bito-cra.sh - encryption related changes

cra-scripts/bito-cra.sh

@@ -423,6 +423,7 @@ optional_params_server=(
   "code_context"
   "nexus_url"
   "cr_event_type"
+  "encryption_key"
 )
 
 bee_params=(
@@ -575,21 +576,61 @@ for param in "${required_params[@]}" "${bee_params[@]}" "${optional_params[@]}";
         nexus_url=$(echo "${props[$param]}" | sed 's/^[ \t]*//;s/[ \t]*$//')
     elif [ "$param" == "cr_event_type" ]; then
         validate_cr_event_type "${props[$param]}"
+    elif [ "$param" == "encryption_key" ]; then
+        encryption_key_value=${props[$param]}
     else
         docker_cmd+=" --$param=${props[$param]}"
     fi
 
   fi
 done
 docker_cmd+=" --cr_event_type=${cr_event_type}"
-
 docker_cmd=$docker_init_cmd$docker_cmd
+docker_cmd+=' ${docker_enc_params}'
+
+# Function to encrypt text
+encrypt_git_secret() {
+  local key=$1
+  local plaintext=$2
+
+  # Convert key to hex
+  local hex_key=$(echo -n "$key" | xxd -p -c 256)
+
+  # Generate IV (Initialization Vector)
+  local iv=$(openssl rand -base64 16)
+  iv="$(echo -n "$iv" | base64 -d | xxd -p -c 256)"
+
+  # Encrypt plaintext
+  local ciphertext=$(echo -n "$plaintext" | openssl enc -aes-256-cfb -a -K "$hex_key" -iv "$iv" -base64)
+
+  # Concatenate IV and ciphertext and encode with base64
+  local iv_ciphertext=$(echo -n "$iv")$(echo -n "$ciphertext")
+
+  # Encode the concatenated result with base64
+  local encrypted_text=$(echo -n "$iv_ciphertext" | tr -d '\n')
+
+  echo "$encrypted_text"
+}
+
 param_bito_access_key="bito_cli.bito.access_key"
 param_git_access_token="git.access_token"
+param_encryption_key="encryption_key"
+docker_enc_params=
 if [ "$mode" == "server" ]; then
     if [ -n "${props[$param_bito_access_key]}" ] && [ -n "${props[$param_git_access_token]}" ]; then
         git_secret="${props[$param_bito_access_key]}@#~^${props[$param_git_access_token]}"
 
+        if [ -n "${props[$param_encryption_key]}" ]; then
+            encryption_key="${props[$param_encryption_key]}"
+            if [[ ${#encryption_key} -eq 44 ]] && [[ $encryption_key =~ ^[A-Za-z0-9+/]{43}=$ ]]; then
+                git_secret=$(encrypt_git_secret "$encryption_key" "$git_secret")
+                docker_enc_params=" --git.secret=$git_secret --encryption_key=$encryption_key"
+            else
+                echo "Error: Encryption key must be a 44-character base64 string generated by openssl rand -base64 32."
+                exit 1
+            fi
+        fi
+
         echo "Use below as Gitlab and Github Webhook secret:"
         echo "$git_secret"
         echo
@@ -622,7 +663,7 @@ fi
 
 
 if [ "$?" == 0 ]; then
-	echo "Running command: $(eval echo $docker_cmd)"
+	echo "Running command: $(echo eval $docker_cmd)"
 	eval "$docker_cmd"
 
         if [ "$?" == 0 ] && [ "$mode" == "server" ]; then