From 38c02334969ad916672102db6ea54ba49188289c Mon Sep 17 00:00:00 2001
From: Qubasa
Date: Mon, 24 Jun 2024 20:08:02 +0200
Subject: [PATCH] clan-cli: Fix user-password without user-prompt. Remove newlines from user-password and root-password. Improve test_generate_secret
---
 clanModules/root-password/default.nix | 4 ++--
 clanModules/user-password/default.nix | 8 ++++----
 .../tests/test_flake_with_core/flake.nix | 3 +++
 pkgs/clan-cli/tests/test_secrets_generate.py | 19 +++++++++++++++++--
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/clanModules/root-password/default.nix b/clanModules/root-password/default.nix
index ca512e60..38cc9f89 100644
--- a/clanModules/root-password/default.nix
+++ b/clanModules/root-password/default.nix
@@ -13,8 +13,8 @@
       mkpasswd
     ];
     generator.script = ''
-      xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/password
-      cat $secrets/password | mkpasswd -s -m sha-512 > $secrets/password-hash
+      xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/password
+      cat $secrets/password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/password-hash
     '';
   };
 }
diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix
index 6fd650ff..f76c7f39 100644
--- a/clanModules/user-password/default.nix
+++ b/clanModules/user-password/default.nix
@@ -37,12 +37,12 @@
         mkpasswd
       ];
       generator.script = ''
-        if [[ -n $prompt_value ]]; then
-          echo $prompt_value | tr -d '\n' > $secrets/user-password
+        if [[ -n ''${prompt_value-} ]]; then
+          echo $prompt_value | tr -d "\n" > $secrets/user-password
         else
-          xkcdpass --numwords 3 --delimiter - --count 1 | tr -d '\n' > $secrets/user-password
+          xkcdpass --numwords 3 --delimiter - --count 1 | tr -d "\n" > $secrets/user-password
         fi
-        cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
+        cat $secrets/user-password | mkpasswd -s -m sha-512 | tr -d "\n" > $secrets/user-password-hash
       '';
     };
   };
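Review bot: In the root-password hunk, `mkpasswd -s -m sha-512` is run with no `--rounds`, so the root hash is produced at crypt(3)'s default SHA-512 work factor (5000 rounds), which is on the weak side for an /etc/shadow entry an attacker with disk or backup access can crack offline; `mkpasswd -s -m sha-512 --rounds 500000`, or `-m yescrypt` if the target NixOS release's libxcrypt accepts it, would raise the cost at no operational expense. Nothing in the hunk guards the pipeline either: if `xkcdpass` fails, `tr` still exits 0, an empty password file is written, and the next line hashes an empty string — unless the generator runner already executes the script under `set -euo pipefail`, which is not visible here and is worth confirming. `mkpasswd -s -m sha-512 < "$secrets/password" | tr -d "\n" > "$secrets/password-hash"` also drops the needless `cat` and quotes the path.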
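Review bot: In the user-password hunk, the prompted value is still written through an unquoted `echo $prompt_value`, so a password containing runs of spaces is collapsed by word splitting, one containing `*` or `?` is glob-expanded against the working directory, and one beginning with `-n` or `-e` is consumed as an echo option — the file then holds something other than what the user typed, and the hash on the last line is computed from that altered value. `printf '%s' "$prompt_value" | tr -d "\n" > "$secrets/user-password"` writes the value verbatim (keep the `tr` only if stripping embedded newlines is intended). The `''${prompt_value-}` guard is the right fix for the unset-under-`set -u` case; the `else` branch is unaffected since xkcdpass emits only word characters and `-`.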
diff --git a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
index cafe8978..140deea7 100644
--- a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
+++ b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix
@@ -41,7 +41,10 @@
         imports = [
           clan-core.clanModules.sshd
           clan-core.clanModules.root-password
+          clan-core.clanModules.user-password
         ];
+        clan.user-password.user = "alice";
+        clan.user-password.prompt = false;
         clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__";
         system.stateVersion = lib.version;
         sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__";
diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py
index 326a9bb1..1306cc35 100644
--- a/pkgs/clan-cli/tests/test_secrets_generate.py
+++ b/pkgs/clan-cli/tests/test_secrets_generate.py
@@ -83,6 +83,7 @@ def test_generate_secret(
 
     # Assert that the age key is valid
     age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
+    assert age_secret.isprintable()
     assert is_valid_age_key(age_secret)
 
     # # Assert that the ssh key is valid
@@ -100,6 +101,9 @@ def test_generate_secret(
     ).exists()
 
     assert has_secret(test_flake_with_core.path, "vm2-password")
+    assert has_secret(test_flake_with_core.path, "vm2-password-hash")
+    assert has_secret(test_flake_with_core.path, "vm2-user-password")
+    assert has_secret(test_flake_with_core.path, "vm2-user-password-hash")
     assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
     assert has_secret(test_flake_with_core.path, "vm2-age.key")
     assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret")
@@ -109,6 +113,7 @@ def test_generate_secret(
 
     # Assert that the age key is valid
     age_secret = decrypt_secret(test_flake_with_core.path, "vm2-age.key")
+    assert age_secret.isprintable()
     assert is_valid_age_key(age_secret)
 
     # Assert that the ssh key is valid
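Review bot: In the `@@ -83,6 +83,7` hunk the new `assert age_secret.isprintable()` is what actually pins the no-trailing-newline contract this commit is about, because `str.isprintable()` is False for any string containing `"\n"`, yet nothing says so and a later reader may take it for a cosmetic check and drop it. A comment such as `# isprintable() rejects "\n", so this also asserts the generator stripped the trailing newline` would make the intent explicit; the same applies to the identical assertion added in the `@@ -109,6 +113,7` hunk. `test_generate_secret` starts before these hunks.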
@@ -116,8 +121,18 @@ def test_generate_secret(
 
     ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub")
     assert is_valid_ssh_key(ssh_secret, ssh_pub)
+    # Assert that root-password is valid
     pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password")
-    # remove last newline
-    pwd_secret = pwd_secret[:-1]
     assert pwd_secret.isprintable()
     assert pwd_secret.isascii()
+    pwd_hash = decrypt_secret(test_flake_with_core.path, "vm2-password-hash")
+    assert pwd_hash.isprintable()
+    assert pwd_hash.isascii()
+
+    # Assert that user-password is valid
+    pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-user-password")
+    assert pwd_secret.isprintable()
+    assert pwd_secret.isascii()
+    pwd_hash = decrypt_secret(test_flake_with_core.path, "vm2-user-password-hash")
+    assert pwd_hash.isprintable()
+    assert pwd_hash.isascii()
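Review bot: The new hash checks only assert that `vm2-password-hash` and `vm2-user-password-hash` are printable ASCII, which a hash of the wrong file, or of an empty string, satisfies just as well; the property the commit cares about — that the stored hash corresponds to the newline-free password — is never verified. A cheap strengthening is `assert pwd_hash.startswith("$6$")` after each `pwd_hash = decrypt_secret(...)`, since `mkpasswd -m sha-512` emits that prefix, and on interpreters that still ship the `crypt` module (deprecated in 3.11, removed in 3.13) `assert crypt.crypt(pwd_secret, pwd_hash) == pwd_hash` ties the hash to the plaintext. Reusing `pwd_secret`/`pwd_hash` for both the root and the user password also leaves a failing assertion message ambiguous about which one broke; `root_pwd`/`user_pwd` (and matching hash names) would make the report self-explanatory. `test_generate_secret` starts before this hunk.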