mirror of
https://github.com/sobolevn/git-secret
synced 2024-10-31 21:20:29 +00:00
Issue 706 decrypt errors (#831)
* check for encrypted version of file before decrypting, for #706 * improve error messages, verbose output and non-verbose output * in tests, prefix output from git init with 'git: ' * 'clean' options only remove added files, for #833 * update changelog
This commit is contained in:
parent
87e36cca5b
commit
549cd9aa24
@ -7,19 +7,22 @@
|
||||
- Adds `SECRETS_GPG_ARMOR` env variable to use `gpg --armor`
|
||||
when encrypting files, so secret files are stored
|
||||
in text format rather than binary (#631)
|
||||
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
|
||||
- `git secret init` now sets `.gitsecret/keys` permission to 0700 (#811)
|
||||
- Improve verbose and non-verbose output
|
||||
|
||||
### Bugfixes
|
||||
|
||||
- Fix adding newlines to `.gitignore` entries (#643)
|
||||
- Fix `cat` and `reveal` on named files while in repo subdir (#710)
|
||||
- Fix `clean`, `hide`, `reveal` so they only remove marked secret files (#833)
|
||||
- Fix for `removeperson` if same email is present multiple times (#638)
|
||||
- Correct error message about files missing from .gitignore
|
||||
|
||||
### Misc
|
||||
|
||||
- Allow gnupg permission warnings in `tell`, `hide`, `reveal`, and `removeperson` (#811)
|
||||
- Rename `killperson` command to `removeperson` (#684)
|
||||
- Improve error messaging decrypting nonexistent files (#706)
|
||||
- Improve, expand, correct, and update docs (#699)
|
||||
- Update docs for use with CI/CD server (#675)
|
||||
- Upgrade bats-core to v1.6.0 (#755)
|
||||
|
@ -465,44 +465,31 @@ function _warn_or_abort {
|
||||
}
|
||||
|
||||
|
||||
function _find_and_remove_secrets {
|
||||
# required:
|
||||
local pattern="$1" # can be any string pattern
|
||||
|
||||
local verbose_opt=''
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
verbose_opt='v';
|
||||
fi
|
||||
|
||||
local root
|
||||
root=$(_get_git_root_path)
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose_opt
|
||||
}
|
||||
|
||||
|
||||
function _find_and_remove_secrets_formatted {
|
||||
# required:
|
||||
local pattern="$1" # can be any string pattern
|
||||
local filenames
|
||||
_list_all_added_files # sets array variable 'filenames'
|
||||
|
||||
local outputs
|
||||
outputs=$(_find_and_remove_secrets "$pattern")
|
||||
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]] && [[ -n "$outputs" ]]; then
|
||||
# shellcheck disable=SC2001
|
||||
echo "$outputs" | sed "s/^/git-secret: cleaning: /"
|
||||
for filename in "${filenames[@]}"; do
|
||||
local path # absolute path
|
||||
encrypted_filename=$(_get_encrypted_filename "$filename")
|
||||
if [[ -f "$encrypted_filename" ]]; then
|
||||
rm "$encrypted_filename"
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
echo "git-secret: deleted: $encrypted_filename"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
|
||||
|
||||
# this sets the global array variable 'filenames'
|
||||
function _list_all_added_files {
|
||||
local path_mappings
|
||||
path_mappings=$(_get_secrets_dir_paths_mapping)
|
||||
|
||||
if [[ ! -s "$path_mappings" ]]; then
|
||||
_abort "$path_mappings is missing."
|
||||
_abort "path_mappings file is missing or empty: $path_mappings"
|
||||
fi
|
||||
|
||||
local filename
|
||||
@ -540,7 +527,7 @@ function _secrets_dir_is_not_ignored {
|
||||
ignores=$(_check_ignore "$git_secret_dir")
|
||||
|
||||
if [[ ! $ignores -eq 1 ]]; then
|
||||
_abort "'$git_secret_dir' is in .gitignore"
|
||||
_abort "entry already in .gitignore: $git_secret_dir"
|
||||
fi
|
||||
}
|
||||
|
||||
@ -783,6 +770,10 @@ function _decrypt {
|
||||
local encrypted_filename
|
||||
encrypted_filename=$(_get_encrypted_filename "$filename")
|
||||
|
||||
if [ ! -f "$encrypted_filename" ]; then
|
||||
_warn_or_abort "cannot find file to decrypt: $encrypted_filename" "1" "$error_ok"
|
||||
fi
|
||||
|
||||
local args=( "--use-agent" "--decrypt" )
|
||||
|
||||
if [[ "$write_to_file" -eq 1 ]]; then
|
||||
|
@ -24,6 +24,5 @@ function clean {
|
||||
|
||||
_user_required
|
||||
|
||||
# User should see properly formatted output:
|
||||
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
|
||||
_find_and_remove_secrets_formatted
|
||||
}
|
||||
|
@ -15,14 +15,6 @@ BEGIN { FS=":"; OFS=":"; }
|
||||
}
|
||||
'
|
||||
|
||||
function _optional_clean {
|
||||
local clean="$1"
|
||||
|
||||
if [[ $clean -eq 1 ]]; then
|
||||
_find_and_remove_secrets_formatted "*$SECRETS_EXTENSION"
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function _optional_delete {
|
||||
local delete="$1"
|
||||
@ -33,20 +25,20 @@ function _optional_delete {
|
||||
|
||||
# We use custom formatting here:
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
echo && _message 'removing unencrypted files:'
|
||||
_message 'removing unencrypted files'
|
||||
fi
|
||||
|
||||
while read -r line; do
|
||||
# So the formatting would not be repeated several times here:
|
||||
while read -r line; do # each line is a record like: filename: or filename:hash
|
||||
local filename
|
||||
filename=$(_get_record_filename "$line")
|
||||
_find_and_remove_secrets "*$filename"
|
||||
done < "$path_mappings"
|
||||
|
||||
if [[ -e "$filename" ]]; then
|
||||
rm "$filename"
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
echo
|
||||
_message "deleted: $filename"
|
||||
fi
|
||||
fi
|
||||
done < "$path_mappings"
|
||||
fi
|
||||
}
|
||||
|
||||
function _get_checksum_local {
|
||||
@ -115,9 +107,11 @@ function hide {
|
||||
# We need user to continue:
|
||||
_user_required
|
||||
|
||||
# If -c option was provided, it would clean the hidden files
|
||||
# If -c option was provided, clean the hidden files
|
||||
# before creating new ones.
|
||||
_optional_clean "$clean"
|
||||
if [[ $clean -eq 1 ]]; then
|
||||
_find_and_remove_secrets_formatted
|
||||
fi
|
||||
|
||||
# Encrypting files:
|
||||
|
||||
|
@ -53,6 +53,9 @@ function remove {
|
||||
encrypted_filename=$(_get_encrypted_filename "$path")
|
||||
|
||||
rm "$encrypted_filename" # fail on error
|
||||
if [[ -n "$_SECRETS_VERBOSE" ]]; then
|
||||
_message "deleted: $encrypted_filename"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
|
@ -259,9 +259,9 @@ function set_state_git {
|
||||
local has_initial_branch_option
|
||||
has_initial_branch_option=$(is_git_version_ge_2_28_0) # 0 for true
|
||||
if [[ "$has_initial_branch_option" == 0 ]]; then
|
||||
git init --initial-branch=main >> "$TEST_OUTPUT_FILE" 2>&1
|
||||
git init --initial-branch=main | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
|
||||
else
|
||||
git init >> "$TEST_OUTPUT_FILE" 2>&1
|
||||
git init | sed 's/^/git: /' >> "$TEST_OUTPUT_FILE" 2>&1
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -55,7 +55,7 @@ function teardown {
|
||||
|
||||
@test "run 'cat' with wrong filename" {
|
||||
run git secret cat -d "$TEST_GPG_HOMEDIR" -p "$password" NO_SUCH_FILE
|
||||
[ "$status" -eq 2 ]
|
||||
[ "$status" -eq 1 ]
|
||||
}
|
||||
|
||||
|
||||
|
@ -68,7 +68,7 @@ function _secret_files_exists {
|
||||
second_filename=$(_get_encrypted_filename "$SECOND_FILE")
|
||||
|
||||
# Output must be verbose:
|
||||
[[ "$output" == *"cleaning"* ]]
|
||||
[[ "$output" == *"deleted"* ]]
|
||||
[[ "$output" == *"$first_filename"* ]]
|
||||
[[ "$output" == *"$second_filename"* ]]
|
||||
}
|
||||
@ -79,7 +79,7 @@ function _secret_files_exists {
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
# Output must be verbose:
|
||||
[[ "$output" == *"cleaning"* ]]
|
||||
[[ "$output" == *"deleted:"* ]]
|
||||
}
|
||||
|
||||
# this test is like above, but sets SECRETS_VERBOSE env var to 0
|
||||
|
@ -268,7 +268,7 @@ function teardown {
|
||||
[ -f "$FILE_TO_HIDE" ]
|
||||
|
||||
# Output should be verbose:
|
||||
[[ "$output" == *"cleaning"* ]]
|
||||
[[ "$output" == *"deleted:"* ]]
|
||||
[[ "$output" == *"$encrypted_filename"* ]]
|
||||
}
|
||||
|
||||
|
@ -50,7 +50,7 @@ function teardown {
|
||||
rm -f "$FILE_TO_HIDE"
|
||||
|
||||
local password=$(test_user_password "$TEST_DEFAULT_USER")
|
||||
run git secret reveal -Z k-d "$TEST_GPG_HOMEDIR" -p "$password"
|
||||
run git secret reveal -Z -d "$TEST_GPG_HOMEDIR" -p "$password"
|
||||
[ "$status" -ne 0 ]
|
||||
}
|
||||
|
||||
@ -61,6 +61,11 @@ function teardown {
|
||||
[ "$status" -ne 0 ]
|
||||
}
|
||||
|
||||
@test "run 'reveal' on nonexistent file" {
|
||||
local password=$(test_user_password "$TEST_DEFAULT_USER")
|
||||
run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password" "DOES-NOT-EXIST"
|
||||
[ "$status" -ne 0 ]
|
||||
}
|
||||
|
||||
@test "run 'reveal' with '-f'" {
|
||||
rm "$FILE_TO_HIDE"
|
||||
|
@ -26,7 +26,6 @@ chmod 0700 "${TEST_DIR}"
|
||||
# (IE, like: `echo '# message here' >&3`).
|
||||
# bats ... 3>&1 shows diagnostic output
|
||||
bats "${SECRETS_PROJECT_ROOT}/tests" 3>&1
|
||||
# bats "${SECRETS_PROJECT_ROOT}/tests/test_tell.bats" 3>&1
|
||||
)
|
||||
|
||||
rm -rf "${TEST_DIR}"
|
||||
|
Loading…
Reference in New Issue
Block a user