Initial commit

kamilchm · May 16, 2024 · 01267f8 · 01267f8
1 parent caee233
commit 01267f8
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 0 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,15 @@
+name: "Test"
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: cachix/install-nix-action@v18
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+    - run: ./tests.sh
diff --git a/dotsecrets b/dotsecrets
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+# To encrypt an env var value:
+#   bash .secrets VAR_NAME VALUE >> .secrets
+#
+# To encrypt a file:
+#   bash .secrets FILENAME >> .secrets
+#
+# To decrypt secrets in the current env (vars + files):
+#   export `bash .secrets`
+
+if [ -z "$SECRET_KEY" ]; then
+  >&2 echo "You need to have SECRET_KEY set"
+  exit 1
+fi
+PASS="pass:$SECRET_KEY"
+
+if [ -n "$1" ]; then
+  secretName="$1"
+  secretType="var"
+  valueCmd="echo -n $2"
+  if [ -z "$2" ]; then
+    if [ ! -f "$secretName" ]; then
+      >&2 echo "Empty secret value."
+      exit 1
+    fi
+    secretType="file"
+    valueCmd="cat $1"
+  fi
+
+  encoded=$($valueCmd | openssl enc -e -des3 -base64 -A -pass "$PASS" -pbkdf2)
+  echo "$secretType \"$secretName\" \"$encoded\""
+  exit 0
+fi
+
+var() {
+  echo -n "$1="
+  echo "$2" | openssl enc -d -des3 -base64 -pass "$PASS" -pbkdf2
+  echo ""
+}
+
+file() {
+  echo "$2" | openssl enc -d -des3 -base64 -pass "$PASS" -pbkdf2 > "$1"
+}
+
+# SECRETS
diff --git a/tests.sh b/tests.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash_unit -p bash bash_unit coreutils openssl
+set -euo pipefail
+
+test_env_var() {
+  export SECRET_KEY="dotsecrets-key"
+
+  bash .secrets "VAR_ONE" "VAL ONE" >> .secrets
+  assert_equals 0 $?
+
+  grep "VAL ONE" .secrets
+  assert_equals 1 $? "unencrypted value found in .secrets"
+
+  assert_equals 'VAR_ONE=VAL ONE' "$(bash .secrets)"
+}
+
+test_secret_key_not_set() {
+  unset SECRET_KEY
+  bash .secrets "VAR_ONE" "VAL_ONE" >> .secrets
+  assert_equals 1 $? "should return error if SECRET_KEY is not set"
+}
+
+CWD="$(pwd)"
+
+setup() {
+  cd "$(mktemp -d)"
+  cp "$CWD/dotsecrets" .secrets
+}
+
+teardown() {
+  cd "$CWD"
+  # TODO: verify .secrets code is unchanged
+  # TODO: verify .secrtes is the only file that can be modified
+}