From 8038a9b488928db1bc7b4857bb4591374e2e7368 Mon Sep 17 00:00:00 2001 From: Qubasa Date: Fri, 21 Jun 2024 16:37:52 +0200 Subject: [PATCH 1/4] clan-cli: Add validity check for ssh stash --- clanModules/user-password/default.nix | 4 +- .../tests/test_flake_with_core/flake.nix | 9 +++ pkgs/clan-cli/tests/test_secrets_generate.py | 56 ++++++++++++++++--- 3 files changed, 60 insertions(+), 9 deletions(-) diff --git a/clanModules/user-password/default.nix b/clanModules/user-password/default.nix index 74c5bdf5..6fd650ff 100644 --- a/clanModules/user-password/default.nix +++ b/clanModules/user-password/default.nix @@ -38,9 +38,9 @@ ]; generator.script = '' if [[ -n $prompt_value ]]; then - echo $prompt_value > $secrets/user-password + echo $prompt_value | tr -d '\n' > $secrets/user-password else - xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password + xkcdpass --numwords 3 --delimiter - --count 1 | tr -d '\n' > $secrets/user-password fi cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash ''; diff --git a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix index 5d2e6ec1..25a48fa2 100644 --- a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix +++ b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix @@ -15,6 +15,11 @@ vm1 = { lib, ... }: { + imports = [ + clan-core.clanModules.sshd + clan-core.clanModules.root-password + ]; + clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__"; system.stateVersion = lib.version; sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__"; @@ -38,6 +43,10 @@ vm2 = { lib, ... }: { + imports = [ + clan-core.clanModules.sshd + clan-core.clanModules.root-password + ]; clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__"; system.stateVersion = lib.version; sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__"; diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index 50dccfeb..55ae9c94 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py @@ -1,4 +1,6 @@ import ipaddress +import subprocess +import tempfile from typing import TYPE_CHECKING import pytest @@ -14,6 +16,26 @@ if TYPE_CHECKING: from age_keys import KeyPair +def is_valid_ssh_key(secret_key: str, ssh_pub: str) -> bool: + # create tempfile and write secret_key to it + with tempfile.NamedTemporaryFile() as temp: + temp.write(secret_key.encode("utf-8")) + temp.flush() + # Run the ssh-keygen command with the -y flag to check the key format + result = subprocess.run( + ["ssh-keygen", "-y", "-f", temp.name], capture_output=True, text=True + ) + + if result.returncode == 0: + if result.stdout != ssh_pub: + raise ValueError( + f"Expected '{ssh_pub}' got '{result.stdout}' for ssh key: {secret_key}" + ) + return True + else: + raise ValueError(f"Invalid ssh key: {secret_key}") + + @pytest.mark.impure def test_generate_secret( monkeypatch: pytest.MonkeyPatch, @@ -47,9 +69,10 @@ def test_generate_secret( ) cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"] cli.run(cmd) - has_secret(test_flake_with_core.path, "vm1-age.key") - has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") - has_secret(test_flake_with_core.path, "vm1-zerotier-subnet") + assert has_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") + assert has_secret(test_flake_with_core.path, "vm1-password") + assert has_secret(test_flake_with_core.path, "vm1-age.key") + assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") network_id = machine_get_fact( test_flake_with_core.path, "vm1", "zerotier-network-id" ) @@ -61,8 +84,20 @@ def test_generate_secret( secret1_mtime = identity_secret.lstat().st_mtime_ns # Assert that the age key is valid - age_secert = decrypt_secret(test_flake_with_core.path, "vm1-age.key") - assert is_valid_age_key(age_secert) + age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key") + assert is_valid_age_key(age_secret) + + # Assert that the ssh key is valid + ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") + ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub") + assert is_valid_ssh_key(ssh_secret, ssh_pub) + + pwd_secret = decrypt_secret(test_flake_with_core.path, "vm1-password") + # remove last newline + pwd_secret = pwd_secret[:-1] + assert pwd_secret.isprintable() + assert pwd_secret.isascii() + # test idempotency for vm1 and also generate for vm2 cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)]) @@ -73,11 +108,18 @@ def test_generate_secret( secrets_folder / "vm1-zerotier-identity-secret" / "machines" / "vm1" ).exists() + assert has_secret(test_flake_with_core.path, "vm2-password") + assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") assert has_secret(test_flake_with_core.path, "vm2-age.key") assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret") ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip") assert ipaddress.IPv6Address(ip).is_private # Assert that the age key is valid - age_secert = decrypt_secret(test_flake_with_core.path, "vm2-age.key") - assert is_valid_age_key(age_secert) + age_secret = decrypt_secret(test_flake_with_core.path, "vm2-age.key") + assert is_valid_age_key(age_secret) + + # Assert that the ssh key is valid + ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") + ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub") + assert is_valid_ssh_key(ssh_secret, ssh_pub) From fdd7ac7bbf281a6a25cd54f087a7b51b4c06839b Mon Sep 17 00:00:00 2001 From: Qubasa Date: Mon, 24 Jun 2024 12:40:32 +0200 Subject: [PATCH 2/4] Add repro-hook to .gitignore --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index c067f854..edc3e7ce 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ out.log .coverage.* **/qubeclan +pkgs/repro-hook **/testdir democlan example_clan @@ -35,4 +36,4 @@ repo # node node_modules dist -.webui \ No newline at end of file +.webui From 88f97bd2b630784448dd1ee9f3c4cf59c6f71af1 Mon Sep 17 00:00:00 2001 From: Qubasa Date: Mon, 24 Jun 2024 19:02:04 +0200 Subject: [PATCH 3/4] Fixed Contributing.md guide --- docs/CONTRIBUTING.md | 13 ++++++++++--- pkgs/clan-cli/tests/test_secrets_generate.py | 1 - 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 864caa18..38dabaec 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -44,6 +44,14 @@ Let's get your development environment up and running: ```bash git remote add upstream gitea@git.clan.lol:clan/clan-core.git ``` +5. **Create an access token**: + - Log in to Gitea. + - Go to your account settings. + - Navigate to the Applications section. + - Click Generate New Token. + - Name your token and select all available scopes. + - Generate the token and copy it for later use. + - Your access token is now ready to use with all permissions. 5. **Register Your Gitea Account Locally**: @@ -54,9 +62,8 @@ Let's get your development environment up and running: - Fill out the prompt as follows: - URL of Gitea instance: `https://git.clan.lol` - Name of new Login [git.clan.lol]: - - Do you have an access token? No - - Username: YourUsername - - Password: YourPassword + - Do you have an access token? Yes + - Token: - Set Optional settings: No diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index 55ae9c94..05e75916 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py @@ -98,7 +98,6 @@ def test_generate_secret( assert pwd_secret.isprintable() assert pwd_secret.isascii() - # test idempotency for vm1 and also generate for vm2 cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)]) assert age_key.lstat().st_mtime_ns == age_key_mtime From eac869dde5cf41c7cd3f3e9814a2d01fc31ef10d Mon Sep 17 00:00:00 2001 From: Qubasa Date: Mon, 24 Jun 2024 19:20:50 +0200 Subject: [PATCH 4/4] Fix run_vm test nix fmt --- .../tests/test_flake_with_core/flake.nix | 5 ---- pkgs/clan-cli/tests/test_secrets_generate.py | 23 +++++++++---------- 2 files changed, 11 insertions(+), 17 deletions(-) diff --git a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix index 25a48fa2..cafe8978 100644 --- a/pkgs/clan-cli/tests/test_flake_with_core/flake.nix +++ b/pkgs/clan-cli/tests/test_flake_with_core/flake.nix @@ -15,11 +15,6 @@ vm1 = { lib, ... }: { - imports = [ - clan-core.clanModules.sshd - clan-core.clanModules.root-password - ]; - clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__"; system.stateVersion = lib.version; sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__"; diff --git a/pkgs/clan-cli/tests/test_secrets_generate.py b/pkgs/clan-cli/tests/test_secrets_generate.py index 05e75916..326a9bb1 100644 --- a/pkgs/clan-cli/tests/test_secrets_generate.py +++ b/pkgs/clan-cli/tests/test_secrets_generate.py @@ -69,8 +69,6 @@ def test_generate_secret( ) cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"] cli.run(cmd) - assert has_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") - assert has_secret(test_flake_with_core.path, "vm1-password") assert has_secret(test_flake_with_core.path, "vm1-age.key") assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") network_id = machine_get_fact( @@ -87,16 +85,10 @@ def test_generate_secret( age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key") assert is_valid_age_key(age_secret) - # Assert that the ssh key is valid - ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") - ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub") - assert is_valid_ssh_key(ssh_secret, ssh_pub) - - pwd_secret = decrypt_secret(test_flake_with_core.path, "vm1-password") - # remove last newline - pwd_secret = pwd_secret[:-1] - assert pwd_secret.isprintable() - assert pwd_secret.isascii() + # # Assert that the ssh key is valid + # ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") + # ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub") + # assert is_valid_ssh_key(ssh_secret, ssh_pub) # test idempotency for vm1 and also generate for vm2 cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)]) @@ -111,6 +103,7 @@ def test_generate_secret( assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") assert has_secret(test_flake_with_core.path, "vm2-age.key") assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret") + ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip") assert ipaddress.IPv6Address(ip).is_private @@ -122,3 +115,9 @@ def test_generate_secret( ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub") assert is_valid_ssh_key(ssh_secret, ssh_pub) + + pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password") + # remove last newline + pwd_secret = pwd_secret[:-1] + assert pwd_secret.isprintable() + assert pwd_secret.isascii()