renovate 39.185.1 → 39.185.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/config/decrypt.d.ts +2 -0
  2. package/dist/config/decrypt.js +44 -4
  3. package/dist/config/decrypt.js.map +1 -1
  4. package/package.json +3 -3
package/dist/config/decrypt.d.ts CHANGED
@@ -1,3 +1,5 @@
1
1
  import type { RenovateConfig } from './types';
2
2
  export declare function tryDecrypt(privateKey: string, encryptedStr: string, repository: string, keyName: string): Promise<string | null>;
3
+ export declare function validateDecryptedValue(decryptedObjStr: string, repository: string): string | null;
3
4
  export declare function decryptConfig(config: RenovateConfig, repository: string, existingPath?: string): Promise<RenovateConfig>;
5
+ export declare function getAzureCollection(): string | undefined;
package/dist/config/decrypt.js CHANGED
@@ -1,7 +1,9 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.tryDecrypt = tryDecrypt;
4
+ exports.validateDecryptedValue = validateDecryptedValue;
4
5
  exports.decryptConfig = decryptConfig;
6
+ exports.getAzureCollection = getAzureCollection;
5
7
  const tslib_1 = require("tslib");
6
8
  const is_1 = tslib_1.__importDefault(require("@sindresorhus/is"));
7
9
  const error_messages_1 = require("../constants/error-messages");
@@ -59,6 +61,14 @@ function validateDecryptedValue(decryptedObjStr, repository) {
59
61
  error.validationError = `Encrypted value in config is missing a scope.`;
60
62
  throw error;
61
63
  }
64
+ const repositories = [repository.toUpperCase()];
65
+ const azureCollection = getAzureCollection();
66
+ if (is_1.default.nonEmptyString(azureCollection)) {
67
+ // used for full 'org/project/repo' matching
68
+ repositories.push(`${azureCollection}/${repository}`.toUpperCase());
69
+ // used for org prefix matching without repo
70
+ repositories.push(`${azureCollection}/*/`.toUpperCase());
71
+ }
62
72
  const orgPrefixes = org
63
73
  .split(',')
64
74
  .map((o) => o.trim())
@@ -66,8 +76,10 @@ function validateDecryptedValue(decryptedObjStr, repository) {
66
76
  .map((o) => (0, url_1.ensureTrailingSlash)(o));
67
77
  if (is_1.default.nonEmptyString(repo)) {
68
78
  const scopedRepos = orgPrefixes.map((orgPrefix) => `${orgPrefix}${repo}`.toUpperCase());
69
- if (scopedRepos.some((r) => r === repository.toUpperCase())) {
70
- return value;
79
+ for (const rp of repositories) {
80
+ if (scopedRepos.some((r) => r === rp)) {
81
+ return value;
82
+ }
71
83
  }
72
84
  logger_1.logger.debug({ scopedRepos }, 'Secret is scoped to a different repository');
73
85
  const error = new Error('config-validation');
@@ -76,8 +88,13 @@ function validateDecryptedValue(decryptedObjStr, repository) {
76
88
  throw error;
77
89
  }
78
90
  // no scoped repos, only org
79
- if (orgPrefixes.some((orgPrefix) => repository.toUpperCase().startsWith(orgPrefix))) {
80
- return value;
91
+ const azcol = azureCollection === undefined
92
+ ? undefined
93
+ : (0, url_1.ensureTrailingSlash)(azureCollection).toUpperCase();
94
+ for (const rp of repositories) {
95
+ if (orgPrefixes.some((orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol)) {
96
+ return value;
97
+ }
81
98
  }
82
99
  logger_1.logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');
83
100
  const error = new Error('config-validation');
@@ -169,4 +186,27 @@ Refer to migration documents here: https://docs.renovatebot.com/mend-hosted/migr
169
186
  logger_1.logger.trace({ config: decryptedConfig }, 'decryptedConfig');
170
187
  return decryptedConfig;
171
188
  }
189
+ function getAzureCollection() {
190
+ const platform = global_1.GlobalConfig.get('platform');
191
+ if (platform !== 'azure') {
192
+ return undefined;
193
+ }
194
+ const endpoint = global_1.GlobalConfig.get('endpoint');
195
+ const endpointUrl = (0, url_1.parseUrl)(endpoint);
196
+ if (endpointUrl === null) {
197
+ // should not happen
198
+ logger_1.logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');
199
+ return undefined;
200
+ }
201
+ const azureCollection = (0, url_1.trimSlashes)(endpointUrl.pathname);
202
+ if (!is_1.default.nonEmptyString(azureCollection)) {
203
+ logger_1.logger.debug({ endpoint }, 'Unable to find azure collection name from URL');
204
+ return undefined;
205
+ }
206
+ if (azureCollection.startsWith('tfs/')) {
207
+ // Azure DevOps Server
208
+ return azureCollection.substring(4);
209
+ }
210
+ return azureCollection;
211
+ }
172
212
  //# sourceMappingURL=decrypt.js.map
package/dist/config/decrypt.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../lib/config/decrypt.ts"],"names":[],"mappings":";;AAgBA,gCAmCC;AAsED,sCA8FC;;AAvND,kEAAkC;AAClC,gEAAgE;AAChE,sCAAmC;AACnC,yCAAsC;AACtC,+CAA0D;AAC1D,qCAAkD;AAClD,2CAAkD;AAClD,6CAG0B;AAC1B,+CAAsD;AACtD,qCAAwC;AACxC,qCAA2C;AAGpC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,YAAoB,EACpB,UAAkB,EAClB,OAAe;IAEf,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,UAAU,EAAE,UAAU,CAAC,uCAAuC,CAAC,EAAE,CAAC;QACpE,MAAM,eAAe,GACnB,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM;YAC3C,CAAC,CAAC,MAAM,IAAA,2BAAiB,EAAC,UAAU,EAAE,YAAY,CAAC;YACnD,CAAC,CAAC,MAAM,IAAA,uBAAe,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACtD,IAAI,eAAe,EAAE,CAAC;YACpB,YAAY,GAAG,sBAAsB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,IAAA,mCAA0B,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACpE,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,6FAA6F,CAC9F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,IAAA,iCAAwB,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;YAClE,mCAAmC;YACnC,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,2FAA2F,CAC5F,CAAC;YACJ,CAAC;YACD,oBAAoB;QACtB,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,sBAAsB,CAC7B,eAAuB,EACvB,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,wBAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,mCAAmC,CAAC;YAC5D,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC;QAExD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,GAAG;aACpB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;aAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,yBAAmB,EAAC,CAAC,CAAC,CAAC,CAAC;QAEtC,IAAI,YAAE,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAChD,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC,WAAW,EAAE,CACpC,CAAC;YACF,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBAC5D,OAAO,KAAK,CAAC;YACf,CAAC;YACD,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,4CAA4C,CAC7C,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,eAAe,GAAG,0DAA0D,WAAW,IAAI,CAAC;YAClG,MAAM,KAAK,CAAC;QACd,CAAC;QAED,4BAA4B;QAC5B,IACE,WAAW,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAC7B,UAAU,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAC/C,EACD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,eAAM,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,EAAE,qCAAqC,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,eAAe,GAAG,mDAAmD,WAAW,IAAI,CAAC;QAC3F,MAAM,KAAK,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAAsB,EACtB,UAAkB,EAClB,YAAY,GAAG,GAAG;IAElB,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,qBAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,qBAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,IAAI,GAAG,KAAK,WAAW,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,6BAA6B,IAAI,EAAE,CAAC,CAAC;YAEnE,MAAM,gBAAgB,GAAG,qBAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC9D,IAAI,YAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChC,eAAM,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,eAAM,CAAC,KAAK,CAAC,qBAAqB,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBACrD,IAAI,YAAY,GAAG,MAAM,UAAU,CACjC,UAAU,EACV,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACF,IAAI,aAAa,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACtD,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;wBACvD,YAAY,GAAG,MAAM,UAAU,CAC7B,aAAa,EACb,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACJ,CAAC;oBACD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;wBAC7C,KAAK,CAAC,eAAe,GAAG,2BAA2B,IAAI,oCAAoC,CAAC;wBAC5F,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,eAAM,CAAC,KAAK,CAAC,aAAa,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBAC7C,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;wBACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;wBAC9B,IAAA,iCAAsB,EAAC,KAAK,CAAC,CAAC;oBAChC,CAAC;yBAAM,CAAC;wBACN,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;wBACrC,IAAA,iCAAsB,EAAC,YAAY,CAAC,CAAC;oBACvC,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,EAAE,CAAC;oBACvD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,kCAAiB,CAAC,CAAC;oBAC3C,KAAK,CAAC,gBAAgB,GAAG,QAAQ,CAAC;oBAClC,KAAK,CAAC,eAAe,GAAG,8BAA8B,CAAC;oBACvD,KAAK,CAAC,iBAAiB,GAAG,4DAA4D,GAAG,sJAAsJ,CAAC;oBAChP,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;wBACvC,KAAK,CAAC,iBAAiB,GAAG;;;+FAGyD,CAAC;oBACtF,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,CAAC;oBACN,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC,SAAS,CAAC;QACnC,CAAC;aAAM,IAAI,YAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,YAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,IAAI,KAAK,GAAG,CAAC;oBAC/C,eAAe,CAAC,GAAG,CAAsB,CAAC,IAAI,CAC7C,MAAM,aAAa,CAAC,IAAsB,EAAE,UAAU,EAAE,IAAI,CAAC,CAC9D,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACL,eAAe,CAAC,GAAG,CAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAe,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CACxC,GAAqB,EACrB,UAAU,EACV,IAAI,CACL,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,eAAe,CAAC,SAAS,CAAC;IACjC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC7D,OAAO,eAAe,CAAC;AACzB,CAAC","sourcesContent":["import is from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash } from '../util/url';\nimport { tryDecryptKbPgp } from './decrypt/kbpgp';\nimport {\n tryDecryptPublicKeyDefault,\n tryDecryptPublicKeyPKCS1,\n} from './decrypt/legacy';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { RenovateConfig } from './types';\n\nexport async function tryDecrypt(\n privateKey: string,\n encryptedStr: string,\n repository: string,\n keyName: string,\n): Promise<string | null> {\n let decryptedStr: string | null = null;\n if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {\n const decryptedObjStr =\n process.env.RENOVATE_X_USE_OPENPGP === 'true'\n ? await tryDecryptOpenPgp(privateKey, encryptedStr)\n : await tryDecryptKbPgp(privateKey, encryptedStr);\n if (decryptedObjStr) {\n decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n }\n } else {\n decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);\n if (is.string(decryptedStr)) {\n logger.warn(\n { keyName },\n 'Encrypted value is using deprecated default padding, please change to using PGP encryption.',\n );\n } else {\n decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);\n /* v8 ignore start: not testable */\n if (is.string(decryptedStr)) {\n logger.warn(\n { keyName },\n 'Encrypted value is using deprecated PKCS1 padding, please change to using PGP encryption.',\n );\n }\n /* v8 ignore stop */\n }\n }\n return decryptedStr;\n}\n\nfunction validateDecryptedValue(\n decryptedObjStr: string,\n repository: string,\n): string | null {\n try {\n const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n if (!decryptedObj.success) {\n const error = new Error('config-validation');\n error.validationError = `Could not parse decrypted config.`;\n throw error;\n }\n\n const { o: org, r: repo, v: value } = decryptedObj.data;\n\n if (!is.nonEmptyString(value)) {\n const error = new Error('config-validation');\n error.validationError = `Encrypted value in config is missing a value.`;\n throw error;\n }\n\n if (!is.nonEmptyString(org)) {\n const error = new Error('config-validation');\n error.validationError = `Encrypted value in config is missing a scope.`;\n throw error;\n }\n\n const orgPrefixes = org\n .split(',')\n .map((o) => o.trim())\n .map((o) => o.toUpperCase())\n .map((o) => ensureTrailingSlash(o));\n\n if (is.nonEmptyString(repo)) {\n const scopedRepos = orgPrefixes.map((orgPrefix) =>\n `${orgPrefix}${repo}`.toUpperCase(),\n );\n if (scopedRepos.some((r) => r === repository.toUpperCase())) {\n return value;\n }\n logger.debug(\n { scopedRepos },\n 'Secret is scoped to a different repository',\n );\n const error = new Error('config-validation');\n const scopeString = scopedRepos.join(',');\n error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n throw error;\n }\n\n // no scoped repos, only org\n if (\n orgPrefixes.some((orgPrefix) =>\n repository.toUpperCase().startsWith(orgPrefix),\n )\n ) {\n return value;\n }\n logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n const error = new Error('config-validation');\n const scopeString = orgPrefixes.join(',');\n error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n throw error;\n } catch (err) {\n logger.warn({ err }, 'Could not parse decrypted string');\n }\n return null;\n}\n\nexport async function decryptConfig(\n config: RenovateConfig,\n repository: string,\n existingPath = '$',\n): Promise<RenovateConfig> {\n logger.trace({ config }, 'decryptConfig()');\n const decryptedConfig = { ...config };\n const privateKey = GlobalConfig.get('privateKey');\n const privateKeyOld = GlobalConfig.get('privateKeyOld');\n for (const [key, val] of Object.entries(config)) {\n if (key === 'encrypted' && is.object(val)) {\n const path = `${existingPath}.${key}`;\n logger.debug({ config: val }, `Found encrypted config in ${path}`);\n\n const encryptedWarning = GlobalConfig.get('encryptedWarning');\n if (is.string(encryptedWarning)) {\n logger.once.warn(encryptedWarning);\n }\n\n if (privateKey) {\n for (const [eKey, eVal] of Object.entries(val)) {\n logger.debug(`Trying to decrypt ${eKey} in ${path}`);\n let decryptedStr = await tryDecrypt(\n privateKey,\n eVal,\n repository,\n eKey,\n );\n if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {\n logger.debug(`Trying to decrypt with old private key`);\n decryptedStr = await tryDecrypt(\n privateKeyOld,\n eVal,\n repository,\n eKey,\n );\n }\n if (!is.nonEmptyString(decryptedStr)) {\n const error = new Error('config-validation');\n error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n throw error;\n }\n logger.debug(`Decrypted ${eKey} in ${path}`);\n if (eKey === 'npmToken') {\n const token = decryptedStr.replace(regEx(/\\n$/), '');\n decryptedConfig[eKey] = token;\n addSecretForSanitizing(token);\n } else {\n decryptedConfig[eKey] = decryptedStr;\n addSecretForSanitizing(decryptedStr);\n }\n }\n } else {\n if (process.env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n const error = new Error(CONFIG_VALIDATION);\n error.validationSource = 'config';\n error.validationError = 'Encrypted config unsupported';\n error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n if (process.env.MEND_HOSTED === 'true') {\n error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n }\n throw error;\n } else {\n logger.error('Found encrypted data but no privateKey');\n }\n }\n delete decryptedConfig.encrypted;\n } else if (is.array(val)) {\n decryptedConfig[key] = [];\n for (const [index, item] of val.entries()) {\n if (is.object(item) && !is.array(item)) {\n const path = `${existingPath}.${key}[${index}]`;\n (decryptedConfig[key] as RenovateConfig[]).push(\n await decryptConfig(item as RenovateConfig, repository, path),\n );\n } else {\n (decryptedConfig[key] as unknown[]).push(item);\n }\n }\n } else if (is.object(val) && key !== 'content') {\n const path = `${existingPath}.${key}`;\n decryptedConfig[key] = await decryptConfig(\n val as RenovateConfig,\n repository,\n path,\n );\n }\n }\n delete decryptedConfig.encrypted;\n logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n return decryptedConfig;\n}\n"]}
1
+ {"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../lib/config/decrypt.ts"],"names":[],"mappings":";;AAgBA,gCAmCC;AAED,wDAqFC;AAED,sCA8FC;AAED,gDAyBC;;AArQD,kEAAkC;AAClC,gEAAgE;AAChE,sCAAmC;AACnC,yCAAsC;AACtC,+CAA0D;AAC1D,qCAAyE;AACzE,2CAAkD;AAClD,6CAG0B;AAC1B,+CAAsD;AACtD,qCAAwC;AACxC,qCAA2C;AAGpC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,YAAoB,EACpB,UAAkB,EAClB,OAAe;IAEf,IAAI,YAAY,GAAkB,IAAI,CAAC;IACvC,IAAI,UAAU,EAAE,UAAU,CAAC,uCAAuC,CAAC,EAAE,CAAC;QACpE,MAAM,eAAe,GACnB,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,MAAM;YAC3C,CAAC,CAAC,MAAM,IAAA,2BAAiB,EAAC,UAAU,EAAE,YAAY,CAAC;YACnD,CAAC,CAAC,MAAM,IAAA,uBAAe,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACtD,IAAI,eAAe,EAAE,CAAC;YACpB,YAAY,GAAG,sBAAsB,CAAC,eAAe,EAAE,UAAU,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;SAAM,CAAC;QACN,YAAY,GAAG,IAAA,mCAA0B,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;QACpE,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,6FAA6F,CAC9F,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,YAAY,GAAG,IAAA,iCAAwB,EAAC,UAAU,EAAE,YAAY,CAAC,CAAC;YAClE,mCAAmC;YACnC,IAAI,YAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC5B,eAAM,CAAC,IAAI,CACT,EAAE,OAAO,EAAE,EACX,2FAA2F,CAC5F,CAAC;YACJ,CAAC;YACD,oBAAoB;QACtB,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAgB,sBAAsB,CACpC,eAAuB,EACvB,UAAkB;IAElB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,wBAAe,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAChE,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,mCAAmC,CAAC;YAC5D,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC;QAExD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,KAAK,CAAC,eAAe,GAAG,+CAA+C,CAAC;YACxE,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;QAEhD,MAAM,eAAe,GAAG,kBAAkB,EAAE,CAAC;QAC7C,IAAI,YAAE,CAAC,cAAc,CAAC,eAAe,CAAC,EAAE,CAAC;YACvC,4CAA4C;YAC5C,YAAY,CAAC,IAAI,CAAC,GAAG,eAAe,IAAI,UAAU,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;YACpE,4CAA4C;YAC5C,YAAY,CAAC,IAAI,CAAC,GAAG,eAAe,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,WAAW,GAAG,GAAG;aACpB,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;aAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,yBAAmB,EAAC,CAAC,CAAC,CAAC,CAAC;QAEtC,IAAI,YAAE,CAAC,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,MAAM,WAAW,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAChD,GAAG,SAAS,GAAG,IAAI,EAAE,CAAC,WAAW,EAAE,CACpC,CAAC;YACF,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;gBAC9B,IAAI,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,EAAE,CAAC;oBACtC,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,4CAA4C,CAC7C,CAAC;YACF,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,eAAe,GAAG,0DAA0D,WAAW,IAAI,CAAC;YAClG,MAAM,KAAK,CAAC;QACd,CAAC;QAED,4BAA4B;QAC5B,MAAM,KAAK,GACT,eAAe,KAAK,SAAS;YAC3B,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,IAAA,yBAAmB,EAAC,eAAe,CAAC,CAAC,WAAW,EAAE,CAAC;QACzD,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,IACE,WAAW,CAAC,IAAI,CACd,CAAC,SAAS,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,SAAS,KAAK,KAAK,CAC/D,EACD,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,eAAM,CAAC,KAAK,CAAC,EAAE,WAAW,EAAE,EAAE,qCAAqC,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC1C,KAAK,CAAC,eAAe,GAAG,mDAAmD,WAAW,IAAI,CAAC;QAC3F,MAAM,KAAK,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,kCAAkC,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAEM,KAAK,UAAU,aAAa,CACjC,MAAsB,EACtB,UAAkB,EAClB,YAAY,GAAG,GAAG;IAElB,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC5C,MAAM,eAAe,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;IACtC,MAAM,UAAU,GAAG,qBAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,qBAAY,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,IAAI,GAAG,KAAK,WAAW,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,EAAE,6BAA6B,IAAI,EAAE,CAAC,CAAC;YAEnE,MAAM,gBAAgB,GAAG,qBAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;YAC9D,IAAI,YAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAChC,eAAM,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YACrC,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,eAAM,CAAC,KAAK,CAAC,qBAAqB,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBACrD,IAAI,YAAY,GAAG,MAAM,UAAU,CACjC,UAAU,EACV,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACF,IAAI,aAAa,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACtD,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;wBACvD,YAAY,GAAG,MAAM,UAAU,CAC7B,aAAa,EACb,IAAI,EACJ,UAAU,EACV,IAAI,CACL,CAAC;oBACJ,CAAC;oBACD,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,YAAY,CAAC,EAAE,CAAC;wBACrC,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;wBAC7C,KAAK,CAAC,eAAe,GAAG,2BAA2B,IAAI,oCAAoC,CAAC;wBAC5F,MAAM,KAAK,CAAC;oBACd,CAAC;oBACD,eAAM,CAAC,KAAK,CAAC,aAAa,IAAI,OAAO,IAAI,EAAE,CAAC,CAAC;oBAC7C,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;wBACxB,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;wBACrD,eAAe,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;wBAC9B,IAAA,iCAAsB,EAAC,KAAK,CAAC,CAAC;oBAChC,CAAC;yBAAM,CAAC;wBACN,eAAe,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;wBACrC,IAAA,iCAAsB,EAAC,YAAY,CAAC,CAAC;oBACvC,CAAC;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,EAAE,CAAC;oBACvD,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,kCAAiB,CAAC,CAAC;oBAC3C,KAAK,CAAC,gBAAgB,GAAG,QAAQ,CAAC;oBAClC,KAAK,CAAC,eAAe,GAAG,8BAA8B,CAAC;oBACvD,KAAK,CAAC,iBAAiB,GAAG,4DAA4D,GAAG,sJAAsJ,CAAC;oBAChP,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,MAAM,EAAE,CAAC;wBACvC,KAAK,CAAC,iBAAiB,GAAG;;;+FAGyD,CAAC;oBACtF,CAAC;oBACD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,CAAC;oBACN,eAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC,SAAS,CAAC;QACnC,CAAC;aAAM,IAAI,YAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACzB,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAC1B,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,IAAI,YAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,YAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACvC,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,IAAI,KAAK,GAAG,CAAC;oBAC/C,eAAe,CAAC,GAAG,CAAsB,CAAC,IAAI,CAC7C,MAAM,aAAa,CAAC,IAAsB,EAAE,UAAU,EAAE,IAAI,CAAC,CAC9D,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACL,eAAe,CAAC,GAAG,CAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,YAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC/C,MAAM,IAAI,GAAG,GAAG,YAAY,IAAI,GAAG,EAAE,CAAC;YACtC,eAAe,CAAC,GAAG,CAAC,GAAG,MAAM,aAAa,CACxC,GAAqB,EACrB,UAAU,EACV,IAAI,CACL,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,eAAe,CAAC,SAAS,CAAC;IACjC,eAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAC7D,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,SAAgB,kBAAkB;IAChC,MAAM,QAAQ,GAAG,qBAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9C,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACzB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,QAAQ,GAAG,qBAAY,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,IAAA,cAAQ,EAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,oBAAoB;QACpB,eAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,MAAM,eAAe,GAAG,IAAA,iBAAW,EAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAC1D,IAAI,CAAC,YAAE,CAAC,cAAc,CAAC,eAAe,CAAC,EAAE,CAAC;QACxC,eAAM,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,EAAE,+CAA+C,CAAC,CAAC;QAC5E,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,eAAe,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACvC,sBAAsB;QACtB,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,eAAe,CAAC;AACzB,CAAC","sourcesContent":["import is from '@sindresorhus/is';\nimport { CONFIG_VALIDATION } from '../constants/error-messages';\nimport { logger } from '../logger';\nimport { regEx } from '../util/regex';\nimport { addSecretForSanitizing } from '../util/sanitize';\nimport { ensureTrailingSlash, parseUrl, trimSlashes } from '../util/url';\nimport { tryDecryptKbPgp } from './decrypt/kbpgp';\nimport {\n tryDecryptPublicKeyDefault,\n tryDecryptPublicKeyPKCS1,\n} from './decrypt/legacy';\nimport { tryDecryptOpenPgp } from './decrypt/openpgp';\nimport { GlobalConfig } from './global';\nimport { DecryptedObject } from './schema';\nimport type { RenovateConfig } from './types';\n\nexport async function tryDecrypt(\n privateKey: string,\n encryptedStr: string,\n repository: string,\n keyName: string,\n): Promise<string | null> {\n let decryptedStr: string | null = null;\n if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {\n const decryptedObjStr =\n process.env.RENOVATE_X_USE_OPENPGP === 'true'\n ? await tryDecryptOpenPgp(privateKey, encryptedStr)\n : await tryDecryptKbPgp(privateKey, encryptedStr);\n if (decryptedObjStr) {\n decryptedStr = validateDecryptedValue(decryptedObjStr, repository);\n }\n } else {\n decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);\n if (is.string(decryptedStr)) {\n logger.warn(\n { keyName },\n 'Encrypted value is using deprecated default padding, please change to using PGP encryption.',\n );\n } else {\n decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);\n /* v8 ignore start: not testable */\n if (is.string(decryptedStr)) {\n logger.warn(\n { keyName },\n 'Encrypted value is using deprecated PKCS1 padding, please change to using PGP encryption.',\n );\n }\n /* v8 ignore stop */\n }\n }\n return decryptedStr;\n}\n\nexport function validateDecryptedValue(\n decryptedObjStr: string,\n repository: string,\n): string | null {\n try {\n const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);\n if (!decryptedObj.success) {\n const error = new Error('config-validation');\n error.validationError = `Could not parse decrypted config.`;\n throw error;\n }\n\n const { o: org, r: repo, v: value } = decryptedObj.data;\n\n if (!is.nonEmptyString(value)) {\n const error = new Error('config-validation');\n error.validationError = `Encrypted value in config is missing a value.`;\n throw error;\n }\n\n if (!is.nonEmptyString(org)) {\n const error = new Error('config-validation');\n error.validationError = `Encrypted value in config is missing a scope.`;\n throw error;\n }\n\n const repositories = [repository.toUpperCase()];\n\n const azureCollection = getAzureCollection();\n if (is.nonEmptyString(azureCollection)) {\n // used for full 'org/project/repo' matching\n repositories.push(`${azureCollection}/${repository}`.toUpperCase());\n // used for org prefix matching without repo\n repositories.push(`${azureCollection}/*/`.toUpperCase());\n }\n\n const orgPrefixes = org\n .split(',')\n .map((o) => o.trim())\n .map((o) => o.toUpperCase())\n .map((o) => ensureTrailingSlash(o));\n\n if (is.nonEmptyString(repo)) {\n const scopedRepos = orgPrefixes.map((orgPrefix) =>\n `${orgPrefix}${repo}`.toUpperCase(),\n );\n for (const rp of repositories) {\n if (scopedRepos.some((r) => r === rp)) {\n return value;\n }\n }\n\n logger.debug(\n { scopedRepos },\n 'Secret is scoped to a different repository',\n );\n const error = new Error('config-validation');\n const scopeString = scopedRepos.join(',');\n error.validationError = `Encrypted secret is scoped to a different repository: \"${scopeString}\".`;\n throw error;\n }\n\n // no scoped repos, only org\n const azcol =\n azureCollection === undefined\n ? undefined\n : ensureTrailingSlash(azureCollection).toUpperCase();\n for (const rp of repositories) {\n if (\n orgPrefixes.some(\n (orgPrefix) => rp.startsWith(orgPrefix) && orgPrefix !== azcol,\n )\n ) {\n return value;\n }\n }\n logger.debug({ orgPrefixes }, 'Secret is scoped to a different org');\n const error = new Error('config-validation');\n const scopeString = orgPrefixes.join(',');\n error.validationError = `Encrypted secret is scoped to a different org: \"${scopeString}\".`;\n throw error;\n } catch (err) {\n logger.warn({ err }, 'Could not parse decrypted string');\n }\n return null;\n}\n\nexport async function decryptConfig(\n config: RenovateConfig,\n repository: string,\n existingPath = '$',\n): Promise<RenovateConfig> {\n logger.trace({ config }, 'decryptConfig()');\n const decryptedConfig = { ...config };\n const privateKey = GlobalConfig.get('privateKey');\n const privateKeyOld = GlobalConfig.get('privateKeyOld');\n for (const [key, val] of Object.entries(config)) {\n if (key === 'encrypted' && is.object(val)) {\n const path = `${existingPath}.${key}`;\n logger.debug({ config: val }, `Found encrypted config in ${path}`);\n\n const encryptedWarning = GlobalConfig.get('encryptedWarning');\n if (is.string(encryptedWarning)) {\n logger.once.warn(encryptedWarning);\n }\n\n if (privateKey) {\n for (const [eKey, eVal] of Object.entries(val)) {\n logger.debug(`Trying to decrypt ${eKey} in ${path}`);\n let decryptedStr = await tryDecrypt(\n privateKey,\n eVal,\n repository,\n eKey,\n );\n if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {\n logger.debug(`Trying to decrypt with old private key`);\n decryptedStr = await tryDecrypt(\n privateKeyOld,\n eVal,\n repository,\n eKey,\n );\n }\n if (!is.nonEmptyString(decryptedStr)) {\n const error = new Error('config-validation');\n error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;\n throw error;\n }\n logger.debug(`Decrypted ${eKey} in ${path}`);\n if (eKey === 'npmToken') {\n const token = decryptedStr.replace(regEx(/\\n$/), '');\n decryptedConfig[eKey] = token;\n addSecretForSanitizing(token);\n } else {\n decryptedConfig[eKey] = decryptedStr;\n addSecretForSanitizing(decryptedStr);\n }\n }\n } else {\n if (process.env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {\n const error = new Error(CONFIG_VALIDATION);\n error.validationSource = 'config';\n error.validationError = 'Encrypted config unsupported';\n error.validationMessage = `This config contains an encrypted object at location \\`$.${key}\\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \\`privateKey\\` in Global Configuration.`;\n if (process.env.MEND_HOSTED === 'true') {\n error.validationMessage = `Mend-hosted Renovate Apps no longer support the use of encrypted secrets in Renovate file config (e.g. renovate.json).\nPlease migrate all secrets to the Developer Portal using the web UI available at https://developer.mend.io/\n\nRefer to migration documents here: https://docs.renovatebot.com/mend-hosted/migrating-secrets/`;\n }\n throw error;\n } else {\n logger.error('Found encrypted data but no privateKey');\n }\n }\n delete decryptedConfig.encrypted;\n } else if (is.array(val)) {\n decryptedConfig[key] = [];\n for (const [index, item] of val.entries()) {\n if (is.object(item) && !is.array(item)) {\n const path = `${existingPath}.${key}[${index}]`;\n (decryptedConfig[key] as RenovateConfig[]).push(\n await decryptConfig(item as RenovateConfig, repository, path),\n );\n } else {\n (decryptedConfig[key] as unknown[]).push(item);\n }\n }\n } else if (is.object(val) && key !== 'content') {\n const path = `${existingPath}.${key}`;\n decryptedConfig[key] = await decryptConfig(\n val as RenovateConfig,\n repository,\n path,\n );\n }\n }\n delete decryptedConfig.encrypted;\n logger.trace({ config: decryptedConfig }, 'decryptedConfig');\n return decryptedConfig;\n}\n\nexport function getAzureCollection(): string | undefined {\n const platform = GlobalConfig.get('platform');\n if (platform !== 'azure') {\n return undefined;\n }\n\n const endpoint = GlobalConfig.get('endpoint');\n const endpointUrl = parseUrl(endpoint);\n if (endpointUrl === null) {\n // should not happen\n logger.warn({ endpoint }, 'Unable to parse endpoint for token decryption');\n return undefined;\n }\n\n const azureCollection = trimSlashes(endpointUrl.pathname);\n if (!is.nonEmptyString(azureCollection)) {\n logger.debug({ endpoint }, 'Unable to find azure collection name from URL');\n return undefined;\n }\n\n if (azureCollection.startsWith('tfs/')) {\n // Azure DevOps Server\n return azureCollection.substring(4);\n }\n return azureCollection;\n}\n"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "renovate",
3
3
  "description": "Automated dependency updates. Flexible so you don't need to be.",
4
- "version": "39.185.1",
4
+ "version": "39.185.3",
5
5
  "type": "commonjs",
6
6
  "bin": {
7
7
  "renovate": "dist/renovate.js",
@@ -187,7 +187,7 @@
187
187
  "commander": "13.1.0",
188
188
  "conventional-commits-detector": "1.0.3",
189
189
  "croner": "9.0.0",
190
- "cronstrue": "2.54.0",
190
+ "cronstrue": "2.55.0",
191
191
  "deepmerge": "4.3.1",
192
192
  "dequal": "2.0.3",
193
193
  "detect-indent": "6.1.0",
@@ -297,7 +297,7 @@
297
297
  "@types/mdast": "3.0.15",
298
298
  "@types/moo": "0.5.10",
299
299
  "@types/ms": "2.1.0",
300
- "@types/node": "22.13.4",
300
+ "@types/node": "22.13.5",
301
301
  "@types/parse-link-header": "2.0.3",
302
302
  "@types/punycode": "2.1.4",
303
303
  "@types/semver": "7.5.8",