Remote mode and dangerous flag, other tweaks

* Add remote mode for harvesting a remote machine via a local workstation (no need to install enroll remotely) Optionally use `--no-sudo` if you don't want the remote user to have passwordless sudo when conducting the harvest, albeit you'll end up with less useful data (same as if running `enroll harvest` on a machine without sudo) * Add `--dangerous` flag to capture even sensitive data (use at your own risk!) * Do a better job at capturing other config files in `/etc/<package>/` even if that package doesn't normally ship or manage those files.
2025-12-17 17:02:16 +11:00 · 2025-12-17 17:02:16 +11:00 · 6a36a9d2d5
commit 6a36a9d2d5
parent 026416d158
13 changed files with 1083 additions and 155 deletions
--- a/tests/test_manifest.py
+++ b/tests/test_manifest.py
@ -223,3 +223,29 @@ def test_manifest_site_mode_creates_host_inventory_and_raw_files(tmp_path: Path)
    assert (
        out / "inventory" / "host_vars" / fqdn / "foo" / ".files" / "etc" / "foo.conf"
    ).exists()
+
+
+def test_copy2_replace_overwrites_readonly_destination(tmp_path: Path):
+    """Merging into an existing manifest should tolerate read-only files.
+
+    Some harvested artifacts (e.g. private keys) may be mode 0400. If a previous
+    run copied them into the destination tree, a subsequent run must still be
+    able to update/replace them.
+    """
+
+    import os
+    import stat
+
+    from enroll.manifest import _copy2_replace
+
+    src = tmp_path / "src"
+    dst = tmp_path / "dst"
+    src.write_text("new", encoding="utf-8")
+    dst.write_text("old", encoding="utf-8")
+    os.chmod(dst, 0o400)
+
+    _copy2_replace(str(src), str(dst))
+
+    assert dst.read_text(encoding="utf-8") == "new"
+    mode = stat.S_IMODE(dst.stat().st_mode)
+    assert mode & stat.S_IWUSR  # destination should remain mergeable