diff --git a/default.nix b/default.nix
index 63abb9b..3546d4f 100644
--- a/default.nix
+++ b/default.nix
@@ -17,10 +17,6 @@ rec {
 # backwards compatibility
 inherit (pkgs) ssh-to-pgp;
- # used in the CI only
- sops-pgp-hook-test = pkgs.callPackage ./pkgs/sops-pgp-hook-test.nix {
- inherit vendorHash;
- };
 unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix { };
 } // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
diff --git a/pkgs/sops-pgp-hook-test.nix b/pkgs/sops-pgp-hook-test.nix
deleted file mode 100644
index 7f9f7df..0000000
--- a/pkgs/sops-pgp-hook-test.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ buildGoModule, vendorHash }:
-
-buildGoModule {
- name = "sops-pgp-hook-test";
- src = ../.;
- inherit vendorHash;
- buildPhase = ''
- go test -c ./pkgs/sops-pgp-hook
- install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test
- '';
-}
diff --git a/pkgs/sops-pgp-hook/default.nix b/pkgs/sops-pgp-hook/default.nix
deleted file mode 100644
index 300b3c4..0000000
--- a/pkgs/sops-pgp-hook/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- makeSetupHook,
- gnupg,
- sops,
- lib,
-}:
-
-let
- # FIXME: drop after 23.05
- propagatedBuildInputs =
- if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.05") then
- "deps"
- else
- "propagatedBuildInputs";
-in
-(makeSetupHook {
- name = "sops-pgp-hook";
- substitutions = {
- gpg = "${gnupg}/bin/gpg";
- };
- ${propagatedBuildInputs} = [
- sops
- gnupg
- ];
-} ./sops-pgp-hook.bash)
diff --git a/pkgs/sops-pgp-hook/hook_test.go b/pkgs/sops-pgp-hook/hook_test.go
deleted file mode 100644
index 452611e..0000000
--- a/pkgs/sops-pgp-hook/hook_test.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package main
-
-import (
- "bytes"
- "fmt"
- "os"
- "os/exec"
- "path"
- "runtime"
- "strings"
- "testing"
-)
-
-// ok fails the test if an err is not nil.
-func ok(tb testing.TB, err error) {
- tb.Helper()
-
- if err != nil {
- fmt.Printf("\033[31munexpected error: %s\033[39m\n\n", err.Error())
- tb.FailNow()
- }
-}
-
-func TestShellHook(t *testing.T) {
- t.Parallel()
-
- assets := os.Getenv("TEST_ASSETS")
- if assets == "" {
- _, filename, _, _ := runtime.Caller(0)
- assets = path.Join(path.Dir(filename), "test-assets")
- }
- tempdir, err := os.MkdirTemp("", "testdir")
- ok(t, err)
- defer os.RemoveAll(tempdir)
-
- cmd := exec.Command("nix-shell", "shell.nix", "--run", "echo SOPS_PGP_FP=$SOPS_PGP_FP")
- cmd.Env = append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", tempdir))
- var stdoutBuf, stderrBuf bytes.Buffer
- cmd.Stdout = &stdoutBuf
- cmd.Stderr = &stderrBuf
- cmd.Dir = assets
- err = cmd.Run()
- stdout := stdoutBuf.String()
- stderr := stderrBuf.String()
- fmt.Printf("$ %s\nstdout: \n%s\nstderr: \n%s\n", strings.Join(cmd.Args, " "), stdout, stderr)
- ok(t, err)
-
- expectedKeys := []string{
- "C6DA56E69A7C756564A8AFEB4A6B05B714D13EFD",
- "4EC40F8E04A945339F7F7C0032C5225271038E3F",
- "7FB89715AADA920D65D25E63F9BA9DEBD03F57C0",
- "E3B7464FBE89F5378ED4BC60FC925B42FC8B773D",
- }
- for _, key := range expectedKeys {
- if !strings.Contains(stdout, key) {
- t.Fatalf("'%v' not in '%v'", key, stdout)
- }
- }
-
- // it should ignore subkeys from ./keys/key-with-subkeys.asc
- subkey := "94F174F588090494E73D0835A79B1680BC4D9A54"
- if strings.Contains(stdout, subkey) {
- t.Fatalf("subkey found in %s", stdout)
- }
-
- expectedStderr := "./non-existing-key.gpg does not exists"
- if !strings.Contains(stderr, expectedStderr) {
- t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
- }
-}
diff --git a/pkgs/sops-pgp-hook/sops-pgp-hook.bash b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
deleted file mode 100644
index e0ced80..0000000
--- a/pkgs/sops-pgp-hook/sops-pgp-hook.bash
+++ /dev/null
@@ -1,32 +0,0 @@
-_sopsAddKey() {
- @gpg@ --quiet --import "$key"
- local fpr
- # only add the first fingerprint, this way we ignore subkeys
- fpr=$(@gpg@ --with-fingerprint --with-colons --show-key "$key" \
- | awk -F: '$1 == "fpr" { print $10; exit }')
- if [[ $fpr != "" ]]; then
- export SOPS_PGP_FP=''${SOPS_PGP_FP-}''${SOPS_PGP_FP:+','}$fpr
- fi
-}
-
-sopsPGPHook() {
- local key dir
- for key in ${sopsPGPKeys-}; do
- if [[ -f "$key" ]]; then
- _sopsAddKey "$key"
- else
- echo "$key does not exists" >&2
- fi
- done
- for dir in ${sopsPGPKeyDirs-}; do
- while IFS= read -r -d '' key; do
- _sopsAddKey "$key"
- done < <(find -L "$dir" -type f \( -name '*.gpg' -o -name '*.asc' \) -print0)
- done
-}
-
-if [ -z "${shellHook-}" ]; then
- shellHook=sopsPGPHook
-else
- shellHook="sopsPGPHook;${shellHook}"
-fi
diff --git a/pkgs/sops-pgp-hook/test-assets/existing-key.gpg b/pkgs/sops-pgp-hook/test-assets/existing-key.gpg
deleted file mode 100644
index eba3738..0000000
Binary files a/pkgs/sops-pgp-hook/test-assets/existing-key.gpg and /dev/null differ
diff --git a/pkgs/sops-pgp-hook/test-assets/keys/key-with-subkeys.asc b/pkgs/sops-pgp-hook/test-assets/keys/key-with-subkeys.asc
deleted file mode 100644
index 71f5405..0000000
--- a/pkgs/sops-pgp-hook/test-assets/keys/key-with-subkeys.asc
+++ /dev/null
@@ -1,61 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQENBF8YRjUBCACfdPLn/dUxr3SHZR2p6+aFgnu0jFA1KESBAgqA5TzDNIjaecff -MV2nP7Z+vmcyRq2oJb7zAd2UfavjH0jPzRJi+TP6NvJepfMj8SaflKEh8kZN6Gv0 -Zl0Fr6WtTPuenATuesAYvFDW+b2ZYRIs/XzEI+HP96XaW4MCWgTPwMPP8gMPZO3c -Cv+A5T9p1RHZjezfHktA0z+3F07IDquIT9K5d5Iapy0illnV7TziCdN6EbPUQZis -FqAP1kxgWUzJvYLswIncGb9WAw8T49GMVUtP8hoBiw3g0mNfnvzJUTBjYQr/e5X2 -+ZnGM4qqdrMTdTHFdQtzKHlsh3S1EI9Z5qB9ABEBAAG0H0pvaG4gRG9lIDxqb2hu -LmRvZUB0aGFsaGVpbS5pbz6JAU4EEwEIADgWIQTjt0ZPvon1N47UvGD8kltC/It3 -PQUCXxhGNQIbAQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRD8kltC/It3PTqF -B/9fbQmuDb0mg+rt8ALndJUXkiUK3osGTcmPhBXWPZpViCRsP4nOmBsM0yv5aA2y -Gsei+dHfLXK48UDkUFo/bt2ACEywCE+7QFBrhCnQFKS5sbPpE6EcqKF3eWzfR0I/ -PnzXQNA/igryuvaPxvQN9lIdY/Gzfi/erhv+f4/PgR53TzIhXYw2f2rwD4dCoiH3 -QkmKez3tasTc8zq7nwhlZ0d1pnbFn0qlCJCntrQT6caCkcWh9IiutrK0ozxfoa9H -Yqt/FdTWuRgEG1vj+/0RG2pggqE9D2LSkX6+gW0vai2OzTCn1a8VlrX2uYmDnXVF -b/bQBlAFW6wyGC6HhH+xckmHuQENBF8YRk0BCADCB2ov5gXA6X388bBeJ7YwWTMr -YuSAe2PZzZ3GipuQ4PRIpFvSLXHx4G4NT60J0G48cFL8M6dZCyJbCe+dZPyCEYLl -3V+5txpN0dYcbUTiG07uEAyDbuhkuda9goSJlfvJF8vUxGPNNHbYWPOO3hLsGQse -aQVGHSqu8WlRCWSDtNEyc11cOlty/zhEv3M5ZtBrJTahfy0u5RrCzk/x9SRea+MV -0xhYd1cKfi5ud/mNpQnnrbLuD+Gy9YgcqJUyxi6zvdfoCDYR4Sv7Rf0fxafxDkNZ -GQlqmPkaEuw21eedczmwUqMC57ZJz3avgDxKcLZG8uFC+6DY4thTSERPRb85ABEB -AAGJAmwEGAEIACAWIQTjt0ZPvon1N47UvGD8kltC/It3PQUCXxhGTQIbAgFACRD8 -kltC/It3PcB0IAQZAQgAHRYhBJTxdPWICQSU5z0INaebFoC8TZpUBQJfGEZNAAoJ -EKebFoC8TZpUWpQH/3de056tFqVIvsFjkYUW3oGylexVQEXeQljoqYx7NWsSxNX6 -NMEwYYJdNWgwXhL4CD8Tn0/3sVx/mMUDtbgQnQ8rKMB3lXZ3U6yzGghh5RdSmhAk -EQGhiYkZhIONce46i7rk+AE+hGi57p1IqsZ0UketOKoWN7rVYXbVLPf78cphD7G+ -Q7v7KWJYx8i3VkXDHJXP3wRlhbkbqVJAyUTmi63c7femOB+mDPJMBHBFmw6Opxt4 -AZR+qYczOLAyJCGA2MBx2U/26mVztkMYl5rJ80VKgUe/CEb8kD/uaOBYXeokGfqh -i6TV9fQxYokkmSU/4SIa+F+VcTu0xfRC46+EosL2Pwf+NpMRgpWihbF9EEh6RqX4 -NUxN4IVV/6frG19AJD8XNq0E8+bXvKVhHEy/Ea68ILKaJb/SIpcFY0aIJ3tHC0b2 -mh97nm5FdyRXRUNXoQ/u2wsOcD+HGK3P/jdrJDkNETuLTNr4Uff5Nn1Y6XydKviK 
-i7UwexDtX+wmyr1JxRdu7AJhdSi3rWY2lQxMMem7+9xyyqZ8uY2SixroMjcV/DL/ -7AjvfucWL6e/pESpvTp29sAKM5PUtMWqjm/vgapiFVLhXIEYWqe6OowXQ+smlkah -zQ00HJxLILNy3Mu2Vic543OVbLNRoWlJYQ1/zAqMxU5GLmdZA1hwncQT/3UCZ5zI -L7kBDQRfGEZvAQgAoPiXUlpQFLISXSHobzPtUwx1O3x+hN7XH57+VV0Hktz94+gb -NMj+3UBd67NZeseqUG6PMQ1ztEAuht7UX/LjLlmcBwmTD7iFeT8Y+hlo1+7AeKE6 -a3RGycTMOm5HFra1n3KcQqkmh6RMlTPxcpvb5wXHJXIiWvoW/k7C3nbFbJlzVZtK -dW2x4tcU/INsk2qgpir4Ou2nCwAXOOb91E/SDR+isPj4lYOp69AZa266YvShX1/X -UObG5UXSsPGs7CbZC9i+DcgJFhGjicrjgoEbAhPBmAdUwWaFiMls2WXmIkq9utv+ -uxQmQixEXL+/OQgXPJGzCmGaq4h/2JC9nCf5swARAQABiQE2BBgBCAAgFiEE47dG -T76J9TeO1Lxg/JJbQvyLdz0FAl8YRm8CGwwACgkQ/JJbQvyLdz01cAf9EsfZye6j -p7GuxInoZaJBblWW3tbJjOOH3GdeOhcY8ygImsRDcYFRIsp9QLp91eCRxGsT/EMz -q0vgQk4zsZOyTXMcK4TUMgUtsRY6zmiHSRez7sw0CA919KY/PAbMfB5F0qkuR5FL -auoAeYOUY1oYpiE7AG5rdtNNI1PC+EUeiivs+raczH3kLJr71fwjFD6Jnh9FDgPZ -QsYaWIe6t0quho6cNaL8DYfXtdJZh2vKgWX8h/qu5dUB/aHx18rWTvcQ7zmQ/ADn -oweTR94hbSL9O9mm3LoWogr/vtUGWvs8LlIYjFDUXj4TRx2svclcBdKI0qrjrCDx -Ed+ons5QiTE1LLkBDQRfGEaGAQgArDpYiwBV9Xml93knxoGVFi+rj0YL35gdVraT -ZqbeN+s0t9QPshzVpZz0jyqZSxFE/ojUmO7WMrH/Jb8nLVGvm/fq/jLEMfnbpJnb -Cu6ym7ed1QP7Y2JDMYJorlcS8BQCOSGSe2QRRD6h0nvgygrg70XKnkIhH6YfGCLt -pC96WWdbEr78d/dMloPRIW1Tsp58bXVkTfIseXpdCB5zVGj58GBtelWibvIms+/T -SRzw7QU9uiPjcrl5iZ8UMcRlE4mdMEBhlZ+eZaKgRdDNNDpcsd38xtktA52hs3uY -AgFKUGQ+PxY9cG9haVyCwwYwCVKo24/hTreTL1DydFLmAxaonQARAQABiQE2BBgB -CAAgFiEE47dGT76J9TeO1Lxg/JJbQvyLdz0FAl8YRoYCGyAACgkQ/JJbQvyLdz1d -gggAj+Gcxy6irGlkX9mxoq+sZv9WzRjXRT8xkB8H10tzqqOLQ0uzXeob07vDi3MC -6dBahE8sJq4ByOruy4hNhKUa/vtBm/G4ijTDNFzS/fmafDxZ+FObUDz6gLHGVbf0 -/NpwOmfcc/UeDCgI5t3TRcbQ9PugwCfw7A7eCYS34NspS549WJfzdNj8FcNBzsbi -yx1/wnXb7Eq5+kvZaPR1vodAW7YptYrUQCbCbioFGwq+zd1SHPXMS2h2D0ncMNbP -+C/y/AXliH+P08WRJ6kazSkSHv93UNM2nOt6x04vlk652WejLDc0t3wWNQEp0Q4U -W1YR5NNzw2GqjhH3nhj/SnUwXg== -=jshU ------END PGP PUBLIC KEY BLOCK----- 
diff --git a/pkgs/sops-pgp-hook/test-assets/keys/key.asc b/pkgs/sops-pgp-hook/test-assets/keys/key.asc
deleted file mode 120000
index 34bc240..0000000
--- a/pkgs/sops-pgp-hook/test-assets/keys/key.asc
+++ /dev/null
@@ -1 +0,0 @@
-../../../sops-install-secrets/test-assets/key.asc
\ No newline at end of file
diff --git a/pkgs/sops-pgp-hook/test-assets/keys/key.gpg b/pkgs/sops-pgp-hook/test-assets/keys/key.gpg
deleted file mode 100644
index c168d74..0000000
Binary files a/pkgs/sops-pgp-hook/test-assets/keys/key.gpg and /dev/null differ
diff --git a/pkgs/sops-pgp-hook/test-assets/shell.nix b/pkgs/sops-pgp-hook/test-assets/shell.nix
deleted file mode 100644
index 71173fd..0000000
--- a/pkgs/sops-pgp-hook/test-assets/shell.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-# shell.nix
-with import { };
-mkShell {
- sopsPGPKeyDirs = [
- "./keys"
- ];
- sopsPGPKeys = [
- "./existing-key.gpg"
- "./non-existing-key.gpg"
- ];
- nativeBuildInputs = [
- (pkgs.callPackage ../../.. { }).sops-pgp-hook
- ];
-}
diff --git a/pkgs/unit-tests.nix b/pkgs/unit-tests.nix
index f3d3678..9fc14fc 100644
--- a/pkgs/unit-tests.nix
+++ b/pkgs/unit-tests.nix
@@ -5,17 +5,14 @@ let
 sopsPkgs = import ../. { inherit pkgs; };
 in
 pkgs.stdenv.mkDerivation {
- name = "env";
- nativeBuildInputs =
- with pkgs;
- [
- bashInteractive
- gnupg
- util-linux
- nix
- sopsPkgs.sops-pgp-hook-test
- ]
- ++ pkgs.lib.optional (pkgs.stdenv.isLinux) sopsPkgs.sops-install-secrets.unittest;
+ name = "unit-tests";
+ nativeBuildInputs = with pkgs; [
+ bashInteractive
+ gnupg
+ util-linux
+ nix
+ sopsPkgs.sops-install-secrets.unittest
+ ];
 # allow to prefetch shell dependencies in build phase
 dontUnpack = true;
 installPhase = ''
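Review bot: The `pkgs.lib.optional (pkgs.stdenv.isLinux)` guard around `sopsPkgs.sops-install-secrets.unittest` is removed from `nativeBuildInputs` here, and the next hunk likewise removes the `optionalString (pkgs.stdenv.isLinux)` around the `sudo … unshare --mount --fork sops-install-secrets.test` call, so unit-tests.nix now assumes Linux unconditionally while `unit-tests` itself stays in the unconditional part of default.nix, before the `optionalAttrs pkgs.stdenv.isLinux` block. If `sops-install-secrets` is defined inside that Linux-only block, as the dropped guard suggests, evaluating `unit-tests` on darwin now fails with a missing-attribute error instead of skipping the test, and `unshare` would not exist there anyway. Either restore the guard, `++ pkgs.lib.optional pkgs.stdenv.isLinux sopsPkgs.sops-install-secrets.unittest`, or make the new assumption explicit, e.g. `assert pkgs.stdenv.isLinux;` before `pkgs.stdenv.mkDerivation {`, or move `unit-tests` into the Linux-only attribute set in default.nix. A short comment such as `# Linux only: the install-secrets test needs sudo and unshare` on the derivation would also document why the platform guard went away.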
@@ -23,11 +20,7 @@ pkgs.stdenv.mkDerivation {
 '';
 shellHook = ''
 set -x
- NIX_PATH=nixpkgs=${toString pkgs.path} TEST_ASSETS=$(realpath ./pkgs/sops-pgp-hook/test-assets) \
- sops-pgp-hook.test
- ${pkgs.lib.optionalString (pkgs.stdenv.isLinux) ''
- sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
- unshare --mount --fork sops-install-secrets.test
- ''}
+ sudo TEST_ASSETS=$(realpath ./pkgs/sops-install-secrets/test-assets) \
+ unshare --mount --fork sops-install-secrets.test
 '';
 }