Merge pull request 'vars: respect deploy flag for shared secrets' (#5572) from oneingan/clan-core:vars-no-deploy into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/5572

pkgs/clan-cli/clan_cli/tests/test_vars.py

@@ -420,7 +420,11 @@ def test_generated_shared_secret_sops(
     ]
     shared_generator["share"] = True
     shared_generator["files"]["my_shared_secret"]["secret"] = True
-    shared_generator["script"] = 'echo hello > "$out"/my_shared_secret'
+    shared_generator["files"]["no_deploy_secret"]["secret"] = True
+    shared_generator["files"]["no_deploy_secret"]["deploy"] = False
+    shared_generator["script"] = (
+        'echo hello > "$out"/my_shared_secret; echo no_hello > "$out"/no_deploy_secret'
+    )
     m2_config = flake.machines["machine2"] = create_test_machine_config()
     m2_config["clan"]["core"]["vars"]["generators"]["my_shared_generator"] = (
         shared_generator.copy()
@@ -482,13 +486,21 @@ def test_generated_shared_secret_sops(
     )
 
     assert m1_sops_store.exists(generator_m1, "my_shared_secret")
+    assert m1_sops_store.exists(generator_m1, "no_deploy_secret")
     assert m2_sops_store.exists(generator_m2, "my_shared_secret")
+    assert m2_sops_store.exists(generator_m2, "no_deploy_secret")
     assert m1_sops_store.machine_has_access(
         generator_m1, "my_shared_secret", "machine1"
     )
     assert m2_sops_store.machine_has_access(
         generator_m2, "my_shared_secret", "machine2"
     )
+    assert not m1_sops_store.machine_has_access(
+        generator_m1, "no_deploy_secret", "machine1"
+    )
+    assert not m2_sops_store.machine_has_access(
+        generator_m2, "no_deploy_secret", "machine2"
+    )
 
 
 @pytest.mark.with_core

pkgs/clan-cli/clan_cli/vars/check.py

@@ -90,6 +90,7 @@ def vars_status(
                 if (
                     isinstance(machine.secret_vars_store, sops.SecretStore)
                     and generator.share
+                    and file.deploy
                     and file.exists
                     and not machine.secret_vars_store.machine_has_access(
                         generator=generator,

pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py

@@ -354,7 +354,10 @@ class SecretStore(StoreBase):
             ClanError: If the specified file_name is not found
 
         """
-        from clan_cli.secrets.secrets import update_keys  # noqa: PLC0415
+        from clan_cli.secrets.secrets import (  # noqa: PLC0415
+            disallow_member,
+            update_keys,
+        )
 
         if generators is None:
             from clan_cli.vars.generator import Generator  # noqa: PLC0415
@@ -389,6 +392,12 @@ class SecretStore(StoreBase):
                         age_plugins=age_plugins,
                     )
 
+                # Cleanup: if this is a shared var not marked for deployment
+                if generator.share and not file.deploy:
+                    machine_link = secret_path / "machines" / machine
+                    if machine_link.exists():
+                        disallow_member(secret_path / "machines", machine, age_plugins)
+
                 update_keys(
                     secret_path,
                     collect_keys_for_path(secret_path),

pkgs/clan-cli/clan_lib/vars/generate.py

@@ -187,7 +187,7 @@ def run_generators(
         for generator in all_generators:
             if generator.share:
                 for file in generator.files:
-                    if not file.secret or not file.exists:
+                    if not file.secret or not file.exists or not file.deploy:
                         continue
                     machine.secret_vars_store.ensure_machine_has_access(
                         generator,