diff --git a/CHANGELOG.md b/CHANGELOG.md index 509376b4..f5a18e39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,19 +7,22 @@ - Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor` when encrypting files, so secret files are stored in text format rather than binary (#631) -- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811) - `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811) +- Improve verbose and non-verbose output ### Bugfixes - Fix adding newlines to `.gitignore` entries (#643) - Fix `cat` and `reveal` on named files while in repo subdir (#710) +- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833) - Fix for `removeperson` if same email is present multiple times (#638) - Correct error message about files missing from .gitignore ### Misc +- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811) - Rename `killperson` command to `removeperson` (#684) +- Improve error messaging decrypting nonexistent files (#706) - Improve, expand, correct, and update docs (#699) - Update docs for use with CI/CD server (#675) - Upgrade bats-core to v1.6.0 (#755) diff --git a/src/_utils/_git_secret_tools.sh b/src/_utils/_git_secret_tools.sh index 8c28fa93..cb57dc97 100644 --- a/src/_utils/_git_secret_tools.sh +++ b/src/_utils/_git_secret_tools.sh 
@@ -465,44 +465,31 @@ function _warn_or_abort { } -function _find_and_remove_secrets { - # required: - local pattern="$1" # can be any string pattern - - local verbose_opt='' - if [[ -n "$_SECRETS_VERBOSE" ]]; then - verbose_opt='v'; - fi - - local root - root=$(_get_git_root_path) - - # shellcheck disable=SC2086 - find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose_opt -} - - function _find_and_remove_secrets_formatted { - # required: - local pattern="$1" # can be any string pattern - - local outputs - outputs=$(_find_and_remove_secrets "$pattern") - - if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then - # shellcheck disable=SC2001 - echo "$outputs" | sed "s/^/git-secret: cleaning: /" - fi + local filenames + _list_all_added_files # sets array variable 'filenames' + + for filename in "${filenames[@]}"; do + local path # absolute path + encrypted_filename=$(_get_encrypted_filename "$filename") + if [[ -f "$encrypted_filename" ]]; then + rm "$encrypted_filename" + if [[ -n "$_SECRETS_VERBOSE" ]]; then + echo "git-secret: deleted: $encrypted_filename" + fi + fi + done } + # this sets the global array variable 'filenames' function _list_all_added_files { local path_mappings path_mappings=$(_get_secrets_dir_paths_mapping) if [[ ! -s "$path_mappings" ]]; then - _abort "$path_mappings is missing." + _abort "path_mappings file is missing or empty: $path_mappings" fi local filename @@ -540,7 +527,7 @@ function _secrets_dir_is_not_ignored { ignores=$(_check_ignore "$git_secret_dir") if [[ ! $ignores -eq 1 ]]; then - _abort "'$git_secret_dir' is in .gitignore" + _abort "entry already in .gitignore: $git_secret_dir" fi } 
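Review bot: The new loop in `_find_and_remove_secrets_formatted` tests and deletes `$encrypted_filename` exactly as `_get_encrypted_filename` returns it, and the only trace of root resolution is the unused `local path # absolute path`. If the mapping stores root-relative names (not visible in this hunk), running from a subdirectory would make `[[ -f ... ]]` fail for every entry and skip the deletion silently, whereas the removed `find "$root"` version always started at the repository root. The same pattern is in `_optional_delete` in src/commands/git_secret_hide.sh (`[[ -e "$filename" ]]` then `rm "$filename"`), where a silent skip leaves the unencrypted secret on disk. Consider prefixing the name with `$(_get_git_root_path)` before the test and calling `rm -- "$path"`. Separately, `filename` and `encrypted_filename` are assigned without `local`, so `local filename encrypted_filename` could replace the unused `local path`.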
@@ -783,6 +770,10 @@ function _decrypt { local encrypted_filename encrypted_filename=$(_get_encrypted_filename "$filename") + if [ ! -f "$encrypted_filename" ]; then + _warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok" + fi + local args=( "--use-agent" "--decrypt" ) if [[ "$write_to_file" -eq 1 ]]; then diff --git a/src/commands/git_secret_clean.sh b/src/commands/git_secret_clean.sh index d44cd6d5..028ccaef 100644 --- a/src/commands/git_secret_clean.sh +++ b/src/commands/git_secret_clean.sh @@ -24,6 +24,5 @@ function clean { _user_required - # User should see properly formatted output: - _find_and_remove_secrets_formatted "*$SECRETS_EXTENSION" + _find_and_remove_secrets_formatted } diff --git a/src/commands/git_secret_hide.sh b/src/commands/git_secret_hide.sh index 3bffc55d..4e078f2a 100644 --- a/src/commands/git_secret_hide.sh +++ b/src/commands/git_secret_hide.sh @@ -15,14 +15,6 @@ BEGIN { FS=":"; OFS=":"; } } ' -function _optional_clean { - local clean="$1" - - if [[ $clean -eq 1 ]]; then - _find_and_remove_secrets_formatted "*$SECRETS_EXTENSION" - fi -} - function _optional_delete { local delete="$1" @@ -33,19 +25,19 @@ function _optional_delete { # We use custom formatting here: if [[ -n "$_SECRETS_VERBOSE" ]]; then - echo && _message 'removing unencrypted files:' + _message 'removing unencrypted files' fi - while read -r line; do - # So the formatting would not be repeated several times here: + while read -r line; do # each line is a record like: filename: or filename:hash local filename filename=$(_get_record_filename "$line") - _find_and_remove_secrets "*$filename" + if [[ -e "$filename" ]]; then + rm "$filename" + if [[ -n "$_SECRETS_VERBOSE" ]]; then + _message "deleted: $filename" + fi + fi done < "$path_mappings" - - if [[ -n "$_SECRETS_VERBOSE" ]]; then - echo - fi fi } 
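Review bot: In the check added to `_decrypt`, a set `$error_ok` presumably makes `_warn_or_abort` only warn (its body is outside this hunk), so execution continues into the gpg call with an input already known to be missing, and the user likely sees a second, less specific error. If that fall-through is intended, a comment such as `# with error_ok set we continue and let gpg report the missing input as well` would make it explicit; otherwise return right after the warning with the status the callers of `_decrypt` expect. The hard-coded `"1"` also changes the exit status of `cat` on a missing file from 2 to 1 (tests/test_cat.bats is adjusted in this commit), which deserves a changelog line for scripts that check it. As a style point, the test uses `[ ! -f ... ]` while the surrounding code uses `[[ ... ]]`. `_decrypt` starts and ends outside the hunk.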
@@ -115,9 +107,11 @@ function hide { # We need user to continue: _user_required - # If -c option was provided, it would clean the hidden files + # If -c option was provided, clean the hidden files # before creating new ones. - _optional_clean "$clean" + if [[ $clean -eq 1 ]]; then + _find_and_remove_secrets_formatted + fi # Encrypting files: diff --git a/src/commands/git_secret_remove.sh b/src/commands/git_secret_remove.sh index 9eeff190..056b5513 100644 --- a/src/commands/git_secret_remove.sh +++ b/src/commands/git_secret_remove.sh @@ -53,6 +53,9 @@ function remove { encrypted_filename=$(_get_encrypted_filename "$path") rm "$encrypted_filename" # fail on error + if [[ -n "$_SECRETS_VERBOSE" ]]; then + _message "deleted: $encrypted_filename" + fi fi done diff --git a/tests/_test_base.bash b/tests/_test_base.bash index c29610aa..391998f6 100644 --- a/tests/_test_base.bash +++ b/tests/_test_base.bash @@ -259,9 +259,9 @@ function set_state_git { local has_initial_branch_option has_initial_branch_option=$(is_git_version_ge_2_28_0) # 0 for true if [[ "$has_initial_branch_option" == 0 ]]; then - git init --initial-branch=main >> "$TEST_OUTPUT_FILE" 2>&1 + git init --initial-branch=main | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1 else - git init >> "$TEST_OUTPUT_FILE" 2>&1 + git init | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1 fi } diff --git a/tests/test_cat.bats b/tests/test_cat.bats index f39b4ab8..e88b6739 100644 --- a/tests/test_cat.bats +++ b/tests/test_cat.bats @@ -55,7 +55,7 @@ function teardown { @test "run 'cat' with wrong filename" { run git secret cat -d "$TEST_GPG_HOMEDIR" -p "$password" NO_SUCH_FILE - [ "$status" -eq 2 ] + [ "$status" -eq 1 ] } diff --git a/tests/test_clean.bats b/tests/test_clean.bats index fb8e523f..165556c2 100644 --- a/tests/test_clean.bats +++ b/tests/test_clean.bats 
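Review bot: The verbose line added to `remove` goes through `_message "deleted: $encrypted_filename"`, while `_find_and_remove_secrets_formatted` in src/_utils/_git_secret_tools.sh, added in the same commit, hand-writes `echo "git-secret: deleted: $encrypted_filename"`. Assuming `_message` adds that prefix (its body is not shown here), calling `_message` in both places keeps the output format in one helper. The enclosing `remove` function extends beyond the hunk.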
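Review bot: In `set_state_git`, the new `git init ... | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1` attaches `2>&1` to `sed`, so git's own stderr is no longer written to the log file. The pipeline also returns sed's status, which hides a failing `git init` unless `pipefail` is enabled. Moving the redirection in front of the pipe restores the stderr capture: `git init --initial-branch=main 2>&1 | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE"`, and likewise in the `else` branch. The exit status still needs `pipefail` or an explicit check. `set_state_git` starts outside the hunk.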
@@ -68,7 +68,7 @@ function _secret_files_exists { second_filename=$(_get_encrypted_filename "$SECOND_FILE") # Output must be verbose: - [[ "$output" == *"cleaning"* ]] + [[ "$output" == *"deleted"* ]] [[ "$output" == *"$first_filename"* ]] [[ "$output" == *"$second_filename"* ]] } @@ -79,7 +79,7 @@ function _secret_files_exists { [ "$status" -eq 0 ] # Output must be verbose: - [[ "$output" == *"cleaning"* ]] + [[ "$output" == *"deleted:"* ]] } # this test is like above, but sets SECRETS_VERBOSE env var to 0 diff --git a/tests/test_hide.bats b/tests/test_hide.bats index 46294e1f..71cd526e 100644 --- a/tests/test_hide.bats +++ b/tests/test_hide.bats @@ -268,7 +268,7 @@ function teardown { [ -f "$FILE_TO_HIDE" ] # Output should be verbose: - [[ "$output" == *"cleaning"* ]] + [[ "$output" == *"deleted:"* ]] [[ "$output" == *"$encrypted_filename"* ]] } diff --git a/tests/test_reveal.bats b/tests/test_reveal.bats index 006c5273..5799743a 100644 --- a/tests/test_reveal.bats +++ b/tests/test_reveal.bats @@ -50,7 +50,7 @@ function teardown { rm -f "$FILE_TO_HIDE" local password=$(test_user_password "$TEST_DEFAULT_USER") - run git secret reveal -Z k-d "$TEST_GPG_HOMEDIR" -p "$password" + run git secret reveal -Z -d "$TEST_GPG_HOMEDIR" -p "$password" [ "$status" -ne 0 ] } @@ -61,6 +61,11 @@ function teardown { [ "$status" -ne 0 ] } +@test "run 'reveal' on nonexistent file" { + local password=$(test_user_password "$TEST_DEFAULT_USER") + run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password" "DOES-NOT-EXIST" + [ "$status" -ne 0 ] +} @test "run 'reveal' with '-f'" { rm "$FILE_TO_HIDE" diff --git a/utils/tests.sh b/utils/tests.sh index 73914f5d..1c58ade7 100755 --- a/utils/tests.sh +++ b/utils/tests.sh @@ -26,7 +26,6 @@ chmod 0700 "${TEST_DIR}" # (IE, like: `echo '# message here' >&3`). # bats ... 3>&1 shows diagnostic output bats "${SECRETS_PROJECT_ROOT}/tests" 3>&1 - # bats "${SECRETS_PROJECT_ROOT}/tests/test_tell.bats" 3>&1 ) rm -rf "${TEST_DIR}"
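Review bot: The added test "run 'reveal' on nonexistent file" in tests/test_reveal.bats asserts only `[ "$status" -ne 0 ]`, which also passes when `reveal` fails for an unrelated reason such as a wrong password or an unusable keyring. Pinning the new message ties the test to the `_decrypt` check introduced in this commit: `[[ "$output" == *"cannot find file to decrypt"* ]]`. `local password=$(...)` also masks the helper's exit status, though that matches the existing tests in this file.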