Issue 706 decrypt errors (#831)

* check for encrypted version of file before decrypting, for #706
* improve error messages, verbose output and non-verbose output
* in tests, prefix output from git init with 'git: '
* 'clean' options only remove added files, for #833
* update changelog
This commit is contained in:
Josh Rabinowitz 2022-04-19 17:14:55 -04:00 committed by GitHub
parent 87e36cca5b
commit 549cd9aa24
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 51 additions and 57 deletions

View File

@ -7,19 +7,22 @@
- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
when encrypting files, so secret files are stored
in text format rather than binary (#631)
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
- Improve verbose and non-verbose output
### Bugfixes
- Fix adding newlines to `.gitignore` entries (#643)
- Fix `cat` and `reveal` on named files while in repo subdir (#710)
- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
- Fix for `removeperson` if same email is present multiple times (#638)
- Correct error message about files missing from .gitignore
### Misc
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
- Rename `killperson` command to `removeperson` (#684)
- Improve error messaging decrypting nonexistent files (#706)
- Improve, expand, correct, and update docs (#699)
- Update docs for use with CI/CD server (#675)
- Upgrade bats-core to v1.6.0 (#755)

View File

@ -465,44 +465,31 @@ function _warn_or_abort {
}
function _find_and_remove_secrets {
# required:
local pattern="$1" # can be any string pattern
local verbose_opt=''
if [[ -n "$_SECRETS_VERBOSE" ]]; then
verbose_opt='v';
fi
local root
root=$(_get_git_root_path)
# shellcheck disable=SC2086
find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose_opt
}
function _find_and_remove_secrets_formatted {
# required:
local pattern="$1" # can be any string pattern
local filenames
_list_all_added_files # sets array variable 'filenames'
local outputs
outputs=$(_find_and_remove_secrets "$pattern")
if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
# shellcheck disable=SC2001
echo "$outputs" | sed "s/^/git-secret: cleaning: /"
for filename in "${filenames[@]}"; do
local path # absolute path
encrypted_filename=$(_get_encrypted_filename "$filename")
if [[ -f "$encrypted_filename" ]]; then
rm "$encrypted_filename"
if [[ -n "$_SECRETS_VERBOSE" ]]; then
echo "git-secret: deleted: $encrypted_filename"
fi
fi
done
}
# this sets the global array variable 'filenames'
function _list_all_added_files {
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
if [[ ! -s "$path_mappings" ]]; then
_abort "$path_mappings is missing."
_abort "path_mappings file is missing or empty: $path_mappings"
fi
local filename
@ -540,7 +527,7 @@ function _secrets_dir_is_not_ignored {
ignores=$(_check_ignore "$git_secret_dir")
if [[ ! $ignores -eq 1 ]]; then
_abort "'$git_secret_dir' is in .gitignore"
_abort "entry already in .gitignore: $git_secret_dir"
fi
}
@ -783,6 +770,10 @@ function _decrypt {
local encrypted_filename
encrypted_filename=$(_get_encrypted_filename "$filename")
if [ ! -f "$encrypted_filename" ]; then
_warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"
fi
local args=( "--use-agent" "--decrypt" )
if [[ "$write_to_file" -eq 1 ]]; then

View File

@ -24,6 +24,5 @@ function clean {
_user_required
# User should see properly formatted output:
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
_find_and_remove_secrets_formatted
}

View File

@ -15,14 +15,6 @@ BEGIN { FS=":"; OFS=":"; }
}
'
function _optional_clean {
local clean="$1"
if [[ $clean -eq 1 ]]; then
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
fi
}
function _optional_delete {
local delete="$1"
@ -33,20 +25,20 @@ function _optional_delete {
# We use custom formatting here:
if [[ -n "$_SECRETS_VERBOSE" ]]; then
echo && _message 'removing unencrypted files:'
_message 'removing unencrypted files'
fi
while read -r line; do
# So the formatting would not be repeated several times here:
while read -r line; do # each line is a record like: filename: or filename:hash
local filename
filename=$(_get_record_filename "$line")
_find_and_remove_secrets "*$filename"
done < "$path_mappings"
if [[ -e "$filename" ]]; then
rm "$filename"
if [[ -n "$_SECRETS_VERBOSE" ]]; then
echo
_message "deleted: $filename"
fi
fi
done < "$path_mappings"
fi
}
function _get_checksum_local {
@ -115,9 +107,11 @@ function hide {
# We need user to continue:
_user_required
# If -c option was provided, it would clean the hidden files
# If -c option was provided, clean the hidden files
# before creating new ones.
_optional_clean "$clean"
if [[ $clean -eq 1 ]]; then
_find_and_remove_secrets_formatted
fi
# Encrypting files:

View File

@ -53,6 +53,9 @@ function remove {
encrypted_filename=$(_get_encrypted_filename "$path")
rm "$encrypted_filename" # fail on error
if [[ -n "$_SECRETS_VERBOSE" ]]; then
_message "deleted: $encrypted_filename"
fi
fi
done

View File

@ -259,9 +259,9 @@ function set_state_git {
local has_initial_branch_option
has_initial_branch_option=$(is_git_version_ge_2_28_0) # 0 for true
if [[ "$has_initial_branch_option" == 0 ]]; then
git init --initial-branch=main >> "$TEST_OUTPUT_FILE" 2>&1
git init --initial-branch=main | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
else
git init >> "$TEST_OUTPUT_FILE" 2>&1
git init | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
fi
}

View File

@ -55,7 +55,7 @@ function teardown {
@test "run 'cat' with wrong filename" {
run git secret cat -d "$TEST_GPG_HOMEDIR" -p "$password" NO_SUCH_FILE
[ "$status" -eq 2 ]
[ "$status" -eq 1 ]
}

View File

@ -68,7 +68,7 @@ function _secret_files_exists {
second_filename=$(_get_encrypted_filename "$SECOND_FILE")
# Output must be verbose:
[[ "$output" == *"cleaning"* ]]
[[ "$output" == *"deleted"* ]]
[[ "$output" == *"$first_filename"* ]]
[[ "$output" == *"$second_filename"* ]]
}
@ -79,7 +79,7 @@ function _secret_files_exists {
[ "$status" -eq 0 ]
# Output must be verbose:
[[ "$output" == *"cleaning"* ]]
[[ "$output" == *"deleted:"* ]]
}
# this test is like above, but sets SECRETS_VERBOSE env var to 0

View File

@ -268,7 +268,7 @@ function teardown {
[ -f "$FILE_TO_HIDE" ]
# Output should be verbose:
[[ "$output" == *"cleaning"* ]]
[[ "$output" == *"deleted:"* ]]
[[ "$output" == *"$encrypted_filename"* ]]
}

View File

@ -50,7 +50,7 @@ function teardown {
rm -f "$FILE_TO_HIDE"
local password=$(test_user_password "$TEST_DEFAULT_USER")
run git secret reveal -Z k-d "$TEST_GPG_HOMEDIR" -p "$password"
run git secret reveal -Z -d "$TEST_GPG_HOMEDIR" -p "$password"
[ "$status" -ne 0 ]
}
@ -61,6 +61,11 @@ function teardown {
[ "$status" -ne 0 ]
}
@test "run 'reveal' on nonexistent file" {
local password=$(test_user_password "$TEST_DEFAULT_USER")
run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password" "DOES-NOT-EXIST"
[ "$status" -ne 0 ]
}
@test "run 'reveal' with '-f'" {
rm "$FILE_TO_HIDE"

View File

@ -26,7 +26,6 @@ chmod 0700 "${TEST_DIR}"
# (IE, like: `echo '# message here' >&3`).
# bats ... 3>&1 shows diagnostic output
bats "${SECRETS_PROJECT_ROOT}/tests" 3>&1
# bats "${SECRETS_PROJECT_ROOT}/tests/test_tell.bats" 3>&1
)
rm -rf "${TEST_DIR}"