0318f6423f
Turn the agent-install playbook into a full provisioning + maintenance path. Solves the bootstrap chicken-and-egg: first contact uses an operator-supplied password (one run, never stored), which creates a dedicated `steward` login account with NOPASSWD sudo + Steward's managed public key. Every run thereafter connects as `steward` with the managed key — fully unattended (scheduled prune, agent updates). - core/crypto: generate_ssh_keypair() — ed25519, OpenSSH formats. - settings: ansible.ssh_public_key (non-secret, displayed) + ansible.ssh_user (default steward); to_ansible_cfg extended. - settings UI + route: "Generate managed key" (private encrypted, public shown to copy) + SSH-user field. - executor: build_bootstrap() writes a 0600 vars file (-e @file) for the per-run user/password — never argv, never DB, never logged; drops the managed key when a bootstrap password is given; --user floor from the global ssh_user when no override. - runner.trigger_run: pass-through `connection` kwarg, deliberately NOT persisted on AnsibleRun.params (password stays out of the DB). - bundled/host_agent/provision.yml: create steward user + authorized_keys + /etc/sudoers.d/steward (visudo-validated) + agent install. - host_agent: /provision route + "Provision a fresh host" card (bootstrap user/password; injects pubkey + user + token as space-safe JSON hostvars). - Dockerfile: add sshpass (Ansible shells out to it for password SSH). - tests: keypair generation + build_bootstrap (secret stays off argv). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
70 lines
2.0 KiB
Python
70 lines
2.0 KiB
Python
"""Unit tests for settings encryption-at-rest (Fernet)."""
|
|
from steward.core.crypto import (
|
|
ENC_PREFIX,
|
|
decrypt_secret,
|
|
encrypt_secret,
|
|
generate_ssh_keypair,
|
|
init_crypto,
|
|
is_encrypted,
|
|
)
|
|
|
|
|
|
def setup_function():
|
|
init_crypto("unit-test-secret-key")
|
|
|
|
|
|
def test_roundtrip():
|
|
tok = encrypt_secret("hunter2")
|
|
assert tok.startswith(ENC_PREFIX)
|
|
assert tok != "hunter2"
|
|
assert is_encrypted(tok)
|
|
assert decrypt_secret(tok) == "hunter2"
|
|
|
|
|
|
def test_empty_passes_through():
|
|
assert encrypt_secret("") == ""
|
|
assert is_encrypted("") is False
|
|
|
|
|
|
def test_plaintext_decrypt_passthrough():
|
|
assert decrypt_secret("not-encrypted") == "not-encrypted"
|
|
|
|
|
|
def test_is_encrypted_type_guard():
|
|
assert is_encrypted(encrypt_secret("x")) is True
|
|
assert is_encrypted("plain") is False
|
|
assert is_encrypted(None) is False
|
|
assert is_encrypted(123) is False
|
|
|
|
|
|
def test_wrong_key_does_not_reveal_plaintext():
|
|
init_crypto("key-A")
|
|
tok = encrypt_secret("secret")
|
|
init_crypto("key-B")
|
|
# Wrong key -> InvalidToken -> token returned unchanged, never the plaintext.
|
|
assert decrypt_secret(tok) != "secret"
|
|
init_crypto("key-A")
|
|
assert decrypt_secret(tok) == "secret"
|
|
|
|
|
|
# ── Managed SSH keypair generation ────────────────────────────────────────────
|
|
|
|
def test_generate_ssh_keypair_formats():
|
|
priv, pub = generate_ssh_keypair()
|
|
assert priv.startswith("-----BEGIN OPENSSH PRIVATE KEY-----")
|
|
assert priv.rstrip().endswith("-----END OPENSSH PRIVATE KEY-----")
|
|
assert pub.startswith("ssh-ed25519 ")
|
|
assert pub.endswith(" steward-managed")
|
|
|
|
|
|
def test_generate_ssh_keypair_is_unique():
|
|
p1, _ = generate_ssh_keypair()
|
|
p2, _ = generate_ssh_keypair()
|
|
assert p1 != p2
|
|
|
|
|
|
def test_generate_ssh_keypair_custom_comment():
|
|
_, pub = generate_ssh_keypair(comment="host-x")
|
|
assert pub.endswith(" host-x")
|
|
assert len(pub.split()) == 3 # type, key, comment
|