Allow to define a secret-key and list of files per bucket

lib/mix/secrex.ex

@@ -4,13 +4,30 @@ defmodule Mix.Secrex do
   """
 
   @doc false
-  def secret_files() do
-    Application.get_env(:secrex, :files, [])
+  def secret_files(bucket) do
+    Application.get_env(:secrex, :buckets, [])
+    |> Keyword.get(bucket, [])
+    |> Keyword.get(:files, [])
   end
 
   @doc false
-  def encryption_key() do
-    key_path = Application.get_env(:secrex, :key_file)
+  def buckets() do
+    :secrex
+    |> Application.get_all_env()
+    |> Keyword.get(:buckets, [])
+    |> Keyword.keys()
+  end
+
+  @doc false
+  def get_bucket(bucket) do
+    :secrex
+    |> Application.get_env(:buckets)
+    |> Keyword.get(bucket, [])
+  end
+
+  @doc false
+  def encryption_key(bucket) do
+    key_path = bucket |> get_bucket() |> Keyword.get(:key_file)
 
     if key_path do
       key_path |> Path.expand() |> File.read!()
@@ -26,7 +43,7 @@ defmodule Mix.Secrex do
   end
 
   @doc ~S"""
-  Checks if the local decrypted files are in sync with the encrypted ones.
+  Checks either the specified or all buckets decrypted files are in sync with the encrypted ones.
 
   This could be useful in deployment process. For instance, to abort deployment if secrets diverge:
 
@@ -36,12 +53,27 @@ defmodule Mix.Secrex do
         )
       end
 
+      if Mix.Secrex.secret_files_changed?(:my_bucket) do
+        Mix.raise(
+          "Secret files are not in sync. Please run \"mix secrex.decrypt --bucket my_bucket\" to retrieve latest updates."
+        )
+      end
   """
   @spec secret_files_changed?() :: boolean()
   def secret_files_changed?() do
-    key = encryption_key()
+    changed_files = Enum.map(buckets(), &do_secret_files_changed?/1)
+    Enum.any?(changed_files)
+  end
+
+  @spec secret_files_changed?(bucket :: atom()) :: boolean()
+  def secret_files_changed?(bucket) do
+    do_secret_files_changed?(bucket)
+  end
+
+  defp do_secret_files_changed?(bucket) do
+    key = encryption_key(bucket)
 
-    Enum.any?(secret_files(), fn path ->
+    Enum.any?(secret_files(bucket), fn path ->
       enc_path = encrypted_path(path)
       decrypted = decrypt(enc_path, key)
       File.read!(path) != decrypted

lib/mix/tasks/secrex.decrypt.ex

@@ -10,10 +10,21 @@ defmodule Mix.Tasks.Secrex.Decrypt do
   @shortdoc "Decrypts secrets to the configured files"
 
   @impl true
-  def run(_args) do
-    key = encryption_key()
+  def run(["--bucket", bucket]) do
+    bucket
+    |> String.to_atom()
+    |> decrypt()
+  end
+
+  @impl true
+  def run([]) do
+    Enum.map(buckets(), &decrypt/1)
+  end
+
+  defp decrypt(bucket) do
+    key = encryption_key(bucket)
 
-    for path <- secret_files() do
+    for path <- secret_files(bucket) do
       enc_path = encrypted_path(path)
       Mix.shell().info("Decrypting #{enc_path}")
       File.write!(path, decrypt(enc_path, key))

lib/mix/tasks/secrex.encrypt.ex

@@ -10,10 +10,21 @@ defmodule Mix.Tasks.Secrex.Encrypt do
   @shortdoc "Encrypts secrets to the configured files"
 
   @impl true
-  def run(_args) do
-    key = encryption_key()
+  def run(["--bucket", bucket]) do
+    bucket
+    |> String.to_atom()
+    |> encrypt()
+  end
+
+  @impl true
+  def run([]) do
+    Enum.map(buckets(), &encrypt/1)
+  end
+
+  defp encrypt(bucket) do
+    key = encryption_key(bucket)
 
-    for path <- secret_files() do
+    for path <- secret_files(bucket) do
       Mix.shell().info("Encrypting #{path}")
 
       {:ok, encrypted} = encrypt(path, key)

test/mix/tasks/secrex_test.exs

@@ -6,7 +6,11 @@ defmodule Mix.Tasks.SecrexTest do
   setup :clean_up_directory
 
   setup do
-    Application.put_env(:secrex, :key_file, "test/support/secret-key")
+    Application.put_env(:secrex, :buckets,
+      my_test: [key_file: "test/support/secret-key"],
+      my_dev: [key_file: "test/support/.dev.secret-key"]
+    )
+
     Application.delete_env(:secrex, :files)
     Application.delete_env(:secrex, :cipher)
   end
@@ -33,33 +37,74 @@ defmodule Mix.Tasks.SecrexTest do
 
   test "encrypts and decrypts secrets to the configured files" do
     plaintext = "this is a secret"
-    source_file = @secret_path <> Integer.to_string(System.system_time(:microsecond))
+    source_file_test = @secret_path <> Integer.to_string(System.system_time(:microsecond))
+    source_file_dev = source_file_test <> "dev"
 
-    File.mkdir!(@secret_path)
-    File.write!(source_file, plaintext)
+    File.write!(source_file_dev, plaintext)
+
+    updated_test_bucket = put_files(:my_test, [source_file_test])
+    updated_dev_bucket = put_files(:my_dev, [source_file_dev])
+
+    buckets =
+      :secrex
+      |> Application.get_env(:buckets)
+      |> Keyword.put(:my_test, updated_test_bucket)
+      |> Keyword.put(:my_dev, updated_dev_bucket)
+
+    Application.put_env(:secrex, :buckets, buckets)
+
+    output =
+      capture_io(fn ->
+        Mix.Tasks.Secrex.Encrypt.run(["--bucket", "my_dev"])
+      end)
+
+    assert output =~ "Encrypting #{source_file_dev}"
+    assert output =~ "Files have been encrypted"
 
-    Application.put_env(:secrex, :files, [source_file])
+    File.rm!(source_file_dev)
+    assert File.read!(source_file_dev <> ".enc") != plaintext
+
+    output =
+      capture_io(fn ->
+        Mix.Tasks.Secrex.Decrypt.run(["--bucket", "my_dev"])
+      end)
+
+    assert output =~ "Decrypting #{source_file_dev}"
+    assert output =~ "Files have been decrypted"
+
+    assert File.read!(source_file_dev) == plaintext
+
+    dev_secret_path = Application.get_env(:secrex, :buckets)[:my_dev][:key_file]
+    dev_secret = File.read!(dev_secret_path)
+    File.rm!(dev_secret_path)
+
+    assert_raise File.Error, fn -> Mix.Tasks.Secrex.Decrypt.run(["--bucket", "my_dev"]) end
+
+    File.write!(dev_secret_path, dev_secret)
+
+    File.mkdir!(@secret_path)
+    File.write!(source_file_test, plaintext)
 
     output =
       capture_io(fn ->
         Mix.Tasks.Secrex.Encrypt.run([])
       end)
 
-    assert output =~ "Encrypting #{source_file}"
+    assert output =~ "Encrypting #{source_file_test}"
     assert output =~ "Files have been encrypted"
 
-    File.rm!(source_file)
-    assert File.read!(source_file <> ".enc") != plaintext
+    File.rm!(source_file_test)
+    assert File.read!(source_file_test <> ".enc") != plaintext
 
     output =
       capture_io(fn ->
         Mix.Tasks.Secrex.Decrypt.run([])
       end)
 
-    assert output =~ "Decrypting #{source_file}"
+    assert output =~ "Decrypting #{source_file_test}"
     assert output =~ "Files have been decrypted"
 
-    assert File.read!(source_file) == plaintext
+    assert File.read!(source_file_test) == plaintext
   end
 
   test "uses configured cipher" do
@@ -69,7 +114,9 @@ defmodule Mix.Tasks.SecrexTest do
     File.mkdir!(@secret_path)
     File.write!(source_file, plaintext)
 
-    Application.put_env(:secrex, :files, [source_file])
+    updated_bucket = put_files(:my_test, [source_file])
+
+    Application.put_env(:secrex, :buckets, my_test: updated_bucket)
     Application.put_env(:secrex, :cipher, PlaintextCipher)
 
     capture_io(fn -> Mix.Tasks.Secrex.Encrypt.run([]) end)
@@ -93,8 +140,43 @@ defmodule Mix.Tasks.SecrexTest do
     assert output =~ "Files have been decrypted"
   end
 
+  test "checks if decrypted files are in sync with the encrypted ones" do
+    plaintext = "this is a secret"
+    source_file = @secret_path <> Integer.to_string(System.system_time(:microsecond))
+
+    File.write!(source_file, plaintext)
+
+    updated_bucket = put_files(:my_test, [source_file])
+
+    Application.put_env(:secrex, :buckets, my_test: updated_bucket)
+
+    output =
+      capture_io(fn ->
+        Mix.Tasks.Secrex.Encrypt.run(["--bucket", "my_test"])
+      end)
+
+    assert output =~ "Encrypting #{source_file}"
+    assert output =~ "Files have been encrypted"
+
+    assert Mix.Secrex.secret_files_changed?(:my_test) == false
+    assert Mix.Secrex.secret_files_changed?() == false
+
+    File.write!(source_file, plaintext <> "secrets_changed")
+
+    assert Mix.Secrex.secret_files_changed?(:my_test)
+    assert Mix.Secrex.secret_files_changed?()
+
+    File.rm!(source_file)
+  end
+
   defp clean_up_directory(_) do
     File.rm_rf!(@secret_path)
     :ok
   end
+
+  defp put_files(bucket, files) do
+    Application.get_env(:secrex, :buckets)
+    |> Keyword.get(bucket, [])
+    |> Keyword.put(:files, files)
+  end
 end

test/support/.dev.secret-key

@@ -0,0 +1 @@
+0987654321