Merge pull request 'improve clan vars fix command' (#2596) from sandbox into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/2596
2024-12-11 15:50:06 +00:00
parent 23fab6155c 7d7e0c0714
commit 90eeef80ef
2 changed files with 13 additions and 5 deletions
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -85,7 +85,9 @@ class SecretStore(StoreBase):
        self, key_dir: Path, generator: Generator, secret_name: str
    ) -> bool:
        secret_path = self.secret_path(generator, secret_name)
-        return sops.SopsKey.load_dir(key_dir) in sops.get_recipients(secret_path)
+        recipient = sops.SopsKey.load_dir(key_dir)
+        recipients = sops.get_recipients(secret_path)
+        return recipient in recipients

    def secret_path(self, generator: Generator, secret_name: str) -> Path:
        return self.directory(generator, secret_name)
@@ -221,9 +223,10 @@ class SecretStore(StoreBase):
        recipients_to_add = wanted_recipients - current_recipients
        var_id = f"{generator.name}/{name}"
        msg = (
-            f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted. "
-            f"This could have been a malicious actor trying to add their keys, please investigate. "
-            f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}"
+            f"One or more recipient keys were added to secret{' shared' if generator.share else ''} var '{var_id}', but it was never re-encrypted.\n"
+            f"This could have been a malicious actor trying to add their keys, please investigate.\n"
+            f"Added keys: {', '.join(f"{r.key_type.name}:{r.pubkey}" for r in recipients_to_add)}\n"
+            f"If this is intended, run 'clan vars fix' to re-encrypt the secret."
        )
        return needs_update, msg

@@ -246,6 +249,8 @@ class SecretStore(StoreBase):
                        file_found = True
                    else:
                        continue
+                if not file.secret:
+                    continue

                secret_path = self.secret_path(generator, file.name)
                update_keys(
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -177,7 +177,10 @@ def test_generate_secret_var_sops_with_default_group(
    config["clan"]["core"]["sops"]["defaultGroups"] = ["my_group"]
    my_generator = config["clan"]["core"]["vars"]["generators"]["my_generator"]
    my_generator["files"]["my_secret"]["secret"] = True
-    my_generator["script"] = "echo hello > $out/my_secret"
+    my_generator["files"]["my_public"]["secret"] = False
+    my_generator["script"] = (
+        "echo hello > $out/my_secret && echo hello > $out/my_public"
+    )
    flake.refresh()
    monkeypatch.chdir(flake.path)
    sops_setup.init()