Merge pull request 'sops: fix compatibility with new format' (#3242) from directory-context into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3242
2025-04-08 16:05:43 +00:00
parent 96db83a08b 259983c99f
commit b7cf63344c
2 changed files with 17 additions and 12 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -36,11 +36,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1743598667,
-        "narHash": "sha256-ViE7NoFWytYO2uJONTAX35eGsvTYXNHjWALeHAg8OQY=",
+        "lastModified": 1744126564,
+        "narHash": "sha256-v1XPivS/Rvo9BBvF2Rh59HxUpucMsuOCGVrkIObF/bc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "329d3d7e8bc63dd30c39e14e6076db590a6eabe6",
+        "rev": "8f806681d781ca250ddaafd262d6b6c89d79d9ef",
        "type": "github"
      },
      "original": {
--- a/pkgs/clan-cli/clan_cli/secrets/sops.py
+++ b/pkgs/clan-cli/clan_cli/secrets/sops.py
@@ -449,15 +449,20 @@ def decrypt_file(secret_path: Path) -> str:

 def get_recipients(secret_path: Path) -> set[SopsKey]:
    sops_attrs = json.loads((secret_path / "secret").read_text())["sops"]
-    return {
+    keys = set()
+    for key_type in KeyType:
+        recipients = sops_attrs.get(key_type.name.lower())
+        if not recipients:
+            continue
+        for recipient in recipients:
+            keys.add(
                SopsKey(
                    pubkey=recipient[key_type.sops_recipient_attr],
                    username="",
                    key_type=key_type,
                )
-        for key_type in KeyType
-        for recipient in sops_attrs[key_type.name.lower()] or []
-    }
+            )
+    return keys


 def get_meta(secret_path: Path) -> dict: