From 7a08b8c898bb594f271bbabd3972af2c89d68b11 Mon Sep 17 00:00:00 2001
From: Jess <jess@jessie.cafe>
Date: Sun, 23 Mar 2025 12:32:46 +1300
Subject: [PATCH] rclone: correctly escape whitespace in secrets

---
 modules/programs/rclone.nix                        |  2 +-
 tests/integration/standalone/rclone/default.nix    | 14 ++++++++++++++
 .../standalone/rclone/secrets-with-whitespace.conf |  5 +++++
 .../standalone/rclone/secrets-with-whitespace.nix  | 13 +++++++++++++
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 tests/integration/standalone/rclone/secrets-with-whitespace.conf
 create mode 100644 tests/integration/standalone/rclone/secrets-with-whitespace.nix

diff --git a/modules/programs/rclone.nix b/modules/programs/rclone.nix
index d9b7e83d..55b2bf99 100644
--- a/modules/programs/rclone.nix
+++ b/modules/programs/rclone.nix
@@ -124,7 +124,7 @@ in {
           lib.mapAttrsToList (secret: secretFile: ''
             ${lib.getExe cfg.package} config update \
               ${remote.name} config_refresh_token=false \
-              ${secret} $(cat ${secretFile}) \
+              ${secret} "$(cat ${secretFile})" \
               --quiet > /dev/null
           '') remote.value.secrets or { };
 
diff --git a/tests/integration/standalone/rclone/default.nix b/tests/integration/standalone/rclone/default.nix
index 067be8c2..de4684ef 100644
--- a/tests/integration/standalone/rclone/default.nix
+++ b/tests/integration/standalone/rclone/default.nix
@@ -84,6 +84,20 @@
         ./with-secrets-in-store.conf
       } /home/alice/.config/rclone/rclone.conf")
 
+    with subtest("Secrets with spaces"):
+      succeed_as_alice("install -m644 ${
+        ./secrets-with-whitespace.nix
+      } /home/alice/.config/home-manager/test-remote.nix")
+
+      actual = succeed_as_alice("home-manager switch")
+      expected = "Activating createRcloneConfig"
+      assert expected in actual, \
+        f"expected home-manager switch to contain {expected}, but got {actual}"
+
+      succeed_as_alice("diff -u ${
+        ./secrets-with-whitespace.conf
+      } /home/alice/.config/rclone/rclone.conf")
+
     # TODO: verify correct activation order with the agenix and sops hm modules
 
     logout_alice()
diff --git a/tests/integration/standalone/rclone/secrets-with-whitespace.conf b/tests/integration/standalone/rclone/secrets-with-whitespace.conf
new file mode 100644
index 00000000..8506d12c
--- /dev/null
+++ b/tests/integration/standalone/rclone/secrets-with-whitespace.conf
@@ -0,0 +1,5 @@
+[alices-cool-remote-v3]
+description = alices speeedy remote
+type = memory
+spaces-secret = This is a secret with spaces, it has single spaces,                  and lots of spaces :3
+
diff --git a/tests/integration/standalone/rclone/secrets-with-whitespace.nix b/tests/integration/standalone/rclone/secrets-with-whitespace.nix
new file mode 100644
index 00000000..860778c2
--- /dev/null
+++ b/tests/integration/standalone/rclone/secrets-with-whitespace.nix
@@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  programs.rclone.remotes = {
+    alices-cool-remote-v3 = {
+      config = {
+        type = "memory";
+        description = "alices speeedy remote";
+      };
+      secrets.spaces-secret = "${pkgs.writeText "secret" ''
+        This is a secret with spaces, it has single spaces,                  and lots of spaces :3
+      ''}";
+    };
+  };
+}