dotsec 0.8.0 → 0.10.1-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/esm/cli.js CHANGED
@@ -1,4 +1,6 @@
1
1
  var __defProp = Object.defineProperty;
2
+ var __defProps = Object.defineProperties;
3
+ var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
2
4
  var __getOwnPropSymbols = Object.getOwnPropertySymbols;
3
5
  var __hasOwnProp = Object.prototype.hasOwnProperty;
4
6
  var __propIsEnum = Object.prototype.propertyIsEnumerable;
@@ -14,6 +16,7 @@ var __spreadValues = (a, b) => {
14
16
  }
15
17
  return a;
16
18
  };
19
+ var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
17
20
  var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
18
21
  var __export = (target, all) => {
19
22
  __markAsModule(target);
@@ -60,8 +63,7 @@ var commonCliOptions = {
60
63
  },
61
64
  envFile: {
62
65
  string: true,
63
- describe: ".env file",
64
- default: ".env"
66
+ describe: ".env file"
65
67
  },
66
68
  ignoreMissingEnvFile: {
67
69
  boolean: true,
@@ -84,6 +86,14 @@ var commonCliOptions = {
84
86
  boolean: true,
85
87
  describe: "Be verbose"
86
88
  },
89
+ encryptedSecretsFile: {
90
+ string: true,
91
+ describe: "filename of json file for reading encrypted secrets"
92
+ },
93
+ jsonFilter: {
94
+ string: true,
95
+ describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
96
+ },
87
97
  yes: {
88
98
  boolean: true,
89
99
  describe: "Proceeds without confirmation"
@@ -310,11 +320,11 @@ __export(decryptSecCommand_exports, {
310
320
  desc: () => desc2,
311
321
  handler: () => handler2
312
322
  });
313
- import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
314
- import { redBright } from "chalk";
315
- import { parse } from "dotenv";
316
323
  import fs from "node:fs";
317
324
  import path from "node:path";
325
+ import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
326
+ import { redBright } from "chalk";
327
+ import { parse } from "dotenv";
318
328
 
319
329
  // src/utils/io.ts
320
330
  import { stat } from "fs/promises";
@@ -346,6 +356,30 @@ var promptOverwriteIfFileExists = async ({
346
356
  return overwriteResponse;
347
357
  };
348
358
 
359
+ // src/utils/kms.ts
360
+ import {
361
+ DescribeKeyCommand,
362
+ KMSClient
363
+ } from "@aws-sdk/client-kms";
364
+ var getKMSClient = ({
365
+ configuration
366
+ }) => {
367
+ const kmsClient = new KMSClient(configuration);
368
+ return kmsClient;
369
+ };
370
+ var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
371
+ var _a, _b;
372
+ const describeKeyCommand = new DescribeKeyCommand({
373
+ KeyId: awsKeyAlias
374
+ });
375
+ const describeKeyResult = await kmsClient.send(describeKeyCommand);
376
+ const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
377
+ if (encryptionAlgorithm === void 0) {
378
+ throw new Error(`Could not determine encryption algorithm`);
379
+ }
380
+ return encryptionAlgorithm;
381
+ };
382
+
349
383
  // src/commands/decryptSecCommand.ts
350
384
  var command2 = "decrypt-sec";
351
385
  var desc2 = "Decrypts a dotsec file";
@@ -354,7 +388,7 @@ var builder2 = {
354
388
  "aws-region": commonCliOptions.awsRegion,
355
389
  "aws-key-alias": commonCliOptions.awsKeyAlias,
356
390
  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
357
- "env-file": commonCliOptions.envFile,
391
+ "env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
358
392
  "sec-file": commonCliOptions.secFile,
359
393
  verbose: commonCliOptions.verbose
360
394
  };
@@ -370,15 +404,16 @@ var handler2 = async (argv) => {
370
404
  return;
371
405
  }
372
406
  const parsedSec = parse(fs.readFileSync(secSource, { encoding: "utf8" }));
373
- const kmsClient = new KMSClient({
407
+ const kmsClient = new KMSClient2({
374
408
  credentials: credentialsAndOrigin.value,
375
409
  region: regionAndOrigin.value
376
410
  });
411
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
377
412
  const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
378
413
  const decryptCommand = new DecryptCommand({
379
414
  KeyId: argv.awsKeyAlias,
380
415
  CiphertextBlob: Buffer.from(cipherText, "base64"),
381
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
416
+ EncryptionAlgorithm: encryptionAlgorithm
382
417
  });
383
418
  const decryptionResult = await kmsClient.send(decryptCommand);
384
419
  if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -405,22 +440,11 @@ __export(decryptSecretsJson_exports, {
405
440
  desc: () => desc3,
406
441
  handler: () => handler3
407
442
  });
408
- import { DecryptCommand as DecryptCommand2, DescribeKeyCommand } from "@aws-sdk/client-kms";
409
- import { redBright as redBright2 } from "chalk";
410
- import flat from "flat";
411
443
  import fs2 from "node:fs";
412
444
  import path2 from "node:path";
413
-
414
- // src/utils/kms.ts
415
- import { KMSClient as KMSClient2 } from "@aws-sdk/client-kms";
416
- var getKMSClient = ({
417
- configuration
418
- }) => {
419
- const kmsClient = new KMSClient2(configuration);
420
- return kmsClient;
421
- };
422
-
423
- // src/commands/decryptSecretsJson.ts
445
+ import { DecryptCommand as DecryptCommand2, DescribeKeyCommand as DescribeKeyCommand2 } from "@aws-sdk/client-kms";
446
+ import { redBright as redBright2 } from "chalk";
447
+ import flat from "flat";
424
448
  var command3 = "decrypt-secrets-json";
425
449
  var desc3 = "Derypts an encrypted file";
426
450
  var builder3 = {
@@ -432,11 +456,9 @@ var builder3 = {
432
456
  describe: "filename of json file writing secrets",
433
457
  default: "secrets.json"
434
458
  },
435
- "encrypted-secrets-file": {
436
- string: true,
437
- describe: "filename of json file for reading encrypted secrets",
459
+ "encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
438
460
  default: "secrets.encrypted.json"
439
- },
461
+ }),
440
462
  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
441
463
  verbose: commonCliOptions.verbose,
442
464
  yes: __spreadValues({}, commonCliOptions.yes)
@@ -467,17 +489,18 @@ var handler3 = async (argv) => {
467
489
  });
468
490
  if (argv.verbose) {
469
491
  info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
470
- const describeKeyCommand = new DescribeKeyCommand({
492
+ const describeKeyCommand = new DescribeKeyCommand2({
471
493
  KeyId: argv.awsKeyAlias
472
494
  });
473
495
  const describeKeyResult = await kmsClient.send(describeKeyCommand);
474
496
  console.log("describeKeyResult", { describeKeyResult });
475
497
  }
498
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
476
499
  const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
477
500
  const decryptCommand = new DecryptCommand2({
478
501
  KeyId: argv.awsKeyAlias,
479
502
  CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
480
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
503
+ EncryptionAlgorithm: encryptionAlgorithm
481
504
  });
482
505
  const decryptionResult = await kmsClient.send(decryptCommand);
483
506
  if (!decryptionResult.Plaintext) {
@@ -519,12 +542,37 @@ __export(defaultCommand_exports, {
519
542
  desc: () => desc4,
520
543
  handler: () => handler4
521
544
  });
522
- import fs3 from "node:fs";
523
- import path3 from "node:path";
545
+ import fs4 from "node:fs";
546
+ import path4 from "node:path";
524
547
  import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
525
- import { redBright as redBright3 } from "chalk";
548
+ import { redBright as redBright4 } from "chalk";
549
+ import { constantCase } from "constant-case";
526
550
  import { spawn } from "cross-spawn";
527
551
  import { parse as parse2 } from "dotenv";
552
+ import flat2 from "flat";
553
+
554
+ // src/lib/encryptedSecrets.ts
555
+ import fs3 from "fs";
556
+ import path3 from "path";
557
+ import { redBright as redBright3 } from "chalk";
558
+ var loadEncryptedSecrets = async ({
559
+ encryptedSecretsFile
560
+ }) => {
561
+ const encryptedSecretsPath = path3.resolve(process.cwd(), encryptedSecretsFile);
562
+ if (!await fileExists(encryptedSecretsPath)) {
563
+ throw new Error(`Could not open ${redBright3(encryptedSecretsPath)}`);
564
+ }
565
+ const encryptedSecrets = JSON.parse(fs3.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
566
+ if (!encryptedSecrets) {
567
+ throw new Error(`No encrypted secrets found in ${redBright3(encryptedSecretsPath)}`);
568
+ }
569
+ if (!encryptedSecrets.encryptedParameters) {
570
+ throw new Error(`Expected 'encryptedParameters' property, but got none`);
571
+ }
572
+ return encryptedSecrets;
573
+ };
574
+
575
+ // src/commands/defaultCommand.ts
528
576
  var command4 = "$0 <command>";
529
577
  var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
530
578
  var builder4 = {
@@ -536,6 +584,8 @@ var builder4 = {
536
584
  "ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
537
585
  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
538
586
  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
587
+ "encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
588
+ "json-filter": commonCliOptions.jsonFilter,
539
589
  verbose: commonCliOptions.verbose,
540
590
  command: { string: true, required: true }
541
591
  };
@@ -545,21 +595,69 @@ var handleSec = async ({
545
595
  regionAndOrigin,
546
596
  awsKeyAlias
547
597
  }) => {
548
- const secSource = path3.resolve(process.cwd(), secFile);
598
+ const secSource = path4.resolve(process.cwd(), secFile);
549
599
  if (!await fileExists(secSource)) {
550
- console.error(`Could not open ${redBright3(secSource)}`);
600
+ console.error(`Could not open ${redBright4(secSource)}`);
551
601
  return;
552
602
  }
553
- const parsedSec = parse2(fs3.readFileSync(secSource, { encoding: "utf8" }));
603
+ const parsedSec = parse2(fs4.readFileSync(secSource, { encoding: "utf8" }));
554
604
  const kmsClient = new KMSClient3({
555
605
  credentials: credentialsAndOrigin.value,
556
606
  region: regionAndOrigin.value
557
607
  });
608
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
558
609
  const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
559
610
  const decryptCommand = new DecryptCommand3({
560
611
  KeyId: awsKeyAlias,
561
612
  CiphertextBlob: Buffer.from(cipherText, "base64"),
562
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
613
+ EncryptionAlgorithm: encryptionAlgorithm
614
+ });
615
+ const decryptionResult = await kmsClient.send(decryptCommand);
616
+ if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
617
+ throw new Error(`No: ${JSON.stringify({
618
+ key,
619
+ cipherText,
620
+ decryptCommand
621
+ })}`);
622
+ }
623
+ const value = Buffer.from(decryptionResult.Plaintext).toString();
624
+ return [key, value];
625
+ }));
626
+ const env = Object.fromEntries(envEntries);
627
+ return env;
628
+ };
629
+ var handleEncryptedJson = async ({
630
+ encryptedSecretsFile,
631
+ jsonFilter,
632
+ credentialsAndOrigin,
633
+ regionAndOrigin,
634
+ awsKeyAlias
635
+ }) => {
636
+ const encryptedSecrets = await loadEncryptedSecrets({
637
+ encryptedSecretsFile
638
+ });
639
+ const flattened = flat2.flatten(encryptedSecrets.encryptedParameters, {
640
+ delimiter: "__",
641
+ transformKey: (key) => {
642
+ return constantCase(key);
643
+ }
644
+ });
645
+ const kmsClient = new KMSClient3({
646
+ credentials: credentialsAndOrigin.value,
647
+ region: regionAndOrigin.value
648
+ });
649
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
650
+ const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
651
+ const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
652
+ if (filterKey) {
653
+ return key.indexOf(filterKey) === 0;
654
+ }
655
+ return true;
656
+ }).map(async ([key, cipherText]) => {
657
+ const decryptCommand = new DecryptCommand3({
658
+ KeyId: awsKeyAlias,
659
+ CiphertextBlob: Buffer.from(cipherText, "base64"),
660
+ EncryptionAlgorithm: encryptionAlgorithm
563
661
  });
564
662
  const decryptionResult = await kmsClient.send(decryptCommand);
565
663
  if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
@@ -578,38 +676,60 @@ var handleSec = async ({
578
676
  var handler4 = async (argv) => {
579
677
  try {
580
678
  let env;
679
+ let awsEnv;
581
680
  try {
582
681
  if (argv.envFile) {
583
- env = parse2(fs3.readFileSync(argv.envFile, { encoding: "utf8" }));
682
+ env = parse2(fs4.readFileSync(argv.envFile, { encoding: "utf8" }));
683
+ if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
684
+ const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
685
+ argv: __spreadValues({}, argv),
686
+ env: __spreadValues(__spreadValues({}, process.env), env)
687
+ });
688
+ awsEnv = {
689
+ AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
690
+ AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
691
+ };
692
+ if (credentialsAndOrigin.value.sessionToken) {
693
+ awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
694
+ }
695
+ }
696
+ } else {
697
+ const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
698
+ argv: __spreadValues({}, argv),
699
+ env: __spreadValues(__spreadValues({}, process.env), env)
700
+ });
701
+ if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
702
+ awsEnv = {
703
+ AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
704
+ AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
705
+ AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
706
+ };
707
+ }
708
+ if (argv.verbose) {
709
+ console.log({ credentialsAndOrigin, regionAndOrigin });
710
+ }
711
+ if (argv.encryptedSecretsFile) {
712
+ env = await handleEncryptedJson({
713
+ encryptedSecretsFile: argv.encryptedSecretsFile,
714
+ jsonFilter: argv.jsonFilter,
715
+ credentialsAndOrigin,
716
+ regionAndOrigin,
717
+ awsKeyAlias: argv.awsKeyAlias
718
+ });
719
+ } else {
720
+ env = await handleSec({
721
+ secFile: argv.secFile,
722
+ credentialsAndOrigin,
723
+ regionAndOrigin,
724
+ awsKeyAlias: argv.awsKeyAlias
725
+ });
726
+ }
584
727
  }
585
728
  } catch (e) {
586
729
  if (argv.ignoreMissingEnvFile !== true) {
587
730
  throw e;
588
731
  }
589
732
  }
590
- let awsEnv;
591
- const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
592
- argv: __spreadValues({}, argv),
593
- env: __spreadValues(__spreadValues({}, process.env), env)
594
- });
595
- if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
596
- awsEnv = {
597
- AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
598
- AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
599
- AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
600
- };
601
- }
602
- if (argv.verbose) {
603
- console.log({ credentialsAndOrigin, regionAndOrigin });
604
- }
605
- if (!argv.envFile && argv.secFile) {
606
- env = await handleSec({
607
- secFile: argv.secFile,
608
- credentialsAndOrigin,
609
- regionAndOrigin,
610
- awsKeyAlias: argv.awsKeyAlias
611
- });
612
- }
613
733
  const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
614
734
  if (argv.command) {
615
735
  spawn(argv.command, [...userCommandArgs], {
@@ -631,18 +751,18 @@ __export(encryptEnvCommand_exports, {
631
751
  desc: () => desc5,
632
752
  handler: () => handler5
633
753
  });
634
- import { DescribeKeyCommand as DescribeKeyCommand2, EncryptCommand } from "@aws-sdk/client-kms";
635
- import { redBright as redBright4 } from "chalk";
754
+ import fs5 from "node:fs";
755
+ import path5 from "node:path";
756
+ import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand } from "@aws-sdk/client-kms";
757
+ import { redBright as redBright5 } from "chalk";
636
758
  import { parse as parse3 } from "dotenv";
637
- import fs4 from "node:fs";
638
- import path4 from "node:path";
639
759
  var command5 = "encrypt-env";
640
760
  var desc5 = "Encrypts a dotenv file";
641
761
  var builder5 = {
642
762
  "aws-profile": commonCliOptions.awsProfile,
643
763
  "aws-region": commonCliOptions.awsRegion,
644
764
  "aws-key-alias": commonCliOptions.awsKeyAlias,
645
- "env-file": commonCliOptions.envFile,
765
+ "env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
646
766
  "sec-file": commonCliOptions.secFile,
647
767
  "assume-role-arn": commonCliOptions.awsAssumeRoleArn,
648
768
  verbose: commonCliOptions.verbose
@@ -654,12 +774,12 @@ var handler5 = async (argv) => {
654
774
  argv: __spreadValues({}, argv),
655
775
  env: __spreadValues({}, process.env)
656
776
  });
657
- const envSource = path4.resolve(process.cwd(), argv.envFile);
777
+ const envSource = path5.resolve(process.cwd(), argv.envFile);
658
778
  if (!await fileExists(envSource)) {
659
- error(`Could not open ${redBright4(envSource)}`);
779
+ error(`Could not open ${redBright5(envSource)}`);
660
780
  return;
661
781
  }
662
- const parsedEnv = parse3(fs4.readFileSync(envSource, { encoding: "utf8" }));
782
+ const parsedEnv = parse3(fs5.readFileSync(envSource, { encoding: "utf8" }));
663
783
  const kmsClient = getKMSClient({
664
784
  configuration: {
665
785
  credentials: credentialsAndOrigin.value,
@@ -667,9 +787,10 @@ var handler5 = async (argv) => {
667
787
  },
668
788
  verbose: argv.verbose
669
789
  });
790
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
670
791
  if (argv.verbose) {
671
792
  info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
672
- const describeKeyCommand = new DescribeKeyCommand2({
793
+ const describeKeyCommand = new DescribeKeyCommand3({
673
794
  KeyId: argv.awsKeyAlias
674
795
  });
675
796
  const describeKeyResult = await kmsClient.send(describeKeyCommand);
@@ -679,7 +800,7 @@ var handler5 = async (argv) => {
679
800
  const encryptCommand = new EncryptCommand({
680
801
  KeyId: argv.awsKeyAlias,
681
802
  Plaintext: Buffer.from(value),
682
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
803
+ EncryptionAlgorithm: encryptionAlgorithm
683
804
  });
684
805
  const encryptionResult = await kmsClient.send(encryptCommand);
685
806
  if (!encryptionResult.CiphertextBlob) {
@@ -695,7 +816,7 @@ var handler5 = async (argv) => {
695
816
  const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
696
817
  return `${key}="${cipherText}"`;
697
818
  }))).join("\n");
698
- fs4.writeFileSync(path4.resolve(process.cwd(), argv.secFile), sec);
819
+ fs5.writeFileSync(path5.resolve(process.cwd(), argv.secFile), sec);
699
820
  } catch (e) {
700
821
  error(e);
701
822
  }
@@ -709,11 +830,11 @@ __export(encryptSecretsJson_exports, {
709
830
  desc: () => desc6,
710
831
  handler: () => handler6
711
832
  });
712
- import fs5 from "node:fs";
713
- import path5 from "node:path";
714
- import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
715
- import { redBright as redBright5 } from "chalk";
716
- import flat2 from "flat";
833
+ import fs6 from "node:fs";
834
+ import path6 from "node:path";
835
+ import { DescribeKeyCommand as DescribeKeyCommand4, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
836
+ import { redBright as redBright6 } from "chalk";
837
+ import flat3 from "flat";
717
838
  var command6 = "encrypt-secrets-json";
718
839
  var desc6 = "Encrypts an unencrypted file";
719
840
  var builder6 = {
@@ -741,16 +862,16 @@ var handler6 = async (argv) => {
741
862
  argv: __spreadValues({}, argv),
742
863
  env: __spreadValues({}, process.env)
743
864
  });
744
- const secretsPath = path5.resolve(process.cwd(), argv.secretsFile);
865
+ const secretsPath = path6.resolve(process.cwd(), argv.secretsFile);
745
866
  if (!await fileExists(secretsPath)) {
746
- error(`Could not open ${redBright5(secretsPath)}`);
867
+ error(`Could not open ${redBright6(secretsPath)}`);
747
868
  return;
748
869
  }
749
- const secrets = JSON.parse(fs5.readFileSync(secretsPath, { encoding: "utf8" }));
870
+ const secrets = JSON.parse(fs6.readFileSync(secretsPath, { encoding: "utf8" }));
750
871
  if (!secrets.parameters) {
751
872
  throw new Error(`Expected 'parameters' property, but got none`);
752
873
  }
753
- const flatParameters = flat2(secrets.parameters, { delimiter: "/" });
874
+ const flatParameters = flat3(secrets.parameters, { delimiter: "/" });
754
875
  if (argv.verbose) {
755
876
  console.log(flatParameters);
756
877
  }
@@ -763,17 +884,18 @@ var handler6 = async (argv) => {
763
884
  });
764
885
  if (argv.verbose) {
765
886
  info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
766
- const describeKeyCommand = new DescribeKeyCommand3({
887
+ const describeKeyCommand = new DescribeKeyCommand4({
767
888
  KeyId: argv.awsKeyAlias
768
889
  });
769
890
  const describeKeyResult = await kmsClient.send(describeKeyCommand);
770
891
  console.log("describeKeyResult", { describeKeyResult });
771
892
  }
893
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
772
894
  const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
773
895
  const encryptCommand = new EncryptCommand2({
774
896
  KeyId: argv.awsKeyAlias,
775
897
  Plaintext: Buffer.from(parameter),
776
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
898
+ EncryptionAlgorithm: encryptionAlgorithm
777
899
  });
778
900
  const encryptionResult = await kmsClient.send(encryptCommand);
779
901
  if (!encryptionResult.CiphertextBlob) {
@@ -789,18 +911,18 @@ var handler6 = async (argv) => {
789
911
  const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
790
912
  return [parameterName, cipherText];
791
913
  })));
792
- const encryptedParameters = flat2.unflatten(encryptedFlatParameters, { delimiter: "/" });
914
+ const encryptedParameters = flat3.unflatten(encryptedFlatParameters, { delimiter: "/" });
793
915
  const encryptedSecrets = {
794
916
  config: secrets.config,
795
917
  encryptedParameters
796
918
  };
797
- const encryptedSecretsPath = path5.resolve(process.cwd(), argv.encryptedSecretsFile);
919
+ const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
798
920
  const overwriteResponse = await promptOverwriteIfFileExists({
799
921
  filePath: encryptedSecretsPath,
800
922
  skip: argv.yes
801
923
  });
802
924
  if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
803
- fs5.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
925
+ fs6.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
804
926
  }
805
927
  } catch (e) {
806
928
  error(e);
@@ -815,12 +937,12 @@ __export(offloadToSSMCommand_exports, {
815
937
  desc: () => desc7,
816
938
  handler: () => handler7
817
939
  });
818
- import { DecryptCommand as DecryptCommand4, DescribeKeyCommand as DescribeKeyCommand4 } from "@aws-sdk/client-kms";
940
+ import fs7 from "node:fs";
941
+ import path7 from "node:path";
942
+ import { DecryptCommand as DecryptCommand4 } from "@aws-sdk/client-kms";
819
943
  import { PutParameterCommand } from "@aws-sdk/client-ssm";
820
- import { redBright as redBright6 } from "chalk";
821
- import flat3 from "flat";
822
- import fs6 from "node:fs";
823
- import path6 from "node:path";
944
+ import { redBright as redBright7 } from "chalk";
945
+ import flat4 from "flat";
824
946
  var command7 = "offload-secrets-json-to-ssm";
825
947
  var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
826
948
  var builder7 = {
@@ -843,16 +965,16 @@ var handler7 = async (argv) => {
843
965
  argv: __spreadValues({}, argv),
844
966
  env: __spreadValues({}, process.env)
845
967
  });
846
- const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
968
+ const encryptedSecretsPath = path7.resolve(process.cwd(), argv.encryptedSecretsFile);
847
969
  if (!await fileExists(encryptedSecretsPath)) {
848
- error(`Could not open ${redBright6(encryptedSecretsPath)}`);
970
+ error(`Could not open ${redBright7(encryptedSecretsPath)}`);
849
971
  return;
850
972
  }
851
- const encryptedSecrets = JSON.parse(fs6.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
973
+ const encryptedSecrets = JSON.parse(fs7.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
852
974
  if (!encryptedSecrets.encryptedParameters) {
853
975
  throw new Error(`Expected 'encryptedParameters' property, but got none`);
854
976
  }
855
- const flatEncryptedParameters = flat3(encryptedSecrets.encryptedParameters, { delimiter: "/" });
977
+ const flatEncryptedParameters = flat4(encryptedSecrets.encryptedParameters, { delimiter: "/" });
856
978
  const kmsClient = getKMSClient({
857
979
  configuration: {
858
980
  credentials: credentialsAndOrigin.value,
@@ -862,17 +984,13 @@ var handler7 = async (argv) => {
862
984
  });
863
985
  if (argv.verbose) {
864
986
  info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
865
- const describeKeyCommand = new DescribeKeyCommand4({
866
- KeyId: argv.awsKeyAlias
867
- });
868
- const describeKeyResult = await kmsClient.send(describeKeyCommand);
869
- console.log("describeKeyResult", { describeKeyResult });
870
987
  }
988
+ const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
871
989
  const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
872
990
  const decryptCommand = new DecryptCommand4({
873
991
  KeyId: argv.awsKeyAlias,
874
992
  CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
875
- EncryptionAlgorithm: "RSAES_OAEP_SHA_256"
993
+ EncryptionAlgorithm: encryptionAlgorithm
876
994
  });
877
995
  const decryptionResult = await kmsClient.send(decryptCommand);
878
996
  if (!decryptionResult.Plaintext) {