dotsec 0.10.0 → 0.10.1-alpha.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +314 -97
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +333 -113
- package/dist/esm/cli.js.map +3 -3
- package/dist/esm/index.js +6 -0
- package/dist/esm/index.js.map +3 -3
- package/dist/index.d.ts +13 -1
- package/dist/index.js +24 -0
- package/dist/index.js.map +3 -3
- package/package.json +6 -2
package/dist/esm/cli.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
var __defProp = Object.defineProperty;
|
|
2
|
+
var __defProps = Object.defineProperties;
|
|
3
|
+
var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
|
|
2
4
|
var __getOwnPropSymbols = Object.getOwnPropertySymbols;
|
|
3
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
4
6
|
var __propIsEnum = Object.prototype.propertyIsEnumerable;
|
|
@@ -14,6 +16,7 @@ var __spreadValues = (a, b) => {
|
|
|
14
16
|
}
|
|
15
17
|
return a;
|
|
16
18
|
};
|
|
19
|
+
var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
|
|
17
20
|
var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
|
|
18
21
|
var __export = (target, all) => {
|
|
19
22
|
__markAsModule(target);
|
|
@@ -47,7 +50,6 @@ var commonCliOptions = {
|
|
|
47
50
|
},
|
|
48
51
|
awsKeyAlias: {
|
|
49
52
|
string: true,
|
|
50
|
-
default: "alias/top-secret",
|
|
51
53
|
describe: "AWS KMS key alias"
|
|
52
54
|
},
|
|
53
55
|
awsKeyArn: {
|
|
@@ -60,8 +62,7 @@ var commonCliOptions = {
|
|
|
60
62
|
},
|
|
61
63
|
envFile: {
|
|
62
64
|
string: true,
|
|
63
|
-
describe: ".env file"
|
|
64
|
-
default: ".env"
|
|
65
|
+
describe: ".env file"
|
|
65
66
|
},
|
|
66
67
|
ignoreMissingEnvFile: {
|
|
67
68
|
boolean: true,
|
|
@@ -84,6 +85,14 @@ var commonCliOptions = {
|
|
|
84
85
|
boolean: true,
|
|
85
86
|
describe: "Be verbose"
|
|
86
87
|
},
|
|
88
|
+
encryptedSecretsFile: {
|
|
89
|
+
string: true,
|
|
90
|
+
describe: "filename of json file for reading encrypted secrets"
|
|
91
|
+
},
|
|
92
|
+
jsonFilter: {
|
|
93
|
+
string: true,
|
|
94
|
+
describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
|
|
95
|
+
},
|
|
87
96
|
yes: {
|
|
88
97
|
boolean: true,
|
|
89
98
|
describe: "Proceeds without confirmation"
|
|
@@ -310,11 +319,11 @@ __export(decryptSecCommand_exports, {
|
|
|
310
319
|
desc: () => desc2,
|
|
311
320
|
handler: () => handler2
|
|
312
321
|
});
|
|
313
|
-
import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
|
|
314
|
-
import { redBright } from "chalk";
|
|
315
|
-
import { parse } from "dotenv";
|
|
316
322
|
import fs from "node:fs";
|
|
317
323
|
import path from "node:path";
|
|
324
|
+
import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
|
|
325
|
+
import { redBright } from "chalk";
|
|
326
|
+
import { parse } from "dotenv";
|
|
318
327
|
|
|
319
328
|
// src/utils/io.ts
|
|
320
329
|
import { stat } from "fs/promises";
|
|
@@ -346,6 +355,30 @@ var promptOverwriteIfFileExists = async ({
|
|
|
346
355
|
return overwriteResponse;
|
|
347
356
|
};
|
|
348
357
|
|
|
358
|
+
// src/utils/kms.ts
|
|
359
|
+
import {
|
|
360
|
+
DescribeKeyCommand,
|
|
361
|
+
KMSClient
|
|
362
|
+
} from "@aws-sdk/client-kms";
|
|
363
|
+
var getKMSClient = ({
|
|
364
|
+
configuration
|
|
365
|
+
}) => {
|
|
366
|
+
const kmsClient = new KMSClient(configuration);
|
|
367
|
+
return kmsClient;
|
|
368
|
+
};
|
|
369
|
+
var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
|
|
370
|
+
var _a, _b;
|
|
371
|
+
const describeKeyCommand = new DescribeKeyCommand({
|
|
372
|
+
KeyId: awsKeyAlias
|
|
373
|
+
});
|
|
374
|
+
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
375
|
+
const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
|
|
376
|
+
if (encryptionAlgorithm === void 0) {
|
|
377
|
+
throw new Error(`Could not determine encryption algorithm`);
|
|
378
|
+
}
|
|
379
|
+
return encryptionAlgorithm;
|
|
380
|
+
};
|
|
381
|
+
|
|
349
382
|
// src/commands/decryptSecCommand.ts
|
|
350
383
|
var command2 = "decrypt-sec";
|
|
351
384
|
var desc2 = "Decrypts a dotsec file";
|
|
@@ -354,7 +387,7 @@ var builder2 = {
|
|
|
354
387
|
"aws-region": commonCliOptions.awsRegion,
|
|
355
388
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
356
389
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
357
|
-
"env-file": commonCliOptions.envFile,
|
|
390
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
|
|
358
391
|
"sec-file": commonCliOptions.secFile,
|
|
359
392
|
verbose: commonCliOptions.verbose
|
|
360
393
|
};
|
|
@@ -370,15 +403,16 @@ var handler2 = async (argv) => {
|
|
|
370
403
|
return;
|
|
371
404
|
}
|
|
372
405
|
const parsedSec = parse(fs.readFileSync(secSource, { encoding: "utf8" }));
|
|
373
|
-
const kmsClient = new
|
|
406
|
+
const kmsClient = new KMSClient2({
|
|
374
407
|
credentials: credentialsAndOrigin.value,
|
|
375
408
|
region: regionAndOrigin.value
|
|
376
409
|
});
|
|
410
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
377
411
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
378
412
|
const decryptCommand = new DecryptCommand({
|
|
379
413
|
KeyId: argv.awsKeyAlias,
|
|
380
414
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
381
|
-
EncryptionAlgorithm:
|
|
415
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
382
416
|
});
|
|
383
417
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
384
418
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -405,55 +439,117 @@ __export(decryptSecretsJson_exports, {
|
|
|
405
439
|
desc: () => desc3,
|
|
406
440
|
handler: () => handler3
|
|
407
441
|
});
|
|
408
|
-
import
|
|
442
|
+
import fs3 from "node:fs";
|
|
443
|
+
import path3 from "node:path";
|
|
444
|
+
import { DecryptCommand as DecryptCommand2, DescribeKeyCommand as DescribeKeyCommand2 } from "@aws-sdk/client-kms";
|
|
409
445
|
import { redBright as redBright2 } from "chalk";
|
|
410
446
|
import flat from "flat";
|
|
411
|
-
import fs2 from "node:fs";
|
|
412
|
-
import path2 from "node:path";
|
|
413
447
|
|
|
414
|
-
// src/
|
|
415
|
-
import
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
448
|
+
// src/lib/config.ts
|
|
449
|
+
import fs2 from "fs";
|
|
450
|
+
import path2 from "node:path";
|
|
451
|
+
import { bundleRequire } from "bundle-require";
|
|
452
|
+
import JoyCon from "joycon";
|
|
453
|
+
var defaultConfig = {
|
|
454
|
+
aws: {
|
|
455
|
+
keyAlias: "alias/top-secret"
|
|
456
|
+
}
|
|
457
|
+
};
|
|
458
|
+
function jsoncParse(data) {
|
|
459
|
+
try {
|
|
460
|
+
return new Function("return " + data.trim())();
|
|
461
|
+
} catch {
|
|
462
|
+
return {};
|
|
463
|
+
}
|
|
464
|
+
}
|
|
465
|
+
var loadJson = async (filepath) => {
|
|
466
|
+
try {
|
|
467
|
+
return jsoncParse(await fs2.promises.readFile(filepath, "utf8"));
|
|
468
|
+
} catch (error) {
|
|
469
|
+
if (error instanceof Error) {
|
|
470
|
+
throw new Error(`Failed to parse ${path2.relative(process.cwd(), filepath)}: ${error.message}`);
|
|
471
|
+
} else {
|
|
472
|
+
throw error;
|
|
473
|
+
}
|
|
474
|
+
}
|
|
475
|
+
};
|
|
476
|
+
var getConfig = async () => {
|
|
477
|
+
const cwd = process.cwd();
|
|
478
|
+
const configJoycon = new JoyCon();
|
|
479
|
+
const configPath = await configJoycon.resolve({
|
|
480
|
+
files: [
|
|
481
|
+
"dotsec.config.ts",
|
|
482
|
+
"dotsec.config.js",
|
|
483
|
+
"dotsec.config.cjs",
|
|
484
|
+
"dotsec.config.mjs",
|
|
485
|
+
"dotsec.config.json",
|
|
486
|
+
"package.json"
|
|
487
|
+
],
|
|
488
|
+
cwd,
|
|
489
|
+
stopDir: path2.parse(cwd).root,
|
|
490
|
+
packageKey: "dotsec"
|
|
491
|
+
});
|
|
492
|
+
if (configPath) {
|
|
493
|
+
if (configPath.endsWith(".json")) {
|
|
494
|
+
const rawData = await loadJson(configPath);
|
|
495
|
+
let data;
|
|
496
|
+
if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
|
|
497
|
+
data = rawData.dotsec;
|
|
498
|
+
} else {
|
|
499
|
+
data = rawData;
|
|
500
|
+
}
|
|
501
|
+
return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
|
|
502
|
+
aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
|
|
503
|
+
});
|
|
504
|
+
}
|
|
505
|
+
const config = await bundleRequire({
|
|
506
|
+
filepath: configPath
|
|
507
|
+
});
|
|
508
|
+
const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
|
|
509
|
+
return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
|
|
510
|
+
}
|
|
511
|
+
return __spreadValues({}, defaultConfig);
|
|
421
512
|
};
|
|
422
513
|
|
|
423
514
|
// src/commands/decryptSecretsJson.ts
|
|
424
515
|
var command3 = "decrypt-secrets-json";
|
|
425
516
|
var desc3 = "Derypts an encrypted file";
|
|
426
517
|
var builder3 = {
|
|
427
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
428
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
429
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
430
518
|
"secrets-file": {
|
|
431
519
|
string: true,
|
|
432
520
|
describe: "filename of json file writing secrets",
|
|
433
521
|
default: "secrets.json"
|
|
434
522
|
},
|
|
435
|
-
"encrypted-secrets-file": {
|
|
436
|
-
string: true,
|
|
437
|
-
describe: "filename of json file for reading encrypted secrets",
|
|
523
|
+
"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
|
|
438
524
|
default: "secrets.encrypted.json"
|
|
439
|
-
},
|
|
440
|
-
"
|
|
525
|
+
}),
|
|
526
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
527
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
528
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
529
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
530
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
441
531
|
verbose: commonCliOptions.verbose,
|
|
442
532
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
443
533
|
};
|
|
444
534
|
var handler3 = async (argv) => {
|
|
445
535
|
const { info, error } = getLogger();
|
|
536
|
+
const config = await getConfig();
|
|
446
537
|
try {
|
|
447
538
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
448
|
-
argv: __spreadValues({}, argv),
|
|
539
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
540
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
541
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
542
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
543
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
544
|
+
}),
|
|
449
545
|
env: __spreadValues({}, process.env)
|
|
450
546
|
});
|
|
451
|
-
const encryptedSecretsPath =
|
|
547
|
+
const encryptedSecretsPath = path3.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
452
548
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
453
549
|
error(`Could not open ${redBright2(encryptedSecretsPath)}`);
|
|
454
550
|
return;
|
|
455
551
|
}
|
|
456
|
-
const encryptedSecrets = JSON.parse(
|
|
552
|
+
const encryptedSecrets = JSON.parse(fs3.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
457
553
|
if (!encryptedSecrets.encryptedParameters) {
|
|
458
554
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
459
555
|
}
|
|
@@ -465,19 +561,21 @@ var handler3 = async (argv) => {
|
|
|
465
561
|
},
|
|
466
562
|
verbose: argv.verbose
|
|
467
563
|
});
|
|
564
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
468
565
|
if (argv.verbose) {
|
|
469
|
-
info(`Encrypting using key alias ${bold(
|
|
470
|
-
const describeKeyCommand = new
|
|
471
|
-
KeyId:
|
|
566
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
567
|
+
const describeKeyCommand = new DescribeKeyCommand2({
|
|
568
|
+
KeyId: awsKeyAlias
|
|
472
569
|
});
|
|
473
570
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
474
|
-
|
|
571
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
475
572
|
}
|
|
573
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
476
574
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
477
575
|
const decryptCommand = new DecryptCommand2({
|
|
478
576
|
KeyId: argv.awsKeyAlias,
|
|
479
577
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
480
|
-
EncryptionAlgorithm:
|
|
578
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
481
579
|
});
|
|
482
580
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
483
581
|
if (!decryptionResult.Plaintext) {
|
|
@@ -490,6 +588,13 @@ var handler3 = async (argv) => {
|
|
|
490
588
|
if (argv.verbose) {
|
|
491
589
|
info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
|
|
492
590
|
}
|
|
591
|
+
const plaintext = Buffer.from(decryptionResult.Plaintext).toString();
|
|
592
|
+
try {
|
|
593
|
+
const jsonObject = JSON.parse(plaintext);
|
|
594
|
+
return [parameterName, jsonObject];
|
|
595
|
+
} catch (e) {
|
|
596
|
+
console.log("NOPES", plaintext);
|
|
597
|
+
}
|
|
493
598
|
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
494
599
|
return [parameterName, value];
|
|
495
600
|
})));
|
|
@@ -498,13 +603,13 @@ var handler3 = async (argv) => {
|
|
|
498
603
|
config: encryptedSecrets.config,
|
|
499
604
|
parameters
|
|
500
605
|
};
|
|
501
|
-
const secretsPath =
|
|
606
|
+
const secretsPath = path3.resolve(process.cwd(), argv.secretsFile);
|
|
502
607
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
503
608
|
filePath: secretsPath,
|
|
504
609
|
skip: argv.yes
|
|
505
610
|
});
|
|
506
611
|
if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
|
|
507
|
-
|
|
612
|
+
fs3.writeFileSync(secretsPath, JSON.stringify(secrets, null, 4));
|
|
508
613
|
}
|
|
509
614
|
} catch (e) {
|
|
510
615
|
error(e);
|
|
@@ -519,12 +624,37 @@ __export(defaultCommand_exports, {
|
|
|
519
624
|
desc: () => desc4,
|
|
520
625
|
handler: () => handler4
|
|
521
626
|
});
|
|
522
|
-
import
|
|
523
|
-
import
|
|
627
|
+
import fs5 from "node:fs";
|
|
628
|
+
import path5 from "node:path";
|
|
524
629
|
import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
|
|
525
|
-
import { redBright as
|
|
630
|
+
import { redBright as redBright4 } from "chalk";
|
|
631
|
+
import { constantCase } from "constant-case";
|
|
526
632
|
import { spawn } from "cross-spawn";
|
|
527
633
|
import { parse as parse2 } from "dotenv";
|
|
634
|
+
import flat2 from "flat";
|
|
635
|
+
|
|
636
|
+
// src/lib/encryptedSecrets.ts
|
|
637
|
+
import fs4 from "fs";
|
|
638
|
+
import path4 from "path";
|
|
639
|
+
import { redBright as redBright3 } from "chalk";
|
|
640
|
+
var loadEncryptedSecrets = async ({
|
|
641
|
+
encryptedSecretsFile
|
|
642
|
+
}) => {
|
|
643
|
+
const encryptedSecretsPath = path4.resolve(process.cwd(), encryptedSecretsFile);
|
|
644
|
+
if (!await fileExists(encryptedSecretsPath)) {
|
|
645
|
+
throw new Error(`Could not open ${redBright3(encryptedSecretsPath)}`);
|
|
646
|
+
}
|
|
647
|
+
const encryptedSecrets = JSON.parse(fs4.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
648
|
+
if (!encryptedSecrets) {
|
|
649
|
+
throw new Error(`No encrypted secrets found in ${redBright3(encryptedSecretsPath)}`);
|
|
650
|
+
}
|
|
651
|
+
if (!encryptedSecrets.encryptedParameters) {
|
|
652
|
+
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
653
|
+
}
|
|
654
|
+
return encryptedSecrets;
|
|
655
|
+
};
|
|
656
|
+
|
|
657
|
+
// src/commands/defaultCommand.ts
|
|
528
658
|
var command4 = "$0 <command>";
|
|
529
659
|
var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
|
|
530
660
|
var builder4 = {
|
|
@@ -536,6 +666,8 @@ var builder4 = {
|
|
|
536
666
|
"ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
|
|
537
667
|
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
538
668
|
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
669
|
+
"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
|
|
670
|
+
"json-filter": commonCliOptions.jsonFilter,
|
|
539
671
|
verbose: commonCliOptions.verbose,
|
|
540
672
|
command: { string: true, required: true }
|
|
541
673
|
};
|
|
@@ -545,21 +677,69 @@ var handleSec = async ({
|
|
|
545
677
|
regionAndOrigin,
|
|
546
678
|
awsKeyAlias
|
|
547
679
|
}) => {
|
|
548
|
-
const secSource =
|
|
680
|
+
const secSource = path5.resolve(process.cwd(), secFile);
|
|
549
681
|
if (!await fileExists(secSource)) {
|
|
550
|
-
console.error(`Could not open ${
|
|
682
|
+
console.error(`Could not open ${redBright4(secSource)}`);
|
|
551
683
|
return;
|
|
552
684
|
}
|
|
553
|
-
const parsedSec = parse2(
|
|
685
|
+
const parsedSec = parse2(fs5.readFileSync(secSource, { encoding: "utf8" }));
|
|
554
686
|
const kmsClient = new KMSClient3({
|
|
555
687
|
credentials: credentialsAndOrigin.value,
|
|
556
688
|
region: regionAndOrigin.value
|
|
557
689
|
});
|
|
690
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
558
691
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
559
692
|
const decryptCommand = new DecryptCommand3({
|
|
560
693
|
KeyId: awsKeyAlias,
|
|
561
694
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
562
|
-
EncryptionAlgorithm:
|
|
695
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
696
|
+
});
|
|
697
|
+
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
698
|
+
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
699
|
+
throw new Error(`No: ${JSON.stringify({
|
|
700
|
+
key,
|
|
701
|
+
cipherText,
|
|
702
|
+
decryptCommand
|
|
703
|
+
})}`);
|
|
704
|
+
}
|
|
705
|
+
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
706
|
+
return [key, value];
|
|
707
|
+
}));
|
|
708
|
+
const env = Object.fromEntries(envEntries);
|
|
709
|
+
return env;
|
|
710
|
+
};
|
|
711
|
+
var handleEncryptedJson = async ({
|
|
712
|
+
encryptedSecretsFile,
|
|
713
|
+
jsonFilter,
|
|
714
|
+
credentialsAndOrigin,
|
|
715
|
+
regionAndOrigin,
|
|
716
|
+
awsKeyAlias
|
|
717
|
+
}) => {
|
|
718
|
+
const encryptedSecrets = await loadEncryptedSecrets({
|
|
719
|
+
encryptedSecretsFile
|
|
720
|
+
});
|
|
721
|
+
const flattened = flat2.flatten(encryptedSecrets.encryptedParameters, {
|
|
722
|
+
delimiter: "__",
|
|
723
|
+
transformKey: (key) => {
|
|
724
|
+
return constantCase(key);
|
|
725
|
+
}
|
|
726
|
+
});
|
|
727
|
+
const kmsClient = new KMSClient3({
|
|
728
|
+
credentials: credentialsAndOrigin.value,
|
|
729
|
+
region: regionAndOrigin.value
|
|
730
|
+
});
|
|
731
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
732
|
+
const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
|
|
733
|
+
const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
|
|
734
|
+
if (filterKey) {
|
|
735
|
+
return key.indexOf(filterKey) === 0;
|
|
736
|
+
}
|
|
737
|
+
return true;
|
|
738
|
+
}).map(async ([key, cipherText]) => {
|
|
739
|
+
const decryptCommand = new DecryptCommand3({
|
|
740
|
+
KeyId: awsKeyAlias,
|
|
741
|
+
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
742
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
563
743
|
});
|
|
564
744
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
565
745
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -576,16 +756,22 @@ var handleSec = async ({
|
|
|
576
756
|
return env;
|
|
577
757
|
};
|
|
578
758
|
var handler4 = async (argv) => {
|
|
759
|
+
const config = await getConfig();
|
|
579
760
|
try {
|
|
580
761
|
let env;
|
|
581
762
|
let awsEnv;
|
|
582
763
|
try {
|
|
583
764
|
if (argv.envFile) {
|
|
584
|
-
env = parse2(
|
|
765
|
+
env = parse2(fs5.readFileSync(argv.envFile, { encoding: "utf8" }));
|
|
585
766
|
if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
|
|
586
767
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
587
|
-
argv: __spreadValues({}, argv),
|
|
588
|
-
|
|
768
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
769
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
770
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
771
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
772
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
773
|
+
}),
|
|
774
|
+
env: __spreadValues({}, process.env)
|
|
589
775
|
});
|
|
590
776
|
awsEnv = {
|
|
591
777
|
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
@@ -597,8 +783,13 @@ var handler4 = async (argv) => {
|
|
|
597
783
|
}
|
|
598
784
|
} else {
|
|
599
785
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
600
|
-
argv: __spreadValues({}, argv),
|
|
601
|
-
|
|
786
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
787
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
788
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
789
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
790
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
791
|
+
}),
|
|
792
|
+
env: __spreadValues({}, process.env)
|
|
602
793
|
});
|
|
603
794
|
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
604
795
|
awsEnv = {
|
|
@@ -610,12 +801,23 @@ var handler4 = async (argv) => {
|
|
|
610
801
|
if (argv.verbose) {
|
|
611
802
|
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
612
803
|
}
|
|
613
|
-
|
|
614
|
-
|
|
615
|
-
|
|
616
|
-
|
|
617
|
-
|
|
618
|
-
|
|
804
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
805
|
+
if (argv.encryptedSecretsFile) {
|
|
806
|
+
env = await handleEncryptedJson({
|
|
807
|
+
encryptedSecretsFile: argv.encryptedSecretsFile,
|
|
808
|
+
jsonFilter: argv.jsonFilter,
|
|
809
|
+
credentialsAndOrigin,
|
|
810
|
+
regionAndOrigin,
|
|
811
|
+
awsKeyAlias
|
|
812
|
+
});
|
|
813
|
+
} else {
|
|
814
|
+
env = await handleSec({
|
|
815
|
+
secFile: argv.secFile,
|
|
816
|
+
credentialsAndOrigin,
|
|
817
|
+
regionAndOrigin,
|
|
818
|
+
awsKeyAlias
|
|
819
|
+
});
|
|
820
|
+
}
|
|
619
821
|
}
|
|
620
822
|
} catch (e) {
|
|
621
823
|
if (argv.ignoreMissingEnvFile !== true) {
|
|
@@ -643,18 +845,18 @@ __export(encryptEnvCommand_exports, {
|
|
|
643
845
|
desc: () => desc5,
|
|
644
846
|
handler: () => handler5
|
|
645
847
|
});
|
|
646
|
-
import
|
|
647
|
-
import
|
|
848
|
+
import fs6 from "node:fs";
|
|
849
|
+
import path6 from "node:path";
|
|
850
|
+
import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand } from "@aws-sdk/client-kms";
|
|
851
|
+
import { redBright as redBright5 } from "chalk";
|
|
648
852
|
import { parse as parse3 } from "dotenv";
|
|
649
|
-
import fs4 from "node:fs";
|
|
650
|
-
import path4 from "node:path";
|
|
651
853
|
var command5 = "encrypt-env";
|
|
652
854
|
var desc5 = "Encrypts a dotenv file";
|
|
653
855
|
var builder5 = {
|
|
654
856
|
"aws-profile": commonCliOptions.awsProfile,
|
|
655
857
|
"aws-region": commonCliOptions.awsRegion,
|
|
656
858
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
657
|
-
"env-file": commonCliOptions.envFile,
|
|
859
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
|
|
658
860
|
"sec-file": commonCliOptions.secFile,
|
|
659
861
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
660
862
|
verbose: commonCliOptions.verbose
|
|
@@ -666,12 +868,12 @@ var handler5 = async (argv) => {
|
|
|
666
868
|
argv: __spreadValues({}, argv),
|
|
667
869
|
env: __spreadValues({}, process.env)
|
|
668
870
|
});
|
|
669
|
-
const envSource =
|
|
871
|
+
const envSource = path6.resolve(process.cwd(), argv.envFile);
|
|
670
872
|
if (!await fileExists(envSource)) {
|
|
671
|
-
error(`Could not open ${
|
|
873
|
+
error(`Could not open ${redBright5(envSource)}`);
|
|
672
874
|
return;
|
|
673
875
|
}
|
|
674
|
-
const parsedEnv = parse3(
|
|
876
|
+
const parsedEnv = parse3(fs6.readFileSync(envSource, { encoding: "utf8" }));
|
|
675
877
|
const kmsClient = getKMSClient({
|
|
676
878
|
configuration: {
|
|
677
879
|
credentials: credentialsAndOrigin.value,
|
|
@@ -679,9 +881,10 @@ var handler5 = async (argv) => {
|
|
|
679
881
|
},
|
|
680
882
|
verbose: argv.verbose
|
|
681
883
|
});
|
|
884
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
682
885
|
if (argv.verbose) {
|
|
683
886
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
684
|
-
const describeKeyCommand = new
|
|
887
|
+
const describeKeyCommand = new DescribeKeyCommand3({
|
|
685
888
|
KeyId: argv.awsKeyAlias
|
|
686
889
|
});
|
|
687
890
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
@@ -691,7 +894,7 @@ var handler5 = async (argv) => {
|
|
|
691
894
|
const encryptCommand = new EncryptCommand({
|
|
692
895
|
KeyId: argv.awsKeyAlias,
|
|
693
896
|
Plaintext: Buffer.from(value),
|
|
694
|
-
EncryptionAlgorithm:
|
|
897
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
695
898
|
});
|
|
696
899
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
697
900
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -707,7 +910,7 @@ var handler5 = async (argv) => {
|
|
|
707
910
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
708
911
|
return `${key}="${cipherText}"`;
|
|
709
912
|
}))).join("\n");
|
|
710
|
-
|
|
913
|
+
fs6.writeFileSync(path6.resolve(process.cwd(), argv.secFile), sec);
|
|
711
914
|
} catch (e) {
|
|
712
915
|
error(e);
|
|
713
916
|
}
|
|
@@ -721,17 +924,14 @@ __export(encryptSecretsJson_exports, {
|
|
|
721
924
|
desc: () => desc6,
|
|
722
925
|
handler: () => handler6
|
|
723
926
|
});
|
|
724
|
-
import
|
|
725
|
-
import
|
|
726
|
-
import { DescribeKeyCommand as
|
|
727
|
-
import { redBright as
|
|
728
|
-
import
|
|
927
|
+
import fs7 from "node:fs";
|
|
928
|
+
import path7 from "node:path";
|
|
929
|
+
import { DescribeKeyCommand as DescribeKeyCommand4, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
|
|
930
|
+
import { redBright as redBright6 } from "chalk";
|
|
931
|
+
import flat3 from "flat";
|
|
729
932
|
var command6 = "encrypt-secrets-json";
|
|
730
933
|
var desc6 = "Encrypts an unencrypted file";
|
|
731
934
|
var builder6 = {
|
|
732
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
733
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
734
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
735
935
|
"secrets-file": {
|
|
736
936
|
string: true,
|
|
737
937
|
describe: "filename of json file reading secrets",
|
|
@@ -742,29 +942,39 @@ var builder6 = {
|
|
|
742
942
|
describe: "filename of json file for writing encrypted secrets",
|
|
743
943
|
default: "secrets.encrypted.json"
|
|
744
944
|
},
|
|
745
|
-
"
|
|
945
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
946
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
947
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
948
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
949
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
746
950
|
verbose: commonCliOptions.verbose,
|
|
747
951
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
748
952
|
};
|
|
749
953
|
var handler6 = async (argv) => {
|
|
954
|
+
const config = await getConfig();
|
|
750
955
|
const { info, error } = getLogger();
|
|
751
956
|
try {
|
|
752
957
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
753
|
-
argv: __spreadValues({}, argv),
|
|
958
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
959
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
960
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
961
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
962
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
963
|
+
}),
|
|
754
964
|
env: __spreadValues({}, process.env)
|
|
755
965
|
});
|
|
756
|
-
const secretsPath =
|
|
966
|
+
const secretsPath = path7.resolve(process.cwd(), argv.secretsFile);
|
|
757
967
|
if (!await fileExists(secretsPath)) {
|
|
758
|
-
error(`Could not open ${
|
|
968
|
+
error(`Could not open ${redBright6(secretsPath)}`);
|
|
759
969
|
return;
|
|
760
970
|
}
|
|
761
|
-
const secrets = JSON.parse(
|
|
971
|
+
const secrets = JSON.parse(fs7.readFileSync(secretsPath, { encoding: "utf8" }));
|
|
762
972
|
if (!secrets.parameters) {
|
|
763
973
|
throw new Error(`Expected 'parameters' property, but got none`);
|
|
764
974
|
}
|
|
765
|
-
const flatParameters =
|
|
975
|
+
const flatParameters = flat3(secrets.parameters, { delimiter: "/", maxDepth: config.maxDepth });
|
|
766
976
|
if (argv.verbose) {
|
|
767
|
-
|
|
977
|
+
info(flatParameters);
|
|
768
978
|
}
|
|
769
979
|
const kmsClient = getKMSClient({
|
|
770
980
|
configuration: {
|
|
@@ -773,19 +983,25 @@ var handler6 = async (argv) => {
|
|
|
773
983
|
},
|
|
774
984
|
verbose: argv.verbose
|
|
775
985
|
});
|
|
986
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
776
987
|
if (argv.verbose) {
|
|
777
|
-
info(`Encrypting using key alias ${bold(
|
|
778
|
-
const describeKeyCommand = new
|
|
779
|
-
KeyId:
|
|
988
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
989
|
+
const describeKeyCommand = new DescribeKeyCommand4({
|
|
990
|
+
KeyId: awsKeyAlias
|
|
780
991
|
});
|
|
781
992
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
782
|
-
|
|
993
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
783
994
|
}
|
|
995
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
784
996
|
const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
|
|
997
|
+
let parameterCopy = parameter;
|
|
998
|
+
if (typeof parameter !== "string" && typeof parameter !== "number" && typeof parameter !== "boolean") {
|
|
999
|
+
parameterCopy = JSON.stringify(parameter);
|
|
1000
|
+
}
|
|
785
1001
|
const encryptCommand = new EncryptCommand2({
|
|
786
|
-
KeyId:
|
|
787
|
-
Plaintext: Buffer.from(
|
|
788
|
-
EncryptionAlgorithm:
|
|
1002
|
+
KeyId: awsKeyAlias,
|
|
1003
|
+
Plaintext: Buffer.from(String(parameterCopy)),
|
|
1004
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
789
1005
|
});
|
|
790
1006
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
791
1007
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -801,18 +1017,18 @@ var handler6 = async (argv) => {
|
|
|
801
1017
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
802
1018
|
return [parameterName, cipherText];
|
|
803
1019
|
})));
|
|
804
|
-
const encryptedParameters =
|
|
1020
|
+
const encryptedParameters = flat3.unflatten(encryptedFlatParameters, { delimiter: "/" });
|
|
805
1021
|
const encryptedSecrets = {
|
|
806
1022
|
config: secrets.config,
|
|
807
1023
|
encryptedParameters
|
|
808
1024
|
};
|
|
809
|
-
const encryptedSecretsPath =
|
|
1025
|
+
const encryptedSecretsPath = path7.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
810
1026
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
811
1027
|
filePath: encryptedSecretsPath,
|
|
812
1028
|
skip: argv.yes
|
|
813
1029
|
});
|
|
814
1030
|
if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
|
|
815
|
-
|
|
1031
|
+
fs7.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
|
|
816
1032
|
}
|
|
817
1033
|
} catch (e) {
|
|
818
1034
|
error(e);
|
|
@@ -827,44 +1043,51 @@ __export(offloadToSSMCommand_exports, {
|
|
|
827
1043
|
desc: () => desc7,
|
|
828
1044
|
handler: () => handler7
|
|
829
1045
|
});
|
|
830
|
-
import
|
|
1046
|
+
import fs8 from "node:fs";
|
|
1047
|
+
import path8 from "node:path";
|
|
1048
|
+
import { DecryptCommand as DecryptCommand4 } from "@aws-sdk/client-kms";
|
|
831
1049
|
import { PutParameterCommand } from "@aws-sdk/client-ssm";
|
|
832
|
-
import { redBright as
|
|
833
|
-
import
|
|
834
|
-
import fs6 from "node:fs";
|
|
835
|
-
import path6 from "node:path";
|
|
1050
|
+
import { redBright as redBright7 } from "chalk";
|
|
1051
|
+
import flat4 from "flat";
|
|
836
1052
|
var command7 = "offload-secrets-json-to-ssm";
|
|
837
1053
|
var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
|
|
838
1054
|
var builder7 = {
|
|
839
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
840
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
841
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
842
1055
|
"encrypted-secrets-file": {
|
|
843
1056
|
string: true,
|
|
844
|
-
describe: "filename of json file for
|
|
1057
|
+
describe: "filename of json file for writing encrypted secrets",
|
|
845
1058
|
default: "secrets.encrypted.json"
|
|
846
1059
|
},
|
|
847
|
-
"
|
|
1060
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
1061
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
1062
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
1063
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
1064
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
848
1065
|
verbose: commonCliOptions.verbose,
|
|
849
1066
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
850
1067
|
};
|
|
851
1068
|
var handler7 = async (argv) => {
|
|
1069
|
+
const config = await getConfig();
|
|
852
1070
|
const { info, error } = getLogger();
|
|
853
1071
|
try {
|
|
854
1072
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
855
|
-
argv: __spreadValues({}, argv),
|
|
1073
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
1074
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
1075
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
1076
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
1077
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
1078
|
+
}),
|
|
856
1079
|
env: __spreadValues({}, process.env)
|
|
857
1080
|
});
|
|
858
|
-
const encryptedSecretsPath =
|
|
1081
|
+
const encryptedSecretsPath = path8.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
859
1082
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
860
|
-
error(`Could not open ${
|
|
1083
|
+
error(`Could not open ${redBright7(encryptedSecretsPath)}`);
|
|
861
1084
|
return;
|
|
862
1085
|
}
|
|
863
|
-
const encryptedSecrets = JSON.parse(
|
|
1086
|
+
const encryptedSecrets = JSON.parse(fs8.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
864
1087
|
if (!encryptedSecrets.encryptedParameters) {
|
|
865
1088
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
866
1089
|
}
|
|
867
|
-
const flatEncryptedParameters =
|
|
1090
|
+
const flatEncryptedParameters = flat4(encryptedSecrets.encryptedParameters, { delimiter: "/" });
|
|
868
1091
|
const kmsClient = getKMSClient({
|
|
869
1092
|
configuration: {
|
|
870
1093
|
credentials: credentialsAndOrigin.value,
|
|
@@ -872,19 +1095,16 @@ var handler7 = async (argv) => {
|
|
|
872
1095
|
},
|
|
873
1096
|
verbose: argv.verbose
|
|
874
1097
|
});
|
|
1098
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
875
1099
|
if (argv.verbose) {
|
|
876
|
-
info(`Encrypting using key alias ${bold(
|
|
877
|
-
const describeKeyCommand = new DescribeKeyCommand4({
|
|
878
|
-
KeyId: argv.awsKeyAlias
|
|
879
|
-
});
|
|
880
|
-
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
881
|
-
console.log("describeKeyResult", { describeKeyResult });
|
|
1100
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
882
1101
|
}
|
|
1102
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
883
1103
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
884
1104
|
const decryptCommand = new DecryptCommand4({
|
|
885
1105
|
KeyId: argv.awsKeyAlias,
|
|
886
1106
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
887
|
-
EncryptionAlgorithm:
|
|
1107
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
888
1108
|
});
|
|
889
1109
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
890
1110
|
if (!decryptionResult.Plaintext) {
|