don't add user to a secret if they already can access the secret

If the user is part of a group we don't need to add them explicitly
2023-08-09 10:17:11 +02:00
parent 0f32aa79e4
commit 68905fc233
7 changed files with 168 additions and 118 deletions
--- a/pkgs/clan-cli/tests/test_import_sops.py
+++ b/pkgs/clan-cli/tests/test_import_sops.py
@@ -0,0 +1,46 @@
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+import pytest
+from environment import mock_env
+from secret_cli import SecretCli
+
+if TYPE_CHECKING:
+    from test_keys import KeyPair
+
+
+def test_import_sops(
+    test_root: Path,
+    clan_flake: Path,
+    capsys: pytest.CaptureFixture,
+    test_keys: list["KeyPair"],
+) -> None:
+    cli = SecretCli()
+
+    with mock_env(SOPS_AGE_KEY=test_keys[1].privkey):
+        cli.run(["machines", "add", "machine1", test_keys[0].pubkey])
+        cli.run(["users", "add", "user1", test_keys[1].pubkey])
+        cli.run(["users", "add", "user2", test_keys[2].pubkey])
+        cli.run(["groups", "add-user", "group1", "user1"])
+        cli.run(["groups", "add-user", "group1", "user2"])
+
+        # To edit:
+        # SOPS_AGE_KEY=AGE-SECRET-KEY-1U5ENXZQAY62NC78Y2WC0SEGRRMAEEKH79EYY5TH4GPFWJKEAY0USZ6X7YQ sops --age age14tva0txcrl0zes05x7gkx56qd6wd9q3nwecjac74xxzz4l47r44sv3fz62 ./data/secrets.yaml
+        cli.run(
+            [
+                "import-sops",
+                "--group",
+                "group1",
+                "--machine",
+                "machine1",
+                str(test_root.joinpath("data", "secrets.yaml")),
+            ]
+        )
+        capsys.readouterr()
+        cli.run(["users", "list"])
+        users = sorted(capsys.readouterr().out.rstrip().split())
+        assert users == ["user1", "user2"]
+
+        capsys.readouterr()
+        cli.run(["get", "secret-key"])
+        assert capsys.readouterr().out == "secret-value"