renovate/lib/config/decrypt.js

const is = require('@sindresorhus/is');
const crypto = require('crypto');
const { maskToken } = require('../datasource/npm');

module.exports = {
  decryptConfig,
};

function decryptConfig(config, privateKey) {
  logger.trace({ config }, 'decryptConfig()');
  const decryptedConfig = { ...config };
  for (const [key, val] of Object.entries(config)) {
    if (key === 'encrypted' && is.object(val)) {
      logger.debug({ config: val }, 'Found encrypted config');
      if (privateKey) {
        for (const [eKey, eVal] of Object.entries(val)) {
          try {
            const decryptedStr = crypto
              .privateDecrypt(privateKey, Buffer.from(eVal, 'base64'))
              .toString();
            logger.info(`Decrypted ${eKey}`);
            if (eKey === 'npmToken') {
              const token = decryptedStr.replace(/\n$/, '');
              logger.info(
                { token: maskToken(token) },
                'Migrating npmToken to npmrc'
              );
              if (decryptedConfig.npmrc) {
                /* eslint-disable no-template-curly-in-string */
                if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {
                  logger.debug('Replacing ${NPM_TOKEN} with decrypted token');
                  decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                    '${NPM_TOKEN}',
                    token
                  );
                } else {
                  logger.debug(
                    'Appending _authToken= to end of existing npmrc'
                  );
                  decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                    /\n?$/,
                    `\n_authToken=${token}\n`
                  );
                }
                /* eslint-enable no-template-curly-in-string */
              } else {
                decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
              }
            } else {
              decryptedConfig[eKey] = decryptedStr;
            }
          } catch (err) {
            logger.warn({ err }, `Error decrypting ${eKey}`);
          }
        }
      } else {
        logger.error('Found encrypted data but no privateKey');
      }
      delete decryptedConfig.encrypted;
    } else if (is.array(val)) {
      decryptedConfig[key] = [];
      val.forEach(item => {
        if (is.object(item) && !is.array(item)) {
          decryptedConfig[key].push(decryptConfig(item, privateKey));
        } else {
          decryptedConfig[key].push(item);
        }
      });
    } else if (is.object(val) && key !== 'content') {
      decryptedConfig[key] = decryptConfig(val, privateKey);
    }
  }
  delete decryptedConfig.encrypted;
  logger.trace({ config: decryptedConfig }, 'decryptedConfig');
  return decryptedConfig;
}
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`const is = require('@sindresorhus/is');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`const crypto = require('crypto');`
logs: log masked token after decryption 2018-07-03 12:21:29 +00:00			`const { maskToken } = require('../datasource/npm');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00
			`module.exports = {`
			`decryptConfig,`
			`};`

refactor: use global logger (#1116) 2017-11-08 05:44:03 +00:00			`function decryptConfig(config, privateKey) {`
chore: reduce logger.debug volume 2018-03-27 19:57:02 +00:00			`logger.trace({ config }, 'decryptConfig()');`
refactor: perform decrypt as part of merge renovate.json (#1086) Also clarify docs that encrypted config must be contained in renovate.json (i.e. not package.json). 2017-11-03 06:51:44 +00:00			`const decryptedConfig = { ...config };`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [key, val] of Object.entries(config)) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (key === 'encrypted' && is.object(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`logger.debug({ config: val }, 'Found encrypted config');`
			`if (privateKey) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [eKey, eVal] of Object.entries(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`try {`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`const decryptedStr = crypto`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`.privateDecrypt(privateKey, Buffer.from(eVal, 'base64'))`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`.toString();`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			logger.info(`Decrypted ${eKey}`);
			`if (eKey === 'npmToken') {`
fix(npm): strip trailing \n from npmToken 2018-07-03 12:45:13 +00:00			`const token = decryptedStr.replace(/\n$/, '');`
chore: fix prettier formatting 2018-07-03 13:05:06 +00:00			`logger.info(`
			`{ token: maskToken(token) },`
			`'Migrating npmToken to npmrc'`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`if (decryptedConfig.npmrc) {`
			`/* eslint-disable no-template-curly-in-string */`
			`if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {`
			`logger.debug('Replacing ${NPM_TOKEN} with decrypted token');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`'${NPM_TOKEN}',`
			`token`
			`);`
			`} else {`
			`logger.debug(`
			`'Appending _authToken= to end of existing npmrc'`
			`);`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`/\n?$/,`
			`\n_authToken=${token}\n`
			`);`
			`}`
			`/* eslint-enable no-template-curly-in-string */`
			`} else {`
			decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
			`}`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`} else {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`decryptedConfig[eKey] = decryptedStr;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`}`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} catch (err) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			logger.warn({ err }, `Error decrypting ${eKey}`);
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`} else {`
			`logger.error('Found encrypted data but no privateKey');`
			`}`
			`delete decryptedConfig.encrypted;`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.array(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`decryptedConfig[key] = [];`
			`val.forEach(item => {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (is.object(item) && !is.array(item)) {`
refactor: use global logger (#1116) 2017-11-08 05:44:03 +00:00			`decryptedConfig[key].push(decryptConfig(item, privateKey));`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} else {`
			`decryptedConfig[key].push(item);`
			`}`
			`});`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.object(val) && key !== 'content') {`
			`decryptedConfig[key] = decryptConfig(val, privateKey);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`delete decryptedConfig.encrypted;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`logger.trace({ config: decryptedConfig }, 'decryptedConfig');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`return decryptedConfig;`
			`}`