mirror of
https://github.com/ryantm/agenix.git
synced 2024-11-25 02:58:30 +03:00
Add -c option to create or replace a file without decrypting it first
This commit is contained in:
parent
de96bd907d
commit
a995c0d606
3 changed files with 32 additions and 5 deletions
|
@ -55,6 +55,7 @@ in
|
|||
)
|
||||
|
||||
cd $HOME/secrets
|
||||
echo hello | ${bin} -c secret1.age
|
||||
test $(${bin} -d secret1.age) = "hello"
|
||||
'';
|
||||
|
||||
|
|
|
@ -6,12 +6,15 @@ PACKAGE="agenix"
|
|||
function show_help () {
|
||||
echo "$PACKAGE - edit and rekey age secret files"
|
||||
echo " "
|
||||
echo "$PACKAGE -c FILE"
|
||||
echo "$PACKAGE -e FILE [-i PRIVATE_KEY]"
|
||||
echo "$PACKAGE -r [-i PRIVATE_KEY]"
|
||||
echo ' '
|
||||
echo 'options:'
|
||||
echo '-h, --help show help'
|
||||
# shellcheck disable=SC2016
|
||||
echo '-c, --create FILE create or replace FILE using $EDITOR'
|
||||
# shellcheck disable=SC2016
|
||||
echo '-e, --edit FILE edits FILE using $EDITOR'
|
||||
echo '-r, --rekey re-encrypts all secrets with specified recipients'
|
||||
echo '-d, --decrypt FILE decrypts FILE to STDOUT'
|
||||
|
@ -46,6 +49,7 @@ function err() {
|
|||
test $# -eq 0 && (show_help && exit 1)
|
||||
|
||||
REKEY=0
|
||||
ENCRYPT_ONLY=0
|
||||
DECRYPT_ONLY=0
|
||||
DEFAULT_DECRYPT=(--decrypt)
|
||||
|
||||
|
@ -55,6 +59,17 @@ while test $# -gt 0; do
|
|||
show_help
|
||||
exit 0
|
||||
;;
|
||||
-c|--create)
|
||||
shift
|
||||
ENCRYPT_ONLY=1
|
||||
if test $# -gt 0; then
|
||||
export FILE=$1
|
||||
else
|
||||
echo "no FILE specified"
|
||||
exit 1
|
||||
fi
|
||||
shift
|
||||
;;
|
||||
-e|--edit)
|
||||
shift
|
||||
if test $# -gt 0; then
|
||||
|
@ -153,22 +168,29 @@ function edit {
|
|||
CLEARTEXT_FILE="$CLEARTEXT_DIR/$(basename "$FILE")"
|
||||
DEFAULT_DECRYPT+=(-o "$CLEARTEXT_FILE")
|
||||
|
||||
decrypt "$FILE" "$KEYS" || exit 1
|
||||
|
||||
[ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||
# Decrypt file
|
||||
if [ $ENCRYPT_ONLY -eq 0 ]
|
||||
then
|
||||
decrypt "$FILE" "$KEYS" || exit 1
|
||||
[ ! -f "$CLEARTEXT_FILE" ] || cp "$CLEARTEXT_FILE" "$CLEARTEXT_FILE.before"
|
||||
else
|
||||
touch "$CLEARTEXT_FILE.before"
|
||||
fi
|
||||
|
||||
# Prompt file edit
|
||||
[ -t 0 ] || EDITOR='cp /dev/stdin'
|
||||
|
||||
$EDITOR "$CLEARTEXT_FILE"
|
||||
|
||||
# Check file status
|
||||
if [ ! -f "$CLEARTEXT_FILE" ]
|
||||
then
|
||||
warn "$FILE wasn't created."
|
||||
return
|
||||
fi
|
||||
[ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
|
||||
[ $ENCRYPT_ONLY -eq 0 ] && [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
|
||||
|
||||
ENCRYPT=()
|
||||
# Build recipient list
|
||||
while IFS= read -r key
|
||||
do
|
||||
if [ -n "$key" ]; then
|
||||
|
|
|
@ -120,6 +120,10 @@ pkgs.nixosTest {
|
|||
# and get it back out via --decrypt
|
||||
assert "secret1234" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
|
||||
|
||||
# user1 can recreate the secret without decrypting it
|
||||
system1.succeed(userDo("echo 'secret5678' | agenix -c passwordfile-user1.age"))
|
||||
assert "secret5678" in system1.succeed(userDo("agenix -d passwordfile-user1.age"))
|
||||
|
||||
# finally, the plain text should not linger around anywhere in the filesystem.
|
||||
system1.fail("grep -r secret1234 /tmp")
|
||||
'';
|
||||
|
|
Loading…
Reference in a new issue