;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2022 Ludovic Courtès ;;; Copyright © 2023 Janneke Nieuwenhuizen ;;; Copyright © 2023 Nicolas Graves ;;; Copyright © 2023 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (gnu home ser
aboutsummaryrefslogtreecommitdiff
# GNU Guix --- Functional package management for GNU
# Copyright © 2020, 2022, 2024 Ludovic Courtès <ludo@gnu.org>
#
# This file is part of GNU Guix.
#
# GNU Guix is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or (at
# your option) any later version.
#
# GNU Guix is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

#
# Test the 'guix git authenticate' command-line utility.
#

# Skip if we're not in a Git checkout.
[ -d "$abs_top_srcdir/.git" ] || exit 77

# Skip if there's no 'keyring' branch.
guile -c '(use-modules (git))
  (member "refs/heads/keyring" (branch-list (repository-open ".")))' || \
    exit 77

# Keep in sync with '%default-channels' in (guix channels)!
intro_commit="9edb3f66fd807b096b48283debdcddccfea34bad"
intro_signer="BBB0 2DDF 2CEA F6A8 0D1D  E643 A2A0 6DF2 A33A 54FA"

cache_key="test-$$"

# This must fail because the end commit is not a descendant of $intro_commit.
guix git authenticate "$intro_commit" "$intro_signer"	\
     --cache-key="$cache_key" --stats			\
     --end=9549f0283a78fe36f2d4ff2a04ef8ad6b0c02604 && false

# The v1.2.0 commit is a descendant of $intro_commit and it satisfies the
# authorization invariant.
v1_2_0_commit="a099685659b4bfa6b3218f84953cbb7ff9e88063"
guix git authenticate "$intro_commit" "$intro_signer"	\
     --cache-key="$cache_key" --stats			\
     --end="$v1_2_0_commit"

# Check a commit that came soon after v1.2.0.  No need to repeat $intro_commit
# and $intro_signer because it should have been recorded in '.git/config'.
after_v1_2_0="be4d9527b55b6829e33a6e0727496af25927a786"
guix git authenticate				\
     --cache-key="$cache_key" --stats		\
     --end="$v1_2_0_commit"

rm "$XDG_CACHE_HOME/guix/authentication/$cache_key"

# Commit and signer of the 'v1.0.0' tag.
v1_0_0_commit="6298c3ffd9654d3231a6f25390b056483e8f407c"
v1_0_0_signer="3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5" # civodul
v1_0_1_commit="d68de958b60426798ed62797ff7c96c327a672ac"

# This should succeed because v1.0.0 is an ancestor of $intro_commit.
guix git authenticate "$intro_commit" "$intro_signer"	\
     --cache-key="$cache_key" --stats			\
     --end="$v1_0_0_commit"

# This should fail because these commits lack '.guix-authorizations'.
guix git authenticate "$v1_0_0_commit" "$v1_0_0_signer" \
       --cache-key="$cache_key" --end="$v1_0_1_commit" && false

# This should work thanks to '--historical-authorizations'.
guix git authenticate "$v1_0_0_commit" "$v1_0_0_signer" 	\
     --cache-key="$cache_key" --end="$v1_0_1_commit" --stats	\
     --historical-authorizations="$abs_top_srcdir/etc/historical-authorizations"
generated by cgit
append user "@") "") host-name (if (maybe-value-set? port) (string-append ":" (number->string port)) "")))) (define (proxy-command-or-jump-list? x) (or (proxy-command? x) (and (list? x) (every proxy-jump? x)))) (define (serialize-proxy-command-or-jump-list field value) (if (proxy-command? value) (serialize-string 'proxy-command (proxy-command->string value)) (serialize-string-list 'proxy-jump (map proxy-jump->string value)))) (define-maybe proxy-command-or-jump-list) (define (sanitize-proxy-command properties) (lambda (value) (when (maybe-value-set? value) (warn-about-deprecation 'proxy-command properties #:replacement 'proxy)) (unless (maybe-string? value) (configuration-field-error (source-properties->location properties) 'proxy-command value)) value)) (define ssh-match-keywords '(canonical final exec host originalhost user localuser)) (define (match-criteria? str) ;; Rule out the case of "all" keyword. (if (member str '("all" "canonical all" "final all")) #t (let* ((first (string-take str (string-index str #\ ))) (keyword (string->symbol (if (string-prefix? "!" first) (string-drop first 1) first)))) (memq keyword ssh-match-keywords)))) (define (serialize-match-criteria _ value) (string-append "Match " value "\n")) (define-maybe match-criteria) (define-configuration openssh-host (name maybe-string "Name of this host declaration. A @code{openssh-host} must define only @code{name} or @code{match-criteria}. Use host-name @code{\"*\"} for top-level options.") (host-name maybe-string "Host name---e.g., @code{\"foo.example.org\"} or @code{\"192.168.1.2\"}.") (match-criteria maybe-match-criteria "When specified, this string denotes the set of hosts to which the entry applies, superseding the @code{host-name} field. Its first element must be all or one of @code{ssh-match-keywords}. The rest of the elements are arguments for the keyword, or other criteria. A @code{openssh-host} must define only @code{name} or @code{match-criteria}. Other host configuration options will apply to all hosts matching @code{match-criteria}.") (address-family maybe-address-family "Address family to use when connecting to this host: one of @code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only). Additionally, the field can be left unset to allow any address family.") (identity-file maybe-string "The identity file to use---e.g., @code{\"/home/charlie/.ssh/id_ed25519\"}.") (port maybe-natural-number "TCP port number to connect to.") (user maybe-string "User name on the remote host.") (forward-x11? maybe-boolean "Whether to forward remote client connections to the local X11 graphical display.") (forward-x11-trusted? maybe-boolean "Whether remote X11 clients have full access to the original X11 graphical display.") (forward-agent? maybe-boolean "Whether the authentication agent (if any) is forwarded to the remote machine.") (compression? maybe-boolean "Whether to compress data in transit.") (proxy-command maybe-string "The command to use to connect to the server. As an example, a command to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X connect -x 192.0.2.0:8080 %h %p\"}. Using 'proxy-command' is deprecated, use 'proxy' instead." (sanitizer (sanitize-proxy-command (current-source-location)))) (proxy maybe-proxy-command-or-jump-list "The command to use to connect to the server or a list of SSH hosts to jump through before connecting to the server.") (host-key-algorithms maybe-string-list "The list of accepted host key algorithms---e.g., @code{'(\"ssh-ed25519\")}.") (accepted-key-types maybe-string-list "The list of accepted user public key types.") (extra-content (raw-configuration-string "") "Extra content appended as-is to this @code{Host} block in @file{~/.ssh/config}.")) (define (serialize-openssh-host config) (define (openssh-host-name-or-match-field? field) (or (eq? (configuration-field-name field) 'name) (eq? (configuration-field-name field) 'match-criteria))) (string-append (if (maybe-value-set? (openssh-host-name config)) (if (maybe-value-set? (openssh-host-match-criteria config)) (raise (formatted-message (G_ "define either 'name' or 'match-criteria', not both"))) (string-append "Host " (openssh-host-name config) "\n")) (if (maybe-value-set? (openssh-host-match-criteria config)) (serialize-match-criteria #t (openssh-host-match-criteria config)) (raise (formatted-message (G_ "define either 'name' or 'match-criteria' once"))))) (string-concatenate (map (lambda (field) ((configuration-field-serializer field) (configuration-field-name field) ((configuration-field-getter field) config))) (remove openssh-host-name-or-match-field? openssh-host-fields))))) (define-record-type* home-openssh-configuration make-home-openssh-configuration home-openssh-configuration? (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like (default #f)) (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like (default *unspecified*)) (hosts home-openssh-configuration-hosts ;list of (default '())) (add-keys-to-agent home-openssh-configuration-add-keys-to-agent ;string with limited values (default "no"))) (define (serialize-add-keys-to-agent value) (define (valid-time-string? str) (and (> (string-length str) 0) (equal? str (match:substring (string-match "\ [0-9]+|([0-9]+[Ww])?([0-9]+[Dd])?([0-9]+[Hh])?([0-9]+[Mm])?([0-9]+[Ss])?" str))))) (string-append "AddKeysToAgent " (cond ((member value '("yes" "no" "confirm" "ask")) value) ((valid-time-string? value) value) ((and (string-prefix? "confirm" value) (valid-time-string? (cdr (string-split value #\ )))) value) ;; The 'else' branch is unreachable. (else (raise (formatted-message (G_ "~s: invalid 'add-keys-to-agent' value") value)))))) (define (openssh-configuration->string config) (string-join (cons* (serialize-add-keys-to-agent (home-openssh-configuration-add-keys-to-agent config)) (map serialize-openssh-host (home-openssh-configuration-hosts config))) "\n")) (define* (file-join name files #:optional (delimiter " ")) "Return a file in the store called @var{name} that is the concatenation of all the file-like objects listed in @var{files}, with @var{delimited} inserted after each of them." (computed-file name (with-imported-modules '((guix build utils)) #~(begin (use-modules (guix build utils)) ;; Support non-ASCII file names. (setenv "GUIX_LOCPATH" #+(file-append (libc-utf8-locales-for-target (%current-system)) "/lib/locale")) (setlocale LC_ALL "en_US.utf8") (call-with-output-file #$output (lambda (output) (for-each (lambda (file) (call-with-input-file file (lambda (input) (dump-port input output))) (display #$delimiter output)) '#$files))))))) (define (openssh-configuration-files config) (let* ((ssh-config (plain-file "ssh.conf" (openssh-configuration->string config))) (known-hosts (home-openssh-configuration-known-hosts config)) (authorized-keys (home-openssh-configuration-authorized-keys config)) (authorized-keys (and authorized-keys (file-join "authorized_keys" authorized-keys "\n")))) `(,@(if authorized-keys `((".ssh/authorized_keys" ,authorized-keys)) '()) ,@(if (unspecified? known-hosts) '() `((".ssh/known_hosts" ,(file-join "known_hosts" known-hosts "\n")))) (".ssh/config" ,ssh-config)))) (define openssh-activation (with-imported-modules (source-module-closure '((gnu build activation))) #~(begin (use-modules (gnu build activation)) ;; Make sure ~/.ssh is #o700. (let* ((home (getenv "HOME")) (dot-ssh (string-append home "/.ssh"))) (mkdir-p/perms dot-ssh (getpw (getuid)) #o700))))) (define home-openssh-service-type (service-type (name 'home-openssh) (extensions (list (service-extension home-files-service-type openssh-configuration-files) (service-extension home-activation-service-type (const openssh-activation)))) (description "Configure the OpenSSH @acronym{SSH, secure shell} client by providing a @file{~/.ssh/config} file, which is honored by the OpenSSH client,@command{ssh}, and by other tools such as @command{guix deploy}.") (default-value (home-openssh-configuration)))) ;;; ;;; Ssh-agent. ;;; (define-record-type* home-ssh-agent-configuration make-home-ssh-agent-configuration home-ssh-agent-configuration? (openssh home-ssh-agent-openssh ;file-like (default openssh)) (socket-directory home-ssh-agent-socket-directory ;string (default #~(string-append %user-runtime-dir "/ssh-agent"))) (extra-options home-ssh-agent-extra-options ;list of string (default '()))) (define (home-ssh-agent-services config) "Return a for an ssh-agent with CONFIG." (match-record config (openssh socket-directory extra-options) (let* ((ssh-agent (file-append openssh "/bin/ssh-agent")) (socket-file #~(string-append #$socket-directory "/socket")) (command #~`(#$ssh-agent "-D" "-a" ,#$socket-file #$@extra-options)) (log-file #~(string-append %user-log-dir "/ssh-agent.log"))) (list (shepherd-service (documentation "Run the ssh-agent.") (provision '(ssh-agent)) (modules '((shepherd support))) ;for '%user-runtime-dir', etc. (start #~(lambda _ (unless (file-exists? #$socket-directory) (mkdir-p #$socket-directory) (chmod #$socket-directory #o700)) (fork+exec-command #$command #:log-file #$log-file))) (stop #~(make-kill-destructor))))))) (define (home-ssh-agent-environment-variables config) '(("SSH_AUTH_SOCK" . "${SSH_AUTH_SOCK-${XDG_RUNTIME_DIR-$HOME/.cache}/ssh-agent/socket}"))) (define home-ssh-agent-service-type (service-type (name 'home-ssh-agent) (default-value (home-ssh-agent-configuration)) (extensions (list (service-extension home-shepherd-service-type home-ssh-agent-services) (service-extension home-environment-variables-service-type home-ssh-agent-environment-variables))) (description "Install and configure @command{ssh-agent} as a Shepherd service.")))