From fe7f6360e806efd470cd6d9a9d930a1c37c36572 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 14 Jul 2020 11:20:35 +0100
Subject: [PATCH] add integration test for sops-pgp-hook
---
 .github/workflows/test.yml | 6 +-
 default.nix | 1 +
 pkgs/sops-pgp-hook/default.nix | 6 +-
 pkgs/sops-pgp-hook/hook_test.go | 54 ++++++++++++++++++
 pkgs/sops-pgp-hook/sops-pgp-hook.bash | 12 +++-
 .../test-assets/existing-key.gpg | Bin 0 -> 1815 bytes
 pkgs/sops-pgp-hook/test-assets/keys/key.asc | 1 +
 pkgs/sops-pgp-hook/test-assets/keys/key.gpg | Bin 0 -> 1815 bytes
 pkgs/sops-pgp-hook/test-assets/shell.nix | 14 +++++
 shell.nix | 1 +
 10 files changed, 87 insertions(+), 8 deletions(-)
 create mode 100644 pkgs/sops-pgp-hook/hook_test.go
 create mode 100644 pkgs/sops-pgp-hook/test-assets/existing-key.gpg
 create mode 120000 pkgs/sops-pgp-hook/test-assets/keys/key.asc
 create mode 100644 pkgs/sops-pgp-hook/test-assets/keys/key.gpg
 create mode 100644 pkgs/sops-pgp-hook/test-assets/shell.nix
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fe0aa40..e007430 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -28,5 +28,7 @@ jobs:
 run: nix run nixpkgs.nix-build-uncached -c nix-build-uncached default.nix
 - name: Add keys group (needed for go tests)
 run: sudo groupadd keys
- - name: Run go tests
- run: nix-shell --run "sudo unshare --mount --fork go test ./pkgs/sops-install-secrets"
+ - name: Run sops-install-secrets tests
+ run: nix-shell --pure --run "$(command -v sudo) unshare --mount --fork go test ./pkgs/sops-install-secrets"
+ - name: Run sops-pgp-hook tests
+ run: nix-shell --pure --run "NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs) go test ./pkgs/sops-pgp-hook"
diff --git a/default.nix b/default.nix
index 2b67a87..9b97904 100644
--- a/default.nix
+++ b/default.nix
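Review bot: The reason for `$(command -v sudo)` and the `NIX_PATH=nixpkgs=$(nix-instantiate --find-file nixpkgs)` prefix in the two new `run:` lines is not stated anywhere, and both only make sense once you know that `--pure` discards the host `PATH` and `NIX_PATH`, so the outer runner shell has to resolve them before `nix-shell` starts. A one-line comment above the first new step would save the next reader the detour, e.g. `# --pure drops the host PATH/NIX_PATH, so resolve sudo and nixpkgs in the outer shell first`. Note also that the sops-install-secrets step still runs `go test` as root via sudo, which the comment could acknowledge as deliberate.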
@@ -6,6 +6,7 @@ in rec {
 inherit vendorSha256;
 };
 sops-pgp-hook = pkgs.callPackage ./pkgs/sops-pgp-hook {};
+ ssh-to-pgp = pkgs.callPackage ./pkgs/ssh-to-pgp {
 inherit vendorSha256;
 };
diff --git a/pkgs/sops-pgp-hook/default.nix b/pkgs/sops-pgp-hook/default.nix
index 9384123..56241d4 100644
--- a/pkgs/sops-pgp-hook/default.nix
+++ b/pkgs/sops-pgp-hook/default.nix
@@ -1,8 +1,8 @@
-{ makeSetupHook, gnupg, sops }:
+{ stdenv, makeSetupHook, gnupg, sops, go, nix }:
-makeSetupHook {
+(makeSetupHook {
 substitutions = {
 gpg = "${gnupg}/bin/gpg";
 };
 deps = [ sops gnupg ];
-} ./sops-pgp-hook.bash
+} ./sops-pgp-hook.bash)
diff --git a/pkgs/sops-pgp-hook/hook_test.go b/pkgs/sops-pgp-hook/hook_test.go
new file mode 100644
index 0000000..6d4f8f2
--- /dev/null
+++ b/pkgs/sops-pgp-hook/hook_test.go
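Review bot: The added `ssh-to-pgp` attribute in `default.nix` points at `./pkgs/ssh-to-pgp`, which this patch does not create (no such path appears in the diffstat), so the file only evaluates if that directory already exists in the tree. The commit message is about the sops-pgp-hook integration test and says nothing about this line; the surrounding context (`inherit vendorSha256; };` directly after the `sops-pgp-hook` line) suggests it repairs an attribute whose `callPackage` header was missing, which is worth stating in the message or splitting into its own commit.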
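Review bot: In `pkgs/sops-pgp-hook/default.nix` the new inputs `stdenv`, `go` and `nix` are accepted but none of them is used in the hunk, and wrapping `makeSetupHook { … } ./sops-pgp-hook.bash` in parentheses looks like preparation for an `.overrideAttrs` or `passthru` that was not committed. Either the three inputs and the parentheses should be dropped, or the intended override (presumably a `passthru.tests` that runs `go test` with `go` and `nix` on the path) added, so that `callPackage` does not resolve dependencies for nothing.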
@@ -0,0 +1,54 @@
+package main
+
+import (
+ "bytes"
+ "fmt"
+ "io/ioutil"
+ "os"
+ "os/exec"
+ "path"
+ "path/filepath"
+ "runtime"
+ "strings"
+ "testing"
+)
+
+// ok fails the test if an err is not nil.
+func ok(tb testing.TB, err error) {
+ if err != nil {
+ _, file, line, _ := runtime.Caller(1)
+ fmt.Printf("\033[31m%s:%d: unexpected error: %s\033[39m\n\n", filepath.Base(file), line, err.Error())
+ tb.FailNow()
+ }
+}
+
+func TestShellHook(t *testing.T) {
+ _, filename, _, _ := runtime.Caller(0)
+ assets := path.Join(path.Dir(filename), "test-assets")
+ tempdir, err := ioutil.TempDir("", "testdir")
+ ok(t, err)
+ defer os.RemoveAll(tempdir)
+
+ cmd := exec.Command("nix-shell", "shell.nix", "--run", "echo SOPS_PGP_FP=$SOPS_PGP_FP")
+ cmd.Env = append(os.Environ(), fmt.Sprintf("GNUPGHOME=%s", tempdir))
+ var stdoutBuf, stderrBuf bytes.Buffer
+ cmd.Stdout = &stdoutBuf
+ cmd.Stderr = &stderrBuf
+ cmd.Dir = assets
+ err = cmd.Run()
+ stdout := string(stdoutBuf.Bytes())
+ stderr := string(stderrBuf.Bytes())
+ fmt.Printf("$ %s\nstdout: \n%s\nstderr: \n%s\n", strings.Join(cmd.Args, " "), stdout, stderr)
+ ok(t, err)
+
+ expectedStdout := "SOPS_PGP_FP=C6DA56E69A7C756564A8AFEB4A6B05B714D13EFD,4EC40F8E04A945339F7F7C0032C5225271038E3F,7FB89715AADA920D65D25E63F9BA9DEBD03F57C0"
+ if strings.Index(stdout, expectedStdout) == -1 {
+ t.Fatalf("'%v' not in '%v'", expectedStdout, stdout)
+ }
+
+ expectedStderr := "./non-existing-key.gpg does not exists"
+ if strings.Index(stderr, expectedStderr) == -1 {
+ t.Fatalf("'%v' not in '%v'", expectedStderr, stdout)
+ }
+
+}
diff --git a/pkgs/sops-pgp-hook/sops-pgp-hook.bash b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
index dbbd539..5bb0097 100644
--- a/pkgs/sops-pgp-hook/sops-pgp-hook.bash
+++ b/pkgs/sops-pgp-hook/sops-pgp-hook.bash
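Review bot: The second `t.Fatalf` in `TestShellHook` prints `stdout` although the check was made on `stderr`, so a failing assertion on the missing-key warning shows the wrong stream: `t.Fatalf("'%v' not in '%v'", expectedStderr, stderr)`. Both containment checks read more naturally as `strings.Contains(stdout, expectedStdout)` than `strings.Index(...) == -1`, and `stdoutBuf.String()` replaces `string(stdoutBuf.Bytes())`. In `ok`, `tb.Helper()` followed by `tb.Fatalf(...)` would attribute the failure to the calling line and keep the message in the test log instead of going through `fmt.Printf` to stdout, and `path.Join`/`path.Dir` on an OS file path should be `filepath.Join`/`filepath.Dir`, which the file already imports. It is worth a comment on the `cmd.Env` line that `GNUPGHOME` is pointed at the temp dir precisely so the hook's `gpg` calls never touch the developer's real keyring.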
@@ -3,18 +3,24 @@ _sopsAddKey() {
 local fpr
 fpr=$(@gpg@ --with-fingerprint --with-colons --show-key "$key" \
 | awk -F: '$1 == "fpr" { print $10;}')
- export SOPS_PGP_FP=''${SOPS_PGP_FP}''${SOPS_PGP_FP:+','}$fpr
+ if [[ $fpr != "" ]]; then
+ export SOPS_PGP_FP=''${SOPS_PGP_FP}''${SOPS_PGP_FP:+','}$fpr
+ fi
 }
 sopsPGPHook() {
 local key dir
 for key in $sopsPGPKeys; do
- _sopsAddKey "$key"
+ if [[ -f "$key" ]]; then
+ _sopsAddKey "$key"
+ else
+ echo "$key does not exists" >&2
+ fi
 done
 for dir in $sopsPGPKeyDirs; do
 while IFS= read -r -d '' key; do
 _sopsAddKey "$key"
- done < <(find "$dir" -type f -name '*.gpg' -o -name '*.asc' -print0)
+ done < <(find -L "$dir" -type f \( -name '*.gpg' -o -name '*.asc' \) -print0)
 done
 }
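Review bot: The new stderr message `"$key does not exists"` has a grammar slip that the test in hook_test.go (`expectedStderr`) pins verbatim, so it should be corrected in both places at once: `echo "$key does not exist" >&2`. The added `if [[ $fpr != "" ]]` guard in `_sopsAddKey` now silently skips any file `gpg --show-key` cannot parse (the awk pipeline then yields an empty fingerprint), which is the failure a user of `sopsPGPKeyDirs` is most likely to hit; an `else echo "$key: no PGP fingerprint found" >&2` branch would make it as visible as the missing-file case, and `[[ -n $fpr ]]` is the idiomatic spelling of the test. `find -L` follows symlinked directories as well as symlinked files, which the `keys/key.asc` symlink needs but which also widens what a key directory can pull in, so a one-line comment on that line explaining the `-L` would help. The opening line of `_sopsAddKey` is above the hunk.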
diff --git a/pkgs/sops-pgp-hook/test-assets/existing-key.gpg b/pkgs/sops-pgp-hook/test-assets/existing-key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..eba373876ddadb4d792d45c1b0e633a50bd7044d GIT binary patch literal 1815 zcmX?lWCjZZ0|Nsi55q;R29Esm+Ty3CxJ;fXB);;UsNJ4#A{uulp4eh}p8e>l!@Bz} z*gwtS&DvspNBJ>>+JuAKrY!%sGJ2xllzfir>Z83Ghr^dfMf&M!Ed8$D_M z1qWW-U%bwBeZlIhzZItU&diwoq3m4N#XX`uqBk|g7vGwAHJ%MWpr!j)}(^cMF#{j*qv9L|8VB*F{gKuC&O=8Pdl%aa?2;MBG>z%GQV|_zQ0^z z*Crr`SFCD-NF^|4Q~Fn{{o_10p~Edn1_8kYS!zC6cmUd)sf zuh}~m%Jqi*>(!Was;AUz{cVMRhIvIoYfa2ruP?apKvO4tqU}ka%_rV{4ZE-Q>&B4@ zUw+HX{=b}krAb3#STozMrJHUYpMNMM#cI{wGjY5PoRwd7B_u9(v9oV>d(->CPgbGq zM${`Yb{+cz*B>18^yH51xPOW3)1ui^w?9$eyhdMV{ZW@&yr;5G_og|ooqT9oxP+R5 z@21<=Lm31a85kLO7!H1^V!Cly-@dV4GK7=s!ky(VVjMEJw;l1Ud-@}g=cAxA=R`l2 zB%zhl{5#HN^~_CB?bS}>%GY+w zdmVp&e2%fmwZ*x=Ev6sR4(I3WD?7rq`hU}mh)?yB!p~DJ1LSOzRc6eY_G8^U*>9?9 zH;yDdoVmCvrQ*J}wrsBAO_BNHTbfTTzgkjepRlg$%t6l7wjZ3Yvw~OV331Mwm6FKs zxy)&QgLT>2S)OV&>=7k?rB@ktJu;o?ZmoQcvD#FyF2L-Nyv~Mlch@~9&-}YEJLkny zHik>>x;_U5)_$&D7QVP_;u<%b?wMcAl_u6-zJBaUmy=d;3^T_RIicTsSI_Y2JRn}T z?(81R{#?>GaJLd z2xk4sN8A^xop9NpRcX+d_s1^d=tQGueSK!XFBnUFyQNvQ<}-feKzu0k3SVJxqg^up#45I&ERd~FTI-$O&U|4zP7h_^)gZDpFVX(f=%0=ICcLWv3EHl zvUIj>+{V0kDf`T7+wQ2vGa|3;Z{KkDU~G)Xh1dF~uh!pLiSj*{@wjHeex*S48H zwylfJTcv#>hD-l~?~O;5=e2ScTj)>cj%NQJy=Kk(z$1FoJ6ASopZAlzeRGrioN2xP zc9nK)mklg-h;W%+!N1)6ri~fL%cZ^^s~(G|GQ|si)luB}&1?CI#A>yRyCN61TX6W? qpCBFj_(}WBj)mVEHdt-xY`$rj`&*;5<|NCeZpX`V)r;0Q>;(X;rDsh5 literal 0 HcmV?d00001 diff --git a/pkgs/sops-pgp-hook/test-assets/keys/key.asc b/pkgs/sops-pgp-hook/test-assets/keys/key.asc new file mode 120000 index 0000000..34bc240 --- /dev/null +++ b/pkgs/sops-pgp-hook/test-assets/keys/key.asc @@ -0,0 +1 @@ +../../../sops-install-secrets/test-assets/key.asc \ No newline at end of file 
diff --git a/pkgs/sops-pgp-hook/test-assets/keys/key.gpg b/pkgs/sops-pgp-hook/test-assets/keys/key.gpg new file mode 100644 index 0000000000000000000000000000000000000000..c168d7400078d06ffc04e81b851b888c91ee3ae3 GIT binary patch literal 1815 zcmX?lWCjZZ0|Nsi55uNR@kmyUh@X}!&D(R%Y}1QkUO6j7O1fQn_G0#$^bajh-oBZ( zK{m5zW=dJegTUw|PbW^~Si72Mk5KdV(%8dK)_zi&K6x)k*wRm*Z7zi_aKCxdx~l2l zIr-do51xBo3Eq@lbpGbepo+_XUM0_{@>IH~$=p1RFFs2^Du7+MPdIH zJ$JQO9C5W$d={ZO$x(Fgr8j1MmRx_%JpHox#KYH9mu?mMdjEe+rJuu0t955vSG_s0 zV2hFbSC0vEPAW^bCp+D_durz;W|Lw)d&8UmBJy3ISZ}*^LcI8!{~3i1iDyh>yv?_~ z%FJBk$?v&A_f>x2@{TV7f0dT-JYNv+v{UVm**7~G)f*4>Zs8&m|6hw|TH8Nc78M-QdPsPON}1)K zx7Jr{j$Etqd{k;N`-$=E!%wf<9A>#X@#~)B`kd>N?n*4L`7-GPyKSxeBo!goYST#v zF4pqbI^Ua|bZA}J1~(&r>-(>r*x$9k*!@9-`Ma)=LCMb9nj%Lf3$9A0d$;~O@b!qk zZLwS*x=IJ-zO!{+H3A> zr0|Dlj?h_krh{4+#ixIq@vt|wVD7SI9Jl5w{57`FSvU2?VWSfH>jh3>2|vV_i*GP# zy{}Mj!m;b5;7Q#{lkywiIBG5S6|CL!Ly2~%M7PQO@np)``+IC@ul3dq*@$(WF53c*+;UcyC zA{)cSYUPOuKh@UFZOG=YkBQRw(E7eX;oerkJ)c&)_g)iQWr~|F=!tc4tZ5e|wYOU#p*7H1ZEsv|9A$x5b&6 zzdqbwxp42q2fUM;XRQ{<;L%Wa{SiCWUG2tpmOE=tMZftGQ&wabzWNQr>VMtY`MPWj zx7g>p24CHE=nfEx&feE?*-5;rv3M6~YO& z^10!y3r*`e>;!zfE=|3BC!xf1LZ{=$$VtYM>W4Iv&+?aLFL-k7q4Wb=Zm*hm?ay9y zD9xBvy{_lvm8XAeFKyHlpMU@HyhObpHkYyw`fNFxsW!v&@WaC_6IAT}`Isg?dA@Dw zd@c9rRfbv&>m3u#8(f@^A%Svsoq`N!Tf86=)y_isfp?l7Q z+5J{GeqUag`EJ9D#OviJVv9cSS-@yKc^B8Mty3l+`SL1c%j|g8_4E15y(}GtZwjxH zvGhr)fBB%>zIUnlf(}88Xjj&}{FhftCv^rW8LHgzt)KR!Eh*wji13>Tt%lFh6?cO= z7+&4qk{ojPiluY%TebQ&4%MW~95S~9+iyCh{K)*sSmS#A2G6SY2_bi$?Kvx2l%HRs zU;`o@a`KZCb29RaOY9CEc*G*i$iX1S$^y*r|%Wb~_E0xb)Ovp2??K9!rd%?-0X`TPY zr=MHdxFVLC`3H2(*{j%dY|hTFE6N|vjt;uL#&XgHrJ#?=GjUp%SwXDU0ZEl|{+liyQVr7p7Pm+|Z@%(jaUABbT%UZ+cmYeSLcIHP( zf4k9SY-AbppmG8Wt8+$u16w}pvCSIuWcvAX>3qTt@$-cP*J*QSLjFudWm zGI>97Mzb96)OSf7v+_$$D^2-qe`Q6mq175u!KdL9AE>cdYlZIM|8I0Xhr4{uQeM7& zdk&unQwpA~{&?;?hw8AatedVV=h<`HG`yWTMLV74sbPi3oJM0g!5;^Wmh5|VC{j^9 z=B!LaLy&0O^KX?K-{@(ta+~7WIWusnfWr~tFZ!;vt%sN#KdgQmoA=-K*q8sVmL^e) rEv46<=eGDWH)=s#v{6M@H^a=7lQzpjRzyF^@Y(ct=Fy(F=jQ {}; 
+mkShell {
+ sopsPGPKeyDirs = [
+ "./keys"
+ ];
+ sopsPGPKeys = [
+ "./existing-key.gpg"
+ "./non-existing-key.gpg"
+ ];
+ nativeBuildInputs = [
+ (pkgs.callPackage ../../.. {}).sops-pgp-hook
+ ];
+}
diff --git a/shell.nix b/shell.nix
index 7b695f2..7f1bda6 100644
--- a/shell.nix
+++ b/shell.nix
@@ -6,6 +6,7 @@ pkgs.mkShell {
 delve
 gnupg
 utillinux
+ nix
 ];
 # delve does not compile with hardening enabled
 hardeningDisable = [ "all" ];