From 298853290938786d4eb165d534e2dab1dc752af6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Tue, 8 Aug 2023 19:40:35 +0200
Subject: [PATCH] allow to set groups/admins/users when setting secrets

---
 pkgs/clan-cli/clan_cli/secrets/secrets.py | 41 ++++++++++++++++++-----
 pkgs/clan-cli/tests/test_secrets.py       | 18 +++++++++-
 2 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/pkgs/clan-cli/clan_cli/secrets/secrets.py b/pkgs/clan-cli/clan_cli/secrets/secrets.py
index 420fc672..db869b07 100644
--- a/pkgs/clan-cli/clan_cli/secrets/secrets.py
+++ b/pkgs/clan-cli/clan_cli/secrets/secrets.py
@@ -3,7 +3,6 @@ import getpass
 import os
 import shutil
 import sys
-from io import StringIO
 from pathlib import Path
 from typing import IO, Union
 
@@ -171,14 +170,19 @@ def get_command(args: argparse.Namespace) -> None:
 
 
 def set_command(args: argparse.Namespace) -> None:
-    secret_value = os.environ.get("SOPS_NIX_SECRET")
-    if secret_value:
-        encrypt_secret(sops_secrets_folder() / args.secret, StringIO(secret_value))
+    env_value = os.environ.get("SOPS_NIX_SECRET")
+    secret_value: Union[str, IO[str]] = sys.stdin
+    if env_value:
+        secret_value = env_value
     elif tty.is_interactive():
-        secret = getpass.getpass(prompt="Paste your secret: ")
-        encrypt_secret(sops_secrets_folder() / args.secret, StringIO(secret))
-    else:
-        encrypt_secret(sops_secrets_folder() / args.secret, sys.stdin)
+        secret_value = getpass.getpass(prompt="Paste your secret: ")
+    encrypt_secret(
+        sops_secrets_folder() / args.secret,
+        secret_value,
+        args.user,
+        args.machine,
+        args.group,
+    )
 
 
 def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:
@@ -191,6 +195,27 @@ def register_secrets_parser(subparser: argparse._SubParsersAction) -> None:
 
     parser_set = subparser.add_parser("set", help="set a secret")
     add_secret_argument(parser_set)
+    parser_set.add_argument(
+        "--group",
+        type=str,
+        action="append",
+        default=[],
+        help="the group to import the secrets to",
+    )
+    parser_set.add_argument(
+        "--machine",
+        type=str,
+        action="append",
+        default=[],
+        help="the machine to import the secrets to",
+    )
+    parser_set.add_argument(
+        "--user",
+        type=str,
+        action="append",
+        default=[],
+        help="the user to import the secrets to",
+    )
     parser_set.set_defaults(func=set_command)
 
     parser_delete = subparser.add_parser("remove", help="remove a secret")
diff --git a/pkgs/clan-cli/tests/test_secrets.py b/pkgs/clan-cli/tests/test_secrets.py
index d944f816..50c9f7b7 100644
--- a/pkgs/clan-cli/tests/test_secrets.py
+++ b/pkgs/clan-cli/tests/test_secrets.py
@@ -122,6 +122,11 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
         capsys.readouterr()
         cli.run(["get", "key"])
         assert capsys.readouterr().out == "foo"
+        capsys.readouterr()
+        cli.run(["users", "list"])
+        users = capsys.readouterr().out.rstrip().split("\n")
+        assert len(users) == 1, f"users: {users}"
+        owner = users[0]
 
         capsys.readouterr()  # empty the buffer
         cli.run(["list"])
@@ -147,8 +152,12 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
         with pytest.raises(ClanError):  # does not exist yet
             cli.run(["groups", "add-secret", "admin-group", "key"])
         cli.run(["groups", "add-user", "admin-group", "user1"])
+        cli.run(["groups", "add-user", "admin-group", owner])
         cli.run(["groups", "add-secret", "admin-group", "key"])
 
+        capsys.readouterr()  # empty the buffer
+        cli.run(["set", "--group", "admin-group", "key2"])
+
         with mock_env(SOPS_AGE_KEY=PRIVKEY_2, SOPS_AGE_KEY_FILE=""):
             capsys.readouterr()
             cli.run(["get", "key"])
@@ -156,6 +165,7 @@ def test_secrets(clan_flake: Path, capsys: pytest.CaptureFixture) -> None:
         cli.run(["groups", "remove-secret", "admin-group", "key"])
 
     cli.run(["remove", "key"])
+    cli.run(["remove", "key2"])
 
     capsys.readouterr()  # empty the buffer
     cli.run(["list"])
@@ -169,7 +179,8 @@ def test_import_sops(
 
     with mock_env(SOPS_AGE_KEY=PRIVKEY_2):
         cli.run(["machines", "add", "machine1", PUBKEY])
-        cli.run(["users", "add", "user1", PUBKEY_3])
+        cli.run(["users", "add", "user1", PUBKEY_2])
+        cli.run(["users", "add", "user2", PUBKEY_3])
 
         # To edit:
         # SOPS_AGE_KEY=AGE-SECRET-KEY-1U5ENXZQAY62NC78Y2WC0SEGRRMAEEKH79EYY5TH4GPFWJKEAY0USZ6X7YQ sops --age age14tva0txcrl0zes05x7gkx56qd6wd9q3nwecjac74xxzz4l47r44sv3fz62 ./data/secrets.yaml
@@ -183,6 +194,11 @@ def test_import_sops(
                 str(test_root.joinpath("data", "secrets.yaml")),
             ]
         )
+        capsys.readouterr()
+        cli.run(["users", "list"])
+        users = sorted(capsys.readouterr().out.rstrip().split())
+        assert users == ["user1", "user2"]
+
         capsys.readouterr()
         cli.run(["get", "secret-key"])
         assert capsys.readouterr().out == "secret-value"