From d4b60948dc90cc934c8fb05b615339643bc89961 Mon Sep 17 00:00:00 2001
From: Pascal Andy
Date: Wed, 18 May 2022 22:46:39 -0400
Subject: [PATCH] New feat: gc() one core fct + 5 childs to use git-crypt

---
 README.md | 39 ++++++-
 bashlava.sh | 86 +++++++++++++++-
 docs/fct_gc_next.md | 8 ++
 docs/help.md | 3 +-
 docs/help_gitcrypt.md | 210 ++++++++++++++++++++++++++++++++++++++
 docs/next_move_fct_mrg.md | 2 -
 6 files changed, 338 insertions(+), 10 deletions(-)
 create mode 100755 docs/fct_gc_next.md
 create mode 100755 docs/help_gitcrypt.md

diff --git a/README.md b/README.md
index 4c6d784..2086e5c 100644
--- a/README.md
+++ b/README.md
@@ -12,13 +12,44 @@ # BashLava -BashLaVa is a utility-first bash framework. The idea is to abstract your workflow to minimize the time to do some repetitive actions. +BashLaVa is a utility-first bash framework. The idea is to abstract your git workflow to minimize the time to do some repetitive actions. -It's for developers that use git commands regularly. BashLaVa makes following git workflow a breeze without having to leave your terminal or use GitHub GUI. +**Update May 2022**: There are so many new features, I must re-write the whole README. -In other word, the the **agile release cycle** should be something you master. BashLaVa helps you big time to get there. +## Features -**WIP** - May 2022: There are so many new features, I must re-write the whole README. +- A Super fast git flow +- Sane default, see `.bashlava_env.sh` +- Custom configuration to quickly use bashlava accross your project +- manage your own bashscript scripts under /private +- crypt secrets + +Below from the `bashlava.sh h` + +``` + git flow + + • e ....... | create a branch edge from main ........ | standalone + • c ....... | commit ................................ | usage: c "This feature rocks" + • sq ...... | squash commits ........................ | usage: sq 3 "Add: feat xyz, issue 123" + • pr ...... | create pull request .................. | standalone + • ci ...... | show ci status on GitHub Actions ...... | standalone + • mrg ..... | merge to mainbranch ................... | standalone + • m ....... | checkout to main_branch .............. | standalone + • v ....... | version code .......................... | standalone or usage: v 1.4.2 + • t ....... | tag .................................. | standalone + • r ....... | release and open GUI on GitHub ....... | standalone + • d ....... | dummy commits ........................ | standalone +``` + +## cli that are abstracted + +- git +- gh +- docker +- git-crypt + +## Getting Started ## License 
diff --git a/bashlava.sh b/bashlava.sh index 6cb4e64..c8b8310 100755 --- a/bashlava.sh +++ b/bashlava.sh @@ -22,9 +22,31 @@ ________________________________________________________________________________ PRIORITY 1 ____________________________________________________________________________ -TODO git-crypt -- once gitcrypt to well test and solid -- 0o0o +TODO +## New feat: gc() one core fct + 5 childs to use git-crypt +- gc h(), add /docs/help_gitcrypt.md +- (h) update /docs/help.md +- Impact on: #4, #8 + +## Minor +- Update README.md + +TODO +gc() + CONFIG: is if key is: symetric OR pub/priv + if symetric, we need to define a custom path for the key + most likely define in /private/entrypoint + Default pub/priv + CONFIG: do a gc on() when test() + default is false + + check if projet have .git-crypt + else warn this project does have gc setup + + +TODO +- start a new git repo to test gc +- create key as new user on new computers to ensure how_to_use_gitcrypt.md is correct _______________________________________________________________________________________ _______________________________________________________________________________________ 
@@ -595,6 +617,64 @@ function gitio { # User_
 esac
 }
+function gc { # User_
+ Condition_Attr_3_Must_Be_Empty
+
+ if [[ "${input_2}" == "on" ]]; then
+ gc_on
+ elif [[ "${input_2}" == "off" ]]; then
+ gc_off
+ elif [[ "${input_2}" == "s" ]]; then
+ gc_status
+ elif [[ "${input_2}" == "k" ]]; then
+ gc_keys
+ elif [[ "${input_2}" == "h" ]]; then
+ gc_help
+ elif [[ "${input_2}" == "not_set" ]]; then
+ _doc_name="fct_gc_next.md" && Show_Docs
+ input_2="not_set" #reset input_2
+ read -r user_input;
+ case ${user_input} in
+ 1 | on | un) gc_on;;
+ 2 | off | lock) gc_off;;
+ 3 | s | status) gc_status;;
+ 4 | l | list) gc_list;;
+ 5 | h | help) gc_help;;
+ *) my_message="Aborted" && Print_Gray;;
+ esac
+ else
+ my_message="FATAL: The command does not exist." && Print_Fatal
+ fi
+}
+### CHILD FUNCTIONS
+ function gc_on { # Child_
+ Condition_No_Commits_Pending
+ git-crypt unlock
+ # clear the warning. See https://github.com/firepress-org/bashlava/issues/40
+ clear
+ my_message="git-crypt unlocked your files/dir." && Print_Green
+ file "$(git-crypt status -e | head -1 | awk '{print $2}')"
+ }
+ function gc_off { # Child_
+ Condition_No_Commits_Pending
+ git-crypt lock
+ my_message="git-crypt locked your files/dir." && Print_Green
+ file "$(git-crypt status -e | head -1 | awk '{print $2}')"
+ }
+ function gc_status { # Child_
+ git-crypt status -e && echo
+ git-crypt status -u && echo
+ git-crypt status -f
+ file "$(git-crypt status -e | head -1 | awk '{print $2}')"
+ }
+ function gc_keys { # Child_
+ gpg --list-keys
+ }
+ function gc_help { # Child_
+ clear
+ _doc_name="help_gitcrypt.md" && Show_Docs
+ }
+
 ### ### ### ### ### ### ### ### ### ### ### ### ### ### ### ###
 #
 #
 # Show
diff --git a/docs/fct_gc_next.md b/docs/fct_gc_next.md
new file mode 100755
index 0000000..3eb07f7
--- /dev/null
+++ b/docs/fct_gc_next.md
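Review bot: Option 4 of the interactive menu in gc dispatches to `gc_list`, which is not defined anywhere in this hunk (the child functions added are gc_on, gc_off, gc_status, gc_keys and gc_help), so answering `4` fails with "command not found"; the companion docs/fct_gc_next.md advertises `k` for "show gpg keys", so the arm should read `4 | k | keys) gc_keys;;`. Separately, gc_on and gc_off print the green "unlocked"/"locked" message without checking the exit status of `git-crypt unlock` / `git-crypt lock`, and the `clear` in gc_on wipes whatever git-crypt printed, so a failed unlock (no key available, or a repo without git-crypt set up, which the TODO in the earlier hunk notes is not yet checked) is reported to the user as success; consider `git-crypt lock || { my_message="git-crypt lock failed." && Print_Fatal; return 1; }` and the equivalent guard before the `clear` in gc_on. The `file "$(git-crypt status -e | head -1 | awk '{print $2}')"` lines presumably end up running `file ""` when no file is marked encrypted, which is inferred rather than visible here.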
@@ -0,0 +1,8 @@
+🚀 What do you want to do next?
+
+- `1` ... |`on`unlock (decrypt)
+- `2` ... |`off`lock (crypt)
+- `3` ... |`s`status about files
+- `4` ... |`k`show gpg keys
+- `5` ... |`h`help about git-crypt
+- `q` ... | quit
diff --git a/docs/help.md b/docs/help.md
index bbb825d..2294b5e 100755
--- a/docs/help.md
+++ b/docs/help.md
@@ -18,13 +18,14 @@
 - `v` ....... |`version`code .......................... | _standalone_ or usage: v 1.4.2
 - `t` ....... |`tag` .................................. | _standalone_
 - `r` ....... |`release` and open GUI on GitHub ....... | _standalone_
-- `d` ....... |`dummy` commits ........................ | _standalone_
+- `d` ....... |`dummy`commits ......................... | _standalone_
 
 **more commands**
 
 - `s` ....... |`show`every functions per categories ... | _standalone_
 - `h` ....... |`help`.................................. | _standalone_
 - `test` .... |`test`if bashLaVa works properly ....... | _standalone_
+- `gc` ...... | git-crypt utility ..................... | _standalone_ or usage: gc on
 - `l` ....... | show`log`.............................. | _standalone_
 - `sv` ...... | show`version`.......................... | _standalone_
 - `oe` ...... | check`out`edge ......(does not fetch) . | _standalone_
diff --git a/docs/help_gitcrypt.md b/docs/help_gitcrypt.md
new file mode 100755
index 0000000..dbf0a4b
--- /dev/null
+++ b/docs/help_gitcrypt.md
@@ -0,0 +1,210 @@ +``` + _ _ + __ _ ___ | |__ ___| |_ __ + / _` |/ __| | '_ \ / _ \ | '_ \ +| (_| | (__ | | | | __/ | |_) | + \__, |\___| |_| |_|\___|_| .__/ + |___/ |_| +``` + +# Install git-crypt on Mac + +I use Mac OS (M1) 12.3.1. + +``` +brew install git-crypt gnupg +git-crypt version + +>> +git-crypt 0.7.0 +``` + +Also install the GUI - https://gpgtools.org/ + +# Method #1 + +One commun symetric key for everybody. (Less secure over time.) + +## Set up the repository to use git-crypt + +Let's create a Symetric key (basic set up) +Let's export the key + +``` +git-crypt init + +git-crypt export-key ~/Documents/.../git-crypt-key +``` + +## Set up rules + +Create file `.gitattributes` at the root of your project. + +Here is my template: + +``` +### DO encrypt these: +secret*/** filter=git-crypt diff=git-crypt +# files to encrypt by default +**.key filter=git-crypt diff=git-crypt + +### DO NOT encrypt these: +.gitattributes !filter !diff +.gitignore !filter !diff +node_modules/** !filter !diff +Dockerfile !filter !diff +LICENSE !filter !diff +README.md !filter !diff + +# /private is part of .gitignore so we do not encrypt it +private/** !filter !diff +``` + +## Status, see what is encrypted (or not) + +``` +git-crypt status -e && echo +git-crypt status -u && echo +git-crypt status -f + +>> +encrypted: secrets/contract_2022_05_01.md +encrypted: secrets/list.txt +encrypted: secrets/token_aws.key +encrypted: secrets/token_do.key + +not encrypted: .bashlava_env_override.sh +not encrypted: .git-crypt/.gitattributes +not encrypted: .git-crypt/keys/default/0/9D99B155628F9AC9DDD9ED8B8A4F19B6D38E7253.gpg +not encrypted: .gitattributes +not encrypted: .gitignore +not encrypted: Dockerfile +not encrypted: LICENSE +not encrypted: README.md +not encrypted: docs/DUMMY.md +``` + +Confirm our file is uncrypted: + +``` +cat api.key + +> +b9dd2892257ffb0ce4e6fd0cdf202f131a03afd17769feabe9effaca265e98be +``` + +## Lock the projet + +Lock our projet and confirm our file is crypted: + 
+``` +git-crypt lock && cat api.key + +>> +File: secrets/token_aws.key +``` + +## UnLock the projet (symetric key) + +``` +git-crypt unlock ~/Documents/.../git-crypt-key +``` + +## Re-use key in other git repo + +To use an existing key file, just use git-crypt unlock instead of git-crypt init when you set up your git repository to use git-crypt, like this: + +``` +mkdir my-other-project # At the same directory level as myproject +cd my-other-project +git init +echo "Something" > file.txt +git add file.txt +git commit -m "initial commit" + +git-crypt unlock ~/Documents/.../git-crypt-key +``` + +# Method #2 using public/private keys + +You should use public/private keys which is much more secure. + +## As a USER_DEV + +As a USER_DEV must create a key +`gpg --gen-key` + +As a USER_DEV, check the gpg keys +`gpg --list-keys` + +As a USER_DEV, check the gpg keys and list the keys and copy the key ID (KEY_ID ex: 9F9VD135y67289ACGGD349E8S345TSRY4ECC53): + +`gpg --list-keys` + +As a USER_DEV, print the public key and pass it to the admin that will be granting the permissions to git-crypt: +`gpg --export --armor $KEY_ID` + +As a USER_DEV, export key as file: + +``` +cd ~/Documents/.../pascalandy +gpg --output public.pgp --armor --export username@email.ca +``` + +## As an ADMIN (git repo owner) + +As an ADMIN import USER_DEV + +``` +file ~/Documents/.../pascalandy/public.pgp +gpg --import ~/Documents/.../pascalandy/public.pgp +``` + +As an ADMIN, import USER_DEV within the git repo: + +``` +cd ~/Documents/.../mycrypt +git-crypt add-gpg-user --trusted username@email.ca + +>> +andy16@andy16-2:~/Documents/.../mycrypt|master ⇒ cd ~/Documents/.../mycrypt +andy16@andy16-2:~/Documents/.../mycrypt|master ⇒ git-crypt add-gpg-user --trusted username@email.ca +[master db3e97f] Add 1 git-crypt collaborator +2 files changed, 4 insertions(+) +create mode 100644 .git-crypt/.gitattributes +create mode 100644 .git-crypt/keys/default/0/9F9VD135y67289ACGGD349E8S345TSRY4ECC53.gpg +``` + +# 
Conclusion + +Symetric steup: It's a good idea to have ../git-crypt-key as an absolut path to you can encrypt everything from anywhere on your computer. + +## Bonus + +export/backup your keys: + +``` +gpg --output public.pgp --armor --export username@email.ca +gpg --output private.pgp --armor --export-secret-key username@email.ca +``` + +source: https://unix.stackexchange.com/a/482559 + +## Great references + +- https://hackernoon.com/things-you-must-know-about-git-crypt-to-successfully-protect-your-secret-data-kyi3wi6 +- https://buddy.works/guides/git-crypt +- https://medium.com/@ahmed.kamel/git-crypt-unattended-unlock-with-gpg-passphrase-in-docker-f0aa39b85a + +## What is great + +- The major advantage with a tool like git-crypt is that even if locally you can see all your encrypted files, + when your commit to your git repo, these secrets ARE ALWAYS ENCRYPTED. You cant mess up once you define which DIR files should be a secret. +- easy symetric key OR gpg user access management + +## Key rotation + +- No key rotation tool build in, but folks have create script to do just that +- https://github.com/AGWA/git-crypt/issues/47 + +See this doc online: https://github.com/firepress-org/bashlava/tree/main/docs/help_gitcrypt.md diff --git a/docs/next_move_fct_mrg.md b/docs/next_move_fct_mrg.md index 1464235..5a3d7bc 100755 --- a/docs/next_move_fct_mrg.md +++ b/docs/next_move_fct_mrg.md @@ -4,6 +4,4 @@ - `2` ... |`t` - `3` ... |`e` - `4` ... |`ci` -- `8` ... |`vt` (combined) -- `9` ... |`a` (WIP will allow the user to: v + t + r + e in one step) - `q` ... | quit