fix replace existing files

2024-12-14 11:57:52 +00:00 · 2020-07-19 23:23:38 +01:00 · 2020-07-19 23:23:38 +01:00 · bffb0afb48
commit bffb0afb48
parent 04b33fdb9e
3 changed files with 36 additions and 6 deletions
--- a/pkgs/sops-install-secrets/main.go
+++ b/pkgs/sops-install-secrets/main.go
@ -115,16 +115,24 @@ func readManifest(path string) (*manifest, error) {

 func symlinkSecret(targetFile string, secret *secret) error {
 	for {
-		currentLinkTarget, err := os.Readlink(secret.Path)
+		stat, err := os.Lstat(secret.Path)
 		if os.IsNotExist(err) {
 			if err := os.Symlink(targetFile, secret.Path); err != nil {
 				return fmt.Errorf("Cannot create symlink '%s': %s", secret.Path, err)
 			}
 			return nil
 		} else if err != nil {
-			return fmt.Errorf("Cannot read symlink: '%s'", err)
-		} else if currentLinkTarget == targetFile {
-			return nil
+			return fmt.Errorf("Cannot stat '%s'", err)
+		}
+		if stat.Mode()&os.ModeSymlink == os.ModeSymlink {
+			linkTarget, err := os.Readlink(secret.Path)
+			if os.IsNotExist(err) {
+				continue
+			} else if err != nil {
+				return fmt.Errorf("Cannot read symlink: '%s'", err)
+			} else if linkTarget == targetFile {
+				return nil
+			}
 		}
 		if err := os.Remove(secret.Path); err != nil {
 			return fmt.Errorf("Cannot override %s", secret.Path)
--- a/pkgs/sops-install-secrets/main_test.go
+++ b/pkgs/sops-install-secrets/main_test.go
@ -186,13 +186,18 @@ func testSSHKey(t *testing.T) {
 	testdir := newTestDir(t)
 	defer testdir.Remove()

+	target := path.Join(testdir.path, "existing-target")
+	file, err := os.Create(target)
+	ok(t, err)
+	file.Close()
+
 	s := secret{
 		Name:            "test",
 		Key:             "test_key",
 		Owner:           "nobody",
 		Group:           "nogroup",
 		SopsFile:        path.Join(assets, "secrets.yaml"),
-		Path:            path.Join(testdir.path, "test-target"),
+		Path:            target,
 		Mode:            "0400",
 		RestartServices: []string{"affected-service"},
 		ReloadServices:  make([]string, 0),
--- a/pkgs/sops-install-secrets/nixos-test.nix
+++ b/pkgs/sops-install-secrets/nixos-test.nix
@ -34,10 +34,16 @@
     sops.gnupgHome = "/run/gpghome";
     sops.defaultSopsFile = ./test-assets/secrets.yaml;
     sops.secrets.test_key.owner = config.users.users.someuser.name;
+     sops.secrets.existing-file = {
+       key = "test_key";
+       path = "/run/existing-file";
+     };
     # must run before sops
     system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
       cp -r ${./test-assets/gnupghome} /run/gpghome
       chmod -R 700 /run/gpghome
+
+       touch /run/existing-file
     '';
     # Useful for debugging
     #environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
@ -48,11 +54,22 @@
     #};
  };
  testScript = ''
+    def assertEqual(exp: str, act: str) -> None:
+        if exp != act:
+            raise Exception(f"'{exp}' != '{act}'")
+
+
    start_all()
-    server.succeed("cat /run/secrets/test_key | grep -q test_value")
+
+    value = server.succeed("cat /run/secrets/test_key")
+    assertEqual("test_value", value)
+
    server.succeed("runuser -u someuser -G keys -- cat /run/secrets/test_key >&2")
    # should have no permission to read the file
    server.fail("runuser -u someuser -- cat /run/secrets/test_key >&2")
+
+    target = server.succeed("readlink -f /run/existing-file")
+    assertEqual("/run/secrets.d/1/existing-file", target.strip())
  '';
 } {
   inherit pkgs;