allow to set groups/admins/users when setting secrets

2023-08-08 19:40:35 +02:00 · 2023-08-08 19:40:35 +02:00 · 2988532909
commit 2988532909
parent 5ee620b77b
2 changed files with 50 additions and 9 deletions
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@ -3,7 +3,6 @@ import getpass
 import os
 import shutil
 import sys
-from io import StringIO
 from pathlib import Path
 from typing import IO, Union

@ -171,14 +170,19 @@ def get_command(args: argparse.Namespace) -> None:


 def set_command(args: argparse.Namespace) -> None:
-    secret_value = os.environ.get("SOPS_NIX_SECRET")
-    if secret_value:
-        encrypt_secret(sops_secrets_folder() / args.secret, StringIO(secret_value))
+    env_value = os.environ.get("SOPS_NIX_SECRET")
+    secret_value: Union[str, IO[str]] = sys.stdin
+    if env_value:
+        secret_value = env_value
    elif tty.is_interactive():
-        secret = getpass.getpass(prompt="Paste your secret: ")
-        encrypt_secret(sops_secrets_folder() / args.secret, StringIO(secret))
-    else:
-        encrypt_secret(sops_secrets_folder() / args.secret, sys.stdin)
+        secret_value = getpass.getpass(prompt="Paste your secret: ")
+    encrypt_secret(
+        sops_secrets_folder() / args.secret,
+        secret_value,
+        args.user,
+        args.machine,
+        args.group,
+    )


 def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:
@ -191,6 +195,27 @@ def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:

    parser_set = subparser.add_parser("set", help="set a secret")
    add_secret_argument(parser_set)
+    parser_set.add_argument(
+        "--group",
+        type=str,
+        action="append",
+        default=[],
+        help="the group to import the secrets to",
+    )
+    parser_set.add_argument(
+        "--machine",
+        type=str,
+        action="append",
+        default=[],
+        help="the machine to import the secrets to",
+    )
+    parser_set.add_argument(
+        "--user",
+        type=str,
+        action="append",
+        default=[],
+        help="the user to import the secrets to",
+    )
    parser_set.set_defaults(func=set_command)

    parser_delete = subparser.add_parser("remove", help="remove a secret")
--- a/pkgs/clan-cli/tests/test_secrets.py
+++ b/pkgs/clan-cli/tests/test_secrets.py
@ -122,6 +122,11 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
        capsys.readouterr()
        cli.run(["get", "key"])
        assert capsys.readouterr().out == "foo"
+        capsys.readouterr()
+        cli.run(["users", "list"])
+        users = capsys.readouterr().out.rstrip().split("\n")
+        assert len(users) == 1, f"users: {users}"
+        owner = users[0]

        capsys.readouterr()  # empty the buffer
        cli.run(["list"])
@ -147,8 +152,12 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
        with pytest.raises(ClanError):  # does not exist yet
            cli.run(["groups", "add-secret", "admin-group", "key"])
        cli.run(["groups", "add-user", "admin-group", "user1"])
+        cli.run(["groups", "add-user", "admin-group", owner])
        cli.run(["groups", "add-secret", "admin-group", "key"])

+        capsys.readouterr()  # empty the buffer
+        cli.run(["set", "--group", "admin-group", "key2"])
+
        with mock_env(SOPS_AGE_KEY=PRIVKEY_2, SOPS_AGE_KEY_FILE=""):
            capsys.readouterr()
            cli.run(["get", "key"])
@ -156,6 +165,7 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
        cli.run(["groups", "remove-secret", "admin-group", "key"])

    cli.run(["remove", "key"])
+    cli.run(["remove", "key2"])

    capsys.readouterr()  # empty the buffer
    cli.run(["list"])
@ -169,7 +179,8 @@ def test_import_sops(

    with mock_env(SOPS_AGE_KEY=PRIVKEY_2):
        cli.run(["machines", "add", "machine1", PUBKEY])
-        cli.run(["users", "add", "user1", PUBKEY_3])
+        cli.run(["users", "add", "user1", PUBKEY_2])
+        cli.run(["users", "add", "user2", PUBKEY_3])

        # To edit:
        # SOPS_AGE_KEY=AGE-SECRET-KEY-1U5ENXZQAY62NC78Y2WC0SEGRRMAEEKH79EYY5TH4GPFWJKEAY0USZ6X7YQ sops --age age14tva0txcrl0zes05x7gkx56qd6wd9q3nwecjac74xxzz4l47r44sv3fz62 ./data/secrets.yaml
@ -183,6 +194,11 @@ def test_import_sops(
                str(test_root.joinpath("data", "secrets.yaml")),
            ]
        )
+        capsys.readouterr()
+        cli.run(["users", "list"])
+        users = sorted(capsys.readouterr().out.rstrip().split())
+        assert users == ["user1", "user2"]
+
        capsys.readouterr()
        cli.run(["get", "secret-key"])
        assert capsys.readouterr().out == "secret-value"