fix user manifest validation in sandbox
We should not look up users there.
This commit is contained in:
parent
30ea9d3738
commit
59803f7530
2 changed files with 51 additions and 43 deletions
|
@ -45,7 +45,7 @@ type manifest struct {
|
|||
GnupgHome string `json:"gnupgHome"`
|
||||
}
|
||||
|
||||
type secretFile struct {
|
||||
type secretFile struct {
|
||||
cipherText []byte
|
||||
keys map[string]interface{}
|
||||
/// First secret that defined this secretFile, used for error messages
|
||||
|
@ -324,25 +324,28 @@ func (app *appContext) validateSecret(secret *secret) error {
|
|||
}
|
||||
secret.mode = os.FileMode(mode)
|
||||
|
||||
owner, err := user.Lookup(secret.Owner)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)
|
||||
}
|
||||
ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)
|
||||
}
|
||||
secret.owner = int(ownerNr)
|
||||
if app.checkMode == Off {
|
||||
// we only access to the user/group during deployment
|
||||
owner, err := user.Lookup(secret.Owner)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to lookup user '%s': %s", secret.Owner, err)
|
||||
}
|
||||
ownerNr, err := strconv.ParseUint(owner.Uid, 10, 64)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot parse uid %s: %s", owner.Uid, err)
|
||||
}
|
||||
secret.owner = int(ownerNr)
|
||||
|
||||
group, err := user.LookupGroup(secret.Group)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)
|
||||
group, err := user.LookupGroup(secret.Group)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Failed to lookup group '%s': %s", secret.Group, err)
|
||||
}
|
||||
groupNr, err := strconv.ParseUint(group.Gid, 10, 64)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)
|
||||
}
|
||||
secret.group = int(groupNr)
|
||||
}
|
||||
groupNr, err := strconv.ParseUint(group.Gid, 10, 64)
|
||||
if err != nil {
|
||||
return fmt.Errorf("Cannot parse gid %s: %s", group.Gid, err)
|
||||
}
|
||||
secret.group = int(groupNr)
|
||||
|
||||
if secret.Format == "" {
|
||||
secret.Format = "yaml"
|
||||
|
|
|
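Review bot: When `app.checkMode != Off` the new branch is skipped entirely, so `secret.owner` and `secret.group` keep their zero value, which is uid/gid 0, and nothing in the hunk marks them as unresolved; if any later code in the check path reads those fields it would silently see root (inferred — the rest of validateSecret is outside the hunk, and so is its start). I would make that contract explicit in place of `// we only access to the user/group during deployment`, e.g. `// Owner/group names are resolved only at deployment time (checkMode == Off); in check/sandbox mode the name service is not consulted and owner/group stay 0 and must not be used.`. As a style point, the moved error returns format the wrapped error with `%s` and quote names by hand; `return fmt.Errorf("lookup user %q: %w", secret.Owner, err)` keeps the cause inspectable with `errors.Is`/`errors.As` and shows an empty name clearly. The same applies to the group lookup and both `strconv.ParseUint` errors in this hunk.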
@ -24,31 +24,36 @@
|
|||
|
||||
pgp-keys = makeTest {
|
||||
name = "sops-pgp-keys";
|
||||
nodes.server = { pkgs, lib, ... }: {
|
||||
imports = [ ../../modules/sops ];
|
||||
sops.gnupgHome = "/run/gpghome";
|
||||
sops.defaultSopsFile = ./test-assets/secrets.yaml;
|
||||
sops.secrets.test_key.owner = "nobody";
|
||||
# must run before sops
|
||||
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
|
||||
cp -r ${./test-assets/gnupghome} /run/gpghome
|
||||
chmod -R 700 /run/gpghome
|
||||
'';
|
||||
# Useful for debugging
|
||||
#environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
|
||||
#environment.variables = {
|
||||
# GNUPGHOME = "/run/gpghome";
|
||||
# SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
|
||||
# SOPSFILE = "${./test-assets/secrets.yaml}";
|
||||
#};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
server.succeed("cat /run/secrets/test_key | grep -q test_value")
|
||||
server.succeed("runuser -u nobody -G keys -- cat /run/secrets/test_key >&2")
|
||||
# should have no permission to read the file
|
||||
server.fail("runuser -u nobody -- cat /run/secrets/test_key >&2")
|
||||
'';
|
||||
nodes.server = { pkgs, lib, config, ... }: {
|
||||
imports = [
|
||||
../../modules/sops
|
||||
];
|
||||
|
||||
users.users.someuser.isSystemUser = true;
|
||||
|
||||
sops.gnupgHome = "/run/gpghome";
|
||||
sops.defaultSopsFile = ./test-assets/secrets.yaml;
|
||||
sops.secrets.test_key.owner = config.users.users.someuser.name;
|
||||
# must run before sops
|
||||
system.activationScripts.gnupghome = lib.stringAfter [ "etc" ] ''
|
||||
cp -r ${./test-assets/gnupghome} /run/gpghome
|
||||
chmod -R 700 /run/gpghome
|
||||
'';
|
||||
# Useful for debugging
|
||||
#environment.systemPackages = [ pkgs.gnupg pkgs.sops ];
|
||||
#environment.variables = {
|
||||
# GNUPGHOME = "/run/gpghome";
|
||||
# SOPS_GPG_EXEC="${pkgs.gnupg}/bin/gpg";
|
||||
# SOPSFILE = "${./test-assets/secrets.yaml}";
|
||||
#};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
server.succeed("cat /run/secrets/test_key | grep -q test_value")
|
||||
server.succeed("runuser -u someuser -G keys -- cat /run/secrets/test_key >&2")
|
||||
# should have no permission to read the file
|
||||
server.fail("runuser -u someuser -- cat /run/secrets/test_key >&2")
|
||||
'';
|
||||
} {
|
||||
inherit pkgs;
|
||||
};
|
||||
|
|
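Review bot: `users.users.someuser.isSystemUser = true;` is declared without a `group`, and depending on the nixpkgs revision this test is evaluated against, NixOS asserts that a system user has an explicit primary group, which would make the test fail at evaluation rather than exercise the new sandbox validation. I would declare the group alongside the user, e.g. `users.users.someuser = { isSystemUser = true; group = "someuser"; };` and `users.groups.someuser = {};`. With that in place the `server.fail("runuser -u someuser -- cat …")` check still verifies that the secret is unreadable without the `keys` supplementary group, which is the permission property the test is guarding.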