@dotenvx/dotenvx 0.4.0 → 0.5.0

package/README.md

@@ -158,7 +158,7 @@ $ dotenvx run --env-file=.env.local --env-file=.env -- node index.js
 ## Encrypt Your Env Files
 
 ```
-dotenvx encrypt
+$ dotenvx encrypt
 ```
 
 > This will encrypt your `.env` file to a `.env.vault` file. Commit your `.env.vault` file safely to code.

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.4.0",
+  "version": "0.5.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/dotenvx.js

@@ -2,7 +2,6 @@
 
 const fs = require('fs')
 const { Command } = require('commander')
-const dotenv = require('dotenv')
 const program = new Command()
 
 // constants
@@ -59,40 +58,97 @@ program.command('run')
     logger.debug('configuring options')
     logger.debug(options)
 
-    // convert to array if needed
-    let optionEnvFile = options.envFile
-    if (!Array.isArray(optionEnvFile)) {
-      optionEnvFile = [optionEnvFile]
-    }
+    // load from .env.vault file
+    if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+      const filepath = helpers.resolvePath('.env.vault')
+
+      if (!fs.existsSync(filepath)) {
+        logger.error(`you set DOTENV_KEY but your .env.vault file is missing: ${filepath}`)
+      } else {
+        logger.verbose(`injecting encrypted env from ${filepath}`)
+
+        try {
+          logger.debug(`reading encrypted env from ${filepath}`)
+          const src = fs.readFileSync(filepath, { encoding: ENCODING })
+
+          logger.debug(`parsing encrypted env from ${filepath}`)
+          const parsedVault = main.parse(src)
+
+          logger.debug(`decrypting encrypted env from ${filepath}`)
+          // handle scenario for comma separated keys - for use with key rotation
+          // example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
+          const dotenvKeys = process.env.DOTENV_KEY.split(',')
+          const length = dotenvKeys.length
+
+          let decrypted
+          for (let i = 0; i < length; i++) {
+            try {
+              // Get full dotenvKey
+              const dotenvKey = dotenvKeys[i].trim()
+
+              const key = helpers._parseEncryptionKeyFromDotenvKey(dotenvKey)
+              const ciphertext = helpers._parseCipherTextFromDotenvKeyAndParsedVault(dotenvKey, parsedVault)
+
+              // Decrypt
+              decrypted = main.decrypt(ciphertext, key)
+
+              break
+            } catch (error) {
+              // last key
+              if (i + 1 >= length) {
+                throw error
+              }
+              // try next key
+            }
+          }
+          logger.debug(decrypted)
+
+          logger.debug(`parsing decrypted env from ${filepath}`)
+          const parsed = main.parse(decrypted)
+
+          logger.debug(`writing decrypted env from ${filepath}`)
+          const result = main.write(process.env, parsed, options.overload)
+
+          logger.info(`injecting ${result.written.size} environment ${helpers.pluralize('variable', result.written.size)} from encrypted .env.vault`)
+        } catch (e) {
+          logger.error(e)
+        }
+      }
+    } else {
+      // convert to array if needed
+      let optionEnvFile = options.envFile
+      if (!Array.isArray(optionEnvFile)) {
+        optionEnvFile = [optionEnvFile]
+      }
 
-    const env = {}
-    const readableFilepaths = new Set()
-    const written = new Set()
+      const readableFilepaths = new Set()
+      const written = new Set()
 
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
+      for (const envFilepath of optionEnvFile) {
+        const filepath = helpers.resolvePath(envFilepath)
 
-      logger.verbose(`injecting env from ${filepath}`)
+        logger.verbose(`injecting env from ${filepath}`)
 
-      try {
-        logger.debug(`reading env from ${filepath}`)
-        const src = fs.readFileSync(filepath, { encoding: ENCODING })
+        try {
+          logger.debug(`reading env from ${filepath}`)
+          const src = fs.readFileSync(filepath, { encoding: ENCODING })
 
-        logger.debug(`parsing env from ${filepath}`)
-        const parsed = main.parse(src)
+          logger.debug(`parsing env from ${filepath}`)
+          const parsed = main.parse(src)
 
-        logger.debug(`writing env from ${filepath}`)
-        const result = main.write(process.env, parsed, options.overload)
+          logger.debug(`writing env from ${filepath}`)
+          const result = main.write(process.env, parsed, options.overload)
 
-        readableFilepaths.add(envFilepath)
-        result.written.forEach(key => written.add(key))
-      } catch (e) {
-        logger.warn(e)
+          readableFilepaths.add(envFilepath)
+          result.written.forEach(key => written.add(key))
+        } catch (e) {
+          logger.warn(e)
+        }
       }
-    }
 
-    if (readableFilepaths.size > 0) {
-      logger.info(`injecting ${written.size} environment ${helpers.pluralize('variable', written.size)} from ${[...readableFilepaths]}`)
+      if (readableFilepaths.size > 0) {
+        logger.info(`injecting ${written.size} environment ${helpers.pluralize('variable', written.size)} from ${[...readableFilepaths]}`)
+      }
     }
 
     // Extract command and arguments after '--'
@@ -103,7 +159,7 @@ program.command('run')
     } else {
       const subCommand = process.argv.slice(commandIndex + 1)
 
-      helpers.executeCommand(subCommand, env)
+      helpers.executeCommand(subCommand, process.env)
     }
   })
 
@@ -124,7 +180,7 @@ program.command('encrypt')
     try {
       logger.verbose(`generating .env.keys from ${optionEnvFile}`)
 
-      const dotenvKeys = (dotenv.configDotenv({ path: '.env.keys' }).parsed || {})
+      const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
 
       for (const envFilepath of optionEnvFile) {
         const filepath = helpers.resolvePath(envFilepath)
@@ -169,8 +225,8 @@ program.command('encrypt')
     try {
       logger.verbose(`generating .env.vault from ${optionEnvFile}`)
 
-      const dotenvKeys = (dotenv.configDotenv({ path: '.env.keys' }).parsed || {})
-      const dotenvVaults = (dotenv.configDotenv({ path: '.env.vault' }).parsed || {})
+      const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
+      const dotenvVaults = (main.configDotenv({ path: '.env.vault' }).parsed || {})
 
       for (const envFilepath of optionEnvFile) {
         const filepath = helpers.resolvePath(envFilepath)
@@ -211,8 +267,6 @@ program.command('encrypt')
     }
 
     logger.info(`encrypted ${optionEnvFile} to .env.vault`)
-
-    // logger.info(`encrypting`)
   })
 
 program.parse(process.argv)

package/src/cli/helpers.js

@@ -4,6 +4,7 @@ const crypto = require('crypto')
 const { spawn } = require('child_process')
 const xxhash = require('xxhashjs')
 const XXHASH_SEED = 0xABCD
+const NONCE_BYTES = 12
 
 const main = require('./../lib/main')
 
@@ -69,17 +70,17 @@ const generateDotenvKey = function (environment) {
 }
 
 const encryptFile = function (filepath, dotenvKey, encoding) {
-  const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
   const message = fs.readFileSync(filepath, encoding)
 
-  const ciphertext = this.encrypt(key, message)
+  const ciphertext = encrypt(key, message)
 
   return ciphertext
 }
 
 const encrypt = function (key, message) {
   // set up nonce
-  const nonce = this._generateNonce()
+  const nonce = crypto.randomBytes(NONCE_BYTES)
 
   // set up cipher
   const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
@@ -98,11 +99,11 @@ const encrypt = function (key, message) {
 }
 
 const changed = function (ciphertext, dotenvKey, filepath, encoding) {
-  const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
   const decrypted = main.decrypt(ciphertext, key)
   const raw = fs.readFileSync(filepath, encoding)
 
-  return this.hash(decrypted) !== this.hash(raw)
+  return hash(decrypted) !== hash(raw)
 }
 
 const hash = function (str) {
@@ -111,7 +112,12 @@ const hash = function (str) {
 
 const _parseEncryptionKeyFromDotenvKey = function (dotenvKey) {
   // Parse DOTENV_KEY. Format is a URI
-  const uri = new URL(dotenvKey)
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
 
   // Get decrypt key
   const key = uri.password
@@ -122,12 +128,29 @@ const _parseEncryptionKeyFromDotenvKey = function (dotenvKey) {
   return Buffer.from(key.slice(-64), 'hex')
 }
 
-const _generateNonce = function () {
-  return crypto.randomBytes(this._nonceBytes())
-}
+const _parseCipherTextFromDotenvKeyAndParsedVault = function (dotenvKey, parsedVault) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
 
-const _nonceBytes = function () {
-  return 12
+  // Get environment
+  const environment = uri.searchParams.get('environment')
+  if (!environment) {
+    throw new Error('INVALID_DOTENV_KEY: Missing environment part')
+  }
+
+  // Get ciphertext payload
+  const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
+  const ciphertext = parsedVault[environmentKey] // DOTENV_VAULT_PRODUCTION
+  if (!ciphertext) {
+    throw new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: cannot locate environment ${environmentKey} in your .env.vault file`)
+  }
+
+  return ciphertext
 }
 
 module.exports = {
@@ -142,6 +165,5 @@ module.exports = {
   changed,
   hash,
   _parseEncryptionKeyFromDotenvKey,
-  _generateNonce,
-  _nonceBytes
+  _parseCipherTextFromDotenvKeyAndParsedVault
 }

package/src/lib/main.js

@@ -9,6 +9,10 @@ const decrypt = function (encrypted, keyStr) {
   return dotenv.decrypt(encrypted, keyStr)
 }
 
+const configDotenv = function (options) {
+  return dotenv.configDotenv(options)
+}
+
 const parse = function (src) {
   const result = dotenv.parse(src)
 
@@ -57,6 +61,7 @@ const write = function (processEnv = {}, parsed = {}, overload = false) {
 
 module.exports = {
   config,
+  configDotenv,
   decrypt,
   parse,
   write