sops: prioritize SOPS_AGE_KEY_FILE over local key

... instead of loading both keys and raise an error This is important for testing when one wants to override SOPS_AGE_KEY_FILE New prio: `SOPS_AGE_KEY` > `SOPS_AGE_KEY_FILE` > `~/.config/sops/age/keys.txt`
2025-04-08 20:18:11 +07:00
parent 77ab4f7208
commit 476dcb4140
3 changed files with 22 additions and 17 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -50,17 +50,6 @@ class KeyType(enum.Enum):
        keyring: list[str] = []

        if self == self.AGE:
-            if keys := os.environ.get("SOPS_AGE_KEY"):
-                # SOPS_AGE_KEY is fed into age.ParseIdentities by Sops, and
-                # reads identities line by line. See age/keysource.go in
-                # Sops, and age/parse.go in Age.
-                for private_key in keys.strip().splitlines():
-                    public_key = get_public_age_key(private_key)
-                    log.info(
-                        f"Found age public key from a private key "
-                        f"in the environment (SOPS_AGE_KEY): {public_key}"
-                    )
-                    keyring.append(public_key)

            def maybe_read_from_path(key_path: Path) -> None:
                try:
@@ -78,10 +67,23 @@ class KeyType(enum.Enum):
                except Exception as ex:
                    log.warning(f"Could not read age keys from {key_path}", exc_info=ex)

+            if keys := os.environ.get("SOPS_AGE_KEY"):
+                # SOPS_AGE_KEY is fed into age.ParseIdentities by Sops, and
+                # reads identities line by line. See age/keysource.go in
+                # Sops, and age/parse.go in Age.
+                for private_key in keys.strip().splitlines():
+                    public_key = get_public_age_key(private_key)
+                    log.info(
+                        f"Found age public key from a private key "
+                        f"in the environment (SOPS_AGE_KEY): {public_key}"
+                    )
+                    keyring.append(public_key)
+
            # Sops will try every location, see age/keysource.go
-            if key_path := os.environ.get("SOPS_AGE_KEY_FILE"):
+            elif key_path := os.environ.get("SOPS_AGE_KEY_FILE"):
                maybe_read_from_path(Path(key_path))
-            maybe_read_from_path(user_config_dir() / "sops/age/keys.txt")
+            else:
+                maybe_read_from_path(user_config_dir() / "sops/age/keys.txt")

            return keyring