From 0b5c4b8c8f4cc8cfcf56ae1532355c7eb634d04b Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Thu, 16 Feb 2023 14:19:42 -0700
Subject: [PATCH] Test rekeying via agenix CLI

This test copies the example `secrets.nix` and age files and uses the user key to rekey them. It compares the hash before and after to ensure that the age file is actually being changed.
---
 test/integration.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/test/integration.nix b/test/integration.nix
index fc5629f..772adea 100644
--- a/test/integration.nix
+++ b/test/integration.nix
@@ -64,5 +64,19 @@ pkgs.nixosTest {
 system1.send_chars("whoami > /tmp/1\n")
 system1.wait_for_file("/tmp/1")
 assert "${user}" in system1.succeed("cat /tmp/1")
+
+ system1.succeed('cp -a "${../example}/." /tmp/secrets')
+ system1.succeed('chmod u+w /tmp/secrets/*.age')
+
+ before_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+ print(system1.succeed('cd /tmp/secrets; agenix -r -i /home/user1/.ssh/id_ed25519'))
+ after_hash = system1.succeed('sha256sum /tmp/secrets/passwordfile-user1.age').split()
+
+ # Ensure we actually have hashes
+ for h in [before_hash, after_hash]:
+ assert len(h) == 2, "hash should be [hash, filename]"
+ assert h[1] == "/tmp/secrets/passwordfile-user1.age", "filename is incorrect"
+ assert len(h[0].strip()) == 64, "hash length is incorrect"
+ assert before_hash[0] != after_hash[0], "hash did not change with rekeying"
 '';
 }
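Review bot: The final assertion only proves that passwordfile-user1.age changed, not that the rekeyed file is still decryptable with the intended key, so a rekey that produced an unreadable or wrongly-addressed file would still pass; decrypting before and after the `agenix -r` call and comparing the plaintext pins the actual contract, e.g. `before_plain = system1.succeed('cd /tmp/secrets; agenix -d passwordfile-user1.age -i /home/user1/.ssh/id_ed25519')` ahead of the rekey, the same call into `after_plain` afterwards, and `assert before_plain == after_plain, "rekeyed secret no longer decrypts to the original plaintext"`. The `.strip()` in `len(h[0].strip()) == 64` is redundant because `.split()` has already removed surrounding whitespace. The collapsed rendering of this hunk loses the Python indentation of the `for h in [before_hash, after_hash]:` body, so it is worth confirming that only the three per-hash asserts sit inside the loop and the before/after comparison is at loop level. The enclosing testScript string and the `pkgs.nixosTest` attribute set begin before this hunk.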