Merge pull request #245 from joshrabinowitz/file-perms-172

add -P (preserve permission) option to reveal and hide. For #172
6 years ago · a085d2d9c5
parent 80e4908471 1ea3b3139d
commit a085d2d9c5
23 changed files with 124 additions and 29 deletions
--- a/man/man1/git-secret-add.1
+++ b/man/man1/git-secret-add.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-ADD" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-ADD" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-add\fR \- starts to track added files\.
--- a/man/man1/git-secret-cat.1
+++ b/man/man1/git-secret-cat.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-CAT" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-CAT" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-cat\fR \- decrypts files passed on command line to stdout
--- a/man/man1/git-secret-changes.1
+++ b/man/man1/git-secret-changes.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-CHANGES" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-CHANGES" "1" "July 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-changes\fR \- view diff of the hidden files\.
@ -15,7 +15,7 @@ git secret changes [\-h] [\-d dir] [\-p password] [pathspec]\.\.\.
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already commited\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
+\fBgit\-secret\-changes\fR \- shows changes between the current version of hidden files and the ones already committed\. You can provide any number of hidden files to this command as arguments, and it will show changes for these files only\. Note that files must be specified by their encrypted names, typically \fBfilename\.yml\.secret\fR\. If no arguments are provided, information about all hidden files will be shown\.
 .
 .SH "OPTIONS"
 .
--- a/man/man1/git-secret-clean.1
+++ b/man/man1/git-secret-clean.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-CLEAN" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-CLEAN" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-clean\fR \- removes all the hidden files\.
--- a/man/man1/git-secret-hide.1
+++ b/man/man1/git-secret-hide.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-HIDE" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-HIDE" "1" "August 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-hide\fR \- encrypts all added files with the inner keyring\.
@ -10,7 +10,7 @@
 .
 .nf

-git secret hide [\-c] [\-v]
+git secret hide [\-c] [\-P] [\-v] [\-d] [\-m]
 .
 .fi
 .
@ -26,6 +26,7 @@ It is possible to modify the names of the encrypted files by setting \fBSECRETS_

 \-v  \- verbose, shows extra information\.
 \-c  \- deletes encrypted files before creating new ones\.
+\-P  \- preserve permissions of unencrypted file in encrypted file\.
 \-d  \- deletes unencrypted files after encryption\.
 \-m  \- encrypt files only when modified\.
 \-h  \- shows help\.
--- a/man/man1/git-secret-hide.1.ronn
+++ b/man/man1/git-secret-hide.1.ronn
@ -3,7 +3,7 @@ git-secret-hide - encrypts all added files with the inner keyring.

 ## SYNOPSIS

-    git secret hide [-c] [-v]
+    git secret hide [-c] [-P] [-v] [-d] [-m]


 ## DESCRIPTION
@ -19,6 +19,7 @@ It is possible to modify the names of the encrypted files by setting `SECRETS_EX

    -v  - verbose, shows extra information.
    -c  - deletes encrypted files before creating new ones.
+    -P  - preserve permissions of unencrypted file in encrypted file.
    -d  - deletes unencrypted files after encryption.
    -m  - encrypt files only when modified.
    -h  - shows help.
--- a/man/man1/git-secret-init.1
+++ b/man/man1/git-secret-init.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-INIT" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-INIT" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-init\fR \- initializes git\-secret repository\.
--- a/man/man1/git-secret-killperson.1
+++ b/man/man1/git-secret-killperson.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-KILLPERSON" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-KILLPERSON" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-killperson\fR \- deletes key identified by an email from the inner keyring\.
--- a/man/man1/git-secret-list.1
+++ b/man/man1/git-secret-list.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-LIST" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-LIST" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-list\fR \- prints all the added files\.
--- a/man/man1/git-secret-remove.1
+++ b/man/man1/git-secret-remove.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-REMOVE" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-REMOVE" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-remove\fR \- removes files from index\.
--- a/man/man1/git-secret-reveal.1
+++ b/man/man1/git-secret-reveal.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-REVEAL" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-REVEAL" "1" "August 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-reveal\fR \- decrypts all added files\.
@ -10,7 +10,7 @@
 .
 .nf

-git secret reveal [\-f] [\-d dir] [\-p password]
+git secret reveal [\-f] [\-P] [\-d dir] [\-p password]
 .
 .fi
 .
@ -21,9 +21,10 @@ git secret reveal [\-f] [\-d dir] [\-p password]
 .
 .nf

-\-f  \- forces to overwrite exisiting files without prompt\.
+\-f  \- forces to overwrite existing files without prompt\.
 \-d  \- specifies `\-\-homedir` option for the `gpg`, basically use this option if you store your keys in a custom location\.
 \-p  \- specifies password for noinput mode, adds `\-\-passphrase` option for `gpg`\.
+\-P  \- preserve permissions of encrypted file in unencrypted file\.
 \-h  \- shows help\.
 .
 .fi
--- a/man/man1/git-secret-reveal.1.ronn
+++ b/man/man1/git-secret-reveal.1.ronn
@ -3,7 +3,7 @@ git-secret-reveal - decrypts all added files.

 ## SYNOPSIS

-    git secret reveal [-f] [-d dir] [-p password]
+    git secret reveal [-f] [-P] [-d dir] [-p password]


 ## DESCRIPTION
@ -18,6 +18,7 @@ Under the hood, this uses the `gpg --decrypt` command.
    -f  - forces to overwrite existing files without prompt.
    -d  - specifies `--homedir` option for the `gpg`, basically use this option if you store your keys in a custom location.
    -p  - specifies password for noinput mode, adds `--passphrase` option for `gpg`.
+    -P  - preserve permissions of encrypted file in unencrypted file.
    -h  - shows help.


--- a/man/man1/git-secret-tell.1
+++ b/man/man1/git-secret-tell.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-TELL" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-TELL" "1" "July 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-tell\fR \- adds a person, who can access private data\.
@ -15,7 +15,7 @@ git secret tell [\-m] [\-d dir] [emails]\.\.\.
 .fi
 .
 .SH "DESCRIPTION"
-\fBgit\-secret\-tell\fR receives an email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR\'s \fBhomedir\fR by these emails, then imports a person\'s public key into the \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key\. But they cannot decrypt the old files, which were already encrypted without their key\. They should be reencrypted with the new keyring by someone, who has the unencrypted files\.
+\fBgit\-secret\-tell\fR receives an email addresses as an input, searches for the \fBgpg\fR\-key in the \fBgpg\fR\'s \fBhomedir\fR by these emails, then imports a person\'s public key into the \fBgit\-secret\fR\'s inner keychain\. From this moment this person can encrypt new files with the keyring which contains their key, but they cannot decrypt the old files, which were already encrypted without their key\. The files should be re\-encrypted with the new keyring by someone who has the unencrypted files\.
 .
 .P
 \fBDo not manually import secret key into \fBgit\-secret\fR\fR\. Anyways, it won\'t work with any of the secret\-keys imported\.
--- a/man/man1/git-secret-usage.1
+++ b/man/man1/git-secret-usage.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-USAGE" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-USAGE" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-usage\fR \- prints all the available commands\.
--- a/man/man1/git-secret-whoknows.1
+++ b/man/man1/git-secret-whoknows.1
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET\-WHOKNOWS" "1" "May 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET\-WHOKNOWS" "1" "June 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\-whoknows\fR \- prints email\-labels for each key in the keyring\.
--- a/man/man7/git-secret.7
+++ b/man/man7/git-secret.7
@ -1,7 +1,7 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "GIT\-SECRET" "7" "June 2018" "sobolevn" "git-secret"
+.TH "GIT\-SECRET" "7" "July 2018" "sobolevn" "git-secret"
 .
 .SH "NAME"
 \fBgit\-secret\fR
@ -44,7 +44,7 @@ Get their \fBgpg\fR public\-key\. \fBYou won\'t need their secret key\.\fR
 Import this key into your \fBgpg\fR setup (in ~/\.gnupg or similar) by running \fBgpg \-\-import KEY_NAME\.txt\fR
 .
 .IP "3." 4
-Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address assocated with the public key)
+Now add this person to your secrets repo by running \fBgit secret tell persons@email\.id\fR (this will be the email address associated with the public key)
 .
 .IP "4." 4
 The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the files using \fBgit secret reveal; git secret hide \-d\fR, and then commit and push the newly encrypted files\. (The \-d options deletes the unencrypted file after re\-encrypting it)\. Now the newly added user be able to decrypt the files in the repo using \fBgit\-secret\fR\.
@ -52,7 +52,7 @@ The newly added user cannot yet read the encrypted files\. Now, re\-encrypt the
 .IP "" 0
 .
 .P
-Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after reencrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
+Note that it is possible to add yourself to the git\-secret repo without decrypting existing files\. It will be possible to decrypt them after re\-encrypting them with the new keyring\. So, if you don\'t want unexpected keys added, you can configure some server\-side security policy with the \fBpre\-receive\fR hook\.
 .
 .SH "Configuration"
 You can configure the version of gpg used, or the extension your encrypted files use, to suit your workflow better\. To do so, just set the required variable to the value you need\. This can be done in your shell environment file or with each \fBgit\-secret\fR command\.
@ -90,7 +90,7 @@ This directory currently contains only the file \fBmapping\.cfg\fR, which lists
 All the other internal data is stored in the directory:
 .
 .SS "<code>\.gitsecret/keys</code>"
-This directory contains data used by git\-secret and PGP to allow and maintain the correct encyption and access rights for the permitted parties\.
+This directory contains data used by git\-secret and PGP to allow and maintain the correct encryption and access rights for the permitted parties\.
 .
 .P
 Generally speaking, all the files in this directory \fIexcept\fR \fBrandom_seed\fR should be checked into your repo\.
--- a/src/_utils/_git_secret_tools.sh
+++ b/src/_utils/_git_secret_tools.sh
@ -16,6 +16,7 @@ _SECRETS_DIR_PATHS_MAPPING="${_SECRETS_DIR_PATHS}/mapping.cfg"
 # Commands:
 : "${SECRETS_GPG_COMMAND:="gpg"}"
 : "${SECRETS_CHECKSUM_COMMAND:="_os_based __sha256"}"
+: "${SECRETS_OCTAL_PERMS_COMMAND:="_os_based __get_octal_perms"}"


 # AWK scripts:
--- a/src/_utils/_git_secret_tools_linux.sh
+++ b/src/_utils/_git_secret_tools_linux.sh
@ -16,3 +16,11 @@ function __temp_file_linux {
 function __sha256_linux {
  sha256sum "$1"
 }
+
+function __get_octal_perms_linux {
+  local filename
+  filename=$1
+  local perms
+  perms=$(stat --format '%a' "$filename")
+  echo "$perms"
+}
--- a/src/_utils/_git_secret_tools_osx.sh
+++ b/src/_utils/_git_secret_tools_osx.sh
@ -18,3 +18,10 @@ function __temp_file_osx {
 function __sha256_osx {
  /usr/bin/shasum -a256 "$1"
 }
+function __get_octal_perms_osx {
+  local filename
+  filename=$1
+  local perms
+  perms=$(stat -f '%p' "$filename")
+  echo "$perms"
+}
--- a/src/commands/git_secret_hide.sh
+++ b/src/commands/git_secret_hide.sh
@ -80,16 +80,19 @@ function _optional_fsdb_update_hash {

 function hide {
  local clean=0
+  local preserve=0
  local delete=0
  local fsdb_update_hash=0 # add checksum hashes to fsdb
  local verbose=''

  OPTIND=1

-  while getopts 'cdmvh' opt; do
+  while getopts 'cPdmvh' opt; do
    case "$opt" in
      c) clean=1;;

+      P) preserve=1;;
+
      d) delete=1;;

      m) fsdb_update_hash=1;;
@ -160,6 +163,14 @@ function hide {
      if [[ "$exit_code" -ne 0 ]]; then
        _abort "problem encrypting file with gpg: exit code $exit_code: $filename"
      fi
+
+      if [[ "$preserve" == 1 ]]; then
+        local perms
+        perms=$($SECRETS_OCTAL_PERMS_COMMAND "$input_path")
+        chmod "$perms" "$output_path"
+      fi
+
+
      # If -m option was provided, it will update unencrypted file hash
      local key="$filename"
      local hash="$file_hash"
--- a/src/commands/git_secret_reveal.sh
+++ b/src/commands/git_secret_reveal.sh
@ -5,15 +5,18 @@ function reveal {
  local homedir=''
  local passphrase=''
  local force=0
+  local preserve=0

  OPTIND=1

-  while getopts 'hfd:p:' opt; do
+  while getopts 'hfPd:p:' opt; do
    case "$opt" in
      h) _show_manual_for 'reveal';;

      f) force=1;;

+      P) preserve=1;;
+
      p) passphrase=$OPTARG;;

      d) homedir=$OPTARG;;
@ -46,6 +49,14 @@ function reveal {
      _abort "cannot find decrypted version of file: $filename"
    fi

+    if [[ "$preserve" == 1 ]]; then
+      local secret_file
+      secret_file=$(_get_encrypted_filename "$path")
+      local perms
+      perms=$($SECRETS_OCTAL_PERMS_COMMAND "$secret_file")
+      chmod "$perms" "$path"
+    fi
+
    counter=$((counter+1))
  done < "$path_mappings"

--- a/tests/test_hide.bats
+++ b/tests/test_hide.bats
@ -32,11 +32,39 @@ function teardown {
  [ "$status" -eq 0 ]
  [ "$output" = "done. all 1 files are hidden." ]

-  # New files should be crated:
+  # New files should be created:
  local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
  [ -f "$encrypted_file" ]
 }

+@test "run 'hide' with '-P'" {
+
+  # attempt to alter permissions on input file
+  chmod o-rwx "$FILE_TO_HIDE"
+
+  run git secret hide -P
+
+  # Command must execute normally:
+  [ "$status" -eq 0 ]
+  [ "$output" = "done. all 1 files are hidden." ]
+
+  # New files should be created:
+  local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
+  [ -f "$encrypted_file" ]
+
+  # permissions should match. We don't have access to SECRETS_OCTAL_PERMS_COMMAND here
+  local secret_perm
+  local file_perm   
+  secret_perm=$(ls -l "$encrypted_file" | cut -d' ' -f1)    
+  file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
+
+  # text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
+  #echo "# secret_perm: $secret_perm, file_perm: $file_perm" >&3
+
+  [ "$secret_perm" = "$file_perm" ]
+
+}
+
@test "run 'hide' from inside subdirectory" {
  # Preparations:
  local root_dir='test_sub_dir'
@ -101,7 +129,7 @@ function teardown {
  [ "${lines[0]}" = "done. all 1 files are hidden." ]
  [ "${lines[1]}" = "cleaning up..." ]

-  # New files should be crated:
+  # New files should be created:
  local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
  [ -f "$encrypted_file" ]
 }
@ -130,7 +158,7 @@ function teardown {
  # no changes should occur to path_mappings files
  cmp -s "${path_mappings}" "${path_mappings}.bak"

-  # New files should be crated:
+  # New files should be created:
  local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
  [ -f "$encrypted_file" ]
 }
--- a/tests/test_reveal.bats
+++ b/tests/test_reveal.bats
@ -55,6 +55,31 @@ function teardown {
 }


+@test "run 'reveal' with '-P'" {
+  rm "$FILE_TO_HIDE"
+
+  local password=$(test_user_password "$TEST_DEFAULT_USER")
+
+  local secret_file=$(_get_encrypted_filename "$FILE_TO_HIDE")
+  chmod o-rwx "$secret_file"
+
+  run git secret reveal -P -d "$TEST_GPG_HOMEDIR" -p "$password"
+
+  [ "$status" -eq 0 ]
+
+  local secret_perm
+  local file_perm
+  secret_perm=$(ls -l "$FILE_TO_HIDE".secret | cut -d' ' -f1)
+  file_perm=$(ls -l "$FILE_TO_HIDE" | cut -d' ' -f1)
+
+  # text prefixed with '# ' and sent to file descriptor 3 is 'diagnostic' (debug) output for devs
+  #echo "# secret_perm: $secret_perm, file_perm: $file_perm" >&3    
+
+  [ "$secret_perm" = "$file_perm" ]
+
+  [ -f "$FILE_TO_HIDE" ]
+}
+
@test "run 'reveal' with wrong password" {
  rm "$FILE_TO_HIDE"