Merge pull request #40 from ryantm/test

add a NixOS test for setting a user's passwordFile with agenix; and some features/fixes this required
Ryan Mulligan 2021-05-10 10:44:18 -07:00 committed by GitHub
commit b25c37a869
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 91 additions and 5 deletions


@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 KLPP8w s1DYZRlZuSsyhmZCF1lFB+E9vB8bZ/+ZhBRlx8nprwE
nmYVCsVBrX2CFXXPU+D+bbkkIe/foofp+xoUrg9DHZw
-> ssh-ed25519 V3XmEA Pwv3oCwcY0DX8rY48UNfsj9RumWsn4dbgorYHCwObgI
FKxRYkL3JHtJxUwymWDF0rAtJ33BivDI6IfPsfumM90
-> V'v(/u$-grease em/Vgf 2qDuk
7I3iiQLPGi1COML9u/JeYkr7EqbSLoU
--- 57WJRigUGtmcObrssS3s4PvmR8wgh1AOC/ijJn1s3xI
<EFBFBD>'K©Æ·Y&7GÆOÝòFj±kÆXç«BnuJöê:9Ê(ÙÏX¬#¼AíÄÞÃÚ§j,ê_ÈþÝ?ÝZ“¥vœ¹V96]oks~%£c Îe^CÅ%JQ5€<H¢z}îCý,°pŒ¿*!W§§ÈA±º­Ò…dC¼K)¿¢-žy


@ -5,4 +5,5 @@ in
{ {
"secret1.age".publicKeys = [ user1 system1 ]; "secret1.age".publicKeys = [ user1 system1 ];
"secret2.age".publicKeys = [ user1 ]; "secret2.age".publicKeys = [ user1 ];
"passwordfile-user1.age".publicKeys = [ user1 system1 ];
} }


@ -25,10 +25,13 @@ let
mv -f "$TMP_FILE" '${secretType.path}' mv -f "$TMP_FILE" '${secretType.path}'
''; '';
rootOwnedSecrets = builtins.filter (st: st.owner == "root" && st.group == "root") (builtins.attrValues cfg.secrets); isRootSecret = st: (st.owner == "root" || st.owner == "0") && (st.group == "root" || st.group == "0");
isNotRootSecret = st: !(isRootSecret st);
rootOwnedSecrets = builtins.filter isRootSecret (builtins.attrValues cfg.secrets);
installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets)); installRootOwnedSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting root secrets...'" ] ++ (map installSecret rootOwnedSecrets));
nonRootSecrets = builtins.filter (st: st.owner != "root" || st.group != "root") (builtins.attrValues cfg.secrets); nonRootSecrets = builtins.filter isNotRootSecret (builtins.attrValues cfg.secrets);
installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets)); installNonRootSecrets = builtins.concatStringsSep "\n" ([ "echo '[agenix] decrypting non-root secrets...'" ] ++ (map installSecret nonRootSecrets));
secretType = types.submodule ({ config, ... }: { secretType = types.submodule ({ config, ... }: {
@ -62,14 +65,14 @@ let
}; };
owner = mkOption { owner = mkOption {
type = types.str; type = types.str;
default = "root"; default = "0";
description = '' description = ''
User of the file. User of the file.
''; '';
}; };
group = mkOption { group = mkOption {
type = types.str; type = types.str;
default = users.${config.owner}.group; default = users.${config.owner}.group or "0";
description = '' description = ''
Group of the file. Group of the file.
''; '';
@ -105,7 +108,7 @@ in
# Secrets with root owner and group can be installed before users # Secrets with root owner and group can be installed before users
# exist. This allows user password files to be encrypted. # exist. This allows user password files to be encrypted.
system.activationScripts.agenixRoot = installRootOwnedSecrets; system.activationScripts.agenixRoot.text = installRootOwnedSecrets;
system.activationScripts.users.deps = [ "agenixRoot" ]; system.activationScripts.users.deps = [ "agenixRoot" ];
# Other secrets need to wait for users and groups to exist. # Other secrets need to wait for users and groups to exist.
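Review bot: The `owner` and `group` descriptions still read `User of the file.` and `Group of the file.`, although the default owner is now the numeric string `"0"` and `group` silently falls back to `"0"` whenever `users.${config.owner}` has no entry. Before this change a misspelled or undeclared owner failed at evaluation; now it quietly gets group 0. `isRootSecret` also matches only the literal strings `root` and `0`, so the activation phase a secret is installed in depends on how the owner is spelled. I would record this in the option text, for example `User of the file, as a name or numeric ID; "0" (root) lets the secret be installed before users exist.` and `Group of the file; defaults to the owner's group, or "0" if the owner is not declared in users.` The binding of `users` lies outside these hunks, so which attribute set is looked up is assumed here.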


@ -0,0 +1,15 @@
# Do not copy this! It is insecure. This is only okay because we are testing.
{
system.activationScripts.agenixRoot.deps = [ "installSSHHostKeys" ];
system.activationScripts.installSSHHostKeys.text = ''
mkdir -p /etc/ssh
(umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
(
umask u=rw,g=,o=
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
touch /etc/ssh/ssh_host_rsa_key
)
'';
}
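Review bot: The header comment says this file is insecure but not why, and the `touch /etc/ssh/ssh_host_rsa_key` line is unexplained. The reason worth recording is that `${../example_keys/system1}` is a private key committed to the repository and copied through the world-readable Nix store, so anyone reusing the pattern would expose their host key. I would extend the comment to `# Do not copy this! It is insecure: the private host key is public in this repository and lands in the world-readable Nix store. Only okay for tests.` A one-line comment above the `touch` should say why an empty RSA key file is needed, presumably so that every identity path the module expects exists, which should be confirmed.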

58
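--- a/test/integration.nix
+++ b/test/integration.nix
@@ -0,0 +1,58 @@
+{
+nixpkgs ? <nixpkgs>,
+pkgs ? import <nixpkgs> { inherit system; config = {}; },
+system ? builtins.currentSystem
+} @args:
+import "${nixpkgs}/nixos/tests/make-test-python.nix" ({ pkgs, ...}: {
+name = "agenix-integration";
+nodes.system1 = { config, lib, ... }: {
+imports = [
+../modules/age.nix
+./install_ssh_host_keys.nix
+];
+services.openssh.enable = true;
+age.secrets.passwordfile-user1 = {
+file = ../example/passwordfile-user1.age;
+};
+users = {
+mutableUsers = false;
+users = {
+user1 = {
+isNormalUser = true;
+passwordFile = config.age.secrets.passwordfile-user1.path;
+};
+};
+};
+};
+testScript =
+let
+user = "user1";
+password = "password1234";
+in ''
+system1.wait_for_unit("multi-user.target")
+system1.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
+system1.sleep(2)
+system1.send_key("alt-f2")
+system1.wait_until_succeeds(f"[ $(fgconsole) = 2 ]")
+system1.wait_for_unit(f"getty@tty2.service")
+system1.wait_until_succeeds(f"pgrep -f 'agetty.*tty2'")
+system1.wait_until_tty_matches(2, "login: ")
+system1.send_chars("${user}\n")
+system1.wait_until_tty_matches(2, "login: ${user}")
+system1.wait_until_succeeds("pgrep login")
+system1.sleep(2)
+system1.send_chars("${password}\n")
+system1.send_chars("whoami > /tmp/1\n")
+system1.wait_for_file("/tmp/1")
+assert "${user}" in system1.succeed("cat /tmp/1")
+'';
+}) args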
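Review bot: The test only proves that the right password logs in; nothing checks the decrypted file itself, so a regression that leaves the secret with the wrong owner or a permissive mode would still pass. With the module's new defaults of owner `"0"` and group `"0"`, an assertion after the login check such as `assert "0:0" in system1.succeed("stat -c %u:%g <decrypted secret path>")` would pin the ownership, and a similar `stat -c %a` check would pin the mode. The two `system1.sleep(2)` calls are timing-dependent. The second could be replaced by waiting for the password prompt with `wait_until_tty_matches`, which the script already uses for the login prompt.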