
Allow nested secrets in secrets.json #328

Open. Wants to merge 3 commits into base: master

Conversation

@srid srid commented May 8, 2023

Prior to this change, if secrets.json had nested secrets (example) we would see this error:

```
sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary
```

The reason happens to be that introspecting the map key to be interface fails, when it is in fact a string. This PR makes it so that we always expect the key to be a string (what else could it be?). It also improves the error message, by telling the user what the actual value type is.

Prior to this change, if secrets.json had nested secrets we would see
this error (example):

```
sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary
```

The reason is that introspecting the map key to be `interface` fails,
when it is in fact a string.
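The type discrepancy behind this error, as an added example that is not sops-nix's own code: `encoding/json` decodes nested objects as `map[string]interface{}`, while YAML decoders such as gopkg.in/yaml.v2 yield `map[interface{}]interface{}`, so a lookup that asserts only the YAML shape fails on nested JSON. The function names and the sample JSON document are mine; the lookup accepts both shapes and names the actual Go type in the error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// asStringMap accepts both shapes a decoded manifest can have: encoding/json
// gives map[string]interface{}, gopkg.in/yaml.v2 gives map[interface{}]interface{}.
func asStringMap(v interface{}) (map[string]interface{}, bool) {
	switch m := v.(type) {
	case map[string]interface{}:
		return m, true
	case map[interface{}]interface{}:
		out := make(map[string]interface{}, len(m))
		for k, val := range m {
			// fmt.Sprint also covers YAML's non-string scalar keys such as `1:`,
			// where a bare k.(string) assertion would panic.
			out[fmt.Sprint(k)] = val
		}
		return out, true
	}
	return nil, false
}

// lookupNestedKey resolves "a/b/c", naming the offending key and its Go type on failure.
func lookupNestedKey(root interface{}, path string) (string, error) {
	current, parts := root, strings.Split(path, "/")
	for i, part := range parts {
		dict, ok := asStringMap(current)
		if !ok {
			return "", fmt.Errorf("key '%s' does not refer to a dictionary (got %T)", strings.Join(parts[:i], "/"), current)
		}
		if current, ok = dict[part]; !ok {
			return "", fmt.Errorf("key '%s' not found", strings.Join(parts[:i+1], "/"))
		}
	}
	if s, ok := current.(string); ok {
		return s, nil
	}
	return "", fmt.Errorf("key '%s' is not a string (got %T)", path, current)
}

func main() { // constructed sample input, not the project's test assets
	var doc interface{}
	_ = json.Unmarshal([]byte(`{"nested":{"test":{"file":"another value"}}}`), &doc)
	fmt.Println(lookupNestedKey(doc, "nested/test/file"))
}
```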

```go
currentData[key.(string)] = value
// The 'if' here is to deal with key type discrepancy between YAML and
// JSON. With YAML, it is 'interface {}'; with JSON, it is 'string'.
if format == Json {
```
Owner:

Looks good. Can you also extend one of our tests to have a nested key?

Author (srid):

@Mic92 What's the best way to do that? I don't really understand the test infrastructure in this repo. Especially what's going on with the Go tests. `nixos-tests.nix` seems more practical; but how do you edit `secrets.json`? Running `nix run . pkgs/sops-install-secrets/test-assets/secrets.json` throws:

```
fingerprint: 26F82B82FDFFA024E08B9C8B67936C83AAC837D4
mv: cannot stat '/root/.gnupg': Permission denied
```

@shivaraj-bh commented:

I am trying to write the test for this. Here's how the `nixos-test.nix` looks:

```nix
nested-json = makeTest {
  name = "sops-nested-json-secrets";
  nodes.server = {
    imports = [ ../../modules/sops ];
    sops = {
      age.keyFile = ./test-assets/age-keys.txt;
      defaultSopsFile = ./test-assets/secrets.json;
      secrets."nested/test/file" = { };
    };
  };

  testScript = ''
    start_all()
    server.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'")
  '';
} {
  inherit pkgs;
  inherit (pkgs) system;
};
```

Expected: `testScript` should fail with `Key 'nested' does not refer to a dictionary`
Actual: Test passes

On the other hand, if I try to run `nix build .#nixosConfigurations.actual.config.system.build.toplevel` on @srid's nixos-config with `sops-nix.url` pointing to `github:Mic92/sops-nix`, I am able to reproduce the same error.

@Mic92 Is there something that's happening under the hood in `nixos-test.nix` that I might be missing?
