mirror of
https://github.com/ryantm/agenix.git
synced 2024-12-26 01:19:16 +03:00
test: add tests for editing
* regular editing * in presence of bogus id_rsa file
This commit is contained in:
parent
de657061b1
commit
e4f0dcc8d3
2 changed files with 24 additions and 1 deletions
|
@ -1,18 +1,24 @@
|
|||
# Do not copy this! It is insecure. This is only okay because we are testing.
|
||||
{
|
||||
{config, ...}: {
|
||||
system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
|
||||
|
||||
system.activationScripts.installSSHHostKeys.text = ''
|
||||
USER1_UID="${toString config.users.users.user1.uid}"
|
||||
USERS_GID="${toString config.users.groups.users.gid}"
|
||||
|
||||
mkdir -p /etc/ssh /home/user1/.ssh
|
||||
chown $USER1_UID:$USERS_GID /home/user1/.ssh
|
||||
(
|
||||
umask u=rw,g=r,o=r
|
||||
cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
|
||||
cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
|
||||
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub
|
||||
)
|
||||
(
|
||||
umask u=rw,g=,o=
|
||||
cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
|
||||
cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
|
||||
chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
|
||||
touch /etc/ssh/ssh_host_rsa_key
|
||||
)
|
||||
'';
|
||||
|
|
|
@ -39,6 +39,7 @@ pkgs.nixosTest {
|
|||
user1 = {
|
||||
isNormalUser = true;
|
||||
passwordFile = config.age.secrets.passwordfile-user1.path;
|
||||
uid = 1000;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -78,5 +79,21 @@ pkgs.nixosTest {
|
|||
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
||||
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||
|
||||
# user1 can edit passwordfile-user1.age
|
||||
system1.wait_for_file("/tmp/")
|
||||
system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age\n")
|
||||
system1.send_chars("echo $? >/tmp/exit_code\n")
|
||||
system1.wait_for_file("/tmp/exit_code")
|
||||
assert "0" in system1.succeed("cat /tmp/exit_code")
|
||||
system1.send_chars("rm /tmp/exit_code\n")
|
||||
|
||||
# user1 can edit even if bogus id_rsa present
|
||||
system1.send_chars("echo bogus > ~/.ssh/id_rsa\n")
|
||||
system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519\n")
|
||||
system1.send_chars("echo $? >/tmp/exit_code\n")
|
||||
system1.wait_for_file("/tmp/exit_code")
|
||||
assert "0" in system1.succeed("cat /tmp/exit_code")
|
||||
system1.send_chars("rm /tmp/exit_code\n")
|
||||
'';
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue