os.#Container: mount secrets with a more consistent API

Signed-off-by: Solomon Hykes <solomon@dagger.io>

stdlib/.dagger/env/os-container/.gitignore

@@ -0,0 +1,2 @@
+# dagger state
+state/**

stdlib/.dagger/env/os-container/plan/main.cue

@@ -0,0 +1,27 @@
+package main
+
+import (
+	"dagger.io/dagger"
+	"dagger.io/os"
+)
+
+// Test secret mount
+SimpleSecret: {
+	// 'encrypted' and 'cleartext' must be set from identical values
+	encrypted: dagger.#Secret @dagger(input)
+	cleartext: string         @dagger(input)
+
+	ctr: os.#Container & {
+		secret: "/secret-in": encrypted
+		command: "cat /secret-in > /secret-out"
+	}
+
+	// Decrypted secret
+	decrypted: (os.#File & {
+			from: ctr
+			path: "/secret-out"
+	}).contents @dagger(output)
+
+	// Assertion: decrypted value must match original cleartext
+	decrypted: cleartext
+}

stdlib/.dagger/env/os-container/values.yaml

@@ -0,0 +1,28 @@
+plan:
+    module: .dagger/env/os-container/plan
+name: os-container
+inputs:
+    SimpleSecret.cleartext:
+        text: hello, world!
+    SimpleSecret.encrypted:
+        secret: ENC[AES256_GCM,data:Ps0VwEr1g2VJAkuyvA==,iv:LWWhr6wjWhpiv46VIehkVK0p8gwd8S1atmiFYqWcdLI=,tag:lridOOyvkUlSa6n+e6rMPw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1gxwmtwahzwdmrskhf90ppwlnze30lgpm056kuesrxzeuyclrwvpsupwtpk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SU9NUTRWWTBvZzRWZkNT
+            Tk5TWFBFcHBWMldNSXA4KzU3TlVwTU9pdEZJCkFXNWpMMmZOZGs3WTYxZ3hDZVpv
+            L3lYNVh3Ti9UQXZzaTNWRU9IdGh4UncKLS0tIDFxbE1ZTmlUNElWWmRIN2hSRjk4
+            azJIU2lIVlF4N1VxT2tVWDBPU2RsOEkKqkfxeT/mnnDxdvv/vhXMj2Zl8ogaAHa6
+            xbBUOaCZ8stwj4Zz4/iKdrPspQQKo7/QuxxAcFUfyuK3fULqJHPXPQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2021-06-23T10:38:38Z"
+    mac: ENC[AES256_GCM,data:tI4WNOV4Ck6mLS0inz8SpVWhReofeB1WHExTwhusFYuEFWfKqvJ5Hau1ErLhPla0JURNf2taUgRAcZC4m6ex7CjGhj5/qjtMndWrz6Vf2/6CZkFPiFUd2a19kRoiEU6Mh/3NFUPIJK04lVMvW76glxxxCkqq7bnTovPXOkumdu4=,iv:ov7MKd/4FegjBUTv2hGb1D6VjhuKK3npHXhWUFZVmns=,tag:KvESE0C2xPmuRlQ05OKO5g==,type:str]
+    pgp: []
+    encrypted_suffix: secret
+    version: 3.7.1

stdlib/netlify/netlify.cue

@@ -84,7 +84,7 @@ import (
 			NETLIFY_ACCOUNT: account.name
 		}
 		dir: "/src"
-		mount: "/src": from:                 contents
-		mount: "/run/secrets/token": secret: account.token
+		mount: "/src": from: contents
+		secret: "/run/secrets/token": account.token
 	}
 }

stdlib/os/container.cue

@@ -48,14 +48,14 @@ import (
 
 	// Mount contents from other artifacts.
 	// Mount is active when executing `command`, but not `setup`.
-
 	mount: [string]: {
 		from: dagger.#Artifact
 		// FIXME: support source path
-	} | {
-		secret: dagger.#Secret
 	}
 
+	// Safely mount secrets (in cleartext) as non-persistent files
+	secret: [string]: dagger.#Secret
+
 	// Mount persistent cache directories
 	cache: [string]: true
 
@@ -113,6 +113,9 @@ import (
 						"\(dest)": o
 						// FIXME: support source path
 					}
+					for dest, s in secret {
+						"\(dest)": secret: s
+					}
 					for dest, _ in cache {
 						"\(dest)": "cache"
 					}

stdlib/universe.bats

@@ -29,6 +29,10 @@ setup() {
     dagger -e git up
 }
 
+@test "os.#Container" {
+    dagger -e os-container up
+}
+
 @test "aws: ecr" {
     dagger -e aws-ecr up
 }