From d2d72e28e85cc8f5c56e22322fb68fc510fbf7e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Sun, 29 Sep 2024 18:31:46 +0200
Subject: [PATCH] re-use gpg key across tests
---
 ...9B2741C8062D3D3DF1302D8B049E262A5CA255.rev | 29 ++++++++++++++++
 ...3F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key | 15 +++++++++
 .../tests/data/gnupg-home/pubring.kbx | Bin 0 -> 566 bytes
 .../tests/data/gnupg-home/random_seed | Bin 0 -> 600 bytes
 .../tests/data/gnupg-home/trustdb.gpg | Bin 0 -> 1280 bytes
 pkgs/clan-cli/tests/data/gnupg.conf | 6 ++++
 .../tests/data/password-store/.gpg-id | 1 +
 pkgs/clan-cli/tests/test_vars.py | 31 +++++-------------
 8 files changed, 59 insertions(+), 23 deletions(-)
 create mode 100644 pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev
 create mode 100644 pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key
 create mode 100644 pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx
 create mode 100644 pkgs/clan-cli/tests/data/gnupg-home/random_seed
 create mode 100644 pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg
 create mode 100644 pkgs/clan-cli/tests/data/gnupg.conf
 create mode 100644 pkgs/clan-cli/tests/data/password-store/.gpg-id
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev b/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev
new file mode 100644
index 000000000..c084ed320
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/gnupg-home/openpgp-revocs.d/9A9B2741C8062D3D3DF1302D8B049E262A5CA255.rev
@@ -0,0 +1,29 @@
+This is a revocation certificate for the OpenPGP key:
+
+pub rsa1024 2024-09-29 [SCEAR]
+ 9A9B2741C8062D3D3DF1302D8B049E262A5CA255
+uid Root Superuser
+
+A revocation certificate is a kind of "kill switch" to publicly
+declare that a key shall not anymore be used. It is not possible
+to retract such a revocation certificate once it has been published.
+
+Use it to revoke this key in case of a compromise or loss of
+the secret key. However, if the secret key is still accessible,
+it is better to generate a new revocation certificate and give
+a reason for the revocation. For details see the description of
+of the gpg command "--generate-revocation" in the GnuPG manual.
+
+To avoid an accidental use of this file, a colon has been inserted
+before the 5 dashes below. Remove this colon with a text editor
+before importing and publishing this revocation certificate.
+
+:-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: This is a revocation certificate
+
+iLYEIAEIACAWIQSamydByAYtPT3xMC2LBJ4mKlyiVQUCZvl/cAIdAAAKCRCLBJ4m
+KlyiVUWOA/9rDw6tSSw7Gh3vlaLZXSQvkftO3x9cJwePn6JPmM2nWLDcaOj+/Cd0
+guyakYt7Fsxa6fqcv5sYV50bPRqAnfOWbR7jRl4DF6pSYNCHPlkWuLghdYsBOBo2
+1MG/J+155aclsB8JQez1eGMe8KcpcJBcrYuZTAMekMGPrfyr9SwDUg==
+=V2Jo
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key b/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key
new file mode 100644
index 000000000..a0873e873
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/gnupg-home/private-keys-v1.d/893F0D3827CC473BAEFE4A6B3E910245CD2CCFF9.key
@@ -0,0 +1,15 @@ +Created: 20240929T162520 +Key: (private-key (rsa (n #00B1BF3E8A8CEA6A68439F67CDCAF5616B50D99A9F88 + 6D9E879D3FE990854E9ADFC35D7D26DBC5BC1800B3FF7B814F4623C1DFC34CAB4D326C + 3E269C6059D567B5144659B3C895B52B428BA7B74CC2FA130D06C689C45B8FF8DA1D7C + 7A578C99C0F221189D6BE045AE2EC8D2389423994BA0D650A2EDD2B7664642BFBF9691 + 495F#)(e #010001#)(d #57605C65AE94F39EF293136BB23842DE06DE19A90FDF573D + 723B3F5D5872C626767AE831687B0116498E326AABABE51E61C9564FC3ABCCBC322737 + DB137E191EB3B012B9C142290050EBD8ADD40BC68CCB577521E3A76DFD668BC6E584C7 + 0DD3B6CE545CC392B1D893EFB959BE3BD0EB7DF73A1F7AFBD9693353BA4FD3C05AED#) + (p #00C169E9E1DF8F39E7B2140FD52723FC5D10CCFC62D8A0876D39641AB00441345C + FC239EF8551B5F39CE850EF2DD79B98D70D57AD933648C86B7DD536B1B3AD6CB#)(q + #00EB43872BDDA397AC02A32E7CB0061ACB26A30497031D24FA793DE9EE4EFBACB1A4 + 6BF1444DE47CB63A6E254F2E4928BB0BB1F5C51C5247EEA8FF2D84BE25F13D#)(u + #00CEBE9717B5F7B59393065F884ACCA692F64545F492E50DF9070ACA9FBDA8A1EC03 + 906FDB9C112A97FADBB273E69548C6B17E6BE3BB664B9D02FB2100EF19AF7D#))) 
diff --git a/pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx b/pkgs/clan-cli/tests/data/gnupg-home/pubring.kbx new file mode 100644 index 0000000000000000000000000000000000000000..b07f082d4454f6f4f2c44427255361f62f128632 GIT binary patch literal 566 zcmZQzU{GLWWMJ}kib!Jsg0!FY1t1J!LjaQ)6C;=v$H2h2gn^MkX4Y(V#}jP2wzeM) zbh}yRscFS53I(cAfT#zm-~qD!0*{%xmEk-; z{p_i)iP-@+XU*@(o!36s{^f*LzghPW$JVOdKDtMOVe|j$Mt?WugZB^ntoAj^u~VCq z5P3CytB70V<`Yx5YCCl=-|lnhmoP8evCbpW{XcHW)>MV}%slW(QDScP1J`wWCoWk` zQJ(3&;99_L)!A{~^UU!o9PT98^)TAW&> zU{jJ>T;ho+xI}?)<6PqX( zCkHnZix?9#Ba<9ElXwFI7pDL$G}+9U|5ruI%q^Ke`SPAm_V2fGvHkt{!lV7+cFx;I zZ)`VYtjb8gr0mSX38U~$0hLQ%`K~lTJvt@@9Q}Kvp880p<8Hl~LHNTWBC8D+^9rodiOr}fC zP7b0u$I`~rC4ZdsdjMhgc9{WRV%q*SiS6&HW!jc7e`_e!DMG%PDba@k20kj{4lMFt zdtGo}CAQ6csNECQ?#{UXu)VCyQv5V zf7koTNLq0k`AcPoXNU?ak#NeVKK#{8PBN7(CfdEgT?r%-yo}IQSbPyQ^$jXQ7c=Lf z3a^O=6%e;qeD*hhm_|9ofDIOF-3HzI#xq9A?6-SvL`(OtNN$U7ZK;K2bfjd66T+3( znyV*sH%`f}`cMVsY{{Vbqc${{bne`F$?Cf1IdvN)YV!Fi{&l||IO>pb$t?2W3_J6V zlLkd=Pb>h#uDu>zB2{J|ass;Igh#d=H6;tg z37u&C0(SdT?BhcSWY%GY^pzd1O5XD!iyW=IsBb;`WyJN1gj@hmXl53ZU0_JMT_x1o zUDuTx>m!ouN;*(>Y3WKb03znpOhD3vQr90Vf zSTmOxH(#T_4CDsOytiZs#4*49A9ymN(888M!ue_nbB-z4_*X52A~iRGpMIz}Vkha* m#UZiSM)M6gj4qv~2MA7k2!Hnmq1SCrU literal 0 HcmV?d00001 diff --git a/pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg b/pkgs/clan-cli/tests/data/gnupg-home/trustdb.gpg new file mode 100644 index 0000000000000000000000000000000000000000..973814c8e0132991a2bb8a973520639cf4e2b295 GIT binary patch literal 1280 zcmZQfFGy!*W@Ke#Vqi%7SzpC~9WZiX7sn7CRfiEIV1dzap>w#%VYd$^IvO9akU*se zd${m0%$lw4c!EvW*7l=;Za2$3HLaLMp==OO$Rqs1%iwRZWmQYeTaRlhYrg6^T(-M; M>hVmdI)pL?0G!Dej{pDw literal 0 HcmV?d00001 diff --git a/pkgs/clan-cli/tests/data/gnupg.conf b/pkgs/clan-cli/tests/data/gnupg.conf new file mode 100644 index 000000000..eaa6ec764 --- /dev/null +++ b/pkgs/clan-cli/tests/data/gnupg.conf @@ -0,0 +1,6 @@ +Key-Type: 1 +Key-Length: 1024 +Name-Real: Root Superuser +Name-Email: test@local +Expire-Date: 0 +%no-protection 
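Review bot: Nothing in this commit reads `pkgs/clan-cli/tests/data/gnupg.conf` — the `gpg --batch --gen-key` step that consumed this parameter set is removed from test_vars.py — so the file seems to be kept only as a record of how the `gnupg-home` fixture was produced, and it should say so. GnuPG's batch parameter format accepts `#` comment lines, so a first line such as `# Parameters that generated tests/data/gnupg-home (throwaway 1024-bit test key, no passphrase); not read by the tests.` documents both its purpose and why this key must never be used outside the test suite. The `random_seed` blob committed alongside appears to be GnuPG's saved random-pool state, which gpg recreates when it is absent; it does not need to be versioned.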
diff --git a/pkgs/clan-cli/tests/data/password-store/.gpg-id b/pkgs/clan-cli/tests/data/password-store/.gpg-id
new file mode 100644
index 000000000..f4fc704e0
--- /dev/null
+++ b/pkgs/clan-cli/tests/data/password-store/.gpg-id
@@ -0,0 +1 @@
+test@local
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index a2fdfc1ef..46d80c448 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -1,5 +1,5 @@
 import json
-import subprocess
+import shutil
 from dataclasses import dataclass
 from io import StringIO
 from pathlib import Path
@@ -9,7 +9,7 @@ from age_keys import SopsSetup
 from clan_cli.clan_uri import FlakeId
 from clan_cli.errors import ClanError
 from clan_cli.machines.machines import Machine
-from clan_cli.nix import nix_eval, nix_shell, run
+from clan_cli.nix import nix_eval, run
 from clan_cli.vars.check import check_vars
 from clan_cli.vars.generate import generate_vars_for_machine
 from clan_cli.vars.list import stringify_all_vars
@@ -238,6 +238,7 @@ def test_generated_shared_secret_sops(
 def test_generate_secret_var_password_store(
 monkeypatch: pytest.MonkeyPatch,
 temporary_home: Path,
+ test_root: Path,
 ) -> None:
 config = nested_dict()
 config["nixpkgs"]["hostPlatform"] = "x86_64-linux"
@@ -258,29 +259,13 @@ def test_generate_secret_var_password_store(
 )
 monkeypatch.chdir(flake.path)
 gnupghome = temporary_home / "gpg"
- gnupghome.mkdir(mode=0o700)
+ shutil.copytree(test_root / "data" / "gnupg-home", gnupghome)
 monkeypatch.setenv("GNUPGHOME", str(gnupghome))
+
+ password_store_dir = temporary_home / "pass"
+ shutil.copytree(test_root / "data" / "password-store", password_store_dir)
 monkeypatch.setenv("PASSWORD_STORE_DIR", str(temporary_home / "pass"))
- gpg_key_spec = temporary_home / "gpg_key_spec"
- gpg_key_spec.write_text(
- """
- Key-Type: 1
- Key-Length: 1024
- Name-Real: Root Superuser
- Name-Email: test@local
- Expire-Date: 0
- %no-protection
- """
- )
- subprocess.run(
- nix_shell(
- ["nixpkgs#gnupg"], ["gpg", "--batch", "--gen-key", str(gpg_key_spec)]
- ),
- check=True,
- )
- subprocess.run(
- nix_shell(["nixpkgs#pass"], ["pass", "init", "test@local"]), check=True
- )
+
 machine = Machine(name="my_machine", flake=FlakeId(str(flake.path)))
 assert not check_vars(machine)
 cli.run(["vars", "generate", "--flake", str(flake.path), "my_machine"])
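Review bot: The `shutil.copytree(test_root / "data" / "gnupg-home", gnupghome)` line drops the `mode=0o700` that the removed `gnupghome.mkdir` call set: copytree reproduces the source directory's mode (and, via its default copy2, the files' modes), so the new home gets whatever the checkout has, typically 0755, and becomes read-only if `test_root` points into a read-only store — gpg then warns about an unsafe homedir at best and at worst cannot write its lock files, trustdb or random_seed there. Restore the mode after the copy, `gnupghome.chmod(0o700)`, and make the copied files writable if the fixture tree can be read-only. The later `monkeypatch.setenv("PASSWORD_STORE_DIR", str(temporary_home / "pass"))` rebuilds the path that `password_store_dir` already holds; pass `str(password_store_dir)` instead. A one-line comment at the copytree call, `# fixture keyring: unprotected throwaway test key, see tests/data/gnupg.conf`, would tell readers what is being copied and that it is not a real secret. The function's body continues outside the hunk.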