* blackbox_postdeploy should accept an optional parameter for chgrp.

* blackbox_postdeploy should 'cd' to $BASEDIR or the base VCS directory.
* Add unit tests to confidence_test.sh to cover chgrp functionality.

bin/blackbox_postdeploy

@@ -4,15 +4,33 @@
 # blackbox_postdeploy.sh -- Decrypt all blackbox files.
 #
 
+# Usage:
+#   blackbox_postdeploy.sh [GROUP]
+#       GROUP is optional.  If supplied, the resulting files
+#       are chgrp'ed to that group.
+
 # Since this is often run in a security-critical situation, we
 # force /usr/bin and /bin to the front of the PATH.
 export PATH=/usr/bin:/bin:"$PATH"
 
 . _blackbox_common.sh
 
-# If we aren't in a repo, assume /etc/puppet.
+if [[ "$1" == "" ]]; then
-if [[ "$REPOBASE" = "/dev/null" ]]; then
+  FILE_GROUP=""
-  REPOBASE=/etc/puppet
+else
+  FILE_GROUP="$1"
+fi
+
+# If BASEDIR is not set, use REPOBASE.
+if [[ "$BASEDIR" = "" ]]; then
+  BASEDIR="$REPOBASE"
+fi
+
+if [[ "$BASEDIR" = "/dev/null" ]]; then
+  echo 'WARNING: Not in a VCS repo.  Not changing directory.'
+else
+  echo "CDing to $BASEDIR"
+  cd "$BASEDIR"
 fi
 
 prepare_keychain
@@ -23,5 +41,8 @@ while read unencrypted_file; do
   encrypted_file=$(get_encrypted_filename "$unencrypted_file")
   decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
   chmod g+r,o-rwx "$unencrypted_file"
+  if [[ ! -z "$FILE_GROUP" ]]; then
+    chgrp $FILE_GROUP "$unencrypted_file"
+  fi
 done <"$BB_FILES"
 echo '========== Decrypting new/changed files: DONE'

tools/confidence_test.sh

@@ -30,10 +30,21 @@ function assert_file_exists() {
 function assert_file_md5hash() {
   local file="$1"
   local wanted="$2"
-  local found=$(md5sum <"$file" | cut -d' ' -f1 )
   assert_file_exists "$file"
+  local found=$(md5sum <"$file" | cut -d' ' -f1 )
   if [[ "$wanted" != "$found" ]]; then
-    echo "ASSERT FAILED: $file hash wanted=$desired found=$found"
+    echo "ASSERT FAILED: $file hash wanted=$wanted found=$found"
+    exit 1
+  fi
+}
+function assert_file_group() {
+  local file="$1"
+  local wanted="$2"
+  assert_file_exists "$file"
+  local found=$(ls -l "$file" | awk '{ print $4 }')
+  # NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs.
+  if [[ "$wanted" != "$found" ]]; then
+    echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found"
     exit 1
   fi
 }
@@ -168,11 +179,27 @@ PHASE 'Bob makes sure he has all new keys.'
 
 gpg --import keyrings/live/pubring.gpg
 
-PHASE 'Bob postdeploys.'
+# Pick a GID to use:
+TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1)
+TEST_GID_NAME=$(getent group "$TEST_GID_NUM" | cut -d: -f1)
+DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1)
+echo TEST_GID_NUM=$TEST_GID_NUM
+echo TEST_GID_NAME=$TEST_GID_NAME
+echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
+
+PHASE 'Bob postdeploys... default.'
 blackbox_postdeploy
 assert_file_exists secret.txt
 assert_file_exists secret.txt.gpg
 assert_file_md5hash secret.txt "08a3fa763a05c018a38e9924363b97e7"
+assert_file_group secret.txt "$DEFAULT_GID_NAME"
+
+PHASE 'Bob postdeploys... with a GID.'
+blackbox_postdeploy $TEST_GID_NUM
+assert_file_exists secret.txt
+assert_file_exists secret.txt.gpg
+assert_file_md5hash secret.txt "08a3fa763a05c018a38e9924363b97e7"
+assert_file_group secret.txt "$TEST_GID_NAME"
 
 PHASE 'Bob cleans up the secret.'
 rm secret.txt