Merge pull request 'secrets: add git support when updating secrets' (#862) from Mic92-target_host into main

This commit is contained in:
clan-bot 2024-02-20 11:45:13 +00:00
commit 7091b09fa7


@ -8,6 +8,7 @@ from typing import IO
from .. import tty from .. import tty
from ..errors import ClanError from ..errors import ClanError
from ..git import commit_files
from .folders import ( from .folders import (
list_objects, list_objects,
sops_groups_folder, sops_groups_folder,
@ -63,42 +64,58 @@ def encrypt_secret(
key = ensure_sops_key(flake_dir) key = ensure_sops_key(flake_dir)
keys = set([]) keys = set([])
files_to_commit = []
for user in add_users: for user in add_users:
files_to_commit.append(
allow_member( allow_member(
users_folder(flake_dir, secret.name), users_folder(flake_dir, secret.name),
sops_users_folder(flake_dir), sops_users_folder(flake_dir),
user, user,
False, False,
) )
)
for machine in add_machines: for machine in add_machines:
files_to_commit.append(
allow_member( allow_member(
machines_folder(flake_dir, secret.name), machines_folder(flake_dir, secret.name),
sops_machines_folder(flake_dir), sops_machines_folder(flake_dir),
machine, machine,
False, False,
) )
)
for group in add_groups: for group in add_groups:
files_to_commit.append(
allow_member( allow_member(
groups_folder(flake_dir, secret.name), groups_folder(flake_dir, secret.name),
sops_groups_folder(flake_dir), sops_groups_folder(flake_dir),
group, group,
False, False,
) )
)
keys = collect_keys_for_path(secret) keys = collect_keys_for_path(secret)
if key.pubkey not in keys: if key.pubkey not in keys:
keys.add(key.pubkey) keys.add(key.pubkey)
files_to_commit.append(
allow_member( allow_member(
users_folder(flake_dir, secret.name), users_folder(flake_dir, secret.name),
sops_users_folder(flake_dir), sops_users_folder(flake_dir),
key.username, key.username,
False, False,
) )
)
encrypt_file(secret / "secret", value, list(sorted(keys))) secret_path = secret / "secret"
encrypt_file(secret_path, value, list(sorted(keys)))
files_to_commit.append(secret_path)
commit_files(
files_to_commit,
flake_dir,
f"Update secret {secret.name}",
)
def remove_secret(flake_dir: Path, secret: str) -> None: def remove_secret(flake_dir: Path, secret: str) -> None:
@ -139,7 +156,7 @@ def list_directory(directory: Path) -> str:
def allow_member( def allow_member(
group_folder: Path, source_folder: Path, name: str, do_update_keys: bool = True group_folder: Path, source_folder: Path, name: str, do_update_keys: bool = True
) -> None: ) -> Path:
source = source_folder / name source = source_folder / name
if not source.exists(): if not source.exists():
msg = f"Cannot encrypt {group_folder.parent.name} for '{name}' group. '{name}' group does not exist in {source_folder}: " msg = f"Cannot encrypt {group_folder.parent.name} for '{name}' group. '{name}' group does not exist in {source_folder}: "
@ -160,6 +177,7 @@ def allow_member(
group_folder.parent, group_folder.parent,
list(sorted(collect_keys_for_path(group_folder.parent))), list(sorted(collect_keys_for_path(group_folder.parent))),
) )
return user_target
def disallow_member(group_folder: Path, name: str) -> None: def disallow_member(group_folder: Path, name: str) -> None:
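Review bot: In the new tail of `encrypt_secret`, `commit_files(...)` runs only after `encrypt_file` and every `allow_member` call have already written to the working tree, so if the commit step fails (for instance when `flake_dir` is not a git checkout — whether `commit_files` tolerates that is not visible here) the secret and the updated membership files are presumably left on disk, valid but uncommitted, with the error surfacing after the state change. If that is the intended best-effort behaviour, a comment above the call such as `# secret and membership files are already on disk; the commit is bookkeeping only` would make it explicit; otherwise the failure mode belongs in the function's docstring. The new `-> Path` return on `allow_member` (`return user_target`) is undocumented: a one-line docstring like `"""Grant *name* access to the secret and return the path of the membership file that was written."""` would record what the returned path is, assuming `user_target` is that file — its assignment lies between the two hunks and is outside this view.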