git-crypt 0.1.4

A Rust implementation of git-crypt for transparent encryption of files in a git repository
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

#![cfg(feature = "ssh")]

mod common;

use common::{create_git_repo, git_crypt_cmd};
use predicates::prelude::*;
use std::fs;

const TEST_SSH_ED25519_PUB: &str =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsKLqeplhpW+uObz5dvMgjz1OxfM/XXUB+VHtZ6isGN alice@rust";
const TEST_SSH_ED25519_SK: &str = r#"-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACB7Ci6nqZYaVvrjm8+XbzII89TsXzP111AflR7WeorBjQAAAJCfEwtqnxML
agAAAAtzc2gtZWQyNTUxOQAAACB7Ci6nqZYaVvrjm8+XbzII89TsXzP111AflR7WeorBjQ
AAAEADBJvjZT8X6JRJI8xVq/1aU8nMVgOtVnmdwqWwrSlXG3sKLqeplhpW+uObz5dvMgjz
1OxfM/XXUB+VHtZ6isGNAAAADHN0cjRkQGNhcmJvbgE=
-----END OPENSSH PRIVATE KEY-----"#;

#[test]
fn add_ssh_user_and_import_age_key_round_trip() {
    // Producer repository creates the shared key
    let producer = create_git_repo();
    git_crypt_cmd()
        .arg("init")
        .current_dir(producer.path())
        .assert()
        .success();

    let pub_path = producer.path().join("alice.pub");
    fs::write(&pub_path, TEST_SSH_ED25519_PUB).unwrap();

    git_crypt_cmd()
        .args([
            "add-ssh-user",
            "--ssh-key",
            pub_path.to_str().unwrap(),
            "--alias",
            "alice",
        ])
        .current_dir(producer.path())
        .assert()
        .success()
        .stdout(predicate::str::contains("Encrypted key saved"));

    let shared_age_key = producer.path().join(".git/git-crypt/keys/age/alice.age");
    assert!(shared_age_key.exists());

    // Consumer repository imports the key using their SSH identity
    let consumer = create_git_repo();
    git_crypt_cmd()
        .arg("init")
        .current_dir(consumer.path())
        .assert()
        .success();

    let age_copy = consumer.path().join("alice.age");
    fs::copy(&shared_age_key, &age_copy).unwrap();
    let identity_path = consumer.path().join("alice");
    fs::write(&identity_path, TEST_SSH_ED25519_SK).unwrap();

    git_crypt_cmd()
        .args([
            "import-age-key",
            "--input",
            age_copy.to_str().unwrap(),
            "--identity",
            identity_path.to_str().unwrap(),
        ])
        .current_dir(consumer.path())
        .assert()
        .success()
        .stdout(predicate::str::contains("imported successfully"));

    assert!(consumer.path().join(".git/git-crypt/keys/default").exists());
}

#[test]
fn add_ssh_user_requires_ssh_key_argument() {
    let repo = create_git_repo();
    git_crypt_cmd()
        .arg("init")
        .current_dir(repo.path())
        .assert()
        .success();

    git_crypt_cmd()
        .args(["add-ssh-user", "--alias", "test"])
        .current_dir(repo.path())
        .assert()
        .failure()
        .stderr(predicate::str::contains("<SSH_KEY>"));
}

#[test]
fn add_ssh_user_rejects_invalid_ssh_key() {
    let repo = create_git_repo();
    git_crypt_cmd()
        .arg("init")
        .current_dir(repo.path())
        .assert()
        .success();

    let bogus_key = repo.path().join("invalid.pub");
    fs::write(&bogus_key, "this is not an ssh key").unwrap();

    git_crypt_cmd()
        .args([
            "add-ssh-user",
            "--ssh-key",
            bogus_key.to_str().unwrap(),
            "--alias",
            "invalid",
        ])
        .current_dir(repo.path())
        .assert()
        .failure()
        .stderr(predicate::str::contains("Invalid SSH recipient"));
}