Dark-Alex-17/gman
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Full support for secret injection into configuration files

Browse Source
This commit is contained in:
Alex Clarke
2025-09-10 20:53:10 -06:00
parent 8ae9b19567
commit 17eba4413d
13 changed files with 647 additions and 377 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/bin/gman/command.rs
+82 -82
View File
@@ -1,104 +1,104 @@
use std::borrow::Cow;
use std::ffi::{OsStr};
use std::ffi::OsStr;
use std::process::Command;
pub fn preview_command(cmd: &Command) -> String {
#[cfg(unix)]
{
let mut parts: Vec<String> = Vec::new();
#[cfg(unix)]
{
let mut parts: Vec<String> = Vec::new();
for (k, vopt) in cmd.get_envs() {
match vopt {
Some(v) => parts.push(format!(
"{}={}",
sh_escape(k),
sh_escape(v),
)),
None => parts.push(format!("unset {}", sh_escape(k))),
}
}
for (k, vopt) in cmd.get_envs() {
match vopt {
Some(v) => parts.push(format!("{}={}", sh_escape(k), sh_escape(v),)),
None => parts.push(format!("unset {}", sh_escape(k))),
}
}
parts.push(sh_escape(cmd.get_program()).into_owned());
parts.extend(cmd.get_args().map(|a| sh_escape(a).into_owned()));
parts.join(" ")
}
parts.push(sh_escape(cmd.get_program()).into_owned());
parts.extend(cmd.get_args().map(|a| sh_escape(a).into_owned()));
parts.join(" ")
}
#[cfg(windows)]
{
let mut parts: Vec<String> = Vec::new();
#[cfg(windows)]
{
let mut parts: Vec<String> = Vec::new();
let mut env_bits = Vec::new();
for (k, vopt) in cmd.get_envs() {
match vopt {
Some(v) => env_bits.push(format!("set {}={}", ps_quote(k), ps_quote(v))),
None => env_bits.push(format!("set {}=", ps_quote(k))),
}
}
if !env_bits.is_empty() {
parts.push(env_bits.join(" && "));
parts.push("&&".to_owned());
}
let mut env_bits = Vec::new();
for (k, vopt) in cmd.get_envs() {
match vopt {
Some(v) => env_bits.push(format!("set {}={}", ps_quote(k), ps_quote(v))),
None => env_bits.push(format!("set {}=", ps_quote(k))),
}
}
if !env_bits.is_empty() {
parts.push(env_bits.join(" && "));
parts.push("&&".to_owned());
}
parts.push(win_quote(cmd.get_program()));
parts.extend(cmd.get_args().map(win_quote));
parts.join(" ")
}
parts.push(win_quote(cmd.get_program()));
parts.extend(cmd.get_args().map(win_quote));
parts.join(" ")
}
}
#[cfg(unix)]
fn sh_escape(s: &OsStr) -> Cow<'_, str> {
let s = s.to_string_lossy();
if s.is_empty() || s.chars().any(|c| c.is_whitespace() || "!\"#$&'()*;<>?`\\|[]{}".contains(c))
{
let mut out = String::from("'");
for ch in s.chars() {
if ch == '\'' {
out.push_str("'\\''");
} else {
out.push(ch);
}
}
out.push('\'');
Cow::Owned(out)
} else {
Cow::Owned(s.into_owned())
}
let s = s.to_string_lossy();
if s.is_empty()
|| s.chars()
.any(|c| c.is_whitespace() || "!\"#$&'()*;<>?`\\|[]{}".contains(c))
{
let mut out = String::from("'");
for ch in s.chars() {
if ch == '\'' {
out.push_str("'\\''");
} else {
out.push(ch);
}
}
out.push('\'');
Cow::Owned(out)
} else {
Cow::Owned(s.into_owned())
}
}
#[cfg(windows)]
fn win_quote(s: &OsStr) -> String {
let s = s.to_string_lossy();
if !s.contains([' ', '\t', '"', '\\']) {
return s.into_owned();
}
let mut out = String::from("\"");
let mut backslashes = 0;
for ch in s.chars() {
match ch {
'\\' => backslashes += 1,
'"' => {
out.extend(std::iter::repeat('\\').take(backslashes * 2 + 1));
out.push('"');
backslashes = 0;
}
_ => {
out.extend(std::iter::repeat('\\').take(backslashes));
backslashes = 0;
out.push(ch);
}
}
}
out.extend(std::iter::repeat('\\').take(backslashes));
out.push('"');
out
let s = s.to_string_lossy();
if !s.contains([' ', '\t', '"', '\\']) {
return s.into_owned();
}
let mut out = String::from("\"");
let mut backslashes = 0;
for ch in s.chars() {
match ch {
'\\' => backslashes += 1,
'"' => {
out.extend(std::iter::repeat('\\').take(backslashes * 2 + 1));
out.push('"');
backslashes = 0;
}
_ => {
out.extend(std::iter::repeat('\\').take(backslashes));
backslashes = 0;
out.push(ch);
}
}
}
out.extend(std::iter::repeat('\\').take(backslashes));
out.push('"');
out
}
#[cfg(windows)]
fn ps_quote(s: &OsStr) -> String {
let s = s.to_string_lossy();
if s.chars().any(|c| c.is_whitespace() || r#"'&|<>()^"%!;"#.contains(c)) {
format!("'{}'", s.replace('\'', "''"))
} else {
s.into_owned()
}
let s = s.to_string_lossy();
if s.chars()
.any(|c| c.is_whitespace() || r#"'&|<>()^"%!;"#.contains(c))
{
format!("'{}'", s.replace('\'', "''"))
} else {
s.into_owned()
}
}
src/bin/gman/main.rs
+137 -39
View File
@@ -13,18 +13,20 @@ use gman::config::{Config, RunConfig};
use gman::providers::local::LocalProvider;
use gman::providers::{SecretProvider, SupportedProvider};
use heck::ToSnakeCase;
use log::debug;
use log::{debug, error};
use regex::Regex;
use std::io::{self, IsTerminal, Read, Write};
use std::panic;
use std::panic::PanicHookInfo;
use std::path::PathBuf;
use std::process::Command;
use std::{fs, panic};
use validator::Validate;
mod command;
mod utils;
const ARG_FORMAT_PLACEHOLDER_KEY: &str = "{key}";
const ARG_FORMAT_PLACEHOLDER_VALUE: &str = "{value}";
const ARG_FORMAT_PLACEHOLDER_KEY: &str = "{{key}}";
const ARG_FORMAT_PLACEHOLDER_VALUE: &str = "{{value}}";
#[derive(Debug, Clone, ValueEnum)]
enum OutputFormat {
@@ -41,7 +43,7 @@ pub enum ProviderKind {
impl From<ProviderKind> for SupportedProvider {
fn from(k: ProviderKind) -> Self {
match k {
ProviderKind::Local => SupportedProvider::Local(LocalProvider::default()),
ProviderKind::Local => SupportedProvider::Local(LocalProvider),
}
}
}
@@ -182,12 +184,11 @@ fn main() -> Result<()> {
}
Commands::Delete { name } => {
let snake_case_name = name.to_snake_case().to_uppercase();
secrets_provider
.delete_secret(&snake_case_name)
.map(|_| match cli.output {
None => println!("✓ Secret '{snake_case_name}' deleted from the vault."),
Some(_) => (),
})?;
secrets_provider.delete_secret(&snake_case_name).map(|_| {
if cli.output.is_none() {
println!("✓ Secret '{snake_case_name}' deleted from the vault.")
}
})?;
}
Commands::List {} => {
let secrets = secrets_provider.list_secrets()?;
@@ -216,12 +217,11 @@ fn main() -> Result<()> {
}
}
Commands::Sync {} => {
secrets_provider
.sync(&mut config)
.map(|_| match cli.output {
None => println!("✓ Secrets synchronized with remote"),
Some(_) => (),
})?;
secrets_provider.sync(&mut config).map(|_| {
if cli.output.is_none() {
println!("✓ Secrets synchronized with remote")
}
})?;
}
Commands::External(tokens) => {
wrap_and_run_command(secrets_provider, &config, tokens, cli.profile, cli.dry_run)?;
@@ -245,7 +245,7 @@ fn load_config(cli: &Cli) -> Result<Config> {
if let Some(provider_kind) = &cli.provider {
let provider: SupportedProvider = provider_kind.clone().into();
config.provider = provider.into();
config.provider = provider;
}
Ok(config)
@@ -274,20 +274,19 @@ pub fn wrap_and_run_command(
});
if let Some(run_cfg) = run_config_opt {
let secrets_result =
run_cfg
.secrets
.as_ref()
.expect("no secrets configured for run profile")
.iter()
.map(|key| {
let secret_name = key.to_snake_case().to_uppercase();
debug!(
"Retrieving secret '{secret_name}' for run profile '{}'",
run_config_profile_name
);
secrets_provider
.get_secret(&config, key.to_snake_case().to_uppercase().as_str())
let secrets_result = run_cfg
.secrets
.as_ref()
.expect("no secrets configured for run profile")
.iter()
.map(|key| {
let secret_name = key.to_snake_case().to_uppercase();
debug!(
"Retrieving secret '{secret_name}' for run profile '{}'",
run_config_profile_name
);
secrets_provider
.get_secret(config, key.to_snake_case().to_uppercase().as_str())
.ok()
.map_or_else(
|| {
@@ -299,13 +298,15 @@ pub fn wrap_and_run_command(
)),
)
},
|value| if dry_run {
(key.to_uppercase(), Ok("*****".into()))
} else {
(key.to_uppercase(), Ok(value))
},
|value| {
if dry_run {
(key.to_uppercase(), Ok("*****".into()))
} else {
(key.to_uppercase(), Ok(value))
}
},
)
});
});
let err = secrets_result
.clone()
.filter(|(_, r)| r.is_err())
@@ -328,7 +329,69 @@ pub fn wrap_and_run_command(
if run_cfg.flag.is_some() {
let args = parse_args(args, run_cfg, secrets.clone(), dry_run)?;
run_cmd(&mut cmd_def.args(&args), dry_run)?;
run_cmd(cmd_def.args(&args), dry_run)?;
} else if run_cfg.files.is_some() {
let injected_files = generate_files_secret_injections(secrets.clone(), run_cfg)
.with_context(|| "failed to inject secrets into files")?;
for (file, original_content, new_content) in &injected_files {
if dry_run {
println!("Would inject secrets into file '{}'", file.display());
} else {
match fs::write(file, new_content).with_context(|| {
format!(
"failed to write injected content to file '{}'",
file.display()
)
}) {
Ok(_) => {
debug!("Injected secrets into file '{}'", file.display());
}
Err(e) => {
error!(
"Failed to inject secrets into file '{}': {}",
file.display(),
e
);
debug!("Restoring original content to file '{}'", file.display());
fs::write(file, original_content)
.with_context(|| format!("failed to restore original content to file '{}' after injection failure: {}", file.display(), e))?;
return Err(e);
}
}
}
}
match run_cmd(cmd_def.args(args), dry_run) {
Ok(_) => {
if !dry_run {
for (file, original_content, _) in &injected_files {
debug!("Restoring original content to file '{}'", file.display());
fs::write(file, original_content).with_context(|| {
format!(
"failed to restore original content to file '{}'",
file.display()
)
})?;
}
}
}
Err(e) => {
if !dry_run {
for (file, original_content, _) in &injected_files {
error!(
"Command execution failed, restoring original content to file '{}'",
file.display()
);
debug!("Restoring original content to file '{}'", file.display());
fs::write(file, original_content)
.with_context(|| format!("failed to restore original content to file '{}' after command execution failure: {}", file.display(), e))?;
}
}
return Err(e);
}
}
} else {
run_cmd(cmd_def.args(args).envs(secrets), dry_run)?;
}
@@ -342,6 +405,41 @@ pub fn wrap_and_run_command(
Ok(())
}
fn generate_files_secret_injections(
secrets: HashMap<String, String>,
run_config: &RunConfig,
) -> Result<Vec<(&PathBuf, String, String)>> {
let re = Regex::new(r"\{\{([A-Za-z0-9_]+)\}\}")?;
let mut results = Vec::new();
for file in run_config
.files
.as_ref()
.with_context(|| "no files configured for run profile")?
{
debug!(
"Generating file with injected secrets for '{}'",
file.display()
);
let original_content = fs::read_to_string(file).with_context(|| {
format!(
"failed to read file for secrets injection: '{}'",
file.display()
)
})?;
let new_content = re.replace_all(&original_content, |caps: &regex::Captures| {
secrets
.get(&caps[1].to_snake_case().to_uppercase())
.map(|s| s.as_str())
.unwrap_or(&caps[0])
.to_string()
});
results.push((file, original_content.to_string(), new_content.to_string()));
}
Ok(results)
}
fn run_cmd(cmd: &mut Command, dry_run: bool) -> Result<()> {
if dry_run {
eprintln!("Command to be executed: {}", preview_command(cmd));
src/bin/gman/utils.rs
+31 -31
View File
@@ -1,43 +1,43 @@
use std::fs;
use std::path::PathBuf;
use log::LevelFilter;
use log4rs::append::file::FileAppender;
use log4rs::config::{Appender, Root};
use log4rs::encode::pattern::PatternEncoder;
use log::LevelFilter;
use std::fs;
use std::path::PathBuf;
pub fn init_logging_config() -> log4rs::Config {
let logfile = FileAppender::builder()
.encoder(Box::new(PatternEncoder::new(
"{d(%Y-%m-%d %H:%M:%S%.3f)(utc)} <{i}> [{l}] {f}:{L} - {m}{n}",
)))
.build(get_log_path())
.unwrap();
let logfile = FileAppender::builder()
.encoder(Box::new(PatternEncoder::new(
"{d(%Y-%m-%d %H:%M:%S%.3f)(utc)} <{i}> [{l}] {f}:{L} - {m}{n}",
)))
.build(get_log_path())
.unwrap();
log4rs::Config::builder()
.appender(Appender::builder().build("logfile", Box::new(logfile)))
.build(
Root::builder()
.appender("logfile")
.build(LevelFilter::Debug),
)
.unwrap()
log4rs::Config::builder()
.appender(Appender::builder().build("logfile", Box::new(logfile)))
.build(
Root::builder()
.appender("logfile")
.build(LevelFilter::Debug),
)
.unwrap()
}
pub fn get_log_path() -> PathBuf {
let mut log_path = if cfg!(target_os = "linux") {
dirs::cache_dir().unwrap_or_else(|| PathBuf::from("~/.cache"))
} else if cfg!(target_os = "macos") {
dirs::home_dir().unwrap().join("Library/Logs")
} else {
dirs::data_local_dir().unwrap_or_else(|| PathBuf::from("C:\\Logs"))
};
let mut log_path = if cfg!(target_os = "linux") {
dirs::cache_dir().unwrap_or_else(|| PathBuf::from("~/.cache"))
} else if cfg!(target_os = "macos") {
dirs::home_dir().unwrap().join("Library/Logs")
} else {
dirs::data_local_dir().unwrap_or_else(|| PathBuf::from("C:\\Logs"))
};
log_path.push("gman");
log_path.push("gman");
if let Err(e) = fs::create_dir_all(&log_path) {
eprintln!("Failed to create log directory: {e:?}");
}
if let Err(e) = fs::create_dir_all(&log_path) {
eprintln!("Failed to create log directory: {e:?}");
}
log_path.push("gman.log");
log_path
}
log_path.push("gman.log");
log_path
}
src/config.rs
+34 -17
View File
@@ -9,11 +9,13 @@ use validator::{Validate, ValidationError};
#[derive(Debug, Clone, Validate, Serialize, Deserialize, PartialEq, Eq)]
#[validate(schema(function = "flags_or_none", skip_on_field_errors = false))]
#[validate(schema(function = "flags_or_files"))]
pub struct RunConfig {
#[validate(required)]
pub name: Option<String>,
#[validate(required)]
pub secrets: Option<Vec<String>>,
pub files: Option<Vec<PathBuf>>,
pub flag: Option<String>,
#[validate(range(min = 1))]
pub flag_position: Option<usize>,
@@ -27,19 +29,21 @@ fn flags_or_none(run_config: &RunConfig) -> Result<(), ValidationError> {
&run_config.arg_format,
) {
(Some(_), Some(_), Some(format)) => {
let has_key = format.contains("{key}");
let has_value = format.contains("{value}");
if has_key && has_value {
Ok(())
} else {
let mut err = ValidationError::new("missing_placeholders");
err.message = Some(Cow::Borrowed("must contain both '{key}' and '{value}' (with the '{' and '}' characters) in the arg_format"));
err.add_param(Cow::Borrowed("has_key"), &has_key);
err.add_param(Cow::Borrowed("has_value"), &has_value);
Err(err)
}
},
(None, None, None) => Ok(()),
let has_key = format.contains("{{key}}");
let has_value = format.contains("{{value}}");
if has_key && has_value {
Ok(())
} else {
let mut err = ValidationError::new("missing_placeholders");
err.message = Some(Cow::Borrowed(
"must contain both '{{key}}' and '{{value}}' (with the '{{' and '}}' characters) in the arg_format",
));
err.add_param(Cow::Borrowed("has_key"), &has_key);
err.add_param(Cow::Borrowed("has_value"), &has_value);
Err(err)
}
}
(None, None, None) => Ok(()),
_ => {
let mut err = ValidationError::new("both_or_none");
err.message = Some(Cow::Borrowed(
@@ -50,6 +54,19 @@ fn flags_or_none(run_config: &RunConfig) -> Result<(), ValidationError> {
}
}
fn flags_or_files(run_config: &RunConfig) -> Result<(), ValidationError> {
match (&run_config.flag, &run_config.files) {
(Some(_), Some(_)) => {
let mut err = ValidationError::new("flag_and_file");
err.message = Some(Cow::Borrowed(
"Cannot specify both 'flag' and 'file' in the same run configuration",
));
Err(err)
}
_ => Ok(()),
}
}
#[serde_as]
#[derive(Debug, Clone, Validate, Serialize, Deserialize, PartialEq, Eq)]
pub struct Config {
@@ -93,10 +110,10 @@ impl Config {
pub fn local_provider_password_file() -> Option<PathBuf> {
let mut path = dirs::home_dir().map(|p| p.join(".gman_password"));
if let Some(p) = &path {
if !p.exists() {
path = None;
}
if let Some(p) = &path
&& !p.exists()
{
path = None;
}
path
src/lib.rs
+21 -23
View File
@@ -1,29 +1,29 @@
use anyhow::{anyhow, bail, Context, Result};
use anyhow::{Context, Result, anyhow, bail};
use argon2::{
password_hash::{rand_core::RngCore, SaltString},
Algorithm, Argon2, Params, Version,
Algorithm, Argon2, Params, Version,
password_hash::{SaltString, rand_core::RngCore},
};
use base64::{engine::general_purpose::STANDARD as B64, Engine as _};
use base64::{Engine as _, engine::general_purpose::STANDARD as B64};
use chacha20poly1305::{
aead::{Aead, KeyInit, OsRng},
Key, XChaCha20Poly1305, XNonce,
Key, XChaCha20Poly1305, XNonce,
aead::{Aead, KeyInit, OsRng},
};
use secrecy::{ExposeSecret, SecretString};
use zeroize::Zeroize;
pub mod providers;
pub mod config;
pub mod providers;
pub (in crate) const HEADER: &str = "$VAULT";
pub (in crate) const VERSION: &str = "v1";
pub (in crate) const KDF: &str = "argon2id";
pub(crate) const HEADER: &str = "$VAULT";
pub(crate) const VERSION: &str = "v1";
pub(crate) const KDF: &str = "argon2id";
pub (in crate) const ARGON_M_COST_KIB: u32 = 19_456;
pub (in crate) const ARGON_T_COST: u32 = 2;
pub (in crate) const ARGON_P: u32 = 1;
pub(crate) const ARGON_M_COST_KIB: u32 = 19_456;
pub(crate) const ARGON_T_COST: u32 = 2;
pub(crate) const ARGON_P: u32 = 1;
pub (in crate) const SALT_LEN: usize = 16;
pub (in crate) const NONCE_LEN: usize = 24;
pub (in crate) const KEY_LEN: usize = 32;
pub(crate) const SALT_LEN: usize = 16;
pub(crate) const NONCE_LEN: usize = 24;
pub(crate) const KEY_LEN: usize = 32;
fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
let params = Params::new(ARGON_M_COST_KIB, ARGON_T_COST, ARGON_P, Some(KEY_LEN))
@@ -32,14 +32,10 @@ fn derive_key(password: &SecretString, salt: &[u8]) -> Result<Key> {
let mut key_bytes = [0u8; KEY_LEN];
argon
.hash_password_into(
password.expose_secret().as_bytes(),
salt,
&mut key_bytes,
)
.hash_password_into(password.expose_secret().as_bytes(), salt, &mut key_bytes)
.map_err(|e| anyhow!("argon2 into error: {:?}", e))?;
let cloned_key_bytes = key_bytes.clone();
let cloned_key_bytes = key_bytes;
let key = Key::from_slice(&cloned_key_bytes);
key_bytes.zeroize();
Ok(*key)
@@ -211,7 +207,9 @@ mod tests {
let env = encrypt_string(pw.clone(), msg).unwrap();
let mut parts: Vec<&str> = env.split(';').collect();
let ct_b64 = parts[6].strip_prefix("ct=").unwrap();
let mut ct = base64::engine::general_purpose::STANDARD.decode(ct_b64).unwrap();
let mut ct = base64::engine::general_purpose::STANDARD
.decode(ct_b64)
.unwrap();
ct[0] ^= 0x01; // Flip a bit
let new_ct_b64 = base64::engine::general_purpose::STANDARD.encode(&ct);
let new_ct_part = format!("ct={}", new_ct_b64);
src/providers/git_sync.rs
+11 -13
View File
@@ -89,7 +89,7 @@ fn resolve_git_username(git: &Path, name: Option<&String>) -> Result<String> {
return Ok(name.to_string());
}
run_git_config_capture(&git, &["config", "user.name"])
run_git_config_capture(git, &["config", "user.name"])
.with_context(|| "unable to determine git username")
}
@@ -99,7 +99,7 @@ fn resolve_git_email(git: &Path, email: Option<&String>) -> Result<String> {
return Ok(email.to_string());
}
run_git_config_capture(&git, &["config", "user.email"])
run_git_config_capture(git, &["config", "user.email"])
.with_context(|| "unable to determine git user email")
}
@@ -210,17 +210,15 @@ fn set_origin(git: &Path, repo: &Path, url: &str) -> Result<()> {
if has_origin {
run_git(git, repo, &["remote", "set-url", "origin", url])?;
} else {
if Confirm::with_theme(&ColorfulTheme::default())
.with_prompt(format!("Have you already created the remote origin '{url}' on the Git host so we can push to it?"))
.default(false)
.interact()?
{
run_git(git, repo, &["remote", "add", "origin", url])?;
} else {
return Err(anyhow!("Remote origin does not yet exist. Please create remote origin before synchronizing, then try again"));
}
}
} else if Confirm::with_theme(&ColorfulTheme::default())
.with_prompt(format!("Have you already created the remote origin '{url}' on the Git host so we can push to it?"))
.default(false)
.interact()?
{
run_git(git, repo, &["remote", "add", "origin", url])?;
} else {
return Err(anyhow!("Remote origin does not yet exist. Please create remote origin before synchronizing, then try again"));
}
Ok(())
}
src/providers/local.rs
+4 -4
View File
@@ -54,7 +54,7 @@ impl SecretProvider for LocalProvider {
.get(key)
.with_context(|| format!("key '{key}' not found in the vault"))?;
let password = get_password(&config)?;
let password = get_password(config)?;
let plaintext = decrypt_string(&password, envelope)?;
drop(password);
@@ -70,7 +70,7 @@ impl SecretProvider for LocalProvider {
bail!("key '{key}' already exists");
}
let password = get_password(&config)?;
let password = get_password(config)?;
let envelope = encrypt_string(&password, value)?;
drop(password);
@@ -82,7 +82,7 @@ impl SecretProvider for LocalProvider {
fn update_secret(&self, config: &Config, key: &str, value: &str) -> Result<()> {
let mut vault: HashMap<String, String> = confy::load("gman", "vault").unwrap_or_default();
let password = get_password(&config)?;
let password = get_password(config)?;
let envelope = encrypt_string(&password, value)?;
drop(password);
@@ -317,7 +317,7 @@ fn decrypt_string(password: &SecretString, envelope: &str) -> Result<String> {
fn get_password(config: &Config) -> Result<SecretString> {
if let Some(password_file) = &config.password_file {
let password = SecretString::new(
fs::read_to_string(&password_file)
fs::read_to_string(password_file)
.with_context(|| format!("failed to read password file {:?}", password_file))?
.trim()
.to_string()