@dotenvx/dotenvx 0.3.9 → 0.5.0

package/README.md

@@ -157,7 +157,12 @@ $ dotenvx run --env-file=.env.local --env-file=.env -- node index.js
 
 ## Encrypt Your Env Files
 
-WIP
+```
+$ dotenvx encrypt
+```
+
+> This will encrypt your `.env` file to a `.env.vault` file. Commit your `.env.vault` file safely to code.
+> This will also generate a `.env.keys` file. Do NOT commit this file to code. Keep your `.env.keys` secret. 🤫
 
  
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.3.9",
+  "version": "0.5.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -26,7 +26,8 @@
   "dependencies": {
     "commander": "^11.1.0",
     "dotenv": "^16.3.1",
-    "winston": "^3.11.0"
+    "winston": "^3.11.0",
+    "xxhashjs": "^0.2.2"
   },
   "devDependencies": {
     "jest": "^29.7.0",

package/src/cli/dotenvx.js

@@ -23,7 +23,7 @@ program
 
     if (options.logLevel) {
       logger.level = options.logLevel
-      logger.debug(`Setting log level to ${options.logLevel}`)
+      logger.debug(`setting log level to ${options.logLevel}`)
     }
 
     // --quiet overides --log-level. only errors will be shown
@@ -48,63 +48,225 @@ program
   .description(packageJson.description)
   .version(packageJson.version)
 
+// dotenvx run -- node index.js
 program.command('run')
   .description('inject env variables into your application process')
-  .option('-f, --env-file <paths...>', 'path to your env file', '.env')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', '.env')
   .option('-o, --overload', 'override existing env variables')
   .action(function () {
-    // injecting 1 environment variable from ${options.envFile}
     const options = this.opts()
-    logger.debug('Configuring options')
+    logger.debug('configuring options')
     logger.debug(options)
 
-    // convert to array if needed
-    let optionEnvFile = options.envFile
-    if (!Array.isArray(optionEnvFile)) {
-      optionEnvFile = [optionEnvFile]
-    }
+    // load from .env.vault file
+    if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+      const filepath = helpers.resolvePath('.env.vault')
+
+      if (!fs.existsSync(filepath)) {
+        logger.error(`you set DOTENV_KEY but your .env.vault file is missing: ${filepath}`)
+      } else {
+        logger.verbose(`injecting encrypted env from ${filepath}`)
+
+        try {
+          logger.debug(`reading encrypted env from ${filepath}`)
+          const src = fs.readFileSync(filepath, { encoding: ENCODING })
+
+          logger.debug(`parsing encrypted env from ${filepath}`)
+          const parsedVault = main.parse(src)
+
+          logger.debug(`decrypting encrypted env from ${filepath}`)
+          // handle scenario for comma separated keys - for use with key rotation
+          // example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
+          const dotenvKeys = process.env.DOTENV_KEY.split(',')
+          const length = dotenvKeys.length
 
-    const env = {}
-    const readableFilepaths = new Set()
-    const populated = new Set()
+          let decrypted
+          for (let i = 0; i < length; i++) {
+            try {
+              // Get full dotenvKey
+              const dotenvKey = dotenvKeys[i].trim()
 
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
+              const key = helpers._parseEncryptionKeyFromDotenvKey(dotenvKey)
+              const ciphertext = helpers._parseCipherTextFromDotenvKeyAndParsedVault(dotenvKey, parsedVault)
 
-      logger.verbose(`Loading env from ${filepath}`)
+              // Decrypt
+              decrypted = main.decrypt(ciphertext, key)
 
-      try {
-        logger.debug(`Reading env from ${filepath}`)
-        const src = fs.readFileSync(filepath, { encoding: ENCODING })
+              break
+            } catch (error) {
+              // last key
+              if (i + 1 >= length) {
+                throw error
+              }
+              // try next key
+            }
+          }
+          logger.debug(decrypted)
 
-        logger.debug(`Parsing env from ${filepath}`)
-        const parsed = main.parse(src)
+          logger.debug(`parsing decrypted env from ${filepath}`)
+          const parsed = main.parse(decrypted)
 
-        logger.debug(`Populating env from ${filepath}`)
-        const result = main.populate(process.env, parsed, options.overload)
+          logger.debug(`writing decrypted env from ${filepath}`)
+          const result = main.write(process.env, parsed, options.overload)
 
-        readableFilepaths.add(envFilepath)
-        result.populated.forEach(key => populated.add(key))
-      } catch (e) {
-        logger.warn(e)
+          logger.info(`injecting ${result.written.size} environment ${helpers.pluralize('variable', result.written.size)} from encrypted .env.vault`)
+        } catch (e) {
+          logger.error(e)
+        }
       }
-    }
+    } else {
+      // convert to array if needed
+      let optionEnvFile = options.envFile
+      if (!Array.isArray(optionEnvFile)) {
+        optionEnvFile = [optionEnvFile]
+      }
+
+      const readableFilepaths = new Set()
+      const written = new Set()
+
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
+
+        logger.verbose(`injecting env from ${filepath}`)
+
+        try {
+          logger.debug(`reading env from ${filepath}`)
+          const src = fs.readFileSync(filepath, { encoding: ENCODING })
 
-    if (readableFilepaths.size > 0) {
-      logger.info(`Injecting ${populated.size} environment variables from ${[...readableFilepaths]}`)
+          logger.debug(`parsing env from ${filepath}`)
+          const parsed = main.parse(src)
+
+          logger.debug(`writing env from ${filepath}`)
+          const result = main.write(process.env, parsed, options.overload)
+
+          readableFilepaths.add(envFilepath)
+          result.written.forEach(key => written.add(key))
+        } catch (e) {
+          logger.warn(e)
+        }
+      }
+
+      if (readableFilepaths.size > 0) {
+        logger.info(`injecting ${written.size} environment ${helpers.pluralize('variable', written.size)} from ${[...readableFilepaths]}`)
+      }
     }
 
     // Extract command and arguments after '--'
     const commandIndex = process.argv.indexOf('--')
     if (commandIndex === -1 || commandIndex === process.argv.length - 1) {
-      logger.error('At least one argument is required after the run command, received 0.')
-      logger.error('Exiting')
+      logger.error('at least one argument is required after the run command, received 0.')
       process.exit(1)
     } else {
       const subCommand = process.argv.slice(commandIndex + 1)
 
-      helpers.executeCommand(subCommand, env)
+      helpers.executeCommand(subCommand, process.env)
+    }
+  })
+
+// dotenvx encrypt
+program.command('encrypt')
+  .description('encrypt .env.* to .env.vault')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', helpers.findEnvFiles('./'))
+  .action(function () {
+    const options = this.opts()
+    logger.debug('configuring options')
+    logger.debug(options)
+
+    let optionEnvFile = options.envFile
+    if (!Array.isArray(optionEnvFile)) {
+      optionEnvFile = [optionEnvFile]
+    }
+
+    try {
+      logger.verbose(`generating .env.keys from ${optionEnvFile}`)
+
+      const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
+
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
+        if (!fs.existsSync(filepath)) {
+          throw new Error(`file does not exist: ${filepath}`)
+        }
+
+        const environment = helpers.guessEnvironment(filepath)
+        const key = `DOTENV_KEY_${environment.toUpperCase()}`
+
+        let value = dotenvKeys[key]
+
+        // first time seeing new DOTENV_KEY_${environment}
+        if (!value || value.length === 0) {
+          logger.verbose(`generating ${key}`)
+          value = helpers.generateDotenvKey(environment)
+          logger.debug(`generating ${key} as ${value}`)
+
+          dotenvKeys[key] = value
+        } else {
+          logger.verbose(`existing ${key}`)
+          logger.debug(`existing ${key} as ${value}`)
+        }
+      }
+
+      let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
+  #/   DOTENV_KEYs. DO NOT commit to source control   /
+  #/   [how it works](https://dotenv.org/env-keys)    /
+  #/--------------------------------------------------/\n`
+
+      for (const key in dotenvKeys) {
+        const value = dotenvKeys[key]
+        keysData += `${key}="${value}"\n`
+      }
+
+      fs.writeFileSync('.env.keys', keysData)
+    } catch (e) {
+      logger.error(e)
+      process.exit(1)
     }
+
+    try {
+      logger.verbose(`generating .env.vault from ${optionEnvFile}`)
+
+      const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
+      const dotenvVaults = (main.configDotenv({ path: '.env.vault' }).parsed || {})
+
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
+        const environment = helpers.guessEnvironment(filepath)
+        const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
+
+        let ciphertext = dotenvVaults[vault]
+        const dotenvKey = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
+
+        if (!ciphertext || ciphertext.length === 0 || helpers.changed(ciphertext, dotenvKey, filepath, ENCODING)) {
+          logger.verbose(`encrypting ${vault}`)
+          ciphertext = helpers.encryptFile(filepath, dotenvKey, ENCODING)
+          logger.verbose(`encrypting ${vault} as ${ciphertext}`)
+
+          dotenvVaults[vault] = ciphertext
+        } else {
+          logger.verbose(`existing ${vault}`)
+          logger.debug(`existing ${vault} as ${ciphertext}`)
+        }
+      }
+
+      let vaultData = `#/-------------------.env.vault---------------------/
+#/         cloud-agnostic vaulting standard         /
+#/   [how it works](https://dotenv.org/env-vault)   /
+#/--------------------------------------------------/\n\n`
+
+      for (const vault in dotenvVaults) {
+        const value = dotenvVaults[vault]
+        const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
+        vaultData += `# ${environment}\n`
+        vaultData += `${vault}="${value}"\n\n`
+      }
+
+      fs.writeFileSync('.env.vault', vaultData)
+    } catch (e) {
+      logger.error(e)
+      process.exit(1)
+    }
+
+    logger.info(`encrypted ${optionEnvFile} to .env.vault`)
   })
 
 program.parse(process.argv)

package/src/cli/helpers.js

@@ -1,5 +1,14 @@
+const fs = require('fs')
 const path = require('path')
+const crypto = require('crypto')
 const { spawn } = require('child_process')
+const xxhash = require('xxhashjs')
+const XXHASH_SEED = 0xABCD
+const NONCE_BYTES = 12
+
+const main = require('./../lib/main')
+
+const RESERVED_ENV_FILES = ['.env.vault', '.env.projects', '.env.keys', '.env.me', '.env.x']
 
 // resolve path based on current running process location
 const resolvePath = function (filepath) {
@@ -22,7 +31,139 @@ const executeCommand = function (subCommand, env) {
   })
 }
 
+const pluralize = function (word, count) {
+  // simple pluralization: add 's' at the end
+  if (count === 0 || count > 1) {
+    return word + 's'
+  } else {
+    return word
+  }
+}
+
+const findEnvFiles = function (directory) {
+  const files = fs.readdirSync(directory)
+
+  const envFiles = files.filter(file =>
+    file.startsWith('.env') &&
+    !file.endsWith('.previous') &&
+    !RESERVED_ENV_FILES.includes(file)
+  )
+
+  return envFiles
+}
+
+const guessEnvironment = function (file) {
+  const splitFile = file.split('.')
+  const possibleEnvironment = splitFile[2] // ['', 'env', environment']
+
+  if (!possibleEnvironment || possibleEnvironment.length === 0) {
+    return 'development'
+  }
+
+  return possibleEnvironment
+}
+
+const generateDotenvKey = function (environment) {
+  const rand = crypto.randomBytes(32).toString('hex')
+
+  return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
+}
+
+const encryptFile = function (filepath, dotenvKey, encoding) {
+  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const message = fs.readFileSync(filepath, encoding)
+
+  const ciphertext = encrypt(key, message)
+
+  return ciphertext
+}
+
+const encrypt = function (key, message) {
+  // set up nonce
+  const nonce = crypto.randomBytes(NONCE_BYTES)
+
+  // set up cipher
+  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
+
+  // generate ciphertext
+  let ciphertext = ''
+  ciphertext += cipher.update(message, 'utf8', 'hex')
+  ciphertext += cipher.final('hex')
+  ciphertext += cipher.getAuthTag().toString('hex')
+
+  // prepend nonce
+  ciphertext = nonce.toString('hex') + ciphertext
+
+  // base64 encode output
+  return Buffer.from(ciphertext, 'hex').toString('base64')
+}
+
+const changed = function (ciphertext, dotenvKey, filepath, encoding) {
+  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const decrypted = main.decrypt(ciphertext, key)
+  const raw = fs.readFileSync(filepath, encoding)
+
+  return hash(decrypted) !== hash(raw)
+}
+
+const hash = function (str) {
+  return xxhash.h32(str, XXHASH_SEED).toString(16)
+}
+
+const _parseEncryptionKeyFromDotenvKey = function (dotenvKey) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
+
+  // Get decrypt key
+  const key = uri.password
+  if (!key) {
+    throw new Error('INVALID_DOTENV_KEY: Missing key part')
+  }
+
+  return Buffer.from(key.slice(-64), 'hex')
+}
+
+const _parseCipherTextFromDotenvKeyAndParsedVault = function (dotenvKey, parsedVault) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
+
+  // Get environment
+  const environment = uri.searchParams.get('environment')
+  if (!environment) {
+    throw new Error('INVALID_DOTENV_KEY: Missing environment part')
+  }
+
+  // Get ciphertext payload
+  const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
+  const ciphertext = parsedVault[environmentKey] // DOTENV_VAULT_PRODUCTION
+  if (!ciphertext) {
+    throw new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: cannot locate environment ${environmentKey} in your .env.vault file`)
+  }
+
+  return ciphertext
+}
+
 module.exports = {
   resolvePath,
-  executeCommand
+  executeCommand,
+  pluralize,
+  findEnvFiles,
+  guessEnvironment,
+  generateDotenvKey,
+  encryptFile,
+  encrypt,
+  changed,
+  hash,
+  _parseEncryptionKeyFromDotenvKey,
+  _parseCipherTextFromDotenvKeyAndParsedVault
 }

package/src/lib/main.js

@@ -5,6 +5,14 @@ const config = function (options) {
   return dotenv.config(options)
 }
 
+const decrypt = function (encrypted, keyStr) {
+  return dotenv.decrypt(encrypted, keyStr)
+}
+
+const configDotenv = function (options) {
+  return dotenv.configDotenv(options)
+}
+
 const parse = function (src) {
   const result = dotenv.parse(src)
 
@@ -13,12 +21,12 @@ const parse = function (src) {
   return result
 }
 
-const populate = function (processEnv = {}, parsed = {}, overload = false) {
+const write = function (processEnv = {}, parsed = {}, overload = false) {
   if (typeof parsed !== 'object') {
-    throw new Error('OBJECT_REQUIRED: Please check the parsed argument being passed to populate')
+    throw new Error('OBJECT_REQUIRED: Please check the parsed argument being passed to write')
   }
 
-  const populated = new Set()
+  const written = new Set()
   const preExisting = new Set()
 
   // set processEnv
@@ -26,7 +34,7 @@ const populate = function (processEnv = {}, parsed = {}, overload = false) {
     if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
       if (overload === true) {
         processEnv[key] = parsed[key]
-        populated.add(key)
+        written.add(key)
 
         logger.verbose(`${key} set`)
         logger.debug(`${key} set to ${parsed[key]}`)
@@ -38,7 +46,7 @@ const populate = function (processEnv = {}, parsed = {}, overload = false) {
       }
     } else {
       processEnv[key] = parsed[key]
-      populated.add(key)
+      written.add(key)
 
       logger.verbose(`${key} set`)
       logger.debug(`${key} set to ${parsed[key]}`)
@@ -46,13 +54,15 @@ const populate = function (processEnv = {}, parsed = {}, overload = false) {
   }
 
   return {
-    populated,
+    written,
     preExisting
   }
 }
 
 module.exports = {
   config,
+  configDotenv,
+  decrypt,
   parse,
-  populate
+  write
 }

package/src/shared/logger.js

@@ -7,10 +7,14 @@ const transports = winston.transports
 
 const packageJson = require('./packageJson')
 
+function pad (word) {
+  return word.padEnd(9, ' ')
+}
+
 const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
   const formattedMessage = typeof message === 'object' ? JSON.stringify(message) : message
 
-  return `[dotenvx@${packageJson.version}][${level.toUpperCase()}] ${formattedMessage}`
+  return `[dotenvx@${packageJson.version}]${pad(`[${level.toUpperCase()}]`)} ${formattedMessage}`
 })
 
 const logger = createLogger({