-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathsecrets.js
211 lines (181 loc) · 6.02 KB
/
secrets.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
const crypto = require("crypto");
const fs = require("fs");
const path = require("path");
const dotenv = require("dotenv");
const { log } = require("./utils.js");
const PBKDF2_ROUNDS = 50000;
const PBKDF2_KEYLEN = 32;
const PBKDF2_DIGEST = "sha256";
const ALGORITHM = "aes-256-gcm";
const AES_AUTH_TAG_BYTES = 16;
const AES_IV_BYTES = 12;
const AES_SALT_BYTES = 8;
const ENCODING = "base64";
const ENCODING_PREFIX = "base64:";
function masterKey() {
if (!process.env.GITOPS_SECRETS_MASTER_KEY || process.env.GITOPS_SECRETS_MASTER_KEY.length < 16) {
throw `The 'GITOPS_SECRETS_MASTER_KEY' environment variable must be set to a string of 16 characters or more`;
}
return process.env.GITOPS_SECRETS_MASTER_KEY;
}
/**
* Encrypt secrets
* @param {string} secrets
* @returns {string}
*/
function encrypt(secrets) {
const salt = crypto.randomBytes(AES_SALT_BYTES);
const iv = crypto.randomBytes(AES_IV_BYTES);
// construct key
const key = crypto.pbkdf2Sync(masterKey(), salt, PBKDF2_ROUNDS, PBKDF2_KEYLEN, PBKDF2_DIGEST);
const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
const cipherText = Buffer.concat([cipher.update(secrets, "utf8"), cipher.final()]);
const authTag = cipher.getAuthTag();
const combinedData = Buffer.concat([cipherText, authTag]);
return `${ENCODING_PREFIX}${salt.toString("base64")}-${iv.toString("base64")}-${combinedData.toString("base64")}`;
}
/**
* Encrypt contents to a file
* @param {string} encryptedFile
* @param {string} secrets
*/
function encryptToFile(encryptedFile, secrets) {
writeFileContents(encryptedFile, encrypt(secrets), "encrypted");
}
/**
* Encrypt a file. Overwrites the unencrypted file if the encryptedFile is not supplied.
* @param {string} unencryptedFile
* @param {string} [encryptedFile]
*/
function encryptFile(unencryptedFile, encryptedFile) {
encryptedFile = encryptedFile || unencryptedFile;
try {
const fileContents = readFileContents(unencryptedFile, "unencrypted");
const encryptedSecrets = encrypt(fileContents);
writeFileContents(encryptedFile, encryptedSecrets, "encrypted");
} catch (error) {
log(`Unable to encrypt ${unencryptedFile}`);
throw error;
}
log(`Encrypted ${unencryptedFile} to ${encryptedFile}`);
return encryptedFile;
}
/**
* Decrypt secrets
* @param {string} secrets
* @returns {string}
*/
function decrypt(secrets) {
secrets = secrets.substring(ENCODING_PREFIX.length);
// decode file contents
const parts = secrets.split("-");
const salt = Buffer.from(parts[0], ENCODING);
const iv = Buffer.from(parts[1], ENCODING);
const data = Buffer.from(parts[2], ENCODING);
const cipherText = data.slice(0, data.length - AES_AUTH_TAG_BYTES);
const authTag = data.slice(data.length - AES_AUTH_TAG_BYTES);
// construct key
const key = crypto.pbkdf2Sync(masterKey(), salt, PBKDF2_ROUNDS, PBKDF2_KEYLEN, PBKDF2_DIGEST);
// decrypt cipher text
const decipher = crypto.createDecipheriv(ALGORITHM, key, iv).setAuthTag(authTag);
const decrypted = decipher.update(cipherText, "binary", "utf8") + decipher.final("utf8");
return decrypted;
}
/**
* return decrypted file contents
* @param {string} encryptedFile
* @param {string} secrets
*/
function decryptFromFile(encryptedFile) {
return decrypt(readFileContents(encryptedFile, "decrypted"));
}
/**
* Decrypt a file. Overwrites the encrypted file if decryptedFile is not supplied.
* @param {string} encryptedFile
* @param {string} [decryptedFile]
*/
function decryptFile(encryptedFile, decryptedFile) {
decryptedFile = decryptedFile || encryptedFile;
try {
const secretsFileContents = readFileContents(encryptedFile, "encrypted");
const decryptedSecrets = decrypt(secretsFileContents);
writeFileContents(decryptedFile, decryptedSecrets, "decrypted");
} catch (error) {
log(`Unable to decrypt ${encryptedFile}`);
throw error;
}
log(`Decrypted ${encryptedFile} to ${decryptedFile}`);
return decryptedFile;
}
/**
* Parse encrypted .env file and return as Key-Value object
* @param {string} filePath
* @param {{populateEnv: boolean}} [options={ populateEnv: false }]
* @returns {object}}
*/
function decryptEnvFile(filePath, options = { populateEnv: false }) {
const data = dotenv.parse(decryptFromFile(path.resolve(filePath)));
if (options.populateEnv) {
process.env = { ...process.env, ...data };
}
return data;
}
/**
* Return parsed decrypted JSON file
* @param {string} filePath
* @param {{populateEnv: boolean}} [options={ populateEnv: false }]
* @returns {object}
*/
function decryptJSON(filePath, options = { populateEnv: false }) {
const data = JSON.parse(decryptFromFile(filePath));
if (options.populateEnv) {
process.env = { ...process.env, ...data };
}
return data;
}
/**
* Read the contents of a file
* @param {string} filePath
* @param {string} form encrypted | unencrypted
* @returns
*/
function readFileContents(filePath, form) {
filePath = path.resolve(filePath);
log(`Reading ${form} secrets = require(${filePath}`);
let fileContents = null;
try {
// eslint-disable-next-line security/detect-non-literal-fs-filename
fileContents = fs.readFileSync(filePath, { encoding: "utf-8" });
} catch (error) {
log(`Unable to read ${form} secrets = require(${filePath}`);
throw error;
}
return fileContents;
}
/**
* Write the contents to a file
* @param {string} filePath
* @param {string} fileContents
* @param {string} form encrypted | unencrypted
*/
function writeFileContents(filePath, fileContents, form) {
filePath = path.resolve(filePath);
log(`Writing ${form} secrets to ${filePath}`);
try {
// eslint-disable-next-line security/detect-non-literal-fs-filename
fs.writeFileSync(filePath, fileContents, { encoding: "utf-8" });
} catch (error) {
log(`Unable to write ${form} secrets = require(${filePath}`);
throw error;
}
}
module.exports = {
encrypt: encrypt,
encryptToFile: encryptToFile,
encryptFile: encryptFile,
decrypt: decrypt,
decryptFromFile: decryptFromFile,
decryptFile: decryptFile,
decryptEnvFile: decryptEnvFile,
decryptJSON: decryptJSON,
};