Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: enable one-way encrypted secrets #157

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feature: enable one-way encrypted secrets #157

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8db3452
doc: update agenix help text in docs
ryantm Feb 20, 2023
63e9da1
test: add tests for one-way encrypted secrets
ryantm Feb 20, 2023
b720b35
feature: enable one-way encrypted secrets
ryantm Feb 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,8 @@ PRIVATE_KEY a path to a private SSH key used to decrypt file

EDITOR environment variable of editor to use when editing FILE

If STDIN is not interactive, EDITOR will be set to "cp /dev/stdin"

RULES environment variable with path to Nix file specifying recipient public keys.
Defaults to './secrets.nix'
```
Expand Down
4 changes: 2 additions & 2 deletions pkgs/agenix.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ function edit {
CLEARTEXT_DIR=$(@mktempBin@ -d)
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"

if [ -f "$FILE" ]
if [ -f "$FILE" ] && [ -t 0 ]
then
DECRYPT=("${DEFAULT_DECRYPT[@]}")
if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
Expand Down Expand Up @@ -142,7 +142,7 @@ function edit {
warn "$FILE wasn't created."
return
fi
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && [ -f "$CLEARTEXT_FILE.before" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return

ENCRYPT=()
while IFS= read -r key
Expand Down
5 changes: 5 additions & 0 deletions test/fixtures/one-way/secrets.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
let
system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
in {
"one-way.age".publicKeys = [system1];
}
4 changes: 4 additions & 0 deletions test/install_ssh_host_keys.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,5 +24,9 @@
cp -r "${../example}" /tmp/secrets
chmod -R u+rw /tmp/secrets
chown -R $USER1_UID:$USERS_GID /tmp/secrets

cp -r "${./fixtures/one-way}" /tmp/secrets-one-way
chmod -R u+rw /tmp/secrets-one-way
chown -R $USER1_UID:$USERS_GID /tmp/secrets-one-way
'';
}
13 changes: 11 additions & 2 deletions test/integration.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,8 @@ pkgs.nixosTest {
system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1")

userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
userDir = "/tmp/secrets"
userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd {userDir}; {input}'"

before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
Expand All @@ -89,7 +90,15 @@ pkgs.nixosTest {
system1.succeed(userDo("rm ~/.ssh/id_rsa"))

# user1 can edit a secret by piping in contents
system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
system1.succeed(userDo("echo secret1234 | agenix -e passwordfile-user1.age"))
assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))

# user1 can make a one-way secret, but cannot see the contents, and host can decrypt
userDir = "/tmp/secrets-one-way"
system1.succeed(userDo("echo eye1234 | agenix -e one-way.age"))
system1.fail(userDo("EDITOR=cat agenix -e one-way.age"))
assert "eye1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
system1.succeed(userDo("echo nose1234 | agenix -e one-way.age"))
assert "nose1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
'';
}