mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-22 01:30:48 +03:00
feature: pipe cleartext into agenix -e
If STDIN is not interactive, change EDITOR to `cp /dev/stdin`. fixes #33
This commit is contained in:
parent
2c56a93426
commit
344c8e41d2
3 changed files with 17 additions and 8 deletions
|
@ -23,6 +23,8 @@ function show_help () {
|
||||||
echo ' '
|
echo ' '
|
||||||
echo 'EDITOR environment variable of editor to use when editing FILE'
|
echo 'EDITOR environment variable of editor to use when editing FILE'
|
||||||
echo ' '
|
echo ' '
|
||||||
|
echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
|
||||||
|
echo ' '
|
||||||
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
|
echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
|
||||||
echo "Defaults to './secrets.nix'"
|
echo "Defaults to './secrets.nix'"
|
||||||
echo ' '
|
echo ' '
|
||||||
|
@ -124,6 +126,8 @@ function edit {
|
||||||
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
||||||
|
|
||||||
$EDITOR "$CLEARTEXT_FILE"
|
$EDITOR "$CLEARTEXT_FILE"
|
||||||
|
|
||||||
if [ ! -f "$CLEARTEXT_FILE" ]
|
if [ ! -f "$CLEARTEXT_FILE" ]
|
||||||
|
|
|
@ -21,5 +21,8 @@
|
||||||
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
|
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
|
||||||
touch /etc/ssh/ssh_host_rsa_key
|
touch /etc/ssh/ssh_host_rsa_key
|
||||||
)
|
)
|
||||||
|
cp -r "${../example}" /tmp/secrets
|
||||||
|
chmod -R u+rw /tmp/secrets
|
||||||
|
chown -R $USER1_UID:$USERS_GID /tmp/secrets
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
|
@ -66,22 +66,19 @@ pkgs.nixosTest {
|
||||||
system1.wait_for_file("/tmp/1")
|
system1.wait_for_file("/tmp/1")
|
||||||
assert "${user}" in system1.succeed("cat /tmp/1")
|
assert "${user}" in system1.succeed("cat /tmp/1")
|
||||||
|
|
||||||
system1.succeed('cp -a "${../example}/." /tmp/secrets')
|
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
|
||||||
system1.succeed('chmod u+w /tmp/secrets/*.age')
|
|
||||||
|
|
||||||
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
|
||||||
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
|
print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
|
||||||
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
|
||||||
|
|
||||||
# Ensure we actually have hashes
|
# Ensure we actually have hashes
|
||||||
for h in [before_hash, after_hash]:
|
for h in [before_hash, after_hash]:
|
||||||
assert len(h) == 2, "hash should be [hash, filename]"
|
assert len(h) == 2, "hash should be [hash, filename]"
|
||||||
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
assert h[1] == "passwordfile-user1.age", "filename is incorrect"
|
||||||
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||||
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||||
|
|
||||||
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
|
|
||||||
|
|
||||||
# user1 can edit passwordfile-user1.age
|
# user1 can edit passwordfile-user1.age
|
||||||
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||||
|
|
||||||
|
@ -89,5 +86,10 @@ pkgs.nixosTest {
|
||||||
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
|
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
|
||||||
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||||
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
|
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
|
||||||
|
system1.succeed(userDo("rm ~/.ssh/id_rsa"))
|
||||||
|
|
||||||
|
# user1 can edit a secret by piping in contents
|
||||||
|
system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
|
||||||
|
assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue