clan-core/pkgs/clan-cli/tests/test_secrets_password_store.py

import subprocess
from pathlib import Path

import pytest
from cli import Cli
from fixtures_flakes import FlakeForTest
from validator import is_valid_ssh_key

from clan_cli.facts.secret_modules.password_store import SecretStore
from clan_cli.machines.facts import machine_get_fact
from clan_cli.machines.machines import Machine
from clan_cli.nix import nix_shell
from clan_cli.ssh import HostGroup


@pytest.mark.impure
def test_upload_secret(
    monkeypatch: pytest.MonkeyPatch,
    test_flake_with_core_and_pass: FlakeForTest,
    temporary_home: Path,
    host_group: HostGroup,
) -> None:
    monkeypatch.chdir(test_flake_with_core_and_pass.path)
    gnupghome = temporary_home / "gpg"
    gnupghome.mkdir(mode=0o700)
    monkeypatch.setenv("GNUPGHOME", str(gnupghome))
    monkeypatch.setenv("PASSWORD_STORE_DIR", str(temporary_home / "pass"))
    gpg_key_spec = temporary_home / "gpg_key_spec"
    gpg_key_spec.write_text(
        """
        Key-Type: 1
        Key-Length: 1024
        Name-Real: Root Superuser
        Name-Email: test@local
        Expire-Date: 0
        %no-protection
    """
    )
    cli = Cli()
    subprocess.run(
        nix_shell(
            ["nixpkgs#gnupg"], ["gpg", "--batch", "--gen-key", str(gpg_key_spec)]
        ),
        check=True,
    )
    subprocess.run(
        nix_shell(["nixpkgs#pass"], ["pass", "init", "test@local"]), check=True
    )
    cli.run(["facts", "generate", "vm1"])

    store = SecretStore(Machine(name="vm1", flake=test_flake_with_core_and_pass.path))

    network_id = machine_get_fact(
        test_flake_with_core_and_pass.path, "vm1", "zerotier-network-id"
    )
    assert len(network_id) == 16
    identity_secret = (
        temporary_home / "pass" / "machines" / "vm1" / "zerotier-identity-secret.gpg"
    )
    secret1_mtime = identity_secret.lstat().st_mtime_ns

    # test idempotency
    cli.run(["facts", "generate", "vm1"])
    assert identity_secret.lstat().st_mtime_ns == secret1_mtime
    flake = test_flake_with_core_and_pass.path.joinpath("flake.nix")
    host = host_group.hosts[0]
    addr = f"{host.user}@{host.host}:{host.port}?StrictHostKeyChecking=no&UserKnownHostsFile=/dev/null&IdentityFile={host.key}"
    new_text = flake.read_text().replace("__CLAN_TARGET_ADDRESS__", addr)
    flake.write_text(new_text)
    cli.run(["facts", "upload", "vm1"])
    zerotier_identity_secret = (
        test_flake_with_core_and_pass.path / "secrets" / "zerotier-identity-secret"
    )
    assert zerotier_identity_secret.exists()
    assert store.exists("", "zerotier-identity-secret")

    assert store.exists("", "password")
    assert store.exists("", "password-hash")
    assert store.exists("", "user-password")
    assert store.exists("", "user-password-hash")
    assert store.exists("", "ssh.id_ed25519")
    assert store.exists("", "zerotier-identity-secret")

    # Assert that the ssh key is valid
    ssh_secret = store.get("", "ssh.id_ed25519").decode()
    ssh_pub = machine_get_fact(
        test_flake_with_core_and_pass.path, "vm1", "ssh.id_ed25519.pub"
    )
    assert is_valid_ssh_key(ssh_secret, ssh_pub)

    # Assert that root-password is valid
    pwd_secret = store.get("", "password").decode()
    assert pwd_secret.isprintable()
    assert pwd_secret.isascii()
    pwd_hash = store.get("", "password-hash").decode()
    assert pwd_hash.isprintable()
    assert pwd_hash.isascii()

    # Assert that user-password is valid
    pwd_secret = store.get("", "user-password").decode()
    assert pwd_secret.isprintable()
    assert pwd_secret.isascii()
    pwd_hash = store.get("", "user-password-hash").decode()
    assert pwd_hash.isprintable()
    assert pwd_hash.isascii()
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`import subprocess`
			`from pathlib import Path`

			`import pytest`
			`from cli import Cli`
Fixed cyclic dependencie AND swapped pytest-parallel for pytest-xdist to fix deadlock in tests 2023-10-16 13:03:53 +00:00			`from fixtures_flakes import FlakeForTest`
clan-cli: Acutally test SecretStore for age and password-store. 2024-06-24 19:41:16 +00:00			`from validator import is_valid_ssh_key`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00
clan-cli: Acutally test SecretStore for age and password-store. 2024-06-24 19:41:16 +00:00			`from clan_cli.facts.secret_modules.password_store import SecretStore`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`from clan_cli.machines.facts import machine_get_fact`
clan-cli: Acutally test SecretStore for age and password-store. 2024-06-24 19:41:16 +00:00			`from clan_cli.machines.machines import Machine`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`from clan_cli.nix import nix_shell`
			`from clan_cli.ssh import HostGroup`


			`@pytest.mark.impure`
			`def test_upload_secret(`
			`monkeypatch: pytest.MonkeyPatch,`
Fixed cyclic dependencie AND swapped pytest-parallel for pytest-xdist to fix deadlock in tests 2023-10-16 13:03:53 +00:00			`test_flake_with_core_and_pass: FlakeForTest,`
Fixing a multitude of tests 2023-10-23 20:31:12 +00:00			`temporary_home: Path,`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`host_group: HostGroup,`
			`) -> None:`
Added flake_name:str argument everywhere, nix fmt doesn't complain anymore 2023-10-14 12:57:36 +00:00			`monkeypatch.chdir(test_flake_with_core_and_pass.path)`
Fixing a multitude of tests 2023-10-23 20:31:12 +00:00			`gnupghome = temporary_home / "gpg"`
test_secrets_password_store: create gpghome with save permissions 2023-10-04 17:56:18 +00:00			`gnupghome.mkdir(mode=0o700)`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`monkeypatch.setenv("GNUPGHOME", str(gnupghome))`
Fixing a multitude of tests 2023-10-23 20:31:12 +00:00			`monkeypatch.setenv("PASSWORD_STORE_DIR", str(temporary_home / "pass"))`
			`gpg_key_spec = temporary_home / "gpg_key_spec"`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`gpg_key_spec.write_text(`
			`"""`
			`Key-Type: 1`
			`Key-Length: 1024`
			`Name-Real: Root Superuser`
			`Name-Email: test@local`
			`Expire-Date: 0`
			`%no-protection`
			`"""`
			`)`
			`cli = Cli()`
			`subprocess.run(`
prefix nixpkgs# explicitly in nix_shell This makes the function usage less confusing (you can now tell from the call side what are flags and what is passed to nix-shell) and allows to use different flakes to download packages. 2023-12-08 14:00:11 +00:00			`nix_shell(`
			`["nixpkgs#gnupg"], ["gpg", "--batch", "--gen-key", str(gpg_key_spec)]`
			`),`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`check=True,`
			`)`
prefix nixpkgs# explicitly in nix_shell This makes the function usage less confusing (you can now tell from the call side what are flags and what is passed to nix-shell) and allows to use different flakes to download packages. 2023-12-08 14:00:11 +00:00			`subprocess.run(`
			`nix_shell(["nixpkgs#pass"], ["pass", "init", "test@local"]), check=True`
			`)`
refactor secrets & facts -> secret_facts & public_facts 2024-03-23 04:05:31 +00:00			`cli.run(["facts", "generate", "vm1"])`
clan-cli: Acutally test SecretStore for age and password-store. 2024-06-24 19:41:16 +00:00
			`store = SecretStore(Machine(name="vm1", flake=test_flake_with_core_and_pass.path))`

Added flake_name:str argument everywhere, nix fmt doesn't complain anymore 2023-10-14 12:57:36 +00:00			`network_id = machine_get_fact(`
clan_cli: flake_name -> flake_dir 2023-11-15 13:28:40 +00:00			`test_flake_with_core_and_pass.path, "vm1", "zerotier-network-id"`
Added flake_name:str argument everywhere, nix fmt doesn't complain anymore 2023-10-14 12:57:36 +00:00			`)`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`assert len(network_id) == 16`
			`identity_secret = (`
Fixing a multitude of tests 2023-10-23 20:31:12 +00:00			`temporary_home / "pass" / "machines" / "vm1" / "zerotier-identity-secret.gpg"`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`)`
			`secret1_mtime = identity_secret.lstat().st_mtime_ns`

			`# test idempotency`
refactor secrets & facts -> secret_facts & public_facts 2024-03-23 04:05:31 +00:00			`cli.run(["facts", "generate", "vm1"])`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`assert identity_secret.lstat().st_mtime_ns == secret1_mtime`
Added flake_name:str argument everywhere, nix fmt doesn't complain anymore 2023-10-14 12:57:36 +00:00			`flake = test_flake_with_core_and_pass.path.joinpath("flake.nix")`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`host = host_group.hosts[0]`
			`addr = f"{host.user}@{host.host}:{host.port}?StrictHostKeyChecking=no&UserKnownHostsFile=/dev/null&IdentityFile={host.key}"`
rename deployment address to target address This is a prepares having a build server for deployment 2024-02-02 04:32:48 +00:00			`new_text = flake.read_text().replace("__CLAN_TARGET_ADDRESS__", addr)`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`flake.write_text(new_text)`
refactor secrets & facts -> secret_facts & public_facts 2024-03-23 04:05:31 +00:00			`cli.run(["facts", "upload", "vm1"])`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`zerotier_identity_secret = (`
Added flake_name:str argument everywhere, nix fmt doesn't complain anymore 2023-10-14 12:57:36 +00:00			`test_flake_with_core_and_pass.path / "secrets" / "zerotier-identity-secret"`
tests: add test_secrets_password_store 2023-09-29 16:31:05 +00:00			`)`
			`assert zerotier_identity_secret.exists()`
clan-cli: Acutally test SecretStore for age and password-store. 2024-06-24 19:41:16 +00:00			`assert store.exists("", "zerotier-identity-secret")`

			`assert store.exists("", "password")`
			`assert store.exists("", "password-hash")`
			`assert store.exists("", "user-password")`
			`assert store.exists("", "user-password-hash")`
			`assert store.exists("", "ssh.id_ed25519")`
			`assert store.exists("", "zerotier-identity-secret")`

			`# Assert that the ssh key is valid`
			`ssh_secret = store.get("", "ssh.id_ed25519").decode()`
			`ssh_pub = machine_get_fact(`
			`test_flake_with_core_and_pass.path, "vm1", "ssh.id_ed25519.pub"`
			`)`
			`assert is_valid_ssh_key(ssh_secret, ssh_pub)`

			`# Assert that root-password is valid`
			`pwd_secret = store.get("", "password").decode()`
			`assert pwd_secret.isprintable()`
			`assert pwd_secret.isascii()`
			`pwd_hash = store.get("", "password-hash").decode()`
			`assert pwd_hash.isprintable()`
			`assert pwd_hash.isascii()`

			`# Assert that user-password is valid`
			`pwd_secret = store.get("", "user-password").decode()`
			`assert pwd_secret.isprintable()`
			`assert pwd_secret.isascii()`
			`pwd_hash = store.get("", "user-password-hash").decode()`
			`assert pwd_hash.isprintable()`
			`assert pwd_hash.isascii()`