := &Vault{
+			Secrets: map[string]VaultSecret{
+				"zebra":   {},
+				"alpha":   {},
+				"charlie": {},
+			},
+		}
+
+		requested := []string{"zebra", "alpha"}
+		keys := GetSecretKeys(vault, requested)
+		assert.DeepEqual(t, requested, keys)
+	})
+}
+
+func TestPerSecretForce(t *testing.T) {
+	t.Run("SecretForceOverwritesEnv", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		envFile := filepath.Join(tmpDir, ".zshenv")
+		t.Setenv("HOME", tmpDir)
+
+		existingContent := `export TEST_VAR="old_value"
+`
+		err := os.WriteFile(envFile, []byte(existingContent), 0644)
+		assert.NilError(t, err)
+
+		err = ProcessEnvSecret("TEST_VAR", []byte("new_value"), true)
+		assert.NilError(t, err)
+
+		content, err := os.ReadFile(envFile)
+		assert.NilError(t, err)
+
+		contentStr := string(content)
+		assert.Assert(t, strings.Contains(contentStr, `export TEST_VAR="new_value"`))
+		assert.Assert(t, !strings.Contains(contentStr, "old_value"))
+	})
+
+	t.Run("SecretWithoutForceFailsOnExisting", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		envFile := filepath.Join(tmpDir, ".zshenv")
+		t.Setenv("HOME", tmpDir)
+
+		existingContent := `export TEST_VAR="old_value"
+`
+		err := os.WriteFile(envFile, []byte(existingContent), 0644)
+		assert.NilError(t, err)
+
+		err = ProcessEnvSecret("TEST_VAR", []byte("new_value"), false)
+		assert.ErrorContains(t, err, `environment variable "TEST_VAR" already exists, use --force to overwrite`)
+	})
+
+	t.Run("MixedForceInVault", func(t *testing.T) {
+		tmpDir := t.TempDir()
+		envFile := filepath.Join(tmpDir, ".zshenv")
+		t.Setenv("HOME", tmpDir)
+
+		existingContent := `export VAR1="old1"
+export VAR2="old2"
+`
+		err := os.WriteFile(envFile, []byte(existingContent), 0644)
+		assert.NilError(t, err)
+
+		err = ProcessEnvSecret("VAR1", []byte("new1"), true)
+		assert.NilError(t, err)
+
+		err = ProcessEnvSecret("VAR2", []byte("new2"), false)
+		assert.ErrorContains(t, err, `environment variable "VAR2" already exists, use --force to overwrite`)
+
+		content, err := os.ReadFile(envFile)
+		assert.NilError(t, err)
+
+		contentStr := string(content)
+		assert.Assert(t, strings.Contains(contentStr, `export VAR1="new1"`))
+		assert.Assert(t, strings.Contains(contentStr, `export VAR2="old2"`))
+	})
+}