Compare commits
3 commits
main
...
rtm-2-20-p
| Author | SHA1 | Date | |
|---|---|---|---|
|
b720b35bd7 | ||
|
|
63e9da1737 | ||
|
|
8db34521db |
5 changed files with 24 additions and 4 deletions
|
|
@ -499,6 +499,8 @@ PRIVATE_KEY a path to a private SSH key used to decrypt file
|
|||
|
||||
EDITOR environment variable of editor to use when editing FILE
|
||||
|
||||
If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"
|
||||
|
||||
RULES environment variable with path to Nix file specifying recipient public keys.
|
||||
Defaults to './secrets.nix'
|
||||
```
|
||||
|
|
|
|||
|
|
@ -114,7 +114,7 @@ function edit {
|
|||
CLEARTEXT_DIR=$(@mktempBin@ -d)
|
||||
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
|
||||
|
||||
if [ -f "$FILE" ]
|
||||
if [ -f "$FILE" ] && [ -t 0 ]
|
||||
then
|
||||
DECRYPT=("${DEFAULT_DECRYPT[@]}")
|
||||
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
|
||||
|
|
@ -142,7 +142,7 @@ function edit {
|
|||
warn "$FILE wasn't created."
|
||||
return
|
||||
fi
|
||||
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
|
||||
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && [ -f "$CLEARTEXT_FILE.before" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
|
||||
|
||||
ENCRYPT=()
|
||||
while IFS= read -r key
|
||||
|
|
|
|||
5
test/fixtures/one-way/secrets.nix
vendored
Normal file
5
test/fixtures/one-way/secrets.nix
vendored
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
let
|
||||
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
|
||||
in {
|
||||
"one-way.age".publicKeys = [system1];
|
||||
}
|
||||
|
|
@ -24,5 +24,9 @@
|
|||
cp -r "${../example}" /tmp/secrets
|
||||
chmod -R u+rw /tmp/secrets
|
||||
chown -R $USER1_UID:$USERS_GID /tmp/secrets
|
||||
|
||||
cp -r "${./fixtures/one-way}" /tmp/secrets-one-way
|
||||
chmod -R u+rw /tmp/secrets-one-way
|
||||
chown -R $USER1_UID:$USERS_GID /tmp/secrets-one-way
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
|
|
@ -66,7 +66,8 @@ pkgs.nixosTest {
|
|||
system1.wait_for_file("/tmp/1")
|
||||
assert "${user}" in system1.succeed("cat /tmp/1")
|
||||
|
||||
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
|
||||
userDir = "/tmp/secrets"
|
||||
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd {userDir}; {input}'"
|
||||
|
||||
before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
|
||||
print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
|
||||
|
|
@ -89,7 +90,15 @@ pkgs.nixosTest {
|
|||
system1.succeed(userDo("rm ~/.ssh/id_rsa"))
|
||||
|
||||
# user1 can edit a secret by piping in contents
|
||||
system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
|
||||
system1.succeed(userDo("echo secret1234 | agenix -e passwordfile-user1.age"))
|
||||
assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
|
||||
|
||||
# user1 can make a one-way secret, but cannot see the contents, and host can decrypt
|
||||
userDir = "/tmp/secrets-one-way"
|
||||
system1.succeed(userDo("echo eye1234 | agenix -e one-way.age"))
|
||||
system1.fail(userDo("EDITOR=cat agenix -e one-way.age"))
|
||||
assert "eye1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
|
||||
system1.succeed(userDo("echo nose1234 | agenix -e one-way.age"))
|
||||
assert "nose1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
|
||||
'';
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue