dotsec 0.8.0 → 0.10.1-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +192 -77
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +217 -99
- package/dist/esm/cli.js.map +3 -3
- package/package.json +4 -2
package/dist/esm/cli.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
var __defProp = Object.defineProperty;
|
|
2
|
+
var __defProps = Object.defineProperties;
|
|
3
|
+
var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
|
|
2
4
|
var __getOwnPropSymbols = Object.getOwnPropertySymbols;
|
|
3
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
4
6
|
var __propIsEnum = Object.prototype.propertyIsEnumerable;
|
|
@@ -14,6 +16,7 @@ var __spreadValues = (a, b) => {
|
|
|
14
16
|
}
|
|
15
17
|
return a;
|
|
16
18
|
};
|
|
19
|
+
var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
|
|
17
20
|
var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
|
|
18
21
|
var __export = (target, all) => {
|
|
19
22
|
__markAsModule(target);
|
|
@@ -60,8 +63,7 @@ var commonCliOptions = {
|
|
|
60
63
|
},
|
|
61
64
|
envFile: {
|
|
62
65
|
string: true,
|
|
63
|
-
describe: ".env file"
|
|
64
|
-
default: ".env"
|
|
66
|
+
describe: ".env file"
|
|
65
67
|
},
|
|
66
68
|
ignoreMissingEnvFile: {
|
|
67
69
|
boolean: true,
|
|
@@ -84,6 +86,14 @@ var commonCliOptions = {
|
|
|
84
86
|
boolean: true,
|
|
85
87
|
describe: "Be verbose"
|
|
86
88
|
},
|
|
89
|
+
encryptedSecretsFile: {
|
|
90
|
+
string: true,
|
|
91
|
+
describe: "filename of json file for reading encrypted secrets"
|
|
92
|
+
},
|
|
93
|
+
jsonFilter: {
|
|
94
|
+
string: true,
|
|
95
|
+
describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
|
|
96
|
+
},
|
|
87
97
|
yes: {
|
|
88
98
|
boolean: true,
|
|
89
99
|
describe: "Proceeds without confirmation"
|
|
@@ -310,11 +320,11 @@ __export(decryptSecCommand_exports, {
|
|
|
310
320
|
desc: () => desc2,
|
|
311
321
|
handler: () => handler2
|
|
312
322
|
});
|
|
313
|
-
import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
|
|
314
|
-
import { redBright } from "chalk";
|
|
315
|
-
import { parse } from "dotenv";
|
|
316
323
|
import fs from "node:fs";
|
|
317
324
|
import path from "node:path";
|
|
325
|
+
import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
|
|
326
|
+
import { redBright } from "chalk";
|
|
327
|
+
import { parse } from "dotenv";
|
|
318
328
|
|
|
319
329
|
// src/utils/io.ts
|
|
320
330
|
import { stat } from "fs/promises";
|
|
@@ -346,6 +356,30 @@ var promptOverwriteIfFileExists = async ({
|
|
|
346
356
|
return overwriteResponse;
|
|
347
357
|
};
|
|
348
358
|
|
|
359
|
+
// src/utils/kms.ts
|
|
360
|
+
import {
|
|
361
|
+
DescribeKeyCommand,
|
|
362
|
+
KMSClient
|
|
363
|
+
} from "@aws-sdk/client-kms";
|
|
364
|
+
var getKMSClient = ({
|
|
365
|
+
configuration
|
|
366
|
+
}) => {
|
|
367
|
+
const kmsClient = new KMSClient(configuration);
|
|
368
|
+
return kmsClient;
|
|
369
|
+
};
|
|
370
|
+
var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
|
|
371
|
+
var _a, _b;
|
|
372
|
+
const describeKeyCommand = new DescribeKeyCommand({
|
|
373
|
+
KeyId: awsKeyAlias
|
|
374
|
+
});
|
|
375
|
+
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
376
|
+
const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
|
|
377
|
+
if (encryptionAlgorithm === void 0) {
|
|
378
|
+
throw new Error(`Could not determine encryption algorithm`);
|
|
379
|
+
}
|
|
380
|
+
return encryptionAlgorithm;
|
|
381
|
+
};
|
|
382
|
+
|
|
349
383
|
// src/commands/decryptSecCommand.ts
|
|
350
384
|
var command2 = "decrypt-sec";
|
|
351
385
|
var desc2 = "Decrypts a dotsec file";
|
|
@@ -354,7 +388,7 @@ var builder2 = {
|
|
|
354
388
|
"aws-region": commonCliOptions.awsRegion,
|
|
355
389
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
356
390
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
357
|
-
"env-file": commonCliOptions.envFile,
|
|
391
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
|
|
358
392
|
"sec-file": commonCliOptions.secFile,
|
|
359
393
|
verbose: commonCliOptions.verbose
|
|
360
394
|
};
|
|
@@ -370,15 +404,16 @@ var handler2 = async (argv) => {
|
|
|
370
404
|
return;
|
|
371
405
|
}
|
|
372
406
|
const parsedSec = parse(fs.readFileSync(secSource, { encoding: "utf8" }));
|
|
373
|
-
const kmsClient = new
|
|
407
|
+
const kmsClient = new KMSClient2({
|
|
374
408
|
credentials: credentialsAndOrigin.value,
|
|
375
409
|
region: regionAndOrigin.value
|
|
376
410
|
});
|
|
411
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
377
412
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
378
413
|
const decryptCommand = new DecryptCommand({
|
|
379
414
|
KeyId: argv.awsKeyAlias,
|
|
380
415
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
381
|
-
EncryptionAlgorithm:
|
|
416
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
382
417
|
});
|
|
383
418
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
384
419
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -405,22 +440,11 @@ __export(decryptSecretsJson_exports, {
|
|
|
405
440
|
desc: () => desc3,
|
|
406
441
|
handler: () => handler3
|
|
407
442
|
});
|
|
408
|
-
import { DecryptCommand as DecryptCommand2, DescribeKeyCommand } from "@aws-sdk/client-kms";
|
|
409
|
-
import { redBright as redBright2 } from "chalk";
|
|
410
|
-
import flat from "flat";
|
|
411
443
|
import fs2 from "node:fs";
|
|
412
444
|
import path2 from "node:path";
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
import
|
|
416
|
-
var getKMSClient = ({
|
|
417
|
-
configuration
|
|
418
|
-
}) => {
|
|
419
|
-
const kmsClient = new KMSClient2(configuration);
|
|
420
|
-
return kmsClient;
|
|
421
|
-
};
|
|
422
|
-
|
|
423
|
-
// src/commands/decryptSecretsJson.ts
|
|
445
|
+
import { DecryptCommand as DecryptCommand2, DescribeKeyCommand as DescribeKeyCommand2 } from "@aws-sdk/client-kms";
|
|
446
|
+
import { redBright as redBright2 } from "chalk";
|
|
447
|
+
import flat from "flat";
|
|
424
448
|
var command3 = "decrypt-secrets-json";
|
|
425
449
|
var desc3 = "Derypts an encrypted file";
|
|
426
450
|
var builder3 = {
|
|
@@ -432,11 +456,9 @@ var builder3 = {
|
|
|
432
456
|
describe: "filename of json file writing secrets",
|
|
433
457
|
default: "secrets.json"
|
|
434
458
|
},
|
|
435
|
-
"encrypted-secrets-file": {
|
|
436
|
-
string: true,
|
|
437
|
-
describe: "filename of json file for reading encrypted secrets",
|
|
459
|
+
"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
|
|
438
460
|
default: "secrets.encrypted.json"
|
|
439
|
-
},
|
|
461
|
+
}),
|
|
440
462
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
441
463
|
verbose: commonCliOptions.verbose,
|
|
442
464
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
@@ -467,17 +489,18 @@ var handler3 = async (argv) => {
|
|
|
467
489
|
});
|
|
468
490
|
if (argv.verbose) {
|
|
469
491
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
470
|
-
const describeKeyCommand = new
|
|
492
|
+
const describeKeyCommand = new DescribeKeyCommand2({
|
|
471
493
|
KeyId: argv.awsKeyAlias
|
|
472
494
|
});
|
|
473
495
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
474
496
|
console.log("describeKeyResult", { describeKeyResult });
|
|
475
497
|
}
|
|
498
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
476
499
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
477
500
|
const decryptCommand = new DecryptCommand2({
|
|
478
501
|
KeyId: argv.awsKeyAlias,
|
|
479
502
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
480
|
-
EncryptionAlgorithm:
|
|
503
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
481
504
|
});
|
|
482
505
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
483
506
|
if (!decryptionResult.Plaintext) {
|
|
@@ -519,12 +542,37 @@ __export(defaultCommand_exports, {
|
|
|
519
542
|
desc: () => desc4,
|
|
520
543
|
handler: () => handler4
|
|
521
544
|
});
|
|
522
|
-
import
|
|
523
|
-
import
|
|
545
|
+
import fs4 from "node:fs";
|
|
546
|
+
import path4 from "node:path";
|
|
524
547
|
import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
|
|
525
|
-
import { redBright as
|
|
548
|
+
import { redBright as redBright4 } from "chalk";
|
|
549
|
+
import { constantCase } from "constant-case";
|
|
526
550
|
import { spawn } from "cross-spawn";
|
|
527
551
|
import { parse as parse2 } from "dotenv";
|
|
552
|
+
import flat2 from "flat";
|
|
553
|
+
|
|
554
|
+
// src/lib/encryptedSecrets.ts
|
|
555
|
+
import fs3 from "fs";
|
|
556
|
+
import path3 from "path";
|
|
557
|
+
import { redBright as redBright3 } from "chalk";
|
|
558
|
+
var loadEncryptedSecrets = async ({
|
|
559
|
+
encryptedSecretsFile
|
|
560
|
+
}) => {
|
|
561
|
+
const encryptedSecretsPath = path3.resolve(process.cwd(), encryptedSecretsFile);
|
|
562
|
+
if (!await fileExists(encryptedSecretsPath)) {
|
|
563
|
+
throw new Error(`Could not open ${redBright3(encryptedSecretsPath)}`);
|
|
564
|
+
}
|
|
565
|
+
const encryptedSecrets = JSON.parse(fs3.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
566
|
+
if (!encryptedSecrets) {
|
|
567
|
+
throw new Error(`No encrypted secrets found in ${redBright3(encryptedSecretsPath)}`);
|
|
568
|
+
}
|
|
569
|
+
if (!encryptedSecrets.encryptedParameters) {
|
|
570
|
+
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
571
|
+
}
|
|
572
|
+
return encryptedSecrets;
|
|
573
|
+
};
|
|
574
|
+
|
|
575
|
+
// src/commands/defaultCommand.ts
|
|
528
576
|
var command4 = "$0 <command>";
|
|
529
577
|
var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
|
|
530
578
|
var builder4 = {
|
|
@@ -536,6 +584,8 @@ var builder4 = {
|
|
|
536
584
|
"ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
|
|
537
585
|
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
538
586
|
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
587
|
+
"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
|
|
588
|
+
"json-filter": commonCliOptions.jsonFilter,
|
|
539
589
|
verbose: commonCliOptions.verbose,
|
|
540
590
|
command: { string: true, required: true }
|
|
541
591
|
};
|
|
@@ -545,21 +595,69 @@ var handleSec = async ({
|
|
|
545
595
|
regionAndOrigin,
|
|
546
596
|
awsKeyAlias
|
|
547
597
|
}) => {
|
|
548
|
-
const secSource =
|
|
598
|
+
const secSource = path4.resolve(process.cwd(), secFile);
|
|
549
599
|
if (!await fileExists(secSource)) {
|
|
550
|
-
console.error(`Could not open ${
|
|
600
|
+
console.error(`Could not open ${redBright4(secSource)}`);
|
|
551
601
|
return;
|
|
552
602
|
}
|
|
553
|
-
const parsedSec = parse2(
|
|
603
|
+
const parsedSec = parse2(fs4.readFileSync(secSource, { encoding: "utf8" }));
|
|
554
604
|
const kmsClient = new KMSClient3({
|
|
555
605
|
credentials: credentialsAndOrigin.value,
|
|
556
606
|
region: regionAndOrigin.value
|
|
557
607
|
});
|
|
608
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
558
609
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
559
610
|
const decryptCommand = new DecryptCommand3({
|
|
560
611
|
KeyId: awsKeyAlias,
|
|
561
612
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
562
|
-
EncryptionAlgorithm:
|
|
613
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
614
|
+
});
|
|
615
|
+
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
616
|
+
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
617
|
+
throw new Error(`No: ${JSON.stringify({
|
|
618
|
+
key,
|
|
619
|
+
cipherText,
|
|
620
|
+
decryptCommand
|
|
621
|
+
})}`);
|
|
622
|
+
}
|
|
623
|
+
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
624
|
+
return [key, value];
|
|
625
|
+
}));
|
|
626
|
+
const env = Object.fromEntries(envEntries);
|
|
627
|
+
return env;
|
|
628
|
+
};
|
|
629
|
+
var handleEncryptedJson = async ({
|
|
630
|
+
encryptedSecretsFile,
|
|
631
|
+
jsonFilter,
|
|
632
|
+
credentialsAndOrigin,
|
|
633
|
+
regionAndOrigin,
|
|
634
|
+
awsKeyAlias
|
|
635
|
+
}) => {
|
|
636
|
+
const encryptedSecrets = await loadEncryptedSecrets({
|
|
637
|
+
encryptedSecretsFile
|
|
638
|
+
});
|
|
639
|
+
const flattened = flat2.flatten(encryptedSecrets.encryptedParameters, {
|
|
640
|
+
delimiter: "__",
|
|
641
|
+
transformKey: (key) => {
|
|
642
|
+
return constantCase(key);
|
|
643
|
+
}
|
|
644
|
+
});
|
|
645
|
+
const kmsClient = new KMSClient3({
|
|
646
|
+
credentials: credentialsAndOrigin.value,
|
|
647
|
+
region: regionAndOrigin.value
|
|
648
|
+
});
|
|
649
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
650
|
+
const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
|
|
651
|
+
const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
|
|
652
|
+
if (filterKey) {
|
|
653
|
+
return key.indexOf(filterKey) === 0;
|
|
654
|
+
}
|
|
655
|
+
return true;
|
|
656
|
+
}).map(async ([key, cipherText]) => {
|
|
657
|
+
const decryptCommand = new DecryptCommand3({
|
|
658
|
+
KeyId: awsKeyAlias,
|
|
659
|
+
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
660
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
563
661
|
});
|
|
564
662
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
565
663
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -578,38 +676,60 @@ var handleSec = async ({
|
|
|
578
676
|
var handler4 = async (argv) => {
|
|
579
677
|
try {
|
|
580
678
|
let env;
|
|
679
|
+
let awsEnv;
|
|
581
680
|
try {
|
|
582
681
|
if (argv.envFile) {
|
|
583
|
-
env = parse2(
|
|
682
|
+
env = parse2(fs4.readFileSync(argv.envFile, { encoding: "utf8" }));
|
|
683
|
+
if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
|
|
684
|
+
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
685
|
+
argv: __spreadValues({}, argv),
|
|
686
|
+
env: __spreadValues(__spreadValues({}, process.env), env)
|
|
687
|
+
});
|
|
688
|
+
awsEnv = {
|
|
689
|
+
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
690
|
+
AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
|
|
691
|
+
};
|
|
692
|
+
if (credentialsAndOrigin.value.sessionToken) {
|
|
693
|
+
awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
|
|
694
|
+
}
|
|
695
|
+
}
|
|
696
|
+
} else {
|
|
697
|
+
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
698
|
+
argv: __spreadValues({}, argv),
|
|
699
|
+
env: __spreadValues(__spreadValues({}, process.env), env)
|
|
700
|
+
});
|
|
701
|
+
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
702
|
+
awsEnv = {
|
|
703
|
+
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
704
|
+
AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
|
|
705
|
+
AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
|
|
706
|
+
};
|
|
707
|
+
}
|
|
708
|
+
if (argv.verbose) {
|
|
709
|
+
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
710
|
+
}
|
|
711
|
+
if (argv.encryptedSecretsFile) {
|
|
712
|
+
env = await handleEncryptedJson({
|
|
713
|
+
encryptedSecretsFile: argv.encryptedSecretsFile,
|
|
714
|
+
jsonFilter: argv.jsonFilter,
|
|
715
|
+
credentialsAndOrigin,
|
|
716
|
+
regionAndOrigin,
|
|
717
|
+
awsKeyAlias: argv.awsKeyAlias
|
|
718
|
+
});
|
|
719
|
+
} else {
|
|
720
|
+
env = await handleSec({
|
|
721
|
+
secFile: argv.secFile,
|
|
722
|
+
credentialsAndOrigin,
|
|
723
|
+
regionAndOrigin,
|
|
724
|
+
awsKeyAlias: argv.awsKeyAlias
|
|
725
|
+
});
|
|
726
|
+
}
|
|
584
727
|
}
|
|
585
728
|
} catch (e) {
|
|
586
729
|
if (argv.ignoreMissingEnvFile !== true) {
|
|
587
730
|
throw e;
|
|
588
731
|
}
|
|
589
732
|
}
|
|
590
|
-
let awsEnv;
|
|
591
|
-
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
592
|
-
argv: __spreadValues({}, argv),
|
|
593
|
-
env: __spreadValues(__spreadValues({}, process.env), env)
|
|
594
|
-
});
|
|
595
|
-
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
596
|
-
awsEnv = {
|
|
597
|
-
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
598
|
-
AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
|
|
599
|
-
AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
|
|
600
|
-
};
|
|
601
|
-
}
|
|
602
|
-
if (argv.verbose) {
|
|
603
|
-
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
604
|
-
}
|
|
605
|
-
if (!argv.envFile && argv.secFile) {
|
|
606
|
-
env = await handleSec({
|
|
607
|
-
secFile: argv.secFile,
|
|
608
|
-
credentialsAndOrigin,
|
|
609
|
-
regionAndOrigin,
|
|
610
|
-
awsKeyAlias: argv.awsKeyAlias
|
|
611
|
-
});
|
|
612
|
-
}
|
|
613
733
|
const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
|
|
614
734
|
if (argv.command) {
|
|
615
735
|
spawn(argv.command, [...userCommandArgs], {
|
|
@@ -631,18 +751,18 @@ __export(encryptEnvCommand_exports, {
|
|
|
631
751
|
desc: () => desc5,
|
|
632
752
|
handler: () => handler5
|
|
633
753
|
});
|
|
634
|
-
import
|
|
635
|
-
import
|
|
754
|
+
import fs5 from "node:fs";
|
|
755
|
+
import path5 from "node:path";
|
|
756
|
+
import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand } from "@aws-sdk/client-kms";
|
|
757
|
+
import { redBright as redBright5 } from "chalk";
|
|
636
758
|
import { parse as parse3 } from "dotenv";
|
|
637
|
-
import fs4 from "node:fs";
|
|
638
|
-
import path4 from "node:path";
|
|
639
759
|
var command5 = "encrypt-env";
|
|
640
760
|
var desc5 = "Encrypts a dotenv file";
|
|
641
761
|
var builder5 = {
|
|
642
762
|
"aws-profile": commonCliOptions.awsProfile,
|
|
643
763
|
"aws-region": commonCliOptions.awsRegion,
|
|
644
764
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
645
|
-
"env-file": commonCliOptions.envFile,
|
|
765
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
|
|
646
766
|
"sec-file": commonCliOptions.secFile,
|
|
647
767
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
648
768
|
verbose: commonCliOptions.verbose
|
|
@@ -654,12 +774,12 @@ var handler5 = async (argv) => {
|
|
|
654
774
|
argv: __spreadValues({}, argv),
|
|
655
775
|
env: __spreadValues({}, process.env)
|
|
656
776
|
});
|
|
657
|
-
const envSource =
|
|
777
|
+
const envSource = path5.resolve(process.cwd(), argv.envFile);
|
|
658
778
|
if (!await fileExists(envSource)) {
|
|
659
|
-
error(`Could not open ${
|
|
779
|
+
error(`Could not open ${redBright5(envSource)}`);
|
|
660
780
|
return;
|
|
661
781
|
}
|
|
662
|
-
const parsedEnv = parse3(
|
|
782
|
+
const parsedEnv = parse3(fs5.readFileSync(envSource, { encoding: "utf8" }));
|
|
663
783
|
const kmsClient = getKMSClient({
|
|
664
784
|
configuration: {
|
|
665
785
|
credentials: credentialsAndOrigin.value,
|
|
@@ -667,9 +787,10 @@ var handler5 = async (argv) => {
|
|
|
667
787
|
},
|
|
668
788
|
verbose: argv.verbose
|
|
669
789
|
});
|
|
790
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
670
791
|
if (argv.verbose) {
|
|
671
792
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
672
|
-
const describeKeyCommand = new
|
|
793
|
+
const describeKeyCommand = new DescribeKeyCommand3({
|
|
673
794
|
KeyId: argv.awsKeyAlias
|
|
674
795
|
});
|
|
675
796
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
@@ -679,7 +800,7 @@ var handler5 = async (argv) => {
|
|
|
679
800
|
const encryptCommand = new EncryptCommand({
|
|
680
801
|
KeyId: argv.awsKeyAlias,
|
|
681
802
|
Plaintext: Buffer.from(value),
|
|
682
|
-
EncryptionAlgorithm:
|
|
803
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
683
804
|
});
|
|
684
805
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
685
806
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -695,7 +816,7 @@ var handler5 = async (argv) => {
|
|
|
695
816
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
696
817
|
return `${key}="${cipherText}"`;
|
|
697
818
|
}))).join("\n");
|
|
698
|
-
|
|
819
|
+
fs5.writeFileSync(path5.resolve(process.cwd(), argv.secFile), sec);
|
|
699
820
|
} catch (e) {
|
|
700
821
|
error(e);
|
|
701
822
|
}
|
|
@@ -709,11 +830,11 @@ __export(encryptSecretsJson_exports, {
|
|
|
709
830
|
desc: () => desc6,
|
|
710
831
|
handler: () => handler6
|
|
711
832
|
});
|
|
712
|
-
import
|
|
713
|
-
import
|
|
714
|
-
import { DescribeKeyCommand as
|
|
715
|
-
import { redBright as
|
|
716
|
-
import
|
|
833
|
+
import fs6 from "node:fs";
|
|
834
|
+
import path6 from "node:path";
|
|
835
|
+
import { DescribeKeyCommand as DescribeKeyCommand4, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
|
|
836
|
+
import { redBright as redBright6 } from "chalk";
|
|
837
|
+
import flat3 from "flat";
|
|
717
838
|
var command6 = "encrypt-secrets-json";
|
|
718
839
|
var desc6 = "Encrypts an unencrypted file";
|
|
719
840
|
var builder6 = {
|
|
@@ -741,16 +862,16 @@ var handler6 = async (argv) => {
|
|
|
741
862
|
argv: __spreadValues({}, argv),
|
|
742
863
|
env: __spreadValues({}, process.env)
|
|
743
864
|
});
|
|
744
|
-
const secretsPath =
|
|
865
|
+
const secretsPath = path6.resolve(process.cwd(), argv.secretsFile);
|
|
745
866
|
if (!await fileExists(secretsPath)) {
|
|
746
|
-
error(`Could not open ${
|
|
867
|
+
error(`Could not open ${redBright6(secretsPath)}`);
|
|
747
868
|
return;
|
|
748
869
|
}
|
|
749
|
-
const secrets = JSON.parse(
|
|
870
|
+
const secrets = JSON.parse(fs6.readFileSync(secretsPath, { encoding: "utf8" }));
|
|
750
871
|
if (!secrets.parameters) {
|
|
751
872
|
throw new Error(`Expected 'parameters' property, but got none`);
|
|
752
873
|
}
|
|
753
|
-
const flatParameters =
|
|
874
|
+
const flatParameters = flat3(secrets.parameters, { delimiter: "/" });
|
|
754
875
|
if (argv.verbose) {
|
|
755
876
|
console.log(flatParameters);
|
|
756
877
|
}
|
|
@@ -763,17 +884,18 @@ var handler6 = async (argv) => {
|
|
|
763
884
|
});
|
|
764
885
|
if (argv.verbose) {
|
|
765
886
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
766
|
-
const describeKeyCommand = new
|
|
887
|
+
const describeKeyCommand = new DescribeKeyCommand4({
|
|
767
888
|
KeyId: argv.awsKeyAlias
|
|
768
889
|
});
|
|
769
890
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
770
891
|
console.log("describeKeyResult", { describeKeyResult });
|
|
771
892
|
}
|
|
893
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
772
894
|
const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
|
|
773
895
|
const encryptCommand = new EncryptCommand2({
|
|
774
896
|
KeyId: argv.awsKeyAlias,
|
|
775
897
|
Plaintext: Buffer.from(parameter),
|
|
776
|
-
EncryptionAlgorithm:
|
|
898
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
777
899
|
});
|
|
778
900
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
779
901
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -789,18 +911,18 @@ var handler6 = async (argv) => {
|
|
|
789
911
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
790
912
|
return [parameterName, cipherText];
|
|
791
913
|
})));
|
|
792
|
-
const encryptedParameters =
|
|
914
|
+
const encryptedParameters = flat3.unflatten(encryptedFlatParameters, { delimiter: "/" });
|
|
793
915
|
const encryptedSecrets = {
|
|
794
916
|
config: secrets.config,
|
|
795
917
|
encryptedParameters
|
|
796
918
|
};
|
|
797
|
-
const encryptedSecretsPath =
|
|
919
|
+
const encryptedSecretsPath = path6.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
798
920
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
799
921
|
filePath: encryptedSecretsPath,
|
|
800
922
|
skip: argv.yes
|
|
801
923
|
});
|
|
802
924
|
if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
|
|
803
|
-
|
|
925
|
+
fs6.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
|
|
804
926
|
}
|
|
805
927
|
} catch (e) {
|
|
806
928
|
error(e);
|
|
@@ -815,12 +937,12 @@ __export(offloadToSSMCommand_exports, {
|
|
|
815
937
|
desc: () => desc7,
|
|
816
938
|
handler: () => handler7
|
|
817
939
|
});
|
|
818
|
-
import
|
|
940
|
+
import fs7 from "node:fs";
|
|
941
|
+
import path7 from "node:path";
|
|
942
|
+
import { DecryptCommand as DecryptCommand4 } from "@aws-sdk/client-kms";
|
|
819
943
|
import { PutParameterCommand } from "@aws-sdk/client-ssm";
|
|
820
|
-
import { redBright as
|
|
821
|
-
import
|
|
822
|
-
import fs6 from "node:fs";
|
|
823
|
-
import path6 from "node:path";
|
|
944
|
+
import { redBright as redBright7 } from "chalk";
|
|
945
|
+
import flat4 from "flat";
|
|
824
946
|
var command7 = "offload-secrets-json-to-ssm";
|
|
825
947
|
var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
|
|
826
948
|
var builder7 = {
|
|
@@ -843,16 +965,16 @@ var handler7 = async (argv) => {
|
|
|
843
965
|
argv: __spreadValues({}, argv),
|
|
844
966
|
env: __spreadValues({}, process.env)
|
|
845
967
|
});
|
|
846
|
-
const encryptedSecretsPath =
|
|
968
|
+
const encryptedSecretsPath = path7.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
847
969
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
848
|
-
error(`Could not open ${
|
|
970
|
+
error(`Could not open ${redBright7(encryptedSecretsPath)}`);
|
|
849
971
|
return;
|
|
850
972
|
}
|
|
851
|
-
const encryptedSecrets = JSON.parse(
|
|
973
|
+
const encryptedSecrets = JSON.parse(fs7.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
852
974
|
if (!encryptedSecrets.encryptedParameters) {
|
|
853
975
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
854
976
|
}
|
|
855
|
-
const flatEncryptedParameters =
|
|
977
|
+
const flatEncryptedParameters = flat4(encryptedSecrets.encryptedParameters, { delimiter: "/" });
|
|
856
978
|
const kmsClient = getKMSClient({
|
|
857
979
|
configuration: {
|
|
858
980
|
credentials: credentialsAndOrigin.value,
|
|
@@ -862,17 +984,13 @@ var handler7 = async (argv) => {
|
|
|
862
984
|
});
|
|
863
985
|
if (argv.verbose) {
|
|
864
986
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
865
|
-
const describeKeyCommand = new DescribeKeyCommand4({
|
|
866
|
-
KeyId: argv.awsKeyAlias
|
|
867
|
-
});
|
|
868
|
-
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
869
|
-
console.log("describeKeyResult", { describeKeyResult });
|
|
870
987
|
}
|
|
988
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
871
989
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
872
990
|
const decryptCommand = new DecryptCommand4({
|
|
873
991
|
KeyId: argv.awsKeyAlias,
|
|
874
992
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
875
|
-
EncryptionAlgorithm:
|
|
993
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
876
994
|
});
|
|
877
995
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
878
996
|
if (!decryptionResult.Plaintext) {
|