Issue 706 decrypt errors (#831)
* check for encrypted version of file before decrypting, for #706 * improve error messages, verbose output and non-verbose output * in tests, prefix output from git init with 'git: ' * 'clean' options only remove added files, for #833 * update changelog
This commit is contained in:
parent
87e36cca5b
commit
549cd9aa24
@ -7,19 +7,22 @@
|
|||||||
- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
|
- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
|
||||||
when encrypting files, so secret files are stored
|
when encrypting files, so secret files are stored
|
||||||
in text format rather than binary (#631)
|
in text format rather than binary (#631)
|
||||||
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
|
|
||||||
- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
|
- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
|
||||||
|
- Improve verbose and non-verbose output
|
||||||
|
|
||||||
### Bugfixes
|
### Bugfixes
|
||||||
|
|
||||||
- Fix adding newlines to `.gitignore` entries (#643)
|
- Fix adding newlines to `.gitignore` entries (#643)
|
||||||
- Fix `cat` and `reveal` on named files while in repo subdir (#710)
|
- Fix `cat` and `reveal` on named files while in repo subdir (#710)
|
||||||
|
- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
|
||||||
- Fix for `removeperson` if same email is present multiple times (#638)
|
- Fix for `removeperson` if same email is present multiple times (#638)
|
||||||
- Correct error message about files missing from .gitignore
|
- Correct error message about files missing from .gitignore
|
||||||
|
|
||||||
### Misc
|
### Misc
|
||||||
|
|
||||||
|
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
|
||||||
- Rename `killperson` command to `removeperson` (#684)
|
- Rename `killperson` command to `removeperson` (#684)
|
||||||
|
- Improve error messaging decrypting nonexistent files (#706)
|
||||||
- Improve, expand, correct, and update docs (#699)
|
- Improve, expand, correct, and update docs (#699)
|
||||||
- Update docs for use with CI/CD server (#675)
|
- Update docs for use with CI/CD server (#675)
|
||||||
- Upgrade bats-core to v1.6.0 (#755)
|
- Upgrade bats-core to v1.6.0 (#755)
|
||||||
|
@ -465,44 +465,31 @@ function _warn_or_abort {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
function _find_and_remove_secrets {
|
|
||||||
# required:
|
|
||||||
local pattern="$1" # can be any string pattern
|
|
||||||
|
|
||||||
local verbose_opt=''
|
|
||||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
|
||||||
verbose_opt='v';
|
|
||||||
fi
|
|
||||||
|
|
||||||
local root
|
|
||||||
root=$(_get_git_root_path)
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose_opt
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function _find_and_remove_secrets_formatted {
|
function _find_and_remove_secrets_formatted {
|
||||||
# required:
|
local filenames
|
||||||
local pattern="$1" # can be any string pattern
|
_list_all_added_files # sets array variable 'filenames'
|
||||||
|
|
||||||
local outputs
|
for filename in "${filenames[@]}"; do
|
||||||
outputs=$(_find_and_remove_secrets "$pattern")
|
local path # absolute path
|
||||||
|
encrypted_filename=$(_get_encrypted_filename "$filename")
|
||||||
if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
|
if [[ -f "$encrypted_filename" ]]; then
|
||||||
# shellcheck disable=SC2001
|
rm "$encrypted_filename"
|
||||||
echo "$outputs" | sed "s/^/git-secret: cleaning: /"
|
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||||
fi
|
echo "git-secret: deleted: $encrypted_filename"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# this sets the global array variable 'filenames'
|
# this sets the global array variable 'filenames'
|
||||||
function _list_all_added_files {
|
function _list_all_added_files {
|
||||||
local path_mappings
|
local path_mappings
|
||||||
path_mappings=$(_get_secrets_dir_paths_mapping)
|
path_mappings=$(_get_secrets_dir_paths_mapping)
|
||||||
|
|
||||||
if [[ ! -s "$path_mappings" ]]; then
|
if [[ ! -s "$path_mappings" ]]; then
|
||||||
_abort "$path_mappings is missing."
|
_abort "path_mappings file is missing or empty: $path_mappings"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local filename
|
local filename
|
||||||
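Review bot: In the new `_find_and_remove_secrets_formatted`, `local path # absolute path` is declared but never used, while the loop variable `filename` and `encrypted_filename` are assigned without `local` and so leak into the caller's scope; replace the unused declaration with `local filename encrypted_filename`. `rm "$encrypted_filename"` should also be `rm -- "$encrypted_filename"` so a mapped name that begins with `-` cannot be parsed as an option. A failed `rm` (for example a permissions error) is silently passed over here; if callers depend on the exit status, report it with the same `_warn_or_abort` helper used elsewhere in this commit. `_list_all_added_files` continues past the end of the hunk.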
@ -540,7 +527,7 @@ function _secrets_dir_is_not_ignored {
|
|||||||
ignores=$(_check_ignore "$git_secret_dir")
|
ignores=$(_check_ignore "$git_secret_dir")
|
||||||
|
|
||||||
if [[ ! $ignores -eq 1 ]]; then
|
if [[ ! $ignores -eq 1 ]]; then
|
||||||
_abort "'$git_secret_dir' is in .gitignore"
|
_abort "entry already in .gitignore: $git_secret_dir"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -783,6 +770,10 @@ function _decrypt {
|
|||||||
local encrypted_filename
|
local encrypted_filename
|
||||||
encrypted_filename=$(_get_encrypted_filename "$filename")
|
encrypted_filename=$(_get_encrypted_filename "$filename")
|
||||||
|
|
||||||
|
if [ ! -f "$encrypted_filename" ]; then
|
||||||
|
_warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"
|
||||||
|
fi
|
||||||
|
|
||||||
local args=( "--use-agent" "--decrypt" )
|
local args=( "--use-agent" "--decrypt" )
|
||||||
|
|
||||||
if [[ "$write_to_file" -eq 1 ]]; then
|
if [[ "$write_to_file" -eq 1 ]]; then
|
||||||
|
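Review bot: After `_warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"` returns in the non-fatal case (when `$error_ok` permits a warning instead of an abort, as the helper's name suggests), control falls through to build `args` and run the decrypt on a file already known to be missing, so the user sees the new message followed by a second error from gpg; a `return 1` inside the `if` completes the guard. The new check also uses `[ ... ]` where the rest of `_decrypt` uses `[[ ... ]]` (see `if [[ "$write_to_file" -eq 1 ]]` just below); `if [[ ! -f "$encrypted_filename" ]]; then` keeps the file consistent. `_decrypt` starts and ends outside this hunk, and the exact semantics of `_warn_or_abort` are not visible here.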
@ -24,6 +24,5 @@ function clean {
|
|||||||
|
|
||||||
_user_required
|
_user_required
|
||||||
|
|
||||||
# User should see properly formatted output:
|
_find_and_remove_secrets_formatted
|
||||||
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
|
|
||||||
}
|
}
|
||||||
|
@ -15,14 +15,6 @@ BEGIN { FS=":"; OFS=":"; }
|
|||||||
}
|
}
|
||||||
'
|
'
|
||||||
|
|
||||||
function _optional_clean {
|
|
||||||
local clean="$1"
|
|
||||||
|
|
||||||
if [[ $clean -eq 1 ]]; then
|
|
||||||
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
function _optional_delete {
|
function _optional_delete {
|
||||||
local delete="$1"
|
local delete="$1"
|
||||||
@ -33,19 +25,19 @@ function _optional_delete {
|
|||||||
|
|
||||||
# We use custom formatting here:
|
# We use custom formatting here:
|
||||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||||
echo && _message 'removing unencrypted files:'
|
_message 'removing unencrypted files'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
while read -r line; do
|
while read -r line; do # each line is a record like: filename: or filename:hash
|
||||||
# So the formatting would not be repeated several times here:
|
|
||||||
local filename
|
local filename
|
||||||
filename=$(_get_record_filename "$line")
|
filename=$(_get_record_filename "$line")
|
||||||
_find_and_remove_secrets "*$filename"
|
if [[ -e "$filename" ]]; then
|
||||||
|
rm "$filename"
|
||||||
|
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||||
|
_message "deleted: $filename"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
done < "$path_mappings"
|
done < "$path_mappings"
|
||||||
|
|
||||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
|
||||||
echo
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
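Review bot: The replacement `if [[ -e "$filename" ]]; then` / `rm "$filename"` in `_optional_delete` is looser than the code it replaces: the removed `_find_and_remove_secrets` matched `-type f` only, while `-e` is true for directories and other non-regular entries, on which a plain `rm` then fails; `if [[ -f "$filename" ]]; then` and `rm -- "$filename"` restore that and also protect against names starting with `-`. The record filename comes from `_get_record_filename`, which presumably yields a path relative to the repository root, yet `-e` and `rm` are evaluated relative to the current directory, so this only works if `_optional_delete` is entered from the root — worth confirming given the subdir fix (#710) listed in the changelog. The enclosing function starts outside this hunk and `$path_mappings` is set above it.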
@ -115,9 +107,11 @@ function hide {
|
|||||||
# We need user to continue:
|
# We need user to continue:
|
||||||
_user_required
|
_user_required
|
||||||
|
|
||||||
# If -c option was provided, it would clean the hidden files
|
# If -c option was provided, clean the hidden files
|
||||||
# before creating new ones.
|
# before creating new ones.
|
||||||
_optional_clean "$clean"
|
if [[ $clean -eq 1 ]]; then
|
||||||
|
_find_and_remove_secrets_formatted
|
||||||
|
fi
|
||||||
|
|
||||||
# Encrypting files:
|
# Encrypting files:
|
||||||
|
|
||||||
|
@ -53,6 +53,9 @@ function remove {
|
|||||||
encrypted_filename=$(_get_encrypted_filename "$path")
|
encrypted_filename=$(_get_encrypted_filename "$path")
|
||||||
|
|
||||||
rm "$encrypted_filename" # fail on error
|
rm "$encrypted_filename" # fail on error
|
||||||
|
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||||
|
_message "deleted: $encrypted_filename"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -259,9 +259,9 @@ function set_state_git {
|
|||||||
local has_initial_branch_option
|
local has_initial_branch_option
|
||||||
has_initial_branch_option=$(is_git_version_ge_2_28_0) # 0 for true
|
has_initial_branch_option=$(is_git_version_ge_2_28_0) # 0 for true
|
||||||
if [[ "$has_initial_branch_option" == 0 ]]; then
|
if [[ "$has_initial_branch_option" == 0 ]]; then
|
||||||
git init --initial-branch=main >> "$TEST_OUTPUT_FILE" 2>&1
|
git init --initial-branch=main | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
|
||||||
else
|
else
|
||||||
git init >> "$TEST_OUTPUT_FILE" 2>&1
|
git init | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
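Review bot: In the rewritten `git init ... | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1` lines, the `2>&1` now applies to `sed` rather than to `git`, so git's stderr (where it prints its hints and errors) is no longer captured in the test output file and no longer gets the `git: ` prefix; move the redirect onto the git side: `git init --initial-branch=main 2>&1 | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE"`, and likewise for the plain `git init` branch. A failed `git init` is also hidden behind the pipe, since the pipeline's status is `sed`'s unless `pipefail` is set in this test helper, which is not visible here.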
@ -55,7 +55,7 @@ function teardown {
|
|||||||
|
|
||||||
@test "run 'cat' with wrong filename" {
|
@test "run 'cat' with wrong filename" {
|
||||||
run git secret cat -d "$TEST_GPG_HOMEDIR" -p "$password" NO_SUCH_FILE
|
run git secret cat -d "$TEST_GPG_HOMEDIR" -p "$password" NO_SUCH_FILE
|
||||||
[ "$status" -eq 2 ]
|
[ "$status" -eq 1 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ function _secret_files_exists {
|
|||||||
second_filename=$(_get_encrypted_filename "$SECOND_FILE")
|
second_filename=$(_get_encrypted_filename "$SECOND_FILE")
|
||||||
|
|
||||||
# Output must be verbose:
|
# Output must be verbose:
|
||||||
[[ "$output" == *"cleaning"* ]]
|
[[ "$output" == *"deleted"* ]]
|
||||||
[[ "$output" == *"$first_filename"* ]]
|
[[ "$output" == *"$first_filename"* ]]
|
||||||
[[ "$output" == *"$second_filename"* ]]
|
[[ "$output" == *"$second_filename"* ]]
|
||||||
}
|
}
|
||||||
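Review bot: The updated assertion `[[ "$output" == *"deleted"* ]]` here checks a bare `deleted`, while the equivalent assertions in the next two hunks check `*"deleted:"*`; use the same `[[ "$output" == *"deleted:"* ]]` form here so all three pin the exact prefix the new code emits (`git-secret: deleted: ...` and `_message "deleted: ..."`). The `@test` block this assertion belongs to begins outside the hunk.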
@ -79,7 +79,7 @@ function _secret_files_exists {
|
|||||||
[ "$status" -eq 0 ]
|
[ "$status" -eq 0 ]
|
||||||
|
|
||||||
# Output must be verbose:
|
# Output must be verbose:
|
||||||
[[ "$output" == *"cleaning"* ]]
|
[[ "$output" == *"deleted:"* ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
# this test is like above, but sets SECRETS_VERBOSE env var to 0
|
# this test is like above, but sets SECRETS_VERBOSE env var to 0
|
||||||
|
@ -268,7 +268,7 @@ function teardown {
|
|||||||
[ -f "$FILE_TO_HIDE" ]
|
[ -f "$FILE_TO_HIDE" ]
|
||||||
|
|
||||||
# Output should be verbose:
|
# Output should be verbose:
|
||||||
[[ "$output" == *"cleaning"* ]]
|
[[ "$output" == *"deleted:"* ]]
|
||||||
[[ "$output" == *"$encrypted_filename"* ]]
|
[[ "$output" == *"$encrypted_filename"* ]]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -50,7 +50,7 @@ function teardown {
|
|||||||
rm -f "$FILE_TO_HIDE"
|
rm -f "$FILE_TO_HIDE"
|
||||||
|
|
||||||
local password=$(test_user_password "$TEST_DEFAULT_USER")
|
local password=$(test_user_password "$TEST_DEFAULT_USER")
|
||||||
run git secret reveal -Z k-d "$TEST_GPG_HOMEDIR" -p "$password"
|
run git secret reveal -Z -d "$TEST_GPG_HOMEDIR" -p "$password"
|
||||||
[ "$status" -ne 0 ]
|
[ "$status" -ne 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -61,6 +61,11 @@ function teardown {
|
|||||||
[ "$status" -ne 0 ]
|
[ "$status" -ne 0 ]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@test "run 'reveal' on nonexistent file" {
|
||||||
|
local password=$(test_user_password "$TEST_DEFAULT_USER")
|
||||||
|
run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password" "DOES-NOT-EXIST"
|
||||||
|
[ "$status" -ne 0 ]
|
||||||
|
}
|
||||||
|
|
||||||
@test "run 'reveal' with '-f'" {
|
@test "run 'reveal' with '-f'" {
|
||||||
rm "$FILE_TO_HIDE"
|
rm "$FILE_TO_HIDE"
|
||||||
|
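Review bot: The new test `run 'reveal' on nonexistent file` only asserts `[ "$status" -ne 0 ]`, which any failure (missing keys, bad password, wrong working directory) would also satisfy, so it does not actually pin the new error path for #706; add `[[ "$output" == *"cannot find file to decrypt"* ]]` after the status check, matching the message introduced in `_decrypt`. `local password=$(...)` also masks the helper's exit status because `local` succeeds regardless; the neighbouring tests do the same, so it is consistent, but `local password; password=$(test_user_password "$TEST_DEFAULT_USER")` is the safer form.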
@ -26,7 +26,6 @@ chmod 0700 "${TEST_DIR}"
|
|||||||
# (IE, like: `echo '# message here' >&3`).
|
# (IE, like: `echo '# message here' >&3`).
|
||||||
# bats ... 3>&1 shows diagnostic output
|
# bats ... 3>&1 shows diagnostic output
|
||||||
bats "${SECRETS_PROJECT_ROOT}/tests" 3>&1
|
bats "${SECRETS_PROJECT_ROOT}/tests" 3>&1
|
||||||
# bats "${SECRETS_PROJECT_ROOT}/tests/test_tell.bats" 3>&1
|
|
||||||
)
|
)
|
||||||
|
|
||||||
rm -rf "${TEST_DIR}"
|
rm -rf "${TEST_DIR}"
|
||||||
|