From db82bcafd43548323a2fdce6774e1137a3c869e7 Mon Sep 17 00:00:00 2001
From: DDoSolitary
Date: Mon, 19 Feb 2024 16:28:05 +0800
Subject: [PATCH] template rendering should only read referenced secrets
Adds an extra check to determine if the placeholder ocurrs in template content before actually reading the corresponding secret file. In terms of performance, this adds an extra string search, but removes possibly unneceassary file reading if the secret is not used in the template, though both of them should be negligible in most cases. Fixes Mic92/sops-nix#496.
---
 modules/sops/templates/subs.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/sops/templates/subs.py b/modules/sops/templates/subs.py
index d523719..778b690 100644
--- a/modules/sops/templates/subs.py
+++ b/modules/sops/templates/subs.py
@@ -10,8 +10,9 @@ def substitute(target: str, subst: str) -> str:
 for pair in subst_pairs:
 placeholder, path = pair.split()
- with open(path) as f:
- content = content.replace(placeholder, f.read())
+ if placeholder in content:
+ with open(path) as f:
+ content = content.replace(placeholder, f.read())
 return content
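Review bot: The added guard `if placeholder in content:` tests the text as rewritten by earlier iterations, not the template as read from disk, so a placeholder string that occurs only inside an already-substituted secret value still causes that other secret's file to be opened and spliced in. That is the over-read this commit sets out to prevent, reached through secret contents instead of the template; how likely a collision is depends on the placeholder format, which is not visible here. Taking a snapshot before the loop, `template = content`, and testing `if placeholder in template:` keeps the decision tied to what the template actually references. A short comment on the guard saying that unreferenced secret files are deliberately never opened would also stop it being removed later as a redundant optimisation. The start of substitute() lies outside the hunk.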