Merge pull request #121708 from talyz/replace-secret
treewide: Replace uses of `replace-literal` with `replace-secret` to avoid leaking secrets
This commit is contained in:
commit
f131787bb6
@ -233,14 +233,15 @@ in {
|
|||||||
{
|
{
|
||||||
User = "${cfg.user}";
|
User = "${cfg.user}";
|
||||||
ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
|
ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon /run/mpd/mpd.conf";
|
||||||
ExecStartPre = pkgs.writeShellScript "mpd-start-pre" ''
|
ExecStartPre = pkgs.writeShellScript "mpd-start-pre" (''
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
install -m 600 ${mpdConf} /run/mpd/mpd.conf
|
install -m 600 ${mpdConf} /run/mpd/mpd.conf
|
||||||
${optionalString (cfg.credentials != [])
|
'' + optionalString (cfg.credentials != [])
|
||||||
"${pkgs.replace}/bin/replace-literal -fe ${
|
(concatStringsSep "\n"
|
||||||
concatStringsSep " -a " (imap0 (i: c: "\"{{password-${toString i}}}\" \"$(cat ${c.passwordFile})\"") cfg.credentials)
|
(imap0
|
||||||
} /run/mpd/mpd.conf"}
|
(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' '${c.passwordFile}' /run/mpd/mpd.conf'')
|
||||||
'';
|
cfg.credentials))
|
||||||
|
);
|
||||||
RuntimeDirectory = "mpd";
|
RuntimeDirectory = "mpd";
|
||||||
Type = "notify";
|
Type = "notify";
|
||||||
LimitRTPRIO = 50;
|
LimitRTPRIO = 50;
|
||||||
|
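Review bot: Each credential's `passwordFile` is spliced into a single-quoted shell word on the new `replace-secret` line, so a path containing `'` breaks the generated mpd-start-pre script, whereas `lib.escapeShellArg` would quote it safely. The per-credential command becomes `(i: c: ''${pkgs.replace-secret}/bin/replace-secret '{{password-${toString i}}}' ${escapeShellArg c.passwordFile} /run/mpd/mpd.conf'')`, assuming `escapeShellArg` is in scope through the same `with lib` that provides `imap0` and `optionalString` here. Note also that with `User = "${cfg.user}"` and no `+` prefix on `ExecStartPre`, every `passwordFile` must be readable by that user — unchanged from the old `cat`, but worth a sentence in the option's description. The enclosing `serviceConfig` set starts before this hunk.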
@ -59,7 +59,7 @@ let
|
|||||||
|
|
||||||
replaceSecret = secretFile: placeholder: targetFile:
|
replaceSecret = secretFile: placeholder: targetFile:
|
||||||
optionalString (secretFile != null) ''
|
optionalString (secretFile != null) ''
|
||||||
${pkgs.replace}/bin/replace-literal -ef ${placeholder} "$(cat ${secretFile})" ${targetFile}'';
|
${pkgs.replace-secret}/bin/replace-secret '${placeholder}' '${secretFile}' '${targetFile}' '';
|
||||||
|
|
||||||
preStart = pkgs.writeShellScript "mpdscribble-pre-start" ''
|
preStart = pkgs.writeShellScript "mpdscribble-pre-start" ''
|
||||||
cp -f "${cfgTemplate}" "${cfgFile}"
|
cp -f "${cfgTemplate}" "${cfgFile}"
|
||||||
|
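Review bot: `cp -f "${cfgTemplate}" "${cfgFile}"` copies a Nix store file, and `cp` without `-p` creates the destination with the source's permission bits, i.e. 0444 for a store file; the new `replace-secret` then opens `${cfgFile}` read-write in place, which a non-root service user cannot do on a 0444 file, and even when it succeeds the secret ends up in a world-readable file unless the containing directory is itself restricted. The old `replace-literal` may have side-stepped the first problem by writing a fresh file rather than rewriting in place, so this is a behaviour change worth checking against how `preStart` is run (the unit's user and `cfgFile`'s location are outside this hunk). The other modules in this PR use `install -m 0600` for this step; `install -m 0600 "${cfgTemplate}" "${cfgFile}"` here removes both issues. `preStart` continues beyond the hunk.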
@ -952,7 +952,7 @@ in {
|
|||||||
path = with pkgs; [
|
path = with pkgs; [
|
||||||
jq
|
jq
|
||||||
openssl
|
openssl
|
||||||
replace
|
replace-secret
|
||||||
git
|
git
|
||||||
];
|
];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
@ -994,8 +994,7 @@ in {
|
|||||||
${optionalString cfg.smtp.enable ''
|
${optionalString cfg.smtp.enable ''
|
||||||
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
|
install -m u=rw ${smtpSettings} ${cfg.statePath}/config/initializers/smtp_settings.rb
|
||||||
${optionalString (cfg.smtp.passwordFile != null) ''
|
${optionalString (cfg.smtp.passwordFile != null) ''
|
||||||
smtp_password=$(<'${cfg.smtp.passwordFile}')
|
replace-secret '@smtpPassword@' '${cfg.smtp.passwordFile}' '${cfg.statePath}/config/initializers/smtp_settings.rb'
|
||||||
replace-literal -e '@smtpPassword@' "$smtp_password" '${cfg.statePath}/config/initializers/smtp_settings.rb'
|
|
||||||
''}
|
''}
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
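Review bot: The SMTP password is substituted verbatim into Ruby source (`smtp_settings.rb`), so a password containing whichever quote character `smtpSettings` wraps `@smtpPassword@` in, or a `#{` sequence, produces a syntax error or Ruby interpolation at load time. That was equally true with `replace-literal`, but since the PR is revisiting every substitution site it is the moment to either document the constraint on `smtp.passwordFile` or remove it by having the template read the file at load time, e.g. `password: File.read('${cfg.smtp.passwordFile}').chomp,` — which also means the secret never has to be written into `statePath`, provided the GitLab process user can read the file. `smtpSettings` is defined outside this hunk, so the quoting it uses is not visible here.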
@ -661,7 +661,7 @@ in
|
|||||||
];
|
];
|
||||||
path = cfg.package.runtimeDeps ++ [
|
path = cfg.package.runtimeDeps ++ [
|
||||||
postgresqlPackage
|
postgresqlPackage
|
||||||
pkgs.replace
|
pkgs.replace-secret
|
||||||
cfg.package.rake
|
cfg.package.rake
|
||||||
];
|
];
|
||||||
environment = cfg.package.runtimeEnv // {
|
environment = cfg.package.runtimeEnv // {
|
||||||
@ -688,10 +688,7 @@ in
|
|||||||
|
|
||||||
mkSecretReplacement = file:
|
mkSecretReplacement = file:
|
||||||
lib.optionalString (file != null) ''
|
lib.optionalString (file != null) ''
|
||||||
(
|
replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf
|
||||||
password=$(<'${file}')
|
|
||||||
replace-literal -fe '${file}' "$password" /run/discourse/config/discourse.conf
|
|
||||||
)
|
|
||||||
'';
|
'';
|
||||||
in ''
|
in ''
|
||||||
set -o errexit -o pipefail -o nounset -o errtrace
|
set -o errexit -o pipefail -o nounset -o errtrace
|
||||||
@ -713,11 +710,12 @@ in
|
|||||||
cfg.siteSettings
|
cfg.siteSettings
|
||||||
"/run/discourse/config/nixos_site_settings.json"
|
"/run/discourse/config/nixos_site_settings.json"
|
||||||
}
|
}
|
||||||
install -T -m 0400 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
|
install -T -m 0600 -o discourse ${discourseConf} /run/discourse/config/discourse.conf
|
||||||
${mkSecretReplacement cfg.database.passwordFile}
|
${mkSecretReplacement cfg.database.passwordFile}
|
||||||
${mkSecretReplacement cfg.mail.outgoing.passwordFile}
|
${mkSecretReplacement cfg.mail.outgoing.passwordFile}
|
||||||
${mkSecretReplacement cfg.redis.passwordFile}
|
${mkSecretReplacement cfg.redis.passwordFile}
|
||||||
${mkSecretReplacement cfg.secretKeyBaseFile}
|
${mkSecretReplacement cfg.secretKeyBaseFile}
|
||||||
|
chmod 0400 /run/discourse/config/discourse.conf
|
||||||
)
|
)
|
||||||
|
|
||||||
discourse-rake db:migrate >>/var/log/discourse/db_migration.log
|
discourse-rake db:migrate >>/var/log/discourse/db_migration.log
|
||||||
|
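Review bot: `replace-secret '${file}' '${file}' /run/discourse/config/discourse.conf` in `mkSecretReplacement` reads like a copy-paste mistake because the same value is both the search string and the secret source; it is only correct because `discourseConf` (built outside this hunk) presumably embeds the secret file's path as its placeholder. A one-line comment above the call would save the next reader a detour, e.g. `# discourseConf uses the secret file's path as the placeholder, hence the same argument twice`. In the third hunk, `install … -m 0600` followed by `chmod 0400` after the substitutions is the right shape for an in-place rewrite; the chmod is skipped if a substitution fails, but with `set -o errexit` that aborts the unit rather than leaving it running on a 0600 file.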
@ -633,6 +633,9 @@ in
|
|||||||
after = databaseServices;
|
after = databaseServices;
|
||||||
bindsTo = databaseServices;
|
bindsTo = databaseServices;
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
path = with pkgs; [
|
||||||
|
replace-secret
|
||||||
|
];
|
||||||
environment = {
|
environment = {
|
||||||
JBOSS_LOG_DIR = "/var/log/keycloak";
|
JBOSS_LOG_DIR = "/var/log/keycloak";
|
||||||
JBOSS_BASE_DIR = "/run/keycloak";
|
JBOSS_BASE_DIR = "/run/keycloak";
|
||||||
@ -653,8 +656,7 @@ in
|
|||||||
install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
|
install -m 0600 ${cfg.package}/standalone/configuration/*.properties /run/keycloak/configuration
|
||||||
install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
|
install -T -m 0600 ${keycloakConfig} /run/keycloak/configuration/standalone.xml
|
||||||
|
|
||||||
db_password="$(</run/keycloak/secrets/db_password)"
|
replace-secret '@db-password@' '/run/keycloak/secrets/db_password' /run/keycloak/configuration/standalone.xml
|
||||||
${pkgs.replace}/bin/replace-literal -fe '@db-password@' "$db_password" /run/keycloak/configuration/standalone.xml
|
|
||||||
|
|
||||||
export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
|
export JAVA_OPTS=-Djboss.server.config.user.dir=/run/keycloak/configuration
|
||||||
${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
|
${cfg.package}/bin/add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'
|
||||||
|
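Review bot: Two lines below the new `replace-secret` call, `add-user-keycloak.sh -u admin -p '${cfg.initialAdminPassword}'` still passes a password as a command-line argument, visible in `/proc/<pid>/cmdline` while it runs and, because it is interpolated at evaluation time, presumably also stored in a world-readable store path — the same leak class this PR is eliminating. It is an unchanged context line and likely a documented bootstrap-only password, so it need not block this change, but a `# TODO: initialAdminPassword is exposed via argv and the store; move to a file like db_password` comment would keep it from being forgotten. The substituted database password is also inserted into XML without escaping, so a value containing `<` or `&` breaks `standalone.xml`; if the option description does not already say so, it should. The pre-start script continues outside this hunk.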
35
pkgs/build-support/replace-secret/replace-secret.nix
Normal file
35
pkgs/build-support/replace-secret/replace-secret.nix
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
{ stdenv, lib, python3 }:
|
||||||
|
|
||||||
|
stdenv.mkDerivation {
|
||||||
|
name = "replace-secret";
|
||||||
|
buildInputs = [ python3 ];
|
||||||
|
phases = [ "installPhase" "checkPhase" ];
|
||||||
|
installPhase = ''
|
||||||
|
install -D ${./replace-secret.py} $out/bin/replace-secret
|
||||||
|
patchShebangs $out
|
||||||
|
'';
|
||||||
|
doCheck = true;
|
||||||
|
checkPhase = ''
|
||||||
|
install -m 0600 ${./test/input_file} long_test
|
||||||
|
$out/bin/replace-secret "replace this" ${./test/passwd} long_test
|
||||||
|
$out/bin/replace-secret "and this" ${./test/rsa} long_test
|
||||||
|
diff ${./test/expected_long_output} long_test
|
||||||
|
|
||||||
|
install -m 0600 ${./test/input_file} short_test
|
||||||
|
$out/bin/replace-secret "replace this" <(echo "a") short_test
|
||||||
|
$out/bin/replace-secret "and this" <(echo "b") short_test
|
||||||
|
diff ${./test/expected_short_output} short_test
|
||||||
|
'';
|
||||||
|
meta = with lib; {
|
||||||
|
platforms = platforms.all;
|
||||||
|
maintainers = with maintainers; [ talyz ];
|
||||||
|
license = licenses.mit;
|
||||||
|
description = "Replace a string in one file with a secret from a second file";
|
||||||
|
longDescription = ''
|
||||||
|
Replace a string in one file with a secret from a second file.
|
||||||
|
|
||||||
|
Since the secret is read from a file, it won't be leaked through
|
||||||
|
'/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
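Review bot: The check phase verifies the replacement text but not the property every caller in this PR relies on — that the in-place rewrite keeps the target's mode (callers `install -m 0600` and then run `replace-secret`; discourse only tightens to 0400 afterwards). Since `long_test` is installed with `-m 0600`, one assertion after the two replacements pins it down: `[ "$(stat -c '%a' long_test)" = "600" ]`. A negative case — the exit status when the placeholder is absent — is also worth a line once that behaviour is decided, since the script currently exits 0 and leaves the file untouched in that case.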
28
pkgs/build-support/replace-secret/replace-secret.py
Executable file
28
pkgs/build-support/replace-secret/replace-secret.py
Executable file
@ -0,0 +1,28 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
import argparse
|
||||||
|
from argparse import RawDescriptionHelpFormatter
|
||||||
|
|
||||||
|
description = """
|
||||||
|
Replace a string in one file with a secret from a second file.
|
||||||
|
|
||||||
|
Since the secret is read from a file, it won't be leaked through
|
||||||
|
'/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used.
|
||||||
|
"""
|
||||||
|
|
||||||
|
parser = argparse.ArgumentParser(
|
||||||
|
description=description,
|
||||||
|
formatter_class=RawDescriptionHelpFormatter
|
||||||
|
)
|
||||||
|
parser.add_argument("string_to_replace", help="the string to replace")
|
||||||
|
parser.add_argument("secret_file", help="the file containing the secret")
|
||||||
|
parser.add_argument("file", help="the file to perform the replacement on")
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
with open(args.secret_file) as sf, open(args.file, 'r+') as f:
|
||||||
|
old = f.read()
|
||||||
|
secret = sf.read().strip("\n")
|
||||||
|
new_content = old.replace(args.string_to_replace, secret)
|
||||||
|
f.seek(0)
|
||||||
|
f.write(new_content)
|
||||||
|
f.truncate()
|
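Review bot: `old.replace(args.string_to_replace, secret)` silently succeeds when the placeholder does not occur in `file`, so a mistyped marker leaves the literal placeholder in the config and the script exits 0 — the service then starts with a bogus credential instead of failing in `ExecStartPre`. Every caller in this PR expects the marker to be present, so after `old = f.read()` add `if args.string_to_replace not in old: raise SystemExit(f"replace-secret: {args.string_to_replace!r} not found in {args.file}")`; the message names only the placeholder and the file, never the secret. Both files are opened in text mode with the locale encoding, which under systemd is usually the C locale that Python 3.7+ coerces to UTF-8; if non-UTF-8 secrets or configs are a possibility, open both in binary mode and `.encode()` the placeholder instead.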
30
pkgs/build-support/replace-secret/test/expected_long_output
Normal file
30
pkgs/build-support/replace-secret/test/expected_long_output
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
beginning
|
||||||
|
middle $6$UcbJUl5g$HRMfKNKsLTfVbcQb.P5o0bmZUfHDYkWseMSuZ8F5jSIGZZcI3Jnit23f8ZeZOGi4KL86HVM9RYqrpYySOu/fl0 not this
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAzrru6v5tfwQl6L+rOUjtLo8kbhMUlCLXP7TYngSGrkzPMWe+
|
||||||
|
0gB04UAmiPZXfBmvj5fPqYiFjIaEDHE/SD41vJB/RJKKtId2gCAIHhBLkbr+4+60
|
||||||
|
yEbLkJci5i4kJC1dt8OKFEzXkaVnwOSgjH+0NwO3bstZ+E70zMXS9+NS71qGsIEb
|
||||||
|
5J1TnacwW/u6CdFyakLljWOXOR14rLIpiPBBFLf+oZiepjIhlWXWHqsxZOb7zMI0
|
||||||
|
T4W5WJ2dwGFsJ8rkYaGZ+A5qzYbi/KmHqaSPaNDsyoi7yJhAhKPByALJU916+8QO
|
||||||
|
xOnqZxWGki3PDzCslRwW4i3mGbZlBQMnlfbN3QIDAQABAoIBAHDn1W7QkFrLmCy6
|
||||||
|
6bf6pVdFZF8d2qJhOPAZRClhTXFKj+pqv+QPzcXr9F/fMr6bhK/G+Oqdnlq2aM4m
|
||||||
|
16oMF+spe+impEyeo1CsreJFghBQcb9o8qFjUPBiKvROBP0hLcscZ4BYy29HSBgo
|
||||||
|
harWYEWfqQJA251q+fYQoP0z0WrZKddOZbRRnJ0ICRxAE7IEtDT6EYt8R9oGi2j4
|
||||||
|
/rpdW+rYGjW3TcmzdR7lpVMJRLlbMbSdR8n6cI6rnfySygcoE5tFX5t/YZSNbBPg
|
||||||
|
GebKCbEHYNTTG8bC1qjUyzlbEQ6XYWvFO7HTKU7105XpjYTQFByeo0IVkin0o5KW
|
||||||
|
t7eQWb0CgYEA6zZUWsYoQ13nXEU6Ky89Q9uhesMfaJ/F2X5ikQSRqRvrR3QR+ULe
|
||||||
|
eNnCl10O9SiFpR4b5gSbLSHMffxGN60P1nEO4CiIKE+gOii8Kdk5htIJFy/dcZUc
|
||||||
|
PuPM+zD9/6Is5sAWUZo45bnT6685h6EjM2+6zNZtx/XMjSfWbHaY+HMCgYEA4QAy
|
||||||
|
6ZEgd6FHnNfM/q2o8XU3d6OCdhcu26u6ydnCalbSpPSKWOi6gnHK4ZnGdryXgIYw
|
||||||
|
hRkvYINfiONkShYytotIh4YxUbgpwdvJRyKa2ZdWhcMmtFzZOcEVzQTKBasFT74C
|
||||||
|
Wo0iybZ++XZh3M0+n7oyyx39aR7diZ+/zq6PnG8CgYB8B1QH4cHNdDDRqPd5WhmW
|
||||||
|
NLQ7xbREOSvc+hYDnkMoxz4TmZL4u1gQpdNEeZ+visSeQvg3HGqvK8lnDaYBKdLW
|
||||||
|
IxvS+8yAZSx6PoyqDI+XFh4RCf5dLGGOkBTAyB7Hs761lsiuEwK5sHmdJ/LQIBot
|
||||||
|
v1bjOJb/AA/yxvT8kLUtHQKBgGIA9iwqXJv/EfRNQytDdS0HQ4vHGtJZMr3YRVoa
|
||||||
|
kcZD3yieo4wqguLCsf4mPv4FE3CWAphW6f39+yTi9xIWLSy56nOtjdnsf7PDCh8E
|
||||||
|
AbL5amSFJly1fKDda6OLjHt/jKa5Osk6ZIa8CP6cA/BrLfXg4rL6cyDQouqJPMDH
|
||||||
|
5CHdAoGBAIChjbTyoYvANkoANCK4SuqLUYeiYREfiM3sqHe1xirK1PPHw03ZLITl
|
||||||
|
ltjo9qE6kPXWcTBVckTKGFlntyCT283FC0/vMmHo8dTdtxF4/wSbkqs3ORuJ3p5J
|
||||||
|
cNtLYGD3vgwLmg6tTur4U60XN+tYDzWGteez8J9GwTMfKJmuS9af
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
end
|
@ -0,0 +1,4 @@
|
|||||||
|
beginning
|
||||||
|
middle a not this
|
||||||
|
b
|
||||||
|
end
|
4
pkgs/build-support/replace-secret/test/input_file
Normal file
4
pkgs/build-support/replace-secret/test/input_file
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
beginning
|
||||||
|
middle replace this not this
|
||||||
|
and this
|
||||||
|
end
|
1
pkgs/build-support/replace-secret/test/passwd
Normal file
1
pkgs/build-support/replace-secret/test/passwd
Normal file
@ -0,0 +1 @@
|
|||||||
|
$6$UcbJUl5g$HRMfKNKsLTfVbcQb.P5o0bmZUfHDYkWseMSuZ8F5jSIGZZcI3Jnit23f8ZeZOGi4KL86HVM9RYqrpYySOu/fl0
|
27
pkgs/build-support/replace-secret/test/rsa
Normal file
27
pkgs/build-support/replace-secret/test/rsa
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAzrru6v5tfwQl6L+rOUjtLo8kbhMUlCLXP7TYngSGrkzPMWe+
|
||||||
|
0gB04UAmiPZXfBmvj5fPqYiFjIaEDHE/SD41vJB/RJKKtId2gCAIHhBLkbr+4+60
|
||||||
|
yEbLkJci5i4kJC1dt8OKFEzXkaVnwOSgjH+0NwO3bstZ+E70zMXS9+NS71qGsIEb
|
||||||
|
5J1TnacwW/u6CdFyakLljWOXOR14rLIpiPBBFLf+oZiepjIhlWXWHqsxZOb7zMI0
|
||||||
|
T4W5WJ2dwGFsJ8rkYaGZ+A5qzYbi/KmHqaSPaNDsyoi7yJhAhKPByALJU916+8QO
|
||||||
|
xOnqZxWGki3PDzCslRwW4i3mGbZlBQMnlfbN3QIDAQABAoIBAHDn1W7QkFrLmCy6
|
||||||
|
6bf6pVdFZF8d2qJhOPAZRClhTXFKj+pqv+QPzcXr9F/fMr6bhK/G+Oqdnlq2aM4m
|
||||||
|
16oMF+spe+impEyeo1CsreJFghBQcb9o8qFjUPBiKvROBP0hLcscZ4BYy29HSBgo
|
||||||
|
harWYEWfqQJA251q+fYQoP0z0WrZKddOZbRRnJ0ICRxAE7IEtDT6EYt8R9oGi2j4
|
||||||
|
/rpdW+rYGjW3TcmzdR7lpVMJRLlbMbSdR8n6cI6rnfySygcoE5tFX5t/YZSNbBPg
|
||||||
|
GebKCbEHYNTTG8bC1qjUyzlbEQ6XYWvFO7HTKU7105XpjYTQFByeo0IVkin0o5KW
|
||||||
|
t7eQWb0CgYEA6zZUWsYoQ13nXEU6Ky89Q9uhesMfaJ/F2X5ikQSRqRvrR3QR+ULe
|
||||||
|
eNnCl10O9SiFpR4b5gSbLSHMffxGN60P1nEO4CiIKE+gOii8Kdk5htIJFy/dcZUc
|
||||||
|
PuPM+zD9/6Is5sAWUZo45bnT6685h6EjM2+6zNZtx/XMjSfWbHaY+HMCgYEA4QAy
|
||||||
|
6ZEgd6FHnNfM/q2o8XU3d6OCdhcu26u6ydnCalbSpPSKWOi6gnHK4ZnGdryXgIYw
|
||||||
|
hRkvYINfiONkShYytotIh4YxUbgpwdvJRyKa2ZdWhcMmtFzZOcEVzQTKBasFT74C
|
||||||
|
Wo0iybZ++XZh3M0+n7oyyx39aR7diZ+/zq6PnG8CgYB8B1QH4cHNdDDRqPd5WhmW
|
||||||
|
NLQ7xbREOSvc+hYDnkMoxz4TmZL4u1gQpdNEeZ+visSeQvg3HGqvK8lnDaYBKdLW
|
||||||
|
IxvS+8yAZSx6PoyqDI+XFh4RCf5dLGGOkBTAyB7Hs761lsiuEwK5sHmdJ/LQIBot
|
||||||
|
v1bjOJb/AA/yxvT8kLUtHQKBgGIA9iwqXJv/EfRNQytDdS0HQ4vHGtJZMr3YRVoa
|
||||||
|
kcZD3yieo4wqguLCsf4mPv4FE3CWAphW6f39+yTi9xIWLSy56nOtjdnsf7PDCh8E
|
||||||
|
AbL5amSFJly1fKDda6OLjHt/jKa5Osk6ZIa8CP6cA/BrLfXg4rL6cyDQouqJPMDH
|
||||||
|
5CHdAoGBAIChjbTyoYvANkoANCK4SuqLUYeiYREfiM3sqHe1xirK1PPHw03ZLITl
|
||||||
|
ltjo9qE6kPXWcTBVckTKGFlntyCT283FC0/vMmHo8dTdtxF4/wSbkqs3ORuJ3p5J
|
||||||
|
cNtLYGD3vgwLmg6tTur4U60XN+tYDzWGteez8J9GwTMfKJmuS9af
|
||||||
|
-----END RSA PRIVATE KEY-----
|
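Review bot: `test/rsa` is a complete PEM-encoded private key checked into the tree; it is only a fixture here, but a full `-----BEGIN RSA PRIVATE KEY-----` block is exactly what secret scanners match on, so expect findings against the repository. Either mark it as a throwaway test vector (a `test/README` line, or a comment in `replace-secret.nix` next to the `${./test/rsa}` reference) or generate a disposable key inside `checkPhase` instead of committing one. Whether this key is used anywhere else cannot be determined from this page.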
@ -13592,6 +13592,8 @@ in
|
|||||||
|
|
||||||
remake = callPackage ../development/tools/build-managers/remake { };
|
remake = callPackage ../development/tools/build-managers/remake { };
|
||||||
|
|
||||||
|
replace-secret = callPackage ../build-support/replace-secret/replace-secret.nix { };
|
||||||
|
|
||||||
replacement = callPackage ../development/tools/misc/replacement { };
|
replacement = callPackage ../development/tools/misc/replacement { };
|
||||||
|
|
||||||
retdec = callPackage ../development/tools/analysis/retdec {
|
retdec = callPackage ../development/tools/analysis/retdec {
|
||||||
|