diff --git a/pkgs/clan-cli/clan_cli/tests/test_vars.py b/pkgs/clan-cli/clan_cli/tests/test_vars.py
index 1943fb936..cc26b6253 100644
--- a/pkgs/clan-cli/clan_cli/tests/test_vars.py
+++ b/pkgs/clan-cli/clan_cli/tests/test_vars.py
@@ -420,7 +420,11 @@ def test_generated_shared_secret_sops(
 ]
 shared_generator["share"] = True
 shared_generator["files"]["my_shared_secret"]["secret"] = True
- shared_generator["script"] = 'echo hello > "$out"/my_shared_secret'
+ shared_generator["files"]["no_deploy_secret"]["secret"] = True
+ shared_generator["files"]["no_deploy_secret"]["deploy"] = False
+ shared_generator["script"] = (
+ 'echo hello > "$out"/my_shared_secret; echo no_hello > "$out"/no_deploy_secret'
+ )
 m2_config = flake.machines["machine2"] = create_test_machine_config()
 m2_config["clan"]["core"]["vars"]["generators"]["my_shared_generator"] = (
 shared_generator.copy()
@@ -482,13 +486,21 @@ def test_generated_shared_secret_sops(
 )
 
 assert m1_sops_store.exists(generator_m1, "my_shared_secret")
+ assert m1_sops_store.exists(generator_m1, "no_deploy_secret")
 assert m2_sops_store.exists(generator_m2, "my_shared_secret")
+ assert m2_sops_store.exists(generator_m2, "no_deploy_secret")
 assert m1_sops_store.machine_has_access(
 generator_m1, "my_shared_secret", "machine1"
 )
 assert m2_sops_store.machine_has_access(
 generator_m2, "my_shared_secret", "machine2"
 )
+ assert not m1_sops_store.machine_has_access(
+ generator_m1, "no_deploy_secret", "machine1"
+ )
+ assert not m2_sops_store.machine_has_access(
+ generator_m2, "no_deploy_secret", "machine2"
+ )
 
 
 @pytest.mark.with_core
diff --git a/pkgs/clan-cli/clan_cli/vars/check.py b/pkgs/clan-cli/clan_cli/vars/check.py
index 70de575a6..a9fb779fe 100644
--- a/pkgs/clan-cli/clan_cli/vars/check.py
+++ b/pkgs/clan-cli/clan_cli/vars/check.py
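Review bot: The new assertions in the second hunk only cover a secret that is created with `deploy = False` from the start, so the revocation branch this commit adds in sops.py (the `disallow_member` call guarded by `generator.share and not file.deploy`) is never exercised, because no machine ever held a key for `no_deploy_secret`. A second generation run that flips `deploy` from True to False for an already-shared secret and then re-asserts `not m1_sops_store.machine_has_access(generator_m1, "no_deploy_secret", "machine1")` would pin that path. Whether the test helpers allow re-running generation against the same flake is not visible here. test_generated_shared_secret_sops starts before the first hunk and continues past the second.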
@@ -90,6 +90,7 @@ def vars_status(
 if (
 isinstance(machine.secret_vars_store, sops.SecretStore)
 and generator.share
+ and file.deploy
 and file.exists
 and not machine.secret_vars_store.machine_has_access(
 generator=generator,
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
index c96a2e1d8..c09358d10 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -354,7 +354,10 @@ class SecretStore(StoreBase):
 ClanError: If the specified file_name is not found
 """
 
- from clan_cli.secrets.secrets import update_keys # noqa: PLC0415
+ from clan_cli.secrets.secrets import ( # noqa: PLC0415
+ disallow_member,
+ update_keys,
+ )
 
 if generators is None:
 from clan_cli.vars.generator import Generator # noqa: PLC0415
@@ -389,6 +392,12 @@ class SecretStore(StoreBase):
 age_plugins=age_plugins,
 )
 
+ # Cleanup: if this is a shared var not marked for deployment
+ if generator.share and not file.deploy:
+ machine_link = secret_path / "machines" / machine
+ if machine_link.exists():
+ disallow_member(secret_path / "machines", machine, age_plugins)
+
 update_keys(
 secret_path,
 collect_keys_for_path(secret_path),
diff --git a/pkgs/clan-cli/clan_lib/vars/generate.py b/pkgs/clan-cli/clan_lib/vars/generate.py
index 41ad4951e..8670cbbd4 100644
--- a/pkgs/clan-cli/clan_lib/vars/generate.py
+++ b/pkgs/clan-cli/clan_lib/vars/generate.py
@@ -187,7 +187,7 @@ def run_generators(
 for generator in all_generators:
 if generator.share:
 for file in generator.files:
- if not file.secret or not file.exists:
+ if not file.secret or not file.exists or not file.deploy:
 continue
 machine.secret_vars_store.ensure_machine_has_access(
 generator,
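Review bot: With `and file.deploy` added to this condition, vars_status no longer looks at a shared secret whose `deploy` flag was later switched to False while the machine still holds a key, so such a stale grant is neither reported nor corrected; the same skip is added to run_generators in generate.py (`or not file.deploy` before the `continue`). From this diff the only code that revokes such a grant is the new `disallow_member` branch in sops.py, which lives in a SecretStore method that run_generators now bypasses for exactly those files, so it is unclear how a True-to-False transition is ever cleaned up; whether another caller reaches that method is not visible here. If leaving the key in place until the next regeneration is intentional, a comment here such as `# non-deploy shared files are skipped here; a stale machine key is only revoked by the store on the next ensure_machine_has_access` would record that. vars_status continues outside the hunk.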
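Review bot: In the second sops.py hunk, `machine_link.exists()` follows symlinks, so if `secret_path / "machines" / machine` is a symlink to a machine key directory that has since been removed (the name `machine_link` suggests it is a link), the dangling entry makes `exists()` return False and `disallow_member` is skipped, leaving the stale member behind; `if machine_link.is_symlink() or machine_link.exists():` handles both cases. The comment above the branch says when it runs but not what it does; `# Revoke this machine's key from a shared secret that is not deployed to it, before the key set is refreshed below` would state the intent. `secret_path`, `machine`, `file` and `age_plugins` are all bound outside the hunk, and the enclosing method starts above it.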