@dotenvx/dotenvx 1.55.0 → 1.56.0

package/src/lib/services/sets.js

@@ -4,27 +4,36 @@ const path = require('path')
 const TYPE_ENV_FILE = 'envFile'
 
 const Errors = require('./../helpers/errors')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const guessPublicKeyName = require('./../helpers/guessPublicKeyName')
-const encryptValue = require('./../helpers/encryptValue')
-const decryptKeyValue = require('./../helpers/decryptKeyValue')
+
+const {
+  determine
+} = require('./../helpers/envResolution')
+
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+
+const {
+  encryptValue,
+  decryptKeyValue,
+  isEncrypted,
+  provision,
+  provisionWithPrivateKey
+} = require('./../helpers/cryptography')
+
 const replace = require('./../helpers/replace')
 const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
-const determineEnvs = require('./../helpers/determineEnvs')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const keypair = require('./../helpers/keypair')
-const truncate = require('./../helpers/truncate')
-const isEncrypted = require('./../helpers/isEncrypted')
 
 class Sets {
-  constructor (key, value, envs = [], encrypt = true, envKeysFilepath = null) {
-    this.envs = determineEnvs(envs, process.env)
+  constructor (key, value, envs = [], encrypt = true, envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, process.env)
     this.key = key
     this.value = value
     this.encrypt = encrypt
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -57,14 +66,13 @@ class Sets {
     row.value = this.value || null
     row.type = TYPE_ENV_FILE
 
-    const filename = path.basename(envFilepath)
     const filepath = path.resolve(envFilepath)
     row.filepath = filepath
     row.envFilepath = envFilepath
     row.changed = false
 
     try {
-      const encoding = this._detectEncoding(filepath)
+      const encoding = detectEncoding(filepath)
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
       row.originalValue = envParsed[row.key] || null
@@ -75,86 +83,28 @@ class Sets {
         let publicKey
         let privateKey
 
-        const publicKeyName = guessPublicKeyName(envFilepath)
-        const privateKeyName = guessPrivateKeyName(envFilepath)
-        const existingPublicKey = findPublicKey(envFilepath)
-        const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, false, existingPublicKey)
-
-        let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
-        if (this.envKeysFilepath) {
-          envKeysFilepath = path.resolve(this.envKeysFilepath)
-        }
-        const relativeFilepath = path.relative(path.dirname(filepath), envKeysFilepath)
-
-        if (existingPrivateKey) {
-          const kp = keypair(existingPrivateKey)
-          publicKey = kp.publicKey
-          privateKey = kp.privateKey
+        const { publicKeyName, privateKeyName } = keyNames(filepath)
+        const { publicKeyValue, privateKeyValue } = keyValues(filepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+
+        // first pass - provision
+        if (!privateKeyValue && !publicKeyValue) {
+          const prov = provision({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+          envSrc = prov.envSrc
+          publicKey = prov.publicKey
+          privateKey = prov.privateKey
+          row.privateKeyAdded = prov.privateKeyAdded
+          row.envKeysFilepath = prov.envKeysFilepath
+        } else if (privateKeyValue) {
+          const prov = provisionWithPrivateKey({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, privateKeyValue, publicKeyValue, publicKeyName })
+          publicKey = prov.publicKey
+          privateKey = prov.privateKey
+          envSrc = prov.envSrc
 
           if (row.originalValue) {
             row.originalValue = decryptKeyValue(row.key, row.originalValue, privateKeyName, privateKey)
           }
-
-          // if derivation doesn't match what's in the file (or preset in env)
-          if (existingPublicKey && existingPublicKey !== publicKey) {
-            const error = new Error(`derived public key (${truncate(publicKey)}) does not match the existing public key (${truncate(existingPublicKey)})`)
-            error.code = 'INVALID_DOTENV_PRIVATE_KEY'
-            error.help = `debug info: ${privateKeyName}=${truncate(existingPrivateKey)} (derived ${publicKeyName}=${truncate(publicKey)} vs existing ${publicKeyName}=${truncate(existingPublicKey)})`
-            throw error
-          }
-
-          // typical scenario when encrypting a monorepo second .env file from a prior generated -fk .env.keys file
-          if (!existingPublicKey) {
-            const ps = this._preserveShebang(envSrc)
-            const firstLinePreserved = ps.firstLinePreserved
-            envSrc = ps.envSrc
-
-            const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
-
-            envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
-          }
-        } else if (existingPublicKey) {
-          publicKey = existingPublicKey
-        } else {
-          // .env.keys
-          let keysSrc = ''
-          if (fsx.existsSync(envKeysFilepath)) {
-            keysSrc = fsx.readFileX(envKeysFilepath)
-          }
-
-          const ps = this._preserveShebang(envSrc)
-          const firstLinePreserved = ps.firstLinePreserved
-          envSrc = ps.envSrc
-
-          const kp = keypair() // generates a fresh keypair in memory
-          publicKey = kp.publicKey
-          privateKey = kp.privateKey
-
-          const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
-
-          // privateKey
-          const firstTimeKeysSrc = [
-            '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
-            '#/ private decryption keys. DO NOT commit to source control /',
-            '#/     [how it works](https://dotenvx.com/encryption)       /',
-            // '#/           backup with: `dotenvx ops backup`              /',
-            '#/----------------------------------------------------------/'
-          ].join('\n')
-          const appendPrivateKey = [
-            `# ${filename}`,
-            `${privateKeyName}=${privateKey}`,
-            ''
-          ].join('\n')
-
-          envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
-          keysSrc = keysSrc.length > 1 ? keysSrc : `${firstTimeKeysSrc}\n`
-          keysSrc = `${keysSrc}\n${appendPrivateKey}`
-
-          // write to .env.keys
-          fsx.writeFileX(envKeysFilepath, keysSrc)
-
-          row.privateKeyAdded = true
-          row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), path.basename(envKeysFilepath))
+        } else if (publicKeyValue) {
+          publicKey = publicKeyValue
         }
 
         row.publicKey = publicKey
@@ -184,40 +134,6 @@ class Sets {
 
     this.processedEnvs.push(row)
   }
-
-  _detectEncoding (filepath) {
-    return detectEncoding(filepath)
-  }
-
-  _prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '.env.keys') {
-    const comment = relativeFilepath === '.env.keys' ? '' : ` # -fk ${relativeFilepath}`
-
-    return [
-      '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
-      '#/            public-key encryption for .env files          /',
-      '#/       [how it works](https://dotenvx.com/encryption)     /',
-      '#/----------------------------------------------------------/',
-      `${publicKeyName}="${publicKey}"${comment}`,
-      '',
-      `# ${filename}`
-    ].join('\n')
-  }
-
-  _preserveShebang (envSrc) {
-    // preserve shebang
-    const [firstLine, ...remainingLines] = envSrc.split('\n')
-    let firstLinePreserved = ''
-
-    if (firstLine.startsWith('#!')) {
-      firstLinePreserved = firstLine + '\n'
-      envSrc = remainingLines.join('\n')
-    }
-
-    return {
-      firstLinePreserved,
-      envSrc
-    }
-  }
 }
 
 module.exports = Sets

package/src/lib/helpers/decrypt.js

@@ -1,31 +0,0 @@
-const dotenv = require('dotenv')
-
-const parseEncryptionKeyFromDotenvKey = require('./parseEncryptionKeyFromDotenvKey')
-
-function decrypt (ciphertext, dotenvKey) {
-  const key = parseEncryptionKeyFromDotenvKey(dotenvKey)
-
-  try {
-    return dotenv.decrypt(ciphertext, key)
-  } catch (e) {
-    if (e.code === 'DECRYPTION_FAILED') {
-      const error = new Error('[DECRYPTION_FAILED] Unable to decrypt .env.vault with DOTENV_KEY.')
-      error.code = 'DECRYPTION_FAILED'
-      error.help = '[DECRYPTION_FAILED] Run with debug flag [dotenvx run --debug -- yourcommand] or manually run [echo $DOTENV_KEY] to compare it to the one in .env.keys.'
-      error.debug = `[DECRYPTION_FAILED] DOTENV_KEY is ${dotenvKey}`
-      throw error
-    }
-
-    if (e.code === 'ERR_CRYPTO_INVALID_AUTH_TAG') {
-      const error = new Error('[INVALID_CIPHERTEXT] Unable to decrypt what appears to be invalid ciphertext.')
-      error.code = 'INVALID_CIPHERTEXT'
-      error.help = '[INVALID_CIPHERTEXT] Run with debug flag [dotenvx run --debug -- yourcommand] or manually check .env.vault.'
-      error.debug = `[INVALID_CIPHERTEXT] ciphertext is '${ciphertext}'`
-      throw error
-    }
-
-    throw e
-  }
-}
-
-module.exports = decrypt

package/src/lib/helpers/deprecationNotice.js

@@ -1,17 +0,0 @@
-const { logger } = require('./../../shared/logger')
-
-class DeprecationNotice {
-  constructor (options = {}) {
-    this.DOTENV_KEY = options.DOTENV_KEY || process.env.DOTENV_KEY
-  }
-
-  dotenvKey () {
-    if (this.DOTENV_KEY) {
-      logger.warn('[DEPRECATION NOTICE] Setting DOTENV_KEY with .env.vault is deprecated.')
-      logger.warn('[DEPRECATION NOTICE] Run [dotenvx ext vault migrate] for instructions on converting your .env.vault file to encrypted .env files (using public key encryption algorithm secp256k1)')
-      logger.warn('[DEPRECATION NOTICE] Read more at [https://github.com/dotenvx/dotenvx/blob/main/CHANGELOG.md#0380]')
-    }
-  }
-}
-
-module.exports = DeprecationNotice

package/src/lib/helpers/determineEnvs.js

@@ -1,65 +0,0 @@
-const dotenvPrivateKeyNames = require('./dotenvPrivateKeyNames')
-const guessPrivateKeyFilename = require('./guessPrivateKeyFilename')
-
-const TYPE_ENV_FILE = 'envFile'
-const TYPE_ENV_VAULT_FILE = 'envVaultFile'
-const DEFAULT_ENVS = [{ type: TYPE_ENV_FILE, value: '.env' }]
-const DEFAULT_ENV_VAULTS = [{ type: TYPE_ENV_VAULT_FILE, value: '.env.vault' }]
-
-function determineEnvsFromDotenvPrivateKey (privateKeyNames) {
-  const envs = []
-
-  for (const privateKeyName of privateKeyNames) {
-    const filename = guessPrivateKeyFilename(privateKeyName)
-    envs.push({ type: TYPE_ENV_FILE, value: filename })
-  }
-
-  return envs
-}
-
-function determineEnvs (envs = [], processEnv, DOTENV_KEY = '') {
-  const privateKeyNames = dotenvPrivateKeyNames(processEnv)
-  if (!envs || envs.length <= 0) {
-    // if process.env.DOTENV_PRIVATE_KEY or process.env.DOTENV_PRIVATE_KEY_${environment} is set, assume inline encryption methodology
-    if (privateKeyNames.length > 0) {
-      return determineEnvsFromDotenvPrivateKey(privateKeyNames)
-    }
-
-    if (DOTENV_KEY.length > 0) {
-      // if DOTENV_KEY is set then default to look for .env.vault file
-      return DEFAULT_ENV_VAULTS
-    } else {
-      return DEFAULT_ENVS // default to .env file expectation
-    }
-  } else {
-    let fileAlreadySpecified = false // can be .env or .env.vault type
-
-    for (const env of envs) {
-      // if DOTENV_KEY set then we are checking if a .env.vault file is already specified
-      if (DOTENV_KEY.length > 0 && env.type === TYPE_ENV_VAULT_FILE) {
-        fileAlreadySpecified = true
-      }
-
-      // if DOTENV_KEY not set then we are checking if a .env file is already specified
-      if (DOTENV_KEY.length <= 0 && env.type === TYPE_ENV_FILE) {
-        fileAlreadySpecified = true
-      }
-    }
-
-    // return early since envs array objects already contain 1 .env.vault or .env file
-    if (fileAlreadySpecified) {
-      return envs
-    }
-
-    // no .env.vault or .env file specified as a flag so we assume either .env.vault (if dotenv key is set) or a .env file
-    if (DOTENV_KEY.length > 0) {
-      // if DOTENV_KEY is set then default to look for .env.vault file
-      return [...DEFAULT_ENV_VAULTS, ...envs]
-    } else {
-      // if no DOTENV_KEY then default to look for .env file
-      return [...DEFAULT_ENVS, ...envs]
-    }
-  }
-}
-
-module.exports = determineEnvs

package/src/lib/helpers/encrypt.js

@@ -1,29 +0,0 @@
-const crypto = require('crypto')
-
-const parseEncryptionKeyFromDotenvKey = require('./parseEncryptionKeyFromDotenvKey')
-
-const NONCE_BYTES = 12
-
-function encrypt (raw, dotenvKey) {
-  const key = parseEncryptionKeyFromDotenvKey(dotenvKey)
-
-  // set up nonce
-  const nonce = crypto.randomBytes(NONCE_BYTES)
-
-  // set up cipher
-  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
-
-  // generate ciphertext
-  let ciphertext = ''
-  ciphertext += cipher.update(raw, 'utf8', 'hex')
-  ciphertext += cipher.final('hex')
-  ciphertext += cipher.getAuthTag().toString('hex')
-
-  // prepend nonce
-  ciphertext = nonce.toString('hex') + ciphertext
-
-  // base64 encode output
-  return Buffer.from(ciphertext, 'hex').toString('base64')
-}
-
-module.exports = encrypt

package/src/lib/helpers/findPrivateKey.js

@@ -1,25 +0,0 @@
-// helpers
-const guessPrivateKeyName = require('./guessPrivateKeyName')
-const findPublicKey = require('./findPublicKey')
-
-// services
-const Keypair = require('./../services/keypair')
-const Ops = require('./../services/ops')
-
-function findPrivateKey (envFilepath, envKeysFilepath = null, opsOn = false, publicKey = null) {
-  // use path/to/.env.${environment} to generate privateKeyName
-  const privateKeyName = guessPrivateKeyName(envFilepath)
-
-  if (opsOn) {
-    const resolvedPublicKey = publicKey || findPublicKey(envFilepath)
-    const opsPrivateKey = new Ops().keypair(resolvedPublicKey)
-    if (opsPrivateKey) {
-      return opsPrivateKey
-    }
-  }
-
-  const keypairs = new Keypair(envFilepath, envKeysFilepath).run()
-  return keypairs[privateKeyName]
-}
-
-module.exports = { findPrivateKey }

package/src/lib/helpers/findPublicKey.js

@@ -1,15 +0,0 @@
-// helpers
-const guessPublicKeyName = require('./guessPublicKeyName')
-
-// services
-const Keypair = require('./../services/keypair')
-
-function findPublicKey (envFilepath) {
-  const publicKeyName = guessPublicKeyName(envFilepath)
-
-  const keypairs = new Keypair(envFilepath).run()
-
-  return keypairs[publicKeyName]
-}
-
-module.exports = findPublicKey

package/src/lib/helpers/guessPrivateKeyName.js

@@ -1,18 +0,0 @@
-const path = require('path')
-const guessEnvironment = require('./guessEnvironment')
-
-function guessPrivateKeyName (filepath) {
-  const filename = path.basename(filepath).toLowerCase()
-
-  // .env
-  if (filename === '.env') {
-    return 'DOTENV_PRIVATE_KEY'
-  }
-
-  // .env.ENVIRONMENT
-  const environment = guessEnvironment(filename)
-
-  return `DOTENV_PRIVATE_KEY_${environment.toUpperCase()}`
-}
-
-module.exports = guessPrivateKeyName

package/src/lib/helpers/guessPublicKeyName.js

@@ -1,18 +0,0 @@
-const path = require('path')
-const guessEnvironment = require('./guessEnvironment')
-
-function guessPublicKeyName (filepath) {
-  const filename = path.basename(filepath).toLowerCase()
-
-  // .env
-  if (filename === '.env') {
-    return 'DOTENV_PUBLIC_KEY'
-  }
-
-  // .env.ENVIRONMENT
-  const environment = guessEnvironment(filename)
-
-  return `DOTENV_PUBLIC_KEY_${environment.toUpperCase()}`
-}
-
-module.exports = guessPublicKeyName

package/src/lib/helpers/parseEncryptionKeyFromDotenvKey.js

@@ -1,19 +0,0 @@
-function parseEncryptionKeyFromDotenvKey (dotenvKey) {
-  // Parse DOTENV_KEY. Format is a URI
-  let uri
-  try {
-    uri = new URL(dotenvKey)
-  } catch (e) {
-    throw new Error('INVALID_DOTENV_KEY: Incomplete format. It should be a dotenv uri. (dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development)')
-  }
-
-  // Get decrypt key
-  const key = uri.password
-  if (!key) {
-    throw new Error('INVALID_DOTENV_KEY: Missing key part')
-  }
-
-  return Buffer.from(key.slice(-64), 'hex')
-}
-
-module.exports = parseEncryptionKeyFromDotenvKey

package/src/lib/helpers/parseEnvironmentFromDotenvKey.js

@@ -1,19 +0,0 @@
-function parseEnvironmentFromDotenvKey (dotenvKey) {
-  // Parse DOTENV_KEY. Format is a URI
-  let uri
-  try {
-    uri = new URL(dotenvKey)
-  } catch (e) {
-    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
-  }
-
-  // Get environment
-  const environment = uri.searchParams.get('environment')
-  if (!environment) {
-    throw new Error('INVALID_DOTENV_KEY: Missing environment part')
-  }
-
-  return environment
-}
-
-module.exports = parseEnvironmentFromDotenvKey

package/src/lib/helpers/smartDotenvPrivateKey.js

@@ -1,89 +0,0 @@
-const fsx = require('./fsx')
-const path = require('path')
-
-const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
-const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
-
-const dotenvParse = require('./dotenvParse')
-const guessPrivateKeyName = require('./guessPrivateKeyName')
-
-function searchProcessEnv (privateKeyName) {
-  if (process.env[privateKeyName] && process.env[privateKeyName].length > 0) {
-    return process.env[privateKeyName]
-  }
-}
-
-function searchKeysFile (privateKeyName, envFilepath, envKeysFilepath = null) {
-  let keysFilepath = path.resolve(path.dirname(envFilepath), '.env.keys') // typical scenario
-  if (envKeysFilepath) { // user specified -fk flag
-    keysFilepath = path.resolve(envKeysFilepath)
-  }
-
-  if (fsx.existsSync(keysFilepath)) {
-    const keysSrc = fsx.readFileX(keysFilepath)
-    const keysParsed = dotenvParse(keysSrc)
-
-    if (keysParsed[privateKeyName] && keysParsed[privateKeyName].length > 0) {
-      return keysParsed[privateKeyName]
-    }
-  }
-}
-
-function invertForPrivateKeyName (envFilepath) {
-  if (!fsx.existsSync(envFilepath)) {
-    return null
-  }
-
-  const envSrc = fsx.readFileX(envFilepath)
-  const envParsed = dotenvParse(envSrc)
-
-  let publicKeyName
-  for (const keyName of Object.keys(envParsed)) {
-    if (keyName === PUBLIC_KEY_SCHEMA || keyName.startsWith(PUBLIC_KEY_SCHEMA)) {
-      publicKeyName = keyName // find DOTENV_PUBLIC_KEY* in filename
-    }
-  }
-
-  if (publicKeyName) {
-    return publicKeyName.replace(PUBLIC_KEY_SCHEMA, PRIVATE_KEY_SCHEMA) // return inverted (DOTENV_PUBLIC_KEY* -> DOTENV_PRIVATE_KEY*) if found
-  }
-
-  return null
-}
-
-function smartDotenvPrivateKey (envFilepath, envKeysFilepath = null) {
-  let privateKey = null
-  let privateKeyName = guessPrivateKeyName(envFilepath) // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
-
-  // 1. attempt process.env first
-  privateKey = searchProcessEnv(privateKeyName)
-  if (privateKey) {
-    return privateKey
-  }
-
-  // 2. attempt .env.keys second (path/to/.env.keys)
-  privateKey = searchKeysFile(privateKeyName, envFilepath, envKeysFilepath)
-  if (privateKey) {
-    return privateKey
-  }
-
-  // 3. attempt inverting `DOTENV_PUBLIC_KEY*` name inside file (unlocks custom filenames not matching .env.${ENVIRONMENT} pattern)
-  privateKeyName = invertForPrivateKeyName(envFilepath)
-  if (privateKeyName) {
-    // 3.1 attempt process.env first
-    privateKey = searchProcessEnv(privateKeyName)
-    if (privateKey) {
-      return privateKey
-    }
-
-    // 3.2. attempt .env.keys second (path/to/.env.keys)
-    privateKey = searchKeysFile(privateKeyName, envFilepath, envKeysFilepath)
-    if (privateKey) {
-      return privateKey
-    }
-  }
-
-  return null
-}
-
-module.exports = smartDotenvPrivateKey

package/src/lib/helpers/smartDotenvPublicKey.js

@@ -1,42 +0,0 @@
-const fsx = require('./fsx')
-const dotenvParse = require('./dotenvParse')
-
-const guessPublicKeyName = require('./guessPublicKeyName')
-
-function searchProcessEnv (publicKeyName) {
-  if (process.env[publicKeyName] && process.env[publicKeyName].length > 0) {
-    return process.env[publicKeyName]
-  }
-}
-
-function searchEnvFile (publicKeyName, envFilepath) {
-  if (fsx.existsSync(envFilepath)) {
-    const keysSrc = fsx.readFileX(envFilepath)
-    const keysParsed = dotenvParse(keysSrc)
-
-    if (keysParsed[publicKeyName] && keysParsed[publicKeyName].length > 0) {
-      return keysParsed[publicKeyName]
-    }
-  }
-}
-
-function smartDotenvPublicKey (envFilepath) {
-  let publicKey = null
-  const publicKeyName = guessPublicKeyName(envFilepath) // DOTENV_PUBLIC_KEY_${ENVIRONMENT}
-
-  // 1. attempt process.env first
-  publicKey = searchProcessEnv(publicKeyName)
-  if (publicKey) {
-    return publicKey
-  }
-
-  // 2. attempt .env.keys second (path/to/.env.keys)
-  publicKey = searchEnvFile(publicKeyName, envFilepath)
-  if (publicKey) {
-    return publicKey
-  }
-
-  return null
-}
-
-module.exports = smartDotenvPublicKey