From dddc664d4a2fedfe647cc1f4b7eaa337d3f6ed98 Mon Sep 17 00:00:00 2001
From: Felix Scheinost
Date: Fri, 25 Oct 2024 14:55:28 +0200
Subject: [PATCH] feat: rekey only specific identity
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently rekey re-encrypts all files. For my personal use-case, agenix would ideally only files that require rekeying, i.e. files where the identities changed. But I don’t think there’s an (easy) way to achieve that with `age` currently, as there’s no way to get the current recipients from an encrypted file? This change would allow the user to manually specifiy that only secrets that contain a given identity should be rekeyed. In my use-case this is handy as when I add a new server I want all secrets that are shared between servers (where the new identity was added) to be rekeyed, but I don’t want all secrets that are personal to different servers to also be rekeyed.
---
 pkgs/agenix.sh | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/pkgs/agenix.sh b/pkgs/agenix.sh
index 3d0415e..1d14575 100644
--- a/pkgs/agenix.sh
+++ b/pkgs/agenix.sh
@@ -13,7 +13,7 @@ function show_help () {
 echo '-h, --help show help'
 # shellcheck disable=SC2016
 echo '-e, --edit FILE edits FILE using $EDITOR'
- echo '-r, --rekey re-encrypts all secrets with specified recipients'
+ echo '-r, --rekey [PUBLIC_KEY] re-encrypts all secrets with specified recipients'
 echo '-d, --decrypt FILE decrypts FILE to STDOUT'
 echo '-i, --identity identity to use when decrypting'
 echo '-v, --verbose verbose output'
@@ -46,6 +46,7 @@ function err() {
 test $# -eq 0 && (show_help && exit 1)
 REKEY=0
+REKEY_PUBLIC_KEY=
 DECRYPT_ONLY=0
 DEFAULT_DECRYPT=(--decrypt)
@@ -77,6 +78,10 @@ while test $# -gt 0; do
 ;;
 -r|--rekey)
 shift
+ if test $# -gt 0; then
+ REKEY_PUBLIC_KEY="$1"
+ shift
+ fi
 REKEY=1
 ;;
 -d|--decrypt) 
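Review bot: The new help line advertises `[PUBLIC_KEY]` but does not say what the argument does, so a user cannot tell from `--help` that it restricts rekeying to secrets whose `publicKeys` list contains that key. Suggest `echo '-r, --rekey [PUBLIC_KEY] re-encrypts all secrets, or only those whose publicKeys include PUBLIC_KEY, with specified recipients'`. If the usage synopsis at the top of show_help also lists `-r` (that part of the function is outside this hunk), it should mention the optional argument as well.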
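Review bot: The added `if test $# -gt 0` in the `-r|--rekey` arm consumes whatever word follows `-r` unconditionally, so `agenix -r -i key.txt` or `agenix -r -v` would store `-i`/`-v` in REKEY_PUBLIC_KEY and leave the real option's argument to fall through to the remaining case arms. Only treat the next word as a key when it is not an option, e.g. `if test $# -gt 0 && test "${1#-}" = "$1"; then` — age and ssh public keys never begin with `-`. Because REKEY_PUBLIC_KEY is later spliced verbatim into a Nix expression string (the FILTER_EXPRESSION assignment in the rekey hunk), rejecting values that contain `"`, `\` or `$` at this assignment would keep a malformed key from breaking or altering the filter expression. The enclosing `while`/`case` begins and ends outside this hunk.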
@@ -189,7 +194,22 @@ function edit {
 }
 function rekey {
- FILES=$( (@nixInstantiate@ --json --eval -E "(let rules = import $RULES; in builtins.attrNames rules)" | @jqBin@ -r .[]) || exit 1)
+ if test ! -z "$REKEY_PUBLIC_KEY"; then
+ FILTER_EXPRESSION="builtins.elem \"$REKEY_PUBLIC_KEY\" rules.\${file}.publicKeys";
+ else
+ FILTER_EXPRESSION="true";
+ fi
+
+ RULES_EXPRESSION=$(cat <