Jörg Thalheim
f0f97baa65
They get shadowed by subargparser options.
import logging
import os
from collections.abc import Iterator
from contextlib import contextmanager
from typing import TYPE_CHECKING
import pytest
from cli import Cli
from fixtures_flakes import FlakeForTest
from clan_cli.errors import ClanError
if TYPE_CHECKING:
    # Only needed for the list["KeyPair"] annotations below; age_keys is a
    # test-local fixture module, so it is not imported at runtime.
    from age_keys import KeyPair

log = logging.getLogger(__name__)
def _test_identities(
    what: str,
    test_flake: FlakeForTest,
    capsys: pytest.CaptureFixture,
    age_keys: list["KeyPair"],
) -> None:
    """Drive the add / get / list / remove lifecycle of ``clan secrets <what>``.

    ``what`` is ``"users"`` or ``"machines"``; both identity kinds expose the
    same sub-commands and store their recipient key under
    ``sops/<what>/<name>/key.json``.

    Args:
        what: identity sub-command to exercise.
        test_flake: throwaway flake the identities are written into.
        capsys: pytest capture fixture used to read the CLI's stdout.
        age_keys: pre-generated test key pairs; ``[0]`` is the initial key,
            ``[1]`` the rotation target.
    """
    cli = Cli()
    flake = str(test_flake.path)
    key_file = test_flake.path / "sops" / what / "foo" / "key.json"

    def run(verb: str, *rest: str) -> None:
        # ``--flake`` goes right after the sub-command; per the commit message a
        # leading global option gets shadowed by the sub-parser's own options.
        cli.run(["secrets", what, verb, "--flake", flake, *rest])

    def output(verb: str, *rest: str) -> str:
        capsys.readouterr()  # drop whatever earlier commands printed
        run(verb, *rest)
        return capsys.readouterr().out

    run("add", "foo", age_keys[0].pubkey)
    assert key_file.exists()

    # A plain ``add`` must refuse to overwrite an existing identity ...
    with pytest.raises(ClanError):  # raises "foo already exists"
        run("add", "foo", age_keys[0].pubkey)

    # ... only ``-f`` rotates it in place.
    # NOTE(review): the replacement is handed in as ``age_keys[1].privkey``
    # although ``add`` takes a recipient (public) key; the assertion below can
    # only hold if the CLI derives the public half.  Confirm that an age secret
    # key passed here is never stored verbatim in key.json.
    run("add", "-f", "foo", age_keys[1].privkey)
    assert age_keys[1].pubkey in output("get", "foo")

    assert "foo" in output("list")

    run("remove", "foo")
    assert not key_file.exists()

    with pytest.raises(ClanError):  # already removed
        run("remove", "foo")

    assert "foo" not in output("list")
def test_users(
    test_flake: FlakeForTest, capsys: pytest.CaptureFixture, age_keys: list["KeyPair"]
) -> None:
    """User identities go through the shared add/get/list/remove lifecycle."""
    _test_identities(
        what="users",
        test_flake=test_flake,
        capsys=capsys,
        age_keys=age_keys,
    )
def test_machines(
    test_flake: FlakeForTest, capsys: pytest.CaptureFixture, age_keys: list["KeyPair"]
) -> None:
    """Machine identities go through the shared add/get/list/remove lifecycle."""
    _test_identities(
        what="machines",
        test_flake=test_flake,
        capsys=capsys,
        age_keys=age_keys,
    )
def test_groups(
    test_flake: FlakeForTest, capsys: pytest.CaptureFixture, age_keys: list["KeyPair"]
) -> None:
    """Group membership: members must exist first; an emptied group leaves no trace.

    Args:
        test_flake: throwaway flake the identities and groups are written into.
        capsys: pytest capture fixture used to read the CLI's stdout.
        age_keys: pre-generated test key pairs; only ``[0]`` is used here.
    """
    cli = Cli()
    flake = str(test_flake.path)

    def run(area: str, verb: str, *rest: str) -> None:
        # ``--flake`` is placed right after the sub-command (see commit message).
        cli.run(["secrets", area, verb, "--flake", flake, *rest])

    def output(area: str, verb: str, *rest: str) -> str:
        capsys.readouterr()  # drop whatever earlier commands printed
        run(area, verb, *rest)
        return capsys.readouterr().out

    assert output("groups", "list") == ""

    # Membership may only reference identities that already have a key on file.
    with pytest.raises(ClanError):  # machine does not exist yet
        run("groups", "add-machine", "group1", "machine1")
    with pytest.raises(ClanError):  # user does not exist yet
        # NOTE(review): "groupb1" looks like a typo for "group1"; the error is
        # raised for the missing user either way, so it is left as found.
        run("groups", "add-user", "groupb1", "user1")

    run("machines", "add", "machine1", age_keys[0].pubkey)
    run("groups", "add-machine", "group1", "machine1")

    # Should this fail?  Adding a member a second time is currently accepted
    # (the call below does not raise); tightening it would need a change here.
    run("groups", "add-machine", "group1", "machine1")

    run("users", "add", "user1", age_keys[0].pubkey)
    run("groups", "add-user", "group1", "user1")

    listing = output("groups", "list")
    assert "user1" in listing
    assert "machine1" in listing

    run("groups", "remove-user", "group1", "user1")
    run("groups", "remove-machine", "group1", "machine1")
    # Once the last member is gone the groups directory is empty again, i.e.
    # no member-less group directory lingers on disk.
    assert os.listdir(test_flake.path / "sops" / "groups") == []
@contextmanager
|
|
def use_key(key: str, monkeypatch: pytest.MonkeyPatch) -> Iterator[None]:
|
|
old_key = os.environ["SOPS_AGE_KEY_FILE"]
|
|
monkeypatch.delenv("SOPS_AGE_KEY_FILE")
|
|
monkeypatch.setenv("SOPS_AGE_KEY", key)
|
|
try:
|
|
yield
|
|
finally:
|
|
monkeypatch.delenv("SOPS_AGE_KEY")
|
|
monkeypatch.setenv("SOPS_AGE_KEY_FILE", old_key)
def test_secrets(
    test_flake: FlakeForTest,
    capsys: pytest.CaptureFixture,
    monkeypatch: pytest.MonkeyPatch,
    age_keys: list["KeyPair"],
) -> None:
    """End-to-end secret lifecycle.

    Covers admin key generation, ``set``/``get``/``rename``/``remove``, granting a
    secret to a machine, a user and a group, key rotation, and the re-encryption
    that must lock out a user removed from a group.  Decryption is attempted with
    :func:`use_key`, which leaves only the chosen age identity in the environment,
    so each ``get`` proves that exactly that identity is (or is no longer) a
    recipient.

    Args:
        test_flake: throwaway flake the secrets are written into.
        capsys: pytest capture fixture used to read the CLI's stdout.
        monkeypatch: pytest fixture used to inject the environment sops reads.
        age_keys: pre-generated test key pairs for machine1/user1/user2.
    """
    cli = Cli()
    flake = str(test_flake.path)
    flake_arg = ("--flake", flake)  # always spliced in right after the sub-command

    def run(*argv: str) -> None:
        cli.run(["secrets", *argv])

    def output(*argv: str) -> str:
        capsys.readouterr()  # discard whatever earlier commands printed
        run(*argv)
        return capsys.readouterr().out

    assert output("list", *flake_arg) == ""

    # Non-interactive inputs: SOPS_NIX_SECRET feeds the value to ``set``, and the
    # generated admin key is written *next to* the flake rather than inside it,
    # keeping the secret key out of the tree that holds the encrypted files.
    monkeypatch.setenv("SOPS_NIX_SECRET", "foo")
    monkeypatch.setenv("SOPS_AGE_KEY_FILE", str(test_flake.path / ".." / "age.key"))
    run("key", "generate", *flake_arg)
    key = output("key", "show", *flake_arg)
    assert key.startswith("age1")
    # ``key`` is passed exactly as printed (trailing newline included).
    run("users", "add", *flake_arg, "testuser", key)

    with pytest.raises(ClanError):  # does not exist yet
        run("get", *flake_arg, "nonexisting")
    run("set", *flake_arg, "initialkey")
    assert output("get", *flake_arg, "initialkey") == "foo"
    users = output("users", "list", *flake_arg).rstrip().split("\n")
    assert len(users) == 1, f"users: {users}"
    owner = users[0]

    # ``--edit`` hands the plaintext to $EDITOR; ``cat`` simply echoes it back.
    monkeypatch.setenv("EDITOR", "cat")
    run("set", "--edit", *flake_arg, "initialkey")
    monkeypatch.delenv("EDITOR")

    run("rename", *flake_arg, "initialkey", "key")

    assert output("list", *flake_arg) == "key\n"
    assert output("list", *flake_arg, "nonexisting") == ""
    assert output("list", *flake_arg, "key") == "key\n"

    # Machine access: grant, decrypt with the machine key, rotate, decrypt again.
    run("machines", "add", *flake_arg, "machine1", age_keys[1].pubkey)
    run("machines", "add-secret", *flake_arg, "machine1", "key")
    assert output("machines", "list", *flake_arg) == "machine1\n"

    with use_key(age_keys[1].privkey, monkeypatch):
        assert output("get", *flake_arg, "key") == "foo"

    # rotate machines key
    # NOTE(review): the new key is given as ``age_keys[0].privkey`` although the
    # argument is a recipient key; confirm the CLI derives the public half and
    # does not persist the secret key in the flake.
    run("machines", "add", *flake_arg, "-f", "machine1", age_keys[0].privkey)

    # should also rotate the encrypted secret
    with use_key(age_keys[0].privkey, monkeypatch):
        assert output("get", *flake_arg, "key") == "foo"

    run("machines", "remove-secret", *flake_arg, "machine1", "key")
    # NOTE(review): nothing checks that age_keys[0] can no longer decrypt "key"
    # after remove-secret; only the group removal further down has such a
    # negative check.  Worth adding if remove-secret is meant to re-encrypt.

    # User access follows the same grant / decrypt / revoke pattern.
    run("users", "add", *flake_arg, "user1", age_keys[1].pubkey)
    run("users", "add-secret", *flake_arg, "user1", "key")
    with use_key(age_keys[1].privkey, monkeypatch):
        assert output("get", *flake_arg, "key") == "foo"
    run("users", "remove-secret", *flake_arg, "user1", "key")

    # Group access: add-secret on a group that was never created is refused.
    with pytest.raises(ClanError):  # does not exist yet
        run("groups", "add-secret", *flake_arg, "admin-group", "key")
    run("groups", "add-user", *flake_arg, "admin-group", "user1")
    run("groups", "add-user", *flake_arg, "admin-group", owner)
    run("groups", "add-secret", *flake_arg, "admin-group", "key")

    capsys.readouterr()  # empty the buffer
    run("set", *flake_arg, "--group", "admin-group", "key2")

    with use_key(age_keys[1].privkey, monkeypatch):
        assert output("get", *flake_arg, "key") == "foo"

    # extend group will update secrets
    run("users", "add", *flake_arg, "user2", age_keys[2].pubkey)
    run("groups", "add-user", *flake_arg, "admin-group", "user2")
    with use_key(age_keys[2].privkey, monkeypatch):  # user2
        assert output("get", *flake_arg, "key") == "foo"

    # Shrinking the group must re-encrypt so the removed member is locked out.
    run("groups", "remove-user", *flake_arg, "admin-group", "user2")
    with pytest.raises(ClanError), use_key(age_keys[2].privkey, monkeypatch):
        # user2 is not in the group anymore
        print(output("get", *flake_arg, "key"))

    run("groups", "remove-secret", *flake_arg, "admin-group", "key")

    run("remove", *flake_arg, "key")
    run("remove", *flake_arg, "key2")
    assert output("list", *flake_arg) == ""