gitea-mirror/rosenpass
1
0
Fork 0
mirror of https://github.com/rosenpass/rosenpass.git synced 2025-12-12 15:49:22 -08:00
Code Issues Packages Projects Releases Wiki Activity

chore(test): Move generation of rosenpass keys in integration tests into test script as the frst of two steps to make the nix derivations deterministic

Browse Source
This commit is contained in:
David Niehues
2025-08-26 10:27:23 +02:00
parent 1c85091b6d
commit 7d4ae23db9
1 changed files with 33 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
tests/integration/rpsc-test.nix
View File

@@ -53,23 +53,6 @@ let
peerCWgKeys = peerCWgKeys =
if multiPeer then generateWgKeys "peerC" "COOk7sSt34r3xtwCvOdqQiv2Pf4auKI+Btgyce2fw1w=" else null; if multiPeer then generateWgKeys "peerC" "COOk7sSt34r3xtwCvOdqQiv2Pf4auKI+Btgyce2fw1w=" else null;
generateRPKeys =
name: rosenpassVersion:
let
keyPair = pkgs.runCommand "rp-genkeys-${name}" { } ''
mkdir $out
${rosenpassVersion}/bin/rosenpass gen-keys -p $out/key.pk -s $out/key.sk
'';
in
{
publicKey = "${keyPair}/key.pk";
privateKey = "${keyPair}/key.sk";
};
peerARpKeys = generateRPKeys "peerA" pkgs.rosenpass-peer-a;
peerBRpKeys = generateRPKeys "peerB" pkgs.rosenpass-peer-b;
peerCRpKeys = if multiPeer then generateRPKeys "peerC" pkgs.rosenpass-peer-c else null;
staticConfig = staticConfig =
{ {
peerA = { peerA = {
@@ -383,26 +366,6 @@ in
security.pam.services.sshd.allowNullPassword = true; security.pam.services.sshd.allowNullPassword = true;
environment.systemPackages = [ environment.systemPackages = [
prepareSshLogin prepareSshLogin
(pkgs.writeSellScriptBin "install-rosenpass-keys" (
''
${pkgs.openssh}/bin/scp ${peerARpKeys.privateKey} peerakeyexchanger:${rosenpassKeyFolder}/self.sk
${pkgs.openssh}/bin/scp ${peerARpKeys.publicKey} peerakeyexchanger:${rosenpassKeyFolder}/self.pk
${pkgs.openssh}/bin/scp ${peerBRpKeys.publicKey} peerakeyexchanger:${rosenpassKeyFolder}/peer-b.pk
${pkgs.openssh}/bin/scp ${peerBRpKeys.privateKey} peerbkeyexchanger:${rosenpassKeyFolder}/self.sk
${pkgs.openssh}/bin/scp ${peerBRpKeys.publicKey} peerbkeyexchanger:${rosenpassKeyFolder}/self.pk
${pkgs.openssh}/bin/scp ${peerARpKeys.publicKey} peerbkeyexchanger:${rosenpassKeyFolder}/peer-a.pk
''
+ lib.optionalString multiPeer ''
${pkgs.openssh}/bin/scp ${peerCRpKeys.privateKey} peerckeyexchanger:${rosenpassKeyFolder}/self.sk
${pkgs.openssh}/bin/scp ${peerCRpKeys.publicKey} peerckeyexchanger:${rosenpassKeyFolder}/self.pk
${pkgs.openssh}/bin/scp ${peerARpKeys.publicKey} peerckeyexchanger:${rosenpassKeyFolder}/peer-a.pk
${pkgs.openssh}/bin/scp ${peerBRpKeys.publicKey} peerckeyexchanger:${rosenpassKeyFolder}/peer-b.pk
${pkgs.openssh}/bin/scp ${peerCRpKeys.publicKey} peerakeyexchanger:${rosenpassKeyFolder}/peer-c.pk
${pkgs.openssh}/bin/scp ${peerCRpKeys.publicKey} peerbkeyexchanger:${rosenpassKeyFolder}/peer-c.pk
''
))
(pkgs.writeShellScriptBin "watch-wg" '' (pkgs.writeShellScriptBin "watch-wg" ''
${pkgs.procps}/bin/watch -n1 \ ${pkgs.procps}/bin/watch -n1 \
${pkgs.wireguard-tools}/bin/wg show all preshared-keys ${pkgs.wireguard-tools}/bin/wg show all preshared-keys
@@ -470,42 +433,53 @@ in
# In admin-reality, this should be done with your favorite secret # In admin-reality, this should be done with your favorite secret
# provisioning/deployment tool # provisioning/deployment tool
# In reality, admins would carefully manage known SSH host keys with
# their favorite secret provisioning/deployment tool
peerA.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerakeyexchanger")
peerB.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerbkeyexchanger")
${lib.optionalString multiPeer ''
peerC.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerckeyexchanger")
''}
peerakeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerbkeyexchanger")
peerbkeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerakeyexchanger")
${lib.optionalString multiPeer ''
peerakeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerckeyexchanger")
peerbkeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerckeyexchanger")
peerckeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerakeyexchanger")
peerckeyexchanger.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerbkeyexchanger")
''}
# Generate the rosenpass key pairs.
peerakeyexchanger.succeed( peerakeyexchanger.succeed(
"cp ${peerARpKeys.privateKey} ${rosenpassKeyFolder}/self.sk" "${pkgs.rosenpass-peer-a}/bin/rosenpass gen-keys -p ${rosenpassKeyFolder}/self.pk -s ${rosenpassKeyFolder}/self.sk"
)
peerakeyexchanger.succeed(
"cp ${peerARpKeys.publicKey} ${rosenpassKeyFolder}/self.pk"
)
peerakeyexchanger.succeed(
"cp ${peerBRpKeys.publicKey} ${rosenpassKeyFolder}/peer-b.pk"
) )
peerbkeyexchanger.succeed( peerbkeyexchanger.succeed(
"cp ${peerBRpKeys.privateKey} ${rosenpassKeyFolder}/self.sk" "${pkgs.rosenpass-peer-b}/bin/rosenpass gen-keys -p ${rosenpassKeyFolder}/self.pk -s ${rosenpassKeyFolder}/self.sk"
)
${lib.optionalString multiPeer ''
peerckeyexchanger.succeed(
"${pkgs.rosenpass-peer-c}/bin/rosenpass gen-keys -p ${rosenpassKeyFolder}/self.pk -s ${rosenpassKeyFolder}/self.sk"
)
''}
peerakeyexchanger.succeed(
"scp ${rosenpassKeyFolder}/self.pk peerbkeyexchanger:${rosenpassKeyFolder}/peer-a.pk"
) )
peerbkeyexchanger.succeed( peerbkeyexchanger.succeed(
"cp ${peerBRpKeys.publicKey} ${rosenpassKeyFolder}/self.pk" "scp ${rosenpassKeyFolder}/self.pk peerakeyexchanger:${rosenpassKeyFolder}/peer-b.pk"
)
peerbkeyexchanger.succeed(
"cp ${peerARpKeys.publicKey} ${rosenpassKeyFolder}/peer-a.pk"
) )
${lib.optionalString multiPeer '' ${lib.optionalString multiPeer ''
peerakeyexchanger.succeed( peerakeyexchanger.succeed(
"cp ${peerCRpKeys.publicKey} ${rosenpassKeyFolder}/peer-c.pk" "scp ${rosenpassKeyFolder}/self.pk peerckeyexchanger:${rosenpassKeyFolder}/peer-a.pk"
) )
peerbkeyexchanger.succeed( peerbkeyexchanger.succeed(
"cp ${peerCRpKeys.publicKey} ${rosenpassKeyFolder}/peer-c.pk" "scp ${rosenpassKeyFolder}/self.pk peerckeyexchanger:${rosenpassKeyFolder}/peer-b.pk"
) )
peerckeyexchanger.succeed( peerckeyexchanger.succeed(
"cp ${peerCRpKeys.privateKey} ${rosenpassKeyFolder}/self.sk" "scp ${rosenpassKeyFolder}/self.pk peerakeyexchanger:${rosenpassKeyFolder}/peer-c.pk"
) )
peerckeyexchanger.succeed( peerckeyexchanger.succeed(
"cp ${peerCRpKeys.publicKey} ${rosenpassKeyFolder}/self.pk" "scp ${rosenpassKeyFolder}/self.pk peerbkeyexchanger:${rosenpassKeyFolder}/peer-c.pk"
)
peerckeyexchanger.succeed(
"cp ${peerARpKeys.publicKey} ${rosenpassKeyFolder}/peer-a.pk"
)
peerckeyexchanger.succeed(
"cp ${peerBRpKeys.publicKey} ${rosenpassKeyFolder}/peer-b.pk"
) )
''} ''}
@@ -525,16 +499,6 @@ in
peerckeyexchanger.wait_for_unit("rp-exchange.service") peerckeyexchanger.wait_for_unit("rp-exchange.service")
''} ''}
# In reality, admins would carefully manage known SSH host keys with
# their favorite secret provisioning/deployment tool
peerA.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerakeyexchanger")
peerB.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerbkeyexchanger")
${lib.optionalString multiPeer ''
peerC.succeed("${prepareSshLogin}/bin/prepare-ssh-login peerckeyexchanger")
''}
# Dump current network config # Dump current network config
peerA.succeed("ip addr 1>&2") peerA.succeed("ip addr 1>&2")
peerA.succeed("ip route 1>&2") peerA.succeed("ip route 1>&2")