96cc83437b
This rabbit hole of a task lead me to: - Introduce a hardcoded secret module that is a secret provider for tests. - Update LDAP and SSO modules to use the secret contract. - Refactor the replaceSecrets library function to correctly fail when a secret file could not be read.
294 lines
9.6 KiB
Nix
294 lines
9.6 KiB
Nix
{ pkgs, lib }:
|
|
let
|
|
inherit (builtins) isAttrs hasAttr;
|
|
inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList;
|
|
in
|
|
rec {
|
|
# Replace secrets in a file.
|
|
# - userConfig is an attrset that will produce a config file.
|
|
# - resultPath is the location the config file should have on the filesystem.
|
|
# - generator is a function taking two arguments name and value and returning path in the nix
|
|
# nix store where the
|
|
replaceSecrets = { userConfig, resultPath, generator, user ? null, permissions ? "u=r,g=r,o=" }:
|
|
let
|
|
configWithTemplates = withReplacements userConfig;
|
|
|
|
nonSecretConfigFile = generator "template" configWithTemplates;
|
|
|
|
replacements = getReplacements userConfig;
|
|
in
|
|
replaceSecretsScript {
|
|
file = nonSecretConfigFile;
|
|
inherit resultPath replacements;
|
|
inherit user permissions;
|
|
};
|
|
|
|
replaceSecretsFormatAdapter = format: format.generate;
|
|
replaceSecretsGeneratorAdapter = generator: name: value: pkgs.writeText "generator " (generator value);
|
|
|
|
template = file: newPath: replacements: replaceSecretsScript {
|
|
inherit file replacements;
|
|
resultPath = newPath;
|
|
};
|
|
|
|
replaceSecretsScript = { file, resultPath, replacements, user ? null, permissions ? "u=r,g=r,o=" }:
|
|
let
|
|
templatePath = resultPath + ".template";
|
|
|
|
t = { transform ? null, ... }: if isNull transform then x: x else transform;
|
|
|
|
genReplacement = secret:
|
|
lib.attrsets.nameValuePair (secretName secret.name) ((t secret) "$(cat ${toString secret.source})");
|
|
|
|
# We check that the files containing the secrets have the
|
|
# correct permissions for us to read them in this separate
|
|
# step. Otherwise, the $(cat ...) commands inside the sed
|
|
# replacements could fail but not fail individually but
|
|
# not fail the whole script.
|
|
checkPermissions = concatMapStringsSep "\n" (pattern: "cat ${pattern.source} > /dev/null") replacements;
|
|
|
|
sedPatterns = concatMapStringsSep " " (pattern: "-e \"s|${pattern.name}|${pattern.value}|\"") (map genReplacement replacements);
|
|
|
|
sedCmd = if replacements == []
|
|
then "cat"
|
|
else "${pkgs.gnused}/bin/sed ${sedPatterns}";
|
|
in
|
|
''
|
|
set -euo pipefail
|
|
|
|
${checkPermissions}
|
|
|
|
mkdir -p $(dirname ${templatePath})
|
|
ln -fs ${file} ${templatePath}
|
|
rm -f ${resultPath}
|
|
touch ${resultPath}
|
|
'' + (lib.optionalString (user != null) ''
|
|
chown ${user} ${resultPath}
|
|
'') + ''
|
|
${sedCmd} ${templatePath} > ${resultPath}
|
|
chmod ${permissions} ${resultPath}
|
|
'';
|
|
|
|
secretFileType = lib.types.submodule {
|
|
options = {
|
|
source = lib.mkOption {
|
|
type = lib.types.path;
|
|
description = "File containing the value.";
|
|
};
|
|
|
|
transform = lib.mkOption {
|
|
type = lib.types.raw;
|
|
description = "An optional function to transform the secret.";
|
|
default = null;
|
|
example = lib.literalExpression ''
|
|
v: "prefix-$${v}-suffix"
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
secretName = names:
|
|
"%SECRET${lib.strings.toUpper (lib.strings.concatMapStrings (s: "_" + s) names)}%";
|
|
|
|
withReplacements = attrs:
|
|
let
|
|
valueOrReplacement = name: value:
|
|
if !(builtins.isAttrs value && value ? "source")
|
|
then value
|
|
else secretName name;
|
|
in
|
|
mapAttrsRecursiveCond (v: ! v ? "source") valueOrReplacement attrs;
|
|
|
|
getReplacements = attrs:
|
|
let
|
|
addNameField = name: value:
|
|
if !(builtins.isAttrs value && value ? "source")
|
|
then value
|
|
else value // { name = name; };
|
|
|
|
secretsWithName = mapAttrsRecursiveCond (v: ! v ? "source") addNameField attrs;
|
|
in
|
|
collect (v: builtins.isAttrs v && v ? "source") secretsWithName;
|
|
|
|
# Inspired lib.attrsets.mapAttrsRecursiveCond but also recurses on lists.
|
|
mapAttrsRecursiveCond =
|
|
# A function, given the attribute set the recursion is currently at, determine if to recurse deeper into that attribute set.
|
|
cond:
|
|
# A function, given a list of attribute names and a value, returns a new value.
|
|
f:
|
|
# Attribute set or list to recursively map over.
|
|
set:
|
|
let
|
|
recurse = path: val:
|
|
if builtins.isAttrs val && cond val
|
|
then lib.attrsets.mapAttrs (n: v: recurse (path ++ [n]) v) val
|
|
else if builtins.isList val && cond val
|
|
then lib.lists.imap0 (i: v: recurse (path ++ [(builtins.toString i)]) v) val
|
|
else f path val;
|
|
in recurse [] set;
|
|
|
|
# Like lib.attrsets.collect but also recurses on lists.
|
|
collect =
|
|
# Given an attribute's value, determine if recursion should stop.
|
|
pred:
|
|
# The attribute set to recursively collect.
|
|
attrs:
|
|
if pred attrs then
|
|
[ attrs ]
|
|
else if builtins.isAttrs attrs then
|
|
lib.lists.concatMap (collect pred) (lib.attrsets.attrValues attrs)
|
|
else if builtins.isList attrs then
|
|
lib.lists.concatMap (collect pred) attrs
|
|
else
|
|
[];
|
|
|
|
# Generator for XML
|
|
formatXML = {
|
|
enclosingRoot ? null
|
|
}: {
|
|
type = with lib.types; let
|
|
valueType = nullOr (oneOf [
|
|
bool
|
|
int
|
|
float
|
|
str
|
|
path
|
|
(attrsOf valueType)
|
|
(listOf valueType)
|
|
]) // {
|
|
description = "XML value";
|
|
};
|
|
in valueType;
|
|
|
|
generate = name: value: pkgs.callPackage ({ runCommand, python3 }: runCommand "config" {
|
|
value = builtins.toJSON (
|
|
if enclosingRoot == null then
|
|
value
|
|
else
|
|
{ ${enclosingRoot} = value; });
|
|
passAsFile = [ "value" ];
|
|
} (pkgs.writers.writePython3 "dict2xml" {
|
|
libraries = with python3.pkgs; [ python dict2xml ];
|
|
} ''
|
|
import os
|
|
import json
|
|
from dict2xml import dict2xml
|
|
|
|
with open(os.environ["valuePath"]) as f:
|
|
content = json.loads(f.read())
|
|
if content is None:
|
|
print("Could not parse env var valuePath as json")
|
|
os.exit(2)
|
|
with open(os.environ["out"], "w") as out:
|
|
out.write(dict2xml(content))
|
|
'')) {};
|
|
|
|
};
|
|
|
|
parseXML = xml:
|
|
let
|
|
xmlToJsonFile = pkgs.callPackage ({ runCommand, python3 }: runCommand "config" {
|
|
inherit xml;
|
|
passAsFile = [ "xml" ];
|
|
} (pkgs.writers.writePython3 "xml2json" {
|
|
libraries = with python3.pkgs; [ python ];
|
|
} ''
|
|
import os
|
|
import json
|
|
from collections import ChainMap
|
|
from xml.etree import ElementTree
|
|
|
|
|
|
def xml_to_dict_recursive(root):
|
|
all_descendants = list(root)
|
|
if len(all_descendants) == 0:
|
|
return {root.tag: root.text}
|
|
else:
|
|
merged_dict = ChainMap(*map(xml_to_dict_recursive, all_descendants))
|
|
return {root.tag: dict(merged_dict)}
|
|
|
|
|
|
with open(os.environ["xmlPath"]) as f:
|
|
root = ElementTree.XML(f.read())
|
|
xml = xml_to_dict_recursive(root)
|
|
j = json.dumps(xml)
|
|
|
|
with open(os.environ["out"], "w") as out:
|
|
out.write(j)
|
|
'')) {};
|
|
in
|
|
builtins.fromJSON (builtins.readFile xmlToJsonFile);
|
|
|
|
renameAttrName = attrset: from: to:
|
|
(lib.attrsets.filterAttrs (name: v: name == from) attrset) // {
|
|
${to} = attrset.${from};
|
|
};
|
|
|
|
# Taken from https://github.com/antifuchs/nix-flake-tests/blob/main/default.nix
|
|
# with a nicer diff display function.
|
|
check = { pkgs, tests }:
|
|
let
|
|
formatValue = val:
|
|
if (builtins.isList val || builtins.isAttrs val) then builtins.toJSON val
|
|
else builtins.toString val;
|
|
|
|
resultToString = { name, expected, result }:
|
|
builtins.readFile (pkgs.runCommand "nix-flake-tests-error" {
|
|
expected = formatValue expected;
|
|
result = formatValue result;
|
|
passAsFile = [ "expected" "result" ];
|
|
} ''
|
|
echo "${name} failed (- expected, + result)" > $out
|
|
cp ''${expectedPath} ''${expectedPath}.json
|
|
cp ''${resultPath} ''${resultPath}.json
|
|
${pkgs.deepdiff}/bin/deep diff ''${expectedPath}.json ''${resultPath}.json >> $out
|
|
'');
|
|
|
|
results = pkgs.lib.runTests tests;
|
|
in
|
|
if results != [ ] then
|
|
builtins.throw (concatStringsSep "\n" (map resultToString (lib.traceValSeqN 3 results)))
|
|
else
|
|
pkgs.runCommand "nix-flake-tests-success" { } "echo > $out";
|
|
|
|
|
|
genConfigOutOfBandSystemd = { config, configLocation, generator, user ? null, permissions ? "u=r,g=r,o=" }:
|
|
{
|
|
loadCredentials = getLoadCredentials "source" config;
|
|
preStart = lib.mkBefore (replaceSecrets {
|
|
userConfig = updateToLoadCredentials "source" "$CREDENTIALS_DIRECTORY" config;
|
|
resultPath = configLocation;
|
|
inherit generator;
|
|
inherit user permissions;
|
|
});
|
|
};
|
|
|
|
updateToLoadCredentials = sourceField: rootDir: attrs:
|
|
let
|
|
hasPlaceholderField = v: isAttrs v && hasAttr sourceField v;
|
|
|
|
valueOrLoadCredential = path: value:
|
|
if ! (hasPlaceholderField value)
|
|
then value
|
|
else value // { ${sourceField} = rootDir + "/" + concatStringsSep "_" path; };
|
|
in
|
|
mapAttrsRecursiveCond (v: ! (hasPlaceholderField v)) valueOrLoadCredential attrs;
|
|
|
|
getLoadCredentials = sourceField: attrs:
|
|
let
|
|
hasPlaceholderField = v: isAttrs v && hasAttr sourceField v;
|
|
|
|
addPathField = path: value:
|
|
if ! (hasPlaceholderField value)
|
|
then value
|
|
else value // { inherit path; };
|
|
|
|
secretsWithPath = mapAttrsRecursiveCond (v: ! (hasPlaceholderField v)) addPathField attrs;
|
|
|
|
allSecrets = collect (v: hasPlaceholderField v) secretsWithPath;
|
|
|
|
genLoadCredentials = secret:
|
|
"${concatStringsSep "_" secret.path}:${secret.${sourceField}}";
|
|
in
|
|
map genLoadCredentials allSecrets;
|
|
}
|