Allow nested secrets in secrets.json
#328
Conversation
Prior to this change, if secrets.json had nested secrets we would see this error (example): ``` sops-install-secrets: Manifest is not valid: secret jenkins-nix-ci/cachix-auth-token/description in /nix/store/wxm763za3rbrpiijfbgss9g5ll0sd29z-secrets.json is not valid: Key 'jenkins-nix-ci' does not refer to a dictionary ``` The reason is that introspecting the map key to be `interface` fails, when it is in fact a string.
srid
changed the title
secrets.json
This comment was marked as resolved.
This comment was marked as resolved.
Because the map's key type is different for both.
| currentData[key.(string)] = value | ||
| // The 'if' here is to deal with key type discrepancy between YAML and | ||
| // JSON. With YAML, it is 'interface {}'; with JSON, it is 'string'. | ||
| if format == Json { |
There was a problem hiding this comment.
Looks good. Can you also extend one of our tests to have a nested key?
There was a problem hiding this comment.
@Mic92 What's the best way to do that? I don't really understand the test infrastructure in this repo. Especially what's going on with the Go tests. nixos-tests.nix seems more pratical; but how do you edit secrets.json? Running nix run . pkgs/sops-install-secrets/test-assets/secrets.json throws:
fingerprint: 26F82B82FDFFA024E08B9C8B67936C83AAC837D4
mv: cannot stat '/root/.gnupg': Permission denied
|
I am trying to write the test for this. Here's how the nested-json = makeTest {
name = "sops-nested-json-secrets";
nodes.server = {
imports = [ ../../modules/sops ];
sops = {
age.keyFile = ./test-assets/age-keys.txt;
defaultSopsFile = ./test-assets/secrets.json;
secrets."nested/test/file" = { };
};
};
testScript = ''
start_all()
server.succeed("cat /run/secrets/nested/test/file | grep -q 'another value'")
'';
} {
inherit pkgs;
inherit (pkgs) system;
};
|
Prior to this change, if
secrets.jsonhad nested secrets (example) we would see this error:The reason happens to be that introspecting the map key to be
interfacefails, when it is in fact a string. This PR makes it so that we always expect the key to be a string (what else could it be?). It also improves the error message, by telling the user what the actual value type is.