clan-cli: filter any sops recipients set in the environment for encryption

This forces sops to use our config file, otherwise if any of the environment variables set to specify recipients is present then `--config` will be ignored (see [env_check]). That's simple enough, still I ended up refactoring how we call sops for correctness, and to align with its behavior. The code now distinguishes between public and private keys explicitly. `secrets.decrypt_secret` does not try to lookup for public and private keys anymore. With this changeset, some people might have to adjust their environment as public age and PGP keys will be discovered like sops would do. In particular if multiple public keys are discovered, then the user will have to specify which one to use for the clan. This also makes the following changes: - try to use `/dev/shm` when swapping a secret (it's what [pass] does fwiw); - alias immediate values for readability; - remove some float comparison that could never succeed, and use sops' exit status instead; - remove unused function `maybe_get_sops_key`. [env_check]: 8c567aa8a7/cmd/sops/main.go (L2229) [pass]: http://passwordstore.org/
2024-10-14 17:06:52 -07:00
parent 0bad1c79f4
commit 67c7876629
4 changed files with 255 additions and 123 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@@ -28,7 +28,12 @@ from .folders import (
    sops_secrets_folder,
    sops_users_folder,
 )
-from .sops import decrypt_file, encrypt_file, ensure_admin_key, read_key, update_keys
+from .sops import (
+    decrypt_file,
+    encrypt_file,
+    read_key,
+    update_keys,
+)
 from .types import VALID_SECRET_NAME, secret_name_type

 log = logging.getLogger(__name__)
@@ -101,9 +106,13 @@ def encrypt_secret(
        add_machines = []
    if add_users is None:
        add_users = []
-    key = ensure_admin_key(flake_dir)
+    key = sops.ensure_admin_public_key(flake_dir)
    recipient_keys = set()

+    # encrypt_secret can be called before the secret has been created
+    # so don't try to call sops.update_keys on a non-existent file:
+    do_update_keys = False
+
    files_to_commit = []
    for user in add_users:
        files_to_commit.extend(
@@ -111,7 +120,7 @@ def encrypt_secret(
                users_folder(secret_path),
                sops_users_folder(flake_dir),
                user,
-                False,
+                do_update_keys,
            )
        )

@@ -121,7 +130,7 @@ def encrypt_secret(
                machines_folder(secret_path),
                sops_machines_folder(flake_dir),
                machine,
-                False,
+                do_update_keys,
            )
        )

@@ -131,7 +140,7 @@ def encrypt_secret(
                groups_folder(secret_path),
                sops_groups_folder(flake_dir),
                group,
-                False,
+                do_update_keys,
            )
        )

@@ -144,7 +153,7 @@ def encrypt_secret(
                users_folder(secret_path),
                sops_users_folder(flake_dir),
                key.username,
-                False,
+                do_update_keys,
            )
        )

@@ -296,7 +305,10 @@ def list_command(args: argparse.Namespace) -> None:


 def decrypt_secret(flake_dir: Path, secret_path: Path) -> str:
-    ensure_admin_key(flake_dir)
+    # I can't think of a good way to ensure that we have the private key for
+    # the secret. I mean we could collect all private keys we could find and
+    # then make sure we have the one for the secret, but that seems
+    # complicated for little ux gain?
    path = secret_path / "secret"
    if not path.exists():
        msg = f"Secret '{secret_path!s}' does not exist"