Test rekeying via agenix CLI

This test copies the example `secrets.nix` and age files and uses the
user key to rekey them. It compares the hash before and after to ensure
that the age file is actually being changed.
Nathan Henrie 2023-02-16 14:19:42 -07:00
parent 9e361f8b39
commit 0b5c4b8c8f


@ -64,5 +64,19 @@ pkgs.nixosTest {
system1.send_chars("whoami > /tmp/1\n")
system1.wait_for_file("/tmp/1")
assert "${user}" in system1.succeed("cat /tmp/1")
system1.succeed('cp -a "${../example}/." /tmp/secrets')
system1.succeed('chmod u+w /tmp/secrets/*.age')
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
# Ensure we actually have hashes
for h in [before_hash, after_hash]:
assert len(h) == 2, "hash should be [hash, filename]"
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
assert len(h[0].strip()) == 64, "hash length is incorrect"
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
'';
}
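Review bot: The closing check `assert before_hash[0] != after_hash[0]` only proves that the ciphertext bytes changed, and it would also pass if `agenix -r` wrote a truncated file or one that user1 can no longer decrypt, since age uses a fresh file key on every encryption. After the rekey, I would decrypt the file with the same identity and compare the plaintext, for example `plain = system1.succeed('age -d -i /home/user1/.ssh/id_ed25519 /tmp/secrets/passwordfile-user1.age')` followed by `assert plain.strip() == "<expected plaintext>", "rekeyed secret no longer decrypts to the original value"`. Whether `age` is on the VM's PATH is not visible in this hunk, so that needs confirming, and the placeholder must be replaced with the example secret's real content. Separately, `cd /tmp/secrets; agenix -r ...` should use `&&` so that a failed `cd` cannot let the rekey run in another directory. The testScript body starts outside this hunk, so an earlier decryption check may already cover part of this.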