decrypt.ts
import fs from 'fs'
import path from 'path'
import _ from 'lodash'
import { flags } from '@oclif/command'
import { Cryptonomicon, Vault } from 'kuzzle-vault'
import { Kommand } from '../../common'
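/**
 * `vault:decrypt` command: reads an encrypted secrets file, decrypts every
 * value with the provided vault key and writes the plaintext result to disk.
 *
 * The output file contains secrets in clear text. It is created with
 * owner-only permissions and must be kept out of version control.
 */
export class VaultDecrypt extends Kommand {
  // NOTE(review): presumably tells Kommand not to open an SDK connection for
  // this command, which only works on local files. Confirm against Kommand.
  static initSdk = false

  static description = `
Decrypts an entire secrets file.
Decrypted secrets file must NEVER be committed into the repository.
See https://github.com/kuzzleio/kuzzle-vault/ for more information.
`

  static examples = [
    'kourou vault:decrypt config/secrets.enc.json --vault-key <vault-key>',
    'kourou vault:decrypt config/secrets.enc.json -o config/secrets.json --vault-key <vault-key>'
  ]

  static flags = {
    force: flags.boolean({
      char: 'f',
      description: 'Overwrite the output file if it already exists'
    }),
    'output-file': flags.string({
      char: 'o',
      description: 'Output file (default: remove ".enc")'
    }),
    // A key passed with --vault-key ends up in shell history and in the
    // process arguments visible to other local users. The KUZZLE_VAULT_KEY
    // environment variable avoids both and is the safer way to supply it.
    'vault-key': flags.string({
      description: 'Kuzzle Vault Key (or KUZZLE_VAULT_KEY)',
      default: process.env.KUZZLE_VAULT_KEY,
    }),
  }

  static args = [
    { name: 'file', description: 'File containing encrypted secrets', required: true }
  ]

  /**
   * Decrypts `args.file` into the output file.
   *
   * The output path is `--output-file` when given. Otherwise it is the input
   * path with the first ".enc" removed from the file name.
   *
   * @throws {Error} when the vault key or the file argument is missing, when
   *   no output name can be derived from the input name, when the output file
   *   exists and `--force` is not set, when the input file does not exist, or
   *   when the input file cannot be parsed.
   */
  async runSafe() {
    if (_.isEmpty(this.flags['vault-key'])) {
      throw new Error('A vault key must be provided')
    }

    if (_.isEmpty(this.args.file)) {
      throw new Error('A secrets file must be provided')
    }

    const inputFile = this.args.file
    let outputFile = this.flags['output-file']

    if (!outputFile) {
      // Strip ".enc" from the file name only. Replacing it anywhere in the
      // path would also rewrite a directory such as ".encrypted/".
      const inputName = path.basename(inputFile)
      const outputName = inputName.replace('.enc', '')

      // Without ".enc" in the name the derived output would be the input
      // itself, and --force would then replace the encrypted file with its
      // plaintext. Require an explicit --output-file instead.
      if (outputName === inputName) {
        throw new Error(`Cannot derive an output file name from "${inputFile}": the file name does not contain ".enc". Use -o to set the output file.`)
      }

      outputFile = path.join(path.dirname(inputFile), outputName)
    }

    if (fs.existsSync(outputFile) && !this.flags.force) {
      throw new Error(`Output file "${outputFile}" already exists. Use -f flag to overwrite it.`)
    }

    const cryptonomicon = new Cryptonomicon(this.flags['vault-key'])

    if (!fs.existsSync(inputFile)) {
      throw new Error(`File "${inputFile}" does not exists`)
    }

    // The parser is chosen by kuzzle-vault from the input file name.
    const parser = Vault.getParser(inputFile)

    let encryptedSecrets = {}
    try {
      encryptedSecrets = parser.parse(fs.readFileSync(inputFile, 'utf8'))
    }
    catch (error) {
      throw new Error(`Cannot read secrets from file "${inputFile}": ${error.message}`)
    }

    const secrets = cryptonomicon.decryptObject(encryptedSecrets)

    // Plaintext secrets: create the file readable and writable by the owner
    // only, rather than with the umask default. `mode` applies only when the
    // file is created, so an existing file overwritten with --force keeps its
    // current permissions.
    fs.writeFileSync(outputFile, parser.stringify(secrets, null, 2), { mode: 0o600 })

    this.logOk(`Secrets were successfully decrypted into the file ${outputFile}`)
  }
}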