Merge pull request #154 from ryantm/rtm-2-19-pipe

feature: pipe cleartext into agenix -e
ryantm · Feb 20, 2023 · 5f66c8a · 5f66c8a
2 parents 53da86e + 344c8e4
commit 5f66c8a
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 8 deletions.
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
@@ -23,6 +23,8 @@ function show_help () {
   echo ' '
   echo 'EDITOR environment variable of editor to use when editing FILE'
   echo ' '
+  echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+  echo ' '
   echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
   echo "Defaults to './secrets.nix'"
   echo ' '
@@ -124,6 +126,8 @@ function edit {
         cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
     fi
 
+    [ -t 0 ] || EDITOR='cp /dev/stdin'
+
     $EDITOR "$CLEARTEXT_FILE"
 
     if [ ! -f "$CLEARTEXT_FILE" ]

diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
@@ -21,5 +21,8 @@
       chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
       touch /etc/ssh/ssh_host_rsa_key
     )
+    cp -r "${../example}" /tmp/secrets
+    chmod -R u+rw /tmp/secrets
+    chown -R $USER1_UID:$USERS_GID /tmp/secrets
   '';
 }
diff --git a/test/integration.nix b/test/integration.nix
@@ -66,28 +66,30 @@ pkgs.nixosTest {
     system1.wait_for_file("/tmp/1")
     assert "${user}" in system1.succeed("cat /tmp/1")
 
-    system1.succeed('cp -a "${../example}/." /tmp/secrets')
-    system1.succeed('chmod u+w /tmp/secrets/*.age')
+    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
 
-    before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
-    print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
-    after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+    before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
+    print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
+    after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
 
     # Ensure we actually have hashes
     for h in [before_hash, after_hash]:
         assert len(h) == 2, "hash should be [hash, filename]"
-        assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
+        assert h[1] == "passwordfile-user1.age", "filename is incorrect"
         assert len(h[0].strip()) == 64, "hash length is incorrect"
     assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
 
-    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
-
     # user1 can edit passwordfile-user1.age
     system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
 
     # user1 can edit even if bogus id_rsa present
     system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
     system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
     system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
+    system1.succeed(userDo("rm ~/.ssh/id_rsa"))
+
+    # user1 can edit a secret by piping in contents
+    system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
+    assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
   '';
 }