communication-keys/verify/test.sh


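#!/usr/bin/env bash
# PURPOSE: Test to verify update_sops.sh script
set -ueo pipefail
test_dir="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
cd "${test_dir}"
# opinionated: keys located in current repo, one level up
keys_dir="$(dirname "${test_dir}")"
# deliberate: just "dot" for current dir
sops_cfg_dir=.
secrets_file="mock_secrets.yaml"
# prerequisite: for verification of sops config, idempotent create file with a mock secret, src: https://bash-org-archive.com/?244321
# The plaintext is written under its final name (sops creation_rules may be selected by path, so a temp name
# could hit a different rule). If either step fails the half-written file is removed: otherwise the next run
# would find the file, skip this step and carry an unencrypted "secrets" file through the rest of the tests.
if [[ ! -e "${secrets_file}" ]]; then
  if ! yq -n '.demo.credentials.secret = "hunter2"' > "${secrets_file}" || ! sops -e -i "${secrets_file}"; then
    rm -f -- "${secrets_file}"
    >&2 echo "# FAIL: could not create encrypted mock secrets file ${secrets_file}"
    exit 1
  fi
fi
# Special Case: Add caveat header
# The checked-in .sops.yaml is the fixture every test restores with 'git checkout'. Insist on its presence:
# a failing 'cat' inside a command substitution does not stop the script, so the header would otherwise be
# written on its own and silently replace the config (e.g. after an aborted earlier run deleted it).
test -e .sops.yaml || { >&2 echo "# FAIL: tracked ${test_dir}/.sops.yaml is missing; restore it with git checkout"; exit 1; }
{
  printf '%s\n' '# PURPOSE: BLUEPRINT for .sops.yaml config'
  printf '%s\n' '# CAVEAT: DO NOT USE THIS FILE AS-IS in another project; copy it and remove the unauthorised users'
  cat .sops.yaml
} > .sops.yaml.tmp
mv .sops.yaml.tmp .sops.yaml
# TESTCASES
# define "fixture"
repo_root="$(git rev-parse --show-toplevel)"
# The tests assert that no top-level .sops.yaml exists in this repo. Remember whether one did anyway, so the
# exit handler never deletes a config this script did not create.
root_cfg_preexisted=0
if [[ -e "${repo_root}/.sops.yaml" ]]; then
  root_cfg_preexisted=1
fi
# Runs on every exit (success, a failed 'test' under set -e, or a signal) so that an aborted run does not leave
# the tracked config deleted or a generated top-level config behind; either would make the next run fail its
# precondition checks before any test logic is reached.
cleanup() {
  git checkout "${test_dir}/.sops.yaml" > /dev/null 2>&1 || :
  if [[ "${root_cfg_preexisted}" -eq 0 ]]; then
    rm -f -- "${repo_root}/.sops.yaml"
  fi
}
trap cleanup EXIT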
# ---
# toggle: change the condition to skip this case
if (( 1 )); then
  >&2 printf '# ---\n# TEST: create sops cfg in default dir: %s\n' "${repo_root}"
  set -x
  # start from a clean slate: the tracked cfg in this dir is removed, so its absence afterwards is meaningful
  rm "${PWD}/.sops.yaml" || :
  # precondition: this repo must never carry a top-level sops config
  test ! -e "${repo_root}/.sops.yaml"
  # no -c given: the cfg is expected to land in the repo root, not in the current dir
  ../bin/update_sops.sh -s "${secrets_file}" > /dev/null 2>&1
  test ! -e "${PWD}/.sops.yaml"
  test -e "${repo_root}/.sops.yaml"
  set +x
  # teardown: put the tracked cfg back and drop the generated top-level one
  git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
  rm "${repo_root}/.sops.yaml"
else
  printf '%s\n' "# INFO: skipping ...." >&2
fi
# ---
# toggle: change the condition to skip this case
if (( 1 )); then
  >&2 printf '# ---\n# TEST: create sops cfg in curdir: %s\n' "${PWD}"
  set -x
  # precondition: this repo must never carry a top-level sops config
  test ! -e "${repo_root}/.sops.yaml"
  # remove the tracked cfg so the existence check below cannot pass on the checked-in file
  rm "${PWD}/.sops.yaml" || :
  # minimal operation with an explicit -c: write .sops.yaml here, update keys in the encrypted file
  ../bin/update_sops.sh -c "${PWD}" "${secrets_file}" > /dev/null 2>&1
  test -e "${PWD}/.sops.yaml"
  test ! -e "${repo_root}/.sops.yaml"
  set +x
  # teardown: the cfg is tracked, so restoring it is all that is needed
  git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
else
  printf '%s\n' "# INFO: skipping ...." >&2
fi
# ---
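if [[ 1 -eq 1 ]]; then
  >&2 printf '# ---\n# TEST: Full Args: specify path to each, also for secrets, mix specified and positional params\n'
  set -x
  # precondition, as in the other cases: no top-level sops config may exist in this repo
  test ! -e "${repo_root}/.sops.yaml"
  # remove the tracked cfg first, otherwise the existence check below would pass on the checked-in file and
  # this case would only prove that the script exits 0
  rm "${PWD}/.sops.yaml" || :
  ../bin/update_sops.sh -k "${keys_dir}" -c "${sops_cfg_dir}" -s "${secrets_file}" "${secrets_file}" > /dev/null 2>&1
  # -c . is the current dir: the cfg must be written here and not fall back to the repo root
  test -e "${PWD}/.sops.yaml"
  test ! -e "${repo_root}/.sops.yaml"
  set +x
  # teardown: the cfg is tracked, restore it
  git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
else
  >&2 echo "# INFO: skipping ...."
fi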
# ---
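if [[ 1 -eq 1 ]]; then
  >&2 printf '# ---\n# TEST: auto-find secrets files\n'
  # SETUP: a second (empty) secrets file below a sub-directory that --find_secrets has to discover
  _tmp_mock_secrets_filepath='mock_hierarchy/secrets.yaml'
  _tmp_mock_secrets_dir="${_tmp_mock_secrets_filepath%/*}"
  mkdir -p "${_tmp_mock_secrets_dir}"
  touch "${_tmp_mock_secrets_filepath}"
  # RUN
  # Only the output is inspected, the exit status is deliberately not asserted (as before); '|| :' keeps
  # set -e from aborting on a non-zero exit without toggling -e off and on around the call.
  # Note: 'set -x' inside the substitution traces to the subshell's own stderr, which the '2>&1' on the
  # command does not cover, so trace lines reach the terminal instead of ${_out}.
  _out="$(set -x; ../bin/update_sops.sh -c "${PWD}" --find_secrets "${secrets_file}" 2>&1 )" || :
  # both the explicitly given file and the discovered one must be reported; -F and -- because the paths are
  # literal strings, not regular expressions (a leading '-' or a '.' would otherwise change the match)
  grep -F -- "${_tmp_mock_secrets_filepath}" <<< "${_out}"
  grep -F -- "${secrets_file}" <<< "${_out}"
  # TEARDOWN: remove the mock file and its directory; rmdir only succeeds on an empty dir, so a directory of
  # that name that held other content before SETUP is left alone
  rm -f -- "${_tmp_mock_secrets_filepath}"
  rmdir -- "${_tmp_mock_secrets_dir}" || :
  # enmesh: restore, since this particular one is checked in
  git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
else
  >&2 echo "# INFO: skipping ...."
fi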
# ---
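if [[ 1 -eq 1 ]]; then
  >&2 printf '# ---\n# TEST: induce error: invalid file\n'
  set -x
  # A non-existing -s file must make the script fail. The status is captured instead of being discarded with
  # '|| :', because that made this case pass regardless of whether the script detected the bad path.
  _rc=0
  ../bin/update_sops.sh "${secrets_file}" -s non_existing_secrets.yaml > /dev/null 2>&1 || _rc=$?
  set +x
  # teardown first, so the tracked cfg is restored even when the assertion below ends the run
  git checkout "${PWD}/.sops.yaml" > /dev/null 2>&1
  if [[ "${_rc}" -eq 0 ]]; then
    >&2 echo "# FAIL: expected a non-zero exit for non_existing_secrets.yaml, got 0"
    exit 1
  fi
else
  >&2 echo "# INFO: skipping ...."
fi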
# ---
# reached only if every 'test' above held (set -e aborts the run otherwise)
printf '%s\n' "TESTCASES PASSED"
exit 0