From 344c8e41d2c6d828413c821d4abe7fa5537ee564 Mon Sep 17 00:00:00 2001
From: Ryan Mulligan
Date: Sun, 19 Feb 2023 10:20:07 -0800
Subject: [PATCH] feature: pipe cleartext into agenix -e

If STDIN is not interactive, change EDITOR to `cp /dev/stdin`.

fixes #33
---
 pkgs/agenix.sh | 4 ++++
 test/install_ssh_host_keys.nix | 3 +++
 test/integration.nix | 18 ++++++++++--------
 3 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index 7a0f0ff..e627124 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -23,6 +23,8 @@ function show_help () {
 echo ' '
 echo 'EDITOR environment variable of editor to use when editing FILE'
 echo ' '
+ echo 'If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"'
+ echo ' '
 echo 'RULES environment variable with path to Nix file specifying recipient public keys.'
 echo "Defaults to './secrets.nix'"
 echo ' '
@@ -124,6 +126,8 @@ function edit {
 cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
 fi
+ [ -t 0 ] || EDITOR='cp /dev/stdin'
+
 $EDITOR "$CLEARTEXT_FILE"
 if [ ! -f "$CLEARTEXT_FILE" ]
diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
index 06f1bbb..72d82ee 100644
--- a/test/install_ssh_host_keys.nix
+++ b/test/install_ssh_host_keys.nix
@@ -21,5 +21,8 @@
 chown $USER1_UID:$USERS_GID /home/user1/.ssh/id_ed25519
 touch /etc/ssh/ssh_host_rsa_key
 )
+ cp -r "${../example}" /tmp/secrets
+ chmod -R u+rw /tmp/secrets
+ chown -R $USER1_UID:$USERS_GID /tmp/secrets
 '';
 }
diff --git a/test/integration.nix b/test/integration.nix
index 4156b5e..ff1bbac 100644
--- a/test/integration.nix
+++ b/test/integration.nix
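Review bot: The new help line in show_help understates what the override does: it says EDITOR "will be set", but the `[ -t 0 ]` check in edit replaces an EDITOR the caller exported explicitly, and the piped data replaces the whole cleartext rather than being merged into it. Spell that out so scripted callers are not surprised, e.g. `echo 'If STDIN is not interactive (piped or redirected), EDITOR is ignored and the entire cleartext is read from STDIN'`. A second line noting that `echo secret | agenix -e FILE` leaves the secret in shell history, and pointing at `agenix -e FILE < cleartext-file` instead, would be worth adding here as well. show_help continues outside the hunk.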
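Review bot: `[ -t 0 ] || EDITOR='cp /dev/stdin'` clobbers an explicitly exported EDITOR whenever stdin is not a terminal, so an existing invocation such as `EDITOR=cat agenix -e FILE` run from CI, cron or an IDE task now copies stdin over the cleartext, and with stdin at EOF (`</dev/null`, a closed pipe) `cp /dev/stdin` leaves an empty cleartext that the re-encrypt step after this hunk would presumably write back as the new secret. At minimum the non-interactive path should refuse an empty result instead of silently truncating, e.g. right after the `$EDITOR "$CLEARTEXT_FILE"` line: `if [ ! -t 0 ] && [ ! -s "$CLEARTEXT_FILE" ]; then echo "agenix: refusing to encrypt empty cleartext read from STDIN" >&2; exit 1; fi`, routed through whatever cleanup path edit already uses for its temp files. Consider also making the behaviour opt-in (a flag) or at least keeping the override only when EDITOR is unset, since an unconditional override changes the contract for every non-TTY caller; and note that `cp /dev/stdin` depends on `/dev/stdin` existing and `$EDITOR` being word-split unquoted, which the line relies on. The edit function starts and ends outside the hunk.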
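Review bot: The three added lines do something non-obvious that deserves a comment: `cp -r "${../example}"` copies 0444/0555 modes out of the read-only Nix store, which is why the `chmod -R u+rw` is required before user1 can rekey or edit in place, and `cp -r` yields `/tmp/secrets` itself only because the target does not exist yet (an existing directory would nest the copy as `/tmp/secrets/example`). Suggest prefixing the block with `# copy the example secrets out of the read-only store so user1 can rekey/edit them in place (store modes are 0444/0555)`. The shell string continues outside the hunk.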
@@ -66,22 +66,19 @@ pkgs.nixosTest {
 system1.wait_for_file("/tmp/1")
 assert "${user}" in system1.succeed("cat /tmp/1")
- system1.succeed('cp -a "${../example}/." /tmp/secrets')
- system1.succeed('chmod u+w /tmp/secrets/*.age')
+ userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
- before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
- print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
- after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+ before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
+ print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
+ after_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
 # Ensure we actually have hashes
 for h in [before_hash, after_hash]:
 assert len(h) == 2, "hash should be [hash, filename]"
- assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
+ assert h[1] == "passwordfile-user1.age", "filename is incorrect"
 assert len(h[0].strip()) == 64, "hash length is incorrect"
 assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
- userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
-
 # user1 can edit passwordfile-user1.age
 system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
@@ -89,5 +86,10 @@ pkgs.nixosTest {
 system1.succeed(userDo("echo bogus > ~/.ssh/id_rsa"))
 system1.fail(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
 system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age -i /home/user1/.ssh/id_ed25519"))
+ system1.succeed(userDo("rm ~/.ssh/id_rsa"))
+
+ # user1 can edit a secret by piping in contents
+ system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
+ assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
 '';
 }
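Review bot: `system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))` at the end of the hunk only checks the exit status, and with the `[ -t 0 ]` override added to agenix.sh in this same patch it would presumably take the `cp /dev/stdin` path instead of `cat` if the test driver ever ran the command without a terminal on stdin, still exiting 0 while never printing the secret. Pin the path you mean to exercise by checking the output, as the later pipe test already does: `out = system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))` followed by `assert out.strip() != "", "EDITOR=cat should print the decrypted cleartext"`. The test script continues outside the hunk.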
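Review bot: The new pipe test covers only the happy path; the failure mode the override introduces — a non-interactive but empty stdin turning into an empty cleartext — is what actually needs guarding, and nothing here checks that the secret survives it. After the `assert "secret1234" in ...` line add `system1.fail(userDo("agenix -e passwordfile-user1.age < /dev/null"))` and then re-assert `assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))`, which will only pass once agenix.sh refuses to encrypt an empty read from stdin. The `rm ~/.ssh/id_rsa` cleanup before the pipe test is good, since a bogus key left behind would otherwise make the new assertions fail for the wrong reason. The enclosing test script and attribute set start and end outside the hunk.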