Archives
/
git-secret
mirror of https://github.com/sobolevn/git-secret
2
1
Fork 0
Code Issues Projects Releases Wiki Activity

Merges develop, removes staging, refs #76

Browse Source
pull/42/merge
sobolevn 8 years ago
parent d6f01b8ee6 12d4b9f6de
commit c85d482ec6
No known key found for this signature in database
GPG Key ID: FF672D568AE3C73E
35 changed files with 786 additions and 209 deletions
Show Stats Download Patch File Download Diff File

15
.ci/after_deploy.sh
Unescape Escape View File

@ -0,0 +1,15 @@
#!/usr/bin/env bash
set -e
# This file is required, because for some reason
# travis deploys do not trigger metadata calculation.
# See: https://github.com/sobolevn/git-secret/issues/89
# This file is only called after successful deploy.
# We need to execute custom call to the Bintray API:
curl -X POST \
--user "sobolevn:$BINTRAY_API_KEY" \
-H "X-GPG-PASSPHRASE: $BINTRAY_GPG_PASS" \
"https://api.bintray.com/calc_metadata/sobolevn/$GITSECRET_DIST"

11
.github/ISSUE_TEMPLATE.md vendored
Unescape Escape View File

@ -24,8 +24,13 @@ Any other comments?
What versions of software are you using? What versions of software are you using?
---------------------------------------- ----------------------------------------
**Operating system:** … **Operating system:** (`uname -a`)
**`git-secret` version:** … **`git-secret` path:** (`which git-secret`) …
**`git-secret` version:** (`git secret --version`) …
**Shell type and version:** (`$SHELL --version`) …
**`gpg` version:** (`gpg --version`) …
**Shell type and version:** …

3
.github/PULL_REQUEST_TEMPLATE.md vendored
Unescape Escape View File

@ -1,7 +1,8 @@
<!-- Thanks for sending a pull request! <!-- Thanks for sending a pull request!
Here's how it's done: Here's how it's done:
1. Make sure that you open your pull-request to the `develop` branch (master branch is protected, since some plugins use it when installed) 0. If you are planing a large feature, please, discuss it first in the separate issue
1. Make sure that you open your pull-request to the `develop` branch (master branch is protected anyways)
2. Make sure that tests pass 2. Make sure that tests pass
3. Make sure that your code has the same style 3. Make sure that your code has the same style

5
.travis.yml
Unescape Escape View File

@ -23,7 +23,7 @@ matrix:
language: ruby language: ruby
- os: linux - os: linux
env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg"; SECRETS_GPG_COMMAND="gpg" env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg"; SECRETS_GPG_COMMAND="gpg"
sudo: required sudo: false
language: ruby language: ruby
- os: linux - os: linux
env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg2"; SECRETS_GPG_COMMAND="gpg2" env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg2"; SECRETS_GPG_COMMAND="gpg2"
@ -71,6 +71,9 @@ deploy:
key: "$BINTRAY_API_KEY" key: "$BINTRAY_API_KEY"
passphrase: "$BINTRAY_GPG_PASS" passphrase: "$BINTRAY_GPG_PASS"
after_deploy:
- chmod +x ".ci/after_deploy.sh" && ".ci/after_deploy.sh"
notifications: notifications:
email: email:
on_success: never on_success: never

11
CONTRIBUTING.md
Unescape Escape View File

@ -35,14 +35,13 @@ Only required if dealing with manuals, `gh-pages` or releases:
### Branches ### Branches
We have three long-live branches: `master`, `staging` and `develop` (and `gh-pages` for static site). We have three long-live branches: `master`, `develop` and `gh-pages` for static site.
It basically looks like that: It basically looks like that:
> `your-branch` -> `develop` -> `staging` -> `master` > `your-branch` -> `develop` -> `master`
- `master` branch is protected, since `antigen` and tools like it install the app from the main branch directly. So only fully tested code goes there - `master` branch is protected. So only fully tested code goes there. It is also used to create a new `git` tag and a `github` release
- `staging` - this branch is used to create a new `git` tag and a `github` release, then it gets merged into `master`
- `develop` is where the development is done and the branch you should send your pull-requests to - `develop` is where the development is done and the branch you should send your pull-requests to
### Continuous integration ### Continuous integration
@ -57,7 +56,7 @@ CI is done with the help of `travis`. `travis` handles multiple environments:
The release process is defined in the `git`-hooks and `.travis.yml`. The release process is defined in the `git`-hooks and `.travis.yml`.
When creating a commit inside the `staging` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) it will trigger two main events. When creating a commit inside the `master` branch (it is usually a documentation and changelog update with the version bump inside `src/version.sh`) it will trigger two main events.
Firstly, new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook. Firstly, new manuals will be created and added to the current commit with `make build-man` on `pre-commit` hook.
@ -69,8 +68,6 @@ if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
fi fi
``` ```
Then it will be merged inside `master` when ready.
#### Travis releases #### Travis releases
When creating a commit inside `master` branch, `travis` on successful build will publish new `deb` and `rpm` packages to [`bintray`][bintray]. When creating a commit inside `master` branch, `travis` on successful build will publish new `deb` and `rpm` packages to [`bintray`][bintray].

5
git-secret.plugin.zsh
Unescape Escape View File

@ -10,6 +10,11 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# Deprecation warning:
(>&2 echo "warning: this installation method is deprecated since version 0.2.3")
(>&2 echo "warning: it will be completely removed by the version 0.3.0")
(>&2 echo "warning: use binary installation instead")
# Create binary: # Create binary:
PLUGIN_DIR="$(dirname "$0")" PLUGIN_DIR="$(dirname "$0")"

2
man/man7/git-secret.7
Unescape Escape View File

@ -1,7 +1,7 @@
.\" generated with Ronn/v0.7.3 .\" generated with Ronn/v0.7.3
.\" http://github.com/rtomayko/ronn/tree/0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3
. .
.TH "GIT\-SECRET" "7" "February 2017" "sobolevn" "git-secret" .TH "GIT\-SECRET" "7" "March 2017" "sobolevn" "git-secret"
. .
.SH "NAME" .SH "NAME"
\fBgit\-secret\fR \fBgit\-secret\fR

264
src/_utils/_git_secret_tools.sh
Unescape Escape View File

@ -1,30 +1,28 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# Global variables:
WORKING_DIRECTORY="$PWD" # shellcheck disable=2034
# Folders: # Folders:
SECRETS_DIR=".gitsecret" _SECRETS_DIR=".gitsecret"
SECRETS_DIR_KEYS="$SECRETS_DIR/keys" _SECRETS_DIR_KEYS="${_SECRETS_DIR}/keys"
SECRETS_DIR_PATHS="$SECRETS_DIR/paths" _SECRETS_DIR_PATHS="${_SECRETS_DIR}/paths"
# Files: # Files:
SECRETS_DIR_KEYS_MAPPING="$SECRETS_DIR_KEYS/mapping.cfg" # shellcheck disable=2034 _SECRETS_DIR_KEYS_MAPPING="${_SECRETS_DIR_KEYS}/mapping.cfg"
SECRETS_DIR_KEYS_TRUSTDB="$SECRETS_DIR_KEYS/trustdb.gpg" # shellcheck disable=2034 _SECRETS_DIR_KEYS_TRUSTDB="${_SECRETS_DIR_KEYS}/trustdb.gpg"
SECRETS_DIR_PATHS_MAPPING="$SECRETS_DIR_PATHS/mapping.cfg" # shellcheck disable=2034 _SECRETS_DIR_PATHS_MAPPING="${_SECRETS_DIR_PATHS}/mapping.cfg"
: "${SECRETS_EXTENSION:=".secret"}" : "${SECRETS_EXTENSION:=".secret"}"
# Commands: # Commands:
: "${SECRETS_GPG_COMMAND:="gpg"}" : "${SECRETS_GPG_COMMAND:="gpg"}"
GPGLOCAL="$SECRETS_GPG_COMMAND --homedir=$SECRETS_DIR_KEYS --no-permission-warning"
# Inner bash: # Bash:
function _function_exists { function _function_exists {
declare -f -F "$1" > /dev/null 2>&1 local function_name="$1" # required
declare -f -F "$function_name" > /dev/null 2>&1
echo $? echo $?
} }
@ -60,34 +58,46 @@ function _os_based {
# File System: # File System:
function _set_config { function _set_config {
# First parameter is the KEY, second is VALUE, third is filename. # This function creates a line in the config, or alters it.
local key="$1" # required
local value="$2" # required
local filename="$3" # required
# The exit status is 0 (true) if the name was found, 1 (false) if not: # The exit status is 0 (true) if the name was found, 1 (false) if not:
local contains local contains
contains=$(grep -Fq "$1" "$3"; echo "$?") contains=$(grep -Fq "$key" "$filename"; echo "$?")
# Append or alter?
if [[ "$contains" -eq 0 ]]; then if [[ "$contains" -eq 0 ]]; then
_os_based __replace_in_file "$@" _os_based __replace_in_file "$@"
elif [[ "$contains" -eq 1 ]]; then elif [[ "$contains" -eq 1 ]]; then
echo "$1 = $2" >> "$3" echo "${key} = ${value}" >> "$filename"
fi fi
} }
function _file_has_line { function _file_has_line {
# First parameter is the KEY, second is the filename. # First parameter is the key, second is the filename.
local key="$1" # required
local filename="$2" # required
local contains local contains
contains=$(grep -qw "$1" "$2"; echo $?) contains=$(grep -qw "$key" "$filename"; echo $?)
# 0 on contains, 1 for error. # 0 on contains, 1 for error.
echo "$contains"; echo "$contains"
} }
function _delete_line { function _delete_line {
local escaped_path local escaped_path
escaped_path=$(echo "$1" | sed -e 's/[\/&]/\\&/g') escaped_path=$(echo "$1" | sed -e 's/[\/&]/\\&/g') # required
sed -i.bak "/$escaped_path/d" "$2"
local line="$2" # required
sed -i.bak "/$escaped_path/d" "$line"
} }
@ -103,14 +113,17 @@ function _temporary_file {
function _unique_filename { function _unique_filename {
# First parameter is base-path, second is filename, # First parameter is base-path, second is filename,
# third is optional extension. # third is optional extension.
local n=0 result=$2 local n=0
local base_path="$1"
local result="$2"
while true; do while true; do
if [[ ! -f "$1/$result" ]]; then if [[ ! -f "$base_path/$result" ]]; then
break break
fi fi
n=$(( n + 1 )) n=$(( n + 1 ))
result="${2}-${n}" result="${2}-${n}" # calling to the original "$2"
done done
echo "$result" echo "$result"
} }
@ -119,7 +132,8 @@ function _unique_filename {
# Manuals: # Manuals:
function _show_manual_for { function _show_manual_for {
local function_name="$1" local function_name="$1" # required
man "git-secret-${function_name}" man "git-secret-${function_name}"
exit 0 exit 0
} }
@ -128,39 +142,132 @@ function _show_manual_for {
# VCS: # VCS:
function _check_ignore { function _check_ignore {
git check-ignore --no-index -q "$1"; local filename="$1" # required
echo $?
local result
result="$(git check-ignore --no-index -q "$filename" > /dev/null 2>&1; echo $?)"
echo "$result"
} }
function _add_ignored_file { function _git_normalize_filename {
if [[ ! -f ".gitignore" ]]; then local filename="$1" # required
touch ".gitignore"
local result
result=$(git ls-files --full-name -o "$filename")
echo "$result"
}
function _maybe_create_gitignore {
# This function creates '.gitignore' if it was missing.
local full_path
full_path=$(_append_root_path '.gitignore')
if [[ ! -f "$full_path" ]]; then
touch "$full_path"
fi fi
}
echo "$1" >> ".gitignore" function _add_ignored_file {
# This function adds a line with the filename into the '.gitgnore' file.
# It also creates '.gitignore' if it's not there
local filename="$1" # required
_maybe_create_gitignore
local full_path
full_path=$(_append_root_path '.gitignore')
echo "$filename" >> "$full_path"
} }
function _is_inside_git_tree { function _is_inside_git_tree {
git rev-parse --is-inside-work-tree >/dev/null 2>&1 # Checks if we are working inside the `git` tree.
echo $? local result
result=$(git rev-parse --is-inside-work-tree > /dev/null 2>&1; echo $?)
echo "$result"
} }
function _get_git_root_path { function _get_git_root_path {
# We need this function to get the location of the `.git` folder, # We need this function to get the location of the `.git` folder,
# since `.gitsecret` must be on the same level. # since `.gitsecret` must be on the same level.
local result local result
result=$(git rev-parse --show-toplevel) result=$(git rev-parse --show-toplevel)
echo "$result" echo "$result"
} }
# Relative paths:
function _append_root_path {
# This function adds root path to any other path.
local path="$1" # required
local root_path
root_path=$(_get_git_root_path)
echo "$root_path/$path"
}
function _get_secrets_dir {
_append_root_path "${_SECRETS_DIR}"
}
function _get_secrets_dir_keys {
_append_root_path "${_SECRETS_DIR_KEYS}"
}
function _get_secrets_dir_path {
_append_root_path "${_SECRETS_DIR_PATHS}"
}
function _get_secrets_dir_keys_mapping {
_append_root_path "${_SECRETS_DIR_KEYS_MAPPING}"
}
function _get_secrets_dir_keys_trustdb {
_append_root_path "${_SECRETS_DIR_KEYS_TRUSTDB}"
}
function _get_secrets_dir_paths_mapping {
_append_root_path "${_SECRETS_DIR_PATHS_MAPPING}"
}
# Logic: # Logic:
function _get_gpg_local {
# This function is required to return proper `gpg` command.
# This function was created due to this bug:
# https://github.com/sobolevn/git-secret/issues/85
local homedir
homedir=$(_get_secrets_dir_keys)
local gpg_local="$SECRETS_GPG_COMMAND --homedir=$homedir --no-permission-warning"
echo "$gpg_local"
}
function _abort { function _abort {
>&2 echo "$1 abort." local message="$1" # required
>&2 echo "$message abort."
exit 1 exit 1
} }
@ -171,8 +278,11 @@ function _find_and_clean {
# optional: # optional:
local verbose=${2:-""} # can be empty or should be equal to "v" local verbose=${2:-""} # can be empty or should be equal to "v"
local root
root=$(_get_git_root_path)
# shellcheck disable=2086 # shellcheck disable=2086
find . -name "$pattern" -type f -print0 | xargs -0 rm -f$verbose find "$root" -path "$pattern" -type f -print0 | xargs -0 rm -f$verbose
} }
@ -196,11 +306,25 @@ function _find_and_clean_formated {
} }
function _list_all_added_files {
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
if [[ ! -s "$path_mappings" ]]; then
_abort "$path_mappings is missing."
fi
while read -r line; do
echo "$line"
done < "$path_mappings"
}
function _secrets_dir_exists { function _secrets_dir_exists {
local root_path # This function checks if "$_SECRETS_DIR" exists and.
root_path=$(_get_git_root_path)
local full_path="$root_path/$SECRETS_DIR" local full_path
full_path=$(_get_secrets_dir)
if [[ ! -d "$full_path" ]]; then if [[ ! -d "$full_path" ]]; then
_abort "$full_path does not exist." _abort "$full_path does not exist."
@ -208,16 +332,42 @@ function _secrets_dir_exists {
} }
function _secrets_dir_is_not_ignored {
# This function checks that "${_SECRETS_DIR}" is not ignored.
local git_secret_dir
git_secret_dir=$(_get_secrets_dir)
local ignores
ignores=$(_check_ignore "${_SECRETS_DIR}/")
if [[ ! $ignores -eq 1 ]]; then
_abort "'$git_secret_dir/' is ignored."
fi
}
function _user_required { function _user_required {
# This function does a bunch of validations:
# 1. It calls `_secrets_dir_exists` to verify that "$_SECRETS_DIR" exists.
# 2. It ensures that "$_SECRETS_DIR_KEYS_TRUSTDB" exists.
# 3. It ensures that there are added public keys.
_secrets_dir_exists _secrets_dir_exists
local error_message="no users found. run 'git secret tell' before adding files." local trustdb
if [[ ! -f "$SECRETS_DIR_KEYS_TRUSTDB" ]]; then trustdb=$(_get_secrets_dir_keys_trustdb)
local error_message="no users found. run 'git secret tell'."
if [[ ! -f "$trustdb" ]]; then
_abort "$error_message" _abort "$error_message"
fi fi
local gpg_local
gpg_local=$(_get_gpg_local)
local keys_exist local keys_exist
keys_exist=$($GPGLOCAL -n --list-keys) keys_exist=$($gpg_local -n --list-keys)
if [[ -z "$keys_exist" ]]; then if [[ -z "$keys_exist" ]]; then
_abort "$error_message" _abort "$error_message"
fi fi
@ -236,17 +386,35 @@ function _get_encrypted_filename {
} }
function _get_users_in_keyring { function _parse_keyring_users {
# First argument must be a `sed` pattern
local sed_pattern="$1"
local result local result
result=$($GPGLOCAL --list-public-keys --with-colon | sed -n 's/.*<\(.*\)>.*/\1/p')
local gpg_local
gpg_local=$(_get_gpg_local)
result=$($gpg_local --list-public-keys --with-colon | sed -n "$sed_pattern")
echo "$result" echo "$result"
} }
function _get_users_in_keyring {
# This function is required to show the users in the keyring.
# `whoknows` command uses it internally.
# It basically just parses the `gpg` public keys
_parse_keyring_users 's/.*<\(.*\)>.*/\1/p'
}
function _get_recepients { function _get_recepients {
local result # This function is required to create an encrypted file for different users.
result=$($GPGLOCAL --list-public-keys --with-colon | sed -n 's/.*<\(.*\)>.*/-r\1/p') # These users are called 'recepients' in the `gpg` terms.
echo "$result" # It basically just parses the `gpg` public keys
_parse_keyring_users 's/.*<\(.*\)>.*/-r\1/p'
} }
@ -278,9 +446,9 @@ function _decrypt {
fi fi
if [[ ! -z "$passphrase" ]]; then if [[ ! -z "$passphrase" ]]; then
echo "$passphrase" | $base --batch --yes --no-tty --passphrase-fd 0 \ echo "$passphrase" | $base --quiet --batch --yes --no-tty --passphrase-fd 0 \
"$encrypted_filename" > /dev/null 2>&1 "$encrypted_filename"
else else
$base "$encrypted_filename" > /dev/null 2>&1 $base --quiet "$encrypted_filename"
fi fi
} }

44
src/commands/git_secret_add.sh
Unescape Escape View File

@ -2,12 +2,12 @@
function add { function add {
local auto_add=0 local auto_ignore=0
OPTIND=1 OPTIND=1
while getopts "ih" opt; do while getopts "ih" opt; do
case "$opt" in case "$opt" in
i) auto_add=1;; i) auto_ignore=1;;
h) _show_manual_for "add";; h) _show_manual_for "add";;
esac esac
@ -18,29 +18,41 @@ function add {
_user_required _user_required
# Checking if all files are correct (ignored and inside the repo):
local not_ignored=() local not_ignored=()
local items=( "$@" ) local items=( "$@" )
# Checking if all files in options are ignored:
for item in "${items[@]}"; do for item in "${items[@]}"; do
# Checking if all files in options are ignored: local path # absolute path
if [[ ! -f "$item" ]]; then local normalized_path # relative to the .git dir
normalized_path=$(_git_normalize_filename "$item")
path=$(_append_root_path "$normalized_path")
# Checking that file is valid:
if [[ ! -f "$path" ]]; then
_abort "$item is not a file." _abort "$item is not a file."
fi fi
# Checking that it is ignored:
local ignored local ignored
ignored=$(_check_ignore "$item") ignored=$(_check_ignore "$path")
if [[ ! "$ignored" -eq 0 ]]; then
# Collect unignored files. if [[ "$ignored" -ne 0 ]]; then
not_ignored+=("$item") # Collect unignored files:
not_ignored+=("$normalized_path")
fi fi
done done
# Are there any uningnored files?
if [[ ! "${#not_ignored[@]}" -eq 0 ]]; then if [[ ! "${#not_ignored[@]}" -eq 0 ]]; then
# And show them all at once. # And show them all at once.
local message local message
message="these files are not ignored: $* ;" message="these files are not ignored: $* ;"
if [[ "$auto_add" -eq 0 ]]; then if [[ "$auto_ignore" -eq 0 ]]; then
# This file is not ignored. user don't want it to be added automatically. # This file is not ignored. user don't want it to be added automatically.
# Raise the exception, since all files, which will be hidden, must be ignored. # Raise the exception, since all files, which will be hidden, must be ignored.
_abort "$message" _abort "$message"
@ -55,14 +67,22 @@ function add {
fi fi
fi fi
# Adding files to path mappings:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
for item in "${items[@]}"; do for item in "${items[@]}"; do
local path
path=$(_git_normalize_filename "$item")
# Adding files into system, skipping duplicates. # Adding files into system, skipping duplicates.
local already_in local already_in
already_in=$(_file_has_line "$item" "$SECRETS_DIR_PATHS_MAPPING") already_in=$(_file_has_line "$path" "$path_mappings")
if [[ "$already_in" -eq 1 ]]; then if [[ "$already_in" -eq 1 ]]; then
echo "$item" >> "$SECRETS_DIR_PATHS_MAPPING" echo "$path" >> "$path_mappings"
fi fi
done done
echo "${#@} items added." echo "${#@} item(s) added."
} }

24
src/commands/git_secret_changes.sh
Unescape Escape View File

@ -21,9 +21,9 @@ function changes {
_user_required _user_required
local filenames="$*" local filenames="$*"
if [[ -z $filenames ]]; then if [[ -z "$filenames" ]]; then
# Checking if no filenames are passed, show diff for all files. # Checking if no filenames are passed, show diff for all files.
filenames=$(git secret list) filenames=$(_list_all_added_files)
fi fi
IFS=' IFS='
@ -31,17 +31,27 @@ function changes {
for filename in $filenames; do for filename in $filenames; do
local decrypted local decrypted
local content
local diff_result local diff_result
local path # absolute path
local normalized_path # relative to the .git dir
normalized_path=$(_git_normalize_filename "$filename")
if [[ ! -z "$normalized_path" ]]; then
path=$(_append_root_path "$normalized_path")
else
# Path was already normalized
path=$(_append_root_path "$filename")
fi
# Now we have all the data required: # Now we have all the data required:
decrypted=$(_decrypt "$filename" "0" "0" "$homedir" "$passphrase") decrypted=$(_decrypt "$path" "0" "0" "$homedir" "$passphrase")
content=$(cat "$filename")
# Let's diff the result: # Let's diff the result:
diff_result=$(diff <(echo "$decrypted") <(echo "$content")) || true diff_result=$(diff -u <(echo "$decrypted") "$path") || true
# There was a bug in the previous version, since `diff` returns # There was a bug in the previous version, since `diff` returns
# exit code `1` when the files are different. # exit code `1` when the files are different.
echo "changes in ${filename}: ${diff_result}" echo "changes in ${path}:"
echo "${diff_result}"
done done
} }

25
src/commands/git_secret_hide.sh
Unescape Escape View File

@ -16,6 +16,9 @@ function _optional_delete {
local verbose=${2:-""} local verbose=${2:-""}
if [[ $delete -eq 1 ]]; then if [[ $delete -eq 1 ]]; then
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
# We use custom formating here: # We use custom formating here:
if [[ ! -z "$verbose" ]]; then if [[ ! -z "$verbose" ]]; then
echo && echo 'removing unencrypted files:' echo && echo 'removing unencrypted files:'
@ -24,13 +27,12 @@ function _optional_delete {
while read -r line; do while read -r line; do
# So the formating would not be repeated several times here: # So the formating would not be repeated several times here:
_find_and_clean "*$line" "$verbose" _find_and_clean "*$line" "$verbose"
done < "$SECRETS_DIR_PATHS_MAPPING" done < "$path_mappings"
if [[ ! -z "$verbose" ]]; then if [[ ! -z "$verbose" ]]; then
echo echo
fi fi
fi fi
} }
@ -63,6 +65,11 @@ function hide {
# before creating new ones. # before creating new ones.
_optional_clean "$clean" "$verbose" _optional_clean "$clean" "$verbose"
# Encrypting files:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
local counter=0 local counter=0
while read -r line; do while read -r line; do
local encrypted_filename local encrypted_filename
@ -71,12 +78,20 @@ function hide {
local recipients local recipients
recipients=$(_get_recepients) recipients=$(_get_recepients)
local gpg_local
gpg_local=$(_get_gpg_local)
local input_path
local output_path
input_path=$(_append_root_path "$line")
output_path=$(_append_root_path "$encrypted_filename")
# shellcheck disable=2086 # shellcheck disable=2086
$GPGLOCAL --use-agent --yes --trust-model=always --encrypt \ $gpg_local --use-agent --yes --trust-model=always --encrypt \
$recipients -o "$encrypted_filename" "$line" $recipients -o "$output_path" "$input_path"
counter=$((counter+1)) counter=$((counter+1))
done < "$SECRETS_DIR_PATHS_MAPPING" done < "$path_mappings"
# If -d option was provided, it would delete the source files # If -d option was provided, it would delete the source files
# after we have already hidden them. # after we have already hidden them.

20
src/commands/git_secret_init.sh
Unescape Escape View File

@ -13,19 +13,21 @@ function init {
shift $((OPTIND-1)) shift $((OPTIND-1))
[ "$1" = '--' ] && shift [ "$1" = '--' ] && shift
if [[ -d "$SECRETS_DIR" ]]; then # Check if '.gitsecret/' already exists:
local git_secret_dir
git_secret_dir=$(_get_secrets_dir)
if [[ -d "$git_secret_dir" ]]; then
_abort 'already inited.' _abort 'already inited.'
fi fi
local ignores # Check if it is ignored:
ignores=$(_check_ignore "$SECRETS_DIR"/) _secrets_dir_is_not_ignored
if [[ ! $ignores -eq 1 ]]; then # Create internal files:
_abort "'${SECRETS_DIR}/' is ignored."
fi
mkdir "$SECRETS_DIR" "$SECRETS_DIR_KEYS" "$SECRETS_DIR_PATHS" mkdir "$git_secret_dir" "$(_get_secrets_dir_keys)" "$(_get_secrets_dir_path)"
touch "$SECRETS_DIR_KEYS_MAPPING" "$SECRETS_DIR_PATHS_MAPPING" touch "$(_get_secrets_dir_keys_mapping)" "$(_get_secrets_dir_paths_mapping)"
echo "'${SECRETS_DIR}/' created." echo "'$git_secret_dir/' created."
} }

12
src/commands/git_secret_killperson.sh
Unescape Escape View File

@ -15,13 +15,23 @@ function killperson {
_user_required _user_required
# Command logic:
local emails=( "$@" ) local emails=( "$@" )
if [[ ${#emails[@]} -eq 0 ]]; then if [[ ${#emails[@]} -eq 0 ]]; then
_abort "at least one email is required." _abort "at least one email is required."
fi fi
# Getting the local `gpg` command:
local gpg_local
gpg_local=$(_get_gpg_local)
for email in "${emails[@]}"; do for email in "${emails[@]}"; do
$GPGLOCAL --batch --yes --delete-key "$email" $gpg_local --batch --yes --delete-key "$email"
done done
echo 'removed keys.'
echo "now [$*] do not have an access to the repository."
echo 'make sure to hide the existing secrets again.'
} }

9
src/commands/git_secret_list.sh
Unescape Escape View File

@ -15,11 +15,6 @@ function list {
_user_required _user_required
if [[ ! -s "$SECRETS_DIR_PATHS_MAPPING" ]]; then # Command logic:
_abort "$SECRETS_DIR_PATHS_MAPPING is missing." _list_all_added_files
fi
while read -r line; do
echo "$line"
done < "$SECRETS_DIR_PATHS_MAPPING"
} }

28
src/commands/git_secret_remove.sh
Unescape Escape View File

@ -20,21 +20,35 @@ function remove {
# Validate if user exists: # Validate if user exists:
_user_required _user_required
# Command logic:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
for item in "$@"; do for item in "$@"; do
if [[ ! -f "$item" ]]; then local path # absolute path
local normalized_path # relative to .git folder
normalized_path=$(_git_normalize_filename "$item")
path=$(_append_root_path "$normalized_path")
echo "$item -> $normalized_path -> $path"
# Checking if file exists:
if [[ ! -f "$path" ]]; then
_abort "$item is not a file." _abort "$item is not a file."
fi fi
_delete_line "$item" "$SECRETS_DIR_PATHS_MAPPING" # Deleting it from path mappings:
rm -f "${SECRETS_DIR_PATHS_MAPPING}.bak" # not all systems create '.bak' _delete_line "$normalized_path" "$path_mappings"
rm -f "${path_mappings}.bak" # not all systems create '.bak'
if [[ "$clean" == 1 ]]; then # Optional clean:
if [[ "$clean" -eq 1 ]]; then
local encrypted_filename local encrypted_filename
encrypted_filename=$(_get_encrypted_filename "$item") encrypted_filename=$(_get_encrypted_filename "$path")
rm -f "$encrypted_filename" rm "$encrypted_filename" # fail on error
fi fi
done done
echo 'removed from index.' echo 'removed from index.'

12
src/commands/git_secret_reveal.sh
Unescape Escape View File

@ -25,13 +25,21 @@ function reveal {
_user_required _user_required
# Command logic:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
local counter=0 local counter=0
while read -r line; do while read -r line; do
local path
path=$(_append_root_path "$line")
# The parameters are: filename, write-to-file, force, homedir, passphrase # The parameters are: filename, write-to-file, force, homedir, passphrase
_decrypt "$line" "1" "$force" "$homedir" "$passphrase" _decrypt "$path" "1" "$force" "$homedir" "$passphrase"
counter=$((counter+1)) counter=$((counter+1))
done < "$SECRETS_DIR_PATHS_MAPPING" done < "$path_mappings"
echo "done. all $counter files are revealed." echo "done. all $counter files are revealed."
} }

5
src/commands/git_secret_tell.sh
Unescape Escape View File

@ -26,6 +26,7 @@ function tell {
# Validates that application is inited: # Validates that application is inited:
_secrets_dir_exists _secrets_dir_exists
# Command logic:
emails=( "$@" ) emails=( "$@" )
local git_email local git_email
@ -64,7 +65,9 @@ function tell {
fi fi
# Importing public key to the local keychain: # Importing public key to the local keychain:
$GPGLOCAL --import "$keyfile" > /dev/null 2>&1 local gpg_local
gpg_local=$(_get_gpg_local)
$gpg_local --import "$keyfile" > /dev/null 2>&1
done done
echo "done. ${emails[*]} added as someone who know(s) the secret." echo "done. ${emails[*]} added as someone who know(s) the secret."

18
src/main.sh
Unescape Escape View File

@ -6,19 +6,18 @@ function _check_setup {
# Checking git and secret-plugin setup: # Checking git and secret-plugin setup:
local is_tree local is_tree
is_tree=$(_is_inside_git_tree) is_tree=$(_is_inside_git_tree)
if [[ ! $is_tree -eq 0 ]]; then if [[ "$is_tree" -ne 0 ]]; then
_abort "repository is broken. try running 'git init' or 'git clone'." _abort "repository is broken. try running 'git init' or 'git clone'."
fi fi
# Checking if the '.gitsecret' is not ignored: # Checking if the '.gitsecret' is not ignored:
local ignored _secrets_dir_is_not_ignored
ignored=$(_check_ignore ".gitsecret/")
if [[ ! $ignored -eq 1 ]]; then
_abort '.gitsecret folder is ignored.'
fi
# Checking gpg setup: # Checking gpg setup:
local secring="$SECRETS_DIR_KEYS/secring.gpg" local keys_dir
keys_dir=$(_get_secrets_dir_keys)
local secring="$keys_dir/secring.gpg"
if [[ -f $secring ]] && [[ -s $secring ]]; then if [[ -f $secring ]] && [[ -s $secring ]]; then
# secring.gpg is not empty, someone has imported a private key. # secring.gpg is not empty, someone has imported a private key.
_abort 'it seems that someone has imported a secret key.' _abort 'it seems that someone has imported a secret key.'
@ -67,7 +66,10 @@ function _init_script {
_check_setup _check_setup
# Routing the input command: # Routing the input command:
if [[ $(_function_exists "$1") == 0 ]] && [[ ! $1 == _* ]]; then local function_exists
function_exists=$(_function_exists "$1")
if [[ "$function_exists" == 0 ]] && [[ ! $1 == _* ]]; then
$1 "${@:2}" $1 "${@:2}"
else # TODO: elif [[ $(_plugin_exists $1) == 0 ]]; then else # TODO: elif [[ $(_plugin_exists $1) == 0 ]]; then
_incorrect_usage "command $1 not found." 126 _incorrect_usage "command $1 not found." 126

10
tests/_test_base.bash
Unescape Escape View File

@ -15,6 +15,8 @@ TEST_GPG_HOMEDIR="$BATS_TMPDIR"
# GPG-based stuff: # GPG-based stuff:
: "${SECRETS_GPG_COMMAND:="gpg"}" : "${SECRETS_GPG_COMMAND:="gpg"}"
# This command is used with absolute homedir set and disabled warnings:
GPGTEST="$SECRETS_GPG_COMMAND --homedir=$TEST_GPG_HOMEDIR --no-permission-warning" GPGTEST="$SECRETS_GPG_COMMAND --homedir=$TEST_GPG_HOMEDIR --no-permission-warning"
@ -153,6 +155,7 @@ function remove_git_repository {
function set_state_initial { function set_state_initial {
cd "$BATS_TMPDIR" || exit 1 cd "$BATS_TMPDIR" || exit 1
rm -rf "${BATS_TMPDIR:?}/*"
} }
@ -197,8 +200,11 @@ function unset_current_state {
# removes .secret files: # removes .secret files:
git secret clean > /dev/null 2>&1 git secret clean > /dev/null 2>&1
# unsets `secret_add`, `secret_tell` and `secret_init` # unsets `secret_add`, `secret_tell` and `secret_init` by removing $_SECRETS_DIR
rm -rf "$SECRETS_DIR" local secrets_dir
secrets_dir=$(_get_secrets_dir)
rm -rf "$secrets_dir"
rm -rf ".gitignore" rm -rf ".gitignore"
# unsets `git` state # unsets `git` state

161
tests/test_add.bats
Unescape Escape View File

@ -19,83 +19,174 @@ function teardown {
} }
@test "run 'add' normally" {
# Preparations:
local filename="local_file"
echo "content" > "$filename"
echo "$filename" > ".gitignore"
run git secret add "$filename"
[ "$status" -eq 0 ]
# Ensuring that path mappings was set correctly:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
local files_list=$(cat "$path_mappings")
[ "$files_list" = "$filename" ]
# Cleaning up:
rm "$filename" ".gitignore"
}
@test "run 'add' for unignored file" { @test "run 'add' for unignored file" {
local TEST_FILE='test_file' local test_file='test_file'
touch "$TEST_FILE" touch "$test_file"
echo "content" > "$TEST_FILE" echo "content" > "$test_file"
run git secret add "$TEST_FILE" run git secret add "$test_file"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
rm -f "$TEST_FILE" rm "$test_file"
} }
@test "run 'add' for unignored file with '-i'" { @test "run 'add' for unignored file with '-i'" {
local TEST_FILE='test_file.auto_ignore' local test_file='test_file.auto_ignore'
touch "$TEST_FILE" touch "$test_file"
echo "content" > "$TEST_FILE" echo "content" > "$test_file"
run git secret add -i "$TEST_FILE" run git secret add -i "$test_file"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
run _file_has_line "$TEST_FILE" ".gitignore" run _file_has_line "$test_file" ".gitignore"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
rm -f "$TEST_FILE" rm "$test_file"
} }
@test "run 'add' normally" { @test "run 'add' for unignored file with '-i' in subfolder" {
local filename="local_file" # This test covers this issue:
echo "content" > "$filename" # https://github.com/sobolevn/git-secret/issues/85 task 1
echo "$filename" > ".gitignore"
run git secret add "$filename" if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
skip "this test is skiped while 'git commmit'"
fi
# Preparations:
local test_dir='test_dir'
local nested_dir="$test_dir/adding"
local current_dir=$(pwd)
mkdir -p "$nested_dir"
cd "$nested_dir"
local test_file='test_file.auto_ignore'
touch "$test_file"
echo "content" > "$test_file"
# Test commands:
run git secret add -i "$test_file"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
rm -f "$filename" ".gitignore" run _file_has_line "$test_file" "../.gitignore"
[ "$status" -eq 0 ]
local files_list=$(cat "$SECRETS_DIR_PATHS_MAPPING") # .gitignore was not created:
[ "$files_list" = "$filename" ] [[ ! -f ".gitignore" ]]
# Cleaning up:
cd "$current_dir"
rm -r "$test_dir"
} }
@test "run 'add' for file in subdirectory" { @test "run 'add' for relative path" {
local TEST_FILE='test_file' if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
local TEST_DIR='test_dir' skip "this test is skiped while 'git commmit'"
fi
# Prepations:
local root='test_dir'
local node="$root/node"
local sibling="$root/sibling"
local test_file="$node/test_file"
local current_dir=$(pwd)
mkdir -p "$node"
mkdir -p "$sibling"
mkdir -p "$TEST_DIR" echo "content" > "$test_file"
touch "$TEST_DIR/$TEST_FILE" echo "$test_file" > ".gitignore"
echo "content" > "$TEST_DIR/$TEST_FILE"
echo "$TEST_DIR/$TEST_FILE" > ".gitignore"
run git secret add "$TEST_DIR/$TEST_FILE" cd "$sibling"
# Testing:
run git secret add "../node/test_file"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[[ "$output" == *"1 items added."* ]] [[ "$output" == *"1 item(s) added."* ]]
# Testing mappings content:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
rm -rf "$TEST_DIR" local files_list=$(cat "$path_mappings")
[ "$files_list" = "$test_file" ]
# Cleaning up:
cd "$current_dir"
rm -r "$root"
}
@test "run 'add' for file in subfolder" {
# Preparations:
local test_file='test_file'
local test_dir='test_dir'
mkdir -p "$test_dir"
touch "$test_dir/$test_file"
echo "content" > "$test_dir/$test_file"
echo "$test_dir/$test_file" > ".gitignore"
# Testing:
run git secret add "$test_dir/$test_file"
[ "$status" -eq 0 ]
[[ "$output" == *"1 item(s) added."* ]]
# Cleaning up:
rm -r "$test_dir"
} }
@test "run 'add' twice for one file" { @test "run 'add' twice for one file" {
# Preparations:
local filename="local_file" local filename="local_file"
echo "content" > "$filename" echo "content" > "$filename"
echo "$filename" > ".gitignore" echo "$filename" > ".gitignore"
# Testing:
run git secret add "$filename" run git secret add "$filename"
run git secret add "$filename" run git secret add "$filename"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ "$output" = "1 items added." ] [ "$output" = "1 item(s) added." ]
rm -f "$filename" ".gitignore" # Ensuring that path mappings was set correctly:
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
local files_list=`cat "$SECRETS_DIR_PATHS_MAPPING"` local files_list=$(cat "$path_mappings")
[ "$files_list" = "$filename" ] [ "$files_list" = "$filename" ]
# Cleaning up:
rm "$filename" ".gitignore"
} }
@test "run 'add' for multiple files" { @test "run 'add' for multiple files" {
# Preparations:
local filename1="local_file1" local filename1="local_file1"
echo "content1" > "$filename1" echo "content1" > "$filename1"
echo "$filename1" > ".gitignore" echo "$filename1" > ".gitignore"
@ -104,9 +195,11 @@ function teardown {
echo "content2" > "$filename2" echo "content2" > "$filename2"
echo "$filename2" >> ".gitignore" echo "$filename2" >> ".gitignore"
# Testing:
run git secret add "$filename1" "$filename2" run git secret add "$filename1" "$filename2"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ "$output" = "2 items added." ] [ "$output" = "2 item(s) added." ]
rm -f "$filename1" "$filename2" ".gitignore" # Cleaning up:
rm "$filename1" "$filename2" ".gitignore"
} }

46
tests/test_changes.bats
Unescape Escape View File

@ -23,9 +23,10 @@ function setup {
function teardown { function teardown {
rm "$FILE_TO_HIDE" "$SECOND_FILE_TO_HIDE"
uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT" uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT"
unset_current_state unset_current_state
rm -f "$FILE_TO_HIDE"
} }
@ -38,13 +39,31 @@ function teardown {
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Testing that output has both filename and changes: # Testing that output has both filename and changes:
[[ "$output" == *"changes in $FILE_TO_HIDE"* ]] local fullpath=$(_append_root_path "$FILE_TO_HIDE")
[[ "$output" == *"$new_content"* ]] [[ "$output" == *"changes in $fullpath"* ]]
[[ "$output" == *"+$new_content"* ]]
}
@test "run 'changes' with one file changed (with deletions)" {
local password=$(test_user_password "$TEST_DEFAULT_USER")
local new_content="replace"
echo "$new_content" > "$FILE_TO_HIDE"
run git secret changes -d "$TEST_GPG_HOMEDIR" -p "$password" "$FILE_TO_HIDE"
[ "$status" -eq 0 ]
# Testing that output has both filename and changes:
local fullpath=$(_append_root_path "$FILE_TO_HIDE")
[[ "$output" == *"changes in $fullpath"* ]]
[[ "$output" == *"-$FILE_CONTENTS"* ]]
[[ "$output" == *"+$new_content"* ]]
} }
@test "run 'changes' without changes" { @test "run 'changes' without changes" {
local password=$(test_user_password "$TEST_DEFAULT_USER") local password=$(test_user_password "$TEST_DEFAULT_USER")
run git secret changes -d "$TEST_GPG_HOMEDIR" -p "$password" run git secret changes -d "$TEST_GPG_HOMEDIR" -p "$password"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
} }
@ -61,13 +80,16 @@ function teardown {
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Testing that output has both filename and changes: # Testing that output has both filename and changes:
[[ "$output" == *"changes in $FILE_TO_HIDE"* ]] local fullpath=$(_append_root_path "$FILE_TO_HIDE")
[[ "$output" == *"$new_content"* ]] [[ "$output" == *"changes in $fullpath"* ]]
[[ "$output" == *"+$new_content"* ]]
[[ "$output" == *"changes in $SECOND_FILE_TO_HIDE"* ]] local second_path=$(_append_root_path "$SECOND_FILE_TO_HIDE")
[[ "$output" == *"$second_file_to_hide"* ]] [[ "$output" == *"changes in $second_path"* ]]
[[ "$output" == *"+$second_new_content"* ]]
} }
@test "run 'changes' with multiple selected files changed" { @test "run 'changes' with multiple selected files changed" {
local password=$(test_user_password "$TEST_DEFAULT_USER") local password=$(test_user_password "$TEST_DEFAULT_USER")
local new_content="new content" local new_content="new content"
@ -81,9 +103,11 @@ function teardown {
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Testing that output has both filename and changes: # Testing that output has both filename and changes:
[[ "$output" == *"changes in $FILE_TO_HIDE"* ]] local fullpath=$(_append_root_path "$FILE_TO_HIDE")
[[ "$output" == *"$new_content"* ]] [[ "$output" == *"changes in $fullpath"* ]]
[[ "$output" == *"+$new_content"* ]]
[[ "$output" == *"changes in $SECOND_FILE_TO_HIDE"* ]] local second_path=$(_append_root_path "$SECOND_FILE_TO_HIDE")
[[ "$output" == *"$second_file_to_hide"* ]] [[ "$output" == *"changes in $second_path"* ]]
[[ "$output" == *"+$second_new_content"* ]]
} }

8
tests/test_clean.bats
Unescape Escape View File

@ -23,12 +23,12 @@ function setup {
function teardown { function teardown {
# This also needs to be cleaned:
rm "$FIRST_FILE" "$SECOND_FILE"
rm -r "$FOLDER"
uninstall_fixture_key "$TEST_DEFAULT_USER" uninstall_fixture_key "$TEST_DEFAULT_USER"
unset_current_state unset_current_state
# This also needs to be cleaned:
rm -f "$FIRST_FILE" "$SECOND_FILE"
rm -rf "$FOLDER"
} }

37
tests/test_hide.bats
Unescape Escape View File

@ -18,10 +18,10 @@ function setup {
function teardown { function teardown {
rm "$FILE_TO_HIDE"
uninstall_fixture_key $TEST_DEFAULT_USER uninstall_fixture_key $TEST_DEFAULT_USER
unset_current_state unset_current_state
rm -f "$FILE_TO_HIDE"
} }
@ -48,6 +48,9 @@ function teardown {
run git secret hide run git secret hide
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[ "$output" = "done. all 2 files are hidden." ] [ "$output" = "done. all 2 files are hidden." ]
# Cleaning up:
rm "$second_file"
} }
@ -72,6 +75,8 @@ function teardown {
run git secret hide -d run git secret hide -d
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
ls && pwd
# File must be removed: # File must be removed:
[ ! -f "$FILE_TO_HIDE" ] [ ! -f "$FILE_TO_HIDE" ]
} }
@ -81,12 +86,40 @@ function teardown {
run git secret hide -v -d run git secret hide -v -d
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
ls && pwd
# File must be removed:
[ ! -f "$FILE_TO_HIDE" ]
# It should be verbose:
[[ "$output" == *"removing unencrypted files"* ]]
[[ "$output" == *"$FILE_TO_HIDE"* ]]
}
@test "run 'hide' with '-d' and '-v' and files in subdirectories" {
# Preparations:
local root_dir='test_sub_dir'
mkdir -p "$root_dir"
local second_file="$root_dir/second_file.txt"
local second_content="some content"
set_state_secret_add "$second_file" "$second_content"
# Verify that the second file is there:
[ -f "$second_file" ]
# Now it should hide 2 files:
run git secret hide -v -d
[ "$status" -eq 0 ]
# File must be removed: # File must be removed:
[ ! -f "$FILE_TO_HIDE" ] [ ! -f "$FILE_TO_HIDE" ]
[ ! -f "$second_file" ]
# It should be verbose: # It should be verbose:
[[ "$output" == *"removing unencrypted files"* ]] [[ "$output" == *"removing unencrypted files"* ]]
[[ "$output" == *"$FILE_TO_HIDE"* ]] [[ "$output" == *"$FILE_TO_HIDE"* ]]
[[ "$output" == *"$second_file"* ]]
} }

41
tests/test_init.bats
Unescape Escape View File

@ -25,11 +25,50 @@ function teardown {
@test "run 'init' normally" { @test "run 'init' normally" {
run git secret init run git secret init
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
[[ -d "${_SECRETS_DIR}" ]]
}
@test "run 'init' in subfolder" {
# This test covers this issue:
# https://github.com/sobolevn/git-secret/issues/83
if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
skip "this test is skiped while 'git commmit'"
fi
# Preparations
local test_dir='test_dir'
local nested_dir="$test_dir/nested/dirs"
local current_dir=$(pwd)
mkdir -p "$nested_dir"
cd "$nested_dir"
# Test:
run git secret init
[ "$status" -eq 0 ]
# It should not be created in the current folder:
[[ ! -d "${_SECRETS_DIR}" ]]
# It should be created here:
local secrets_dir
secrets_dir=$(_get_secrets_dir)
[[ -d "$secrets_dir" ]]
# Cleaning up:
cd "$current_dir"
rm -r "$test_dir"
} }
@test "run 'init' with '.gitsecret' already inited" { @test "run 'init' with '.gitsecret' already inited" {
mkdir "$SECRETS_DIR" local secrets_dir
secrets_dir=$(_get_secrets_dir)
mkdir "$secrets_dir"
run git secret init run git secret init
[ "$output" = "already inited. abort." ] [ "$output" = "already inited. abort." ]

29
tests/test_killperson.bats
Unescape Escape View File

@ -25,10 +25,28 @@ function teardown {
} }
@test "run 'killperson' normally" { @test "run 'killperson' with key name" {
run git secret killperson "$TEST_DEFAULT_USER" run git secret killperson "$TEST_DEFAULT_USER"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Testing output:
[[ "$output" == *"$TEST_DEFAULT_USER"* ]]
# Then whoknows must return an error with status code 1:
run git secret whoknows
[ "$status" -eq 1 ]
}
@test "run 'killperson' with email" {
local email=$(test_user_email "$TEST_DEFAULT_USER")
run git secret killperson "$email"
[ "$status" -eq 0 ]
# Testing output:
[[ "$output" == *"$email"* ]]
# Then whoknows must return an error with status code 1: # Then whoknows must return an error with status code 1:
run git secret whoknows run git secret whoknows
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
@ -40,9 +58,16 @@ function teardown {
install_fixture_key "$TEST_SECOND_USER" install_fixture_key "$TEST_SECOND_USER"
set_state_secret_tell "$TEST_SECOND_USER" set_state_secret_tell "$TEST_SECOND_USER"
run git secret killperson "$TEST_DEFAULT_USER" "$TEST_SECOND_USER" local default_email=$(test_user_email "$TEST_DEFAULT_USER")
local second_email=$(test_user_email "$TEST_SECOND_USER")
run git secret killperson "$default_email" "$second_email"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Testing output:
[[ "$output" == *"$default_email"* ]]
[[ "$output" == *"$second_email"* ]]
# Nothing to show: # Nothing to show:
run git secret whoknows run git secret whoknows
[ "$status" -eq 1 ] [ "$status" -eq 1 ]

6
tests/test_list.bats
Unescape Escape View File

@ -18,10 +18,10 @@ function setup {
function teardown { function teardown {
rm "$FILE_TO_HIDE"
uninstall_fixture_key $TEST_DEFAULT_USER uninstall_fixture_key $TEST_DEFAULT_USER
unset_current_state unset_current_state
rm -f "$FILE_TO_HIDE"
} }
@ -45,7 +45,7 @@ function teardown {
[[ "$output" == *"$second_file"* ]] [[ "$output" == *"$second_file"* ]]
# Cleaning up: # Cleaning up:
rm -f "$second_file" rm "$second_file"
} }

2
tests/test_main.bats
Unescape Escape View File

@ -34,7 +34,7 @@ function teardown {
@test "run 'git secret --dry-run'" { @test "run 'git secret --dry-run'" {
# We will break things apart, so normally it won't run: # We will break things apart, so normally it won't run:
rm -rf ".git" rm -r "./.git"
# This must fail: # This must fail:
run git secret usage run git secret usage

41
tests/test_remove.bats
Unescape Escape View File

@ -5,9 +5,6 @@ load _test_base
FIRST_FILE="file_to_hide1" FIRST_FILE="file_to_hide1"
SECOND_FILE="file_to_hide2" SECOND_FILE="file_to_hide2"
FOLDER="somedir"
FILE_IN_FOLDER="${FOLDER}/file_to_hide3"
function setup { function setup {
install_fixture_key "$TEST_DEFAULT_USER" install_fixture_key "$TEST_DEFAULT_USER"
@ -23,17 +20,20 @@ function setup {
function teardown { function teardown {
rm "$FIRST_FILE" "$SECOND_FILE"
uninstall_fixture_key "$TEST_DEFAULT_USER" uninstall_fixture_key "$TEST_DEFAULT_USER"
unset_current_state unset_current_state
# This also needs to be cleaned:
rm -f "$FIRST_FILE" "$SECOND_FILE"
rm -rf "$FOLDER"
} }
function _has_line { function _has_line {
local result=$(grep -q "$1" "$SECRETS_DIR_PATHS_MAPPING"; echo $?) local line="$1"
local path_mappings
path_mappings=$(_get_secrets_dir_paths_mapping)
local result=$(grep -q "$line" "$path_mappings"; echo $?)
echo "$result" echo "$result"
} }
@ -42,6 +42,10 @@ function _has_line {
run git secret remove "$SECOND_FILE" run git secret remove "$SECOND_FILE"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
# Test output:
[[ "$output" == *"removed from index."* ]]
[[ "$output" == *"ensure that files: [$SECOND_FILE] are now not ignored."* ]]
# Mapping should not contain the second file: # Mapping should not contain the second file:
local mapping_contains=$(_has_line "$SECOND_FILE") local mapping_contains=$(_has_line "$SECOND_FILE")
[ "$mapping_contains" -eq 1 ] [ "$mapping_contains" -eq 1 ]
@ -83,27 +87,32 @@ function _has_line {
# see https://github.com/sobolevn/git-secret/issues/23 # see https://github.com/sobolevn/git-secret/issues/23
# Prepartions: # Prepartions:
mkdir -p "$FOLDER" local folder="somedir"
set_state_secret_add "$FILE_IN_FOLDER" "somecontent3" local file_in_folder="$folder/file_to_hide3"
mkdir -p "$folder"
set_state_secret_add "$file_in_folder" "somecontent3"
set_state_secret_hide # runing hide again to hide new data set_state_secret_hide # runing hide again to hide new data
# Now it should remove filename with slashes from the mapping: # Now it should remove filename with slashes from the mapping:
run git secret remove "$FILE_IN_FOLDER" run git secret remove "$file_in_folder"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
local mapping_contains=$(_has_line "$FILE_IN_FOLDER") local mapping_contains=$(_has_line "$file_in_folder")
[ "$mapping_contains" -eq 1 ] [ "$mapping_contains" -eq 1 ]
local enctypted_file=$(_get_encrypted_filename $FILE_IN_FOLDER) local enctypted_file=$(_get_encrypted_filename $file_in_folder)
[ -f "$enctypted_file" ] [ -f "$enctypted_file" ]
# Cleaning up:
rm -r "$folder"
} }
@test "run 'remove' with '-c'" { @test "run 'remove' with '-c'" {
git secret hide set_state_secret_hide
run git secret remove -c "$SECOND_FILE" run git secret remove -c "$SECOND_FILE"
echo "$output"
[ "$status" -eq 0 ] [ "$status" -eq 0 ]
local mapping_contains=$(_has_line "$SECOND_FILE") local mapping_contains=$(_has_line "$SECOND_FILE")
@ -111,6 +120,8 @@ function _has_line {
local first_enctypted_file=$(_get_encrypted_filename $FIRST_FILE) local first_enctypted_file=$(_get_encrypted_filename $FIRST_FILE)
local second_enctypted_file=$(_get_encrypted_filename $SECOND_FILE) local second_enctypted_file=$(_get_encrypted_filename $SECOND_FILE)
echo "$output"
echo "$first_enctypted_file and $second_enctypted_file"
[ -f "$first_enctypted_file" ] [ -f "$first_enctypted_file" ]
[ ! -f "$second_enctypted_file" ] [ ! -f "$second_enctypted_file" ]

12
tests/test_reveal.bats
Unescape Escape View File

@ -21,10 +21,10 @@ function setup {
function teardown { function teardown {
rm "$FILE_TO_HIDE"
uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT" uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT"
unset_current_state unset_current_state
rm -f "$FILE_TO_HIDE"
} }
@ -40,12 +40,12 @@ function teardown {
cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2"
rm -f "${FILE_TO_HIDE}2" rm "${FILE_TO_HIDE}2"
} }
@test "run 'reveal' with '-f'" { @test "run 'reveal' with '-f'" {
rm -f "$FILE_TO_HIDE" rm "$FILE_TO_HIDE"
local password=$(test_user_password "$TEST_DEFAULT_USER") local password=$(test_user_password "$TEST_DEFAULT_USER")
run git secret reveal -f -d "$TEST_GPG_HOMEDIR" -p "$password" run git secret reveal -f -d "$TEST_GPG_HOMEDIR" -p "$password"
@ -56,7 +56,7 @@ function teardown {
@test "run 'reveal' with wrong password" { @test "run 'reveal' with wrong password" {
rm -f "$FILE_TO_HIDE" rm "$FILE_TO_HIDE"
run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "WRONG" run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "WRONG"
[ "$status" -eq 2 ] [ "$status" -eq 2 ]
@ -66,7 +66,7 @@ function teardown {
@test "run 'reveal' for attacker" { @test "run 'reveal' for attacker" {
# Preparations # Preparations
rm -f "$FILE_TO_HIDE" rm "$FILE_TO_HIDE"
local atacker_fingerprint=$(install_fixture_full_key "$TEST_ATTACKER_USER") local atacker_fingerprint=$(install_fixture_full_key "$TEST_ATTACKER_USER")
local password=$(test_user_password "$TEST_ATTACKER_USER") local password=$(test_user_password "$TEST_ATTACKER_USER")

8
tests/test_reveal_filename.bats
Unescape Escape View File

@ -26,16 +26,18 @@ function setup {
function teardown { function teardown {
rm "$FILE_TO_HIDE"
uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT" uninstall_fixture_full_key "$TEST_DEFAULT_USER" "$FINGERPRINT"
unset_current_state unset_current_state
rm -f "$FILE_TO_HIDE"
export SECRETS_EXTENSION="$OLD_SECRETS_EXTENSION" export SECRETS_EXTENSION="$OLD_SECRETS_EXTENSION"
} }
@test "run 'reveal' with different file extension" { @test "run 'reveal' with different file extension" {
cp "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" cp "$FILE_TO_HIDE" "${FILE_TO_HIDE}2"
rm -f "$FILE_TO_HIDE" rm "$FILE_TO_HIDE"
local password=$(test_user_password "$TEST_DEFAULT_USER") local password=$(test_user_password "$TEST_DEFAULT_USER")
run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password" run git secret reveal -d "$TEST_GPG_HOMEDIR" -p "$password"
@ -45,5 +47,5 @@ function teardown {
cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2"
rm -f "${FILE_TO_HIDE}2" rm "${FILE_TO_HIDE}2"
} }

41
tests/test_tell.bats
Unescape Escape View File

@ -41,7 +41,10 @@ function teardown {
@test "run 'tell' with secret-key imported" { @test "run 'tell' with secret-key imported" {
local private_key="$SECRETS_DIR_KEYS/secring.gpg" local secrets_dir_keys
secrets_dir_keys=$(_get_secrets_dir_keys)
local private_key="$secrets_dir_keys/secring.gpg"
echo "private key" > "$private_key" echo "private key" > "$private_key"
[ -s "$private_key" ] [ -s "$private_key" ]
@ -51,7 +54,10 @@ function teardown {
@test "run 'tell' without '.gitsecret'" { @test "run 'tell' without '.gitsecret'" {
rm -rf "$SECRETS_DIR" local secrets_dir
secrets_dir=$(_get_secrets_dir)
rm -r "$secrets_dir"
run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_DEFAULT_USER" run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_DEFAULT_USER"
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
@ -116,3 +122,34 @@ function teardown {
# Cleaning up: # Cleaning up:
uninstall_fixture_key "$TEST_SECOND_USER" uninstall_fixture_key "$TEST_SECOND_USER"
} }
@test "run 'tell' in subfolder" {
if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
skip "this test is skiped while 'git commmit'"
fi
# Preparations
local root_dir='test_dir'
local test_dir="$root_dir/telling"
local current_dir=$(pwd)
mkdir -p "$test_dir"
cd "$test_dir"
# Test:
run git secret tell -d "$TEST_GPG_HOMEDIR" "$TEST_DEFAULT_USER"
[ "$status" -eq 0 ]
# Testing that now user is found:
run _user_required
[ "$status" -eq 0 ]
# Testing that now user is in the list of people who knows the secret:
run git secret whoknows
[[ "$output" == *"$TEST_DEFAULT_USER"* ]]
# Cleaning up:
cd "$current_dir"
rm -r "$root_dir"
}

1
tests/test_usage.bats
Unescape Escape View File

@ -30,6 +30,7 @@ function teardown {
@test "run 'usage' with ignored '.gitsecret/'" { @test "run 'usage' with ignored '.gitsecret/'" {
echo ".gitsecret/" >> ".gitignore" echo ".gitsecret/" >> ".gitignore"
run git secret usage run git secret usage
[ "$status" -eq 1 ] [ "$status" -eq 1 ]
} }

27
tests/test_whoknows.bats
Unescape Escape View File

@ -32,6 +32,33 @@ function teardown {
} }
@test "run 'whoknows' in subfolder" {
if [[ "$BATS_RUNNING_FROM_GIT" -eq 1 ]]; then
skip "this test is skiped while 'git commmit'"
fi
# Preparations:
local current_dir=$(pwd)
local root_dir='test_dir'
local test_dir="$root_dir/subfolders/case"
mkdir -p "$test_dir"
cd "$test_dir"
# Test:
run git secret whoknows
[ "$status" -eq 0 ]
# Now test the output, both users should be present:
[[ "$output" == *"$TEST_DEFAULT_USER"* ]]
[[ "$output" == *"$TEST_SECOND_USER"* ]]
# Cleaning up:
cd "$current_dir"
rm -r "$root_dir"
}
@test "run 'whoknows' without any users" { @test "run 'whoknows' without any users" {
# Preparations, removing users: # Preparations, removing users:
local email1=$(test_user_email "$TEST_DEFAULT_USER") local email1=$(test_user_email "$TEST_DEFAULT_USER")

5
utils/hooks/post-commit.sh
Unescape Escape View File

@ -4,10 +4,10 @@ set -e
BRANCH_NAME=$(git branch | grep '\*' | sed 's/* //') BRANCH_NAME=$(git branch | grep '\*' | sed 's/* //')
if [[ "$BRANCH_NAME" == 'staging' ]]; then if [[ "$BRANCH_NAME" == 'master' ]]; then
# Build new web documentation: # Build new web documentation:
make build-gh-pages make build-gh-pages
# Compare script version and the latest tag: # Compare script version and the latest tag:
NEWEST_TAG=$(git describe --abbrev=0 --tags) NEWEST_TAG=$(git describe --abbrev=0 --tags)
SCRIPT_VERSION=$(bash "${PWD}/git-secret" --version) SCRIPT_VERSION=$(bash "${PWD}/git-secret" --version)
@ -15,5 +15,6 @@ if [[ "$BRANCH_NAME" == 'staging' ]]; then
if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then if [[ "$NEWEST_TAG" != "v${SCRIPT_VERSION}" ]]; then
# Create new release: # Create new release:
git tag -a "v${SCRIPT_VERSION}" -m "version $SCRIPT_VERSION" git tag -a "v${SCRIPT_VERSION}" -m "version $SCRIPT_VERSION"
echo "Created new tag 'v${SCRIPT_VERSION}'"
fi fi
fi fi

7
utils/hooks/pre-commit.sh
Unescape Escape View File

@ -7,10 +7,15 @@ BRANCH_NAME=$(git branch | grep '\*' | sed 's/* //')
if [[ "$BRANCH_NAME" != '(no branch)' ]]; then if [[ "$BRANCH_NAME" != '(no branch)' ]]; then
unset GIT_WORK_TREE unset GIT_WORK_TREE
# Set marker, that we running tests from `git commit`,
# so some tests will be skiped. It is done, because `git rev-parse`
# is not working when running from pre-commit hook.
export BATS_RUNNING_FROM_GIT=1
# Run tests: # Run tests:
make test make test
if [[ "$BRANCH_NAME" == "staging" ]]; then if [[ "$BRANCH_NAME" == "master" ]]; then
# Build new manuals: # Build new manuals:
make build-man make build-man

Write Preview
Loading…
Cancel
Save