From 173436632db72a3f6b29030df6d348d1327aa539 Mon Sep 17 00:00:00 2001
From: DavHau
Date: Tue, 26 Nov 2024 17:01:42 +0700
Subject: [PATCH] vars: fix migration - secrets end up in public store

---
 pkgs/clan-cli/clan_cli/vars/generate.py | 11 ++++++++---
 pkgs/clan-cli/tests/test_vars.py | 11 ++++++++++-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/vars/generate.py b/pkgs/clan-cli/clan_cli/vars/generate.py
index c431c97e6..138627fc8 100644
--- a/pkgs/clan-cli/clan_cli/vars/generate.py
+++ b/pkgs/clan-cli/clan_cli/vars/generate.py
@@ -274,9 +274,14 @@ def _migrate_file(
 old_value = machine.public_facts_store.get(service_name, fact_name)
 is_shared = machine.vars_generators[generator_name]["share"]
 is_deployed = machine.vars_generators[generator_name]["files"][var_name]["deploy"]
- machine.public_vars_store.set(
- generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
- )
+ if is_secret:
+ machine.secret_vars_store.set(
+ generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
+ )
+ else:
+ machine.public_vars_store.set(
+ generator_name, var_name, old_value, shared=is_shared, deployed=is_deployed
+ )


 def _migrate_files(
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index 4de343b9c..48bd44d91 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
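Review bot: Secrets that earlier runs of `_migrate_file` (generate.py) already wrote to `machine.public_vars_store` are left where they are, because the new `if is_secret:` branch only changes where a value is written from now on. Whether an already-migrated file is ever revisited is not visible here, since the function starts outside the hunk and `is_secret` is defined there too. I would record this above the branch with `# secret files must never reach public_vars_store; values migrated before this fix may still be there and need removal and rotation`. The two `set(...)` calls differ only in the store, so `store = machine.secret_vars_store if is_secret else machine.public_vars_store` followed by a single `store.set(...)` would keep the arguments from drifting apart.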
@@ -782,9 +782,13 @@ def test_migration(
 config["nixpkgs"]["hostPlatform"] = "x86_64-linux"
 my_service = config["clan"]["core"]["facts"]["services"]["my_service"]
 my_service["public"]["my_value"] = {}
- my_service["generator"]["script"] = "echo -n hello > $facts/my_value"
+ my_service["secret"]["my_secret"] = {}
+ my_service["generator"]["script"] = (
+ "echo -n hello > $facts/my_value && echo -n hello > $secrets/my_secret"
+ )
 my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
 my_generator["files"]["my_value"]["secret"] = False
+ my_generator["files"]["my_secret"]["secret"] = True
 my_generator["migrateFact"] = "my_service"
 my_generator["script"] = "echo -n world > $out/my_value"
 flake.refresh()
@@ -795,8 +799,13 @@ def test_migration(
 in_repo_store = in_repo.FactStore(
 Machine(name="my_machine", flake=FlakeId(str(flake.path)))
 )
+ sops_store = sops.SecretStore(
+ Machine(name="my_machine", flake=FlakeId(str(flake.path)))
+ )
 assert in_repo_store.exists("my_generator", "my_value")
 assert in_repo_store.get("my_generator", "my_value").decode() == "hello"
+ assert sops_store.exists("my_generator", "my_secret")
+ assert sops_store.get("my_generator", "my_secret").decode() == "hello"


 @pytest.mark.impure
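Review bot: The second `test_migration` hunk asserts that `my_secret` arrives in `sops_store` but never asserts that it is absent from the public store, which is the leak named in the commit subject. A later regression that writes the secret to both stores would still pass these assertions. Assuming `in_repo_store` is the public store the fix refers to, add `assert not in_repo_store.exists("my_generator", "my_secret")` after the two `sops_store` assertions. `test_migration` begins outside the hunk, so any earlier setup that might already cover this is not visible.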