dotsec 0.9.0 → 0.10.1-alpha.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli.js +325 -95
- package/dist/cli.js.map +3 -3
- package/dist/esm/cli.js +344 -111
- package/dist/esm/cli.js.map +3 -3
- package/package.json +6 -2
package/dist/esm/cli.js
CHANGED
|
@@ -1,4 +1,6 @@
|
|
|
1
1
|
var __defProp = Object.defineProperty;
|
|
2
|
+
var __defProps = Object.defineProperties;
|
|
3
|
+
var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
|
|
2
4
|
var __getOwnPropSymbols = Object.getOwnPropertySymbols;
|
|
3
5
|
var __hasOwnProp = Object.prototype.hasOwnProperty;
|
|
4
6
|
var __propIsEnum = Object.prototype.propertyIsEnumerable;
|
|
@@ -14,6 +16,7 @@ var __spreadValues = (a, b) => {
|
|
|
14
16
|
}
|
|
15
17
|
return a;
|
|
16
18
|
};
|
|
19
|
+
var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
|
|
17
20
|
var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
|
|
18
21
|
var __export = (target, all) => {
|
|
19
22
|
__markAsModule(target);
|
|
@@ -47,7 +50,6 @@ var commonCliOptions = {
|
|
|
47
50
|
},
|
|
48
51
|
awsKeyAlias: {
|
|
49
52
|
string: true,
|
|
50
|
-
default: "alias/top-secret",
|
|
51
53
|
describe: "AWS KMS key alias"
|
|
52
54
|
},
|
|
53
55
|
awsKeyArn: {
|
|
@@ -60,8 +62,7 @@ var commonCliOptions = {
|
|
|
60
62
|
},
|
|
61
63
|
envFile: {
|
|
62
64
|
string: true,
|
|
63
|
-
describe: ".env file"
|
|
64
|
-
default: ".env"
|
|
65
|
+
describe: ".env file"
|
|
65
66
|
},
|
|
66
67
|
ignoreMissingEnvFile: {
|
|
67
68
|
boolean: true,
|
|
@@ -84,6 +85,14 @@ var commonCliOptions = {
|
|
|
84
85
|
boolean: true,
|
|
85
86
|
describe: "Be verbose"
|
|
86
87
|
},
|
|
88
|
+
encryptedSecretsFile: {
|
|
89
|
+
string: true,
|
|
90
|
+
describe: "filename of json file for reading encrypted secrets"
|
|
91
|
+
},
|
|
92
|
+
jsonFilter: {
|
|
93
|
+
string: true,
|
|
94
|
+
describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
|
|
95
|
+
},
|
|
87
96
|
yes: {
|
|
88
97
|
boolean: true,
|
|
89
98
|
describe: "Proceeds without confirmation"
|
|
@@ -310,11 +319,11 @@ __export(decryptSecCommand_exports, {
|
|
|
310
319
|
desc: () => desc2,
|
|
311
320
|
handler: () => handler2
|
|
312
321
|
});
|
|
313
|
-
import { KMSClient, DecryptCommand } from "@aws-sdk/client-kms";
|
|
314
|
-
import { redBright } from "chalk";
|
|
315
|
-
import { parse } from "dotenv";
|
|
316
322
|
import fs from "node:fs";
|
|
317
323
|
import path from "node:path";
|
|
324
|
+
import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
|
|
325
|
+
import { redBright } from "chalk";
|
|
326
|
+
import { parse } from "dotenv";
|
|
318
327
|
|
|
319
328
|
// src/utils/io.ts
|
|
320
329
|
import { stat } from "fs/promises";
|
|
@@ -346,6 +355,30 @@ var promptOverwriteIfFileExists = async ({
|
|
|
346
355
|
return overwriteResponse;
|
|
347
356
|
};
|
|
348
357
|
|
|
358
|
+
// src/utils/kms.ts
|
|
359
|
+
import {
|
|
360
|
+
DescribeKeyCommand,
|
|
361
|
+
KMSClient
|
|
362
|
+
} from "@aws-sdk/client-kms";
|
|
363
|
+
var getKMSClient = ({
|
|
364
|
+
configuration
|
|
365
|
+
}) => {
|
|
366
|
+
const kmsClient = new KMSClient(configuration);
|
|
367
|
+
return kmsClient;
|
|
368
|
+
};
|
|
369
|
+
var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
|
|
370
|
+
var _a, _b;
|
|
371
|
+
const describeKeyCommand = new DescribeKeyCommand({
|
|
372
|
+
KeyId: awsKeyAlias
|
|
373
|
+
});
|
|
374
|
+
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
375
|
+
const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
|
|
376
|
+
if (encryptionAlgorithm === void 0) {
|
|
377
|
+
throw new Error(`Could not determine encryption algorithm`);
|
|
378
|
+
}
|
|
379
|
+
return encryptionAlgorithm;
|
|
380
|
+
};
|
|
381
|
+
|
|
349
382
|
// src/commands/decryptSecCommand.ts
|
|
350
383
|
var command2 = "decrypt-sec";
|
|
351
384
|
var desc2 = "Decrypts a dotsec file";
|
|
@@ -354,7 +387,7 @@ var builder2 = {
|
|
|
354
387
|
"aws-region": commonCliOptions.awsRegion,
|
|
355
388
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
356
389
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
357
|
-
"env-file": commonCliOptions.envFile,
|
|
390
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: "env" }),
|
|
358
391
|
"sec-file": commonCliOptions.secFile,
|
|
359
392
|
verbose: commonCliOptions.verbose
|
|
360
393
|
};
|
|
@@ -370,15 +403,16 @@ var handler2 = async (argv) => {
|
|
|
370
403
|
return;
|
|
371
404
|
}
|
|
372
405
|
const parsedSec = parse(fs.readFileSync(secSource, { encoding: "utf8" }));
|
|
373
|
-
const kmsClient = new
|
|
406
|
+
const kmsClient = new KMSClient2({
|
|
374
407
|
credentials: credentialsAndOrigin.value,
|
|
375
408
|
region: regionAndOrigin.value
|
|
376
409
|
});
|
|
410
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
377
411
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
378
412
|
const decryptCommand = new DecryptCommand({
|
|
379
413
|
KeyId: argv.awsKeyAlias,
|
|
380
414
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
381
|
-
EncryptionAlgorithm:
|
|
415
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
382
416
|
});
|
|
383
417
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
384
418
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -405,55 +439,117 @@ __export(decryptSecretsJson_exports, {
|
|
|
405
439
|
desc: () => desc3,
|
|
406
440
|
handler: () => handler3
|
|
407
441
|
});
|
|
408
|
-
import
|
|
442
|
+
import fs3 from "node:fs";
|
|
443
|
+
import path3 from "node:path";
|
|
444
|
+
import { DecryptCommand as DecryptCommand2, DescribeKeyCommand as DescribeKeyCommand2 } from "@aws-sdk/client-kms";
|
|
409
445
|
import { redBright as redBright2 } from "chalk";
|
|
410
446
|
import flat from "flat";
|
|
411
|
-
import fs2 from "node:fs";
|
|
412
|
-
import path2 from "node:path";
|
|
413
447
|
|
|
414
|
-
// src/
|
|
415
|
-
import
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
448
|
+
// src/lib/config.ts
|
|
449
|
+
import fs2 from "fs";
|
|
450
|
+
import path2 from "node:path";
|
|
451
|
+
import { bundleRequire } from "bundle-require";
|
|
452
|
+
import JoyCon from "joycon";
|
|
453
|
+
var defaultConfig = {
|
|
454
|
+
aws: {
|
|
455
|
+
keyAlias: "alias/top-secret"
|
|
456
|
+
}
|
|
457
|
+
};
|
|
458
|
+
function jsoncParse(data) {
|
|
459
|
+
try {
|
|
460
|
+
return new Function("return " + data.trim())();
|
|
461
|
+
} catch {
|
|
462
|
+
return {};
|
|
463
|
+
}
|
|
464
|
+
}
|
|
465
|
+
var loadJson = async (filepath) => {
|
|
466
|
+
try {
|
|
467
|
+
return jsoncParse(await fs2.promises.readFile(filepath, "utf8"));
|
|
468
|
+
} catch (error) {
|
|
469
|
+
if (error instanceof Error) {
|
|
470
|
+
throw new Error(`Failed to parse ${path2.relative(process.cwd(), filepath)}: ${error.message}`);
|
|
471
|
+
} else {
|
|
472
|
+
throw error;
|
|
473
|
+
}
|
|
474
|
+
}
|
|
475
|
+
};
|
|
476
|
+
var getConfig = async () => {
|
|
477
|
+
const cwd = process.cwd();
|
|
478
|
+
const configJoycon = new JoyCon();
|
|
479
|
+
const configPath = await configJoycon.resolve({
|
|
480
|
+
files: [
|
|
481
|
+
"dotsec.config.ts",
|
|
482
|
+
"dotsec.config.js",
|
|
483
|
+
"dotsec.config.cjs",
|
|
484
|
+
"dotsec.config.mjs",
|
|
485
|
+
"dotsec.config.json",
|
|
486
|
+
"package.json"
|
|
487
|
+
],
|
|
488
|
+
cwd,
|
|
489
|
+
stopDir: path2.parse(cwd).root,
|
|
490
|
+
packageKey: "dotsec"
|
|
491
|
+
});
|
|
492
|
+
if (configPath) {
|
|
493
|
+
if (configPath.endsWith(".json")) {
|
|
494
|
+
const rawData = await loadJson(configPath);
|
|
495
|
+
let data;
|
|
496
|
+
if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
|
|
497
|
+
data = rawData.dotsec;
|
|
498
|
+
} else {
|
|
499
|
+
data = rawData;
|
|
500
|
+
}
|
|
501
|
+
return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
|
|
502
|
+
aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
|
|
503
|
+
});
|
|
504
|
+
}
|
|
505
|
+
const config = await bundleRequire({
|
|
506
|
+
filepath: configPath
|
|
507
|
+
});
|
|
508
|
+
const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
|
|
509
|
+
return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
|
|
510
|
+
}
|
|
511
|
+
return __spreadValues({}, defaultConfig);
|
|
421
512
|
};
|
|
422
513
|
|
|
423
514
|
// src/commands/decryptSecretsJson.ts
|
|
424
515
|
var command3 = "decrypt-secrets-json";
|
|
425
516
|
var desc3 = "Derypts an encrypted file";
|
|
426
517
|
var builder3 = {
|
|
427
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
428
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
429
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
430
518
|
"secrets-file": {
|
|
431
519
|
string: true,
|
|
432
520
|
describe: "filename of json file writing secrets",
|
|
433
521
|
default: "secrets.json"
|
|
434
522
|
},
|
|
435
|
-
"encrypted-secrets-file": {
|
|
436
|
-
string: true,
|
|
437
|
-
describe: "filename of json file for reading encrypted secrets",
|
|
523
|
+
"encrypted-secrets-file": __spreadProps(__spreadValues({}, commonCliOptions.encryptedSecretsFile), {
|
|
438
524
|
default: "secrets.encrypted.json"
|
|
439
|
-
},
|
|
440
|
-
"
|
|
525
|
+
}),
|
|
526
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
527
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
528
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
529
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
530
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
441
531
|
verbose: commonCliOptions.verbose,
|
|
442
532
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
443
533
|
};
|
|
444
534
|
var handler3 = async (argv) => {
|
|
445
535
|
const { info, error } = getLogger();
|
|
536
|
+
const config = await getConfig();
|
|
446
537
|
try {
|
|
447
538
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
448
|
-
argv: __spreadValues({}, argv),
|
|
539
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
540
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
541
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
542
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
543
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
544
|
+
}),
|
|
449
545
|
env: __spreadValues({}, process.env)
|
|
450
546
|
});
|
|
451
|
-
const encryptedSecretsPath =
|
|
547
|
+
const encryptedSecretsPath = path3.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
452
548
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
453
549
|
error(`Could not open ${redBright2(encryptedSecretsPath)}`);
|
|
454
550
|
return;
|
|
455
551
|
}
|
|
456
|
-
const encryptedSecrets = JSON.parse(
|
|
552
|
+
const encryptedSecrets = JSON.parse(fs3.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
457
553
|
if (!encryptedSecrets.encryptedParameters) {
|
|
458
554
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
459
555
|
}
|
|
@@ -465,19 +561,21 @@ var handler3 = async (argv) => {
|
|
|
465
561
|
},
|
|
466
562
|
verbose: argv.verbose
|
|
467
563
|
});
|
|
564
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
468
565
|
if (argv.verbose) {
|
|
469
|
-
info(`Encrypting using key alias ${bold(
|
|
470
|
-
const describeKeyCommand = new
|
|
471
|
-
KeyId:
|
|
566
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
567
|
+
const describeKeyCommand = new DescribeKeyCommand2({
|
|
568
|
+
KeyId: awsKeyAlias
|
|
472
569
|
});
|
|
473
570
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
474
|
-
|
|
571
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
475
572
|
}
|
|
573
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
476
574
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
477
575
|
const decryptCommand = new DecryptCommand2({
|
|
478
576
|
KeyId: argv.awsKeyAlias,
|
|
479
577
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
480
|
-
EncryptionAlgorithm:
|
|
578
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
481
579
|
});
|
|
482
580
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
483
581
|
if (!decryptionResult.Plaintext) {
|
|
@@ -490,6 +588,13 @@ var handler3 = async (argv) => {
|
|
|
490
588
|
if (argv.verbose) {
|
|
491
589
|
info(`Encrypting key ${bold(parameterName)} ${underline("ok")}`);
|
|
492
590
|
}
|
|
591
|
+
const plaintext = Buffer.from(decryptionResult.Plaintext).toString();
|
|
592
|
+
try {
|
|
593
|
+
const jsonObject = JSON.parse(plaintext);
|
|
594
|
+
return [parameterName, jsonObject];
|
|
595
|
+
} catch (e) {
|
|
596
|
+
console.log("NOPES", plaintext);
|
|
597
|
+
}
|
|
493
598
|
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
494
599
|
return [parameterName, value];
|
|
495
600
|
})));
|
|
@@ -498,13 +603,13 @@ var handler3 = async (argv) => {
|
|
|
498
603
|
config: encryptedSecrets.config,
|
|
499
604
|
parameters
|
|
500
605
|
};
|
|
501
|
-
const secretsPath =
|
|
606
|
+
const secretsPath = path3.resolve(process.cwd(), argv.secretsFile);
|
|
502
607
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
503
608
|
filePath: secretsPath,
|
|
504
609
|
skip: argv.yes
|
|
505
610
|
});
|
|
506
611
|
if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
|
|
507
|
-
|
|
612
|
+
fs3.writeFileSync(secretsPath, JSON.stringify(secrets, null, 4));
|
|
508
613
|
}
|
|
509
614
|
} catch (e) {
|
|
510
615
|
error(e);
|
|
@@ -519,12 +624,37 @@ __export(defaultCommand_exports, {
|
|
|
519
624
|
desc: () => desc4,
|
|
520
625
|
handler: () => handler4
|
|
521
626
|
});
|
|
522
|
-
import
|
|
523
|
-
import
|
|
627
|
+
import fs5 from "node:fs";
|
|
628
|
+
import path5 from "node:path";
|
|
524
629
|
import { KMSClient as KMSClient3, DecryptCommand as DecryptCommand3 } from "@aws-sdk/client-kms";
|
|
525
|
-
import { redBright as
|
|
630
|
+
import { redBright as redBright4 } from "chalk";
|
|
631
|
+
import { constantCase } from "constant-case";
|
|
526
632
|
import { spawn } from "cross-spawn";
|
|
527
633
|
import { parse as parse2 } from "dotenv";
|
|
634
|
+
import flat2 from "flat";
|
|
635
|
+
|
|
636
|
+
// src/lib/encryptedSecrets.ts
|
|
637
|
+
import fs4 from "fs";
|
|
638
|
+
import path4 from "path";
|
|
639
|
+
import { redBright as redBright3 } from "chalk";
|
|
640
|
+
var loadEncryptedSecrets = async ({
|
|
641
|
+
encryptedSecretsFile
|
|
642
|
+
}) => {
|
|
643
|
+
const encryptedSecretsPath = path4.resolve(process.cwd(), encryptedSecretsFile);
|
|
644
|
+
if (!await fileExists(encryptedSecretsPath)) {
|
|
645
|
+
throw new Error(`Could not open ${redBright3(encryptedSecretsPath)}`);
|
|
646
|
+
}
|
|
647
|
+
const encryptedSecrets = JSON.parse(fs4.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
648
|
+
if (!encryptedSecrets) {
|
|
649
|
+
throw new Error(`No encrypted secrets found in ${redBright3(encryptedSecretsPath)}`);
|
|
650
|
+
}
|
|
651
|
+
if (!encryptedSecrets.encryptedParameters) {
|
|
652
|
+
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
653
|
+
}
|
|
654
|
+
return encryptedSecrets;
|
|
655
|
+
};
|
|
656
|
+
|
|
657
|
+
// src/commands/defaultCommand.ts
|
|
528
658
|
var command4 = "$0 <command>";
|
|
529
659
|
var desc4 = "Decrypts a .sec file, injects the results into a separate process and runs a command";
|
|
530
660
|
var builder4 = {
|
|
@@ -536,6 +666,8 @@ var builder4 = {
|
|
|
536
666
|
"ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
|
|
537
667
|
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
538
668
|
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
669
|
+
"encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
|
|
670
|
+
"json-filter": commonCliOptions.jsonFilter,
|
|
539
671
|
verbose: commonCliOptions.verbose,
|
|
540
672
|
command: { string: true, required: true }
|
|
541
673
|
};
|
|
@@ -545,21 +677,69 @@ var handleSec = async ({
|
|
|
545
677
|
regionAndOrigin,
|
|
546
678
|
awsKeyAlias
|
|
547
679
|
}) => {
|
|
548
|
-
const secSource =
|
|
680
|
+
const secSource = path5.resolve(process.cwd(), secFile);
|
|
549
681
|
if (!await fileExists(secSource)) {
|
|
550
|
-
console.error(`Could not open ${
|
|
682
|
+
console.error(`Could not open ${redBright4(secSource)}`);
|
|
551
683
|
return;
|
|
552
684
|
}
|
|
553
|
-
const parsedSec = parse2(
|
|
685
|
+
const parsedSec = parse2(fs5.readFileSync(secSource, { encoding: "utf8" }));
|
|
554
686
|
const kmsClient = new KMSClient3({
|
|
555
687
|
credentials: credentialsAndOrigin.value,
|
|
556
688
|
region: regionAndOrigin.value
|
|
557
689
|
});
|
|
690
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
558
691
|
const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
|
|
559
692
|
const decryptCommand = new DecryptCommand3({
|
|
560
693
|
KeyId: awsKeyAlias,
|
|
561
694
|
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
562
|
-
EncryptionAlgorithm:
|
|
695
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
696
|
+
});
|
|
697
|
+
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
698
|
+
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
699
|
+
throw new Error(`No: ${JSON.stringify({
|
|
700
|
+
key,
|
|
701
|
+
cipherText,
|
|
702
|
+
decryptCommand
|
|
703
|
+
})}`);
|
|
704
|
+
}
|
|
705
|
+
const value = Buffer.from(decryptionResult.Plaintext).toString();
|
|
706
|
+
return [key, value];
|
|
707
|
+
}));
|
|
708
|
+
const env = Object.fromEntries(envEntries);
|
|
709
|
+
return env;
|
|
710
|
+
};
|
|
711
|
+
var handleEncryptedJson = async ({
|
|
712
|
+
encryptedSecretsFile,
|
|
713
|
+
jsonFilter,
|
|
714
|
+
credentialsAndOrigin,
|
|
715
|
+
regionAndOrigin,
|
|
716
|
+
awsKeyAlias
|
|
717
|
+
}) => {
|
|
718
|
+
const encryptedSecrets = await loadEncryptedSecrets({
|
|
719
|
+
encryptedSecretsFile
|
|
720
|
+
});
|
|
721
|
+
const flattened = flat2.flatten(encryptedSecrets.encryptedParameters, {
|
|
722
|
+
delimiter: "__",
|
|
723
|
+
transformKey: (key) => {
|
|
724
|
+
return constantCase(key);
|
|
725
|
+
}
|
|
726
|
+
});
|
|
727
|
+
const kmsClient = new KMSClient3({
|
|
728
|
+
credentials: credentialsAndOrigin.value,
|
|
729
|
+
region: regionAndOrigin.value
|
|
730
|
+
});
|
|
731
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
732
|
+
const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
|
|
733
|
+
const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
|
|
734
|
+
if (filterKey) {
|
|
735
|
+
return key.indexOf(filterKey) === 0;
|
|
736
|
+
}
|
|
737
|
+
return true;
|
|
738
|
+
}).map(async ([key, cipherText]) => {
|
|
739
|
+
const decryptCommand = new DecryptCommand3({
|
|
740
|
+
KeyId: awsKeyAlias,
|
|
741
|
+
CiphertextBlob: Buffer.from(cipherText, "base64"),
|
|
742
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
563
743
|
});
|
|
564
744
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
565
745
|
if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
|
|
@@ -576,16 +756,40 @@ var handleSec = async ({
|
|
|
576
756
|
return env;
|
|
577
757
|
};
|
|
578
758
|
var handler4 = async (argv) => {
|
|
759
|
+
const config = await getConfig();
|
|
579
760
|
try {
|
|
580
761
|
let env;
|
|
581
762
|
let awsEnv;
|
|
582
763
|
try {
|
|
583
764
|
if (argv.envFile) {
|
|
584
|
-
env = parse2(
|
|
765
|
+
env = parse2(fs5.readFileSync(argv.envFile, { encoding: "utf8" }));
|
|
766
|
+
if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
|
|
767
|
+
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
768
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
769
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
770
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
771
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
772
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
773
|
+
}),
|
|
774
|
+
env: __spreadValues({}, process.env)
|
|
775
|
+
});
|
|
776
|
+
awsEnv = {
|
|
777
|
+
AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
|
|
778
|
+
AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
|
|
779
|
+
};
|
|
780
|
+
if (credentialsAndOrigin.value.sessionToken) {
|
|
781
|
+
awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
|
|
782
|
+
}
|
|
783
|
+
}
|
|
585
784
|
} else {
|
|
586
785
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
587
|
-
argv: __spreadValues({}, argv),
|
|
588
|
-
|
|
786
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
787
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
788
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
789
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
790
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
791
|
+
}),
|
|
792
|
+
env: __spreadValues({}, process.env)
|
|
589
793
|
});
|
|
590
794
|
if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
|
|
591
795
|
awsEnv = {
|
|
@@ -597,12 +801,23 @@ var handler4 = async (argv) => {
|
|
|
597
801
|
if (argv.verbose) {
|
|
598
802
|
console.log({ credentialsAndOrigin, regionAndOrigin });
|
|
599
803
|
}
|
|
600
|
-
|
|
601
|
-
|
|
602
|
-
|
|
603
|
-
|
|
604
|
-
|
|
605
|
-
|
|
804
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
805
|
+
if (argv.encryptedSecretsFile) {
|
|
806
|
+
env = await handleEncryptedJson({
|
|
807
|
+
encryptedSecretsFile: argv.encryptedSecretsFile,
|
|
808
|
+
jsonFilter: argv.jsonFilter,
|
|
809
|
+
credentialsAndOrigin,
|
|
810
|
+
regionAndOrigin,
|
|
811
|
+
awsKeyAlias
|
|
812
|
+
});
|
|
813
|
+
} else {
|
|
814
|
+
env = await handleSec({
|
|
815
|
+
secFile: argv.secFile,
|
|
816
|
+
credentialsAndOrigin,
|
|
817
|
+
regionAndOrigin,
|
|
818
|
+
awsKeyAlias
|
|
819
|
+
});
|
|
820
|
+
}
|
|
606
821
|
}
|
|
607
822
|
} catch (e) {
|
|
608
823
|
if (argv.ignoreMissingEnvFile !== true) {
|
|
@@ -630,18 +845,18 @@ __export(encryptEnvCommand_exports, {
|
|
|
630
845
|
desc: () => desc5,
|
|
631
846
|
handler: () => handler5
|
|
632
847
|
});
|
|
633
|
-
import
|
|
634
|
-
import
|
|
848
|
+
import fs6 from "node:fs";
|
|
849
|
+
import path6 from "node:path";
|
|
850
|
+
import { DescribeKeyCommand as DescribeKeyCommand3, EncryptCommand } from "@aws-sdk/client-kms";
|
|
851
|
+
import { redBright as redBright5 } from "chalk";
|
|
635
852
|
import { parse as parse3 } from "dotenv";
|
|
636
|
-
import fs4 from "node:fs";
|
|
637
|
-
import path4 from "node:path";
|
|
638
853
|
var command5 = "encrypt-env";
|
|
639
854
|
var desc5 = "Encrypts a dotenv file";
|
|
640
855
|
var builder5 = {
|
|
641
856
|
"aws-profile": commonCliOptions.awsProfile,
|
|
642
857
|
"aws-region": commonCliOptions.awsRegion,
|
|
643
858
|
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
644
|
-
"env-file": commonCliOptions.envFile,
|
|
859
|
+
"env-file": __spreadProps(__spreadValues({}, commonCliOptions.envFile), { default: ".env" }),
|
|
645
860
|
"sec-file": commonCliOptions.secFile,
|
|
646
861
|
"assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
647
862
|
verbose: commonCliOptions.verbose
|
|
@@ -653,12 +868,12 @@ var handler5 = async (argv) => {
|
|
|
653
868
|
argv: __spreadValues({}, argv),
|
|
654
869
|
env: __spreadValues({}, process.env)
|
|
655
870
|
});
|
|
656
|
-
const envSource =
|
|
871
|
+
const envSource = path6.resolve(process.cwd(), argv.envFile);
|
|
657
872
|
if (!await fileExists(envSource)) {
|
|
658
|
-
error(`Could not open ${
|
|
873
|
+
error(`Could not open ${redBright5(envSource)}`);
|
|
659
874
|
return;
|
|
660
875
|
}
|
|
661
|
-
const parsedEnv = parse3(
|
|
876
|
+
const parsedEnv = parse3(fs6.readFileSync(envSource, { encoding: "utf8" }));
|
|
662
877
|
const kmsClient = getKMSClient({
|
|
663
878
|
configuration: {
|
|
664
879
|
credentials: credentialsAndOrigin.value,
|
|
@@ -666,9 +881,10 @@ var handler5 = async (argv) => {
|
|
|
666
881
|
},
|
|
667
882
|
verbose: argv.verbose
|
|
668
883
|
});
|
|
884
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, argv.awsKeyAlias);
|
|
669
885
|
if (argv.verbose) {
|
|
670
886
|
info(`Encrypting using key alias ${bold(argv.awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
671
|
-
const describeKeyCommand = new
|
|
887
|
+
const describeKeyCommand = new DescribeKeyCommand3({
|
|
672
888
|
KeyId: argv.awsKeyAlias
|
|
673
889
|
});
|
|
674
890
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
@@ -678,7 +894,7 @@ var handler5 = async (argv) => {
|
|
|
678
894
|
const encryptCommand = new EncryptCommand({
|
|
679
895
|
KeyId: argv.awsKeyAlias,
|
|
680
896
|
Plaintext: Buffer.from(value),
|
|
681
|
-
EncryptionAlgorithm:
|
|
897
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
682
898
|
});
|
|
683
899
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
684
900
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -694,7 +910,7 @@ var handler5 = async (argv) => {
|
|
|
694
910
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
695
911
|
return `${key}="${cipherText}"`;
|
|
696
912
|
}))).join("\n");
|
|
697
|
-
|
|
913
|
+
fs6.writeFileSync(path6.resolve(process.cwd(), argv.secFile), sec);
|
|
698
914
|
} catch (e) {
|
|
699
915
|
error(e);
|
|
700
916
|
}
|
|
@@ -708,17 +924,14 @@ __export(encryptSecretsJson_exports, {
|
|
|
708
924
|
desc: () => desc6,
|
|
709
925
|
handler: () => handler6
|
|
710
926
|
});
|
|
711
|
-
import
|
|
712
|
-
import
|
|
713
|
-
import { DescribeKeyCommand as
|
|
714
|
-
import { redBright as
|
|
715
|
-
import
|
|
927
|
+
import fs7 from "node:fs";
|
|
928
|
+
import path7 from "node:path";
|
|
929
|
+
import { DescribeKeyCommand as DescribeKeyCommand4, EncryptCommand as EncryptCommand2 } from "@aws-sdk/client-kms";
|
|
930
|
+
import { redBright as redBright6 } from "chalk";
|
|
931
|
+
import flat3 from "flat";
|
|
716
932
|
var command6 = "encrypt-secrets-json";
|
|
717
933
|
var desc6 = "Encrypts an unencrypted file";
|
|
718
934
|
var builder6 = {
|
|
719
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
720
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
721
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
722
935
|
"secrets-file": {
|
|
723
936
|
string: true,
|
|
724
937
|
describe: "filename of json file reading secrets",
|
|
@@ -729,29 +942,39 @@ var builder6 = {
|
|
|
729
942
|
describe: "filename of json file for writing encrypted secrets",
|
|
730
943
|
default: "secrets.encrypted.json"
|
|
731
944
|
},
|
|
732
|
-
"
|
|
945
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
946
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
947
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
948
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
949
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
733
950
|
verbose: commonCliOptions.verbose,
|
|
734
951
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
735
952
|
};
|
|
736
953
|
var handler6 = async (argv) => {
|
|
954
|
+
const config = await getConfig();
|
|
737
955
|
const { info, error } = getLogger();
|
|
738
956
|
try {
|
|
739
957
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
740
|
-
argv: __spreadValues({}, argv),
|
|
958
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
959
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
960
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
961
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
962
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
963
|
+
}),
|
|
741
964
|
env: __spreadValues({}, process.env)
|
|
742
965
|
});
|
|
743
|
-
const secretsPath =
|
|
966
|
+
const secretsPath = path7.resolve(process.cwd(), argv.secretsFile);
|
|
744
967
|
if (!await fileExists(secretsPath)) {
|
|
745
|
-
error(`Could not open ${
|
|
968
|
+
error(`Could not open ${redBright6(secretsPath)}`);
|
|
746
969
|
return;
|
|
747
970
|
}
|
|
748
|
-
const secrets = JSON.parse(
|
|
971
|
+
const secrets = JSON.parse(fs7.readFileSync(secretsPath, { encoding: "utf8" }));
|
|
749
972
|
if (!secrets.parameters) {
|
|
750
973
|
throw new Error(`Expected 'parameters' property, but got none`);
|
|
751
974
|
}
|
|
752
|
-
const flatParameters =
|
|
975
|
+
const flatParameters = flat3(secrets.parameters, { delimiter: "/", maxDepth: config.maxDepth });
|
|
753
976
|
if (argv.verbose) {
|
|
754
|
-
|
|
977
|
+
info(flatParameters);
|
|
755
978
|
}
|
|
756
979
|
const kmsClient = getKMSClient({
|
|
757
980
|
configuration: {
|
|
@@ -760,19 +983,25 @@ var handler6 = async (argv) => {
|
|
|
760
983
|
},
|
|
761
984
|
verbose: argv.verbose
|
|
762
985
|
});
|
|
986
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
763
987
|
if (argv.verbose) {
|
|
764
|
-
info(`Encrypting using key alias ${bold(
|
|
765
|
-
const describeKeyCommand = new
|
|
766
|
-
KeyId:
|
|
988
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
989
|
+
const describeKeyCommand = new DescribeKeyCommand4({
|
|
990
|
+
KeyId: awsKeyAlias
|
|
767
991
|
});
|
|
768
992
|
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
769
|
-
|
|
993
|
+
info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
|
|
770
994
|
}
|
|
995
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
771
996
|
const encryptedFlatParameters = Object.fromEntries(await Promise.all(Object.entries(flatParameters).map(async ([parameterName, parameter]) => {
|
|
997
|
+
let parameterCopy = parameter;
|
|
998
|
+
if (typeof parameter !== "string" && typeof parameter !== "number" && typeof parameter !== "boolean") {
|
|
999
|
+
parameterCopy = JSON.stringify(parameter);
|
|
1000
|
+
}
|
|
772
1001
|
const encryptCommand = new EncryptCommand2({
|
|
773
|
-
KeyId:
|
|
774
|
-
Plaintext: Buffer.from(
|
|
775
|
-
EncryptionAlgorithm:
|
|
1002
|
+
KeyId: awsKeyAlias,
|
|
1003
|
+
Plaintext: Buffer.from(String(parameterCopy)),
|
|
1004
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
776
1005
|
});
|
|
777
1006
|
const encryptionResult = await kmsClient.send(encryptCommand);
|
|
778
1007
|
if (!encryptionResult.CiphertextBlob) {
|
|
@@ -788,18 +1017,18 @@ var handler6 = async (argv) => {
|
|
|
788
1017
|
const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
|
|
789
1018
|
return [parameterName, cipherText];
|
|
790
1019
|
})));
|
|
791
|
-
const encryptedParameters =
|
|
1020
|
+
const encryptedParameters = flat3.unflatten(encryptedFlatParameters, { delimiter: "/" });
|
|
792
1021
|
const encryptedSecrets = {
|
|
793
1022
|
config: secrets.config,
|
|
794
1023
|
encryptedParameters
|
|
795
1024
|
};
|
|
796
|
-
const encryptedSecretsPath =
|
|
1025
|
+
const encryptedSecretsPath = path7.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
797
1026
|
const overwriteResponse = await promptOverwriteIfFileExists({
|
|
798
1027
|
filePath: encryptedSecretsPath,
|
|
799
1028
|
skip: argv.yes
|
|
800
1029
|
});
|
|
801
1030
|
if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
|
|
802
|
-
|
|
1031
|
+
fs7.writeFileSync(encryptedSecretsPath, JSON.stringify(encryptedSecrets, null, 4));
|
|
803
1032
|
}
|
|
804
1033
|
} catch (e) {
|
|
805
1034
|
error(e);
|
|
@@ -814,44 +1043,51 @@ __export(offloadToSSMCommand_exports, {
|
|
|
814
1043
|
desc: () => desc7,
|
|
815
1044
|
handler: () => handler7
|
|
816
1045
|
});
|
|
817
|
-
import
|
|
1046
|
+
import fs8 from "node:fs";
|
|
1047
|
+
import path8 from "node:path";
|
|
1048
|
+
import { DecryptCommand as DecryptCommand4 } from "@aws-sdk/client-kms";
|
|
818
1049
|
import { PutParameterCommand } from "@aws-sdk/client-ssm";
|
|
819
|
-
import { redBright as
|
|
820
|
-
import
|
|
821
|
-
import fs6 from "node:fs";
|
|
822
|
-
import path6 from "node:path";
|
|
1050
|
+
import { redBright as redBright7 } from "chalk";
|
|
1051
|
+
import flat4 from "flat";
|
|
823
1052
|
var command7 = "offload-secrets-json-to-ssm";
|
|
824
1053
|
var desc7 = "Sends decrypted values of secrets.encrypted.json file to SSM parameter store";
|
|
825
1054
|
var builder7 = {
|
|
826
|
-
"aws-profile": commonCliOptions.awsProfile,
|
|
827
|
-
"aws-region": commonCliOptions.awsRegion,
|
|
828
|
-
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
829
1055
|
"encrypted-secrets-file": {
|
|
830
1056
|
string: true,
|
|
831
|
-
describe: "filename of json file for
|
|
1057
|
+
describe: "filename of json file for writing encrypted secrets",
|
|
832
1058
|
default: "secrets.encrypted.json"
|
|
833
1059
|
},
|
|
834
|
-
"
|
|
1060
|
+
"aws-profile": commonCliOptions.awsProfile,
|
|
1061
|
+
"aws-region": commonCliOptions.awsRegion,
|
|
1062
|
+
"aws-key-alias": commonCliOptions.awsKeyAlias,
|
|
1063
|
+
"aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
|
|
1064
|
+
"aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
|
|
835
1065
|
verbose: commonCliOptions.verbose,
|
|
836
1066
|
yes: __spreadValues({}, commonCliOptions.yes)
|
|
837
1067
|
};
|
|
838
1068
|
var handler7 = async (argv) => {
|
|
1069
|
+
const config = await getConfig();
|
|
839
1070
|
const { info, error } = getLogger();
|
|
840
1071
|
try {
|
|
841
1072
|
const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
|
|
842
|
-
argv: __spreadValues({}, argv),
|
|
1073
|
+
argv: __spreadProps(__spreadValues({}, argv), {
|
|
1074
|
+
awsRegion: config.aws.region || argv.awsRegion,
|
|
1075
|
+
awsProfile: config.aws.profile || argv.awsProfile,
|
|
1076
|
+
awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
|
|
1077
|
+
awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
|
|
1078
|
+
}),
|
|
843
1079
|
env: __spreadValues({}, process.env)
|
|
844
1080
|
});
|
|
845
|
-
const encryptedSecretsPath =
|
|
1081
|
+
const encryptedSecretsPath = path8.resolve(process.cwd(), argv.encryptedSecretsFile);
|
|
846
1082
|
if (!await fileExists(encryptedSecretsPath)) {
|
|
847
|
-
error(`Could not open ${
|
|
1083
|
+
error(`Could not open ${redBright7(encryptedSecretsPath)}`);
|
|
848
1084
|
return;
|
|
849
1085
|
}
|
|
850
|
-
const encryptedSecrets = JSON.parse(
|
|
1086
|
+
const encryptedSecrets = JSON.parse(fs8.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
|
|
851
1087
|
if (!encryptedSecrets.encryptedParameters) {
|
|
852
1088
|
throw new Error(`Expected 'encryptedParameters' property, but got none`);
|
|
853
1089
|
}
|
|
854
|
-
const flatEncryptedParameters =
|
|
1090
|
+
const flatEncryptedParameters = flat4(encryptedSecrets.encryptedParameters, { delimiter: "/" });
|
|
855
1091
|
const kmsClient = getKMSClient({
|
|
856
1092
|
configuration: {
|
|
857
1093
|
credentials: credentialsAndOrigin.value,
|
|
@@ -859,19 +1095,16 @@ var handler7 = async (argv) => {
|
|
|
859
1095
|
},
|
|
860
1096
|
verbose: argv.verbose
|
|
861
1097
|
});
|
|
1098
|
+
const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
|
|
862
1099
|
if (argv.verbose) {
|
|
863
|
-
info(`Encrypting using key alias ${bold(
|
|
864
|
-
const describeKeyCommand = new DescribeKeyCommand4({
|
|
865
|
-
KeyId: argv.awsKeyAlias
|
|
866
|
-
});
|
|
867
|
-
const describeKeyResult = await kmsClient.send(describeKeyCommand);
|
|
868
|
-
console.log("describeKeyResult", { describeKeyResult });
|
|
1100
|
+
info(`Encrypting using key alias ${bold(awsKeyAlias)} in ${bold(await kmsClient.config.region())}`);
|
|
869
1101
|
}
|
|
1102
|
+
const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
|
|
870
1103
|
const flatParameters = Object.fromEntries(await Promise.all(Object.entries(flatEncryptedParameters).map(async ([parameterName, encryptedParameter]) => {
|
|
871
1104
|
const decryptCommand = new DecryptCommand4({
|
|
872
1105
|
KeyId: argv.awsKeyAlias,
|
|
873
1106
|
CiphertextBlob: Buffer.from(encryptedParameter, "base64"),
|
|
874
|
-
EncryptionAlgorithm:
|
|
1107
|
+
EncryptionAlgorithm: encryptionAlgorithm
|
|
875
1108
|
});
|
|
876
1109
|
const decryptionResult = await kmsClient.send(decryptCommand);
|
|
877
1110
|
if (!decryptionResult.Plaintext) {
|