import fs from 'fs'
import path from 'path'
import _ from 'lodash'
import { flags } from '@oclif/command'
import { Cryptonomicon, Vault } from 'kuzzle-vault'
import { Kommand } from '../../common'
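export class VaultEncrypt extends Kommand {
  static initSdk = false

  static description = `
Encrypts an entire secrets file.
The secrets file must be in JSON format and it must contain only strings or objects.
Example:
{
aws: {
s3: {
keyId: 'b61e267676660c314b006b06'
}
}
}
Encrypted secrets are meant to be loaded inside an application with Kuzzle Vault.
See https://github.com/kuzzleio/kuzzle-vault/ for more information.
`

  static examples = [
    'kourou vault:encrypt config/secrets.json --vault-key <vault-key>',
    'kourou vault:encrypt config/secrets.json -o config/secrets_prod.enc.json --vault-key <vault-key>'
  ]

  static flags = {
    force: flags.boolean({
      char: 'f',
      description: 'Overwrite the output file if it already exists'
    }),
    'output-file': flags.string({
      char: 'o',
      description: 'Output file (default: <file>.enc.json)'
    }),
    'vault-key': flags.string({
      description: 'Kuzzle Vault Key (or KUZZLE_VAULT_KEY)',
      default: process.env.KUZZLE_VAULT_KEY,
    }),
  }

  static args = [
    { name: 'file', description: 'File containing unencrypted secrets', required: true }
  ]

  /**
   * Reads the plaintext secrets file given as argument, encrypts every value
   * with the vault key and writes the result to the output file.
   *
   * The output path is `--output-file` when given, otherwise the input path
   * with ".enc" inserted before its extension.
   *
   * @throws Error when the vault key or the input file argument is missing,
   *   when the output file already exists and `--force` is not set, when the
   *   input file does not exist, or when it cannot be parsed.
   */
  async runSafe() {
    if (_.isEmpty(this.flags['vault-key'])) {
      throw new Error('A vault key must be provided')
    }

    if (_.isEmpty(this.args.file)) {
      throw new Error('A secrets file must be provided')
    }

    // An explicit --output-file wins; otherwise derive it from the input path.
    const outputFile = this.flags['output-file'] || VaultEncrypt.defaultOutputFile(this.args.file)

    // Fail early, before the secrets are even read, when we would clobber a file.
    if (fs.existsSync(outputFile) && !this.flags.force) {
      throw new Error(`Output file "${outputFile}" already exists. Use -f flag to overwrite it.`)
    }

    const cryptonomicon = new Cryptonomicon(this.flags['vault-key'])

    if (!fs.existsSync(this.args.file)) {
      throw new Error(`File "${this.args.file}" does not exist`)
    }

    const PARSER = Vault.getParser(this.args.file)

    let secrets = {}
    try {
      secrets = PARSER.parse(fs.readFileSync(this.args.file, 'utf8'))
    }
    catch (error) {
      throw new Error(`Cannot read secrets from file "${this.args.file}": ${error.message}`)
    }

    const encryptedSecrets = cryptonomicon.encryptObject(secrets)

    // Without --force, open with 'wx' so a file that appeared between the
    // existsSync check above and this write is still not overwritten
    // (the check-then-write window). With --force keep plain 'w'.
    fs.writeFileSync(outputFile, PARSER.stringify(encryptedSecrets, null, 2), {
      flag: this.flags.force ? 'w' : 'wx',
    })

    this.logOk(`Secrets were successfully encrypted into the file ${outputFile}`)
  }

  /**
   * Builds the default output path for a secrets file: the same directory and
   * base name with ".enc" inserted before the last extension, e.g.
   * "config/secrets.json" -> "config/secrets.enc.json".
   *
   * path.parse is used instead of splitting on '.' so that directories
   * containing dots ("./config/x.json") and multi-dot base names
   * ("secrets.prod.json") keep their full name and only their last extension
   * is moved behind ".enc". A file without extension yields "<name>.enc".
   *
   * @param file - path of the plaintext secrets file
   * @returns the derived output path
   */
  private static defaultOutputFile(file: string): string {
    const { dir, name, ext } = path.parse(file)
    return path.join(dir, `${name}.enc${ext}`)
  }
}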