@naturalcycles/nodejs-lib 12.66.0 → 12.68.0

package/dist/bin/secrets-decrypt.js

@@ -6,18 +6,22 @@ const colors_1 = require("../colors");
 const script_1 = require("../script");
 const secrets_decrypt_util_1 = require("../secret/secrets-decrypt.util");
 (0, script_1.runScript)(() => {
-    const { dir, encKey, del } = getDecryptCLIOptions();
-    (0, secrets_decrypt_util_1.secretsDecrypt)(dir, encKey, del);
+    const { dir, file, encKey, del, jsonMode } = getDecryptCLIOptions();
+    (0, secrets_decrypt_util_1.secretsDecrypt)(dir, file, encKey, del, jsonMode);
 });
 function getDecryptCLIOptions() {
     require('dotenv').config();
-    let { dir, encKey, encKeyVar, del } = yargs.options({
+    let { dir, file, encKey, encKeyVar, del, jsonMode } = yargs.options({
         dir: {
             type: 'array',
             desc: 'Directory with secrets. Can be many',
             // demandOption: true,
             default: './secret',
         },
+        file: {
+            type: 'string',
+            desc: 'Single file to decrypt. Useful in jsonMode',
+        },
         encKey: {
             type: 'string',
             desc: 'Encryption key',
@@ -37,6 +41,11 @@ function getDecryptCLIOptions() {
             type: 'boolean',
             desc: 'Delete source files after encryption/decryption. Be careful!',
         },
+        jsonMode: {
+            type: 'boolean',
+            desc: 'JSON mode. Encrypts only json values, not the whole file',
+            default: false,
+        },
     }).argv;
     if (!encKey) {
         encKey = process.env[encKeyVar];
@@ -48,5 +57,5 @@ function getDecryptCLIOptions() {
         }
     }
     // `as any` because @types/yargs can't handle string[] type properly
-    return { dir: dir, encKey, del };
+    return { dir: dir, file, encKey, del, jsonMode };
 }

package/dist/bin/secrets-encrypt.js

@@ -6,12 +6,12 @@ const colors_1 = require("../colors");
 const script_1 = require("../script");
 const secrets_encrypt_util_1 = require("../secret/secrets-encrypt.util");
 (0, script_1.runScript)(() => {
-    const { pattern, encKey, del } = getEncryptCLIOptions();
-    (0, secrets_encrypt_util_1.secretsEncrypt)(pattern, encKey, del);
+    const { pattern, file, encKey, del, jsonMode } = getEncryptCLIOptions();
+    (0, secrets_encrypt_util_1.secretsEncrypt)(pattern, file, encKey, del, jsonMode);
 });
 function getEncryptCLIOptions() {
     require('dotenv').config();
-    let { pattern, encKey, encKeyVar, del } = yargs.options({
+    let { pattern, file, encKey, encKeyVar, del, jsonMode } = yargs.options({
         pattern: {
             type: 'string',
             array: true,
@@ -19,6 +19,10 @@ function getEncryptCLIOptions() {
             // demandOption: true,
             default: './secret/**',
         },
+        file: {
+            type: 'string',
+            desc: 'Single file to decrypt. Useful in jsonMode',
+        },
         encKey: {
             type: 'string',
             desc: 'Encryption key',
@@ -37,6 +41,12 @@ function getEncryptCLIOptions() {
         del: {
             type: 'boolean',
             desc: 'Delete source files after encryption/decryption. Be careful!',
+            default: false,
+        },
+        jsonMode: {
+            type: 'boolean',
+            desc: 'JSON mode. Encrypts only json values, not the whole file',
+            default: false,
         },
     }).argv;
     if (!encKey) {
@@ -49,5 +59,5 @@ function getEncryptCLIOptions() {
         }
     }
     // `as any` because @types/yargs can't handle string[] type properly
-    return { pattern: pattern, encKey, del };
+    return { pattern: pattern, file, encKey, del, jsonMode };
 }

package/dist/secret/secrets-decrypt.util.d.ts

@@ -1,11 +1,12 @@
 export interface DecryptCLIOptions {
     dir: string[];
+    file?: string;
     encKey: string;
-    algorithm?: string;
     del?: boolean;
+    jsonMode?: boolean;
 }
 /**
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
  * Using provided encKey.
  */
-export declare function secretsDecrypt(dir: string[], encKey: string, del?: boolean): void;
+export declare function secretsDecrypt(dir: string[], file: string | undefined, encKey: string, del?: boolean, jsonMode?: boolean): void;

package/dist/secret/secrets-decrypt.util.js

@@ -2,22 +2,37 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.secretsDecrypt = void 0;
 const path = require("path");
+const js_lib_1 = require("@naturalcycles/js-lib");
 const fs = require("fs-extra");
 const globby = require("globby");
 const colors_1 = require("../colors");
 const crypto_util_1 = require("../security/crypto.util");
+// Debug it like this:
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets2.plain.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
 /**
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
  * Using provided encKey.
  */
-function secretsDecrypt(dir, encKey, del) {
-    const patterns = dir.map(d => `${d}/**/*.enc`);
+function secretsDecrypt(dir, file, encKey, del = false, jsonMode = false) {
+    // If `file` is provided - only this one file is used
+    const patterns = file ? [file] : dir.map(d => `${d}/**/*.enc`);
     const filenames = globby.sync(patterns);
     filenames.forEach(filename => {
-        const enc = fs.readFileSync(filename);
-        const plain = (0, crypto_util_1.decryptRandomIVBuffer)(enc, encKey);
-        const plainFilename = filename.slice(0, filename.length - '.enc'.length);
-        fs.writeFileSync(plainFilename, plain);
+        let plainFilename;
+        if (jsonMode) {
+            (0, js_lib_1._assert)(filename.endsWith('.json'), `${path.basename(filename)} MUST end with '.json'`);
+            (0, js_lib_1._assert)(!filename.endsWith('.plain.json'), `${path.basename(filename)} MUST NOT end with '.plain.json'`);
+            plainFilename = filename.replace('.json', '.plain.json');
+            const json = (0, crypto_util_1.decryptObject)(JSON.parse(fs.readFileSync(filename, 'utf8')), encKey);
+            fs.writeFileSync(plainFilename, JSON.stringify(json, null, 2));
+        }
+        else {
+            const enc = fs.readFileSync(filename);
+            const plain = (0, crypto_util_1.decryptRandomIVBuffer)(enc, encKey);
+            plainFilename = filename.slice(0, filename.length - '.enc'.length);
+            fs.writeFileSync(plainFilename, plain);
+        }
         if (del) {
             fs.unlinkSync(filename);
         }

package/dist/secret/secrets-encrypt.util.d.ts

@@ -1,11 +1,12 @@
 export interface EncryptCLIOptions {
     pattern: string[];
+    file?: string;
     encKey: string;
-    algorithm?: string;
     del?: boolean;
+    jsonMode?: boolean;
 }
 /**
  * Encrypts all files in given directory (except *.enc), saves encrypted versions as filename.ext.enc.
  * Using provided encKey.
  */
-export declare function secretsEncrypt(pattern: string[], encKey: string, del?: boolean): void;
+export declare function secretsEncrypt(pattern: string[], file: string | undefined, encKey: string, del?: boolean, jsonMode?: boolean): void;

package/dist/secret/secrets-encrypt.util.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.secretsEncrypt = void 0;
 const path = require("path");
+const js_lib_1 = require("@naturalcycles/js-lib");
 const fs = require("fs-extra");
 const globby = require("globby");
 const colors_1 = require("../colors");
@@ -10,17 +11,28 @@ const crypto_util_1 = require("../security/crypto.util");
  * Encrypts all files in given directory (except *.enc), saves encrypted versions as filename.ext.enc.
  * Using provided encKey.
  */
-function secretsEncrypt(pattern, encKey, del) {
-    const patterns = [
-        ...pattern,
-        `!**/*.enc`, // excluding already encoded
-    ];
+function secretsEncrypt(pattern, file, encKey, del = false, jsonMode = false) {
+    const patterns = file
+        ? [file]
+        : [
+            ...pattern,
+            `!**/*.enc`, // excluding already encoded
+        ];
     const filenames = globby.sync(patterns);
+    let encFilename;
     filenames.forEach(filename => {
-        const plain = fs.readFileSync(filename);
-        const enc = (0, crypto_util_1.encryptRandomIVBuffer)(plain, encKey);
-        const encFilename = `${filename}.enc`;
-        fs.writeFileSync(encFilename, enc);
+        if (jsonMode) {
+            (0, js_lib_1._assert)(filename.endsWith('.plain.json'), `${path.basename(filename)} MUST end with '.plain.json'`);
+            encFilename = filename.replace('.plain', '');
+            const json = (0, crypto_util_1.encryptObject)(JSON.parse(fs.readFileSync(filename, 'utf8')), encKey);
+            fs.writeFileSync(encFilename, JSON.stringify(json, null, 2));
+        }
+        else {
+            const plain = fs.readFileSync(filename);
+            const enc = (0, crypto_util_1.encryptRandomIVBuffer)(plain, encKey);
+            encFilename = `${filename}.enc`;
+            fs.writeFileSync(encFilename, enc);
+        }
         if (del) {
             fs.unlinkSync(filename);
         }

package/dist/security/crypto.util.d.ts

@@ -1,4 +1,5 @@
 /// <reference types="node" />
+import { StringMap } from '@naturalcycles/js-lib';
 /**
  * Using aes-256-cbc
  */
@@ -7,6 +8,12 @@ export declare function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: st
  * Using aes-256-cbc
  */
 export declare function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: string): Buffer;
+/**
+ * Decrypts all object values.
+ * Returns object with decrypted values.
+ */
+export declare function decryptObject(obj: StringMap, secretKey: string): StringMap;
+export declare function encryptObject(obj: StringMap, secretKey: string): StringMap;
 /**
  * Using aes-256-cbc
  */

package/dist/security/crypto.util.js

@@ -1,17 +1,18 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.encryptString = exports.decryptString = exports.decryptRandomIVBuffer = exports.encryptRandomIVBuffer = void 0;
+exports.encryptString = exports.decryptString = exports.encryptObject = exports.decryptObject = exports.decryptRandomIVBuffer = exports.encryptRandomIVBuffer = void 0;
 const crypto = require("crypto");
+const js_lib_1 = require("@naturalcycles/js-lib");
 const hash_util_1 = require("./hash.util");
 const algorithm = 'aes-256-cbc';
 /**
  * Using aes-256-cbc
  */
 function encryptRandomIVBuffer(input, secretKeyBase64) {
-    const key = aes256Key(secretKeyBase64);
+    // md5 to match aes-256 key length of 32 bytes
+    const key = (0, hash_util_1.md5)(Buffer.from(secretKeyBase64, 'base64'));
     // Random iv to achieve non-deterministic encryption (but deterministic decryption)
-    // const iv = await randomBytes(16)
-    const iv = crypto.randomBytes(16); // use sync method here for speed
+    const iv = crypto.randomBytes(16);
     const cipher = crypto.createCipheriv(algorithm, key, iv);
     return Buffer.concat([iv, cipher.update(input), cipher.final()]);
 }
@@ -20,7 +21,8 @@ exports.encryptRandomIVBuffer = encryptRandomIVBuffer;
  * Using aes-256-cbc
  */
 function decryptRandomIVBuffer(input, secretKeyBase64) {
-    const key = aes256Key(secretKeyBase64);
+    // md5 to match aes-256 key length of 32 bytes
+    const key = (0, hash_util_1.md5)(Buffer.from(secretKeyBase64, 'base64'));
     // iv is first 16 bytes of encrypted buffer, the rest is payload
     const iv = input.slice(0, 16);
     const payload = input.slice(16);
@@ -28,32 +30,50 @@ function decryptRandomIVBuffer(input, secretKeyBase64) {
     return Buffer.concat([decipher.update(payload), decipher.final()]);
 }
 exports.decryptRandomIVBuffer = decryptRandomIVBuffer;
+/**
+ * Decrypts all object values.
+ * Returns object with decrypted values.
+ */
+function decryptObject(obj, secretKey) {
+    const { key, iv } = getCryptoParams(secretKey);
+    const r = {};
+    (0, js_lib_1._stringMapEntries)(obj).forEach(([k, v]) => {
+        const decipher = crypto.createDecipheriv(algorithm, key, iv);
+        r[k] = decipher.update(v, 'base64', 'utf8') + decipher.final('utf8');
+    });
+    return r;
+}
+exports.decryptObject = decryptObject;
+function encryptObject(obj, secretKey) {
+    const { key, iv } = getCryptoParams(secretKey);
+    const r = {};
+    (0, js_lib_1._stringMapEntries)(obj).forEach(([k, v]) => {
+        const cipher = crypto.createCipheriv(algorithm, key, iv);
+        r[k] = cipher.update(v, 'utf8', 'base64') + cipher.final('base64');
+    });
+    return r;
+}
+exports.encryptObject = encryptObject;
 /**
  * Using aes-256-cbc
  */
 function decryptString(str, secretKey) {
-    const { algorithm, key, iv } = getCryptoParams(secretKey);
+    const { key, iv } = getCryptoParams(secretKey);
     const decipher = crypto.createDecipheriv(algorithm, key, iv);
-    let decrypted = decipher.update(str, 'base64', 'utf8');
-    return (decrypted += decipher.final('utf8'));
+    return decipher.update(str, 'base64', 'utf8') + decipher.final('utf8');
 }
 exports.decryptString = decryptString;
 /**
  * Using aes-256-cbc
  */
 function encryptString(str, secretKey) {
-    const { algorithm, key, iv } = getCryptoParams(secretKey);
+    const { key, iv } = getCryptoParams(secretKey);
     const cipher = crypto.createCipheriv(algorithm, key, iv);
-    let encrypted = cipher.update(str, 'utf8', 'base64');
-    return (encrypted += cipher.final('base64'));
+    return cipher.update(str, 'utf8', 'base64') + cipher.final('base64');
 }
 exports.encryptString = encryptString;
 function getCryptoParams(secretKey) {
     const key = (0, hash_util_1.md5)(secretKey);
     const iv = (0, hash_util_1.md5)(secretKey + key).slice(0, 16);
-    return { algorithm, key, iv };
-}
-function aes256Key(secretKeyBase64) {
-    // md5 to match aes-256 key length of 32 bytes
-    return (0, hash_util_1.md5)(Buffer.from(secretKeyBase64, 'base64'));
+    return { key, iv };
 }

package/dist/security/secret.util.js

@@ -69,11 +69,9 @@ exports.loadSecretsFromEncryptedJsonFile = loadSecretsFromEncryptedJsonFile;
  */
 function loadSecretsFromEncryptedJsonFileValues(filePath, secretEncryptionKey) {
     (0, js_lib_1._assert)(fs.existsSync(filePath), `loadSecretsFromEncryptedJsonFileValues() cannot load from path: ${filePath}`);
-    const secrets = JSON.parse(fs.readFileSync(filePath, 'utf8'));
+    let secrets = JSON.parse(fs.readFileSync(filePath, 'utf8'));
     if (secretEncryptionKey) {
-        (0, js_lib_1._stringMapEntries)(secrets).forEach(([k, enc]) => {
-            secrets[k] = (0, crypto_util_1.decryptString)(enc, secretEncryptionKey);
-        });
+        secrets = (0, crypto_util_1.decryptObject)(secrets, secretEncryptionKey);
     }
     Object.entries(secrets).forEach(([k, v]) => (secretMap[k.toUpperCase()] = v));
     loaded = true;

package/dist/util/lruMemoCache.d.ts

@@ -1,7 +1,6 @@
 import { MemoCache } from '@naturalcycles/js-lib';
 import LRUCache = require('lru-cache');
-export interface LRUMemoCacheOptions<KEY, VALUE> extends Partial<LRUCache.Options<KEY, VALUE>> {
-}
+export declare type LRUMemoCacheOptions<KEY, VALUE> = Partial<LRUCache.Options<KEY, VALUE>>;
 /**
  * @example
  * Use it like this:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naturalcycles/nodejs-lib",
-  "version": "12.66.0",
+  "version": "12.68.0",
   "scripts": {
     "prepare": "husky install",
     "docs-serve": "vuepress dev docs",

package/src/bin/secrets-decrypt.ts

@@ -6,21 +6,25 @@ import { runScript } from '../script'
 import { DecryptCLIOptions, secretsDecrypt } from '../secret/secrets-decrypt.util'
 
 runScript(() => {
-  const { dir, encKey, del } = getDecryptCLIOptions()
+  const { dir, file, encKey, del, jsonMode } = getDecryptCLIOptions()
 
-  secretsDecrypt(dir, encKey, del)
+  secretsDecrypt(dir, file, encKey, del, jsonMode)
 })
 
 function getDecryptCLIOptions(): DecryptCLIOptions {
   require('dotenv').config()
 
-  let { dir, encKey, encKeyVar, del } = yargs.options({
+  let { dir, file, encKey, encKeyVar, del, jsonMode } = yargs.options({
     dir: {
       type: 'array',
       desc: 'Directory with secrets. Can be many',
       // demandOption: true,
       default: './secret',
     },
+    file: {
+      type: 'string',
+      desc: 'Single file to decrypt. Useful in jsonMode',
+    },
     encKey: {
       type: 'string',
       desc: 'Encryption key',
@@ -40,6 +44,11 @@ function getDecryptCLIOptions(): DecryptCLIOptions {
       type: 'boolean',
       desc: 'Delete source files after encryption/decryption. Be careful!',
     },
+    jsonMode: {
+      type: 'boolean',
+      desc: 'JSON mode. Encrypts only json values, not the whole file',
+      default: false,
+    },
   }).argv
 
   if (!encKey) {
@@ -55,5 +64,5 @@ function getDecryptCLIOptions(): DecryptCLIOptions {
   }
 
   // `as any` because @types/yargs can't handle string[] type properly
-  return { dir: dir as any, encKey, del }
+  return { dir: dir as any, file, encKey, del, jsonMode }
 }

package/src/bin/secrets-encrypt.ts

@@ -6,15 +6,15 @@ import { runScript } from '../script'
 import { EncryptCLIOptions, secretsEncrypt } from '../secret/secrets-encrypt.util'
 
 runScript(() => {
-  const { pattern, encKey, del } = getEncryptCLIOptions()
+  const { pattern, file, encKey, del, jsonMode } = getEncryptCLIOptions()
 
-  secretsEncrypt(pattern, encKey, del)
+  secretsEncrypt(pattern, file, encKey, del, jsonMode)
 })
 
 function getEncryptCLIOptions(): EncryptCLIOptions {
   require('dotenv').config()
 
-  let { pattern, encKey, encKeyVar, del } = yargs.options({
+  let { pattern, file, encKey, encKeyVar, del, jsonMode } = yargs.options({
     pattern: {
       type: 'string',
       array: true,
@@ -22,6 +22,10 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
       // demandOption: true,
       default: './secret/**',
     },
+    file: {
+      type: 'string',
+      desc: 'Single file to decrypt. Useful in jsonMode',
+    },
     encKey: {
       type: 'string',
       desc: 'Encryption key',
@@ -40,6 +44,12 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
     del: {
       type: 'boolean',
       desc: 'Delete source files after encryption/decryption. Be careful!',
+      default: false,
+    },
+    jsonMode: {
+      type: 'boolean',
+      desc: 'JSON mode. Encrypts only json values, not the whole file',
+      default: false,
     },
   }).argv
 
@@ -56,5 +66,5 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
   }
 
   // `as any` because @types/yargs can't handle string[] type properly
-  return { pattern: pattern as any, encKey, del }
+  return { pattern: pattern as any, file, encKey, del, jsonMode }
 }

package/src/secret/secrets-decrypt.util.ts

@@ -1,31 +1,58 @@
 import * as path from 'path'
+import { _assert } from '@naturalcycles/js-lib'
 import * as fs from 'fs-extra'
 import globby = require('globby')
 import { dimGrey, yellow } from '../colors'
-import { decryptRandomIVBuffer } from '../security/crypto.util'
+import { decryptObject, decryptRandomIVBuffer } from '../security/crypto.util'
 
 export interface DecryptCLIOptions {
   dir: string[]
+  file?: string
   encKey: string
-  algorithm?: string
   del?: boolean
+  jsonMode?: boolean
 }
 
+// Debug it like this:
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets2.plain.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+
 /**
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
  * Using provided encKey.
  */
-export function secretsDecrypt(dir: string[], encKey: string, del?: boolean): void {
-  const patterns = dir.map(d => `${d}/**/*.enc`)
+export function secretsDecrypt(
+  dir: string[],
+  file: string | undefined,
+  encKey: string,
+  del = false,
+  jsonMode = false,
+): void {
+  // If `file` is provided - only this one file is used
+  const patterns = file ? [file] : dir.map(d => `${d}/**/*.enc`)
 
   const filenames = globby.sync(patterns)
 
   filenames.forEach(filename => {
-    const enc = fs.readFileSync(filename)
-    const plain = decryptRandomIVBuffer(enc, encKey)
+    let plainFilename
+
+    if (jsonMode) {
+      _assert(filename.endsWith('.json'), `${path.basename(filename)} MUST end with '.json'`)
+      _assert(
+        !filename.endsWith('.plain.json'),
+        `${path.basename(filename)} MUST NOT end with '.plain.json'`,
+      )
+      plainFilename = filename.replace('.json', '.plain.json')
 
-    const plainFilename = filename.slice(0, filename.length - '.enc'.length)
-    fs.writeFileSync(plainFilename, plain)
+      const json = decryptObject(JSON.parse(fs.readFileSync(filename, 'utf8')), encKey)
+
+      fs.writeFileSync(plainFilename, JSON.stringify(json, null, 2))
+    } else {
+      const enc = fs.readFileSync(filename)
+      const plain = decryptRandomIVBuffer(enc, encKey)
+      plainFilename = filename.slice(0, filename.length - '.enc'.length)
+      fs.writeFileSync(plainFilename, plain)
+    }
 
     if (del) {
       fs.unlinkSync(filename)

package/src/secret/secrets-encrypt.util.ts

@@ -1,33 +1,55 @@
 import * as path from 'path'
+import { _assert } from '@naturalcycles/js-lib'
 import * as fs from 'fs-extra'
 import globby = require('globby')
 import { dimGrey, yellow } from '../colors'
-import { encryptRandomIVBuffer } from '../security/crypto.util'
+import { encryptObject, encryptRandomIVBuffer } from '../security/crypto.util'
 
 export interface EncryptCLIOptions {
   pattern: string[]
+  file?: string
   encKey: string
-  algorithm?: string
   del?: boolean
+  jsonMode?: boolean
 }
 
 /**
  * Encrypts all files in given directory (except *.enc), saves encrypted versions as filename.ext.enc.
  * Using provided encKey.
  */
-export function secretsEncrypt(pattern: string[], encKey: string, del?: boolean): void {
-  const patterns = [
-    ...pattern,
-    `!**/*.enc`, // excluding already encoded
-  ]
+export function secretsEncrypt(
+  pattern: string[],
+  file: string | undefined,
+  encKey: string,
+  del = false,
+  jsonMode = false,
+): void {
+  const patterns = file
+    ? [file]
+    : [
+        ...pattern,
+        `!**/*.enc`, // excluding already encoded
+      ]
   const filenames = globby.sync(patterns)
+  let encFilename
 
   filenames.forEach(filename => {
-    const plain = fs.readFileSync(filename)
-    const enc = encryptRandomIVBuffer(plain, encKey)
+    if (jsonMode) {
+      _assert(
+        filename.endsWith('.plain.json'),
+        `${path.basename(filename)} MUST end with '.plain.json'`,
+      )
+      encFilename = filename.replace('.plain', '')
 
-    const encFilename = `${filename}.enc`
-    fs.writeFileSync(encFilename, enc)
+      const json = encryptObject(JSON.parse(fs.readFileSync(filename, 'utf8')), encKey)
+
+      fs.writeFileSync(encFilename, JSON.stringify(json, null, 2))
+    } else {
+      const plain = fs.readFileSync(filename)
+      const enc = encryptRandomIVBuffer(plain, encKey)
+      encFilename = `${filename}.enc`
+      fs.writeFileSync(encFilename, enc)
+    }
 
     if (del) {
       fs.unlinkSync(filename)

package/src/security/crypto.util.ts

@@ -1,4 +1,5 @@
 import * as crypto from 'crypto'
+import { _stringMapEntries, StringMap } from '@naturalcycles/js-lib'
 import { md5 } from './hash.util'
 
 const algorithm = 'aes-256-cbc'
@@ -7,12 +8,11 @@ const algorithm = 'aes-256-cbc'
  * Using aes-256-cbc
  */
 export function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: string): Buffer {
-  const key = aes256Key(secretKeyBase64)
+  // md5 to match aes-256 key length of 32 bytes
+  const key = md5(Buffer.from(secretKeyBase64, 'base64'))
 
   // Random iv to achieve non-deterministic encryption (but deterministic decryption)
-  // const iv = await randomBytes(16)
-  const iv = crypto.randomBytes(16) // use sync method here for speed
-
+  const iv = crypto.randomBytes(16)
   const cipher = crypto.createCipheriv(algorithm, key, iv)
 
   return Buffer.concat([iv, cipher.update(input), cipher.final()])
@@ -22,7 +22,8 @@ export function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: string): B
  * Using aes-256-cbc
  */
 export function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: string): Buffer {
-  const key = aes256Key(secretKeyBase64)
+  // md5 to match aes-256 key length of 32 bytes
+  const key = md5(Buffer.from(secretKeyBase64, 'base64'))
 
   // iv is first 16 bytes of encrypted buffer, the rest is payload
   const iv = input.slice(0, 16)
@@ -33,33 +34,52 @@ export function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: string): B
   return Buffer.concat([decipher.update(payload), decipher.final()])
 }
 
+/**
+ * Decrypts all object values.
+ * Returns object with decrypted values.
+ */
+export function decryptObject(obj: StringMap, secretKey: string): StringMap {
+  const { key, iv } = getCryptoParams(secretKey)
+
+  const r: StringMap = {}
+  _stringMapEntries(obj).forEach(([k, v]) => {
+    const decipher = crypto.createDecipheriv(algorithm, key, iv)
+    r[k] = decipher.update(v, 'base64', 'utf8') + decipher.final('utf8')
+  })
+  return r
+}
+
+export function encryptObject(obj: StringMap, secretKey: string): StringMap {
+  const { key, iv } = getCryptoParams(secretKey)
+
+  const r: StringMap = {}
+  _stringMapEntries(obj).forEach(([k, v]) => {
+    const cipher = crypto.createCipheriv(algorithm, key, iv)
+    r[k] = cipher.update(v, 'utf8', 'base64') + cipher.final('base64')
+  })
+  return r
+}
+
 /**
  * Using aes-256-cbc
  */
 export function decryptString(str: string, secretKey: string): string {
-  const { algorithm, key, iv } = getCryptoParams(secretKey)
+  const { key, iv } = getCryptoParams(secretKey)
   const decipher = crypto.createDecipheriv(algorithm, key, iv)
-  let decrypted = decipher.update(str, 'base64', 'utf8')
-  return (decrypted += decipher.final('utf8'))
+  return decipher.update(str, 'base64', 'utf8') + decipher.final('utf8')
 }
 
 /**
  * Using aes-256-cbc
  */
 export function encryptString(str: string, secretKey: string): string {
-  const { algorithm, key, iv } = getCryptoParams(secretKey)
+  const { key, iv } = getCryptoParams(secretKey)
   const cipher = crypto.createCipheriv(algorithm, key, iv)
-  let encrypted = cipher.update(str, 'utf8', 'base64')
-  return (encrypted += cipher.final('base64'))
+  return cipher.update(str, 'utf8', 'base64') + cipher.final('base64')
 }
 
-function getCryptoParams(secretKey: string): { algorithm: string; key: string; iv: string } {
+function getCryptoParams(secretKey: string): { key: string; iv: string } {
   const key = md5(secretKey)
   const iv = md5(secretKey + key).slice(0, 16)
-  return { algorithm, key, iv }
-}
-
-function aes256Key(secretKeyBase64: string): string {
-  // md5 to match aes-256 key length of 32 bytes
-  return md5(Buffer.from(secretKeyBase64, 'base64'))
+  return { key, iv }
 }

package/src/security/secret.util.ts

@@ -1,7 +1,7 @@
 import * as fs from 'fs'
-import { _assert, _stringMapEntries, StringMap } from '@naturalcycles/js-lib'
+import { _assert, StringMap } from '@naturalcycles/js-lib'
 import { base64ToString } from '..'
-import { decryptRandomIVBuffer, decryptString } from './crypto.util'
+import { decryptObject, decryptRandomIVBuffer } from './crypto.util'
 
 let loaded = false
 
@@ -93,12 +93,10 @@ export function loadSecretsFromEncryptedJsonFileValues(
     `loadSecretsFromEncryptedJsonFileValues() cannot load from path: ${filePath}`,
   )
 
-  const secrets: StringMap = JSON.parse(fs.readFileSync(filePath, 'utf8'))
+  let secrets: StringMap = JSON.parse(fs.readFileSync(filePath, 'utf8'))
 
   if (secretEncryptionKey) {
-    _stringMapEntries(secrets).forEach(([k, enc]) => {
-      secrets[k] = decryptString(enc, secretEncryptionKey)
-    })
+    secrets = decryptObject(secrets, secretEncryptionKey)
   }
 
   Object.entries(secrets).forEach(([k, v]) => (secretMap[k.toUpperCase()] = v))

package/src/util/lruMemoCache.ts

@@ -2,7 +2,7 @@ import { MemoCache } from '@naturalcycles/js-lib'
 import LRUCache = require('lru-cache')
 
 // Partial, to be able to provide default `max`
-export interface LRUMemoCacheOptions<KEY, VALUE> extends Partial<LRUCache.Options<KEY, VALUE>> {}
+export type LRUMemoCacheOptions<KEY, VALUE> = Partial<LRUCache.Options<KEY, VALUE>>
 
 /**
  * @example