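#!/usr/bin/env bash
# PURPOSE: Test to verify update_sops.sh script
#
# Usage: run this file directly; it cd's into its own directory first.
# Requires on PATH: yq, sops, git, realpath, and ../bin/update_sops.sh
# relative to this file.
#
# Each test case is a function called from main(); comment a call out to
# skip it. Fixtures are restored by an EXIT trap, so a failing assertion
# (set -e) does not leave the working tree modified.
set -ueo pipefail

# print message to stderr and exit non-zero
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# print a test banner to stderr (kept off stdout so output checks are unaffected)
banner() {
  printf '# ---\n# TEST: %s\n' "$*" >&2
}

# --- fixture -------------------------------------------------------------
test_dir="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
readonly test_dir
cd "${test_dir}" || die "cannot cd to ${test_dir}"

# opinionated: keys located in current repo, one level up
keys_dir="$(dirname "${test_dir}")"
readonly keys_dir
# deliberate: just "dot" for current dir
readonly sops_cfg_dir=.
readonly secrets_file="mock_secrets.yaml"
# directory holding the mock secrets hierarchy for the auto-find test
readonly mock_hierarchy_dir="mock_hierarchy"
# root of the enclosing git repo; the "default dir" test expects the config
# to land here when no -c is given
repo_root="$(git rev-parse --show-toplevel)" || die "not inside a git repo"
readonly repo_root

# note: fail if for any reason sops config defined at top level; this repo
# should not have this! Checked once, up front, so the EXIT cleanup below can
# safely remove anything that appears there during this run.
test ! -e "${repo_root}/.sops.yaml" \
  || die "refusing to run: ${repo_root}/.sops.yaml already exists"

# enmesh: .sops.yaml in this dir is checked in, so teardown is a git checkout.
# Runs on every exit path (success, failed assertion, interrupt).
cleanup() {
  local rc=$?
  set +x
  git checkout -- "${test_dir}/.sops.yaml" > /dev/null 2>&1 || :
  rm -f -- "${test_dir}/.sops.yaml.tmp" "${repo_root}/.sops.yaml"
  rm -rf -- "${test_dir:?}/${mock_hierarchy_dir}"
  (( rc == 0 )) || printf '# FAIL: exit status %d\n' "${rc}" >&2
}
trap cleanup EXIT

# prerequisite: for verification of sops config, idempotent create file with
# a mock secret, src: https://bash-org-archive.com/?244321
if [[ ! -e "${secrets_file}" ]]; then
  yq -n '.demo.credentials.secret = "hunter2"' > "${secrets_file}"
  # if encryption fails, do not leave the plaintext under the final name:
  # the existence check above would skip re-creation on the next run
  sops -e -i "${secrets_file}" \
    || { rm -f -- "${secrets_file}"; die "sops -e failed for ${secrets_file}"; }
fi

# Special Case: Add caveat header
cat > .sops.yaml.tmp <<EOM
# PURPOSE: BLUEPRINT for .sops.yaml config
# CAVEAT: DO NOT USE THIS FILE AS-IS in another project; copy it and remove the unauthorised users
$(< .sops.yaml)
EOM
mv -- .sops.yaml.tmp .sops.yaml

# --- TESTCASES -----------------------------------------------------------

# no -c: config must be written to the repo root, not the current dir
test_create_in_default_dir() {
  banner "create sops cfg in default dir: ${repo_root}"
  set -x
  rm -f -- "${PWD}/.sops.yaml"
  test ! -e "${repo_root}/.sops.yaml"
  ../bin/update_sops.sh -s "${secrets_file}" > /dev/null 2>&1
  test ! -e "${PWD}/.sops.yaml"
  test -e "${repo_root}/.sops.yaml"
  set +x
  # teardown
  git checkout -- "${PWD}/.sops.yaml" > /dev/null 2>&1
  rm -- "${repo_root}/.sops.yaml"
}

# -c PWD: config must be written here and nothing may appear at the repo root
test_create_in_curdir() {
  banner "create sops cfg in curdir: ${PWD}"
  set -x
  test ! -e "${repo_root}/.sops.yaml"
  rm -f -- "${PWD}/.sops.yaml"
  # minimal operation: update .sops.yaml, update keys in encrypted file
  ../bin/update_sops.sh -c "${PWD}" "${secrets_file}" > /dev/null 2>&1
  test -e "${PWD}/.sops.yaml"
  test ! -e "${repo_root}/.sops.yaml"
  set +x
  # teardown
  git checkout -- "${PWD}/.sops.yaml" > /dev/null 2>&1
}

# every path given explicitly, secrets file both via -s and positional
test_full_args() {
  banner "Full Args: specify path to each, also for secrets, mix specified and positional params"
  set -x
  ../bin/update_sops.sh -k "${keys_dir}" -c "${sops_cfg_dir}" \
    -s "${secrets_file}" "${secrets_file}" > /dev/null 2>&1
  set +x
  # teardown
  git checkout -- "${PWD}/.sops.yaml" > /dev/null 2>&1
}

# --find_secrets: discovered paths must be reported in the script's output
test_find_secrets() {
  banner "auto-find secrets files"
  # SETUP
  local mock_1="${mock_hierarchy_dir}/one/secrets.yaml"
  local mock_2="${mock_hierarchy_dir}/two/secrets.yaml"
  mkdir -p -- "$(dirname "${mock_1}")" "$(dirname "${mock_2}")"
  touch -- "${mock_1}" "${mock_2}"
  # RUN
  # 'set -x' lives inside the subshell so the trace is captured with the
  # output instead of being dumped to the tty. The exit status is recorded
  # but deliberately not asserted: only the discovery output is under test
  # (the mock files are empty, so anything done to them may legitimately fail).
  local out rc=0
  out="$(set -x; ../bin/update_sops.sh --find_secrets -s "${secrets_file}" 2>&1)" || rc=$?
  printf '%s\n' "${out}"
  printf '# INFO: update_sops.sh --find_secrets exit status: %d (not asserted)\n' "${rc}" >&2
  # -F: the paths contain '.', which grep would otherwise treat as a metachar
  grep -F -- "${mock_1}" <<< "${out}"
  grep -F -- "${mock_2}" <<< "${out}"
  grep -F -- "${secrets_file}" <<< "${out}"
  # TEARDOWN
  rm -rf -- "${mock_hierarchy_dir:?}"
  git checkout -- "${PWD}/.sops.yaml" > /dev/null 2>&1
}

# a non-existing secrets file must be rejected with a non-zero exit status
test_invalid_file() {
  banner "induce error: invalid file"
  set -x
  # asserted via 'if': a bare '|| :' here would make this case pass
  # unconditionally, and set -e must not abort on the expected failure
  if ../bin/update_sops.sh "${secrets_file}" -s non_existing_secrets.yaml > /dev/null 2>&1; then
    set +x
    die "expected update_sops.sh to fail for a non-existing secrets file"
  fi
  set +x
  # teardown
  git checkout -- "${PWD}/.sops.yaml" > /dev/null 2>&1
}

main() {
  # comment out a call to skip that case
  test_create_in_default_dir
  test_create_in_curdir
  test_full_args
  test_find_secrets
  test_invalid_file
  echo "TESTCASES PASSED"
}

main "$@"
exit 0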