class Travis::CLI::EncryptFile
def decrypt_command(path)
def decrypt_command(path) "openssl aes-256-cbc -K $#{env_name(:key)} -iv $#{env_name(:iv)} -in #{escape_path(path)} -out #{escape_path(decrypt_to)} -d" end
def decrypt_to_for(input_path)
def decrypt_to_for(input_path) return if input_path == '-' if input_path.start_with? Dir.home input_path.sub(Dir.home, '~') else input_path end end
def env_name(name)
def env_name(name) @env_prefix ||= "encrypted_#{Digest.hexencode(Digest::SHA1.digest(Dir.pwd)[0..5])}" "#{@env_prefix}_#{name}" end
def escape_path(path)
def escape_path(path) Shellwords.escape(path).sub(/^\\~\//, '~\/') end
def notes(input_path, output_path)
def notes(input_path, output_path) say "\nkey: #{color(key, :info)}\niv: #{color(iv, :info)}" if print_key? empty_line say "Make sure to add #{color(output_path, :info)} to the git repository." say "Make sure #{color("not", :underline)} to add #{color(input_path, :info)} to the git repository." if input_path != '-' say "Commit all changes to your #{color('.travis.yml', :info)}." end
def output_path_for(input_path)
def output_path_for(input_path) case input_path when '-' then return '-' when /^(.+)\.enc$/ then return $1 if decrypt? when /^(.+)\.dec$/ then return $1 unless decrypt? end if interactive? and input_path =~ /(\.enc|\.dec)$/ exit 1 unless danger_zone? "File extension of input file is #{color($1, :info)}, are you sure that is correct?" end "#{input_path}.#{decrypt ? 'dec' : 'enc'}" end
def print_command(command)
def print_command(command) empty_line say command, template(__FILE__) end
def run(input_path, output_path = nil)
def run(input_path, output_path = nil) self.decrypt_to ||= decrypt_to_for(input_path) output_path ||= File.basename(output_path_for(input_path)) self.output = $stdout.tty? ? StringIO.new : $stderr if output_path == '-' result = transcode(input_path) if output_path == '-' $stdout.puts result else say "storing result as #{color(output_path, :info)}" write_file(output_path, result, force) return if decrypt? error "requires --decrypt-to option when reading from stdin" unless decrypt_to? set_env_vars command = decrypt_command(output_path) stage ? store_command(command) : print_command(command) notes(input_path, output_path) end end
def set_env_vars
def set_env_vars say "storing secure env variables for decryption" repository.env_vars.upsert env_name(:key), key, :public => false repository.env_vars.upsert env_name(:iv), iv, :public => false end
def setup
def setup super self.key ||= SecureRandom.hex(32) unless decrypt? self.iv ||= SecureRandom.hex(16) unless decrypt? error "key must be 64 characters long and a valid hex number" unless key =~ /^[a-f0-9]{64}$/ error "iv must be 32 characters long and a valid hex number" unless iv =~ /^[a-f0-9]{32}$/ end
def store_command(command)
def store_command(command) travis_config[stage] = Array(travis_config[stage]) travis_config[stage].delete(command) travis_config[stage].unshift(command) save_travis_config end
def transcode(input_path)
def transcode(input_path) description = "stdin#{' (waiting for input)' if $stdin.tty?}" if input_path == '-' say "#{decrypt ? "de" : "en"}crypting #{color(description || input_path, :info)} for #{color(slug, :info)}" data = input_path == '-' ? $stdin.read : File.binread(input_path) aes = OpenSSL::Cipher.new('AES-256-CBC') decrypt ? aes.decrypt : aes.encrypt aes.key = [key].pack('H*') aes.iv = [iv].pack('H*') aes.update(data) + aes.final end