From 85676bc44febda8ca08d6a1403519a0d68bd7ff4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 11 Dec 2024 16:03:18 +0100
Subject: [PATCH 1/2] improve error message if sops secret contains unknown key
---
 pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
index 2e571c8f7..251f23e0d 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -221,9 +221,10 @@ class SecretStore(StoreBase):
 recipients_to_add = wanted_recipients - current_recipients
 var_id = f"{generator.name}/{name}"
 msg = (
- f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted. "
- f"This could have been a malicious actor trying to add their keys, please investigate. "
- f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}"
+ f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted.\n"
+ f"This could have been a malicious actor trying to add their keys, please investigate.\n"
+ f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}\n"
+ f"If this is intended, run 'clan vars fix' to re-encrypt the secret."
 )
 return needs_update, msg
From 7d7e0c071418478a1893fb28961f808e2c0f26cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 11 Dec 2024 15:54:46 +0100
Subject: [PATCH 2/2] fix clan vars for public vars
---
 pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py | 6 +++++-
 pkgs/clan-cli/tests/test_vars.py | 5 ++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
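Review bot: The new last line of the message recommends running 'clan vars fix' immediately after warning that the listed keys may have been added by a malicious actor, so it reads as the default next step rather than one to take only after the keys have been checked. Making the order explicit avoids a user re-encrypting to an unexpected recipient on autopilot, e.g. `f"Only after confirming every listed key is expected, run 'clan vars fix' to re-encrypt the secret."`. The message covers only `recipients_to_add` (wanted but absent from the file); whether keys dropped from the wanted set are reported elsewhere is not visible in this hunk. The enclosing method starts before the hunk.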
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
index 251f23e0d..5b1b8182f 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -85,7 +85,9 @@ class SecretStore(StoreBase):
 self, key_dir: Path, generator: Generator, secret_name: str
 ) -> bool:
 secret_path = self.secret_path(generator, secret_name)
- return sops.SopsKey.load_dir(key_dir) in sops.get_recipients(secret_path)
+ recipient = sops.SopsKey.load_dir(key_dir)
+ recipients = sops.get_recipients(secret_path)
+ return recipient in recipients
 def secret_path(self, generator: Generator, secret_name: str) -> Path:
 return self.directory(generator, secret_name)
@@ -247,6 +249,8 @@ class SecretStore(StoreBase):
 file_found = True
 else:
 continue
+ if not file.secret:
+ continue
 secret_path = self.secret_path(generator, file.name)
 update_keys(
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index 24ef8b4e4..25cde260a 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -177,7 +177,10 @@ def test_generate_secret_var_sops_with_default_group(
 config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"]
 my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
 my_generator["files"]["my_secret"]["secret"] = True
- my_generator["script"] = "echo hello > $out/my_secret"
+ my_generator["files"]["my_public"]["secret"] = False
+ my_generator["script"] = (
+ "echo hello > $out/my_secret && echo hello > $out/my_public"
+ )
 flake.refresh()
 monkeypatch.chdir(flake.path)
 sops_setup.init()
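Review bot: The new `if not file.secret: continue` in the second hunk of sops.py is reached after the loop has already set `file_found = True`, so a public var explicitly named by the caller is presumably treated as found while the key update is skipped with no feedback; a debug-level log line before the `continue` naming `generator.name` and `file.name` would make the skip visible, assuming a module logger is in scope (not shown in the hunk). The recipient-check method in the first hunk still calls `sops.get_recipients` on `secret_path` for whatever name it is given, so if any caller reaches it with a public var the same `file.secret` guard is missing there — that caller path is not visible here. The enclosing loop and its `if` start before the hunk and the `update_keys(` call continues after it.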
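Review bot: The test hunk adds `my_public` to the generator and its script but no assertion that covers it, so the public-var regression this commit fixes is checked only by the absence of an exception unless the test's later assertions (outside the hunk) inspect it. An explicit check that `my_public` is present in the store after generation and that the key-update path completes with it alongside `my_secret` would pin the fix. The test function continues past the hunk.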