feature: pipe cleartext into agenix -e #154

Merged
merged 1 commit into from
Feb 20, 2023
4 changes: 4 additions & 0 deletions pkgs/agenix.sh
Expand Up @@ -23,6 +23,8 @@ function show_help () {
echo ' '
echo 'EDITOR environment variable of editor to use when editing FILE'
echo ' '
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
echo ' '
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
echo "Defaults to './secrets.nix'"
echo ' '
Expand Down Expand Up @@ -124,6 +126,8 @@ function edit {
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
fi

[ -t 0 ] || EDITOR='cp /dev/stdin'

$EDITOR "$CLEARTEXT_FILE"

if [ ! -f "$CLEARTEXT_FILE" ]
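Review bot: `[ -t 0 ] || EDITOR='cp /dev/stdin'` in edit replaces EDITOR unconditionally whenever stdin is not a terminal, so a scripted or CI invocation with stdin at /dev/null (or closed) copies an empty cleartext into the secret without any error, and a caller who exported EDITOR on purpose for a non-interactive run silently loses it. The `if [ ! -f "$CLEARTEXT_FILE" ]` check that follows only catches a missing file, not an empty one; a guard such as `[ -t 0 ] || [ -s "$CLEARTEXT_FILE" ] || { echo "agenix: no cleartext on stdin" >&2; exit 1; }` after the `$EDITOR` line would fail closed, assuming an empty secret is never intended (how the rest of edit treats an unchanged or empty cleartext is not visible here). The help text in the first hunk could state the override precisely, e.g. `If STDIN is not interactive, EDITOR is ignored and the cleartext is read from STDIN`. Both hunks sit inside functions (show_help, edit) that start and end outside what is shown.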
3 changes: 3 additions & 0 deletions test/install_ssh_host_keys.nix
Expand Up @@ -21,5 +21,8 @@
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
touch /etc/ssh/ssh_host_rsa_key
)
cp -r "${../example}" /tmp/secrets
chmod -R u+rw /tmp/secrets
chown -R $USER1_UID:$USERS_GID /tmp/secrets
'';
}
18 changes: 10 additions & 8 deletions test/integration.nix
Expand Up @@ -66,28 +66,30 @@ pkgs.nixosTest {
system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1")

system1.succeed('cp -a "${../example}/." /tmp/secrets')
system1.succeed('chmod u+w /tmp/secrets/*.age')
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"

before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()

# Ensure we actually have hashes
for h in [before_hash, after_hash]:
assert len(h) == 2, "hash should be [hash, filename]"
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
assert h[1] == "passwordfile-user1.age", "filename is incorrect"
assert len(h[0].strip()) == 64, "hash length is incorrect"
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"

userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"

# user1 can edit passwordfile-user1.age
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))

# user1 can edit even if bogus id_rsa present
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
system1.succeed(userDo("rm ~/.ssh/id_rsa"))

# user1 can edit a secret by piping in contents
system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
'';
}
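Review bot: The new read-back on the second-to-last script line uses `EDITOR=cat`, which after this PR's agenix.sh change is only honored while stdin is a terminal; inside the test driver's shell that is presumably the case, but it is not visible here, and the earlier `EDITOR=cat` calls in this hunk share the same dependency, while the piped `echo 'secret1234' | agenix -e` deliberately takes the non-tty path. A comment at the pipe test making that explicit would protect the test against a later change in how the driver runs commands, e.g. `# EDITOR=cat relies on the driver's stdin being a tty; with a pipe, agenix replaces EDITOR with 'cp /dev/stdin'`. The testScript this hunk belongs to starts before the hunk.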