mynix/agenix
1
0
Fork 0
mirror of https://github.com/ryantm/agenix.git synced 2024-11-22 09:40:47 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #152 from ryantm/rtm-2-18-fix-bogus-id-rsa

Browse source
This commit is contained in:
Nathan Henrie 2023-02-18 16:00:27 -07:00 committed by GitHub
commit 78a22dbc0d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
pkgs/agenix.sh
View file

@ -107,11 +107,13 @@ function edit {
if [ -f "$FILE" ] if [ -f "$FILE" ]
then then
DECRYPT=("${DEFAULT_DECRYPT[@]}") DECRYPT=("${DEFAULT_DECRYPT[@]}")
if [ -f "$HOME/.ssh/id_rsa" ]; then if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
DECRYPT+=(--identity "$HOME/.ssh/id_rsa") if [ -f "$HOME/.ssh/id_rsa" ]; then
fi DECRYPT+=(--identity "$HOME/.ssh/id_rsa")
if [ -f "$HOME/.ssh/id_ed25519" ]; then fi
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519") if [ -f "$HOME/.ssh/id_ed25519" ]; then
DECRYPT+=(--identity "$HOME/.ssh/id_ed25519")
fi
fi fi
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file." echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file."

8
test/install_ssh_host_keys.nix
View file

@ -1,18 +1,24 @@
# Do not copy this! It is insecure. This is only okay because we are testing. # Do not copy this! It is insecure. This is only okay because we are testing.
{ {config, ...}: {
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"]; system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
system.activationScripts.installSSHHostKeys.text = '' system.activationScripts.installSSHHostKeys.text = ''
USER1_UID="${toString config.users.users.user1.uid}"
USERS_GID="${toString config.users.groups.users.gid}"
mkdir -p /etc/ssh /home/user1/.ssh mkdir -p /etc/ssh /home/user1/.ssh
chown $USER1_UID:$USERS_GID /home/user1/.ssh
( (
umask u=rw,g=r,o=r umask u=rw,g=r,o=r
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub
) )
( (
umask u=rw,g=,o= umask u=rw,g=,o=
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519 cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
touch /etc/ssh/ssh_host_rsa_key touch /etc/ssh/ssh_host_rsa_key
) )
''; '';

11
test/integration.nix
View file

@ -39,6 +39,7 @@ pkgs.nixosTest {
user1 = { user1 = {
isNormalUser = true; isNormalUser = true;
passwordFile = config.age.secrets.passwordfile-user1.path; passwordFile = config.age.secrets.passwordfile-user1.path;
uid = 1000;
}; };
}; };
}; };
@ -78,5 +79,15 @@ pkgs.nixosTest {
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect" assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
assert len(h[0].strip()) == 64, "hash length is incorrect" assert len(h[0].strip()) == 64, "hash length is incorrect"
assert before_hash[0] != after_hash[0], "hash did not change with rekeying" assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
# user1 can edit passwordfile-user1.age
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
# user1 can edit even if bogus id_rsa present
system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
''; '';
} }