Merge pull request #168879 from aidalgol/pass-secret-service-systemd-unit

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

@@ -341,6 +341,15 @@
           Add udev rules for the Teensy family of microcontrollers.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The <literal>pass-secret-service</literal> package now
+          includes systemd units from upstream, so adding it to the
+          NixOS <literal>services.dbus.packages</literal> option will
+          make it start automatically as a systemd user service when an
+          application tries to talk to the libsecret D-Bus API.
+        </para>
+      </listitem>
       <listitem>
         <para>
           There is a new module for the <literal>thunar</literal>

nixos/doc/manual/release-notes/rl-2211.section.md

@@ -128,6 +128,8 @@ Use `configure.packages` instead.
 
 - Add udev rules for the Teensy family of microcontrollers.
 
+- The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
+
 - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
 
 - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.

nixos/modules/module-list.nix

@@ -1002,6 +1002,7 @@
   ./services/security/oauth2_proxy.nix
   ./services/security/oauth2_proxy_nginx.nix
   ./services/security/opensnitch.nix
+  ./services/security/pass-secret-service.nix
   ./services/security/privacyidea.nix
   ./services/security/physlock.nix
   ./services/security/shibboleth-sp.nix

nixos/modules/services/security/pass-secret-service.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.passSecretService;
+in
+{
+  options.services.passSecretService = {
+    enable = mkEnableOption "pass secret service";
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.pass-secret-service;
+      defaultText = literalExpression "pkgs.pass-secret-service";
+      description = "Which pass-secret-service package to use.";
+      example = literalExpression "pkgs.pass-secret-service.override { python3 = pkgs.python310 }";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.packages = [ cfg.package ];
+    services.dbus.packages = [ cfg.package ];
+  };
+
+  meta.maintainers = with maintainers; [ aidalgol ];
+}

nixos/tests/all-tests.nix

@@ -413,6 +413,7 @@ in {
   pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
   pam-u2f = handleTest ./pam/pam-u2f.nix {};
   pam-ussh = handleTest ./pam/pam-ussh.nix {};
+  pass-secret-service = handleTest ./pass-secret-service.nix {};
   pantalaimon = handleTest ./matrix/pantalaimon.nix {};
   pantheon = handleTest ./pantheon.nix {};
   paperless = handleTest ./paperless.nix {};

nixos/tests/pass-secret-service.nix

@@ -0,0 +1,69 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+  name = "pass-secret-service";
+  meta.maintainers = with lib; [ aidalgol ];
+
+  nodes.machine = { nodes, pkgs, ... }:
+    {
+      imports = [ ./common/user-account.nix ];
+
+      services.passSecretService.enable = true;
+
+      environment.systemPackages = [
+        # Create a script that tries to make a request to the D-Bus secrets API.
+        (pkgs.writers.writePython3Bin "secrets-dbus-init"
+          {
+            libraries = [ pkgs.python3Packages.secretstorage ];
+          } ''
+          import secretstorage
+          print("Initializing dbus connection...")
+          connection = secretstorage.dbus_init()
+          print("Requesting default collection...")
+          collection = secretstorage.get_default_collection(connection)
+          print("Done!  dbus-org.freedesktop.secrets should now be active.")
+        '')
+        pkgs.pass
+      ];
+
+      programs.gnupg = {
+        agent.enable = true;
+        agent.pinentryFlavor = "tty";
+        dirmngr.enable = true;
+      };
+    };
+
+  # Some of the commands are run via a virtual console because they need to be
+  # run under a real login session, with D-Bus running in the environment.
+  testScript = { nodes, ... }:
+    let
+      user = nodes.machine.config.users.users.alice;
+      gpg-uid = "alice@example.net";
+      gpg-pw = "foobar9000";
+      ready-file = "/tmp/secrets-dbus-init.done";
+    in
+    ''
+      # Initialise the pass(1) storage.
+      machine.succeed("""
+        sudo -u alice gpg --pinentry-mode loopback --batch --passphrase ${gpg-pw} \
+        --quick-gen-key ${gpg-uid} \
+      """)
+      machine.succeed("sudo -u alice pass init ${gpg-uid}")
+
+      with subtest("Service is not running on login"):
+          machine.wait_until_tty_matches("1", "login: ")
+          machine.send_chars("alice\n")
+          machine.wait_until_tty_matches("1", "login: alice")
+          machine.wait_until_succeeds("pgrep login")
+          machine.wait_until_tty_matches("1", "Password: ")
+          machine.send_chars("${user.password}\n")
+          machine.wait_until_succeeds("pgrep -u alice bash")
+
+          _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice")
+          assert "Active: inactive (dead)" in output
+
+      with subtest("Service starts after a client tries to talk to the D-Bus API"):
+          machine.send_chars("secrets-dbus-init; touch ${ready-file}\n")
+          machine.wait_for_file("${ready-file}")
+          _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice")
+          assert "Active: active (running)" in output
+    '';
+})

pkgs/applications/misc/pass-secret-service/default.nix

@@ -1,26 +1,50 @@
-{ lib, fetchFromGitHub, python3, dbus, gnupg }:
+{ lib
+, fetchFromGitHub
+, python3
+, dbus
+, gnupg
+, coreutils
+, nixosTests
+}:
 
 python3.pkgs.buildPythonApplication rec {
   pname = "pass-secret-service";
   # PyPI has old alpha version. Since then the project has switched from using a
   # seemingly abandoned D-Bus package pydbus and started using maintained
   # dbus-next. So let's use latest from GitHub.
-  version = "unstable-2020-04-12";
+  version = "unstable-2022-03-21";
 
   src = fetchFromGitHub {
     owner = "mdellweg";
     repo = "pass_secret_service";
-    rev = "f6fbca6ac3ccd16bfec407d845ed9257adf74dfa";
+    rev = "149f8557e07098eee2f46561eea61e83255ac59b";
-    sha256 = "0rm4pbx1fiwds1v7f99khhh7x3inv9yniclwd95mrbgljk3cc6a4";
+    sha256 = "sha256-+/pFi6+K8rl0Ihm6cp/emUQVtau6+Apl8/VEr9AI0Xs=";
   };
 
+  patches = [
+    # Only needed until https://github.com/mdellweg/pass_secret_service/pull/30
+    # is merged.
+    ./int_from_bytes-deprecation-fix.patch
+  ];
 
   # Need to specify session.conf file for tests because it won't be found under
   # /etc/ in check phase.
   postPatch = ''
     substituteInPlace Makefile \
       --replace "dbus-run-session" "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf" \
-      --replace '-p $(relpassstore)' '-p $(PASSWORD_STORE_DIR)'
+      --replace '-p $(relpassstore)' '-p $(PASSWORD_STORE_DIR)' \
+      --replace 'pytest-3' 'pytest'
+
+    substituteInPlace systemd/org.freedesktop.secrets.service \
+      --replace "/bin/false" "${coreutils}/bin/false"
+    substituteInPlace systemd/dbus-org.freedesktop.secrets.service \
+      --replace "/usr/local" "$out"
+  '';
+
+  postInstall = ''
+    mkdir -p "$out/share/dbus-1/services/" "$out/lib/systemd/user/"
+    cp systemd/org.freedesktop.secrets.service "$out/share/dbus-1/services/"
+    cp systemd/dbus-org.freedesktop.secrets.service "$out/lib/systemd/user/"
   '';
 
   propagatedBuildInputs = with python3.pkgs; [
@@ -44,17 +68,15 @@ python3.pkgs.buildPythonApplication rec {
       ps.pypass
     ];
 
-  checkPhase = ''
+  checkTarget = "test";
-    runHook preCheck
+
-    make test
+  passthru.tests.pass-secret-service = nixosTests.pass-secret-service;
-    runHook postCheck
-  '';
 
   meta = {
     description = "Libsecret D-Bus API with pass as the backend";
     homepage = "https://github.com/mdellweg/pass_secret_service/";
     license = lib.licenses.gpl3Only;
     platforms = lib.platforms.all;
-    maintainers = with lib.maintainers; [ jluttine ];
+    maintainers = with lib.maintainers; [ jluttine aidalgol ];
   };
 }

pkgs/applications/misc/pass-secret-service/int_from_bytes-deprecation-fix.patch

@@ -0,0 +1,22 @@
+--- a/pass_secret_service/interfaces/session.py
++++ b/pass_secret_service/interfaces/session.py
+@@ -4,7 +4,6 @@
+ import os
+ import hmac
+ from hashlib import sha256
+-from cryptography.utils import int_from_bytes
+ from cryptography.hazmat.backends import default_backend
+ from cryptography.hazmat.primitives.ciphers import Cipher
+ from cryptography.hazmat.primitives.ciphers.modes import CBC
+@@ -27,9 +26,9 @@ class Session(ServiceInterface, SerialMixin):
+     @classmethod
+     @run_in_executor
+     def _create_dh(cls, input):
+-        priv_key = int_from_bytes(os.urandom(0x80), "big")
++        priv_key = int.from_bytes(os.urandom(0x80), "big")
+         pub_key = pow(2, priv_key, dh_prime)
+-        shared_secret = pow(int_from_bytes(input, "big"), priv_key, dh_prime)
++        shared_secret = pow(int.from_bytes(input, "big"), priv_key, dh_prime)
+         salt = b"\x00" * 0x20
+         shared_key = hmac.new(salt, shared_secret.to_bytes(0x80, "big"), sha256).digest()
+         aes_key = hmac.new(shared_key, b"\x01", sha256).digest()[:0x10]