fix rotating keys with sops

pkgs/clan-cli/tests/test_secrets.py

@@ -23,6 +23,9 @@ class SecretCli:
 PUBKEY = "age1dhwqzkah943xzc34tc3dlmfayyevcmdmxzjezdgdy33euxwf59vsp3vk3c"
 PRIVKEY = "AGE-SECRET-KEY-1KF8E3SR3TTGL6M476SKF7EEMR4H9NF7ZWYSLJUAK8JX276JC7KUSSURKFK"
 
+PUBKEY_2 = "age14tva0txcrl0zes05x7gkx56qd6wd9q3nwecjac74xxzz4l47r44sv3fz62"
+PRIVKEY_2 = "AGE-SECRET-KEY-1U5ENXZQAY62NC78Y2WC0SEGRRMAEEKH79EYY5TH4GPFWJKEAY0USZ6X7YQ"
+
 
 def _test_identities(
     what: str, clan_flake: Path, capsys: pytest.CaptureFixture
@@ -123,6 +126,34 @@ def test_secrets(
         cli.run(["list"])
         assert capsys.readouterr().out == "key\n"
 
+        cli.run(["machines", "add", "machine1", PUBKEY])
+        cli.run(["machines", "add-secret", "machine1", "key"])
+
+        with mock_env(SOPS_AGE_KEY=PRIVKEY, SOPS_AGE_KEY_FILE=""):
+            capsys.readouterr()
+            cli.run(["get", "key"])
+            assert capsys.readouterr().out == "foo"
+        cli.run(["machines", "remove-secret", "machine1", "key"])
+
+        cli.run(["users", "add", "user1", PUBKEY_2])
+        cli.run(["users", "add-secret", "user1", "key"])
+        with mock_env(SOPS_AGE_KEY=PRIVKEY_2, SOPS_AGE_KEY_FILE=""):
+            capsys.readouterr()
+            cli.run(["get", "key"])
+            assert capsys.readouterr().out == "foo"
+        cli.run(["users", "remove-secret", "user1", "key"])
+
+        with pytest.raises(ClanError):  # does not exist yet
+            cli.run(["groups", "add-secret", "admin-group", "key"])
+        cli.run(["groups", "add-user", "admin-group", "user1"])
+        cli.run(["groups", "add-secret", "admin-group", "key"])
+
+        with mock_env(SOPS_AGE_KEY=PRIVKEY_2, SOPS_AGE_KEY_FILE=""):
+            capsys.readouterr()
+            cli.run(["get", "key"])
+            assert capsys.readouterr().out == "foo"
+        cli.run(["groups", "remove-secret", "admin-group", "key"])
+
     cli.run(["remove", "key"])
 
     capsys.readouterr()  # empty the buffer