secrets.js
const crypto = require("crypto");
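// PBKDF2 work factor. An environment override arrives as a string, and
// crypto.pbkdf2Sync() rejects a non-number `iterations` argument, so it is
// parsed here. An unset/empty variable keeps the default; a non-numeric value
// yields NaN and is rejected by pbkdf2Sync at the first encrypt/decrypt call.
const PBKDF2_ROUNDS = process.env.GITOPS_SECRETS_PBKDF2_ROUNDS
  ? Number.parseInt(process.env.GITOPS_SECRETS_PBKDF2_ROUNDS, 10)
  : 1000000;
const PBKDF2_KEYLEN = 32; // 256-bit key, as required by aes-256-gcm
const PBKDF2_DIGEST = "sha256";
const ALGORITHM = "aes-256-gcm";
const AES_AUTH_TAG_BYTES = 16; // GCM tag length; encrypt() appends it to the ciphertext
const AES_IV_BYTES = 12; // 96-bit nonce, the IV size recommended for GCM
// PBKDF2 salt length. NIST SP 800-132 recommends at least 128 bits. Each
// payload carries its own salt in the header, so decrypt() still accepts
// payloads written with the earlier 8-byte salt.
const AES_SALT_BYTES = 16;
const ENCODING = "base64"; // wire encoding of the salt, IV and data sections
const TEXT_ENCODING = "utf8"; // encoding of the JSON plaintext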
/**
 * Read the master passphrase that PBKDF2 stretches into the AES key.
 * @returns {string} the value of `GITOPS_SECRETS_MASTER_KEY`
 * @throws {Error} when the variable is unset, empty, or shorter than 16 characters
 */
function masterKey() {
  const { GITOPS_SECRETS_MASTER_KEY: passphrase } = process.env;
  // `length` counts UTF-16 code units: a coarse minimum, not an entropy measure.
  const tooShort = passphrase == null || passphrase.length < 16;
  if (tooShort) {
    throw new Error(`The 'GITOPS_SECRETS_MASTER_KEY' environment variable must be set to a string of 16 characters or more`);
  }
  return passphrase;
}
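/**
 * Encrypt a secrets object into a single-line, colon-separated payload.
 *
 * Layout: `base64:<rounds>:<salt>:<iv>:<ciphertext||tag>`, where the last
 * three sections are base64. A fresh random salt and IV are drawn on every
 * call, so encrypting the same object twice produces different payloads.
 * @param {Record<string, any>} secrets - any JSON-serialisable value
 * @returns {string} the encrypted payload accepted by decrypt()
 * @throws {Error} when the master key is missing or too short (see masterKey())
 */
function encrypt(secrets) {
  // PBKDF2_ROUNDS may come from the environment as a string; pbkdf2Sync needs a number.
  const rounds = Number(PBKDF2_ROUNDS);
  const salt = crypto.randomBytes(AES_SALT_BYTES);
  const iv = crypto.randomBytes(AES_IV_BYTES);
  const key = crypto.pbkdf2Sync(masterKey(), salt, rounds, PBKDF2_KEYLEN, PBKDF2_DIGEST);
  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
  const plaintext = Buffer.from(JSON.stringify(secrets), TEXT_ENCODING);
  const cipherText = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  // The GCM tag is only available after final(); decrypt() splits it off the tail again.
  const authTag = cipher.getAuthTag();
  const combinedData = Buffer.concat([cipherText, authTag]);
  return [
    ENCODING,
    rounds,
    salt.toString(ENCODING),
    iv.toString(ENCODING),
    combinedData.toString(ENCODING),
  ].join(":");
}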
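/**
 * Decrypt a payload produced by encrypt() back into the original object.
 *
 * Expected layout: `base64:<rounds>:<salt>:<iv>:<ciphertext||tag>`. The
 * rounds/salt/iv header is not covered by the GCM tag (no AAD is used), so a
 * modified header derives a different key and is rejected by the tag check,
 * but only after the PBKDF2 work for that header has been spent.
 * @param {string} secrets - the encrypted payload
 * @returns {Record<string, any>} the decrypted, JSON-parsed secrets
 * @throws {Error} when the payload is malformed, the master key is wrong, or
 *   the ciphertext/tag fails authentication
 */
function decrypt(secrets) {
  const prefix = `${ENCODING}:`;
  // Check the prefix instead of blindly dropping the first characters.
  if (typeof secrets !== "string" || !secrets.startsWith(prefix)) {
    throw new Error(`Encrypted payload invalid. Expected it to start with '${prefix}'`);
  }
  // Decode file contents
  const parts = secrets.substring(prefix.length).split(":");
  if (parts.length !== 4) {
    throw new Error(`Encrypted payload invalid. Expected 4 sections but got ${parts.length}`);
  }
  const [roundsText, saltText, ivText, dataText] = parts;
  // The rounds count is read from the (unauthenticated) payload; reject anything
  // pbkdf2Sync would not accept before doing any work with it.
  const rounds = Number.parseInt(roundsText, 10);
  if (!Number.isSafeInteger(rounds) || rounds < 1) {
    throw new Error(`Encrypted payload invalid. PBKDF2 rounds must be a positive integer, got '${roundsText}'`);
  }
  const salt = Buffer.from(saltText, ENCODING);
  const iv = Buffer.from(ivText, ENCODING);
  const data = Buffer.from(dataText, ENCODING);
  if (data.length < AES_AUTH_TAG_BYTES) {
    throw new Error(`Encrypted payload invalid. Data section is shorter than the ${AES_AUTH_TAG_BYTES}-byte auth tag`);
  }
  // encrypt() appends the tag after the ciphertext, so it is the last AES_AUTH_TAG_BYTES.
  const cipherText = data.subarray(0, data.length - AES_AUTH_TAG_BYTES);
  const authTag = data.subarray(data.length - AES_AUTH_TAG_BYTES);
  // construct key
  const key = crypto.pbkdf2Sync(masterKey(), salt, rounds, PBKDF2_KEYLEN, PBKDF2_DIGEST);
  // decrypt cipher text; final() throws when the tag does not verify
  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
  decipher.setAuthTag(authTag);
  const decrypted = Buffer.concat([decipher.update(cipherText), decipher.final()]).toString(TEXT_ENCODING);
  return JSON.parse(decrypted);
}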
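/**
 * Copy every key of `payload` into process.env.
 *
 * Assigns onto the live process.env instead of replacing it with a plain
 * object: the real process.env coerces assigned values to strings, and a
 * spread copy would silently drop that behaviour for every later assignment
 * in the process while leaving non-string JSON values (numbers, objects) in
 * the environment.
 * @param {Record<string, any>} payload - secrets to expose as environment variables
 * @returns {Record<string, any>} the same payload, for chaining
 */
function populateEnv(payload) {
  Object.assign(process.env, payload);
  return payload;
}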
/**
 * Decrypt a payload and attach a `populateEnv()` helper to the returned copy.
 * The helper property sits beside the secret keys, so a secret literally named
 * `populateEnv` is shadowed on the returned object; the helper itself still
 * merges the untouched payload into process.env.
 * @param {string} cipherText - the encrypted payload accepted by decrypt()
 * @returns {Record<string, any>} the secrets plus a `populateEnv` function
 */
function loadSecretsFromCipher(cipherText) {
  const payload = decrypt(cipherText);
  const withHelper = { ...payload };
  withHelper.populateEnv = () => populateEnv(payload);
  return withHelper;
}
// Public surface of the module (CommonJS).
module.exports = {
  encrypt,
  decrypt,
  populateEnv,
  loadSecretsFromCipher,
};