dotsec 0.10.0 → 0.10.1-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +163 -60
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +188 -82
- package/dist/esm/cli.js.map +3 -3
- package/package.json +4 -2
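--- a/package/dist/esm/cli.js
+++ b/package/dist/esm/cli.js
@@ -1,4 +1,6 @@
 var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
 var __getOwnPropSymbols = Object.getOwnPropertySymbols;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __propIsEnum = Object.prototype.propertyIsEnumerable;
@@ -14,6 +16,7 @@ var __spreadValues = (a, b) => {
 }
 return a;
 };
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
 var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
 var __export = (target, all) => {
 __markAsModule(target);
@@ -60,8 +63,7 @@ var commonCliOptions = {
 },
 envFile: {
 string: true,
-describe: ".env file"
-default: ".env"
+describe: ".env file"
 },
 ignoreMissingEnvFile: {
 boolean: true,
@@ -84,6 +86,14 @@ var commonCliOptions = {
 boolean: true,
 describe: "Be verbose"
 },
+encryptedSecretsFile: {
+string: true,
+describe: "filename of json file for reading encrypted secrets"
+},
+jsonFilter: {
+string: true,
+describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
+},
 yes: {
 boolean: true,
 describe: "Proceeds without confirmation"
@@ -310,11 +320,11 @@ __export(decryptSecCommand_exports, {
 desc: () => desc2,
 handler: () => handler2
 });
-import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
-import { redBright } from "chalk";
-import { parse } from "dotenv";
 import fs from "node:fs";
 import path from "node:path";
+import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
+import { redBright } from "chalk";
+import { parse } from "dotenv";
 
 // src/utils/io.ts
 import { stat } from "fs/promises";
@@ -346,6 +356,30 @@ var promptOverwriteIfFileExists = async ({
 return overwriteResponse;
 };
 
+// src/utils/kms.ts
+import {
+DescribeKeyCommand,
+KMSClient
+} from "@aws-sdk/client-kms";
+var getKMSClient = ({
+configuration
+}) => {
+const kmsClient = new KMSClient(configuration);
+return kmsClient;
+};
+var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
+var _a, _b;
+const describeKeyCommand = new DescribeKeyCommand({
+KeyId: awsKeyAlias
+});
+const describeKeyResult = await kmsClient.send(describeKeyCommand);
+const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
+if (encryptionAlgorithm === void 0) {
+throw new Error(`Could not determine encryption algorithm`);
+}
+return encryptionAlgorithm;
+};
+
 // src/commands/decryptSecCommand.ts
 var command2 = "decrypt-sec";
 var desc2 = "Decrypts a dotsec file";
@@ -354,7 +388,7 @@ var builder2 = {
 "aws-region": commonCliOptions.awsRegion,
 "aws-key-alias": commonCliOptions.awsKeyAlias,
 "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-"env-file": commonCliOptions.envFile,
+"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
 "sec-file": commonCliOptions.secFile,
 verbose: commonCliOptions.verbose
 };
@@ -370,15 +404,16 @@ var handler2 = async (argv) => {
 return;
 }
 const parsedSec = parse(fs.readFileSync(secSource, { encoding: "utf8" }));
-const kmsClient = new
+const kmsClient = new KMSClient2({
 credentials: credentialsAndOrigin.value,
 region: regionAndOrigin.value
 });
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
 const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
 const decryptCommand = new DecryptCommand({
 KeyId: argv.awsKeyAlias,
 CiphertextBlob: Buffer.from(cipherText, "base64"),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const decryptionResult = await kmsClient.send(decryptCommand);
 if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -405,22 +440,11 @@ __export(decryptSecretsJson_exports, {
 desc: () => desc3,
 handler: () => handler3
 });
-import { DecryptCommand as DecryptCommand2, DescribeKeyCommand } from "@aws-sdk/client-kms";
-import { redBright as redBright2 } from "chalk";
-import flat from "flat";
 import fs2 from "node:fs";
 import path2 from "node:path";
-
-
-import
-var getKMSClient = ({
-configuration
-}) => {
-const kmsClient = new KMSClient2(configuration);
-return kmsClient;
-};
-
-// src/commands/decryptSecretsJson.ts
+import { DecryptCommand as DecryptCommand2, DescribeKeyCommand as DescribeKeyCommand2 } from "@aws-sdk/client-kms";
+import { redBright as redBright2 } from "chalk";
+import flat from "flat";
 var command3 = "decrypt-secrets-json";
 var desc3 = "Derypts an encrypted file";
 var builder3 = {
@@ -432,11 +456,9 @@ var builder3 = {
 describe: "filename of json file writing secrets",
 default: "secrets.json"
 },
-"encrypted-secrets-file": {
-string: true,
-describe: "filename of json file for reading encrypted secrets",
+"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
 default: "secrets.encrypted.json"
-},
+}),
 "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
 verbose: commonCliOptions.verbose,
 yes: __spreadValues({}, commonCliOptions.yes)
@@ -467,17 +489,18 @@ var handler3 = async (argv) => {
 });
 if (argv.verbose) {
 info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
-const describeKeyCommand = new
+const describeKeyCommand = new DescribeKeyCommand2({
 KeyId: argv.awsKeyAlias
 });
 const describeKeyResult = await kmsClient.send(describeKeyCommand);
 console.log("describeKeyResult", { describeKeyResult });
 }
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
 const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
 const decryptCommand = new DecryptCommand2({
 KeyId: argv.awsKeyAlias,
 CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const decryptionResult = await kmsClient.send(decryptCommand);
 if (!decryptionResult.Plaintext) {
@@ -519,12 +542,37 @@ __export(defaultCommand_exports, {
 desc: () => desc4,
 handler: () => handler4
 });
-import
-import
+import fs4 from "node:fs";
+import path4 from "node:path";
 import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
-import { redBright as
+import { redBright as redBright4 } from "chalk";
+import { constantCase } from "constant-case";
 import { spawn } from "cross-spawn";
 import { parse as parse2 } from "dotenv";
+import flat2 from "flat";
+
+// src/lib/encryptedSecrets.ts
+import fs3 from "fs";
+import path3 from "path";
+import { redBright as redBright3 } from "chalk";
+var loadEncryptedSecrets = async ({
+encryptedSecretsFile
+}) => {
+const encryptedSecretsPath = path3.resolve(process.cwd(), encryptedSecretsFile);
+if (!await fileExists(encryptedSecretsPath)) {
+throw new Error(`Could not open ${redBright3(encryptedSecretsPath)}`);
+}
+const encryptedSecrets = JSON.parse(fs3.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
+if (!encryptedSecrets) {
+throw new Error(`No encrypted secrets found in ${redBright3(encryptedSecretsPath)}`);
+}
+if (!encryptedSecrets.encryptedParameters) {
+throw new Error(`Expected 'encryptedParameters' property, but got none`);
+}
+return encryptedSecrets;
+};
+
+// src/commands/defaultCommand.ts
 var command4 = "$0 <command>";
 var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
 var builder4 = {
@@ -536,6 +584,8 @@ var builder4 = {
 "ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
 "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
 "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
+"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
+"json-filter": commonCliOptions.jsonFilter,
 verbose: commonCliOptions.verbose,
 command: { string: true, required: true }
 };
@@ -545,21 +595,69 @@ var handleSec = async ({
 regionAndOrigin,
 awsKeyAlias
 }) => {
-const secSource =
+const secSource = path4.resolve(process.cwd(), secFile);
 if (!await fileExists(secSource)) {
-console.error(`Could not open ${
+console.error(`Could not open ${redBright4(secSource)}`);
 return;
 }
-const parsedSec = parse2(
+const parsedSec = parse2(fs4.readFileSync(secSource, { encoding: "utf8" }));
 const kmsClient = new KMSClient3({
 credentials: credentialsAndOrigin.value,
 region: regionAndOrigin.value
 });
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
 const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
 const decryptCommand = new DecryptCommand3({
 KeyId: awsKeyAlias,
 CiphertextBlob: Buffer.from(cipherText, "base64"),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
+});
+const decryptionResult = await kmsClient.send(decryptCommand);
+if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
+throw new Error(`No: ${JSON.stringify({
+key,
+cipherText,
+decryptCommand
+})}`);
+}
+const value = Buffer.from(decryptionResult.Plaintext).toString();
+return [key, value];
+}));
+const env = Object.fromEntries(envEntries);
+return env;
+};
+var handleEncryptedJson = async ({
+encryptedSecretsFile,
+jsonFilter,
+credentialsAndOrigin,
+regionAndOrigin,
+awsKeyAlias
+}) => {
+const encryptedSecrets = await loadEncryptedSecrets({
+encryptedSecretsFile
+});
+const flattened = flat2.flatten(encryptedSecrets.encryptedParameters, {
+delimiter: "__",
+transformKey: (key) => {
+return constantCase(key);
+}
+});
+const kmsClient = new KMSClient3({
+credentials: credentialsAndOrigin.value,
+region: regionAndOrigin.value
+});
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
+const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
+const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
+if (filterKey) {
+return key.indexOf(filterKey) === 0;
+}
+return true;
+}).map(async ([key, cipherText]) => {
+const decryptCommand = new DecryptCommand3({
+KeyId: awsKeyAlias,
+CiphertextBlob: Buffer.from(cipherText, "base64"),
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const decryptionResult = await kmsClient.send(decryptCommand);
 if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -581,7 +679,7 @@ var handler4 = async (argv) => {
 let awsEnv;
 try {
 if (argv.envFile) {
-env = parse2(
+env = parse2(fs4.readFileSync(argv.envFile, { encoding: "utf8" }));
 if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
 const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
 argv: __spreadValues({}, argv),
@@ -610,12 +708,22 @@ var handler4 = async (argv) => {
 if (argv.verbose) {
 console.log({ credentialsAndOrigin, regionAndOrigin });
 }
-
-
-
-
-
-
+if (argv.encryptedSecretsFile) {
+env = await handleEncryptedJson({
+encryptedSecretsFile: argv.encryptedSecretsFile,
+jsonFilter: argv.jsonFilter,
+credentialsAndOrigin,
+regionAndOrigin,
+awsKeyAlias: argv.awsKeyAlias
+});
+} else {
+env = await handleSec({
+secFile: argv.secFile,
+credentialsAndOrigin,
+regionAndOrigin,
+awsKeyAlias: argv.awsKeyAlias
+});
+}
 }
 } catch (e) {
 if (argv.ignoreMissingEnvFile !== true) {
@@ -643,18 +751,18 @@ __export(encryptEnvCommand_exports, {
 desc: () => desc5,
 handler: () => handler5
 });
-import
-import
+import fs5 from "node:fs";
+import path5 from "node:path";
+import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand } from "@aws-sdk/client-kms";
+import { redBright as redBright5 } from "chalk";
 import { parse as parse3 } from "dotenv";
-import fs4 from "node:fs";
-import path4 from "node:path";
 var command5 = "encrypt-env";
 var desc5 = "Encrypts a dotenv file";
 var builder5 = {
 "aws-profile": commonCliOptions.awsProfile,
 "aws-region": commonCliOptions.awsRegion,
 "aws-key-alias": commonCliOptions.awsKeyAlias,
-"env-file": commonCliOptions.envFile,
+"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
 "sec-file": commonCliOptions.secFile,
 "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
 verbose: commonCliOptions.verbose
@@ -666,12 +774,12 @@ var handler5 = async (argv) => {
 argv: __spreadValues({}, argv),
 env: __spreadValues({}, process.env)
 });
-const envSource =
+const envSource = path5.resolve(process.cwd(), argv.envFile);
 if (!await fileExists(envSource)) {
-error(`Could not open ${
+error(`Could not open ${redBright5(envSource)}`);
 return;
 }
-const parsedEnv = parse3(
+const parsedEnv = parse3(fs5.readFileSync(envSource, { encoding: "utf8" }));
 const kmsClient = getKMSClient({
 configuration: {
 credentials: credentialsAndOrigin.value,
@@ -679,9 +787,10 @@ var handler5 = async (argv) => {
 },
 verbose: argv.verbose
 });
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
 if (argv.verbose) {
 info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
-const describeKeyCommand = new
+const describeKeyCommand = new DescribeKeyCommand3({
 KeyId: argv.awsKeyAlias
 });
 const describeKeyResult = await kmsClient.send(describeKeyCommand);
@@ -691,7 +800,7 @@ var handler5 = async (argv) => {
 const encryptCommand = new EncryptCommand({
 KeyId: argv.awsKeyAlias,
 Plaintext: Buffer.from(value),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const encryptionResult = await kmsClient.send(encryptCommand);
 if (!encryptionResult.CiphertextBlob) {
@@ -707,7 +816,7 @@ var handler5 = async (argv) => {
 const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
 return `${key}="${cipherText}"`;
 }))).join("\n");
-
+fs5.writeFileSync(path5.resolve(process.cwd(), argv.secFile), sec);
 } catch (e) {
 error(e);
 }
@@ -721,11 +830,11 @@ __export(encryptSecretsJson_exports, {
 desc: () => desc6,
 handler: () => handler6
 });
-import
-import
-import { DescribeKeyCommand as
-import { redBright as
-import
+import fs6 from "node:fs";
+import path6 from "node:path";
+import { DescribeKeyCommand as DescribeKeyCommand4, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
+import { redBright as redBright6 } from "chalk";
+import flat3 from "flat";
 var command6 = "encrypt-secrets-json";
 var desc6 = "Encrypts an unencrypted file";
 var builder6 = {
@@ -753,16 +862,16 @@ var handler6 = async (argv) => {
 argv: __spreadValues({}, argv),
 env: __spreadValues({}, process.env)
 });
-const secretsPath =
+const secretsPath = path6.resolve(process.cwd(), argv.secretsFile);
 if (!await fileExists(secretsPath)) {
-error(`Could not open ${
+error(`Could not open ${redBright6(secretsPath)}`);
 return;
 }
-const secrets = JSON.parse(
+const secrets = JSON.parse(fs6.readFileSync(secretsPath, { encoding: "utf8" }));
 if (!secrets.parameters) {
 throw new Error(`Expected 'parameters' property, but got none`);
 }
-const flatParameters =
+const flatParameters = flat3(secrets.parameters, { delimiter: "/" });
 if (argv.verbose) {
 console.log(flatParameters);
 }
@@ -775,17 +884,18 @@ var handler6 = async (argv) => {
 });
 if (argv.verbose) {
 info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
-const describeKeyCommand = new
+const describeKeyCommand = new DescribeKeyCommand4({
 KeyId: argv.awsKeyAlias
 });
 const describeKeyResult = await kmsClient.send(describeKeyCommand);
 console.log("describeKeyResult", { describeKeyResult });
 }
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
 const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
 const encryptCommand = new EncryptCommand2({
 KeyId: argv.awsKeyAlias,
 Plaintext: Buffer.from(parameter),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const encryptionResult = await kmsClient.send(encryptCommand);
 if (!encryptionResult.CiphertextBlob) {
@@ -801,18 +911,18 @@ var handler6 = async (argv) => {
 const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
 return [parameterName, cipherText];
 })));
-const encryptedParameters =
+const encryptedParameters = flat3.unflatten(encryptedFlatParameters, { delimiter: "/" });
 const encryptedSecrets = {
 config: secrets.config,
 encryptedParameters
 };
-const encryptedSecretsPath =
+const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
 const overwriteResponse = await promptOverwriteIfFileExists({
 filePath: encryptedSecretsPath,
 skip: argv.yes
 });
 if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-
+fs6.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
 }
 } catch (e) {
 error(e);
@@ -827,12 +937,12 @@ __export(offloadToSSMCommand_exports, {
 desc: () => desc7,
 handler: () => handler7
 });
-import
+import fs7 from "node:fs";
+import path7 from "node:path";
+import { DecryptCommand as DecryptCommand4 } from "@aws-sdk/client-kms";
 import { PutParameterCommand } from "@aws-sdk/client-ssm";
-import { redBright as
-import
-import fs6 from "node:fs";
-import path6 from "node:path";
+import { redBright as redBright7 } from "chalk";
+import flat4 from "flat";
 var command7 = "offload-secrets-json-to-ssm";
 var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
 var builder7 = {
@@ -855,16 +965,16 @@ var handler7 = async (argv) => {
 argv: __spreadValues({}, argv),
 env: __spreadValues({}, process.env)
 });
-const encryptedSecretsPath =
+const encryptedSecretsPath = path7.resolve(process.cwd(), argv.encryptedSecretsFile);
 if (!await fileExists(encryptedSecretsPath)) {
-error(`Could not open ${
+error(`Could not open ${redBright7(encryptedSecretsPath)}`);
 return;
 }
-const encryptedSecrets = JSON.parse(
+const encryptedSecrets = JSON.parse(fs7.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
 if (!encryptedSecrets.encryptedParameters) {
 throw new Error(`Expected 'encryptedParameters' property, but got none`);
 }
-const flatEncryptedParameters =
+const flatEncryptedParameters = flat4(encryptedSecrets.encryptedParameters, { delimiter: "/" });
 const kmsClient = getKMSClient({
 configuration: {
 credentials: credentialsAndOrigin.value,
@@ -874,17 +984,13 @@ var handler7 = async (argv) => {
 });
 if (argv.verbose) {
 info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
-const describeKeyCommand = new DescribeKeyCommand4({
-KeyId: argv.awsKeyAlias
-});
-const describeKeyResult = await kmsClient.send(describeKeyCommand);
-console.log("describeKeyResult", { describeKeyResult });
 }
+const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
 const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
 const decryptCommand = new DecryptCommand4({
 KeyId: argv.awsKeyAlias,
 CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
-EncryptionAlgorithm:
+EncryptionAlgorithm: encryptionAlgorithm
 });
 const decryptionResult = await kmsClient.send(decryptCommand);
 if (!decryptionResult.Plaintext) {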