remove sops-pgp-hook

2025-12-26 14:14:58 +08:00 · 2024-11-17 18:43:59 +01:00 · 2024-11-17 18:43:59 +01:00 · 3ba597a5e6
commit 3ba597a5e6
parent 9190dee408
11 changed files with 10 additions and 235 deletions
--- a/default.nix
+++ b/default.nix
@ -17,10 +17,6 @@ rec {
  # backwards compatibility
  inherit (pkgs) ssh-to-pgp;

-  # used in the CI only
-  sops-pgp-hook-test = pkgs.callPackage ./pkgs/sops-pgp-hook-test.nix {
-    inherit vendorHash;
-  };
  unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
 }
 // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
--- a/pkgs/sops-pgp-hook-test.nix
+++ b/pkgs/sops-pgp-hook-test.nix
@ -1,11 +0,0 @@
-{ buildGoModule, vendorHash }:
-
-buildGoModule {
-  name = "sops-pgp-hook-test";
-  src = ../.;
-  inherit vendorHash;
-  buildPhase = ''
-    go test -c ./pkgs/sops-pgp-hook
-    install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test
-  '';
-}
--- a/pkgs/sops-pgp-hook/default.nix
+++ b/pkgs/sops-pgp-hook/default.nix
@ -1,25 +0,0 @@
-{
-  makeSetupHook,
-  gnupg,
-  sops,
-  lib,
-}:
-
-let
-  # FIXME: drop after 23.05
-  propagatedBuildInputs =
-    if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.05") then
-      "deps"
-    else
-      "propagatedBuildInputs";
-in
-(makeSetupHook {
-  name = "sops-pgp-hook";
-  substitutions = {
-    gpg = "${gnupg}/bin/gpg";
-  };
-  ${propagatedBuildInputs} = [
-    sops
-    gnupg
-  ];
-} ./sops-pgp-hook.bash)
--- a/pkgs/sops-pgp-hook/hook_test.go
+++ b/pkgs/sops-pgp-hook/hook_test.go
@ -1,70 +0,0 @@
-package main
-
-import (
-	"bytes"
-	"fmt"
-	"os"
-	"os/exec"
-	"path"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-// ok fails the test if an err is not nil.
-func ok(tb testing.TB, err error) {
-	tb.Helper()
-
-	if err != nil {
-		fmt.Printf("\033[31munexpected error: %s\033[39m\n\n", err.Error())
-		tb.FailNow()
-	}
-}
-
-func TestShellHook(t *testing.T) {
-	t.Parallel()
-
-	assets := os.Getenv("TEST_ASSETS")
-	if assets == "" {
-		_, filename, _, _ := runtime.Caller(0)
-		assets = path.Join(path.Dir(filename), "test-assets")
-	}
-	tempdir, err := os.MkdirTemp("", "testdir")
-	ok(t, err)
-	defer os.RemoveAll(tempdir)
-
-	cmd := exec.Command("nix-shell", "shell.nix", "--run", "echo SOPS_PGP_FP=$SOPS_PGP_FP")
-	cmd.Env = append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", tempdir))
-	var stdoutBuf, stderrBuf bytes.Buffer
-	cmd.Stdout = &stdoutBuf
-	cmd.Stderr = &stderrBuf
-	cmd.Dir = assets
-	err = cmd.Run()
-	stdout := stdoutBuf.String()
-	stderr := stderrBuf.String()
-	fmt.Printf("$ %s\nstdout: \n%s\nstderr: \n%s\n", strings.Join(cmd.Args, " "), stdout, stderr)
-	ok(t, err)
-
-	expectedKeys := []string{
-		"C6DA56E69A7C756564A8AFEB4A6B05B714D13EFD",
-		"4EC40F8E04A945339F7F7C0032C5225271038E3F",
-		"7FB89715AADA920D65D25E63F9BA9DEBD03F57C0",
-		"E3B7464FBE89F5378ED4BC60FC925B42FC8B773D",
-	}
-	for _, key := range expectedKeys {
-		if !strings.Contains(stdout, key) {
-			t.Fatalf("'%v' not in '%v'", key, stdout)
-		}
-	}
-
-	// it should ignore subkeys from ./keys/key-with-subkeys.asc
-	subkey := "94F174F588090494E73D0835A79B1680BC4D9A54"
-	if strings.Contains(stdout, subkey) {
-		t.Fatalf("subkey found in %s", stdout)
-	}
-
-	expectedStderr := "./non-existing-key.gpg does not exists"
-	if !strings.Contains(stderr, expectedStderr) {
-		t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
-	}
-}
--- a/pkgs/sops-pgp-hook/sops-pgp-hook.bash
+++ b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
@ -1,32 +0,0 @@
-_sopsAddKey() {
-  @gpg@ --quiet --import "$key"
-  local fpr
-  # only add the first fingerprint, this way we ignore subkeys
-  fpr=$(@gpg@ --with-fingerprint --with-colons --show-key "$key" \
-         | awk -F: '$1 == "fpr" { print $10; exit }')
-  if [[ $fpr != "" ]]; then
-      export SOPS_PGP_FP=''${SOPS_PGP_FP-}''${SOPS_PGP_FP:+','}$fpr
-  fi
-}
-
-sopsPGPHook() {
-  local key dir
-  for key in ${sopsPGPKeys-}; do
-    if [[ -f "$key" ]]; then
-        _sopsAddKey "$key"
-    else
-        echo "$key does not exists" >&2
-    fi
-  done
-  for dir in ${sopsPGPKeyDirs-}; do
-    while IFS= read -r -d '' key; do
-      _sopsAddKey "$key"
-    done < <(find -L "$dir" -type f \( -name '*.gpg' -o -name '*.asc' \) -print0)
-  done
-}
-
-if [ -z "${shellHook-}" ]; then
-  shellHook=sopsPGPHook
-else
-  shellHook="sopsPGPHook;${shellHook}"
-fi
--- a/pkgs/sops-pgp-hook/test-assets/existing-key.gpg
+++ b/pkgs/sops-pgp-hook/test-assets/existing-key.gpg
--- a/pkgs/sops-pgp-hook/test-assets/keys/key-with-subkeys.asc
+++ b/pkgs/sops-pgp-hook/test-assets/keys/key-with-subkeys.asc
@ -1,61 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBF8YRjUBCACfdPLn/dUxr3SHZR2p6+aFgnu0jFA1KESBAgqA5TzDNIjaecff
-MV2nP7Z+vmcyRq2oJb7zAd2UfavjH0jPzRJi+TP6NvJepfMj8SaflKEh8kZN6Gv0
-Zl0Fr6WtTPuenATuesAYvFDW+b2ZYRIs/XzEI+HP96XaW4MCWgTPwMPP8gMPZO3c
-Cv+A5T9p1RHZjezfHktA0z+3F07IDquIT9K5d5Iapy0illnV7TziCdN6EbPUQZis
-FqAP1kxgWUzJvYLswIncGb9WAw8T49GMVUtP8hoBiw3g0mNfnvzJUTBjYQr/e5X2
-+ZnGM4qqdrMTdTHFdQtzKHlsh3S1EI9Z5qB9ABEBAAG0H0pvaG4gRG9lIDxqb2hu
-LmRvZUB0aGFsaGVpbS5pbz6JAU4EEwEIADgWIQTjt0ZPvon1N47UvGD8kltC/It3
-PQUCXxhGNQIbAQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRD8kltC/It3PTqF
-B/9fbQmuDb0mg+rt8ALndJUXkiUK3osGTcmPhBXWPZpViCRsP4nOmBsM0yv5aA2y
-Gsei+dHfLXK48UDkUFo/bt2ACEywCE+7QFBrhCnQFKS5sbPpE6EcqKF3eWzfR0I/
-PnzXQNA/igryuvaPxvQN9lIdY/Gzfi/erhv+f4/PgR53TzIhXYw2f2rwD4dCoiH3
-QkmKez3tasTc8zq7nwhlZ0d1pnbFn0qlCJCntrQT6caCkcWh9IiutrK0ozxfoa9H
-Yqt/FdTWuRgEG1vj+/0RG2pggqE9D2LSkX6+gW0vai2OzTCn1a8VlrX2uYmDnXVF
-b/bQBlAFW6wyGC6HhH+xckmHuQENBF8YRk0BCADCB2ov5gXA6X388bBeJ7YwWTMr
-YuSAe2PZzZ3GipuQ4PRIpFvSLXHx4G4NT60J0G48cFL8M6dZCyJbCe+dZPyCEYLl
-3V+5txpN0dYcbUTiG07uEAyDbuhkuda9goSJlfvJF8vUxGPNNHbYWPOO3hLsGQse
-aQVGHSqu8WlRCWSDtNEyc11cOlty/zhEv3M5ZtBrJTahfy0u5RrCzk/x9SRea+MV
-0xhYd1cKfi5ud/mNpQnnrbLuD+Gy9YgcqJUyxi6zvdfoCDYR4Sv7Rf0fxafxDkNZ
-GQlqmPkaEuw21eedczmwUqMC57ZJz3avgDxKcLZG8uFC+6DY4thTSERPRb85ABEB
-AAGJAmwEGAEIACAWIQTjt0ZPvon1N47UvGD8kltC/It3PQUCXxhGTQIbAgFACRD8
-kltC/It3PcB0IAQZAQgAHRYhBJTxdPWICQSU5z0INaebFoC8TZpUBQJfGEZNAAoJ
-EKebFoC8TZpUWpQH/3de056tFqVIvsFjkYUW3oGylexVQEXeQljoqYx7NWsSxNX6
-NMEwYYJdNWgwXhL4CD8Tn0/3sVx/mMUDtbgQnQ8rKMB3lXZ3U6yzGghh5RdSmhAk
-EQGhiYkZhIONce46i7rk+AE+hGi57p1IqsZ0UketOKoWN7rVYXbVLPf78cphD7G+
-Q7v7KWJYx8i3VkXDHJXP3wRlhbkbqVJAyUTmi63c7femOB+mDPJMBHBFmw6Opxt4
-AZR+qYczOLAyJCGA2MBx2U/26mVztkMYl5rJ80VKgUe/CEb8kD/uaOBYXeokGfqh
-i6TV9fQxYokkmSU/4SIa+F+VcTu0xfRC46+EosL2Pwf+NpMRgpWihbF9EEh6RqX4
-NUxN4IVV/6frG19AJD8XNq0E8+bXvKVhHEy/Ea68ILKaJb/SIpcFY0aIJ3tHC0b2
-mh97nm5FdyRXRUNXoQ/u2wsOcD+HGK3P/jdrJDkNETuLTNr4Uff5Nn1Y6XydKviK
-i7UwexDtX+wmyr1JxRdu7AJhdSi3rWY2lQxMMem7+9xyyqZ8uY2SixroMjcV/DL/
-7AjvfucWL6e/pESpvTp29sAKM5PUtMWqjm/vgapiFVLhXIEYWqe6OowXQ+smlkah
-zQ00HJxLILNy3Mu2Vic543OVbLNRoWlJYQ1/zAqMxU5GLmdZA1hwncQT/3UCZ5zI
-L7kBDQRfGEZvAQgAoPiXUlpQFLISXSHobzPtUwx1O3x+hN7XH57+VV0Hktz94+gb
-NMj+3UBd67NZeseqUG6PMQ1ztEAuht7UX/LjLlmcBwmTD7iFeT8Y+hlo1+7AeKE6
-a3RGycTMOm5HFra1n3KcQqkmh6RMlTPxcpvb5wXHJXIiWvoW/k7C3nbFbJlzVZtK
-dW2x4tcU/INsk2qgpir4Ou2nCwAXOOb91E/SDR+isPj4lYOp69AZa266YvShX1/X
-UObG5UXSsPGs7CbZC9i+DcgJFhGjicrjgoEbAhPBmAdUwWaFiMls2WXmIkq9utv+
-uxQmQixEXL+/OQgXPJGzCmGaq4h/2JC9nCf5swARAQABiQE2BBgBCAAgFiEE47dG
-T76J9TeO1Lxg/JJbQvyLdz0FAl8YRm8CGwwACgkQ/JJbQvyLdz01cAf9EsfZye6j
-p7GuxInoZaJBblWW3tbJjOOH3GdeOhcY8ygImsRDcYFRIsp9QLp91eCRxGsT/EMz
-q0vgQk4zsZOyTXMcK4TUMgUtsRY6zmiHSRez7sw0CA919KY/PAbMfB5F0qkuR5FL
-auoAeYOUY1oYpiE7AG5rdtNNI1PC+EUeiivs+raczH3kLJr71fwjFD6Jnh9FDgPZ
-QsYaWIe6t0quho6cNaL8DYfXtdJZh2vKgWX8h/qu5dUB/aHx18rWTvcQ7zmQ/ADn
-oweTR94hbSL9O9mm3LoWogr/vtUGWvs8LlIYjFDUXj4TRx2svclcBdKI0qrjrCDx
-Ed+ons5QiTE1LLkBDQRfGEaGAQgArDpYiwBV9Xml93knxoGVFi+rj0YL35gdVraT
-ZqbeN+s0t9QPshzVpZz0jyqZSxFE/ojUmO7WMrH/Jb8nLVGvm/fq/jLEMfnbpJnb
-Cu6ym7ed1QP7Y2JDMYJorlcS8BQCOSGSe2QRRD6h0nvgygrg70XKnkIhH6YfGCLt
-pC96WWdbEr78d/dMloPRIW1Tsp58bXVkTfIseXpdCB5zVGj58GBtelWibvIms+/T
-SRzw7QU9uiPjcrl5iZ8UMcRlE4mdMEBhlZ+eZaKgRdDNNDpcsd38xtktA52hs3uY
-AgFKUGQ+PxY9cG9haVyCwwYwCVKo24/hTreTL1DydFLmAxaonQARAQABiQE2BBgB
-CAAgFiEE47dGT76J9TeO1Lxg/JJbQvyLdz0FAl8YRoYCGyAACgkQ/JJbQvyLdz1d
-gggAj+Gcxy6irGlkX9mxoq+sZv9WzRjXRT8xkB8H10tzqqOLQ0uzXeob07vDi3MC
-6dBahE8sJq4ByOruy4hNhKUa/vtBm/G4ijTDNFzS/fmafDxZ+FObUDz6gLHGVbf0
-/NpwOmfcc/UeDCgI5t3TRcbQ9PugwCfw7A7eCYS34NspS549WJfzdNj8FcNBzsbi
-yx1/wnXb7Eq5+kvZaPR1vodAW7YptYrUQCbCbioFGwq+zd1SHPXMS2h2D0ncMNbP
-+C/y/AXliH+P08WRJ6kazSkSHv93UNM2nOt6x04vlk652WejLDc0t3wWNQEp0Q4U
-W1YR5NNzw2GqjhH3nhj/SnUwXg==
-=jshU
-----END PGP PUBLIC KEY BLOCK-----
--- a/pkgs/sops-pgp-hook/test-assets/keys/key.asc
+++ b/pkgs/sops-pgp-hook/test-assets/keys/key.asc
@ -1 +0,0 @@
-../../../sops-install-secrets/test-assets/key.asc
--- a/pkgs/sops-pgp-hook/test-assets/keys/key.gpg
+++ b/pkgs/sops-pgp-hook/test-assets/keys/key.gpg
--- a/pkgs/sops-pgp-hook/test-assets/shell.nix
+++ b/pkgs/sops-pgp-hook/test-assets/shell.nix
@ -1,14 +0,0 @@
-# shell.nix
-with import <nixpkgs> { };
-mkShell {
-  sopsPGPKeyDirs = [
-    "./keys"
-  ];
-  sopsPGPKeys = [
-    "./existing-key.gpg"
-    "./non-existing-key.gpg"
-  ];
-  nativeBuildInputs = [
-    (pkgs.callPackage ../../.. { }).sops-pgp-hook
-  ];
-}
--- a/pkgs/unit-tests.nix
+++ b/pkgs/unit-tests.nix
@ -5,17 +5,14 @@ let
  sopsPkgs = import ../. { inherit pkgs; };
 in
 pkgs.stdenv.mkDerivation {
-  name = "env";
-  nativeBuildInputs =
-    with pkgs;
-    [
-      bashInteractive
-      gnupg
-      util-linux
-      nix
-      sopsPkgs.sops-pgp-hook-test
-    ]
-    ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
+  name = "unit-tests";
+  nativeBuildInputs = with pkgs; [
+    bashInteractive
+    gnupg
+    util-linux
+    nix
+    sopsPkgs.sops-install-secrets.unittest
+  ];
  # allow to prefetch shell dependencies in build phase
  dontUnpack = true;
  installPhase = ''
@ -23,11 +20,7 @@ pkgs.stdenv.mkDerivation {
  '';
  shellHook = ''
    set -x
-    NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
-      sops-pgp-hook.test
-    ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
-      sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
-        unshare --mount --fork sops-install-secrets.test
-    ''}
+    sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
+      unshare --mount --fork sops-install-secrets.test
  '';
 }
				`@ -1 +0,0 @@`
				`../../../sops-install-secrets/test-assets/key.asc`