Allow specific files to be re-encrypted with --rekey
#149
Conversation
devplayer0
force-pushed
the
add-rekey-one-flag
branch
from
9bece1a
to
58820d9
Compare
There was a problem hiding this comment.
Thanks for doing this! This seems like a useful addition. However, I wonder if --rekey-one is the best name. Actually, you can rekey multiple files. Without thinking too much about it, wouldn't it be possible to make the --rekey option accept the file paths while defaulting to all secrets if no argument is given (to maintain backward compatibility)?
devplayer0
force-pushed
the
add-rekey-one-flag
branch
from
58820d9
to
4f073cf
Compare
Sometimes it's useful to rekey only specific secrets. This change allows paths to be passed to the `--rekey` option in order to only re-encrypt them, defaulting to all as before.
devplayer0
force-pushed
the
add-rekey-one-flag
branch
from
4f073cf
to
1a7fd94
Compare
devplayer0
changed the title
--rekey-one option--rekey
Yeah that's a good point, it's definitely neater that way. I've updated the PR to implement this. |
| @@ -35,10 +35,12 @@ fn build() -> Command { | |||
| ) | |||
| .arg( | |||
| Arg::new("rekey") | |||
| .help("re-encrypts all secrets with specified recipients") | |||
| .help("re-encrypts secrets with specified recipients") | |||
There was a problem hiding this comment.
| .help("re-encrypts secrets with specified recipients") | |
| .help("re-encrypts all or the given secrets with specified recipients") |
| * `-r`, `--rekey`: | ||
| Decrypt all secrets given in the rules configuration file and encrypt them | ||
| with the defined public keys. If a secret file does not exist yet, it is | ||
| * `-r`, `--rekey` [PATH]: |
There was a problem hiding this comment.
Please also add the [PATH] to the synopsis section.
| } else if let Some(paths) = opts.rekey { | ||
| if paths.is_empty() { | ||
| // Option passed but no files specified - rekey all | ||
| ragenix::rekey(&rules, &identities, true, &mut std::io::stdout())?; | ||
| } else { | ||
| let paths_normalized = paths | ||
| .into_iter() | ||
| .map(util::canonicalize_rule_path) | ||
| .collect::<Result<Vec<PathBuf>>>()?; | ||
| let chosen_rules = rules | ||
| .into_iter() | ||
| .filter(|x| paths_normalized.contains(&x.path)) | ||
| .collect::<Vec<ragenix::RagenixRule>>(); | ||
|
|
||
| ragenix::rekey(&chosen_rules, &identities, false, &mut std::io::stdout())?; | ||
| } |
There was a problem hiding this comment.
I think it would be better if you did this in the ragenix module. Since you are already adding a new parameter to rekey, it could be the given paths. Alternatively, adding a new rekey_{some,given,chosen} function is also fine for me.
|
Ah, and also please update the usage section of the README 🙂 |
Sometimes it's useful to rekey only specific secrets. This change allows
paths to be passed to the
--rekeyoption in order to only re-encryptthem, defaulting to all as before.
An example of where this is useful is when adding a new machine to a centralised repo with many secrets, where only a few that are shared between all configs need to be rekeyed.