From 20c2a79808a8e66631f631091eb92d9eae0599b9 Mon Sep 17 00:00:00 2001
From: LeeW
Date: Thu, 30 Jan 2025 17:35:51 +0100
Subject: [PATCH] automates creation+verification of sops config

---
 README.md | 6 +++---
 __update_sops.sh | 26 ++++++++++++++++++++++----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 243dd9b..185ab4e 100644
--- a/README.md
+++ b/README.md
@@ -22,10 +22,10 @@ GPG_TTY=$(tty) sops secrets.yaml
 #!/usr/bin/env bash
 set -ueo pipefail
 # demo: create a file with a mock secret, src: https://bash-org-archive.com/?244321
-yq -n '.demo.credentials.secret = "hunter2"' > secret.yaml
+yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml
 # encrypt
-sops -e -i secret.yaml
+sops -e -i mock_secrets.yaml
 # decript, print to console
-sops -d secret.yaml
+sops -d mock_secrets.yaml
 ```
\ No newline at end of file
diff --git a/__update_sops.sh b/__update_sops.sh
index 2fc0e34..b947a69 100755
--- a/__update_sops.sh
+++ b/__update_sops.sh
@@ -1,7 +1,6 @@
 #/usr/bin/env bash
-# Purpose: manage .sops.yaml based on gpg keys in the same dir
+# Purpose: manage .sops.yaml based on gpg keys in the same dir _and_ verify correct configuration
 set -euo pipefail
-# sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
 sops_config=".sops.yaml"
@@ -26,7 +25,8 @@ function fn_extract_uid(){
 }
 function fn_update_sops_config(){
- # CAVEAT: dirty hacks, just get it done. Not DRY at all.
+ # sops.yaml doc: https://github.com/getsops/sops?tab=readme-ov-file#using-sops-yaml-conf-to-select-kms-pgp-and-age-for-new-files
+ # CAVEAT: dirty hacks, just get it done. Not DRY, very WET.
 echo "# Fingerprint | User Type | User ID"
 for gpgkeyfile in *automation*gpg.pub; do
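Review bot: The first context line of the `@@ -1,7 +1,6 @@` hunk, `#/usr/bin/env bash`, is missing the `!`, so it is an ordinary comment rather than a shebang; with the 100755 mode the file is meant to be executed directly, and which interpreter then runs it depends on the invoking shell rather than on this line. The `set -euo pipefail` immediately below and the `function` keyword used further down presume bash, and the rewritten Purpose line now also promises verification, so the whole script rests on that first line being honoured. The fix is one character: `#!/usr/bin/env bash`.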
@@ -57,4 +57,22 @@ EOM
 done
 }
-(fn_update_sops_config) >> "${sops_config}"
+# UPDATE SOPS CONFIG
+(fn_update_sops_config) > "${sops_config}"
+
+# VERIFY
+fn_verify_sops_config(){
+ sops_enc_file="${1}";shift;
+ # update keys in mock secret file
+ # prereq: create a file with a mock secret, src: https://bash-org-archive.com/?244321
+ test -e mock_secrets.yaml || (yq -n '.demo.credentials.secret = "hunter2"' > mock_secrets.yaml && sops -e -i mock_secrets.yaml )
+
+ # "update the keys of SOPS files using the config file"
+ sops updatekeys mock_secrets.yaml
+
+ # dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
+ GPG_TTY=$(tty) sops -d mock_secrets.yaml
+}
+fn_verify_sops_config
+
+echo "# SUCESS: all users with keys in this dir should have functional keys"
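Review bot: `fn_verify_sops_config` is invoked with no arguments at the bottom of the hunk, yet its first line is `sops_enc_file="${1}";shift;` — under the script's `set -u` that expansion aborts with an unbound-variable error (and `shift` with nothing to shift would trip `set -e` anyway), so the verification never runs; `sops_enc_file` is also never read, since every sops call below hard-codes `mock_secrets.yaml`. `sops updatekeys` asks for confirmation before rewriting the file, so a run from a script needs `sops updatekeys -y`. The final `echo` overstates what was checked: `updatekeys` does exercise every public key listed in the generated config, but `sops -d` only proves the invoking user's own private key works, not anyone else's — and the message reads `SUCESS`. If `sops -e -i` fails after `yq` has written the file, a plaintext `mock_secrets.yaml` is left behind and every later run skips the encrypt step because `test -e` succeeds, so the rewrite below removes it on failure. A rewrite that takes the file name as a defaulted parameter and uses it consistently:

```shell
fn_verify_sops_config(){
    local sops_enc_file="${1:-mock_secrets.yaml}"
    # prereq: create a file with a mock secret, src: https://bash-org-archive.com/?244321
    if [[ ! -e "${sops_enc_file}" ]]; then
        yq -n '.demo.credentials.secret = "hunter2"' > "${sops_enc_file}"
        # do not leave an unencrypted file behind if encryption fails
        sops -e -i "${sops_enc_file}" || { rm -f -- "${sops_enc_file}"; exit 1; }
    fi
    # "update the keys of SOPS files using the config file"; -y skips the interactive prompt
    sops updatekeys -y "${sops_enc_file}"
    # dump secrets, GPG_TTY src: https://www.varokas.com/secrets-in-code-with-mozilla-sops/
    GPG_TTY=$(tty) sops -d "${sops_enc_file}"
}
fn_verify_sops_config mock_secrets.yaml

echo "# SUCCESS: config parsed and re-encrypted to all listed keys; decryption verified for the current user's key only"
```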