Bug 77: use ConfigUpdater so comments are kept when editing secrets.

flyingcircusio · Jul 28, 2020 · b252f7a · b252f7a
1 parent b212682
commit b252f7a
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 8 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -4,6 +4,8 @@
 2.1 (unreleased)
 ----------------
 
+- Bug 77: use `ConfigUpdater` to allow editing secrets and keeping comments.
+
 - Bug 1: provide better error message if remote user does not exist.
 
   This is also cleaning up the general error output and we're now hiding

diff --git a/setup.py b/setup.py
@@ -26,6 +26,7 @@ def project_path(*names):
     name='batou',
     version=version,
     install_requires=[
+        'ConfigUpdater',
         'Jinja2',
         'requests',
         'setuptools',

diff --git a/src/batou/requirements.txt b/src/batou/requirements.txt
@@ -1,13 +1,14 @@
 # Generated by buildout
+setuptools==49.2.0
 MarkupSafe==1.1.1
 certifi==2019.6.16
 chardet==3.0.4
 idna==2.8
 urllib3==1.25.3
 apipkg==1.5
+ConfigUpdater==1.1
 Jinja2==2.10.1
 requests==2.22.0
-setuptools==47.3.1
 execnet==1.7.1
 PyYAML==5.1.2
 py==1.8.0
diff --git a/src/batou/secrets/__init__.py b/src/batou/secrets/__init__.py
@@ -41,14 +41,15 @@ def add_secrets_to_environment_override(
                     raise ValueError(
                         'Secret for unknown host: {}'.format(hostname))
                 host = environment.hosts[hostname]
-                for key, value in f.config[section_].items():
+                for key, option in f.config.items(section_):
                     if key.startswith('data-'):
                         key = key.replace('data-', '', 1)
-                        host.data[key] = value
+                        host.data[key] = option.value
             else:
                 component = section_.replace('component:', '')
                 if component not in environment.components:
                     environment.exceptions.append(
                         SuperfluousSecretsSection(component))
                 o = environment.overrides.setdefault(component, {})
-                o.update(f.config.items(section_))
+                o.update(
+                    ((k, o.value) for k, o in f.config.items(section_)))
diff --git a/src/batou/secrets/encryption.py b/src/batou/secrets/encryption.py
@@ -1,8 +1,9 @@
 from batou import FileLockedError
-import configparser
+from configupdater import ConfigUpdater
 import fcntl
 import io
 import os
+import shlex
 import subprocess
 import tempfile
 
@@ -74,7 +75,7 @@ def cleartext(self):
 
     @cleartext.setter
     def cleartext(self, value):
-        self.config = configparser.RawConfigParser()
+        self.config = ConfigUpdater()
         self.config.read_string(value)
         self.set_members(self.get_members())
         s = io.StringIO()
@@ -121,7 +122,7 @@ def _decrypt(self):
             shell=True).decode('utf-8')
 
     def get_members(self):
-        members = self.config.get('batou', 'members').split(',')
+        members = self.config.get('batou', 'members').value.split(',')
         members = [x.strip() for x in members]
         members = [_f for _f in members if _f]
         members.sort()
@@ -139,7 +140,8 @@ def _encrypt(self):
         if not recipients:
             raise ValueError("Need at least one recipient.")
         self.set_members(self.get_members())
-        recipients = ' '.join(['-r {}'.format(r.strip()) for r in recipients])
+        recipients = ' '.join(
+            ['-r {}'.format(shlex.quote(r.strip())) for r in recipients])
         os.rename(self.encrypted_file,
                   self.encrypted_file + '.old')
         try:

diff --git a/src/batou/secrets/tests/fixture/cleartext.cfg b/src/batou/secrets/tests/fixture/cleartext.cfg
@@ -1,3 +1,4 @@
+# Sample secrets file for testing.
 [batou]
 members = ct@gocept.com
 

diff --git a/versions.cfg b/versions.cfg
@@ -128,3 +128,4 @@ wcwidth = 0.1.7
 # Required by:
 # bleach==3.1.0
 webencodings = 0.5.1
+ConfigUpdater = 1.1