initial commit

tests/fixtures/nix-secrets/age_key.txt

@@ -0,0 +1,3 @@
+# created: 2025-02-07T09:27:05+08:00
+# public key: age1uq2uymv63r4h5r47vkuhjz3hcz9rv48df8u5jt8zeejgt2wzme3qz3se8y
+AGE-SECRET-KEY-1Z7AENV0K5VRCV87EDK2XYE4ZWJ3G39W7J3TEAWQSX2F46NGWL4FQ6QKGLE

tests/fixtures/nix-secrets/sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  users:
+    - &alice_testbox USER_KEY_1
+  hosts:
+    - &testbox age1v8v79wlsjnwvxaa6eulqx3zft0m5srj7etgk4v3rg80j42uzecxs26gaxz
+  creation_rules:
+  - path_regex: shared\.yaml$
+    key_groups:
+      - age:
+          - *alice_testbox
+          - *testbox

tests/helpers/test_helper.bash

@@ -0,0 +1,9 @@
+setup() {
+	TEST_TEMP="$(mktemp -d)"
+	FIXTURES_DIR="$(dirname "$BATS_TEST_DIRNAME")/tests/fixtures"
+	export TEST_TEMP
+	export FIXTURES_DIR
+}
+teardown() {
+	rm -rf "$TEST_TEMP"
+}

tests/sops.bats

@@ -0,0 +1,102 @@
+AGE_TEST_KEY_1="age1v8v79wlsjnwvxaa6eulqx3zft0m5srj7etgk4v3rg80j42uzecxs26gaxz"
+AGE_TEST_KEY_2="age1zmplxr8x2h3tk4fd3zkleyspa7vtnyz5pyrj7zlf5vsl3fquhqvsp8n4k0"
+AGE_TEST_KEY_3="age1zrjsjhsuwhqkdn2psjpukrsgjh5qls9023gructewn9skz4ya9gskncgmq"
+AGE_TEST_KEY_4="age1e4zy6wcl0a8teaudtmsujkuupf56vkqdul0gljlssdqftrx3uphqqfx8p7"
+
+# This key has a real associated private key in the fixtures
+AGE_STATIC_HOST_KEY="age1uq2uymv63r4h5r47vkuhjz3hcz9rv48df8u5jt8zeejgt2wzme3qz3se8y"
+
+setup_sops() {
+	load 'helpers/test_helper'
+	setup
+	mkdir -p "$TEST_TEMP"
+	cp -R "$FIXTURES_DIR"/nix-secrets/*.yaml "$TEST_TEMP"
+	mv "$TEST_TEMP/sops.yaml" "$TEST_TEMP/.sops.yaml"
+	NIX_SECRETS_DIR="$TEST_TEMP"
+	export NIX_SECRETS_DIR
+	# shellcheck disable=SC1091
+	source "$BATS_TEST_DIRNAME/../scripts/helpers.sh"
+}
+
+@test "add sops user anchor" {
+	setup_sops
+
+	sops_update_age_key users alice_testbox "${AGE_TEST_KEY_2}"
+
+	run grep -c "&alice_testbox" "$NIX_SECRETS_DIR"/.sops.yaml
+	[ "$status" -eq 0 ]
+	[ "$output" = "1" ]
+
+	run grep "${AGE_TEST_KEY_2}" "$NIX_SECRETS_DIR"/.sops.yaml
+	[ "$status" -eq 0 ]
+
+	teardown
+}
+
+@test "add sops host anchor" {
+	setup_sops
+
+	sops_update_age_key hosts testbox "${AGE_TEST_KEY_1}"
+
+	run grep -c "&testbox" "$NIX_SECRETS_DIR"/.sops.yaml
+	[ "$status" -eq 0 ]
+	[ "$output" = "1" ]
+
+	run grep "${AGE_TEST_KEY_1}" "$NIX_SECRETS_DIR"/.sops.yaml
+	[ "$status" -eq 0 ]
+
+	teardown
+}
+
+@test "update shared creation rules" {
+	setup_sops
+
+	sops_update_age_key users bob_deadbeef "${AGE_TEST_KEY_3}"
+	sops_update_age_key hosts deadbeef "${AGE_TEST_KEY_4}"
+	sops_add_shared_creation_rules bob deadbeef
+
+	yq '.creation_rules' "$NIX_SECRETS_DIR"/.sops.yaml >"$TEST_TEMP/creation_rules"
+	run grep "bob" "$TEST_TEMP/creation_rules"
+	[ "$status" -eq 0 ]
+
+	run grep "deadbeef" "$TEST_TEMP/creation_rules"
+	[ "$status" -eq 0 ]
+
+	teardown
+}
+
+@test "add host creation rules to sops" {
+	setup_sops
+
+	sops_update_age_key users bob_deadbeef "${AGE_TEST_KEY_1}"
+	sops_update_age_key hosts deadbeef "${AGE_TEST_KEY_2}"
+	sops_update_age_key users "$(whoami)_$(hostname)" "${AGE_STATIC_HOST_KEY}"
+	sops_update_age_key hosts "$(hostname)" "${AGE_STATIC_HOST_KEY}"
+	sops_add_host_creation_rules bob deadbeef
+
+	yq '.creation_rules' "$NIX_SECRETS_DIR"/.sops.yaml >"$TEST_TEMP/creation_rules"
+	run grep "bob" "$TEST_TEMP/creation_rules"
+	[ "$status" -eq 0 ]
+
+	run grep "deadbeef" "$TEST_TEMP/creation_rules"
+	[ "$status" -eq 0 ]
+
+	teardown
+}
+
+@test "add host.yaml file" {
+	setup_sops
+
+	sops_update_age_key users bob_deadbeef "${AGE_TEST_KEY_1}"
+	sops_update_age_key hosts deadbeef "${AGE_TEST_KEY_2}"
+	sops_update_age_key users "$(whoami)_$(hostname)" "${AGE_STATIC_HOST_KEY}"
+	sops_update_age_key hosts "$(hostname)" "${AGE_STATIC_HOST_KEY}"
+	sops_add_host_creation_rules bob deadbeef
+
+	# Create a new <host>.yaml file and verify it holds the correct entry
+	export SOPS_AGE_KEY_FILE="$BATS_TEST_DIRNAME/fixtures/nix-secrets/age_key.txt"
+	run sops_setup_user_age_key "deadbeef" "bob"
+	[ "$status" -eq 0 ]
+
+	teardown
+}