clan-cli: Add validity check for ssh #1652
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -3,6 +3,7 @@
|
|||
out.log
|
||||
.coverage.*
|
||||
**/qubeclan
|
||||
pkgs/repro-hook
|
||||
**/testdir
|
||||
democlan
|
||||
example_clan
|
||||
|
@ -35,4 +36,4 @@ repo
|
|||
# node
|
||||
node_modules
|
||||
dist
|
||||
.webui
|
||||
.webui
|
||||
|
|
|
@ -38,9 +38,9 @@
|
|||
];
|
||||
generator.script = ''
|
||||
if [[ -n $prompt_value ]]; then
|
||||
echo $prompt_value > $secrets/user-password
|
||||
echo $prompt_value | tr -d '\n' > $secrets/user-password
|
||||
else
|
||||
xkcdpass --numwords 3 --delimiter - --count 1 > $secrets/user-password
|
||||
xkcdpass --numwords 3 --delimiter - --count 1 | tr -d '\n' > $secrets/user-password
|
||||
fi
|
||||
cat $secrets/user-password | mkpasswd -s -m sha-512 > $secrets/user-password-hash
|
||||
'';
|
||||
|
|
|
@ -44,6 +44,14 @@ Let's get your development environment up and running:
|
|||
```bash
|
||||
git remote add upstream gitea@git.clan.lol:clan/clan-core.git
|
||||
```
|
||||
5. **Create an access token**:
|
||||
- Log in to Gitea.
|
||||
- Go to your account settings.
|
||||
- Navigate to the Applications section.
|
||||
- Click Generate New Token.
|
||||
- Name your token and select all available scopes.
|
||||
- Generate the token and copy it for later use.
|
||||
- Your access token is now ready to use with all permissions.
|
||||
|
||||
5. **Register Your Gitea Account Locally**:
|
||||
|
||||
|
@ -54,9 +62,8 @@ Let's get your development environment up and running:
|
|||
- Fill out the prompt as follows:
|
||||
- URL of Gitea instance: `https://git.clan.lol`
|
||||
- Name of new Login [git.clan.lol]:
|
||||
- Do you have an access token? No
|
||||
- Username: YourUsername
|
||||
- Password: YourPassword
|
||||
- Do you have an access token? Yes
|
||||
- Token: <yourtoken>
|
||||
- Set Optional settings: No
|
||||
|
||||
|
||||
|
|
|
@ -38,6 +38,10 @@
|
|||
vm2 =
|
||||
{ lib, ... }:
|
||||
{
|
||||
imports = [
|
||||
clan-core.clanModules.sshd
|
||||
clan-core.clanModules.root-password
|
||||
];
|
||||
clan.networking.targetHost = "__CLAN_TARGET_ADDRESS__";
|
||||
system.stateVersion = lib.version;
|
||||
sops.age.keyFile = "__CLAN_SOPS_KEY_PATH__";
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
import ipaddress
|
||||
import subprocess
|
||||
import tempfile
|
||||
from typing import TYPE_CHECKING
|
||||
|
||||
import pytest
|
||||
|
@ -14,6 +16,26 @@ if TYPE_CHECKING:
|
|||
from age_keys import KeyPair
|
||||
|
||||
|
||||
def is_valid_ssh_key(secret_key: str, ssh_pub: str) -> bool:
|
||||
# create tempfile and write secret_key to it
|
||||
with tempfile.NamedTemporaryFile() as temp:
|
||||
temp.write(secret_key.encode("utf-8"))
|
||||
temp.flush()
|
||||
# Run the ssh-keygen command with the -y flag to check the key format
|
||||
result = subprocess.run(
|
||||
["ssh-keygen", "-y", "-f", temp.name], capture_output=True, text=True
|
||||
)
|
||||
|
||||
if result.returncode == 0:
|
||||
if result.stdout != ssh_pub:
|
||||
raise ValueError(
|
||||
f"Expected '{ssh_pub}' got '{result.stdout}' for ssh key: {secret_key}"
|
||||
)
|
||||
return True
|
||||
else:
|
||||
raise ValueError(f"Invalid ssh key: {secret_key}")
|
||||
|
||||
|
||||
@pytest.mark.impure
|
||||
def test_generate_secret(
|
||||
monkeypatch: pytest.MonkeyPatch,
|
||||
|
@ -47,9 +69,8 @@ def test_generate_secret(
|
|||
)
|
||||
cmd = ["facts", "generate", "--flake", str(test_flake_with_core.path), "vm1"]
|
||||
cli.run(cmd)
|
||||
has_secret(test_flake_with_core.path, "vm1-age.key")
|
||||
has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
|
||||
has_secret(test_flake_with_core.path, "vm1-zerotier-subnet")
|
||||
assert has_secret(test_flake_with_core.path, "vm1-age.key")
|
||||
assert has_secret(test_flake_with_core.path, "vm1-zerotier-identity-secret")
|
||||
network_id = machine_get_fact(
|
||||
test_flake_with_core.path, "vm1", "zerotier-network-id"
|
||||
)
|
||||
|
@ -61,8 +82,13 @@ def test_generate_secret(
|
|||
secret1_mtime = identity_secret.lstat().st_mtime_ns
|
||||
|
||||
# Assert that the age key is valid
|
||||
age_secert = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
|
||||
assert is_valid_age_key(age_secert)
|
||||
age_secret = decrypt_secret(test_flake_with_core.path, "vm1-age.key")
|
||||
assert is_valid_age_key(age_secret)
|
||||
|
||||
# # Assert that the ssh key is valid
|
||||
# ssh_secret = decrypt_secret(test_flake_with_core.path, "vm1-ssh.id_ed25519")
|
||||
# ssh_pub = machine_get_fact(test_flake_with_core.path, "vm1", "ssh.id_ed25519.pub")
|
||||
# assert is_valid_ssh_key(ssh_secret, ssh_pub)
|
||||
|
||||
# test idempotency for vm1 and also generate for vm2
|
||||
cli.run(["facts", "generate", "--flake", str(test_flake_with_core.path)])
|
||||
|
@ -73,11 +99,25 @@ def test_generate_secret(
|
|||
secrets_folder / "vm1-zerotier-identity-secret" / "machines" / "vm1"
|
||||
).exists()
|
||||
|
||||
assert has_secret(test_flake_with_core.path, "vm2-password")
|
||||
assert has_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
|
||||
assert has_secret(test_flake_with_core.path, "vm2-age.key")
|
||||
assert has_secret(test_flake_with_core.path, "vm2-zerotier-identity-secret")
|
||||
|
||||
ip = machine_get_fact(test_flake_with_core.path, "vm1", "zerotier-ip")
|
||||
assert ipaddress.IPv6Address(ip).is_private
|
||||
|
||||
# Assert that the age key is valid
|
||||
age_secert = decrypt_secret(test_flake_with_core.path, "vm2-age.key")
|
||||
assert is_valid_age_key(age_secert)
|
||||
age_secret = decrypt_secret(test_flake_with_core.path, "vm2-age.key")
|
||||
assert is_valid_age_key(age_secret)
|
||||
|
||||
# Assert that the ssh key is valid
|
||||
ssh_secret = decrypt_secret(test_flake_with_core.path, "vm2-ssh.id_ed25519")
|
||||
ssh_pub = machine_get_fact(test_flake_with_core.path, "vm2", "ssh.id_ed25519.pub")
|
||||
assert is_valid_ssh_key(ssh_secret, ssh_pub)
|
||||
|
||||
pwd_secret = decrypt_secret(test_flake_with_core.path, "vm2-password")
|
||||
# remove last newline
|
||||
pwd_secret = pwd_secret[:-1]
|
||||
assert pwd_secret.isprintable()
|
||||
assert pwd_secret.isascii()
|
||||
|
|
Loading…
Reference in New Issue
Block a user