Merge pull request 'improve clan vars fix command' (#2596) from sandbox into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2596
This commit is contained in:
Mic92
2024-12-11 15:50:06 +00:00
2 changed files with 13 additions and 5 deletions


@@ -85,7 +85,9 @@ class SecretStore(StoreBase):
self, key_dir: Path, generator: Generator, secret_name: str self, key_dir: Path, generator: Generator, secret_name: str
) -> bool: ) -> bool:
secret_path = self.secret_path(generator, secret_name) secret_path = self.secret_path(generator, secret_name)
return sops.SopsKey.load_dir(key_dir) in sops.get_recipients(secret_path) recipient = sops.SopsKey.load_dir(key_dir)
recipients = sops.get_recipients(secret_path)
return recipient in recipients
def secret_path(self, generator: Generator, secret_name: str) -> Path: def secret_path(self, generator: Generator, secret_name: str) -> Path:
return self.directory(generator, secret_name) return self.directory(generator, secret_name)
@@ -221,9 +223,10 @@ class SecretStore(StoreBase):
recipients_to_add = wanted_recipients - current_recipients recipients_to_add = wanted_recipients - current_recipients
var_id = f"{generator.name}/{name}" var_id = f"{generator.name}/{name}"
msg = ( msg = (
f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted. " f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted.\n"
f"This could have been a malicious actor trying to add their keys, please investigate. " f"This could have been a malicious actor trying to add their keys, please investigate.\n"
f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}" f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}\n"
f"If this is intended, run 'clan vars fix' to re-encrypt the secret."
) )
return needs_update, msg return needs_update, msg
@@ -246,6 +249,8 @@ class SecretStore(StoreBase):
file_found = True file_found = True
else: else:
continue continue
if not file.secret:
continue
secret_path = self.secret_path(generator, file.name) secret_path = self.secret_path(generator, file.name)
update_keys( update_keys(
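Review bot: The new `if not file.secret: continue` guard in the third hunk is placed after `file_found = True`, so a public file still counts as found but silently drops out of the re-encryption loop, and nothing on the line says why; a comment such as `# non-secret files are stored in plain text and have no sops recipients to update` would make the skip self-explaining. The check that computes `recipients_to_add` in the second hunk does not visibly apply the same `file.secret` filter; if it iterates public files too, a var could keep being reported as never re-encrypted while `fix` now skips it, so it is worth confirming both paths agree on which files are eligible. In the second hunk the new last line tells the user to run `clan vars fix` immediately after the message has raised the possibility of a malicious key addition, which invites re-encrypting to an attacker's key by reflex; phrasing it as `f"Only after confirming the added keys above are expected, run 'clan vars fix' to re-encrypt the secret."` keeps the verification step ahead of the remediation. The enclosing methods of all three hunks start outside the shown lines, and the third hunk's body continues past `update_keys(`.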


@@ -177,7 +177,10 @@ def test_generate_secret_var_sops_with_default_group(
config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"] config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"]
my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"] my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
my_generator["files"]["my_secret"]["secret"] = True my_generator["files"]["my_secret"]["secret"] = True
my_generator["script"] = "echo hello > $out/my_secret" my_generator["files"]["my_public"]["secret"] = False
my_generator["script"] = (
"echo hello > $out/my_secret && echo hello > $out/my_public"
)
flake.refresh() flake.refresh()
monkeypatch.chdir(flake.path) monkeypatch.chdir(flake.path)
sops_setup.init() sops_setup.init()
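Review bot: The fixture now declares `my_public` with `secret = False` and the script writes it alongside `my_secret`, but the hunk contains no assertion about that file, so its purpose in this test is only visible to someone who knows the matching change in the store's fix loop; a comment on the `my_public` line such as `# a plain (non-secret) file next to the secret must be left alone by 'clan vars fix'` would tie the fixture to the behaviour under test. If the assertions covering the public file live further down, that is fine, but `test_generate_secret_var_sops_with_default_group` begins above the hunk and continues below it, so a reader of this diff cannot confirm it. The multi-line parenthesised string for `my_generator["script"]` is fine stylistically; keeping the two redirects on one shell line is what makes `&&` short-circuit on the first failure.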