+9

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

··· 343 343 </listitem> 344 344 <listitem> 345 345 <para> 346 346 + The <literal>pass-secret-service</literal> package now 347 347 + includes systemd units from upstream, so adding it to the 348 348 + NixOS <literal>services.dbus.packages</literal> option will 349 349 + make it start automatically as a systemd user service when an 350 350 + application tries to talk to the libsecret D-Bus API. 351 351 + </para> 352 352 + </listitem> 353 353 + <listitem> 354 354 + <para> 346 355 There is a new module for the <literal>thunar</literal> 347 356 program (the Xfce file manager), which depends on the 348 357 <literal>xfconf</literal> dbus service, and also has a dbus

+2

nixos/doc/manual/release-notes/rl-2211.section.md

··· 128 128 129 129 - Add udev rules for the Teensy family of microcontrollers. 130 130 131 131 + - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API. 132 132 + 131 133 - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed. 132 134 133 135 - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.

+1

nixos/modules/module-list.nix

··· 1002 1002 ./services/security/oauth2_proxy.nix 1003 1003 ./services/security/oauth2_proxy_nginx.nix 1004 1004 ./services/security/opensnitch.nix 1005 1005 + ./services/security/pass-secret-service.nix 1005 1006 ./services/security/privacyidea.nix 1006 1007 ./services/security/physlock.nix 1007 1008 ./services/security/shibboleth-sp.nix

+27

nixos/modules/services/security/pass-secret-service.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + cfg = config.services.passSecretService; 7 7 + in 8 8 + { 9 9 + options.services.passSecretService = { 10 10 + enable = mkEnableOption "pass secret service"; 11 11 + 12 12 + package = mkOption { 13 13 + type = types.package; 14 14 + default = pkgs.pass-secret-service; 15 15 + defaultText = literalExpression "pkgs.pass-secret-service"; 16 16 + description = "Which pass-secret-service package to use."; 17 17 + example = literalExpression "pkgs.pass-secret-service.override { python3 = pkgs.python310 }"; 18 18 + }; 19 19 + }; 20 20 + 21 21 + config = mkIf cfg.enable { 22 22 + systemd.packages = [ cfg.package ]; 23 23 + services.dbus.packages = [ cfg.package ]; 24 24 + }; 25 25 + 26 26 + meta.maintainers = with maintainers; [ aidalgol ]; 27 27 + }

+1

nixos/tests/all-tests.nix

··· 413 413 pam-oath-login = handleTest ./pam/pam-oath-login.nix {}; 414 414 pam-u2f = handleTest ./pam/pam-u2f.nix {}; 415 415 pam-ussh = handleTest ./pam/pam-ussh.nix {}; 416 416 + pass-secret-service = handleTest ./pass-secret-service.nix {}; 416 417 pantalaimon = handleTest ./matrix/pantalaimon.nix {}; 417 418 pantheon = handleTest ./pantheon.nix {}; 418 419 paperless = handleTest ./paperless.nix {};

+69

nixos/tests/pass-secret-service.nix

··· 1 1 + import ./make-test-python.nix ({ pkgs, lib, ... }: { 2 2 + name = "pass-secret-service"; 3 3 + meta.maintainers = with lib; [ aidalgol ]; 4 4 + 5 5 + nodes.machine = { nodes, pkgs, ... }: 6 6 + { 7 7 + imports = [ ./common/user-account.nix ]; 8 8 + 9 9 + services.passSecretService.enable = true; 10 10 + 11 11 + environment.systemPackages = [ 12 12 + # Create a script that tries to make a request to the D-Bus secrets API. 13 13 + (pkgs.writers.writePython3Bin "secrets-dbus-init" 14 14 + { 15 15 + libraries = [ pkgs.python3Packages.secretstorage ]; 16 16 + } '' 17 17 + import secretstorage 18 18 + print("Initializing dbus connection...") 19 19 + connection = secretstorage.dbus_init() 20 20 + print("Requesting default collection...") 21 21 + collection = secretstorage.get_default_collection(connection) 22 22 + print("Done! dbus-org.freedesktop.secrets should now be active.") 23 23 + '') 24 24 + pkgs.pass 25 25 + ]; 26 26 + 27 27 + programs.gnupg = { 28 28 + agent.enable = true; 29 29 + agent.pinentryFlavor = "tty"; 30 30 + dirmngr.enable = true; 31 31 + }; 32 32 + }; 33 33 + 34 34 + # Some of the commands are run via a virtual console because they need to be 35 35 + # run under a real login session, with D-Bus running in the environment. 36 36 + testScript = { nodes, ... }: 37 37 + let 38 38 + user = nodes.machine.config.users.users.alice; 39 39 + gpg-uid = "alice@example.net"; 40 40 + gpg-pw = "foobar9000"; 41 41 + ready-file = "/tmp/secrets-dbus-init.done"; 42 42 + in 43 43 + '' 44 44 + # Initialise the pass(1) storage. 45 45 + machine.succeed(""" 46 46 + sudo -u alice gpg --pinentry-mode loopback --batch --passphrase ${gpg-pw} \ 47 47 + --quick-gen-key ${gpg-uid} \ 48 48 + """) 49 49 + machine.succeed("sudo -u alice pass init ${gpg-uid}") 50 50 + 51 51 + with subtest("Service is not running on login"): 52 52 + machine.wait_until_tty_matches("1", "login: ") 53 53 + machine.send_chars("alice\n") 54 54 + machine.wait_until_tty_matches("1", "login: alice") 55 55 + machine.wait_until_succeeds("pgrep login") 56 56 + machine.wait_until_tty_matches("1", "Password: ") 57 57 + machine.send_chars("${user.password}\n") 58 58 + machine.wait_until_succeeds("pgrep -u alice bash") 59 59 + 60 60 + _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice") 61 61 + assert "Active: inactive (dead)" in output 62 62 + 63 63 + with subtest("Service starts after a client tries to talk to the D-Bus API"): 64 64 + machine.send_chars("secrets-dbus-init; touch ${ready-file}\n") 65 65 + machine.wait_for_file("${ready-file}") 66 66 + _, output = machine.systemctl("status dbus-org.freedesktop.secrets --no-pager", "alice") 67 67 + assert "Active: active (running)" in output 68 68 + ''; 69 69 + })

+33 -11

pkgs/applications/misc/pass-secret-service/default.nix

··· 1 1 - { lib, fetchFromGitHub, python3, dbus, gnupg }: 1 1 + { lib 2 2 + , fetchFromGitHub 3 3 + , python3 4 4 + , dbus 5 5 + , gnupg 6 6 + , coreutils 7 7 + , nixosTests 8 8 + }: 2 9 3 10 python3.pkgs.buildPythonApplication rec { 4 11 pname = "pass-secret-service"; 5 12 # PyPI has old alpha version. Since then the project has switched from using a 6 13 # seemingly abandoned D-Bus package pydbus and started using maintained 7 14 # dbus-next. So let's use latest from GitHub. 8 8 - version = "unstable-2020-04-12"; 15 15 + version = "unstable-2022-03-21"; 9 16 10 17 src = fetchFromGitHub { 11 18 owner = "mdellweg"; 12 19 repo = "pass_secret_service"; 13 13 - rev = "f6fbca6ac3ccd16bfec407d845ed9257adf74dfa"; 14 14 - sha256 = "0rm4pbx1fiwds1v7f99khhh7x3inv9yniclwd95mrbgljk3cc6a4"; 20 20 + rev = "149f8557e07098eee2f46561eea61e83255ac59b"; 21 21 + sha256 = "sha256-+/pFi6+K8rl0Ihm6cp/emUQVtau6+Apl8/VEr9AI0Xs="; 15 22 }; 16 23 24 24 + patches = [ 25 25 + # Only needed until https://github.com/mdellweg/pass_secret_service/pull/30 26 26 + # is merged. 27 27 + ./int_from_bytes-deprecation-fix.patch 28 28 + ]; 17 29 18 30 # Need to specify session.conf file for tests because it won't be found under 19 31 # /etc/ in check phase. 20 32 postPatch = '' 21 33 substituteInPlace Makefile \ 22 34 --replace "dbus-run-session" "dbus-run-session --config-file=${dbus}/share/dbus-1/session.conf" \ 23 23 - --replace '-p $(relpassstore)' '-p $(PASSWORD_STORE_DIR)' 35 35 + --replace '-p $(relpassstore)' '-p $(PASSWORD_STORE_DIR)' \ 36 36 + --replace 'pytest-3' 'pytest' 37 37 + 38 38 + substituteInPlace systemd/org.freedesktop.secrets.service \ 39 39 + --replace "/bin/false" "${coreutils}/bin/false" 40 40 + substituteInPlace systemd/dbus-org.freedesktop.secrets.service \ 41 41 + --replace "/usr/local" "$out" 42 42 + ''; 43 43 + 44 44 + postInstall = '' 45 45 + mkdir -p "$out/share/dbus-1/services/" "$out/lib/systemd/user/" 46 46 + cp systemd/org.freedesktop.secrets.service "$out/share/dbus-1/services/" 47 47 + cp systemd/dbus-org.freedesktop.secrets.service "$out/lib/systemd/user/" 24 48 ''; 25 49 26 50 propagatedBuildInputs = with python3.pkgs; [ ··· 44 68 ps.pypass 45 69 ]; 46 70 47 47 - checkPhase = '' 48 48 - runHook preCheck 49 49 - make test 50 50 - runHook postCheck 51 51 - ''; 71 71 + checkTarget = "test"; 72 72 + 73 73 + passthru.tests.pass-secret-service = nixosTests.pass-secret-service; 52 74 53 75 meta = { 54 76 description = "Libsecret D-Bus API with pass as the backend"; 55 77 homepage = "https://github.com/mdellweg/pass_secret_service/"; 56 78 license = lib.licenses.gpl3Only; 57 79 platforms = lib.platforms.all; 58 58 - maintainers = with lib.maintainers; [ jluttine ]; 80 80 + maintainers = with lib.maintainers; [ jluttine aidalgol ]; 59 81 }; 60 82 }

+22

pkgs/applications/misc/pass-secret-service/int_from_bytes-deprecation-fix.patch

··· 1 1 + --- a/pass_secret_service/interfaces/session.py 2 2 + +++ b/pass_secret_service/interfaces/session.py 3 3 + @@ -4,7 +4,6 @@ 4 4 + import os 5 5 + import hmac 6 6 + from hashlib import sha256 7 7 + -from cryptography.utils import int_from_bytes 8 8 + from cryptography.hazmat.backends import default_backend 9 9 + from cryptography.hazmat.primitives.ciphers import Cipher 10 10 + from cryptography.hazmat.primitives.ciphers.modes import CBC 11 11 + @@ -27,9 +26,9 @@ class Session(ServiceInterface, SerialMixin): 12 12 + @classmethod 13 13 + @run_in_executor 14 14 + def _create_dh(cls, input): 15 15 + - priv_key = int_from_bytes(os.urandom(0x80), "big") 16 16 + + priv_key = int.from_bytes(os.urandom(0x80), "big") 17 17 + pub_key = pow(2, priv_key, dh_prime) 18 18 + - shared_secret = pow(int_from_bytes(input, "big"), priv_key, dh_prime) 19 19 + + shared_secret = pow(int.from_bytes(input, "big"), priv_key, dh_prime) 20 20 + salt = b"\x00" * 0x20 21 21 + shared_key = hmac.new(salt, shared_secret.to_bytes(0x80, "big"), sha256).digest() 22 22 + aes_key = hmac.new(shared_key, b"\x01", sha256).digest()[:0x10]