diff --git a/.Dockerfiles/alpine/latest/Dockerfile b/.Dockerfiles/alpine/latest/Dockerfile
index ea722507..500d8b9b 100644
--- a/.Dockerfiles/alpine/latest/Dockerfile
+++ b/.Dockerfiles/alpine/latest/Dockerfile
@@ -1,38 +1,29 @@
 FROM alpine:latest
-# - build tools are for: fig2dev which is needed by gnupg builds
-# - openssh is for scp
-# - tini is for PID 1
-# - changing alpine from 3.6 to 3.7 is for ansible 2.4,
-# but need to install ansible 2.3 for dependencies first
-# - shellcheck is not in the apk repository (xz/tar needed for shellcheck)
-# - bundler/rspec is not found on kitchen verify (symlink needed)
-
 RUN apk add --no-cache --update \
- curl net-tools \
- openssh-server openssh \
- sudo bash tini \
- ansible git rsync xz \
- gcc autoconf automake g++ libffi-dev tar libxpm-dev make \
- autoconf automake imagemagick-dev texinfo gettext-dev libgcrypt-dev \
- libgpg-error-dev libassuan-dev libksba-dev npth-dev libxfont-dev \
- libwmf-dev libx11-dev libxt-dev libxext-dev libxml2-dev libexif-dev perl \
- ruby-dev ruby-bundler \
- && ln -s /usr/bin/bundle /usr/local/bin/bundle \
- && ln -s /usr/bin/rspec /usr/local/bin/rspec \
- && sed -i -e 's/v3\.6/v3.7/g' /etc/apk/repositories \
- && apk add --update-cache --upgrade ansible \
- && sed -i -e 's/v3\.7/v3.6/g' /etc/apk/repositories \
- && apk add --update-cache \
- && curl --silent -L -o shellcheck.tar.xz https://storage.googleapis.com/shellcheck/shellcheck-latest.linux.x86_64.tar.xz \
- && tar -vxf shellcheck.tar.xz \
- && mv shellcheck-latest/shellcheck /usr/local/bin/ \
- && sudo mkdir -p /usr/local/src/ \
- && git clone https://github.com/Distrotech/transfig.git && cd transfig \
- && make && make install \
- && cp -R /usr/X11R7/bin/fig2dev /usr/local/bin \
+ bash \
+ build-base \
+ coreutils \
+ curl \
+ findutils \
+ gcc \
+ libffi-dev \
+ musl-dev \
+ net-tools \
+ openrc \
+ openssh \
+ openssh-server \
+ openssh-sftp-server \
+ openssl-dev \
+ py-boto \
+ py2-pip \
+ python2-dev \
+ rsyslog \
+ sudo \
+ xz \
+ && pip install --upgrade pip \
 && if ! 
getent passwd <%= @username %>; then \
- adduser -h /home/<%= @username %> -s /bin/bash <%= @username %>; \
+ adduser -h /home/<%= @username %> -s /bin/bash -D <%= @username %>; \
 passwd -d <%= @username %>; \
 fi \
 && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
@@ -44,10 +35,10 @@ RUN apk add --no-cache --update \
 && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
 && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
 && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
+ && sed -ri 's/^#?PasswordAuthentication\s+.*/PasswordAuthentication no/' /etc/ssh/sshd_config \
+ && sed -ri 's/^#?ChallengeResponseAuthentication\s+.*/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config \
 && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
 && echo "UseDNS=no" >> /etc/ssh/sshd_config \
- && ssh-keygen -A
+ && rc-update add sshd
 EXPOSE 22
-
-VOLUME [ "/sys/fs/cgroup" ]
diff --git a/.Dockerfiles/centos/latest/Dockerfile b/.Dockerfiles/centos/latest/Dockerfile
new file mode 100644
index 00000000..918d72d0
--- /dev/null
+++ b/.Dockerfiles/centos/latest/Dockerfile
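Review bot: The added `adduser ... -D` line creates the account without a password (BusyBox should leave the shadow field locked), but the unchanged `passwd -d <%= @username %>;` on the next line then deletes the password outright, so the image ends up with an account that has an empty password and passwordless sudo. Login is meant to go through the authorized key, and the second hunk of this file now sets `PasswordAuthentication no`, so the `passwd -d` line can simply be dropped and the account stays locked, which also matches the CentOS Dockerfile added in this commit (`useradd ... -p '*'`). `pip install --upgrade pip` is unpinned, so the image is not reproducible between builds; `pip install 'pip==<PINNED_VERSION>'` would fix that. The RUN instruction continues into the next hunk.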
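Review bot: Dropping `ssh-keygen -A` leaves the image without host keys, and the replacement `rc-update add sshd` only enables the service, so sshd now relies on the OpenRC sshd script generating keys at first boot; if that is not guaranteed, keep `&& ssh-keygen -A \` before the `rc-update` line. The two added `sed -ri` lines for `PasswordAuthentication` and `ChallengeResponseAuthentication` only take effect when the stock `sshd_config` already carries those directives (commented or not) for the regex to match; an `echo ... >> /etc/ssh/sshd_config` fallback, like the existing `UseDNS=no` line, would make the hardening unconditional. The enclosing RUN instruction starts in the previous hunk.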
@@ -0,0 +1,71 @@
+FROM centos:latest
+
+ENV container="docker"
+
+RUN yum clean all \
+ && yum makecache \
+ && yum install -y epel-release \
+ && yum makecache \
+ && yum install -y \
+ curl \
+ findutils \
+ gcc \
+ glibc-langpack-en.x86_64 \
+ libffi-devel \
+ net-tools \
+ openssh-server \
+ openssl-devel \
+ python2-devel \
+ python2-pip \
+ redhat-lsb \
+ redhat-rpm-config \
+ sudo \
+ systemd \
+ && pip install --upgrade pip \
+ && yum clean all \
+ && if ! getent passwd <%= @username %>; then \
+ useradd -d /home/<%= @username %> -m -s /usr/bin/bash -p '*' <%= @username %>; \
+ fi \
+ && echo "<%= @username %> ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers \
+ && echo "Defaults !requiretty" >> /etc/sudoers \
+ && mkdir -p /home/<%= @username %>/.ssh \
+ && chown -R <%= @username %> /home/<%= @username %>/.ssh \
+ && chmod 0700 /home/<%= @username %>/.ssh \
+ && echo '<%= IO.read(@public_key).strip %>' >> /home/<%= @username %>/.ssh/authorized_keys \
+ && chown <%= @username %> /home/<%= @username %>/.ssh/authorized_keys \
+ && chmod 0600 /home/<%= @username %>/.ssh/authorized_keys \
+ && export LANG="en_US.UTF-8" && echo "LANG=\"en_US.UTF-8\"" > /etc/locale.conf \
+ && cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | /usr/bin/xargs rm -f $1 \
+ && /usr/bin/rm -f /lib/systemd/system/multi-user.target.wants/* \
+ && /usr/bin/rm -f /etc/systemd/system/*.wants/* \
+ && /usr/bin/rm -f /lib/systemd/system/local-fs.target.wants/* \
+ && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*udev* \
+ && /usr/bin/rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
+ && /usr/bin/rm -f /lib/systemd/system/basic.target.wants/* \
+ && /usr/bin/rm -f /lib/systemd/system/anaconda.target.wants/* \
+ && /usr/bin/rm -f /lib/systemd/system/plymouth* \
+ && /usr/bin/rm -f /lib/systemd/system/systemd-update-utmp* \
+ && sed -ri 's/^#?PubkeyAuthentication\s+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config \
+ && sed -ri 
's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
+ && echo "UseDNS=no" >> /etc/ssh/sshd_config \
+ && systemctl set-default multi-user.target \
+ && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \
+ && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
+ && echo $'[Unit]\
+\nDescription=Finish boot up\
+\nAfter=sshd.service\
+\n\
+\n[Service]\
+\nType=oneshot\
+\nRemainAfterExit=yes\
+\nExecStartPre=/bin/sleep 3s\
+\nExecStart=/bin/rm -f /run/nologin\
+\n\
+\n[Install]\
+\nWantedBy=default.target' >> /etc/systemd/system/FinishBootUp.service \
+ && ln -s /etc/systemd/system/FinishBootUp.service /etc/systemd/system/multi-user.target.wants/FinishBootUp.service
+
+
+EXPOSE 22
+
+VOLUME [ "/sys/fs/cgroup" ]
diff --git a/.Dockerfiles/debian/stable/Dockerfile b/.Dockerfiles/debian/latest/Dockerfile
similarity index 96%
rename from .Dockerfiles/debian/stable/Dockerfile
rename to .Dockerfiles/debian/latest/Dockerfile
index 0a6f4d92..ddc55762 100644
--- a/.Dockerfiles/debian/stable/Dockerfile
+++ b/.Dockerfiles/debian/latest/Dockerfile
@@ -45,7 +45,7 @@ RUN apt-get update \
 && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \
 && echo "UseDNS=no" >> /etc/ssh/sshd_config \
 && systemctl set-default multi-user.target \
- && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \
+ && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \
 && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \
 && echo $'[Unit]\
 \nDescription=Finish boot up\
diff --git a/.Dockerfiles/fedora/latest/Dockerfile b/.Dockerfiles/fedora/latest/Dockerfile
index 76df24ae..17851c60 100644
--- a/.Dockerfiles/fedora/latest/Dockerfile
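Review bot: The line `cd /lib/systemd/system/sysinit.target.wants/; ls | grep -v systemd-tmpfiles-setup | /usr/bin/xargs rm -f $1` breaks the instruction's `&&` chain with `;`, so a failed `cd` would let `ls | xargs rm -f` run in whatever directory the build is in, and `$1` is an unset positional parameter that expands to nothing; `cd /lib/systemd/system/sysinit.target.wants/ && ls | grep -v systemd-tmpfiles-setup | xargs rm -f \` keeps the fail-fast behaviour of the rest of the RUN. `FROM centos:latest` and `pip install --upgrade pip` are both unpinned, so this CI platform drifts between builds; a versioned tag such as `centos:7` and a pinned pip version would make it reproducible. `UsePrivilegeSeparation no` turns off sshd's privilege separation, which reads as a hardening regression; if it is needed for sshd to start inside the container, a comment saying so (`# privsep needs the sshd user/chroot dir, which the image lacks` or whatever the real reason is) would keep a later reader from "fixing" it either way. The block of `rm -f` calls on the systemd `*.wants` directories is the usual systemd-in-container trim-down and deserves a one-line comment above it to that effect.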
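Review bot: The `ln -s` now targets `ssh.service`, which is the unit name Debian ships, but the `After=` line of the `FinishBootUp` unit written a few lines below this hunk is outside it; the Fedora hunk in this commit had to correct exactly that `After=` line, so it is worth checking that the Debian file, and the identical ubuntu/latest and ubuntu/rolling hunks, also name `ssh.service` there. The RUN instruction containing this line starts and ends outside the hunk.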
+++ b/.Dockerfiles/fedora/latest/Dockerfile @@ -51,7 +51,7 @@ RUN dnf clean all \ && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \ && echo $'[Unit]\ \nDescription=Finish boot up\ -\nAfter=ssh.service\ +\nAfter=sshd.service\ \n\ \n[Service]\ \nType=oneshot\ diff --git a/.Dockerfiles/ubuntu/latest/Dockerfile b/.Dockerfiles/ubuntu/latest/Dockerfile index c2ce45ed..dd258102 100644 --- a/.Dockerfiles/ubuntu/latest/Dockerfile +++ b/.Dockerfiles/ubuntu/latest/Dockerfile @@ -45,7 +45,7 @@ RUN apt-get update \ && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \ && echo "UseDNS=no" >> /etc/ssh/sshd_config \ && systemctl set-default multi-user.target \ - && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \ + && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \ && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \ && echo $'[Unit]\ \nDescription=Finish boot up\ diff --git a/.Dockerfiles/ubuntu/rolling/Dockerfile b/.Dockerfiles/ubuntu/rolling/Dockerfile index 49e5d9df..ced96fc7 100644 --- a/.Dockerfiles/ubuntu/rolling/Dockerfile +++ b/.Dockerfiles/ubuntu/rolling/Dockerfile @@ -46,7 +46,7 @@ RUN apt-get update \ && sed -ri 's/^#?UsePrivilegeSeparation\s+.*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config \ && echo "UseDNS=no" >> /etc/ssh/sshd_config \ && systemctl set-default multi-user.target \ - && ln -s /lib/systemd/system/sshd.service /etc/systemd/system/multi-user.target.wants/sshd.service \ + && ln -s /lib/systemd/system/ssh.service /etc/systemd/system/multi-user.target.wants/ssh.service \ && ln -s /lib/systemd/system/systemd-journald.service /etc/systemd/system/multi-user.target.wants/systemd-journald.service \ && echo $'[Unit]\ \nDescription=Finish boot up\ 
diff --git a/.ci-tests/integration/vars/Alpine.yml b/.ci-tests/integration/vars/Alpine.yml
deleted file mode 100644
index efc0715e..00000000
--- a/.ci-tests/integration/vars/Alpine.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-test_dependencies:
- - gawk
- - man
-
-build_tools:
- - make
diff --git a/.ci/ansible-setup.sh b/.ci/ansible-setup.sh
new file mode 100755
index 00000000..a06ebf97
--- /dev/null
+++ b/.ci/ansible-setup.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+## Script is sepcifically for use on travis-ci
+
+set -e
+
+## This is an example setup script that you would encapsulate the installation
+# What version of avm setup to use
+echo "Setting up Ansible Version Manager"
+AVM_VERSION="v1.0.0"
+## Install Ansible 2.3.1 using pip and label it 'v2.3'
+export ANSIBLE_VERSIONS_0="2.3.1.0"
+export INSTALL_TYPE_0="pip"
+export ANSIBLE_LABEL_0="v2.3"
+## Install Ansible 2.4.1 using pip and label it 'v2.4'
+export ANSIBLE_VERSIONS_1="2.4.1.0"
+export INSTALL_TYPE_1="pip"
+export ANSIBLE_LABEL_1="v2.4"
+# Whats the default version
+export ANSIBLE_DEFAULT_VERSION="v2.4"
+
+## Create a temp dir to download avm
+avm_dir="$(mktemp -d 2> /dev/null || mktemp -d -t 'mytmpdir')"
+git clone https://github.com/ahelal/avm.git "${avm_dir}" > /dev/null 2>&1
+
+## Run the setup
+/bin/sh ${avm_dir}/setup.sh
+
+exit 0
diff --git a/.ci/before_deploy.sh b/.ci/before_deploy.sh
index 960ec326..d7a97e6b 100644
--- a/.ci/before_deploy.sh
+++ b/.ci/before_deploy.sh
@@ -7,9 +7,8 @@ if [[ "$GITSECRET_DIST" == "rpm" ]]; then
 sudo apt-get install -y rpm;
 fi
-
-if [[ ! -z "$DOCKER_DIST" ]]; then
+if [[ ! -z "$GITSECRET_DIST" ]] && [[ -z "$KITCHEN_REGEXP" ]]; then
 # When making a non-container build, this step will generate
 # proper manifest files:
- make "deploy-${GITSECRET_DIST}";
+ make "deploy-$GITSECRET_DIST";
 fi
diff --git a/.ci/before_script.sh b/.ci/before_script.sh
index a3712c76..bdfefd31 100644
--- a/.ci/before_script.sh
+++ b/.ci/before_script.sh
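Review bot: `AVM_VERSION="v1.0.0"` is assigned but never used, so `git clone https://github.com/ahelal/avm.git "${avm_dir}"` fetches whatever the default branch currently holds and `/bin/sh ${avm_dir}/setup.sh` then runs that unpinned code on the CI host; passing the version to the clone, `git clone --depth 1 --branch "${AVM_VERSION}" https://github.com/ahelal/avm.git "${avm_dir}" > /dev/null 2>&1`, makes the setup reproducible and lets a reviewer see what is being executed. `${avm_dir}` should also be quoted in the setup call, `/bin/sh "${avm_dir}/setup.sh"`, as it already is on the clone line. The header comment `## Script is sepcifically for use on travis-ci` has a typo ("specifically").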
@@ -2,22 +2,33 @@
 set -e
-# Docker:
-if [[ ! -z "$DOCKER_DIST" ]]; then
- TEMPLATE="sobolevn/git-secret-docker-$DOCKER_DIST"
- DOCKERFILE_PATH=".docker/${GITSECRET_DIST}/${DOCKER_DIST}"
+# Linux helper functions:
+function update_linux() {
+ sudo apt-get update -qq
+ sudo apt-get install -qq python-apt python-pycurl git python-pip ruby ruby-dev build-essential autoconf rpm
+ gem install bundler
+}
+
+function install_ansible {
+ bash .ci/ansible-setup.sh
+ bundle install
+ ~/.avm/v2.3/venv/bin/pip install netaddr ansible-lint
+ ~/.avm/v2.4/venv/bin/pip install netaddr ansible-lint
+}
- # Building the local image:
- docker build -t "$TEMPLATE" "$DOCKERFILE_PATH"
-fi
 # Mac:
 if [[ "$GITSECRET_DIST" == "brew" ]]; then
- brew install "$GITSECRET_GPG_DEP"
+ gnupg_installed="$(brew list | grep -c "gnupg")"
+ [[ "$gnupg_installed" -ge 1 ]] || brew install gnupg
+ if [[ -f "/usr/local/bin/gpg1" ]]; then
+ ln -s /usr/local/bin/gpg1 /usr/local/bin/gpg
+ fi
+ brew install gawk
 fi
-# Local linux (standart build):
-if [[ "$GITSECRET_DIST" == "none" ]] && [[ "$GITSECRET_GPG_DEP" == "gnupg2" ]]; then
- # Installing custom GPG version:
- sudo apt-get install -y gnupg2
+# Linux:
+if [[ "$TRAVIS_OS_NAME" == "linux" ]] && [[ -n "$KITCHEN_REGEXP" ]]; then
+ update_linux
+ install_ansible
 fi
diff --git a/.ci-tests/integration/gnupg-git/default.yml b/.ci/integration/gnupg-git/default.yml
similarity index 100%
rename from .ci-tests/integration/gnupg-git/default.yml
rename to .ci/integration/gnupg-git/default.yml
diff --git a/.ci-tests/integration/gnupg-git/serverspec/default_spec.rb b/.ci/integration/gnupg-git/serverspec/default_spec.rb
similarity index 100%
rename from .ci-tests/integration/gnupg-git/serverspec/default_spec.rb
rename to .ci/integration/gnupg-git/serverspec/default_spec.rb
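Review bot: With `set -e` in effect, the added `gnupg_installed="$(brew list | grep -c "gnupg")"` aborts the script in exactly the case it is meant to handle, because `grep -c` exits 1 when it counts zero matches and the assignment inherits the pipeline's status; `gnupg_installed="$(brew list | grep -c "gnupg" || true)"` keeps the count and lets the following `brew install gnupg` run. Two lines later `ln -s /usr/local/bin/gpg1 /usr/local/bin/gpg` also fails under `set -e` if `/usr/local/bin/gpg` already exists, so `ln -sf` or a `[[ -e /usr/local/bin/gpg ]] ||` guard is needed there. The two new helpers mix `function update_linux() {` and `function install_ansible {`; picking one form keeps the file consistent. Everything `update_linux` installs, including `gem install bundler`, is unpinned, which is probably acceptable for a throwaway CI host but means the toolchain can change under the project without a commit.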
diff --git a/.ci-tests/integration/gnupg-git/serverspec/spec_helper.rb b/.ci/integration/gnupg-git/serverspec/spec_helper.rb similarity index 100% rename from .ci-tests/integration/gnupg-git/serverspec/spec_helper.rb rename to .ci/integration/gnupg-git/serverspec/spec_helper.rb diff --git a/.ci-tests/integration/gnupg1/default.yml b/.ci/integration/gnupg1/default.yml similarity index 93% rename from .ci-tests/integration/gnupg1/default.yml rename to .ci/integration/gnupg1/default.yml index ba5865f7..ac446dea 100644 --- a/.ci-tests/integration/gnupg1/default.yml +++ b/.ci/integration/gnupg1/default.yml @@ -18,6 +18,8 @@ distribution: Fedora - name: gnupg1 distribution: Debian + - name: gnupg1 + distribution: Alpine - name: Check for gpg1 binary stat: diff --git a/.ci-tests/integration/gnupg2/serverspec/default_spec.rb b/.ci/integration/gnupg1/serverspec/default_spec.rb similarity index 84% rename from .ci-tests/integration/gnupg2/serverspec/default_spec.rb rename to .ci/integration/gnupg1/serverspec/default_spec.rb index a5fc757f..1106a6f0 100644 --- a/.ci-tests/integration/gnupg2/serverspec/default_spec.rb +++ b/.ci/integration/gnupg1/serverspec/default_spec.rb @@ -6,7 +6,7 @@ it { should be_installed } end - if host_inventory['platform'] == 'fedora' + if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat' describe command('find /tmp/git-secret/build -name "*.rpm"') do its(:stdout) { should match /git-secret.*rpm/ } end @@ -16,7 +16,7 @@ end else describe command('find /tmp/git-secret/build -name "*.deb"') do - its(:stdout) { should match /git-secret.*deb/ } + its(:stdout) { should match(/git-secret.*deb/) } end end @@ -28,7 +28,7 @@ it { should exist } end - if host_inventory['platform'] == 'fedora' + if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat' describe command('rpm --query --info git-secret') do its(:exit_status) { should eq 0 } end 
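Review bot: The platform test `host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat'` is now written out on both changed lines of this spec and again on the matching lines of the gnupg2 spec's hunks; a single predicate near the top of the `describe` block, `rpm_platform = %w[fedora redhat].include?(host_inventory['platform'])`, used as `if rpm_platform`, would keep the list of RPM-based platforms in one place for the next distribution that is added. The rest of the `describe` block lies outside these hunks.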
diff --git a/.ci-tests/integration/gnupg1/serverspec/spec_helper.rb b/.ci/integration/gnupg1/serverspec/spec_helper.rb similarity index 100% rename from .ci-tests/integration/gnupg1/serverspec/spec_helper.rb rename to .ci/integration/gnupg1/serverspec/spec_helper.rb diff --git a/.ci-tests/integration/gnupg2/default.yml b/.ci/integration/gnupg2/default.yml similarity index 94% rename from .ci-tests/integration/gnupg2/default.yml rename to .ci/integration/gnupg2/default.yml index d70052ae..532ce93e 100644 --- a/.ci-tests/integration/gnupg2/default.yml +++ b/.ci/integration/gnupg2/default.yml @@ -20,6 +20,8 @@ distribution: Ubuntu - name: gnupg distribution: Debian + - name: gnupg + distribution: Alpine - name: Check for gpg2 binary stat: diff --git a/.ci-tests/integration/gnupg1/serverspec/default_spec.rb b/.ci/integration/gnupg2/serverspec/default_spec.rb similarity index 78% rename from .ci-tests/integration/gnupg1/serverspec/default_spec.rb rename to .ci/integration/gnupg2/serverspec/default_spec.rb index a5fc757f..5810d3b4 100644 --- a/.ci-tests/integration/gnupg1/serverspec/default_spec.rb +++ b/.ci/integration/gnupg2/serverspec/default_spec.rb @@ -3,12 +3,12 @@ describe 'git-secret::test' do describe package('git-secret') do - it { should be_installed } + it { should be_installed } end - if host_inventory['platform'] == 'fedora' + if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat' describe command('find /tmp/git-secret/build -name "*.rpm"') do - its(:stdout) { should match /git-secret.*rpm/ } + its(:stdout) { should match(/git-secret.*rpm/) } end elsif host_inventory['platform'] == 'alpine' describe command('find /tmp/git-secret/build -name "*.apk"') do @@ -16,7 +16,7 @@ end else describe command('find /tmp/git-secret/build -name "*.deb"') do - its(:stdout) { should match /git-secret.*deb/ } + its(:stdout) { should match(/git-secret.*deb/) } end end 
@@ -28,7 +28,7 @@ it { should exist } end - if host_inventory['platform'] == 'fedora' + if host_inventory['platform'] == 'fedora' || host_inventory['platform'] == 'redhat' describe command('rpm --query --info git-secret') do its(:exit_status) { should eq 0 } end diff --git a/.ci-tests/integration/gnupg2/serverspec/spec_helper.rb b/.ci/integration/gnupg2/serverspec/spec_helper.rb similarity index 100% rename from .ci-tests/integration/gnupg2/serverspec/spec_helper.rb rename to .ci/integration/gnupg2/serverspec/spec_helper.rb diff --git a/.ci-tests/integration/tasks/dependencies.yml b/.ci/integration/tasks/dependencies.yml similarity index 66% rename from .ci-tests/integration/tasks/dependencies.yml rename to .ci/integration/tasks/dependencies.yml index ce2f65d1..1f090e94 100644 --- a/.ci-tests/integration/tasks/dependencies.yml +++ b/.ci/integration/tasks/dependencies.yml @@ -23,6 +23,17 @@ dest: /usr/bin/bats state: link +- name: Get ShellCheck + get_url: + url: https://storage.googleapis.com/shellcheck/shellcheck-latest.linux.x86_64.tar.xz + dest: /tmp/shellcheck.tar.xz + +- name: Install ShellCheck + command: tar xvf /tmp/shellcheck.tar.xz -C /usr/bin --strip-components=1 + args: + warn: no + creates: /usr/bin/shellcheck + - name: Install fpm gem: name: fpm diff --git a/.ci-tests/integration/tasks/prep-tests.yml b/.ci/integration/tasks/prep-tests.yml similarity index 100% rename from .ci-tests/integration/tasks/prep-tests.yml rename to .ci/integration/tasks/prep-tests.yml diff --git a/.ci-tests/integration/tasks/run-tests.yml b/.ci/integration/tasks/run-tests.yml similarity index 97% rename from .ci-tests/integration/tasks/run-tests.yml rename to .ci/integration/tasks/run-tests.yml index de7d6928..7f82806d 100644 --- a/.ci-tests/integration/tasks/run-tests.yml +++ b/.ci/integration/tasks/run-tests.yml 
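Review bot: The new `get_url` task fetches `shellcheck-latest.linux.x86_64.tar.xz` with no `checksum:`, and the next task extracts it as root straight into `/usr/bin` with `--strip-components=1`, so whatever the remote serves becomes an executable on every test host, and `latest` means lint results can change under the project without any commit. Pinning the version in the `url:` and adding `checksum: sha256:<EXPECTED_SHA256>` to `get_url` (taken from the release's published checksum) gives both verification and reproducibility; the `creates: /usr/bin/shellcheck` guard already makes the install idempotent. Extracting with `--strip-components=1` also drops any non-binary files in the archive into `/usr/bin`; naming the `shellcheck` member explicitly, or unpacking to `/tmp` and copying just the binary, avoids that.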
@@ -53,6 +53,8 @@ - name: Set git-secret {{ os_pkg_type }} location set_fact: pkg_path: "{{ pkg_location.files | map(attribute='path') | first }}" + when: + - pkg_location is defined - name: Install git-secret {{ os_pkg_type }} package command: bash -lc "{{ item.command }} {{ pkg_path }}" diff --git a/.ci/integration/vars/Alpine.yml b/.ci/integration/vars/Alpine.yml new file mode 100644 index 00000000..e9ed9608 --- /dev/null +++ b/.ci/integration/vars/Alpine.yml @@ -0,0 +1,15 @@ +--- +test_dependencies: + - gawk + - git + - make + - man + - procps + - rsync + - ruby + - ruby-dev + - tar + +build_tools: + - make + - tar diff --git a/.ci/integration/vars/CentOS.yml b/.ci/integration/vars/CentOS.yml new file mode 100644 index 00000000..cb19e648 --- /dev/null +++ b/.ci/integration/vars/CentOS.yml @@ -0,0 +1,19 @@ +--- +test_dependencies: + - gawk + - git + - make + - man + - redhat-rpm-config + - rpm-build + - rsync + - ruby-devel + - rubygems + - rubygems-devel + +build_tools: + - ImageMagick + - autoconf + - automake + - texinfo + - transfig diff --git a/.ci-tests/integration/vars/Debian.yml b/.ci/integration/vars/Debian.yml similarity index 92% rename from .ci-tests/integration/vars/Debian.yml rename to .ci/integration/vars/Debian.yml index 535c5222..893af6b3 100644 --- a/.ci-tests/integration/vars/Debian.yml +++ b/.ci/integration/vars/Debian.yml @@ -1,12 +1,11 @@ --- test_dependencies: - gawk - - make - git - - shellcheck + - make + - man - ruby-dev - rubygems - - man build_tools: - autoconf diff --git a/.ci-tests/integration/vars/Fedora.yml b/.ci/integration/vars/Fedora.yml similarity index 93% rename from .ci-tests/integration/vars/Fedora.yml rename to .ci/integration/vars/Fedora.yml index 9e85b2c1..cb19e648 100644 --- a/.ci-tests/integration/vars/Fedora.yml +++ b/.ci/integration/vars/Fedora.yml @@ -1,6 +1,5 @@ --- test_dependencies: - - ShellCheck - gawk - git - make 
diff --git a/.ci-tests/integration/vars/Ubuntu.yml b/.ci/integration/vars/Ubuntu.yml similarity index 92% rename from .ci-tests/integration/vars/Ubuntu.yml rename to .ci/integration/vars/Ubuntu.yml index a55e4966..893af6b3 100644 --- a/.ci-tests/integration/vars/Ubuntu.yml +++ b/.ci/integration/vars/Ubuntu.yml @@ -6,7 +6,6 @@ test_dependencies: - man - ruby-dev - rubygems - - shellcheck build_tools: - autoconf diff --git a/.ci-tests/integration/vars/default.yml b/.ci/integration/vars/default.yml similarity index 92% rename from .ci-tests/integration/vars/default.yml rename to .ci/integration/vars/default.yml index 535c5222..e9a48e05 100644 --- a/.ci-tests/integration/vars/default.yml +++ b/.ci/integration/vars/default.yml @@ -3,7 +3,6 @@ test_dependencies: - gawk - make - git - - shellcheck - ruby-dev - rubygems - man diff --git a/.ci/script.sh b/.ci/script.sh index 4dc6473d..26c86e9b 100644 --- a/.ci/script.sh +++ b/.ci/script.sh 
@@ -2,27 +2,24 @@
 set -e
-# Docker-baised builds:
-if [[ ! -z "$DOCKER_DIST" ]]; then
- TEMPLATE="sobolevn/git-secret-docker-$DOCKER_DIST"
- # Passing the `TRAVIS_COMMIT` into the container:
- COMMAND="if [ ! -z ${TRAVIS_COMMIT} ]; then git checkout ${TRAVIS_COMMIT}; fi; make test-${GITSECRET_DIST}-ci"
-
- # This will run the full intergration check inside the `docker` container:
- # see `test-deb-ci` and `test-rpm-ci` in `Makefile`
- docker run "$TEMPLATE" /bin/bash -c "$COMMAND"
- docker ps -a
-fi
+function run_kitchen_tests {
+ ansible --version
+ ruby --version
+ python --version
+ pip --version
+ bundler --version
+ bundle show
+ bundle exec kitchen test --test-base-path="$PWD/.ci/integration" $KITCHEN_REGEXP
+}
 # Local builds:
-if [[ "$GITSECRET_DIST" == "brew" ]] || [[ "$GITSECRET_DIST" == "none" ]]; then
+if [[ "$GITSECRET_DIST" == "brew" ]]; then
 # Only running `make test` on standard (non-docker) build,
 # since it is called inside the docker container anyway.
 make test
 fi
-if [[ ! -z "$(command -v shellcheck)" ]]; then
- # This means, that `shellcheck` does exist, so run it:
- echo 'running lint'
- make lint
+# Linux:
+if [[ "$TRAVIS_OS_NAME" == "linux" ]] && [[ -n "$KITCHEN_REGEXP" ]]; then
+ run_kitchen_tests
 fi
diff --git a/.docker/deb/debian/Dockerfile b/.docker/deb/debian/Dockerfile
deleted file mode 100644
index e3d9916f..00000000
--- a/.docker/deb/debian/Dockerfile
+++ /dev/null
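Review bot: The comment kept under `# Local builds:` — "Only running `make test` on standard (non-docker) build, since it is called inside the docker container anyway." — describes the Docker flow this hunk removes; the branch now covers only the brew job, so `# Only the macOS (brew) job runs make test directly; Linux jobs run the suite via test-kitchen.` would match the code. In `run_kitchen_tests`, `$KITCHEN_REGEXP` is passed to `kitchen test` unquoted while the caller already guards with `-n "$KITCHEN_REGEXP"`; quoting it as `"$KITCHEN_REGEXP"` avoids word splitting if a regexp ever contains a space. `function run_kitchen_tests {` also differs in form from `function update_linux() {` in `.ci/before_script.sh` in this same commit; one style across the `.ci` scripts would be cleaner.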
@@ -1,23 +0,0 @@ -FROM debian:latest - -MAINTAINER Nikita Sobolev (mail@sobolevn.me) - -# Dependencies and project initialization: - -RUN apt-get update && \ - apt-get install -y man make git apt-transport-https && \ - apt-get install -y ruby ruby-dev ruby-build && \ - apt-get autoremove && apt-get autoclean && \ - mkdir /code - -# This will increase the container size, but speed up the build, -# since this part will change, while the dependencies won't: - -WORKDIR /code - -# Removing `origin` for good: - -RUN git clone -q https://github.com/sobolevn/git-secret.git && \ - cd git-secret && git remote rm origin - -WORKDIR /code/git-secret diff --git a/.docker/deb/ubuntu/Dockerfile b/.docker/deb/ubuntu/Dockerfile deleted file mode 100644 index 72b03ef6..00000000 --- a/.docker/deb/ubuntu/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -FROM ubuntu:latest - -MAINTAINER Nikita Sobolev (mail@sobolevn.me) - -# Dependencies and project initialization: - -RUN apt-get update && \ - apt-get install -y man make git apt-transport-https && \ - apt-get install -y ruby ruby-dev ruby-build && \ - apt-get autoremove && apt-get autoclean && \ - mkdir /code - -# This will increase the container size, but speed up the build, -# since this part will change, while the dependencies won't: - -WORKDIR /code - -# Removing `origin` for good: - -RUN git clone -q https://github.com/sobolevn/git-secret.git && \ - cd git-secret && git remote rm origin - -WORKDIR /code/git-secret diff --git a/.docker/make/debian/Dockerfile b/.docker/make/debian/Dockerfile deleted file mode 100644 index 7a7a5c99..00000000 --- a/.docker/make/debian/Dockerfile +++ /dev/null 
@@ -1,22 +0,0 @@ -FROM debian:latest - -MAINTAINER Nikita Sobolev (mail@sobolevn.me) - -# Dependencies and project initialization: - -RUN apt-get update && \ - apt-get install -y man make git apt-transport-https && \ - apt-get autoremove && apt-get autoclean - -# This will increase the container size, but speed up the build, -# since this part will change, while the dependencies won't: - -RUN mkdir /code -WORKDIR /code - -# Removing `origin` for good: - -RUN git clone -q https://github.com/sobolevn/git-secret.git && \ - cd git-secret && git remote rm origin - -WORKDIR /code/git-secret diff --git a/.docker/rpm/centos/Dockerfile b/.docker/rpm/centos/Dockerfile deleted file mode 100644 index 630aff04..00000000 --- a/.docker/rpm/centos/Dockerfile +++ /dev/null @@ -1,26 +0,0 @@ -FROM centos:latest - -MAINTAINER Nikita Sobolev (mail@sobolevn.me) - -ENV HOME /root - -RUN yum update -y && \ - yum install -y epel-release && \ - yum install -y dnf && \ - dnf update -y && \ - rpm -U "http://opensource.wandisco.com/centos/7/git/x86_64/wandisco-git-release-7-2.noarch.rpm" && \ - dnf install -y gnupg man make gcc git tar > /dev/null && \ - dnf install -y which pciutils redhat-rpm-config rpm-build zlib-devel && \ - dnf -y group install 'Development tools' && \ - dnf install -y ruby ruby-devel rubygems && \ - dnf -y autoremove && \ - mkdir /code - -WORKDIR /code - -# Removing `origin` for good: - -RUN git clone -q https://github.com/sobolevn/git-secret.git && \ - cd git-secret && git remote rm origin - -WORKDIR /code/git-secret diff --git a/.docker/rpm/fedora/Dockerfile b/.docker/rpm/fedora/Dockerfile deleted file mode 100644 index 2a528688..00000000 --- a/.docker/rpm/fedora/Dockerfile +++ /dev/null 
@@ -1,22 +0,0 @@ -FROM fedora:latest - -MAINTAINER Nikita Sobolev (mail@sobolevn.me) - -ENV HOME /root - -RUN dnf update -y && \ - dnf install -y gnupg man make gcc git tar > /dev/null && \ - dnf install -y which pciutils redhat-rpm-config rpm-build zlib-devel && \ - dnf -y group install 'Development tools' && \ - dnf install -y ruby ruby-devel rubygems && \ - dnf -y autoremove && \ - mkdir /code - -WORKDIR /code - -# Removing `origin` for good: - -RUN git clone -q https://github.com/sobolevn/git-secret.git && \ - cd git-secret && git remote rm origin - -WORKDIR /code/git-secret diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 3372b92f..a611f229 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -36,3 +36,4 @@ What versions of software are you using? **`gpg` version:** (`gpg --version`) … +**`git` version:** (`git --version`) … diff --git a/.kitchen.yml b/.kitchen.yml index 3b89fdff..892f171f 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -11,27 +11,25 @@ provisioner: ansible_verbose: false require_ansible_repo: false require_ansible_omnibus: true - ansible_version: 2.4 + ansible_version: 2.4.1 require_chef_for_busser: false sudo_command: sudo -E -H idempotency_test: false sudo: true ansible_extra_flags: "-e '{ kitchen_testrun: True }'" additional_copy_path: - - ".ci-tests/integration/vars" - - ".ci-tests/integration/tasks" + - ".ci/integration/vars" + - ".ci/integration/tasks" transport: max_ssh_sessions: 3 platforms: - - name: alpine-latest - provisioner: - require_ansible_omnibus: false + - name: debian-latest driver_config: - run_command: /sbin/tini -v -- /usr/sbin/sshd -D -E /var/log/secure - dockerfile: .Dockerfiles/alpine/latest/Dockerfile - platform: alpine + run_command: /lib/systemd/systemd + dockerfile: .Dockerfiles/debian/latest/Dockerfile + platform: debian cap_add: - SYS_ADMIN volume: 
@@ -39,13 +37,14 @@ platforms: - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container run_options: tmpfs: - - /run + - /run + - /run/lock - - name: debian-stable + - name: fedora-latest driver_config: run_command: /lib/systemd/systemd - dockerfile: .Dockerfiles/debian/stable/Dockerfile - platform: debian + dockerfile: .Dockerfiles/fedora/latest/Dockerfile + platform: fedora cap_add: - SYS_ADMIN volume: @@ -53,13 +52,14 @@ platforms: - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container run_options: tmpfs: - - /run + - /run + - /run/lock - - name: fedora-latest + - name: centos-latest driver_config: run_command: /lib/systemd/systemd - dockerfile: .Dockerfiles/fedora/latest/Dockerfile - platform: fedora + dockerfile: .Dockerfiles/centos/latest/Dockerfile + platform: centos cap_add: - SYS_ADMIN volume: @@ -67,7 +67,8 @@ platforms: - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container run_options: tmpfs: - - /run + - /run + - /run/lock - name: ubuntu-latest driver_config: @@ -81,7 +82,8 @@ platforms: - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container run_options: tmpfs: - - /run + - /run + - /run/lock - name: ubuntu-rolling driver_config: @@ -95,7 +97,21 @@ platforms: - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container run_options: tmpfs: - - /run + - /run + - /run/lock + + - name: alpine-latest + driver_config: + run_command: /sbin/init + dockerfile: .Dockerfiles/alpine/latest/Dockerfile + platform: alpine + volume: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + - <%=ENV['PWD']%>:/opt/workspace # Make the working directory available inside the container + run_options: + tmpfs: + - /run + - /run/lock verifier: name: serverspec 
@@ -107,22 +123,22 @@ suites: - name: gnupg1 verifier: patterns: - - roles/git-secret/.ci-tests/integration/gnupg1/serverspec/*_spec.rb - bundler_path: '/usr/local/bin' - rspec_path: '/usr/local/bin' + - roles/git-secret/.ci/integration/gnupg1/serverspec/*_spec.rb + excludes: + - centos-latest - name: gnupg2 verifier: patterns: - - roles/git-secret/.ci-tests/integration/gnupg2/serverspec/*_spec.rb - bundler_path: '/usr/local/bin' - rspec_path: '/usr/local/bin' + - roles/git-secret/.ci/integration/gnupg2/serverspec/*_spec.rb excludes: - ubuntu-latest - name: gnupg-git verifier: patterns: - - roles/git-secret/.ci-tests/integration/gnupg-git/serverspec/*_spec.rb + - roles/git-secret/.ci/integration/gnupg-git/serverspec/*_spec.rb bundler_path: '/usr/local/bin' rspec_path: '/usr/local/bin' excludes: - ubuntu-latest + - centos-latest + - alpine-latest diff --git a/.travis.yml b/.travis.yml index 791ef5a0..930da8e1 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -2,56 +2,87 @@ matrix: fast_finish: true include: - os: linux - env: GITSECRET_DIST="make"; DOCKER_DIST="debian" + env: KITCHEN_REGEXP="gnupg1-alpine-latest" services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="deb"; DOCKER_DIST="debian"; + env: KITCHEN_REGEXP="gnupg1-debian-latest" services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="deb"; DOCKER_DIST="ubuntu" + env: KITCHEN_REGEXP="gnupg1-fedora-latest" services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="rpm"; DOCKER_DIST="fedora" + env: KITCHEN_REGEXP="gnupg1-ubuntu-latest" services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="make"; DOCKER_DIST="alpine" + env: KITCHEN_REGEXP="gnupg1-ubuntu-rolling" services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg"; SECRETS_GPG_COMMAND="gpg" - sudo: false + env: KITCHEN_REGEXP="gnupg2-alpine-latest" + services: docker + sudo: required + language: ruby + rvm: 2.4 + - os: linux + env: KITCHEN_REGEXP="gnupg2-debian-latest" + services: docker + sudo: required + language: ruby + rvm: 2.4 + - os: linux + env: KITCHEN_REGEXP="gnupg2-fedora-latest" + services: docker + sudo: required + language: ruby + rvm: 2.4 + - os: linux + env: KITCHEN_REGEXP="gnupg2-centos-latest" + services: docker + sudo: required + language: ruby + rvm: 2.4 + - os: linux + env: KITCHEN_REGEXP="gnupg2-ubuntu-rolling" + services: docker + sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="none"; GITSECRET_GPG_DEP="gnupg2"; SECRETS_GPG_COMMAND="gpg2" + env: KITCHEN_REGEXP="gnupg-git-debian-latest" + services: docker + sudo: required + language: ruby + rvm: 2.4 + - os: linux + env: KITCHEN_REGEXP="gnupg-git-fedora-latest" + services: docker sudo: required language: ruby + rvm: 2.4 - os: linux - env: GITSECRET_DIST="shellcheck" + env: 
KITCHEN_REGEXP="gnupg-git-ubuntu-rolling" + services: docker sudo: required language: ruby - addons: - apt: - sources: - - debian-sid - packages: - - shellcheck - - os: osx - env: GITSECRET_DIST="brew"; GITSECRET_GPG_DEP="gpg1" - sudo: false - language: generic - - os: osx - env: GITSECRET_DIST="brew"; GITSECRET_GPG_DEP="gnupg@2.0" - sudo: false - language: generic + rvm: 2.4 +# - os: osx +# env: GITSECRET_DIST="brew" +# sudo: false +# language: generic before_script: - chmod +x ".ci/before_script.sh" && ".ci/before_script.sh" diff --git a/CHANGELOG.md b/CHANGELOG.md index cb48f190..cb3c260e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # Changelog +## Version 0.2.3 +- Added `-m` option to `hide` command, files will only be hidden when modifications are detected (#92) +- Changed how path mappings file works: colon delimited FSDB (#92) +- Fixed `gnupg` >= 2.1 CI tests (#6) +- Now users can run local CI tests using test-kitchen (#6) +- Migrated travis ci tests to test-kitchen for Linux platforms. +- `git secret init` now adds `random_seed` to `.gitignore` (#93) +- Added more `gpg` version to test matrix (#99) +- Dropped `git check-ignore`, using `git add --dry-run` instead to check for ignored files (#105,#38) +- Added CentOS to test matrix (#38,#91) +- All tested Linux platforms now use latest release of `shellchek` +- Added Alpine to test matrix, and apk is now built. (#75) + ## Version 0.2.2 - Change how the `usage` command works (#48) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 405d1297..01dbf826 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -28,7 +28,7 @@ Only required if dealing with manuals, `gh-pages` or releases: 1. Create your own or pick an opened issue from the [tracker][tracker]. Take a look at the [`help-wanted` tag][help-wanted] 2. Fork and clone your repository: `git clone https://github.com/${YOUR_NAME}/git-secret.git` 3. Make sure that everything works on the current platform by running `make test` -4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci-tests/integration"`. +4. [Run local CI tests](#running-local-ci-tests) to verify functionality on supported platforms `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"`. ### Development Process @@ -65,7 +65,7 @@ Cloud CI is done with the help of `travis`. `travis` handles multiple environmen ### Running local ci-tests 1. Install requied gems with `bundle install`. -2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci-tests/integration"` +2. Run ci-tests with `bundle exec kitchen verify --test-base-path="$PWD/.ci/integration"` ### Release process diff --git a/Makefile b/Makefile index 02d047ea..38c3bac8 100644 --- a/Makefile +++ b/Makefile @@ -92,7 +92,7 @@ lint: install-fpm: @if [ ! `gem list fpm -i` == "true" ]; then gem install fpm; fi - # .apk: +# .apk: .PHONY: build-apk build-apk: clean build install-fpm diff --git a/README.md b/README.md index a2b4b531..a7c5ca76 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,10 @@ See the [installation section](http://git-secret.io/installation) for the detail `git-secret` relies on several external packages: - `bash` since `3.2.57` (it is hard to tell the correct `patch` release) -- `git` since `2.6` -- `gpg` since `gnupg 1.4` to `gnupg 2.0`, versions `2.1` are not yet supported +- `gawk` since `4.0.2` +- `git` since `1.8.3.1` +- `gpg` since `gnupg 1.4` to `gnupg 2.X` +- `sha256sum` since `8.21` ## Contributing 
@@ -38,6 +40,15 @@ Do you want to help the project? Find an [issue](https://github.com/sobolevn/git ### Security +In order to encrypt (git-secret hide -m) files only when modified, the path +mappings file tracks sha256sum checksums of the files added (git-secret add) to +git-secret's path mappings filesystem database. Although, the chances of +encountering a sha collision are low, it is recommend that you pad files with +random data for greater security. Or avoid using the `-m` option altogether. +If your secret file holds more data than just a single password these +precautions should not be necessary, but could be followed for greater +security. + If you found any security related issues, please do not enclose it in public. Send an email to `security@wemake.services` diff --git a/src/_utils/_git_secret_tools.sh b/src/_utils/_git_secret_tools.sh index 896fa20a..a127b99f 100644 --- a/src/_utils/_git_secret_tools.sh +++ b/src/_utils/_git_secret_tools.sh @@ -163,6 +163,7 @@ function _file_has_line { function _delete_line { local escaped_path + # shellcheck disable=2001 escaped_path=$(echo "$1" | sed -e 's/[\/&]/\\&/g') # required local line="$2" # required @@ -198,6 +199,20 @@ function _unique_filename { echo "$result" } +# Helper function + + +function _gawk_inplace { + local parms="$*" + local dest_file + dest_file="$(echo "$parms" | gawk -v RS="'" -v FS="'" 'END{ gsub(/^\s+/,""); print $1 }')" + + _temporary_file + + bash -c "gawk ${parms}" > "$filename" + mv "$filename" "$dest_file" +} + # File System Database (fsdb): @@ -239,14 +254,14 @@ function _fsdb_rm_record { local key="$1" # required local fsdb="$2" # required - gawk -i inplace -v key="$key" "$AWK_FSDB_RM_RECORD" "$fsdb" + _gawk_inplace -v key="$key" "'$AWK_FSDB_RM_RECORD'" "$fsdb" } function _fsdb_clear_hashes { # First parameter is the path to fsdb local fsdb="$1" # required - gawk -i inplace "$AWK_FSDB_CLEAR_HASHES" "$fsdb" + _gawk_inplace "'$AWK_FSDB_CLEAR_HASHES'" "$fsdb" } 
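Review bot: `bash -c "gawk ${parms}"` in the new `_gawk_inplace` re-parses every argument through a second shell, so a key or file path containing a space, a quote, `$` or a backtick is word-split or expanded there — and those values are user-controlled paths (`-v key="$key"` in `_fsdb_rm_record`, the @@ -239 hunk of this file). The same string round-trip is what forces the `"'$AWK_…'"` wrapping in the callers here and in the hide and init hunks, and it breaks as soon as an awk program contains a single quote. Nothing checks gawk's exit status before `mv`, so a failed run replaces `$dest_file` with empty or partial output, and `mv` also gives the destination the temp file's mode rather than the original's (presumably 0600 if `_temporary_file` uses mktemp — worth confirming for `.gitignore`). Passing the arguments straight through with `"$@"`, taking the destination as the last positional parameter and moving only on success removes the quoting layer and the data-loss path; the callers then pass `"$AWK_…"` without the added single quotes.
```bash
function _gawk_inplace {
  # usage: _gawk_inplace [gawk options] program file
  # The last argument is the file to rewrite; everything is handed to gawk unchanged.
  local dest_file="${!#}"

  _temporary_file

  if gawk "$@" > "$filename"; then
    mv "$filename" "$dest_file"
  else
    rm -f "$filename"
    return 1
  fi
}
```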
@@ -260,13 +275,30 @@ function _show_manual_for { } +# Invalid options + +function _invalid_option_for { + local function_name="$1" # required + + man "git-secret-${function_name}" + exit 1 +} + + # VCS: function _check_ignore { local filename="$1" # required local result - result="$(git check-ignore --no-index -q "$filename" > /dev/null 2>&1; echo $?)" + result="$(git add -n "$filename" > /dev/null 2>&1; echo $?)" + # when ignored + if [[ "$result" -ne 0 ]]; then + result=0 + else + result=1 + fi + # returns 1 when not ignored, and 0 when ignored echo "$result" } @@ -459,8 +491,17 @@ function _secrets_dir_is_not_ignored { local git_secret_dir git_secret_dir=$(_get_secrets_dir) + # Create git_secret_dir required for check + local cleanup=0 + if [[ ! -d "$git_secret_dir" ]]; then + mkdir "$git_secret_dir" + cleanup=1 + fi local ignores - ignores=$(_check_ignore "${_SECRETS_DIR}") + ignores=$(_check_ignore "$git_secret_dir") + if [[ "$cleanup" == 1 ]]; then + rmdir "$git_secret_dir" + fi if [[ ! $ignores -eq 1 ]]; then _abort "'$git_secret_dir' is ignored." @@ -552,7 +593,7 @@ function _decrypt { local encrypted_filename encrypted_filename=$(_get_encrypted_filename "$filename") - local base="$SECRETS_GPG_COMMAND --use-agent -q --decrypt --no-permission-warning" + local base="$SECRETS_GPG_COMMAND --use-agent --decrypt --no-permission-warning" if [[ "$write_to_file" -eq 1 ]]; then base="$base -o $filename" diff --git a/src/_utils/_git_secret_tools_linux.sh b/src/_utils/_git_secret_tools_linux.sh index 072787bd..3bbe8410 100644 --- a/src/_utils/_git_secret_tools_linux.sh +++ b/src/_utils/_git_secret_tools_linux.sh @@ -1,6 +1,7 @@ #!/usr/bin/env bash +# shellcheck disable=1117 function __replace_in_file_linux { sed -i.bak "s/^\($1\s*=\s*\).*\$/\1$2/" "$3" } diff --git a/src/_utils/_git_secret_tools_osx.sh b/src/_utils/_git_secret_tools_osx.sh index 582bb0a3..6a58af1b 100644 --- a/src/_utils/_git_secret_tools_osx.sh +++ b/src/_utils/_git_secret_tools_osx.sh 
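Review bot: `_check_ignore` now reports every non-zero exit of `git add -n` as "ignored": a path that does not exist, a path outside the work tree, or any other git error all yield 0, whereas the removed `git check-ignore` call only answered the ignore-rule question. If a caller uses the result to confirm that a plaintext secret is excluded from git before acting on it, an unrelated git failure would be read as the safe state. Testing the path first, `[[ -e "$filename" ]] || _abort "'$filename' does not exist."`, or inspecting git's stderr for its ignore notice would keep the error cases apart. The comment `# returns 1 when not ignored, and 0 when ignored` is the main thing a reader needs and belongs at the top of the function, since the convention is inverted from the usual exit-code sense.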
@@ -1,6 +1,7 @@ #!/usr/bin/env bash +# shellcheck disable=1117 function __replace_in_file_osx { sed -i.bak "s/^\($1[[:space:]]*=[[:space:]]*\).*\$/\1$2/" "$3" } diff --git a/src/commands/git_secret_add.sh b/src/commands/git_secret_add.sh index 1f70d560..8e2476fe 100644 --- a/src/commands/git_secret_add.sh +++ b/src/commands/git_secret_add.sh @@ -10,6 +10,8 @@ function add { i) auto_ignore=1;; h) _show_manual_for "add";; + + *) _invalid_option_for "add";; esac done diff --git a/src/commands/git_secret_changes.sh b/src/commands/git_secret_changes.sh index 4f182528..12146167 100644 --- a/src/commands/git_secret_changes.sh +++ b/src/commands/git_secret_changes.sh @@ -12,6 +12,8 @@ function changes { p) passphrase=$OPTARG;; d) homedir=$OPTARG;; + + *) _invalid_option_for 'changes';; esac done diff --git a/src/commands/git_secret_clean.sh b/src/commands/git_secret_clean.sh index 09f6653a..dc0a212e 100644 --- a/src/commands/git_secret_clean.sh +++ b/src/commands/git_secret_clean.sh @@ -11,6 +11,8 @@ function clean { v) verbose="v";; h) _show_manual_for 'clean';; + + *) _invalid_option_for 'clean';; esac done diff --git a/src/commands/git_secret_hide.sh b/src/commands/git_secret_hide.sh index 9a1e3ab9..b3d53945 100644 --- a/src/commands/git_secret_hide.sh +++ b/src/commands/git_secret_hide.sh @@ -62,7 +62,7 @@ function _get_file_hash { local file_hash checksum_local="$(_get_checksum_local)" - file_hash=$($checksum_local "$input_path" | awk '{print $1}') + file_hash=$($checksum_local "$input_path" | gawk '{print $1}') echo "$file_hash" } @@ -74,7 +74,7 @@ function _optional_fsdb_update_hash { fsdb=$(_get_secrets_dir_paths_mapping) - gawk -i inplace -v key="$key" -v hash="$hash" "$AWK_FSDB_UPDATE_HASH" "$fsdb" + _gawk_inplace -v key="$key" -v hash="$hash" "'$AWK_FSDB_UPDATE_HASH'" "$fsdb" } @@ -97,6 +97,8 @@ function hide { v) verbose='v';; h) _show_manual_for 'hide';; + + *) _invalid_option_for 'hide';; esac done 
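Review bot: `_get_file_hash` produces an unkeyed digest of the plaintext secret and `_optional_fsdb_update_hash` (the next hunk) writes it into the path mappings, but nothing in the code records the consequence: wherever that mappings file is readable — in particular if it is tracked by git — the digest lets a reader verify guesses of a low-entropy secret offline. A comment at `_get_file_hash` such as `# NOTE: digest of the plaintext; if the mappings file is shared, a low-entropy secret can be recovered from it by guessing` would document the trade-off, and a keyed digest (an HMAC with a key kept outside the repository) would remove it. The switch from `awk` to `gawk` on the `file_hash=` line also makes gawk a hard runtime dependency on every platform; the README hunk in this diff lists it, so confirm the packaged images and the new Alpine platform install it. Both functions start outside their hunks.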
diff --git a/src/commands/git_secret_init.sh b/src/commands/git_secret_init.sh index e3c64885..d3872dfc 100644 --- a/src/commands/git_secret_init.sh +++ b/src/commands/git_secret_init.sh @@ -2,12 +2,30 @@ # shellcheck disable=2016 AWK_ADD_TO_GITIGNORE=' -BEGIN { cnt=0; } +BEGIN { + cnt=0 +} + +function check_print_line(line){ + if (line == pattern) { + cnt++ + } + print line +} + +# main function { - print $0 - if ( $0 == pattern ) cnt++; + check_print_line($0) # check and print first line + while (getline == 1) { # check and print all other + check_print_line($0) + } +} + +END { + if ( cnt == 0) { # if file did not contain pattern add + print pattern + } } -ENDFILE { if ( cnt == 0) print pattern; } ' function gitignore_add_pattern { @@ -18,7 +36,7 @@ function gitignore_add_pattern { gitignore_file_path=$(_append_root_path '.gitignore') _maybe_create_gitignore - gawk -i inplace -v pattern="$pattern" "$AWK_ADD_TO_GITIGNORE" "$gitignore_file_path" + _gawk_inplace -v pattern="$pattern" "'$AWK_ADD_TO_GITIGNORE'" "$gitignore_file_path" } function init { @@ -27,6 +45,8 @@ function init { while getopts 'h' opt; do case "$opt" in h) _show_manual_for 'init';; + + *) _invalid_option_for 'init';; esac done diff --git a/src/commands/git_secret_killperson.sh b/src/commands/git_secret_killperson.sh index f47f7457..f27dcd33 100644 --- a/src/commands/git_secret_killperson.sh +++ b/src/commands/git_secret_killperson.sh @@ -7,6 +7,8 @@ function killperson { while getopts 'h' opt; do case "$opt" in h) _show_manual_for 'killperson';; + + *) _invalid_option_for 'killperson';; esac done diff --git a/src/commands/git_secret_list.sh b/src/commands/git_secret_list.sh index 5d48334a..dccba3a5 100644 --- a/src/commands/git_secret_list.sh +++ b/src/commands/git_secret_list.sh @@ -7,6 +7,8 @@ function list { while getopts 'h' opt; do case "$opt" in h) _show_manual_for 'list';; + + *) _invalid_option_for 'list';; esac done 
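Review bot: The `while (getline == 1)` loop inside the main rule of `AWK_ADD_TO_GITIGNORE` re-implements awk's own record loop: a pattern-less rule already runs once per input line, so `{ check_print_line($0) }` on its own behaves the same and reads as ordinary awk. The rest of the rewrite is sound — `END` replaces the gawk-only `ENDFILE`, and an empty `.gitignore` still receives the pattern from `END` because `cnt` stays 0. The `# main` comment would be more useful as `# print every line, counting matches of pattern`.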
diff --git a/src/commands/git_secret_remove.sh b/src/commands/git_secret_remove.sh index 2afeb86b..94fc8791 100644 --- a/src/commands/git_secret_remove.sh +++ b/src/commands/git_secret_remove.sh @@ -11,6 +11,8 @@ function remove { c) clean=1;; h) _show_manual_for 'remove';; + + *) _invalid_option_for 'remove';; esac done @@ -39,7 +41,6 @@ function remove { fi # Deleting it from path mappings: - # _delete_line "$normalized_path" "$path_mappings" # Remove record from fsdb with matching key local key key="$normalized_path" diff --git a/src/commands/git_secret_reveal.sh b/src/commands/git_secret_reveal.sh index 7f816467..da8dee66 100644 --- a/src/commands/git_secret_reveal.sh +++ b/src/commands/git_secret_reveal.sh @@ -17,6 +17,8 @@ function reveal { p) passphrase=$OPTARG;; d) homedir=$OPTARG;; + + *) _invalid_option_for 'reveal';; esac done diff --git a/src/commands/git_secret_tell.sh b/src/commands/git_secret_tell.sh index ecdd83b6..0dd11b04 100644 --- a/src/commands/git_secret_tell.sh +++ b/src/commands/git_secret_tell.sh @@ -29,6 +29,8 @@ function tell { m) self_email=1;; d) homedir=$OPTARG;; + + *) _invalid_option_for 'tell';; esac done diff --git a/src/commands/git_secret_usage.sh b/src/commands/git_secret_usage.sh index a2c07c64..fa4e22e7 100644 --- a/src/commands/git_secret_usage.sh +++ b/src/commands/git_secret_usage.sh @@ -7,6 +7,8 @@ function usage { while getopts "h?" opt; do case "$opt" in h) _show_manual_for "usage";; + + *) _invalid_option_for "usage";; esac done diff --git a/src/commands/git_secret_whoknows.sh b/src/commands/git_secret_whoknows.sh index 066d8aed..6a6f8e4b 100644 --- a/src/commands/git_secret_whoknows.sh +++ b/src/commands/git_secret_whoknows.sh @@ -7,6 +7,8 @@ function whoknows { while getopts "h?" opt; do case "$opt" in h) _show_manual_for "whoknows";; + + *) _invalid_option_for "whoknows";; esac done diff --git a/src/version.sh b/src/version.sh index 6b5c7a3a..3d1bb1fe 100644 --- a/src/version.sh +++ b/src/version.sh 
@@ -1,3 +1,4 @@ #!/usr/bin/env bash -GITSECRET_VERSION='0.2.2' # shellcheck disable=2034 +# shellcheck disable=2034 +GITSECRET_VERSION='0.2.2' diff --git a/tests/_test_base.bash b/tests/_test_base.bash index 22b64ab2..f2a76d35 100644 --- a/tests/_test_base.bash +++ b/tests/_test_base.bash @@ -53,7 +53,7 @@ function test_user_email { function stop_gpg_agent { local username=$(id -u -n) - ps awx -u "$username" | gawk \ + ps -wx -U "$username" | gawk \ '/gpg-agent --homedir/ { if ( $0 !~ "awk" ) { system("kill -9 "$1) } }' \ > /dev/null 2>&1 } @@ -72,10 +72,9 @@ function get_gpg_fingerprint_by_email { local email="$1" local fingerprint - fingerprint=$($GPGTEST --list-public-keys --with-fingerprint --with-colons | \ - sed -e '/<'"$email"'>::scESC:/,/[A-Z0-9]\{40\}:/!d' | \ - sed -e '/fpr/!d' | \ - sed -n 's/fpr:::::::::\([A-Z|0-9]\{40\}\):/\1/p') + fingerprint=$($GPGTEST --with-fingerprint \ + --with-colon \ + --list-secret-key $email | gawk "$AWK_GPG_GET_FP") echo "$fingerprint" } @@ -105,9 +104,7 @@ function install_fixture_full_key { --import \"$private_key\"" > /dev/null 2>&1 # since 0.1.2 fingerprint is returned: - fingerprint=$($GPGTEST --with-fingerprint \ - --with-colon \ - --list-secret-key $email | gawk "$AWK_GPG_GET_FP") + fingerprint=$(get_gpg_fingerprint_by_email $email) install_fixture_key "$1" diff --git a/tests/test_hide.bats b/tests/test_hide.bats index 1c5da8ae..e28ec815 100644 --- a/tests/test_hide.bats +++ b/tests/test_hide.bats 
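Review bot: `$email` is passed to `--list-secret-key` unquoted in the new body of `get_gpg_fingerprint_by_email`, and `install_fixture_full_key` (the following hunk) now calls the helper with `$email` unquoted as well, so an address containing whitespace or glob characters is split before it reaches gpg. `--list-secret-key "$email"` and `fingerprint=$(get_gpg_fingerprint_by_email "$email")` fix both. Separately, `stop_gpg_agent` still sends `kill -9` to every process of the user whose command line matches `gpg-agent --homedir`; on a shared CI host, matching the test's own `--homedir` path instead of the bare flag would confine it to the agents these tests started.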
@@ -54,6 +54,51 @@ function teardown { } +@test "run 'hide' with '-m'" { + run git secret hide -m + + # Command must execute normally: + [ "$status" -eq 0 ] + # git secret hide -m, use temp file so cleaning should take place + [[ "${#lines[@]}" -eq 2 ]] + [ "${lines[0]}" = "done. all 1 files are hidden." ] + [ "${lines[1]}" = "cleaning up..." ] + + # New files should be crated: + local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE") + [ -f "$encrypted_file" ] +} + + +@test "run 'hide' with '-m' twice" { + local path_mappings + path_mappings=$(_get_secrets_dir_paths_mapping) + run git secret hide -m + + + # Command must execute normally: + [ "$status" -eq 0 ] + # git secret hide -m, uses a temp file so cleaning should take place + [[ "${#lines[@]}" -eq 2 ]] + [ "${lines[0]}" = "done. all 1 files are hidden." ] + [ "${lines[1]}" = "cleaning up..." ] + # back path mappings + cp "${path_mappings}" "${path_mappings}.bak" + # run hide again + run git secret hide -m + # compare + [ "$status" -eq 0 ] + [[ "${#lines[@]}" -eq 1 ]] + [ "$output" = "done. all 1 files are hidden." ] + # no changes should occur to path_mappings files + cmp -s "${path_mappings}" "${path_mappings}.bak" + + # New files should be crated: + local encrypted_file=$(_get_encrypted_filename "$FILE_TO_HIDE") + [ -f "$encrypted_file" ] +} + + @test "run 'hide' with '-c' and '-v'" { # Preparations: local encrypted_filename=$(_get_encrypted_filename "$FILE_TO_HIDE") diff --git a/tests/test_reveal.bats b/tests/test_reveal.bats index 79ce0959..87a6bf36 100644 --- a/tests/test_reveal.bats +++ b/tests/test_reveal.bats @@ -38,7 +38,7 @@ function teardown { [ "$status" -eq 0 ] [ -f "$FILE_TO_HIDE" ] - cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" + cmp -s "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" rm "${FILE_TO_HIDE}2" } 
@@ -107,7 +107,8 @@ function teardown { @test "run 'reveal' for multiple users (normally)" { # Preparations: local second_fingerprint=$(install_fixture_full_key "$TEST_SECOND_USER") - local password=$(test_user_password "$TEST_SECOND_USER") + # bug in gpg v2.0.22, need to use default password + local password=$(test_user_password "$TEST_DEFAULT_USER") set_state_secret_tell "$TEST_SECOND_USER" set_state_secret_hide diff --git a/tests/test_reveal_filename.bats b/tests/test_reveal_filename.bats index a10aecd9..4c5c0334 100644 --- a/tests/test_reveal_filename.bats +++ b/tests/test_reveal_filename.bats @@ -45,7 +45,7 @@ function teardown { [ "$status" -eq 0 ] [ -f "$FILE_TO_HIDE" ] - cmp --silent "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" + cmp -s "$FILE_TO_HIDE" "${FILE_TO_HIDE}2" rm "${FILE_TO_HIDE}2" } diff --git a/utils/apk/apk-deploy.sh b/utils/apk/apk-deploy.sh index d3c53dfb..80545054 100644 --- a/utils/apk/apk-deploy.sh +++ b/utils/apk/apk-deploy.sh @@ -24,7 +24,7 @@ echo "{ \ \"gpgSign\": true \ }, \ \"files\": [{ \ - \"includePattern\": \"build/buildroot/(.*\.apk)\", \ + \"includePattern\": \"build/buildroot/(.*\\\\\\.apk)\", \ \"uploadPattern\": \"/git-secret_${SCRIPT_VERSION}_all.apk\" \ }], \ \"publish\": true \ diff --git a/utils/deb/deb-deploy.sh b/utils/deb/deb-deploy.sh index e05c3573..f05c281d 100755 --- a/utils/deb/deb-deploy.sh +++ b/utils/deb/deb-deploy.sh @@ -24,7 +24,7 @@ echo "{ \ \"gpgSign\": true \ }, \ \"files\": [{ \ - \"includePattern\": \"build/buildroot/(.*\.deb)\", \ + \"includePattern\": \"build/buildroot/(.*\\\\\\.deb)\", \ \"uploadPattern\": \"/git-secret_${SCRIPT_VERSION}_all.deb\", \ \"matrixParams\": { \ \"deb_distribution\": \"git-secret\", \ diff --git a/utils/rpm/rpm-deploy.sh b/utils/rpm/rpm-deploy.sh index 1fe69396..ce51bd38 100644 --- a/utils/rpm/rpm-deploy.sh +++ b/utils/rpm/rpm-deploy.sh 
@@ -24,7 +24,7 @@ echo "{ \ \"gpgSign\": true \ }, \ \"files\": [{ \ - \"includePattern\": \"build/buildroot/(.*\.rpm)\", \ + \"includePattern\": \"build/buildroot/(.*\\\\\\.rpm)\", \ \"uploadPattern\": \"/git-secret-${SCRIPT_VERSION}-1.noarch.rpm\" }], \ \"publish\": true \