lib/travis/cli/encrypt_file.rb in travis-1.11.1 vs lib/travis/cli/encrypt_file.rb in travis-1.12.0
- old
+ new
@@ -1,6 +1,7 @@
-# encoding: utf-8
+# frozen_string_literal: true
+
require 'travis/cli'
require 'travis/tools/system'
require 'securerandom'
require 'openssl'
@@ -9,18 +10,20 @@
module Travis
module CLI
class EncryptFile < RepoCommand
attr_accessor :stage
+
description 'encrypts a file and adds decryption steps to .travis.yml'
on '-K', '--key KEY', 'encryption key to be used (randomly generated otherwise)'
on '--iv IV', 'encryption IV to be used (randomly generated otherwise)'
on '-d', '--decrypt', 'decrypt the file instead of encrypting it, requires key and iv'
on '-f', '--force', 'override output file if it exists'
on '-p', '--print-key', 'print (possibly generated) key and iv'
on '-w', '--decrypt-to PATH', 'where to write the decrypted file to on the Travis CI VM'
- on '-a', '--add [STAGE]', 'automatically add command to .travis.yml (default stage is before_install)' do |c, stage|
+ on '-a', '--add [STAGE]',
+ 'automatically add command to .travis.yml (default stage is before_install)' do |c, stage|
c.stage = stage || 'before_install'
end
def run(input_path, output_path = nil)
confirm = force_interactive.nil? || force_interactive
@@ -35,11 +38,11 @@
else
say "storing result as #{color(output_path, :info)}"
write_file(output_path, result, force)
return if decrypt?
- error "requires --decrypt-to option when reading from stdin" unless decrypt_to?
+ error 'requires --decrypt-to option when reading from stdin' unless decrypt_to?
set_env_vars(input_path)
command = decrypt_command(output_path)
stage ? store_command(command, confirm) : print_command(command)
@@ -50,12 +53,12 @@
def setup
super
self.key ||= SecureRandom.hex(32) unless decrypt?
self.iv ||= SecureRandom.hex(16) unless decrypt?
- error "key must be 64 characters long and a valid hex number" unless key =~ /^[a-f0-9]{64}$/
- error "iv must be 32 characters long and a valid hex number" unless iv =~ /^[a-f0-9]{32}$/
+ error 'key must be 64 characters long and a valid hex number' unless key =~ /^[a-f0-9]{64}$/
+ error 'iv must be 32 characters long and a valid hex number' unless iv =~ /^[a-f0-9]{32}$/
end
def print_command(command)
empty_line
say command, template(__FILE__)
@@ -67,66 +70,74 @@
travis_config[stage].unshift(command)
confirm_and_save_travis_config confirm
end
def decrypt_command(path)
- "openssl aes-256-cbc -K $#{env_name(path, :key)} -iv $#{env_name(path, :iv)} -in #{escape_path(path)} -out #{escape_path(decrypt_to)} -d"
+ "openssl aes-256-cbc -K $#{env_name(path,
+ :key)} -iv $#{env_name(path,
+ :iv)} -in #{escape_path(path)} -out #{escape_path(decrypt_to)} -d"
end
def set_env_vars(input_path)
- say "storing secure env variables for decryption"
- repository.env_vars.upsert env_name(input_path, :key), key, :public => false
- repository.env_vars.upsert env_name(input_path, :iv), iv, :public => false
+ say 'storing secure env variables for decryption'
+ repository.env_vars.upsert env_name(input_path, :key), key, public: false
+ repository.env_vars.upsert env_name(input_path, :iv), iv, public: false
end
def env_name(input_path, name)
@env_prefix ||= "encrypted_#{Digest.hexencode(Digest::SHA1.digest(input_path)[0..5])}"
"#{@env_prefix}_#{name}"
end
def notes(input_path, output_path)
- say "\nkey: #{color(key, :info)}\niv: #{color(iv, :info)}" if print_key?
+ say "\nkey: #{color(key, :info)}\niv: #{color(iv, :info)}" if print_key?
empty_line
say "Make sure to add #{color(output_path, :info)} to the git repository."
- say "Make sure #{color("not", :underline)} to add #{color(input_path, :info)} to the git repository." if input_path != '-'
+ if input_path != '-'
+ say "Make sure #{color('not',
+ :underline)} to add #{color(input_path,
+ :info)} to the git repository."
+ end
say "Commit all changes to your #{color('.travis.yml', :info)}."
end
def transcode(input_path)
description = "stdin#{' (waiting for input)' if $stdin.tty?}" if input_path == '-'
- say "#{decrypt ? "de" : "en"}crypting #{color(description || input_path, :info)} for #{color(slug, :info)}"
+ say "#{decrypt ? 'de' : 'en'}crypting #{color(description || input_path, :info)} for #{color(slug, :info)}"
data = input_path == '-' ? $stdin.read : File.binread(input_path)
aes = OpenSSL::Cipher.new('AES-256-CBC')
- decrypt ? aes.decrypt : aes.encrypt
+ decrypt ? aes.decrypt : aes.encrypt
aes.key = [key].pack('H*')
aes.iv = [iv].pack('H*')
aes.update(data) + aes.final
end
def decrypt_to_for(input_path)
return if input_path == '-'
+
if input_path.start_with? Dir.home
input_path.sub(Dir.home, '~')
else
input_path
end
end
def escape_path(path)
- Shellwords.escape(path).sub(/^\\~\//, '~\/')
+ Shellwords.escape(path).sub(%r{^\\~/}, '~\/')
end
def output_path_for(input_path)
case input_path
when '-' then return '-'
- when /^(.+)\.enc$/ then return $1 if decrypt?
- when /^(.+)\.dec$/ then return $1 unless decrypt?
+ when /^(.+)\.enc$/ then return ::Regexp.last_match(1) if decrypt?
+ when /^(.+)\.dec$/ then return ::Regexp.last_match(1) unless decrypt?
end
- if interactive? and input_path =~ /(\.enc|\.dec)$/
- exit 1 unless danger_zone? "File extension of input file is #{color($1, :info)}, are you sure that is correct?"
+ if interactive? && input_path =~ /(\.enc|\.dec)$/ && !(danger_zone? "File extension of input file is #{color(::Regexp.last_match(1),
+ :info)}, are you sure that is correct?")
+ exit 1
end
"#{input_path}.#{decrypt ? 'dec' : 'enc'}"
end
end