ryantm · ryantm · Feb 20, 2023 · Feb 20, 2023
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
@@ -130,7 +130,7 @@ function decrypt {
         err "There is no rule for $FILE in $RULES."
     fi
 
-    if [ -f "$FILE" ]
+    if [ -f "$FILE" ] && [ -t 0 ]
     then
         DECRYPT=("${DEFAULT_DECRYPT[@]}")
         if [[ "${DECRYPT[*]}" != *"--identity"* ]]; then
@@ -171,7 +171,7 @@ function edit {
       warn "$FILE wasn't created."
       return
     fi
-    [ -f "$FILE" ] && [ "$EDITOR" != ":" ] && @diffBin@ -q -- "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
+    [ -f "$FILE" ] && [ "$EDITOR" != ":" ]  && [ -f "$CLEARTEXT_FILE.before" ] && @diffBin@ -q "$CLEARTEXT_FILE.before" "$CLEARTEXT_FILE" && warn "$FILE wasn't changed, skipping re-encryption." && return
 
     ENCRYPT=()
     if [[ "$ARMOR" == "true" ]]; then

diff --git a/test/fixtures/one-way/secrets.nix b/test/fixtures/one-way/secrets.nix
@@ -0,0 +1,6 @@
+let
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+in
+{
+  "one-way.age".publicKeys = [ system1 ];
+}
diff --git a/test/install_ssh_host_keys.nix b/test/install_ssh_host_keys.nix
@@ -25,5 +25,9 @@
     cp -r "${../example}" /tmp/secrets
     chmod -R u+rw /tmp/secrets
     chown -R $USER1_UID:$USERS_GID /tmp/secrets
+
+    cp -r "${./fixtures/one-way}" /tmp/secrets-one-way
+    chmod -R u+rw /tmp/secrets-one-way
+    chown -R $USER1_UID:$USERS_GID /tmp/secrets-one-way
   '';
 }
diff --git a/test/integration.nix b/test/integration.nix
@@ -108,6 +108,9 @@ pkgs.nixosTest {
 
       assert "${hyphen-secret}" in system1.succeed("cat /run/agenix/leading-hyphen")
 
+      userDir = "/tmp/secrets"
+      userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd {userDir}; {input}'"
+
       userDo = lambda input : f"sudo -u user1 -- bash -c 'set -eou pipefail; cd /tmp/secrets; {input}'"
 
       before_hash = system1.succeed(userDo('sha256sum passwordfile-user1.age')).split()
@@ -138,5 +141,13 @@ pkgs.nixosTest {
 
       # finally, the plain text should not linger around anywhere in the filesystem.
       system1.fail("grep -r secret1234 /tmp")
+
+      # user1 can make a one-way secret, but cannot see the contents, and host can decrypt
+      userDir = "/tmp/secrets-one-way"
+      system1.succeed(userDo("echo eye1234 | agenix -e one-way.age"))
+      system1.fail(userDo("EDITOR=cat agenix -e one-way.age"))
+      assert "eye1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
+      system1.succeed(userDo("echo nose1234 | agenix -e one-way.age"))
+      assert "nose1234" in system1.succeed(f"cd {userDir};EDITOR=cat agenix -e one-way.age -i /etc/ssh/ssh_host_ed25519_key")
     '';
 }