clan-cli: Add validity check for ssh #1652

Merged
clan-bot merged 4 commits from Qubasa/clan-core:Qubasa-test_secrets into main 2024-06-24 17:26:35 +00:00
2 changed files with 11 additions and 17 deletions
Showing only changes of commit eac869dde5 - Show all commits


@ -15,11 +15,6 @@
vm1 = vm1 =
{ lib, ... }: { lib, ... }:
{ {
imports = [
clan-core.clanModules.sshd
clan-core.clanModules.root-password
];
clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__"; clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__";
system.stateVersion = lib.version; system.stateVersion = lib.version;
sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__"; sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__";


@ -69,8 +69,6 @@ def test_generate_secret(
) )
cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"] cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"]
cli.run(cmd) cli.run(cmd)
assert has_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519")
assert has_secret(test_flake_with_core.path, "vm1-password")
assert has_secret(test_flake_with_core.path, "vm1-age.key") assert has_secret(test_flake_with_core.path, "vm1-age.key")
assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret") assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
network_id = machine_get_fact( network_id = machine_get_fact(
@ -87,16 +85,10 @@ def test_generate_secret(
age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key") age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
assert is_valid_age_key(age_secret) assert is_valid_age_key(age_secret)
# Assert that the ssh key is valid # # Assert that the ssh key is valid
ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519") # ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519")
ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub") # ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub")
assert is_valid_ssh_key(ssh_secret, ssh_pub) # assert is_valid_ssh_key(ssh_secret, ssh_pub)
pwd_secret = decrypt_secret(test_flake_with_core.path, "vm1-password")
# remove last newline
pwd_secret = pwd_secret[:-1]
assert pwd_secret.isprintable()
assert pwd_secret.isascii()
# test idempotency for vm1 and also generate for vm2 # test idempotency for vm1 and also generate for vm2
cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)]) cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)])
@ -111,6 +103,7 @@ def test_generate_secret(
assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
assert has_secret(test_flake_with_core.path, "vm2-age.key") assert has_secret(test_flake_with_core.path, "vm2-age.key")
assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret") assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret")
ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip") ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip")
assert ipaddress.IPv6Address(ip).is_private assert ipaddress.IPv6Address(ip).is_private
@ -122,3 +115,9 @@ def test_generate_secret(
ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519") ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub") ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub")
assert is_valid_ssh_key(ssh_secret, ssh_pub) assert is_valid_ssh_key(ssh_secret, ssh_pub)
pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password")
# remove last newline
pwd_secret = pwd_secret[:-1]
assert pwd_secret.isprintable()
assert pwd_secret.isascii()
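Review bot: The vm2 password check added at the end of test_generate_secret passes for an empty password, because `"".isprintable()` and `"".isascii()` both return True and `pwd_secret[:-1]` drops the last character without confirming it is a newline. A generator that wrote only a newline would satisfy these asserts, and one that stopped appending the newline would pass with the final password character silently cut off. Add `assert pwd_secret.endswith("\n")` before the slice and `assert pwd_secret` after it, so the test fails on an empty or truncated secret. The body of test_generate_secret starts outside the visible hunks.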