From 63e9da1737d97ec236d86dd7e7339bc42f42ecac Mon Sep 17 00:00:00 2001
From: Ryan Mulligan <ryan@ryantm.com>
Date: Mon, 20 Feb 2023 12:03:14 -0800
Subject: [PATCH] test: add tests for one-way encrypted secrets

---
 test/fixtures/one-way/secrets.nix |  5 +++++
 test/install_ssh_host_keys.nix    |  4 ++++
 test/integration.nix              | 13 +++++++++++--
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/one-way/secrets.nix

diff --git a/test/fixtures/one-way/secrets.nix b/test/fixtures/one-way/secrets.nix
new file mode 100644
index 0000000..4e81ad5
--- /dev/null
+++ b/test/fixtures/one-way/secrets.nix
@@ -0,0 +1,5 @@
+let
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in {
+  "one-way.age".publicKeys = [system1];
+}
diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
index 72d82ee..fe6ad37 100644
--- a/test/install_ssh_host_keys.nix
+++ b/test/install_ssh_host_keys.nix
@@ -24,5 +24,9 @@
     cp -r "${../example}" /tmp/secrets
     chmod -R u+rw /tmp/secrets
     chown -R $USER1_UID:$USERS_GID /tmp/secrets
+
+    cp -r "${./fixtures/one-way}" /tmp/secrets-one-way
+    chmod -R u+rw /tmp/secrets-one-way
+    chown -R $USER1_UID:$USERS_GID /tmp/secrets-one-way
   '';
 }
diff --git a/test/integration.nix b/test/integration.nix
index ff1bbac..0dbe5d0 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -66,7 +66,8 @@ pkgs.nixosTest {
     system1.wait_for_file("/tmp/1")
     assert "${user}" in system1.succeed("cat /tmp/1")
 
-    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
+    userDir = "/tmp/secrets"
+    userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd {userDir}; {input}'"
 
     before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
     print(system1.succeed(userDo('agenix -r -i /home/user1/.ssh/id_ed25519')))
@@ -89,7 +90,15 @@ pkgs.nixosTest {
     system1.succeed(userDo("rm ~/.ssh/id_rsa"))
 
     # user1 can edit a secret by piping in contents
-    system1.succeed(userDo("echo 'secret1234' | agenix -e passwordfile-user1.age"))
+    system1.succeed(userDo("echo secret1234 | agenix -e passwordfile-user1.age"))
     assert "secret1234" in system1.succeed(userDo("EDITOR=cat agenix -e passwordfile-user1.age"))
+
+    # user1 can make a one-way secret, but cannot see the contents, and host can decrypt
+    userDir = "/tmp/secrets-one-way"
+    system1.succeed(userDo("echo eye1234 | agenix -e one-way.age"))
+    system1.fail(userDo("EDITOR=cat agenix -e one-way.age"))
+    assert "eye1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
+    system1.succeed(userDo("echo nose1234 | agenix -e one-way.age"))
+    assert "nose1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
   '';
 }