
go files for darwin

fixup
This commit is contained in:
Pogobanane 2022-07-10 13:12:14 +02:00
parent 68d25e682b
commit 4f3d45c058
5 changed files with 121 additions and 56 deletions


@ -7,6 +7,7 @@
inherit vendorSha256; inherit vendorSha256;
}; };
in rec { in rec {
inherit sops-install-secrets;
sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {}; sops-init-gpg-key = pkgs.callPackage ./pkgs/sops-init-gpg-key {};
sops-pgp-hook = pkgs.lib.warn '' sops-pgp-hook = pkgs.lib.warn ''
sops-pgp-hook is deprecated, use sops-import-keys-hook instead. sops-pgp-hook is deprecated, use sops-import-keys-hook instead.
@ -23,8 +24,6 @@ in rec {
}; };
unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix {}; unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix {};
} // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { } // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
inherit sops-install-secrets;
lint = pkgs.callPackage ./pkgs/lint.nix { lint = pkgs.callPackage ./pkgs/lint.nix {
inherit sops-install-secrets; inherit sops-install-secrets;
}; };


@ -0,0 +1,48 @@
//go:build darwin
// +build darwin
package main
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
//fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
//if err != nil {
// return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
//}
//defer unix.Close(fd)
//buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
//n, err := unix.Readlinkat(fd, "", buf)
//if err != nil {
// return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
//}
//if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
// return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
//}
//err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
//if err != nil {
// return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
//}
return nil
}
func MountSecretFs(mountpoint string, keysGid int) error {
//if err := os.MkdirAll(mountpoint, 0751); err != nil {
// return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
//}
//buf := unix.Statfs_t{}
//if err := unix.Statfs(mountpoint, &buf); err != nil {
// return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
//}
//if int32(buf.Type) != RAMFS_MAGIC {
// if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
// return fmt.Errorf("Cannot mount: %s", err)
// }
//}
//if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
// return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
//}
return nil
}
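Review bot: `MountSecretFs` in this darwin file is declared as `(mountpoint string, keysGid int)` while the linux file declares `(mountpoint string, keysGid int, userMode bool)` and the caller in main.go (last hunk of that section, `MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode)`) passes three arguments, so the package will not build for darwin. Both stubs also return nil without doing anything, so a non-userMode install on darwin reports success although the secrets directory was never created or chowned and the symlink owner was never set; a failure to secure the directory should surface rather than be swallowed. A minimal darwin `MountSecretFs` could keep the `MkdirAll` and `Chown` steps and skip only the ramfs mount (needs `fmt` and `os` imported here), with a comment that without ramfs the decrypted secrets sit on persistent disk. The commented-out linux bodies duplicate the linux file and can be deleted.
```go
func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
	if err := os.MkdirAll(mountpoint, 0751); err != nil {
		return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
	}
	// No ramfs on darwin: secrets are written to a plain on-disk directory,
	// so restricting its ownership is the only isolation applied here.
	if userMode {
		return nil
	}
	if err := os.Chown(mountpoint, 0, keysGid); err != nil {
		return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
	}
	return nil
}
```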


@ -33,6 +33,6 @@ buildGoModule {
homepage = "https://github.com/Mic92/sops-nix"; homepage = "https://github.com/Mic92/sops-nix";
license = licenses.mit; license = licenses.mit;
maintainers = with maintainers; [ mic92 ]; maintainers = with maintainers; [ mic92 ];
platforms = platforms.linux; platforms = platforms.linux ++ platforms.darwin;
}; };
} }


@ -0,0 +1,69 @@
//go:build linux
// +build linux
package main
import (
"fmt"
"os"
"golang.org/x/sys/unix"
)
func RuntimeDir() (string, error) {
rundir, ok := os.LookupEnv("XDG_RUNTIME_DIR")
if !ok {
return "", fmt.Errorf("$XDG_RUNTIME_DIR is not set!")
}
return rundir, nil
}
func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
// fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
if err != nil {
return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
}
defer unix.Close(fd)
buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
n, err := unix.Readlinkat(fd, "", buf)
if err != nil {
return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
}
if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
}
err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
if err != nil {
return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
}
return nil
}
func MountSecretFs(mountpoint string, keysGid int, userMode bool) error {
if err := os.MkdirAll(mountpoint, 0751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
}
// We can't create a ramfs as user
if userMode {
return nil
}
buf := unix.Statfs_t{}
if err := unix.Statfs(mountpoint, &buf); err != nil {
return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
}
if int32(buf.Type) != RAMFS_MAGIC {
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
return fmt.Errorf("Cannot mount: %s", err)
}
}
if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
}
return nil
}
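Review bot: The readlinkat failure in `SecureSymlinkChown` drops the underlying error, so a caller cannot tell EACCES from ENOENT; change it to `return fmt.Errorf("couldn't readlinkat %s: %w", symlinkToCheck, err)`. The commented-out line directly above `fd, err := unix.Open(...)` repeats the live line and should be removed. `RuntimeDir` exists only in this linux-tagged file; if anything in the package calls it, the darwin build needs a counterpart, which cannot be confirmed from this hunk. The message `$XDG_RUNTIME_DIR is not set!` would read better without the trailing punctuation, following Go error-string convention.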


@ -1,5 +1,3 @@
// +build linux
package main package main
import ( import (
@ -133,28 +131,6 @@ type appContext struct {
ignorePasswd bool ignorePasswd bool
} }
func secureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int) error {
fd, err := unix.Open(symlinkToCheck, unix.O_CLOEXEC|unix.O_PATH|unix.O_NOFOLLOW, 0)
if err != nil {
return fmt.Errorf("Failed to open %s: %w", symlinkToCheck, err)
}
defer unix.Close(fd)
buf := make([]byte, len(expectedTarget)+1) // oversize by one to detect trunc
n, err := unix.Readlinkat(fd, "", buf)
if err != nil {
return fmt.Errorf("couldn't readlinkat %s", symlinkToCheck)
}
if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
}
err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
if err != nil {
return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
}
return nil
}
func readManifest(path string) (*manifest, error) { func readManifest(path string) (*manifest, error) {
file, err := os.Open(path) file, err := os.Open(path)
if err != nil { if err != nil {
@ -188,7 +164,7 @@ func symlinkSecret(targetFile string, secret *secret, userMode bool) error {
return fmt.Errorf("Cannot create symlink '%s': %w", secret.Path, err) return fmt.Errorf("Cannot create symlink '%s': %w", secret.Path, err)
} }
if !userMode { if !userMode {
if err := secureSymlinkChown(secret.Path, targetFile, secret.owner, secret.group); err != nil { if err := SecureSymlinkChown(secret.Path, targetFile, secret.owner, secret.group); err != nil {
return fmt.Errorf("Cannot chown symlink '%s': %w", secret.Path, err) return fmt.Errorf("Cannot chown symlink '%s': %w", secret.Path, err)
} }
} }
@ -331,33 +307,6 @@ func decryptSecrets(secrets []secret) error {
const RAMFS_MAGIC int32 = -2054924042 const RAMFS_MAGIC int32 = -2054924042
func mountSecretFs(mountpoint string, keysGid int, userMode bool) error {
if err := os.MkdirAll(mountpoint, 0751); err != nil {
return fmt.Errorf("Cannot create directory '%s': %w", mountpoint, err)
}
// We can't create a ramfs as user
if userMode {
return nil
}
buf := unix.Statfs_t{}
if err := unix.Statfs(mountpoint, &buf); err != nil {
return fmt.Errorf("Cannot get statfs for directory '%s': %w", mountpoint, err)
}
if int32(buf.Type) != RAMFS_MAGIC {
if err := unix.Mount("none", mountpoint, "ramfs", unix.MS_NODEV|unix.MS_NOSUID, "mode=0751"); err != nil {
return fmt.Errorf("Cannot mount: %s", err)
}
}
if err := os.Chown(mountpoint, 0, int(keysGid)); err != nil {
return fmt.Errorf("Cannot change owner/group of '%s' to 0/%d: %w", mountpoint, keysGid, err)
}
return nil
}
func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) { func prepareSecretsDir(secretMountpoint string, linkName string, keysGid int, userMode bool) (*string, error) {
var generation uint64 var generation uint64
linkTarget, err := os.Readlink(linkName) linkTarget, err := os.Readlink(linkName)
@ -973,7 +922,7 @@ func installSecrets(args []string) error {
isDry := os.Getenv("NIXOS_ACTION") == "dry-activate" isDry := os.Getenv("NIXOS_ACTION") == "dry-activate"
if err := mountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode); err != nil { if err := MountSecretFs(manifest.SecretsMountPoint, keysGid, manifest.UserMode); err != nil {
return fmt.Errorf("Failed to mount filesystem for secrets: %w", err) return fmt.Errorf("Failed to mount filesystem for secrets: %w", err)
} }
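Review bot: With `// +build linux` dropped from the top of main.go, this file now compiles on darwin too, yet `const RAMFS_MAGIC int32 = -2054924042` stays here although its only visible use (`int32(buf.Type) != RAMFS_MAGIC`) moved to the linux-only file; it belongs next to that user. The import block at `import (` is cut by the hunk, so whether every `unix` identifier still referenced in main.go exists in the darwin build of golang.org/x/sys/unix cannot be verified from here. The renamed calls `SecureSymlinkChown(...)` and `MountSecretFs(...)` introduce exported names into package main, which gains nothing there; lowercase names would match the surrounding helpers such as `readManifest` and `prepareSecretsDir`.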