yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

feat: configure age plugins for SOPS in buildClan

Browse Source
This commit is contained in:
Brian McGee
2025-04-28 12:54:27 +01:00
committed by Michael Hoang
parent d3e1c0b4e4
commit a438fe77a7
13 changed files with 357 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
pkgs/clan-cli/clan_cli/tests/test_import_sops_cli.py
View File

@@ -10,9 +10,10 @@ if TYPE_CHECKING:
from .age_keys import KeyPair
@pytest.mark.with_core
def test_import_sops(
test_root: Path,
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
monkeypatch: pytest.MonkeyPatch,
age_keys: list["KeyPair"],
@@ -24,7 +25,7 @@ def test_import_sops(
"machines",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"machine1",
age_keys[0].pubkey,
]
@@ -35,7 +36,7 @@ def test_import_sops(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
age_keys[1].pubkey,
]
@@ -46,7 +47,7 @@ def test_import_sops(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user2",
age_keys[2].pubkey,
]
@@ -57,7 +58,7 @@ def test_import_sops(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"user1",
]
@@ -68,7 +69,7 @@ def test_import_sops(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"user2",
]
@@ -80,7 +81,7 @@ def test_import_sops(
"secrets",
"import-sops",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"--group",
"group1",
"--machine",
@@ -90,11 +91,13 @@ def test_import_sops(
cli.run(cmd)
with capture_output as output:
cli.run(["secrets", "users", "list", "--flake", str(test_flake.path)])
cli.run(["secrets", "users", "list", "--flake", str(test_flake_with_core.path)])
users = sorted(output.out.rstrip().split())
assert users == ["user1", "user2"]
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "secret-key"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "secret-key"]
)
assert output.out == "secret-value"

301
pkgs/clan-cli/clan_cli/tests/test_secrets_cli.py
View File

@@ -22,14 +22,15 @@ if TYPE_CHECKING:
log = logging.getLogger(__name__)
@pytest.mark.with_core
def _test_identities(
what: str,
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
age_keys: list["KeyPair"],
monkeypatch: pytest.MonkeyPatch,
) -> None:
sops_folder = test_flake.path / "sops"
sops_folder = test_flake_with_core.path / "sops"
what_singular = what[:-1]
test_secret_name = f"{what_singular}_secret"
@@ -45,7 +46,7 @@ def _test_identities(
what,
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"foo",
age_keys[0].pubkey,
]
@@ -58,7 +59,7 @@ def _test_identities(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin",
admin_age_key.pubkey,
]
@@ -71,7 +72,7 @@ def _test_identities(
what,
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"foo",
age_keys[0].pubkey,
]
@@ -86,7 +87,7 @@ def _test_identities(
"secrets",
"set",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
f"--{what_singular}",
"foo",
test_secret_name,
@@ -94,7 +95,7 @@ def _test_identities(
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
test_secret_name,
expected_age_recipients_keypairs=[age_keys[0], admin_age_key],
)
@@ -107,14 +108,14 @@ def _test_identities(
what,
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"-f",
"foo",
age_keys[1].privkey,
]
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
test_secret_name,
expected_age_recipients_keypairs=[age_keys[1], admin_age_key],
)
@@ -126,24 +127,35 @@ def _test_identities(
what,
"get",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"foo",
]
)
assert age_keys[1].pubkey in output.out
with capture_output as output:
cli.run(["secrets", what, "list", "--flake", str(test_flake.path)])
cli.run(["secrets", what, "list", "--flake", str(test_flake_with_core.path)])
assert "foo" in output.out
cli.run(["secrets", what, "remove", "--flake", str(test_flake.path), "foo"])
cli.run(
["secrets", what, "remove", "--flake", str(test_flake_with_core.path), "foo"]
)
assert not (sops_folder / what / "foo" / "key.json").exists()
with pytest.raises(ClanError): # already removed
cli.run(["secrets", what, "remove", "--flake", str(test_flake.path), "foo"])
cli.run(
[
"secrets",
what,
"remove",
"--flake",
str(test_flake_with_core.path),
"foo",
]
)
with capture_output as output:
cli.run(["secrets", what, "list", "--flake", str(test_flake.path)])
cli.run(["secrets", what, "list", "--flake", str(test_flake_with_core.path)])
assert "foo" not in output.out
user_or_machine_symlink = sops_folder / "secrets" / test_secret_name / what / "foo"
@@ -155,23 +167,27 @@ def _test_identities(
assert not user_or_machine_symlink.exists(follow_symlinks=False), err_msg
@pytest.mark.with_core
def test_users(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
age_keys: list["KeyPair"],
monkeypatch: pytest.MonkeyPatch,
) -> None:
with monkeypatch.context():
_test_identities("users", test_flake, capture_output, age_keys, monkeypatch)
_test_identities(
"users", test_flake_with_core, capture_output, age_keys, monkeypatch
)
@pytest.mark.with_core
def test_multiple_user_keys(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
age_keys: list["KeyPair"],
monkeypatch: pytest.MonkeyPatch,
) -> None:
sops_folder = test_flake.path / "sops"
sops_folder = test_flake_with_core.path / "sops"
users_keys = {
"bob": {age_keys[0], age_keys[1]},
@@ -187,7 +203,7 @@ def test_multiple_user_keys(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
user,
*[f"--age-key={key.pubkey}" for key in user_keys],
]
@@ -196,7 +212,16 @@ def test_multiple_user_keys(
# check they are returned in get
with capture_output as output:
cli.run(["secrets", "users", "get", "--flake", str(test_flake.path), user])
cli.run(
[
"secrets",
"users",
"get",
"--flake",
str(test_flake_with_core.path),
user,
]
)
for user_key in user_keys:
assert user_key.pubkey in output.out
@@ -220,14 +245,14 @@ def test_multiple_user_keys(
"secrets",
"set",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
secret_name,
]
)
# check the secret has each of our user's keys as a recipient
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[*user_keys],
)
@@ -235,7 +260,13 @@ def test_multiple_user_keys(
# check we can get the secret
with capture_output as output:
cli.run(
["secrets", "get", "--flake", str(test_flake.path), secret_name]
[
"secrets",
"get",
"--flake",
str(test_flake_with_core.path),
secret_name,
]
)
assert secret_value in output.out
@@ -259,7 +290,7 @@ def test_multiple_user_keys(
"users",
"remove-key",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
user,
key_to_remove.pubkey,
]
@@ -267,7 +298,7 @@ def test_multiple_user_keys(
# check the secret has been updated
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=list({*user_keys} - {key_to_remove}),
)
@@ -279,7 +310,7 @@ def test_multiple_user_keys(
"users",
"add-key",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
user,
key_to_remove.pubkey,
]
@@ -287,29 +318,35 @@ def test_multiple_user_keys(
# check the secret has been updated
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=user_keys,
)
@pytest.mark.with_core
def test_machines(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
age_keys: list["KeyPair"],
monkeypatch: pytest.MonkeyPatch,
) -> None:
_test_identities("machines", test_flake, capture_output, age_keys, monkeypatch)
_test_identities(
"machines", test_flake_with_core, capture_output, age_keys, monkeypatch
)
@pytest.mark.with_core
def test_groups(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
age_keys: list["KeyPair"],
monkeypatch: pytest.MonkeyPatch,
) -> None:
with capture_output as output:
cli.run(["secrets", "groups", "list", "--flake", str(test_flake.path)])
cli.run(
["secrets", "groups", "list", "--flake", str(test_flake_with_core.path)]
)
assert output.out == ""
machine1_age_key = age_keys[0]
@@ -323,7 +360,7 @@ def test_groups(
"groups",
"add-machine",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"machine1",
]
@@ -335,7 +372,7 @@ def test_groups(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"groupb1",
"user1",
]
@@ -346,7 +383,7 @@ def test_groups(
"machines",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"machine1",
machine1_age_key.pubkey,
]
@@ -357,7 +394,7 @@ def test_groups(
"groups",
"add-machine",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"machine1",
]
@@ -370,7 +407,7 @@ def test_groups(
"groups",
"add-machine",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"machine1",
]
@@ -382,7 +419,7 @@ def test_groups(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
user1_age_key.pubkey,
]
@@ -393,7 +430,7 @@ def test_groups(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin",
admin_age_key.pubkey,
]
@@ -404,14 +441,16 @@ def test_groups(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"user1",
]
)
with capture_output as output:
cli.run(["secrets", "groups", "list", "--flake", str(test_flake.path)])
cli.run(
["secrets", "groups", "list", "--flake", str(test_flake_with_core.path)]
)
out = output.out
assert "user1" in out
assert "machine1" in out
@@ -427,7 +466,7 @@ def test_groups(
"secrets",
"set",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"--group",
"group1",
secret_name,
@@ -435,7 +474,7 @@ def test_groups(
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[
machine1_age_key,
@@ -454,13 +493,13 @@ def test_groups(
"groups",
"remove-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"user1",
]
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[machine1_age_key, admin_age_key],
err_msg=(
@@ -476,13 +515,13 @@ def test_groups(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"user1",
]
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[
machine1_age_key,
@@ -498,12 +537,12 @@ def test_groups(
"users",
"remove",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
]
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[machine1_age_key, admin_age_key],
err_msg=(
@@ -518,13 +557,13 @@ def test_groups(
"groups",
"remove-machine",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"group1",
"machine1",
]
)
assert_secrets_file_recipients(
test_flake.path,
test_flake_with_core.path,
secret_name,
expected_age_recipients_keypairs=[admin_age_key],
err_msg=(
@@ -533,11 +572,11 @@ def test_groups(
),
)
first_group = next((test_flake.path / "sops" / "groups").iterdir(), None)
first_group = next((test_flake_with_core.path / "sops" / "groups").iterdir(), None)
assert first_group is None
# Check if the symlink to the group was removed from our foo test secret:
group_symlink = test_flake.path / "sops/secrets/foo/groups/group1"
group_symlink = test_flake_with_core.path / "sops/secrets/foo/groups/group1"
err_msg = (
"Symlink to group1's key in foo secret "
"was not cleaned up after group1 was removed"
@@ -574,25 +613,30 @@ def use_gpg_key(key: GpgKey, monkeypatch: pytest.MonkeyPatch) -> Iterator[None]:
monkeypatch.setenv("SOPS_AGE_KEY", old_key)
@pytest.mark.with_core
def test_secrets(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
monkeypatch: pytest.MonkeyPatch,
gpg_key: GpgKey,
age_keys: list["KeyPair"],
) -> None:
with capture_output as output:
cli.run(["secrets", "list", "--flake", str(test_flake.path)])
cli.run(["secrets", "list", "--flake", str(test_flake_with_core.path)])
assert output.out == ""
# Generate a new key for the clan
monkeypatch.setenv("SOPS_AGE_KEY_FILE", str(test_flake.path / ".." / "age.key"))
monkeypatch.setenv(
"SOPS_AGE_KEY_FILE", str(test_flake_with_core.path / ".." / "age.key")
)
with capture_output as output:
cli.run(["secrets", "key", "generate", "--flake", str(test_flake.path)])
cli.run(
["secrets", "key", "generate", "--flake", str(test_flake_with_core.path)]
)
assert "age private key" in output.out
# Read the key that was generated
with capture_output as output:
cli.run(["secrets", "key", "show", "--flake", str(test_flake.path)])
cli.run(["secrets", "key", "show", "--flake", str(test_flake_with_core.path)])
key = json.loads(output.out)
assert key["publickey"].startswith("age1")
@@ -603,41 +647,71 @@ def test_secrets(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"testuser",
key["publickey"],
]
)
with pytest.raises(ClanError): # does not exist yet
cli.run(["secrets", "get", "--flake", str(test_flake.path), "nonexisting"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "nonexisting"]
)
monkeypatch.setenv("SOPS_NIX_SECRET", "foo")
cli.run(["secrets", "set", "--flake", str(test_flake.path), "initialkey"])
cli.run(["secrets", "set", "--flake", str(test_flake_with_core.path), "initialkey"])
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "initialkey"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "initialkey"]
)
assert output.out == "foo"
with capture_output as output:
cli.run(["secrets", "users", "list", "--flake", str(test_flake.path)])
cli.run(["secrets", "users", "list", "--flake", str(test_flake_with_core.path)])
users = output.out.rstrip().split("\n")
assert len(users) == 1, f"users: {users}"
owner = users[0]
monkeypatch.setenv("EDITOR", "cat")
cli.run(["secrets", "set", "--edit", "--flake", str(test_flake.path), "initialkey"])
cli.run(
[
"secrets",
"set",
"--edit",
"--flake",
str(test_flake_with_core.path),
"initialkey",
]
)
monkeypatch.delenv("EDITOR")
cli.run(["secrets", "rename", "--flake", str(test_flake.path), "initialkey", "key"])
cli.run(
[
"secrets",
"rename",
"--flake",
str(test_flake_with_core.path),
"initialkey",
"key",
]
)
with capture_output as output:
cli.run(["secrets", "list", "--flake", str(test_flake.path)])
cli.run(["secrets", "list", "--flake", str(test_flake_with_core.path)])
assert output.out == "key\n"
with capture_output as output:
cli.run(["secrets", "list", "--flake", str(test_flake.path), "nonexisting"])
cli.run(
[
"secrets",
"list",
"--flake",
str(test_flake_with_core.path),
"nonexisting",
]
)
assert output.out == ""
with capture_output as output:
cli.run(["secrets", "list", "--flake", str(test_flake.path), "key"])
cli.run(["secrets", "list", "--flake", str(test_flake_with_core.path), "key"])
assert output.out == "key\n"
# using the `age_keys` KeyPair, add a machine and rotate its key
@@ -648,7 +722,7 @@ def test_secrets(
"machines",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"machine1",
age_keys[1].pubkey,
]
@@ -659,18 +733,22 @@ def test_secrets(
"machines",
"add-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"machine1",
"key",
]
)
with capture_output as output:
cli.run(["secrets", "machines", "list", "--flake", str(test_flake.path)])
cli.run(
["secrets", "machines", "list", "--flake", str(test_flake_with_core.path)]
)
assert output.out == "machine1\n"
with use_age_key(age_keys[1].privkey, monkeypatch):
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "key"]
)
assert output.out == "foo"
# rotate machines key
@@ -680,7 +758,7 @@ def test_secrets(
"machines",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"-f",
"machine1",
age_keys[0].privkey,
@@ -690,7 +768,9 @@ def test_secrets(
# should also rotate the encrypted secret
with use_age_key(age_keys[0].privkey, monkeypatch):
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "key"]
)
assert output.out == "foo"
cli.run(
@@ -699,7 +779,7 @@ def test_secrets(
"machines",
"remove-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"machine1",
"key",
]
@@ -711,7 +791,7 @@ def test_secrets(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
age_keys[1].pubkey,
]
@@ -722,13 +802,13 @@ def test_secrets(
"users",
"add-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
"key",
]
)
with capture_output as output, use_age_key(age_keys[1].privkey, monkeypatch):
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(["secrets", "get", "--flake", str(test_flake_with_core.path), "key"])
assert output.out == "foo"
cli.run(
[
@@ -736,7 +816,7 @@ def test_secrets(
"users",
"remove-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"user1",
"key",
]
@@ -749,7 +829,7 @@ def test_secrets(
"groups",
"add-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"key",
]
@@ -760,7 +840,7 @@ def test_secrets(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"user1",
]
@@ -771,7 +851,7 @@ def test_secrets(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
owner,
]
@@ -782,7 +862,7 @@ def test_secrets(
"groups",
"add-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"key",
]
@@ -793,7 +873,7 @@ def test_secrets(
"secrets",
"set",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"--group",
"admin-group",
"key2",
@@ -802,7 +882,9 @@ def test_secrets(
with use_age_key(age_keys[1].privkey, monkeypatch):
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "key"]
)
assert output.out == "foo"
# Add an user with a GPG key
@@ -812,7 +894,7 @@ def test_secrets(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"--pgp-key",
gpg_key.fingerprint,
"user2",
@@ -826,7 +908,7 @@ def test_secrets(
"groups",
"add-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"user2",
]
@@ -834,7 +916,9 @@ def test_secrets(
with use_gpg_key(gpg_key, monkeypatch): # user2
with capture_output as output:
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(
["secrets", "get", "--flake", str(test_flake_with_core.path), "key"]
)
assert output.out == "foo"
cli.run(
@@ -843,7 +927,7 @@ def test_secrets(
"groups",
"remove-user",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"user2",
]
@@ -854,7 +938,7 @@ def test_secrets(
capture_output as output,
):
# user2 is not in the group anymore
cli.run(["secrets", "get", "--flake", str(test_flake.path), "key"])
cli.run(["secrets", "get", "--flake", str(test_flake_with_core.path), "key"])
print(output.out)
cli.run(
@@ -863,22 +947,23 @@ def test_secrets(
"groups",
"remove-secret",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"admin-group",
"key",
]
)
cli.run(["secrets", "remove", "--flake", str(test_flake.path), "key"])
cli.run(["secrets", "remove", "--flake", str(test_flake.path), "key2"])
cli.run(["secrets", "remove", "--flake", str(test_flake_with_core.path), "key"])
cli.run(["secrets", "remove", "--flake", str(test_flake_with_core.path), "key2"])
with capture_output as output:
cli.run(["secrets", "list", "--flake", str(test_flake.path)])
cli.run(["secrets", "list", "--flake", str(test_flake_with_core.path)])
assert output.out == ""
@pytest.mark.with_core
def test_secrets_key_generate_gpg(
test_flake: FlakeForTest,
test_flake_with_core: FlakeForTest,
capture_output: CaptureOutput,
monkeypatch: pytest.MonkeyPatch,
gpg_key: GpgKey,
@@ -893,14 +978,16 @@ def test_secrets_key_generate_gpg(
"key",
"generate",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
]
)
assert "age private key" not in output.out
assert re.match(r"PGP key.+is already set", output.err) is not None
with capture_output as output:
cli.run(["secrets", "key", "show", "--flake", str(test_flake.path)])
cli.run(
["secrets", "key", "show", "--flake", str(test_flake_with_core.path)]
)
key = json.loads(output.out)
assert key["type"] == "pgp"
assert key["publickey"] == gpg_key.fingerprint
@@ -912,7 +999,7 @@ def test_secrets_key_generate_gpg(
"users",
"add",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"--pgp-key",
gpg_key.fingerprint,
"testuser",
@@ -926,7 +1013,7 @@ def test_secrets_key_generate_gpg(
"users",
"get",
"--flake",
str(test_flake.path),
str(test_flake_with_core.path),
"testuser",
]
)
@@ -940,9 +1027,23 @@ def test_secrets_key_generate_gpg(
with monkeypatch.context() as m:
m.setenv("SOPS_NIX_SECRET", "secret-value")
cli.run(["secrets", "set", "--flake", str(test_flake.path), "secret-name"])
cli.run(
[
"secrets",
"set",
"--flake",
str(test_flake_with_core.path),
"secret-name",
]
)
with capture_output as output:
cli.run(
["secrets", "get", "--flake", str(test_flake.path), "secret-name"]
[
"secrets",
"get",
"--flake",
str(test_flake_with_core.path),
"secret-name",
]
)
assert output.out == "secret-value"