renovate/lib/config/decrypt.js

const is = require('@sindresorhus/is');
const crypto = require('crypto');
const { maskToken } = require('../util/mask');

module.exports = {
  decryptConfig,
};

function decryptConfig(config, privateKey) {
  logger.trace({ config }, 'decryptConfig()');
  const decryptedConfig = { ...config };
  for (const [key, val] of Object.entries(config)) {
    if (key === 'encrypted' && is.object(val)) {
      logger.debug({ config: val }, 'Found encrypted config');
      if (privateKey) {
        for (const [eKey, eVal] of Object.entries(val)) {
          try {
            let decryptedStr;
            try {
              logger.debug('Trying default padding for ' + eKey);
              decryptedStr = crypto
                .privateDecrypt(privateKey, Buffer.from(eVal, 'base64'))
                .toString();
              logger.info('Decrypted config using default padding');
            } catch (err) {
              logger.debug('Trying RSA_PKCS1_PADDING for ' + eKey);
              decryptedStr = crypto
                .privateDecrypt(
                  {
                    key: privateKey,
                    padding: crypto.constants.RSA_PKCS1_PADDING,
                  },
                  Buffer.from(eVal, 'base64')
                )
                .toString();
              // let it throw if the above fails
            }
            // istanbul ignore if
            if (!decryptedStr.length) {
              throw new Error('empty string');
            }
            logger.info(`Decrypted ${eKey}`);
            if (eKey === 'npmToken') {
              const token = decryptedStr.replace(/\n$/, '');
              logger.info(
                { decryptedToken: maskToken(token) },
                'Migrating npmToken to npmrc'
              );
              if (decryptedConfig.npmrc) {
                /* eslint-disable no-template-curly-in-string */
                if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {
                  logger.debug('Replacing ${NPM_TOKEN} with decrypted token');
                  decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                    '${NPM_TOKEN}',
                    token
                  );
                } else {
                  logger.debug(
                    'Appending _authToken= to end of existing npmrc'
                  );
                  decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                    /\n?$/,
                    `\n_authToken=${token}\n`
                  );
                }
                /* eslint-enable no-template-curly-in-string */
              } else {
                logger.debug('Adding npmrc to config');
                decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
              }
            } else {
              decryptedConfig[eKey] = decryptedStr;
            }
          } catch (err) {
            logger.warn({ err }, `Error decrypting ${eKey}`);
          }
        }
      } else {
        logger.error('Found encrypted data but no privateKey');
      }
      delete decryptedConfig.encrypted;
    } else if (is.array(val)) {
      decryptedConfig[key] = [];
      val.forEach(item => {
        if (is.object(item) && !is.array(item)) {
          decryptedConfig[key].push(decryptConfig(item, privateKey));
        } else {
          decryptedConfig[key].push(item);
        }
      });
    } else if (is.object(val) && key !== 'content') {
      decryptedConfig[key] = decryptConfig(val, privateKey);
    }
  }
  delete decryptedConfig.encrypted;
  logger.trace({ config: decryptedConfig }, 'decryptedConfig');
  return decryptedConfig;
}
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`const is = require('@sindresorhus/is');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`const crypto = require('crypto');`
refactor: Extract mask token function from npm datasource to utils (#3040) Helps with https://github.com/renovatebot/renovate/pull/3039 😄 2019-01-07 05:38:24 +00:00			`const { maskToken } = require('../util/mask');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00
			`module.exports = {`
			`decryptConfig,`
			`};`

refactor: use global logger (#1116) 2017-11-08 05:44:03 +00:00			`function decryptConfig(config, privateKey) {`
chore: reduce logger.debug volume 2018-03-27 19:57:02 +00:00			`logger.trace({ config }, 'decryptConfig()');`
refactor: perform decrypt as part of merge renovate.json (#1086) Also clarify docs that encrypted config must be contained in renovate.json (i.e. not package.json). 2017-11-03 06:51:44 +00:00			`const decryptedConfig = { ...config };`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [key, val] of Object.entries(config)) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (key === 'encrypted' && is.object(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`logger.debug({ config: val }, 'Found encrypted config');`
			`if (privateKey) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [eKey, eVal] of Object.entries(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`try {`
feat: support encryption with RSA_PKCS1_PADDING Renovate will now attempt to decrypt with existing default padding, and if that fails then try with RSA_PKCS1_PADDING. 2018-08-22 09:00:19 +00:00			`let decryptedStr;`
			`try {`
fix(decrypt): throw error for empty string 2019-01-24 12:41:23 +00:00			`logger.debug('Trying default padding for ' + eKey);`
feat: support encryption with RSA_PKCS1_PADDING Renovate will now attempt to decrypt with existing default padding, and if that fails then try with RSA_PKCS1_PADDING. 2018-08-22 09:00:19 +00:00			`decryptedStr = crypto`
			`.privateDecrypt(privateKey, Buffer.from(eVal, 'base64'))`
			`.toString();`
refactor: log default padding decrypt 2019-01-24 14:24:46 +00:00			`logger.info('Decrypted config using default padding');`
feat: support encryption with RSA_PKCS1_PADDING Renovate will now attempt to decrypt with existing default padding, and if that fails then try with RSA_PKCS1_PADDING. 2018-08-22 09:00:19 +00:00			`} catch (err) {`
fix(decrypt): throw error for empty string 2019-01-24 12:41:23 +00:00			`logger.debug('Trying RSA_PKCS1_PADDING for ' + eKey);`
feat: support encryption with RSA_PKCS1_PADDING Renovate will now attempt to decrypt with existing default padding, and if that fails then try with RSA_PKCS1_PADDING. 2018-08-22 09:00:19 +00:00			`decryptedStr = crypto`
			`.privateDecrypt(`
			`{`
			`key: privateKey,`
			`padding: crypto.constants.RSA_PKCS1_PADDING,`
			`},`
			`Buffer.from(eVal, 'base64')`
			`)`
			`.toString();`
			`// let it throw if the above fails`
			`}`
tests: fix coverage 2019-01-25 05:36:07 +00:00			`// istanbul ignore if`
fix(decrypt): throw error for empty string 2019-01-24 12:41:23 +00:00			`if (!decryptedStr.length) {`
			`throw new Error('empty string');`
			`}`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			logger.info(`Decrypted ${eKey}`);
			`if (eKey === 'npmToken') {`
fix(npm): strip trailing \n from npmToken 2018-07-03 12:45:13 +00:00			`const token = decryptedStr.replace(/\n$/, '');`
chore: fix prettier formatting 2018-07-03 13:05:06 +00:00			`logger.info(`
refactor: log masked decrypted token 2019-01-24 12:19:38 +00:00			`{ decryptedToken: maskToken(token) },`
chore: fix prettier formatting 2018-07-03 13:05:06 +00:00			`'Migrating npmToken to npmrc'`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`if (decryptedConfig.npmrc) {`
			`/* eslint-disable no-template-curly-in-string */`
			`if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {`
			`logger.debug('Replacing ${NPM_TOKEN} with decrypted token');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`'${NPM_TOKEN}',`
			`token`
			`);`
			`} else {`
			`logger.debug(`
			`'Appending _authToken= to end of existing npmrc'`
			`);`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
			`/\n?$/,`
			`\n_authToken=${token}\n`
			`);`
			`}`
			`/* eslint-enable no-template-curly-in-string */`
			`} else {`
refactor: log npmrc 2018-07-06 14:56:29 +00:00			`logger.debug('Adding npmrc to config');`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
			`}`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`} else {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`decryptedConfig[eKey] = decryptedStr;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`}`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} catch (err) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			logger.warn({ err }, `Error decrypting ${eKey}`);
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`} else {`
			`logger.error('Found encrypted data but no privateKey');`
			`}`
			`delete decryptedConfig.encrypted;`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.array(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`decryptedConfig[key] = [];`
			`val.forEach(item => {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (is.object(item) && !is.array(item)) {`
refactor: use global logger (#1116) 2017-11-08 05:44:03 +00:00			`decryptedConfig[key].push(decryptConfig(item, privateKey));`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} else {`
			`decryptedConfig[key].push(item);`
			`}`
			`});`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.object(val) && key !== 'content') {`
			`decryptedConfig[key] = decryptConfig(val, privateKey);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`delete decryptedConfig.encrypted;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`logger.trace({ config: decryptedConfig }, 'decryptedConfig');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`return decryptedConfig;`
			`}`