Support working directory for container and file credential hooks.

2025-02-14 19:35:12 -08:00 · 2025-02-14 19:35:12 -08:00 · e02a0e6322
commit e02a0e6322
parent 2ca23b629c
4 changed files with 41 additions and 2 deletions
--- a/borgmatic/hooks/credential/container.py
+++ b/borgmatic/hooks/credential/container.py
@ -29,7 +29,9 @@ def load_credential(hook_config, config, credential_parameters):
    try:
        with open(
            os.path.join(
-                (hook_config or {}).get('secrets_directory', DEFAULT_SECRETS_DIRECTORY), secret_name
+                config.get('working_directory', ''),
+                (hook_config or {}).get('secrets_directory', DEFAULT_SECRETS_DIRECTORY),
+                secret_name,
            )
        ) as secret_file:
            return secret_file.read().rstrip(os.linesep)
--- a/borgmatic/hooks/credential/file.py
+++ b/borgmatic/hooks/credential/file.py
@ -18,7 +18,9 @@ def load_credential(hook_config, config, credential_parameters):
        raise ValueError(f'Cannot load invalid credential: "{' '.join(credential_parameters)}"')

    try:
-        with open(credential_path) as credential_file:
+        with open(
+            os.path.join(config.get('working_directory', ''), credential_path)
+        ) as credential_file:
            return credential_file.read().rstrip(os.linesep)
    except (FileNotFoundError, OSError) as error:
        logger.warning(error)
--- a/tests/unit/hooks/credential/test_container.py
+++ b/tests/unit/hooks/credential/test_container.py
@ -49,6 +49,23 @@ def test_load_credential_with_custom_secrets_directory_looks_there_for_secret_fi
    )


+def test_load_credential_with_custom_secrets_directory_prefixes_it_with_working_directory():
+    config = {'container': {'secrets_directory': 'secrets'}, 'working_directory': '/working'}
+    credential_stream = io.StringIO('password')
+    credential_stream.name = '/working/secrets/mysecret'
+    builtins = flexmock(sys.modules['builtins'])
+    builtins.should_receive('open').with_args('/working/secrets/mysecret').and_return(
+        credential_stream
+    )
+
+    assert (
+        module.load_credential(
+            hook_config=config['container'], config=config, credential_parameters=('mysecret',)
+        )
+        == 'password'
+    )
+
+
 def test_load_credential_with_file_not_found_error_raises():
    builtins = flexmock(sys.modules['builtins'])
    builtins.should_receive('open').with_args('/run/secrets/mysecret').and_raise(FileNotFoundError)
--- a/tests/unit/hooks/credential/test_file.py
+++ b/tests/unit/hooks/credential/test_file.py
@ -38,6 +38,24 @@ def test_load_credential_reads_named_credential_from_file():
    )


+def test_load_credential_reads_named_credential_from_file_using_working_directory():
+    credential_stream = io.StringIO('password')
+    credential_stream.name = '/working/credentials/mycredential'
+    builtins = flexmock(sys.modules['builtins'])
+    builtins.should_receive('open').with_args('/working/credentials/mycredential').and_return(
+        credential_stream
+    )
+
+    assert (
+        module.load_credential(
+            hook_config={},
+            config={'working_directory': '/working'},
+            credential_parameters=('credentials/mycredential',),
+        )
+        == 'password'
+    )
+
+
 def test_load_credential_with_file_not_found_error_raises():
    builtins = flexmock(sys.modules['builtins'])
    builtins.should_receive('open').with_args('/credentials/mycredential').and_raise(