2021-05-10 00:22:48 +03:00
|
|
|
{
|
2023-01-29 19:36:01 +03:00
|
|
|
nixpkgs ? <nixpkgs>,
|
|
|
|
pkgs ?
|
|
|
|
import <nixpkgs> {
|
|
|
|
inherit system;
|
|
|
|
config = {};
|
|
|
|
},
|
|
|
|
system ? builtins.currentSystem,
|
2023-02-13 21:50:59 +03:00
|
|
|
}:
|
|
|
|
pkgs.nixosTest {
|
2021-05-10 00:22:48 +03:00
|
|
|
name = "agenix-integration";
|
2023-01-29 19:36:01 +03:00
|
|
|
nodes.system1 = {
|
|
|
|
config,
|
2023-02-13 21:50:59 +03:00
|
|
|
pkgs,
|
2023-02-11 17:19:01 +03:00
|
|
|
options,
|
2023-01-29 19:36:01 +03:00
|
|
|
...
|
|
|
|
}: {
|
2021-05-10 00:22:48 +03:00
|
|
|
imports = [
|
|
|
|
../modules/age.nix
|
|
|
|
./install_ssh_host_keys.nix
|
|
|
|
];
|
|
|
|
|
|
|
|
services.openssh.enable = true;
|
|
|
|
|
|
|
|
age.secrets.passwordfile-user1 = {
|
|
|
|
file = ../example/passwordfile-user1.age;
|
|
|
|
};
|
|
|
|
|
2023-02-11 17:19:01 +03:00
|
|
|
age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
|
|
|
|
|
2023-02-17 00:19:28 +03:00
|
|
|
environment.systemPackages = [
|
|
|
|
(pkgs.callPackage ../pkgs/agenix.nix {})
|
|
|
|
];
|
|
|
|
|
2021-05-10 00:22:48 +03:00
|
|
|
users = {
|
|
|
|
mutableUsers = false;
|
|
|
|
|
|
|
|
users = {
|
|
|
|
user1 = {
|
|
|
|
isNormalUser = true;
|
|
|
|
passwordFile = config.age.secrets.passwordfile-user1.path;
|
2023-02-18 22:45:57 +03:00
|
|
|
uid = 1000;
|
2021-05-10 00:22:48 +03:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2023-01-29 19:36:01 +03:00
|
|
|
testScript = let
|
2021-05-10 00:22:48 +03:00
|
|
|
user = "user1";
|
|
|
|
password = "password1234";
|
|
|
|
in ''
|
|
|
|
system1.wait_for_unit("multi-user.target")
|
|
|
|
system1.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
|
|
|
|
system1.sleep(2)
|
|
|
|
system1.send_key("alt-f2")
|
2021-12-04 17:49:07 +03:00
|
|
|
system1.wait_until_succeeds("[ $(fgconsole) = 2 ]")
|
|
|
|
system1.wait_for_unit("getty@tty2.service")
|
|
|
|
system1.wait_until_succeeds("pgrep -f 'agetty.*tty2'")
|
2023-01-09 13:25:24 +03:00
|
|
|
system1.wait_until_tty_matches("2", "login: ")
|
2021-05-10 00:22:48 +03:00
|
|
|
system1.send_chars("${user}\n")
|
2023-01-09 13:25:24 +03:00
|
|
|
system1.wait_until_tty_matches("2", "login: ${user}")
|
2021-05-10 00:22:48 +03:00
|
|
|
system1.wait_until_succeeds("pgrep login")
|
|
|
|
system1.sleep(2)
|
|
|
|
system1.send_chars("${password}\n")
|
|
|
|
system1.send_chars("whoami > /tmp/1\n")
|
|
|
|
system1.wait_for_file("/tmp/1")
|
|
|
|
assert "${user}" in system1.succeed("cat /tmp/1")
|
2023-02-17 00:19:42 +03:00
|
|
|
|
2023-02-19 21:20:07 +03:00
|
|
|
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
|
2023-02-17 00:19:42 +03:00
|
|
|
|
2023-02-19 21:20:07 +03:00
|
|
|
before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
|
|
|
|
print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
|
|
|
|
after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
|
2023-02-17 00:19:42 +03:00
|
|
|
|
|
|
|
# Ensure we actually have hashes
|
|
|
|
for h in [before_hash, after_hash]:
|
|
|
|
assert len(h) == 2, "hash should be [hash, filename]"
|
2023-02-19 21:20:07 +03:00
|
|
|
assert h[1] == "passwordfile-user1.age", "filename is incorrect"
|
2023-02-17 00:19:42 +03:00
|
|
|
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
|
|
|
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
2023-02-18 22:45:57 +03:00
|
|
|
|
|
|
|
# user1 can edit passwordfile-user1.age
|
2023-02-18 23:52:13 +03:00
|
|
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
2023-02-18 22:45:57 +03:00
|
|
|
|
|
|
|
# user1 can edit even if bogus id_rsa present
|
2023-02-18 23:52:13 +03:00
|
|
|
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
|
|
|
|
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
|
|
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
|
2023-02-19 21:20:07 +03:00
|
|
|
system1.succeed(userDo("rm ~/.ssh/id_rsa"))
|
|
|
|
|
|
|
|
# user1 can edit a secret by piping in contents
|
|
|
|
system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
|
2023-02-21 04:15:37 +03:00
|
|
|
|
|
|
|
# and get it back out via --decrypt
|
|
|
|
assert "secret1234" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
|
|
|
|
|
|
|
|
# finally, the plain text should not linger around anywhere in the filesystem.
|
|
|
|
system1.fail("grep -r secret1234 /tmp")
|
2021-05-10 00:22:48 +03:00
|
|
|
'';
|
2023-02-13 21:50:59 +03:00
|
|
|
}
|