From e4f0dcc8d33860d5dd71b9089adeb72a60629e1e Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Sat, 18 Feb 2023 11:45:57 -0800 Subject: [PATCH 1/3] test: add tests for editing * regular editing * in presence of bogus id_rsa file --- test/install_ssh_host_keys.nix | 8 +++++++- test/integration.nix | 17 +++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix index 927619c..06f1bbb 100644 --- a/test/install_ssh_host_keys.nix +++ b/test/install_ssh_host_keys.nix @@ -1,18 +1,24 @@ # Do not copy this! It is insecure. This is only okay because we are testing. -{ +{config, ...}: { system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"]; system.activationScripts.installSSHHostKeys.text = '' + USER1_UID="${toString config.users.users.user1.uid}" + USERS_GID="${toString config.users.groups.users.gid}" + mkdir -p /etc/ssh /home/user1/.ssh + chown $USER1_UID:$USERS_GID /home/user1/.ssh ( umask u=rw,g=r,o=r cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub + chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519.pub ) ( umask u=rw,g=,o= cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519 + chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519 touch /etc/ssh/ssh_host_rsa_key ) ''; diff --git a/test/integration.nix b/test/integration.nix index 772adea..5b22fc6 100644 --- a/test/integration.nix +++ b/test/integration.nix @@ -39,6 +39,7 @@ pkgs.nixosTest { user1 = { isNormalUser = true; passwordFile = config.age.secrets.passwordfile-user1.path; + uid = 1000; }; }; }; @@ -78,5 +79,21 @@ pkgs.nixosTest { assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect" assert len(h[0].strip()) == 64, "hash length is incorrect" assert before_hash[0] != after_hash[0], "hash did not change with rekeying" + + # user1 can edit passwordfile-user1.age + system1.wait_for_file("/tmp/") + system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age\n") + system1.send_chars("echo $? >/tmp/exit_code\n") + system1.wait_for_file("/tmp/exit_code") + assert "0" in system1.succeed("cat /tmp/exit_code") + system1.send_chars("rm /tmp/exit_code\n") + + # user1 can edit even if bogus id_rsa present + system1.send_chars("echo bogus > ~/.ssh/id_rsa\n") + system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519\n") + system1.send_chars("echo $? >/tmp/exit_code\n") + system1.wait_for_file("/tmp/exit_code") + assert "0" in system1.succeed("cat /tmp/exit_code") + system1.send_chars("rm /tmp/exit_code\n") ''; } From ec396f7a769390228c0e42b7a874e263f88482b8 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Sat, 18 Feb 2023 11:55:58 -0800 Subject: [PATCH 2/3] fix: if an identity is specified, don't use the default ones fixes #151 --- pkgs/agenix.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh index afbfa4d..7a0f0ff 100644 --- a/pkgs/agenix.sh +++ b/pkgs/agenix.sh @@ -107,11 +107,13 @@ function edit { if [ -f "$FILE" ] then DECRYPT=("${DEFAULT_DECRYPT[@]}") - if [ -f "$HOME/.ssh/id_rsa" ]; then - DECRYPT+=(--identity "$HOME/.ssh/id_rsa") - fi - if [ -f "$HOME/.ssh/id_ed25519" ]; then - DECRYPT+=(--identity "$HOME/.ssh/id_ed25519") + if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then + if [ -f "$HOME/.ssh/id_rsa" ]; then + DECRYPT+=(--identity "$HOME/.ssh/id_rsa") + fi + if [ -f "$HOME/.ssh/id_ed25519" ]; then + DECRYPT+=(--identity "$HOME/.ssh/id_ed25519") + fi fi if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then echo "No identity found to decrypt $FILE. Try adding an SSH key at $HOME/.ssh/id_rsa or $HOME/.ssh/id_ed25519 or using the --identity flag to specify a file." From 16c6ccef097c41950dbb7ffbc48b0bfdbab51c59 Mon Sep 17 00:00:00 2001 From: Ryan Mulligan Date: Sat, 18 Feb 2023 12:52:13 -0800 Subject: [PATCH 3/3] test: simplify and speed up editor tests --- test/integration.nix | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/test/integration.nix b/test/integration.nix index 5b22fc6..4156b5e 100644 --- a/test/integration.nix +++ b/test/integration.nix @@ -80,20 +80,14 @@ pkgs.nixosTest { assert len(h[0].strip()) == 64, "hash length is incorrect" assert before_hash[0] != after_hash[0], "hash did not change with rekeying" + userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'" + # user1 can edit passwordfile-user1.age - system1.wait_for_file("/tmp/") - system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age\n") - system1.send_chars("echo $? >/tmp/exit_code\n") - system1.wait_for_file("/tmp/exit_code") - assert "0" in system1.succeed("cat /tmp/exit_code") - system1.send_chars("rm /tmp/exit_code\n") + system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age")) # user1 can edit even if bogus id_rsa present - system1.send_chars("echo bogus > ~/.ssh/id_rsa\n") - system1.send_chars("cd /tmp/secrets; EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519\n") - system1.send_chars("echo $? >/tmp/exit_code\n") - system1.wait_for_file("/tmp/exit_code") - assert "0" in system1.succeed("cat /tmp/exit_code") - system1.send_chars("rm /tmp/exit_code\n") + system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa")) + system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age")) + system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519")) ''; }