renovate/lib/config/decrypt.ts

import crypto from 'node:crypto';
import is from '@sindresorhus/is';
import * as openpgp from 'openpgp';
import { logger } from '../logger';
import { maskToken } from '../util/mask';
import { regEx } from '../util/regex';
import { addSecretForSanitizing } from '../util/sanitize';
import { ensureTrailingSlash } from '../util/url';
import { GlobalConfig } from './global';
import { DecryptedObject } from './schema';
import type { RenovateConfig } from './types';

export async function tryDecryptPgp(
  privateKey: string,
  encryptedStr: string
): Promise<string | null> {
  if (encryptedStr.length < 500) {
    // optimization during transition of public key -> pgp
    return null;
  }
  try {
    const pk = await openpgp.readPrivateKey({
      // prettier-ignore
      armoredKey: privateKey.replace(regEx(/\n[ \t]+/g), '\n'), // little massage to help a common problem
    });
    const startBlock = '-----BEGIN PGP MESSAGE-----\n\n';
    const endBlock = '\n-----END PGP MESSAGE-----';
    let armoredMessage = encryptedStr.trim();
    if (!armoredMessage.startsWith(startBlock)) {
      armoredMessage = `${startBlock}${armoredMessage}`;
    }
    if (!armoredMessage.endsWith(endBlock)) {
      armoredMessage = `${armoredMessage}${endBlock}`;
    }
    const message = await openpgp.readMessage({
      armoredMessage,
    });
    const { data } = await openpgp.decrypt({
      message,
      decryptionKeys: pk,
    });
    logger.debug('Decrypted config using openpgp');
    return data;
  } catch (err) {
    logger.debug({ err }, 'Could not decrypt using openpgp');
    return null;
  }
}

export function tryDecryptPublicKeyDefault(
  privateKey: string,
  encryptedStr: string
): string | null {
  let decryptedStr: string | null = null;
  try {
    decryptedStr = crypto
      .privateDecrypt(privateKey, Buffer.from(encryptedStr, 'base64'))
      .toString();
    logger.debug('Decrypted config using default padding');
  } catch (err) {
    logger.debug('Could not decrypt using default padding');
  }
  return decryptedStr;
}

export function tryDecryptPublicKeyPKCS1(
  privateKey: string,
  encryptedStr: string
): string | null {
  let decryptedStr: string | null = null;
  try {
    decryptedStr = crypto
      .privateDecrypt(
        {
          key: privateKey,
          padding: crypto.constants.RSA_PKCS1_PADDING,
        },
        Buffer.from(encryptedStr, 'base64')
      )
      .toString();
  } catch (err) {
    logger.debug('Could not decrypt using PKCS1 padding');
  }
  return decryptedStr;
}

export async function tryDecrypt(
  privateKey: string,
  encryptedStr: string,
  repository: string
): Promise<string | null> {
  let decryptedStr: string | null = null;
  if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {
    const decryptedObjStr = await tryDecryptPgp(privateKey, encryptedStr);
    if (decryptedObjStr) {
      try {
        const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);
        // istanbul ignore if
        if (!decryptedObj.success) {
          const error = new Error('config-validation');
          error.validationError = `Could not parse decrypted config.`;
          throw error;
        }

        const { o: org, r: repo, v: value } = decryptedObj.data;
        if (is.nonEmptyString(value)) {
          if (is.nonEmptyString(org)) {
            const orgPrefixes = org
              .split(',')
              .map((o) => o.trim())
              .map((o) => o.toUpperCase())
              .map((o) => ensureTrailingSlash(o));
            if (is.nonEmptyString(repo)) {
              const scopedRepos = orgPrefixes.map((orgPrefix) =>
                `${orgPrefix}${repo}`.toUpperCase()
              );
              if (scopedRepos.some((r) => r === repository.toUpperCase())) {
                decryptedStr = value;
              } else {
                logger.debug(
                  { scopedRepos },
                  'Secret is scoped to a different repository'
                );
                const error = new Error('config-validation');
                error.validationError = `Encrypted secret is scoped to a different repository: "${scopedRepos.join(
                  ','
                )}".`;
                throw error;
              }
            } else {
              if (
                orgPrefixes.some((orgPrefix) =>
                  repository.toUpperCase().startsWith(orgPrefix)
                )
              ) {
                decryptedStr = value;
              } else {
                logger.debug(
                  { orgPrefixes },
                  'Secret is scoped to a different org'
                );
                const error = new Error('config-validation');
                error.validationError = `Encrypted secret is scoped to a different org: "${orgPrefixes.join(
                  ','
                )}".`;
                throw error;
              }
            }
          } else {
            const error = new Error('config-validation');
            error.validationError = `Encrypted value in config is missing a scope.`;
            throw error;
          }
        } else {
          const error = new Error('config-validation');
          error.validationError = `Encrypted value in config is missing a value.`;
          throw error;
        }
      } catch (err) {
        logger.warn({ err }, 'Could not parse decrypted string');
      }
    }
  } else {
    decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);
    if (!is.string(decryptedStr)) {
      decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);
    }
  }
  return decryptedStr;
}

export async function decryptConfig(
  config: RenovateConfig,
  repository: string
): Promise<RenovateConfig> {
  logger.trace({ config }, 'decryptConfig()');
  const decryptedConfig = { ...config };
  const privateKey = GlobalConfig.get('privateKey');
  const privateKeyOld = GlobalConfig.get('privateKeyOld');
  for (const [key, val] of Object.entries(config)) {
    if (key === 'encrypted' && is.object(val)) {
      logger.debug({ config: val }, 'Found encrypted config');
      if (privateKey) {
        for (const [eKey, eVal] of Object.entries(val)) {
          logger.debug('Trying to decrypt ' + eKey);
          let decryptedStr = await tryDecrypt(privateKey, eVal, repository);
          if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {
            logger.debug(`Trying to decrypt with old private key`);
            decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);
          }
          if (!is.nonEmptyString(decryptedStr)) {
            const error = new Error('config-validation');
            error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
            throw error;
          }
          logger.debug(`Decrypted ${eKey}`);
          if (eKey === 'npmToken') {
            const token = decryptedStr.replace(regEx(/\n$/), '');
            addSecretForSanitizing(token);
            logger.debug(
              { decryptedToken: maskToken(token) },
              'Migrating npmToken to npmrc'
            );
            if (is.string(decryptedConfig.npmrc)) {
              /* eslint-disable no-template-curly-in-string */
              if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {
                logger.debug('Replacing ${NPM_TOKEN} with decrypted token');
                decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                  regEx(/\${NPM_TOKEN}/g),
                  token
                );
              } else {
                logger.debug('Appending _authToken= to end of existing npmrc');
                decryptedConfig.npmrc = decryptedConfig.npmrc.replace(
                  regEx(/\n?$/),
                  `\n_authToken=${token}\n`
                );
              }
              /* eslint-enable no-template-curly-in-string */
            } else {
              logger.debug('Adding npmrc to config');
              decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
            }
          } else {
            decryptedConfig[eKey] = decryptedStr;
            addSecretForSanitizing(decryptedStr);
          }
        }
      } else {
        logger.error('Found encrypted data but no privateKey');
      }
      delete decryptedConfig.encrypted;
    } else if (is.array(val)) {
      decryptedConfig[key] = [];
      for (const item of val) {
        if (is.object(item) && !is.array(item)) {
          (decryptedConfig[key] as RenovateConfig[]).push(
            await decryptConfig(item as RenovateConfig, repository)
          );
        } else {
          (decryptedConfig[key] as unknown[]).push(item);
        }
      }
    } else if (is.object(val) && key !== 'content') {
      decryptedConfig[key] = await decryptConfig(
        val as RenovateConfig,
        repository
      );
    }
  }
  delete decryptedConfig.encrypted;
  logger.trace({ config: decryptedConfig }, 'decryptedConfig');
  return decryptedConfig;
}
chore: use `node:` protocol imports (#21181) 2023-03-28 21:05:36 +00:00			`import crypto from 'node:crypto';`
chore: import linting (#6105) 2020-05-01 16:03:48 +00:00			`import is from '@sindresorhus/is';`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`import * as openpgp from 'openpgp';`
feat(config): convert to ts (#4299) 2019-08-23 13:46:31 +00:00			`import { logger } from '../logger';`
			`import { maskToken } from '../util/mask';`
fix: modified regex to use RE2 (#12025) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2021-10-19 12:53:34 +00:00			`import { regEx } from '../util/regex';`
chore: rename sanitize functions for better searchability (#13826) 2022-01-26 09:57:21 +00:00			`import { addSecretForSanitizing } from '../util/sanitize';`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`import { ensureTrailingSlash } from '../util/url';`
refactor: global config (#12743) Co-authored-by: Michael Kriese <michael.kriese@visualon.de> 2021-11-23 20:10:45 +00:00			`import { GlobalConfig } from './global';`
refactor: safely parse decrypted config (#20879) 2023-03-12 05:52:19 +00:00			`import { DecryptedObject } from './schema';`
refactor: optimize type usage (#8947) 2021-03-02 20:44:55 +00:00			`import type { RenovateConfig } from './types';`
refactor: add js type check (#4098) 2019-07-17 08:14:56 +00:00
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function tryDecryptPgp(`
			`privateKey: string,`
			`encryptedStr: string`
			`): Promise<string \| null> {`
			`if (encryptedStr.length < 500) {`
			`// optimization during transition of public key -> pgp`
			`return null;`
			`}`
			`try {`
			`const pk = await openpgp.readPrivateKey({`
			`// prettier-ignore`
fix: modified regex to use RE2 (#12025) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2021-10-19 12:53:34 +00:00			`armoredKey: privateKey.replace(regEx(/\n[ \t]+/g), '\n'), // little massage to help a common problem`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`});`
			`const startBlock = '-----BEGIN PGP MESSAGE-----\n\n';`
			`const endBlock = '\n-----END PGP MESSAGE-----';`
			`let armoredMessage = encryptedStr.trim();`
			`if (!armoredMessage.startsWith(startBlock)) {`
			armoredMessage = `${startBlock}${armoredMessage}`;
			`}`
			`if (!armoredMessage.endsWith(endBlock)) {`
			armoredMessage = `${armoredMessage}${endBlock}`;
			`}`
			`const message = await openpgp.readMessage({`
			`armoredMessage,`
			`});`
			`const { data } = await openpgp.decrypt({`
			`message,`
			`decryptionKeys: pk,`
			`});`
			`logger.debug('Decrypted config using openpgp');`
			`return data;`
			`} catch (err) {`
			`logger.debug({ err }, 'Could not decrypt using openpgp');`
			`return null;`
			`}`
			`}`

feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`export function tryDecryptPublicKeyDefault(`
			`privateKey: string,`
			`encryptedStr: string`
			`): string \| null {`
refactor: add strict null checks (#14169) 2022-02-11 10:02:30 +00:00			`let decryptedStr: string \| null = null;`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`try {`
			`decryptedStr = crypto`
			`.privateDecrypt(privateKey, Buffer.from(encryptedStr, 'base64'))`
			`.toString();`
			`logger.debug('Decrypted config using default padding');`
			`} catch (err) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`logger.debug('Could not decrypt using default padding');`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

			`export function tryDecryptPublicKeyPKCS1(`
			`privateKey: string,`
			`encryptedStr: string`
			`): string \| null {`
refactor: add strict null checks (#14169) 2022-02-11 10:02:30 +00:00			`let decryptedStr: string \| null = null;`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`try {`
			`decryptedStr = crypto`
			`.privateDecrypt(`
			`{`
			`key: privateKey,`
			`padding: crypto.constants.RSA_PKCS1_PADDING,`
			`},`
			`Buffer.from(encryptedStr, 'base64')`
			`)`
			`.toString();`
			`} catch (err) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`logger.debug('Could not decrypt using PKCS1 padding');`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function tryDecrypt(`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`privateKey: string,`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`encryptedStr: string,`
			`repository: string`
			`): Promise<string \| null> {`
refactor: add strict null checks (#14169) 2022-02-11 10:02:30 +00:00			`let decryptedStr: string \| null = null;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`if (privateKey?.startsWith('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {`
			`const decryptedObjStr = await tryDecryptPgp(privateKey, encryptedStr);`
			`if (decryptedObjStr) {`
			`try {`
refactor(schema): Use `Json` helper schema instead of `JSON.parse` (#23997) 2023-08-21 15:29:41 +00:00			`const decryptedObj = DecryptedObject.safeParse(decryptedObjStr);`
refactor: safely parse decrypted config (#20879) 2023-03-12 05:52:19 +00:00			`// istanbul ignore if`
			`if (!decryptedObj.success) {`
			`const error = new Error('config-validation');`
			error.validationError = `Could not parse decrypted config.`;
			`throw error;`
			`}`

			`const { o: org, r: repo, v: value } = decryptedObj.data;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`if (is.nonEmptyString(value)) {`
			`if (is.nonEmptyString(org)) {`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`const orgPrefixes = org`
			`.split(',')`
			`.map((o) => o.trim())`
			`.map((o) => o.toUpperCase())`
			`.map((o) => ensureTrailingSlash(o));`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`if (is.nonEmptyString(repo)) {`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`const scopedRepos = orgPrefixes.map((orgPrefix) =>`
			`${orgPrefix}${repo}`.toUpperCase()
			`);`
			`if (scopedRepos.some((r) => r === repository.toUpperCase())) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedStr = value;`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`logger.debug(`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`{ scopedRepos },`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`'Secret is scoped to a different repository'`
			`);`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			error.validationError = `Encrypted secret is scoped to a different repository: "${scopedRepos.join(
			`','`
			)}".`;
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} else {`
fix(config): compare scopes lowercase (#12740) 2021-11-18 17:32:44 +00:00			`if (`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`orgPrefixes.some((orgPrefix) =>`
			`repository.toUpperCase().startsWith(orgPrefix)`
			`)`
fix(config): compare scopes lowercase (#12740) 2021-11-18 17:32:44 +00:00			`) {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedStr = value;`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`logger.debug(`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			`{ orgPrefixes },`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`'Secret is scoped to a different org'`
			`);`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
feat(config): multi-org secrets decrypt (#21147) 2023-03-25 09:14:33 +00:00			error.validationError = `Encrypted secret is scoped to a different org: "${orgPrefixes.join(
			`','`
			)}".`;
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`}`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted value in config is missing a scope.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} else {`
fix(config): better decrypt errors (#11777) 2021-09-16 13:05:11 +00:00			`const error = new Error('config-validation');`
			error.validationError = `Encrypted value in config is missing a value.`;
			`throw error;`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
			`} catch (err) {`
			`logger.warn({ err }, 'Could not parse decrypted string');`
			`}`
			`}`
			`} else {`
			`decryptedStr = tryDecryptPublicKeyDefault(privateKey, encryptedStr);`
			`if (!is.string(decryptedStr)) {`
			`decryptedStr = tryDecryptPublicKeyPKCS1(privateKey, encryptedStr);`
			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`return decryptedStr;`
			`}`

feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`export async function decryptConfig(`
			`config: RenovateConfig,`
			`repository: string`
			`): Promise<RenovateConfig> {`
chore: reduce logger.debug volume 2018-03-27 19:57:02 +00:00			`logger.trace({ config }, 'decryptConfig()');`
refactor: perform decrypt as part of merge renovate.json (#1086) Also clarify docs that encrypted config must be contained in renovate.json (i.e. not package.json). 2017-11-03 06:51:44 +00:00			`const decryptedConfig = { ...config };`
refactor: Default values for `GlobalConfig.get` (#22967) 2023-06-25 19:34:42 +00:00			`const privateKey = GlobalConfig.get('privateKey');`
			`const privateKeyOld = GlobalConfig.get('privateKeyOld');`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [key, val] of Object.entries(config)) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (key === 'encrypted' && is.object(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`logger.debug({ config: val }, 'Found encrypted config');`
			`if (privateKey) {`
refactor: use Object.entries when looping over key/val (#1141) Closes #1079 2017-11-10 12:46:16 +00:00			`for (const [eKey, eVal] of Object.entries(val)) {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Trying to decrypt ' + eKey);`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`let decryptedStr = await tryDecrypt(privateKey, eVal, repository);`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`if (privateKeyOld && !is.nonEmptyString(decryptedStr)) {`
			logger.debug(`Trying to decrypt with old private key`);
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedStr = await tryDecrypt(privateKeyOld, eVal, repository);`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`}`
			`if (!is.nonEmptyString(decryptedStr)) {`
			`const error = new Error('config-validation');`
			error.validationError = `Failed to decrypt field ${eKey}. Please re-encrypt and try again.`;
			`throw error;`
			`}`
			logger.debug(`Decrypted ${eKey}`);
			`if (eKey === 'npmToken') {`
refactor: refactor static regex out of for loops (#13065) 2021-12-29 06:26:13 +00:00			`const token = decryptedStr.replace(regEx(/\n$/), '');`
chore: rename sanitize functions for better searchability (#13826) 2022-01-26 09:57:21 +00:00			`addSecretForSanitizing(token);`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug(`
			`{ decryptedToken: maskToken(token) },`
			`'Migrating npmToken to npmrc'`
			`);`
			`if (is.string(decryptedConfig.npmrc)) {`
chore: re-enable eslint no-template-curly-in-string 2021-11-09 06:50:25 +00:00			`/* eslint-disable no-template-curly-in-string */`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`if (decryptedConfig.npmrc.includes('${NPM_TOKEN}')) {`
			`logger.debug('Replacing ${NPM_TOKEN} with decrypted token');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
fix: modified regex to use RE2 (#12025) Co-authored-by: Rhys Arkins <rhys@arkins.net> 2021-10-19 12:53:34 +00:00			`regEx(/\${NPM_TOKEN}/g),`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`token`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`} else {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Appending _authToken= to end of existing npmrc');`
			`decryptedConfig.npmrc = decryptedConfig.npmrc.replace(`
refactor: refactor static regex out of for loops (#13065) 2021-12-29 06:26:13 +00:00			`regEx(/\n?$/),`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`\n_authToken=${token}\n`
			`);`
feat: npm token substitution in npmrc If an encrypted npmToken is found alongside an unencrypted npmrc in config, then the token will replace any `${NPM_TOKEN}` placeholder found, or be appended to the end of the file. This enables large npmrc files to be defined in config without needing to enrypt the entire thing. Closes #1796 2018-07-05 13:44:42 +00:00			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`/* eslint-enable no-template-curly-in-string */`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`} else {`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`logger.debug('Adding npmrc to config');`
			decryptedConfig.npmrc = `//registry.npmjs.org/:_authToken=${token}\n`;
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`}`
feat(config): privateKeyOld (#11653) 2021-09-10 10:47:33 +00:00			`} else {`
			`decryptedConfig[eKey] = decryptedStr;`
chore: rename sanitize functions for better searchability (#13826) 2022-01-26 09:57:21 +00:00			`addSecretForSanitizing(decryptedStr);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`} else {`
			`logger.error('Found encrypted data but no privateKey');`
			`}`
			`delete decryptedConfig.encrypted;`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.array(val)) {`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`decryptedConfig[key] = [];`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`for (const item of val) {`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`if (is.object(item) && !is.array(item)) {`
chore(types): fix more typescript types (#5615) 2020-03-02 11:06:16 +00:00			`(decryptedConfig[key] as RenovateConfig[]).push(`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`await decryptConfig(item as RenovateConfig, repository)`
chore(types): fix more typescript types (#5615) 2020-03-02 11:06:16 +00:00			`);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`} else {`
build(deps): update dependency @sindresorhus/is to v3.1.0 (#6867) Co-authored-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Michael Kriese <michael.kriese@visualon.de> 2020-07-30 04:54:20 +00:00			`(decryptedConfig[key] as unknown[]).push(item);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`}`
(refactor): delegate generic predicate checking to @sindresorhus/is (#2021) Closes #1764 2018-06-04 18:07:22 +00:00			`} else if (is.object(val) && key !== 'content') {`
feat(config): scoped secrets using pgp/gpg (#11673) 2021-09-16 10:11:13 +00:00			`decryptedConfig[key] = await decryptConfig(`
			`val as RenovateConfig,`
			`repository`
			`);`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`}`
			`}`
			`delete decryptedConfig.encrypted;`
fix: don’t massage encrypted npm token (#760) 2017-09-01 05:43:49 +00:00			`logger.trace({ config: decryptedConfig }, 'decryptedConfig');`
feat: encrypted configuration strings (#759) A new config object `encrypted` can be defined at any level and contain encrypted configuration strings. Initial use is for encrypting an npm token for use with the hosted renovate app. Closes #650 2017-09-01 04:45:51 +00:00			`return decryptedConfig;`
			`}`