renovate/lib/config/decrypt.ts

import crypto from 'crypto';
import is from '@sindresorhus/is';
import * as openpgp from 'openpgp';
import { logger } from '../logger';
import { maskToken } from '../util/mask';
import { add } from '../util/sanitize';
import { getGlobalConfig } from './global';
import type { RenovateConfig } from './types';

export async function tryDecryptPgp(
  privateKey: string,
  encryptedStr: string
): Promise<string | null> {
  if (encryptedStr.length < 500) {
    // optimization during transition of public key -> pgp
    return null;
  }
  try {
    const pk = await openpgp.readPrivateKey({
      // prettier-ignore
      armoredKey: privateKey.replace(/\n[ \t]+/g, '\n'), // little massage to help a common problem
    });
    const startBlock = '-----BEGIN PGP MESSAGE-----\n\n';
    const endBlock = '\n-----END PGP MESSAGE-----';
    let armoredMessage = encryptedStr.trim();
    if (!armoredMessage.startsWith(startBlock)) {
      armoredMessage = `${startBlock}${armoredMessage}`;
    }
    if (!armoredMessage.endsWith(endBlock)) {
      armoredMessage = `${armoredMessage}${endBlock}`;
    }
    const message = await openpgp.readMessage({
      armoredMessage,
    });
    const { data } = await openpgp.decrypt({
      message,
      decryptionKeys: pk,
    });
    logger.debug('Decrypted config using openpgp');
    return data;
  } catch (err) {
    logger.debug({ err }, 'Could not decrypt using openpgp');
    return null;
  }
}

export function tryDecryptPublicKeyDefault(
  privateKey: string,
  encryptedStr: string
): string | null {
  let decryptedStr: string = null;
  try {
    decryptedStr = crypto
      .privateDecrypt(privateKey, Buffer.from(encryptedStr, 'base64'))
      .toString();
    logger.debug('Decrypted config using default padding');
  } catch (err) {
    logger.debug('Could not decrypt using default padding');
  }
  return decryptedStr;
}

export function tryDecryptPublicKeyPKCS1(
  privateKey: string,
  encryptedStr: string
): string | null {
  let decryptedStr: string = null;
  try {
    decryptedStr = crypto
      .privateDecrypt(
        {
          key: privateKey,
          padding: crypto.constants.RSA_PKCS1_PADDING,
        },
        Buffer.from(encryptedStr, 'base64')
      )
      .toString();
  } catch (err) {
    logger.debug('Could not decrypt using PKCS1 padding');
  }
  return decryptedStr;
}

export async function tryDecrypt(
  privateKey: string,
  encryptedStr: string,
  repository: string
): Promise<string | null> {
  let decryptedStr: string = null;
  if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {
    const decryptedObjStr = await tryDecryptPgp(privateKey, encryptedStr);
    if (decryptedObjStr) {
      try {
        const decryptedObj = JSON.parse(decryptedObjStr);
        const { o: org, r: repo, v: value } = decryptedObj;
        if (is.nonEmptyString(value)) {
          if (is.nonEmptyString(org)) {
            const orgName = org.replace(/\/$/, ''); // Strip trailing slash
            if (is.nonEmptyString(repo)) {
              const scopedRepository = `${orgName}/${repo}`;
              if (scopedRepository === repository) {
                decryptedStr = value;
              } else {
                logger.debug(
                  { scopedRepository },
                  'Secret is scoped to a different repository'
                );
                const error = new Error('config-validation');
                error.validationError = `Encrypted secret is scoped to a different repository: ${scopedRepository}.`;
                throw error;
              }
            } else {
              const scopedOrg = `${orgName}/`;
              if (repository.startsWith(scopedOrg)) {
                decryptedStr = value;
              } else {
                logger.debug(
                  { scopedOrg },
                  'Secret is scoped to a different org'
                );
                const error = new Error('config-validation');
                error.validationError = `Encrypted secret is scoped to a different org" ${scopedOrg}.`;
                throw error;
              }
            }
          } else {
            const error = new Error('config-validation');
            error.validationError = `Encrypted value in config is missing a scope.`;
            throw error;
          }
        } else {
          const error = new Error('config-validation');
          error.validationError = `Encrypted value in config is missing a value.`;
          throw error;
        }
      } catch (err) {
        logger.warn({ err }, 'Could not parse decrypted string');
      }
    }
  } else {
    decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);
    if (!is.string(decryptedStr)) {
      decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);
    }
  }
  return decryptedStr;
}

export async function decryptConfig(
  config: RenovateConfig,
  repository: string
): Promise<RenovateConfig> {
  logger.trace({ config }, 'decryptConfig()');
  const decryptedConfig = { ...config };
  const { privateKey, privateKeyOld } = getGlobalConfig();
  for (const [key, val] of Object.entries(config)) {
    if (key === 'encrypted' && is.object(val)) {
      logger.debug({ config: val }, 'Found encrypted config');
      if (privateKey) {
        for (const [eKey, eVal] of Object.entries(val)) {
          logger.debug('Trying to decrypt ' + eKey);
          let decryptedStr = await tryDecrypt(privateKey, eVal, repository);
          if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {
            logger.debug(`Trying to decrypt with old private key`);
            decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);
          }
          if (!is.nonEmptyString(decryptedStr)) {
            const error = new Error('config-validation');
            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
            throw error;
          }
          logger.debug(`Decrypted ${eKey}`);
          if (eKey === 'npmToken') {
            const token = decryptedStr.replace(/\n$/, '');
            add(token);
            logger.debug(
              { decryptedToken: maskToken(token) },
              'Migrating npmToken to npmrc'
            );
            if (is.string(decryptedConfig.npmrc)) {
              /* eslint-disable no-template-curly-in-string */
              if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {
                logger.debug('Replacing ${NPM_TOKEN} with decrypted token');
                decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                  /\${NPM_TOKEN}/g,
                  token
                );
              } else {
                logger.debug('Appending _authToken= to end of existing npmrc');
                decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                  /\n?$/,
                  `\n_authToken=${token}\n`
                );
              }
              /* eslint-enable no-template-curly-in-string */
            } else {
              logger.debug('Adding npmrc to config');
              decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
            }
          } else {
            decryptedConfig[eKey] = decryptedStr;
            add(decryptedStr);
          }
        }
      } else {
        logger.error('Found encrypted data but no privateKey');
      }
      delete decryptedConfig.encrypted;
    } else if (is.array(val)) {
      decryptedConfig[key] = [];
      for (const item of val) {
        if (is.object(item) && !is.array(item)) {
          (decryptedConfig[key] as RenovateConfig[]).push(
            await decryptConfig(item as RenovateConfig, repository)
          );
        } else {
          (decryptedConfig[key] as unknown[]).push(item);
        }
      }
    } else if (is.object(val) && key !== 'content') {
      decryptedConfig[key] = await decryptConfig(
        val as RenovateConfig,
        repository
      );
    }
  }
  delete decryptedConfig.encrypted;
  logger.trace({ config: decryptedConfig }, 'decryptedConfig');
  return decryptedConfig;
}
feat(config): convert to ts (#4299) 2019-08-23 13:46:31 +00:00			`import crypto from 'crypto';`
chore: import linting (#6105) 2020-05-01 16:03:48 +00:00			`import is from '@sindresorhus/is';`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`import * as openpgp from 'openpgp';`
feat(config): convert to ts (#4299) 2019-08-23 13:46:31 +00:00			`import { logger } from '../logger';`
			`import { maskToken } from '../util/mask';`
fix(logging): sanitize known token (#5917) 2020-05-16 10:35:41 +00:00			`import { add } from '../util/sanitize';`
chore: rename config/admin -> config/global 2021-08-15 06:21:08 +00:00			`import { getGlobalConfig } from './global';`
refactor: optimize type usage (#8947) 2021-03-02 20:44:55 +00:00			`import type { RenovateConfig } from './types';`
refactor: add js type check (#4098) 2019-07-17 08:14:56 +00:00
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function tryDecryptPgp(`
			`privateKey: string,`
			`encryptedStr: string`
			`): Promise<string \| null> {`
			`if (encryptedStr.length < 500) {`
			`// optimization during transition of public key -> pgp`
			`return null;`
			`}`
			`try {`
			`const pk = await openpgp.readPrivateKey({`
			`// prettier-ignore`
			`armoredKey: privateKey.replace(/\n[ \t]+/g, '\n'), // little massage to help a common problem`
			`});`
			`const startBlock = '-----BEGIN PGP MESSAGE-----\n\n';`
			`const endBlock = '\n-----END PGP MESSAGE-----';`
			`let armoredMessage = encryptedStr.trim();`
			`if (!armoredMessage.startsWith(startBlock)) {`
			armoredMessage = `${startBlock}${armoredMessage}`;
			`}`
			`if (!armoredMessage.endsWith(endBlock)) {`
			armoredMessage = `${armoredMessage}${endBlock}`;
			`}`
			`const message = await openpgp.readMessage({`
			`armoredMessage,`
			`});`
			`const { data } = await openpgp.decrypt({`
			`message,`
			`decryptionKeys: pk,`
			`});`
			`logger.debug('Decrypted config using openpgp');`
			`return data;`
			`} catch (err) {`
			`logger.debug({ err }, 'Could not decrypt using openpgp');`
			`return null;`
			`}`
			`}`

feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`export function tryDecryptPublicKeyDefault(`
			`privateKey: string,`
			`encryptedStr: string`
			`): string \| null {`
			`let decryptedStr: string = null;`
			`try {`
			`decryptedStr = crypto`
			`.privateDecrypt(privateKey, Buffer.from(encryptedStr, 'base64'))`
			`.toString();`
			`logger.debug('Decrypted config using default padding');`
			`} catch (err) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`logger.debug('Could not decrypt using default padding');`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

			`export function tryDecryptPublicKeyPKCS1(`
			`privateKey: string,`
			`encryptedStr: string`
			`): string \| null {`
			`let decryptedStr: string = null;`
			`try {`
			`decryptedStr = crypto`
			`.privateDecrypt(`
			`{`
			`key: privateKey,`
			`padding: crypto.constants.RSA_PKCS1_PADDING,`
			`},`
			`Buffer.from(encryptedStr, 'base64')`
			`)`
			`.toString();`
			`} catch (err) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`logger.debug('Could not decrypt using PKCS1 padding');`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function tryDecrypt(`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`privateKey: string,`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`encryptedStr: string,`
			`repository: string`
			`): Promise<string \| null> {`
			`let decryptedStr: string = null;`
			`if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {`
			`const decryptedObjStr = await tryDecryptPgp(privateKey, encryptedStr);`
			`if (decryptedObjStr) {`
			`try {`
			`const decryptedObj = JSON.parse(decryptedObjStr);`
			`const { o: org, r: repo, v: value } = decryptedObj;`
			`if (is.nonEmptyString(value)) {`
			`if (is.nonEmptyString(org)) {`
			`const orgName = org.replace(/\/$/, ''); // Strip trailing slash`
			`if (is.nonEmptyString(repo)) {`
			const scopedRepository = `${orgName}/${repo}`;
			`if (scopedRepository === repository) {`
			`decryptedStr = value;`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`logger.debug(`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`{ scopedRepository },`
			`'Secret is scoped to a different repository'`
			`);`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted secret is scoped to a different repository: ${scopedRepository}.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} else {`
			const scopedOrg = `${orgName}/`;
			`if (repository.startsWith(scopedOrg)) {`
			`decryptedStr = value;`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`logger.debug(`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`{ scopedOrg },`
			`'Secret is scoped to a different org'`
			`);`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted secret is scoped to a different org" ${scopedOrg}.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`}`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted value in config is missing a scope.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted value in config is missing a value.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} catch (err) {`
			`logger.warn({ err }, 'Could not parse decrypted string');`
			`}`
			`}`
			`} else {`
			`decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);`
			`if (!is.string(decryptedStr)) {`
			`decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);`
			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function decryptConfig(`
			`config: RenovateConfig,`
			`repository: string`
			`): Promise<RenovateConfig> {`
chore: reduce logger.debug volume 2018-03-27 19:57:02 +00:00			`logger.trace({ config }, 'decryptConfig()');`
refactor: perform decrypt as part of merge renovate.json (#1086) Also clarify docs that encrypted config must be contained in renovate.json (i.e. not package.json). 2017-11-03 06:51:44 +00:00			`const decryptedConfig = { ...config };`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`const { privateKey, privateKeyOld } = getGlobalConfig();`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [key, val] of Object.entries(config)) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (key === 'encrypted' && is.object(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`logger.debug({ config: val }, 'Found encrypted config');`
			`if (privateKey) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [eKey, eVal] of Object.entries(val)) {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Trying to decrypt ' + eKey);`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`let decryptedStr = await tryDecrypt(privateKey, eVal, repository);`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {`
			logger.debug(`Trying to decrypt with old private key`);
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`if (!is.nonEmptyString(decryptedStr)) {`
			`const error = new Error('config-validation');`
			error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
			`throw error;`
			`}`
			logger.debug(`Decrypted ${eKey}`);
			`if (eKey === 'npmToken') {`
			`const token = decryptedStr.replace(/\n$/, '');`
			`add(token);`
			`logger.debug(`
			`{ decryptedToken: maskToken(token) },`
			`'Migrating npmToken to npmrc'`
			`);`
			`if (is.string(decryptedConfig.npmrc)) {`
			`/* eslint-disable no-template-curly-in-string */`
			`if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {`
			`logger.debug('Replacing ${NPM_TOKEN} with decrypted token');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`/\${NPM_TOKEN}/g,`
			`token`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`} else {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Appending _authToken= to end of existing npmrc');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`/\n?$/,`
			`\n_authToken=${token}\n`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`/* eslint-enable no-template-curly-in-string */`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`} else {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Adding npmrc to config');`
			decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`} else {`
			`decryptedConfig[eKey] = decryptedStr;`
			`add(decryptedStr);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`} else {`
			`logger.error('Found encrypted data but no privateKey');`
			`}`
			`delete decryptedConfig.encrypted;`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.array(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`decryptedConfig[key] = [];`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`for (const item of val) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (is.object(item) && !is.array(item)) {`
chore(types): fix more typescript types (#5615) 2020-03-02 11:06:16 +00:00			`(decryptedConfig[key] as RenovateConfig[]).push(`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`await decryptConfig(item as RenovateConfig, repository)`
chore(types): fix more typescript types (#5615) 2020-03-02 11:06:16 +00:00			`);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} else {`
build(deps): update dependency @sindresorhus/is to v3.1.0 (#6867) Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Michael Kriese <michael.kriese@visualon.de> 2020-07-30 04:54:20 +00:00			`(decryptedConfig[key] as unknown[]).push(item);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.object(val) && key !== 'content') {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedConfig[key] = await decryptConfig(`
			`val as RenovateConfig,`
			`repository`
			`);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`delete decryptedConfig.encrypted;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`logger.trace({ config: decryptedConfig }, 'decryptedConfig');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`return decryptedConfig;`
			`}`