From effb43cb633bd102e3c33fc4d5dc729a6eb6d111 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Mon, 13 Feb 2023 11:50:59 -0700
Subject: [PATCH 1/4] Use new-style tests

---
 test/integration.nix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/test/integration.nix b/test/integration.nix
index 2ec2f3e..8f7ae48 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -6,13 +6,12 @@
 config = {};
 },
 system ? builtins.currentSystem,
-} @ args:
-import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
+}:
+pkgs.nixosTest {
 name = "agenix-integration";
-
 nodes.system1 = {
 config,
- lib,
+ pkgs,
 options,
 ...
 }: {
@@ -62,5 +61,4 @@ import "${nixpkgs}/nixos/tests/make-test-python.nix" ({pkgs, ...}: {
 system1.wait_for_file("/tmp/1")
 assert "${user}" in system1.succeed("cat /tmp/1")
 '';
-})
-args
+}

From 0efac6bcf098101d5993a83ba9896568b9a93fa9 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Thu, 16 Feb 2023 14:18:54 -0700
Subject: [PATCH 2/4] Add user key, since it has access to all 3 secrets

---
 test/install_ssh_host_keys.nix | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
index b431173..927619c 100644
--- a/test/install_ssh_host_keys.nix
+++ b/test/install_ssh_host_keys.nix
@@ -3,13 +3,17 @@
 system.activationScripts.agenixInstall.deps = ["installSSHHostKeys"];
 system.activationScripts.installSSHHostKeys.text = ''
- mkdir -p /etc/ssh
- (umask u=rw,g=r,o=r; cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub)
+ mkdir -p /etc/ssh /home/user1/.ssh
+ (
+ umask u=rw,g=r,o=r
+ cp ${../example_keys/system1.pub} /etc/ssh/ssh_host_ed25519_key.pub
+ cp ${../example_keys/user1.pub} /home/user1/.ssh/id_ed25519.pub
+ )
 (
 umask u=rw,g=,o=
 cp ${../example_keys/system1} /etc/ssh/ssh_host_ed25519_key
+ cp ${../example_keys/user1} /home/user1/.ssh/id_ed25519
 touch /etc/ssh/ssh_host_rsa_key
 )
-
 '';
 }
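Review bot: The private key copied to /home/user1/.ssh/id_ed25519 in the install_ssh_host_keys.nix hunk is written by a root activation script, so the file ends up root-owned with mode 0600, and /home/user1/.ssh itself is created by the `mkdir -p` outside the umask subshell; nothing in the hunk makes the key usable by user1. That is only sufficient while the key is consumed from the root test shell, so the intent deserves a comment next to the cp line such as `# user1's private key: used by the test driver (as root) to rekey; not readable by user1`, or, if user1 is meant to use it, a `chown -R user1 /home/user1/.ssh` after the subshell. I cannot see from the hunk whether user1's home is created by the users activation step before this script runs; if it runs afterwards, the pre-created directory may not carry the owner the rest of the test expects. The installSSHHostKeys.text string and the enclosing attribute set both start above the hunk.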
From 9e361f8b39f448182c48019ff22002c06a061170 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Thu, 16 Feb 2023 14:19:28 -0700
Subject: [PATCH 3/4] Install agenix CLI

---
 test/integration.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/test/integration.nix b/test/integration.nix
index 8f7ae48..fc5629f 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -28,6 +28,10 @@ pkgs.nixosTest {
 age.identityPaths = options.age.identityPaths.default ++ ["/etc/ssh/this_key_wont_exist"];
+ environment.systemPackages = [
+ (pkgs.callPackage ../pkgs/agenix.nix {})
+ ];
+
 users = {
 mutableUsers = false;

From 0b5c4b8c8f4cc8cfcf56ae1532355c7eb634d04b Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Thu, 16 Feb 2023 14:19:42 -0700
Subject: [PATCH 4/4] Test rekeying via agenix CLI

This test copies the example `secrets.nix` and age files and uses the user key to rekey them. It compares the hash before and after to ensure that the age file is actually being changed.

---
 test/integration.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/test/integration.nix b/test/integration.nix
index fc5629f..772adea 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -64,5 +64,19 @@ pkgs.nixosTest {
 system1.send_chars("whoami > /tmp/1\n")
 system1.wait_for_file("/tmp/1")
 assert "${user}" in system1.succeed("cat /tmp/1")
+
+ system1.succeed('cp -a "${../example}/." /tmp/secrets')
+ system1.succeed('chmod u+w /tmp/secrets/*.age')
+
+ before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+ print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
+ after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+
+ # Ensure we actually have hashes
+ for h in [before_hash, after_hash]:
+ assert len(h) == 2, "hash should be [hash, filename]"
+ assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
+ assert len(h[0].strip()) == 64, "hash length is incorrect"
+ assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
 '';
 }
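Review bot: The before/after hash comparison at the end of the hunk only proves that passwordfile-user1.age was rewritten, not that it was rekeyed to the recipients in secrets.nix: age draws a fresh file key on every encryption, so the ciphertext changes even when the recipient set is unchanged or wrong. A stronger check decrypts the secret with the user key before and after the rekey and compares plaintexts, e.g. `plain_before = system1.succeed('cd /tmp/secrets && agenix -d passwordfile-user1.age -i /home/user1/.ssh/id_ed25519')` next to the before_hash line, the same for plain_after, and `assert plain_before == plain_after, "plaintext changed after rekeying"` after the loop. The rekey command itself should chain with `&&` rather than `;` (`cd /tmp/secrets && agenix -r -i /home/user1/.ssh/id_ed25519`) so a failed cd cannot run the rekey in the driver's working directory. The testScript string these lines belong to begins above the hunk.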