@dotenvx/dotenvx 1.4.0 → 1.6.0

package/src/lib/helpers/smartDotenvPrivateKey.js

@@ -2,27 +2,85 @@ const fs = require('fs')
 const path = require('path')
 const dotenv = require('dotenv')
 
-const guessPrivateKeyName = require('./guessPrivateKeyName')
+const ENCODING = 'utf8'
+const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
+const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
 
-function smartDotenvPrivateKey (envFilepath) {
-  const privateKeyName = guessPrivateKeyName(envFilepath) // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+const guessPrivateKeyName = require('./guessPrivateKeyName')
 
-  // process.env wins
+function searchProcessEnv (privateKeyName) {
   if (process.env[privateKeyName] && process.env[privateKeyName].length > 0) {
     return process.env[privateKeyName]
   }
+}
 
-  // fallback to presence of .env.keys - path/to/.env.keys
+function searchKeysFile (privateKeyName, envFilepath) {
   const directory = path.dirname(envFilepath)
   const envKeysFilepath = path.resolve(directory, '.env.keys')
+
   if (fs.existsSync(envKeysFilepath)) {
-    const keysSrc = fs.readFileSync(envKeysFilepath)
+    const keysSrc = fs.readFileSync(envKeysFilepath, { encoding: ENCODING })
     const keysParsed = dotenv.parse(keysSrc)
 
     if (keysParsed[privateKeyName] && keysParsed[privateKeyName].length > 0) {
       return keysParsed[privateKeyName]
     }
   }
+}
+
+function invertForPrivateKeyName (envFilepath) {
+  if (!fs.existsSync(envFilepath)) {
+    return null
+  }
+
+  const envSrc = fs.readFileSync(envFilepath, { encoding: ENCODING })
+  const envParsed = dotenv.parse(envSrc)
+
+  let publicKeyName
+  for (const keyName of Object.keys(envParsed)) {
+    if (keyName === PUBLIC_KEY_SCHEMA || keyName.startsWith(PUBLIC_KEY_SCHEMA)) {
+      publicKeyName = keyName // find DOTENV_PUBLIC_KEY* in filename
+    }
+  }
+
+  if (publicKeyName) {
+    return publicKeyName.replace(PUBLIC_KEY_SCHEMA, PRIVATE_KEY_SCHEMA) // return inverted (DOTENV_PUBLIC_KEY* -> DOTENV_PRIVATE_KEY*) if found
+  }
+
+  return null
+}
+
+function smartDotenvPrivateKey (envFilepath) {
+  let privateKey = null
+  let privateKeyName = guessPrivateKeyName(envFilepath) // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+
+  // 1. attempt process.env first
+  privateKey = searchProcessEnv(privateKeyName)
+  if (privateKey) {
+    return privateKey
+  }
+
+  // 2. attempt .env.keys second (path/to/.env.keys)
+  privateKey = searchKeysFile(privateKeyName, envFilepath)
+  if (privateKey) {
+    return privateKey
+  }
+
+  // 3. attempt inverting `DOTENV_PUBLIC_KEY*` name inside file (unlocks custom filenames not matching .env.${ENVIRONMENT} pattern)
+  privateKeyName = invertForPrivateKeyName(envFilepath)
+  if (privateKeyName) {
+    // 3.1 attempt process.env first
+    privateKey = searchProcessEnv(privateKeyName)
+    if (privateKey) {
+      return privateKey
+    }
+
+    // 3.2. attempt .env.keys second (path/to/.env.keys)
+    privateKey = searchKeysFile(privateKeyName, envFilepath)
+    if (privateKey) {
+      return privateKey
+    }
+  }
 
   return null
 }

package/src/lib/main.js

@@ -10,6 +10,7 @@ const Run = require('./services/run')
 const Sets = require('./services/sets')
 const Status = require('./services/status')
 const Encrypt = require('./services/encrypt')
+const Decrypt = require('./services/decrypt')
 const Genexample = require('./services/genexample')
 const Settings = require('./services/settings')
 const VaultEncrypt = require('./services/vaultEncrypt')
@@ -162,11 +163,6 @@ const parse = function (src) {
   return dotenv.parse(src)
 }
 
-/** @type {import('./main').vaultEncrypt} */
-const vaultEncrypt = function (directory, envFile) {
-  return new VaultEncrypt(directory, envFile).run()
-}
-
 /** @type {import('./main').ls} */
 const ls = function (directory, envFile) {
   return new Ls(directory, envFile).run()
@@ -198,6 +194,11 @@ const encrypt = function (envFile, key) {
   return new Encrypt(envFile, key).run()
 }
 
+/** @type {import('./main').encrypt} */
+const decrypt = function (envFile, key) {
+  return new Decrypt(envFile, key).run()
+}
+
 /** @type {import('./main').status} */
 const status = function (directory) {
   return new Status(directory).run()
@@ -211,8 +212,8 @@ const settings = function (key = null) {
 
 // misc/cleanup
 
-/** @type {import('./main').decrypt} */
-const decrypt = function (encrypted, keyStr) {
+/** @type {import('./main').vaultDecrypt} */
+const vaultDecrypt = function (encrypted, keyStr) {
   try {
     return dotenv.decrypt(encrypted, keyStr)
   } catch (e) {
@@ -236,6 +237,11 @@ const decrypt = function (encrypted, keyStr) {
   }
 }
 
+/** @type {import('./main').vaultEncrypt} */
+const vaultEncrypt = function (directory, envFile) {
+  return new VaultEncrypt(directory, envFile).run()
+}
+
 module.exports = {
   // dotenv proxies
   config,
@@ -243,7 +249,7 @@ module.exports = {
   parse,
   // actions related
   encrypt,
-  vaultEncrypt,
+  decrypt,
   ls,
   get,
   set,
@@ -252,5 +258,6 @@ module.exports = {
   // settings
   settings,
   // misc/cleanup
-  decrypt
+  vaultEncrypt,
+  vaultDecrypt
 }

package/src/lib/services/decrypt.js

@@ -2,124 +2,105 @@ const fs = require('fs')
 const path = require('path')
 const dotenv = require('dotenv')
 
-const ENCODING = 'utf8'
+const smartDotenvPrivateKey = require('./../helpers/smartDotenvPrivateKey')
+const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
+const decryptValue = require('./../helpers/decryptValue')
+const isEncrypted = require('./../helpers/isEncrypted')
+const replace = require('./../helpers/replace')
 
-const libDecrypt = require('./../../lib/helpers/decrypt')
+const ENCODING = 'utf8'
 
 class Decrypt {
-  constructor (directory = '.', environment) {
-    this.directory = directory
-    this.environment = environment
-
-    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
-    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
-
-    this.processedEnvs = []
-    this.changedFilenames = new Set()
-    this.unchangedFilenames = new Set()
+  constructor (envFile = '.env', key = []) {
+    this.envFile = envFile
+    this.key = key
+    this.processedEnvFiles = []
+    this.changedFilepaths = new Set()
+    this.unchangedFilepaths = new Set()
   }
 
   run () {
-    if (!fs.existsSync(this.envVaultFilepath)) {
-      const code = 'MISSING_ENV_VAULT_FILE'
-      const message = `missing .env.vault (${this.envVaultFilepath})`
-      const help = `? generate one with [dotenvx encrypt ${this.directory}]`
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    if (!fs.existsSync(this.envKeysFilepath)) {
-      const code = 'MISSING_ENV_KEYS_FILE'
-      const message = `missing .env.keys (${this.envKeysFilepath})`
-      const help = '? a .env.keys file must be present in order to decrypt your .env.vault contents to .env file(s)'
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    const dotenvKeys = dotenv.configDotenv({ path: this.envKeysFilepath }).parsed
-    const dotenvVault = dotenv.configDotenv({ path: this.envVaultFilepath }).parsed
-    const environments = this._environments()
-
-    if (environments.length > 0) {
-      // iterate over the environments
-      for (const environment of environments) {
-        const value = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
-        const row = this._processRow(value, dotenvVault, environment)
-
-        this.processedEnvs.push(row)
+    const envFilepaths = this._envFilepaths()
+    const keys = this._keys()
+    for (const envFilepath of envFilepaths) {
+      const filepath = path.resolve(envFilepath)
+
+      const row = {}
+      row.keys = []
+      row.filepath = filepath
+      row.envFilepath = envFilepath
+
+      try {
+        // get the src
+        let src = fs.readFileSync(filepath, { encoding: ENCODING })
+
+        // if DOTENV_PRIVATE_KEY_* already set in process.env then use it
+        const privateKey = smartDotenvPrivateKey(envFilepath)
+        row.privateKey = privateKey
+        row.privateKeyName = guessPrivateKeyName(filepath)
+
+        // track possible changes
+        row.changed = false
+
+        // iterate over all non-encrypted values and encrypt them
+        const parsed = dotenv.parse(src)
+        for (const [key, value] of Object.entries(parsed)) {
+          if (keys.length < 1 || keys.includes(key)) { // optionally control which key to decrypt
+            const encrypted = isEncrypted(key, value)
+            if (encrypted) {
+              row.keys.push(key) // track key(s)
+
+              const plainValue = decryptValue(value, privateKey)
+              // once newSrc is built write it out
+              src = replace(src, key, plainValue)
+
+              row.changed = true // track change
+            }
+          }
+        }
+
+        if (row.changed) {
+          row.envSrc = src
+          this.changedFilepaths.add(envFilepath)
+        } else {
+          row.envSrc = src
+          this.unchangedFilepaths.add(envFilepath)
+        }
+      } catch (e) {
+        if (e.code === 'ENOENT') {
+          const error = new Error(`missing ${envFilepath} file (${filepath})`)
+          error.code = 'MISSING_ENV_FILE'
+
+          row.error = error
+        } else {
+          row.error = e
+        }
       }
-    } else {
-      for (const [dotenvKey, value] of Object.entries(dotenvKeys)) {
-        const environment = dotenvKey.replace('DOTENV_KEY_', '').toLowerCase()
-        const row = this._processRow(value, dotenvVault, environment)
 
-        this.processedEnvs.push(row)
-      }
+      this.processedEnvFiles.push(row)
     }
 
     return {
-      processedEnvs: this.processedEnvs,
-      changedFilenames: [...this.changedFilenames],
-      unchangedFilenames: [...this.unchangedFilenames]
+      processedEnvFiles: this.processedEnvFiles,
+      changedFilepaths: [...this.changedFilepaths],
+      unchangedFilepaths: [...this.unchangedFilepaths]
     }
   }
 
-  _processRow (value, dotenvVault, environment) {
-    environment = environment.toLowerCase() // important so we don't later write .env.DEVELOPMENT for example
-    const vaultKey = `DOTENV_VAULT_${environment.toUpperCase()}`
-    const ciphertext = dotenvVault[vaultKey] // attempt to find ciphertext
-
-    const row = {}
-    row.environment = environment
-    row.dotenvKey = value ? value.trim() : value
-    row.ciphertext = ciphertext
-
-    if (ciphertext && ciphertext.length >= 1) {
-      // Decrypt
-      const decrypted = libDecrypt(ciphertext, value.trim())
-      row.decrypted = decrypted
-
-      // envFilename
-      // replace _ with . to support filenames like .env.development.local
-      let envFilename = `.env.${environment.replace('_', '.')}`
-      if (environment === 'development') {
-        envFilename = '.env'
-      }
-      row.filename = envFilename
-      row.filepath = path.resolve(this.directory, envFilename)
-
-      // check if exists and is changing
-      if (fs.existsSync(row.filepath) && (fs.readFileSync(row.filepath, { encoding: ENCODING }).toString() === decrypted)) {
-        this.unchangedFilenames.add(envFilename)
-      } else {
-        row.shouldWrite = true
-        this.changedFilenames.add(envFilename)
-      }
-    } else {
-      const message = `${vaultKey} missing in .env.vault: ${this.envVaultFilepath}`
-      const warning = new Error(message)
-      row.warning = warning
+  _envFilepaths () {
+    if (!Array.isArray(this.envFile)) {
+      return [this.envFile]
     }
 
-    return row
+    return this.envFile
   }
 
-  _environments () {
-    if (this.environment === undefined) {
-      return []
-    }
-
-    if (!Array.isArray(this.environment)) {
-      return [this.environment]
+  _keys () {
+    if (!Array.isArray(this.key)) {
+      return [this.key]
     }
 
-    return this.environment
+    return this.key
   }
 }
 

package/src/lib/services/encrypt.js

@@ -6,6 +6,7 @@ const findOrCreatePublicKey = require('./../helpers/findOrCreatePublicKey')
 const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const encryptValue = require('./../helpers/encryptValue')
 const isEncrypted = require('./../helpers/isEncrypted')
+const isPublicKey = require('./../helpers/isPublicKey')
 const replace = require('./../helpers/replace')
 
 const ENCODING = 'utf8'
@@ -37,25 +38,29 @@ class Encrypt {
         const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
         const {
           envSrc,
+          keysSrc,
           publicKey,
           privateKey,
+          publicKeyAdded,
           privateKeyAdded
         } = findOrCreatePublicKey(filepath, envKeysFilepath)
+
+        // handle .env.keys write
+        fs.writeFileSync(envKeysFilepath, keysSrc)
+
+        src = envSrc // src was potentially modified by findOrCreatePublicKey so we set it again here
+
+        row.changed = publicKeyAdded // track change
         row.publicKey = publicKey
         row.privateKey = privateKey
-        row.privateKeyName = guessPrivateKeyName(filepath)
         row.privateKeyAdded = privateKeyAdded
-
-        src = envSrc // src was potentially changed by findOrCreatePublicKey so we set it again here
-
-        // track possible changes
-        row.changed = false
+        row.privateKeyName = guessPrivateKeyName(filepath)
 
         // iterate over all non-encrypted values and encrypt them
         const parsed = dotenv.parse(src)
         for (const [key, value] of Object.entries(parsed)) {
           if (keys.length < 1 || keys.includes(key)) { // optionally control which key to encrypt
-            const encrypted = isEncrypted(key, value)
+            const encrypted = isEncrypted(key, value) || isPublicKey(key, value)
             if (!encrypted) {
               row.keys.push(key) // track key(s)
 

package/src/lib/services/sets.js

@@ -43,14 +43,21 @@ class Sets {
           const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
           const {
             envSrc,
+            keysSrc,
             publicKey,
             privateKey,
+            publicKeyAdded,
             privateKeyAdded
           } = findOrCreatePublicKey(filepath, envKeysFilepath)
-          src = envSrc // overwrite the original read (because findOrCreatePublicKey) rewrite to it
+
+          // handle .env.keys write
+          fs.writeFileSync(envKeysFilepath, keysSrc)
+
+          src = envSrc // src was potentially modified by findOrCreatePublicKey so we set it again here
+
           value = encryptValue(value, publicKey)
 
-          row.changed = true // track change
+          row.changed = publicKeyAdded // track change
           row.encryptedValue = value
           row.publicKey = publicKey
           row.privateKey = privateKey

package/src/lib/services/status.js

@@ -4,7 +4,7 @@ const diff = require('diff')
 const chalk = require('chalk')
 
 const Ls = require('./ls')
-const Decrypt = require('./decrypt')
+const VaultDecrypt = require('./vaultDecrypt')
 
 const containsDirectory = require('./../helpers/containsDirectory')
 const guessEnvironment = require('./../helpers/guessEnvironment')
@@ -60,7 +60,7 @@ class Status {
       row.raw = fs.readFileSync(filepath, { encoding: ENCODING })
 
       // grab decrypted
-      const { processedEnvs } = new Decrypt(this.directory, row.environment).run()
+      const { processedEnvs } = new VaultDecrypt(this.directory, row.environment).run()
       const result = processedEnvs[0]
 
       // handle warnings

package/src/lib/services/vaultDecrypt.js

@@ -0,0 +1,126 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+
+const ENCODING = 'utf8'
+
+const libDecrypt = require('./../../lib/helpers/decrypt')
+
+class VaultDecrypt {
+  constructor (directory = '.', environment) {
+    this.directory = directory
+    this.environment = environment
+
+    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
+    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
+
+    this.processedEnvs = []
+    this.changedFilenames = new Set()
+    this.unchangedFilenames = new Set()
+  }
+
+  run () {
+    if (!fs.existsSync(this.envVaultFilepath)) {
+      const code = 'MISSING_ENV_VAULT_FILE'
+      const message = `missing .env.vault (${this.envVaultFilepath})`
+      const help = `? generate one with [dotenvx encrypt ${this.directory}]`
+
+      const error = new Error(message)
+      error.code = code
+      error.help = help
+      throw error
+    }
+
+    if (!fs.existsSync(this.envKeysFilepath)) {
+      const code = 'MISSING_ENV_KEYS_FILE'
+      const message = `missing .env.keys (${this.envKeysFilepath})`
+      const help = '? a .env.keys file must be present in order to decrypt your .env.vault contents to .env file(s)'
+
+      const error = new Error(message)
+      error.code = code
+      error.help = help
+      throw error
+    }
+
+    const dotenvKeys = dotenv.configDotenv({ path: this.envKeysFilepath }).parsed
+    const dotenvVault = dotenv.configDotenv({ path: this.envVaultFilepath }).parsed
+    const environments = this._environments()
+
+    if (environments.length > 0) {
+      // iterate over the environments
+      for (const environment of environments) {
+        const value = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
+        const row = this._processRow(value, dotenvVault, environment)
+
+        this.processedEnvs.push(row)
+      }
+    } else {
+      for (const [dotenvKey, value] of Object.entries(dotenvKeys)) {
+        const environment = dotenvKey.replace('DOTENV_KEY_', '').toLowerCase()
+        const row = this._processRow(value, dotenvVault, environment)
+
+        this.processedEnvs.push(row)
+      }
+    }
+
+    return {
+      processedEnvs: this.processedEnvs,
+      changedFilenames: [...this.changedFilenames],
+      unchangedFilenames: [...this.unchangedFilenames]
+    }
+  }
+
+  _processRow (value, dotenvVault, environment) {
+    environment = environment.toLowerCase() // important so we don't later write .env.DEVELOPMENT for example
+    const vaultKey = `DOTENV_VAULT_${environment.toUpperCase()}`
+    const ciphertext = dotenvVault[vaultKey] // attempt to find ciphertext
+
+    const row = {}
+    row.environment = environment
+    row.dotenvKey = value ? value.trim() : value
+    row.ciphertext = ciphertext
+
+    if (ciphertext && ciphertext.length >= 1) {
+      // Decrypt
+      const decrypted = libDecrypt(ciphertext, value.trim())
+      row.decrypted = decrypted
+
+      // envFilename
+      // replace _ with . to support filenames like .env.development.local
+      let envFilename = `.env.${environment.replace('_', '.')}`
+      if (environment === 'development') {
+        envFilename = '.env'
+      }
+      row.filename = envFilename
+      row.filepath = path.resolve(this.directory, envFilename)
+
+      // check if exists and is changing
+      if (fs.existsSync(row.filepath) && (fs.readFileSync(row.filepath, { encoding: ENCODING }).toString() === decrypted)) {
+        this.unchangedFilenames.add(envFilename)
+      } else {
+        row.shouldWrite = true
+        this.changedFilenames.add(envFilename)
+      }
+    } else {
+      const message = `${vaultKey} missing in .env.vault: ${this.envVaultFilepath}`
+      const warning = new Error(message)
+      row.warning = warning
+    }
+
+    return row
+  }
+
+  _environments () {
+    if (this.environment === undefined) {
+      return []
+    }
+
+    if (!Array.isArray(this.environment)) {
+      return [this.environment]
+    }
+
+    return this.environment
+  }
+}
+
+module.exports = VaultDecrypt

package/src/shared/logger.js

@@ -9,7 +9,6 @@ const transports = winston.transports
 const packageJson = require('./../lib/helpers/packageJson')
 
 const levels = {
-  blank0: 0,
   error: 0,
   errorv: 0,
   errorvp: 0,
@@ -47,8 +46,6 @@ const dotenvxFormat = printf(({ level, message, label, timestamp }) => {
   const formattedMessage = typeof message === 'object' ? JSON.stringify(message) : message
 
   switch (level.toLowerCase()) {
-    case 'blank0': // special blank that always displays - even with quiet flag (for use with get action)
-      return formattedMessage
     case 'error':
       return error(formattedMessage)
     case 'errorv':