Test rekeying via agenix CLI
This test copies the example `secrets.nix` and age files and uses the user key to rekey them. It compares the hash before and after to ensure that the age file is actually being changed.
parent
9e361f8b39
commit
0b5c4b8c8f
1 changed files with 14 additions and 0 deletions
|
@ -64,5 +64,19 @@ pkgs.nixosTest {
|
||||||
system1.send_chars("whoami > /tmp/1\n")
|
system1.send_chars("whoami > /tmp/1\n")
|
||||||
system1.wait_for_file("/tmp/1")
|
system1.wait_for_file("/tmp/1")
|
||||||
assert "${user}" in system1.succeed("cat /tmp/1")
|
assert "${user}" in system1.succeed("cat /tmp/1")
|
||||||
|
|
||||||
|
system1.succeed('cp -a "${../example}/." /tmp/secrets')
|
||||||
|
system1.succeed('chmod u+w /tmp/secrets/*.age')
|
||||||
|
|
||||||
|
before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||||
|
print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
|
||||||
|
after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
|
||||||
|
|
||||||
|
# Ensure we actually have hashes
|
||||||
|
for h in [before_hash, after_hash]:
|
||||||
|
assert len(h) == 2, "hash should be [hash, filename]"
|
||||||
|
assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
|
||||||
|
assert len(h[0].strip()) == 64, "hash length is incorrect"
|
||||||
|
assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
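Review bot: The closing assertion `assert before_hash[0] != after_hash[0]` only proves that the ciphertext bytes changed, so it would also pass if the rekey exited 0 but wrote a truncated or undecryptable file. age ciphertext differs on every encryption anyway, so the inequality says nothing about whether the secret survived the round trip. Consider also capturing the plaintext on both sides of the `agenix -r` call and comparing it, e.g. `plain_before = system1.succeed('age -d -i /home/user1/.ssh/id_ed25519 /tmp/secrets/passwordfile-user1.age')`, the same call into `plain_after` after the rekey, then `assert plain_before == plain_after, "plaintext changed with rekeying"`. This assumes an `age` binary is on the VM's PATH, which the hunk does not show. Only `passwordfile-user1.age` is checked although the rekey touches every file listed in the copied `secrets.nix`, and the test script body starts above this hunk, so earlier decryption checks may exist that I cannot see.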