2021-09-02 11:00:57 +02:00
|
|
|
{ makeTest ? import <nixpkgs/nixos/tests/make-test-python.nix>, pkgs ? (import <nixpkgs> {}) }:
|
2020-07-12 16:59:20 +01:00
|
|
|
{
|
2020-07-12 13:50:55 +01:00
|
|
|
ssh-keys = makeTest {
|
2021-09-30 21:08:38 +02:00
|
|
|
name = "sops-ssh-keys";
|
|
|
|
|
nodes.server = { ... }: {
|
|
|
|
|
imports = [ ../../modules/sops ];
|
|
|
|
|
services.openssh.enable = true;
|
|
|
|
|
services.openssh.hostKeys = [{
|
|
|
|
|
type = "rsa";
|
|
|
|
|
bits = 4096;
|
|
|
|
|
path = ./test-assets/ssh-key;
|
|
|
|
|
}];
|
|
|
|
|
sops.defaultSopsFile = ./test-assets/secrets.yaml;
|
|
|
|
|
sops.secrets.test_key = {};
|
|
|
|
|
};
|
2020-07-12 13:50:55 +01:00
|
|
|
|
2021-09-30 21:08:38 +02:00
|
|
|
testScript = ''
|
|
|
|
|
start_all()
|
|
|
|
|
server.succeed("cat /run/secrets/test_key | grep -q test_value")
|
|
|
|
|
'';
|
2020-07-12 16:59:20 +01:00
|
|
|
} {
|
|
|
|
|
inherit pkgs;
|
2021-01-26 14:20:27 +01:00
|
|
|
inherit (pkgs) system;
|
2020-07-12 13:50:55 +01:00
|
|
|
};
|
|
|
|
|
|
2021-08-27 00:49:58 +02:00
|
|
|
age-keys = makeTest {
|
2021-09-30 21:08:38 +02:00
|
|
|
name = "sops-age-keys";
|
|
|
|
|
machine = {
|
|
|
|
|
imports = [ ../../modules/sops ];
|
|
|
|
|
sops = {
|
|
|
|
|
age.keyFile = ./test-assets/age-keys.txt;
|
|
|
|
|
defaultSopsFile = ./test-assets/secrets.yaml;
|
|
|
|
|
secrets.test_key = {};
|
|
|
|
|
};
|
|
|
|
|
};
|
2021-08-27 00:49:58 +02:00
|
|
|
|
2021-09-30 21:08:38 +02:00
|
|
|
testScript = ''
|
|
|
|
|
start_all()
|
|
|
|
|
machine.succeed("cat /run/secrets/test_key | grep -q test_value")
|
|
|
|
|
'';
|
2021-08-27 20:09:28 +02:00
|
|
|
} {
|
|
|
|
|
inherit pkgs;
|
|
|
|
|
inherit (pkgs) system;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
age-ssh-keys = makeTest {
|
|
|
|
|
name = "sops-age-ssh-keys";
|
|
|
|
|
machine = {
|
|
|
|
|
imports = [ ../../modules/sops ];
|
2021-08-28 12:37:10 +02:00
|
|
|
services.openssh.enable = true;
|
|
|
|
|
services.openssh.hostKeys = [{
|
|
|
|
|
type = "ed25519";
|
|
|
|
|
path = ./test-assets/ssh-ed25519-key;
|
|
|
|
|
}];
|
2021-08-27 20:09:28 +02:00
|
|
|
sops = {
|
|
|
|
|
defaultSopsFile = ./test-assets/secrets.yaml;
|
|
|
|
|
secrets.test_key = {};
|
2021-09-30 15:28:39 +02:00
|
|
|
# Generate a key and append it to make sure it appending doesn't break anything
|
|
|
|
|
age = {
|
|
|
|
|
keyFile = "/tmp/testkey";
|
|
|
|
|
generateKey = true;
|
|
|
|
|
};
|
2021-08-27 20:09:28 +02:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
testScript = ''
|
|
|
|
|
start_all()
|
|
|
|
|
machine.succeed("cat /run/secrets/test_key | grep -q test_value")
|
|
|
|
|
'';
|
|
|
|
|
} {
|
|
|
|
|
inherit pkgs;
|
|
|
|
|
inherit (pkgs) system;
|
|
|
|
|
};
|
2021-08-27 00:49:58 +02:00
|
|
|
|
2020-07-12 17:43:23 +01:00
|
|
|
pgp-keys = makeTest {
|
2020-07-12 17:48:37 +01:00
|
|
|
name = "sops-pgp-keys";
|
2020-07-19 21:04:58 +01:00
|
|
|
nodes.server = { pkgs, lib, config, ... }: {
|
|
|
|
|
imports = [
|
|
|
|
|
../../modules/sops
|
|
|
|
|
];
|
|
|
|
|
|
2021-09-17 21:08:34 +02:00
|
|
|
users.users.someuser = {
|
|
|
|
|
isSystemUser = true;
|
|
|
|
|
group = "nogroup";
|
|
|
|
|
};
|
2020-07-19 21:04:58 +01:00
|
|
|
|
2021-08-27 13:35:53 +02:00
|
|
|
sops.gnupg.home = "/run/gpghome";
|
2020-07-19 21:04:58 +01:00
|
|
|
sops.defaultSopsFile = ./test-assets/secrets.yaml;
|
|
|
|
|
sops.secrets.test_key.owner = config.users.users.someuser.name;
|
2021-09-10 12:02:38 +02:00
|
|
|
sops.secrets."nested/test/file".owner = config.users.users.someuser.name;
|
2020-07-19 23:23:38 +01:00
|
|
|
sops.secrets.existing-file = {
|
|
|
|
|
key = "test_key";
|
|
|
|
|
path = "/run/existing-file";
|
|
|
|
|
};
|
2020-07-19 21:04:58 +01:00
|
|
|
# must run before sops
|
|
|
|
|
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
|
|
|
|
|
cp -r ${./test-assets/gnupghome} /run/gpghome
|
|
|
|
|
chmod -R 700 /run/gpghome
|
2020-07-19 23:23:38 +01:00
|
|
|
|
|
|
|
|
touch /run/existing-file
|
2020-07-19 21:04:58 +01:00
|
|
|
'';
|
|
|
|
|
# Useful for debugging
|
|
|
|
|
#environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
|
|
|
|
|
#environment.variables = {
|
|
|
|
|
# GNUPGHOME = "/run/gpghome";
|
|
|
|
|
# SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
|
|
|
|
|
# SOPSFILE = "${./test-assets/secrets.yaml}";
|
|
|
|
|
#};
|
|
|
|
|
};
|
|
|
|
|
testScript = ''
|
2020-07-19 23:23:38 +01:00
|
|
|
def assertEqual(exp: str, act: str) -> None:
|
|
|
|
|
if exp != act:
|
|
|
|
|
raise Exception(f"'{exp}' != '{act}'")
|
|
|
|
|
|
|
|
|
|
|
2020-07-19 21:04:58 +01:00
|
|
|
start_all()
|
2020-07-19 23:23:38 +01:00
|
|
|
|
|
|
|
|
value = server.succeed("cat /run/secrets/test_key")
|
|
|
|
|
assertEqual("test_value", value)
|
|
|
|
|
|
2021-07-03 08:20:25 +02:00
|
|
|
server.succeed("runuser -u someuser -- cat /run/secrets/test_key >&2")
|
2021-09-10 12:02:38 +02:00
|
|
|
value = server.succeed("cat /run/secrets/nested/test/file")
|
|
|
|
|
assertEqual(value, "another value")
|
2020-07-19 23:23:38 +01:00
|
|
|
|
|
|
|
|
target = server.succeed("readlink -f /run/existing-file")
|
|
|
|
|
assertEqual("/run/secrets.d/1/existing-file", target.strip())
|
2020-07-19 21:04:58 +01:00
|
|
|
'';
|
2020-07-12 16:59:20 +01:00
|
|
|
} {
|
|
|
|
|
inherit pkgs;
|
2021-01-26 14:20:27 +01:00
|
|
|
inherit (pkgs) system;
|
2020-07-12 13:50:55 +01:00
|
|
|
};
|
2021-09-02 11:00:57 +02:00
|
|
|
|
|
|
|
|
} // pkgs.lib.optionalAttrs (pkgs.lib.versionAtLeast (pkgs.lib.versions.majorMinor pkgs.lib.version) "21.11") {
|
|
|
|
|
|
|
|
|
|
restart-and-reload = makeTest {
|
|
|
|
|
name = "sops-restart-and-reload";
|
|
|
|
|
machine = { pkgs, lib, config, ... }: {
|
|
|
|
|
imports = [
|
|
|
|
|
../../modules/sops
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
sops = {
|
|
|
|
|
age.keyFile = ./test-assets/age-keys.txt;
|
|
|
|
|
defaultSopsFile = ./test-assets/secrets.yaml;
|
|
|
|
|
secrets.test_key = {
|
|
|
|
|
restartUnits = [ "restart-unit.service" "reload-unit.service" ];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
systemd.services."restart-unit" = {
|
|
|
|
|
description = "Restart unit";
|
|
|
|
|
# not started on boot
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
ExecStart = "/bin/sh -c 'echo ok > /restarted'";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
systemd.services."reload-unit" = {
|
|
|
|
|
description = "Restart unit";
|
|
|
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
|
reloadIfChanged = true;
|
|
|
|
|
serviceConfig = {
|
|
|
|
|
Type = "oneshot";
|
|
|
|
|
RemainAfterExit = true;
|
|
|
|
|
ExecStart = "/bin/sh -c true";
|
|
|
|
|
ExecReload = "/bin/sh -c 'echo ok > /reloaded'";
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
testScript = ''
|
|
|
|
|
machine.wait_for_unit("multi-user.target")
|
|
|
|
|
machine.fail("test -f /restarted")
|
|
|
|
|
machine.fail("test -f /reloaded")
|
|
|
|
|
|
|
|
|
|
# Nothing is to be restarted after boot
|
|
|
|
|
machine.fail("ls /run/nixos/*-list")
|
|
|
|
|
|
|
|
|
|
# Nothing happens when the secret is not changed
|
|
|
|
|
machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
machine.fail("test -f /restarted")
|
|
|
|
|
machine.fail("test -f /reloaded")
|
|
|
|
|
|
|
|
|
|
# Ensure the secret is changed
|
|
|
|
|
machine.succeed(": > /run/secrets/test_key")
|
|
|
|
|
|
|
|
|
|
# The secret is changed, now something should happen
|
|
|
|
|
machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
|
|
|
|
|
# Ensure something happened
|
|
|
|
|
machine.succeed("test -f /restarted")
|
|
|
|
|
machine.succeed("test -f /reloaded")
|
|
|
|
|
|
|
|
|
|
with subtest("change detection"):
|
|
|
|
|
machine.succeed("rm /run/secrets/test_key")
|
|
|
|
|
out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
if "adding secret" not in out:
|
|
|
|
|
raise Exception("Addition detection does not work")
|
|
|
|
|
|
|
|
|
|
machine.succeed(": > /run/secrets/test_key")
|
|
|
|
|
out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
if "modifying secret" not in out:
|
|
|
|
|
raise Exception("Modification detection does not work")
|
|
|
|
|
|
|
|
|
|
machine.succeed(": > /run/secrets/another_key")
|
|
|
|
|
out = machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
if "removing secret" not in out:
|
|
|
|
|
raise Exception("Removal detection does not work")
|
|
|
|
|
|
|
|
|
|
with subtest("dry activation"):
|
|
|
|
|
machine.succeed("rm /run/secrets/test_key")
|
|
|
|
|
machine.succeed(": > /run/secrets/another_key")
|
|
|
|
|
out = machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")
|
|
|
|
|
if "would add secret" not in out:
|
|
|
|
|
raise Exception("Dry addition detection does not work")
|
|
|
|
|
if "would remove secret" not in out:
|
|
|
|
|
raise Exception("Dry removal detection does not work")
|
|
|
|
|
|
|
|
|
|
machine.fail("test -f /run/secrets/test_key")
|
|
|
|
|
machine.succeed("test -f /run/secrets/another_key")
|
|
|
|
|
|
|
|
|
|
machine.succeed("/run/current-system/bin/switch-to-configuration test")
|
|
|
|
|
machine.succeed("test -f /run/secrets/test_key")
|
|
|
|
|
machine.succeed("rm /restarted /reloaded")
|
|
|
|
|
machine.fail("test -f /run/secrets/another_key")
|
|
|
|
|
|
|
|
|
|
machine.succeed(": > /run/secrets/test_key")
|
|
|
|
|
out = machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")
|
|
|
|
|
if "would modify secret" not in out:
|
|
|
|
|
raise Exception("Dry modification detection does not work")
|
|
|
|
|
machine.succeed("[ $(cat /run/secrets/test_key | wc -c) = 0 ]")
|
|
|
|
|
|
|
|
|
|
machine.fail("test -f /restarted") # not done in dry mode
|
|
|
|
|
machine.fail("test -f /reloaded") # not done in dry mode
|
|
|
|
|
'';
|
|
|
|
|
} {
|
|
|
|
|
inherit pkgs;
|
|
|
|
|
inherit (pkgs) system;
|
|
|
|
|
};
|
2020-07-12 13:50:55 +01:00
|
|
|
}
|
