package chezmoi
import (
"os"
"os/exec"
"runtime"
"github.com/rs/zerolog/log"
"github.com/twpayne/chezmoi/v2/internal/chezmoilog"
)
// A GPGEncryption uses gpg for encryption and decryption. See https://gnupg.org/.
//
// Every operation shells out to Command (see run) and stages gpg's input
// and/or output files in a private temporary directory (see
// withPrivateTempDir). Decrypt and Encrypt stage the plaintext itself in that
// directory, so for the duration of those calls the plaintext transiently
// exists on disk under os.TempDir.
type GPGEncryption struct {
	// Command is the gpg executable to run. It is handed to exec.Command, so
	// a bare name such as "gpg" is resolved through PATH.
	Command string
	// Args are extra arguments spliced, unvalidated, into every gpg command
	// line (see decryptArgs and encryptArgs). They are trusted configuration,
	// not untrusted input.
	Args []string
	// Recipient, when non-empty and Symmetric is false, is passed to gpg as
	// --recipient when encrypting. It is ignored when Symmetric is true.
	Recipient string
	// Symmetric selects passphrase-based encryption (gpg --symmetric) instead
	// of public-key encryption (gpg --encrypt).
	Symmetric bool
	// Suffix is returned verbatim by EncryptedSuffix and is appended to the
	// name of the scratch ciphertext file handed to gpg.
	Suffix string
}
// Decrypt implements Encryption.Decrypt.
//
// gpg works on files, so the ciphertext is written (owner-only) to a scratch
// file inside a private temporary directory, gpg is asked to decrypt it into
// a sibling "plaintext" file, and that file is read back into memory. The
// directory, and with it both scratch files, is removed by withPrivateTempDir
// when the closure returns, whether or not gpg succeeded. Note that the
// plaintext does touch the filesystem (under os.TempDir) for the lifetime of
// the call.
func (e *GPGEncryption) Decrypt(ciphertext []byte) ([]byte, error) {
	var result []byte
	decryptInTempDir := func(dir AbsPath) error {
		encryptedPath := dir.Join(RelPath("ciphertext" + e.EncryptedSuffix()))
		// 0o600 is belt and braces: the directory is already 0o700 on
		// non-Windows systems.
		if err := os.WriteFile(string(encryptedPath), ciphertext, 0o600); err != nil {
			return err
		}
		decryptedPath := dir.Join("plaintext")
		if err := e.run(e.decryptArgs(decryptedPath, encryptedPath)); err != nil {
			return err
		}
		data, err := os.ReadFile(string(decryptedPath))
		if err != nil {
			return err
		}
		result = data
		return nil
	}
	if err := withPrivateTempDir(decryptInTempDir); err != nil {
		return nil, err
	}
	return result, nil
}
// DecryptToFile implements Encryption.DecryptToFile.
//
// The ciphertext is staged (owner-only) in a private temporary directory and
// gpg writes the decrypted result straight to plaintextFilename via --output,
// so the plaintext never passes through this process. Whether an existing
// file at plaintextFilename is overwritten is left to gpg; since gpg inherits
// this process's stdin (see run) it may prompt the user about that.
func (e *GPGEncryption) DecryptToFile(plaintextFilename AbsPath, ciphertext []byte) error {
	stageAndDecrypt := func(dir AbsPath) error {
		encryptedPath := dir.Join(RelPath("ciphertext" + e.EncryptedSuffix()))
		if err := os.WriteFile(string(encryptedPath), ciphertext, 0o600); err != nil {
			return err
		}
		return e.run(e.decryptArgs(plaintextFilename, encryptedPath))
	}
	return withPrivateTempDir(stageAndDecrypt)
}
// Encrypt implements Encryption.Encrypt.
//
// The plaintext is written (owner-only) to a scratch file in a private
// temporary directory, gpg encrypts it to a sibling ciphertext file named
// with EncryptedSuffix, and the ASCII-armored result (see encryptArgs) is
// read back. Both scratch files disappear with the directory when the
// closure returns, so the plaintext is on disk only for the duration of the
// call.
func (e *GPGEncryption) Encrypt(plaintext []byte) ([]byte, error) {
	var result []byte
	encryptInTempDir := func(dir AbsPath) error {
		clearPath := dir.Join("plaintext")
		if err := os.WriteFile(string(clearPath), plaintext, 0o600); err != nil {
			return err
		}
		encryptedPath := dir.Join(RelPath("ciphertext" + e.EncryptedSuffix()))
		if err := e.run(e.encryptArgs(clearPath, encryptedPath)); err != nil {
			return err
		}
		data, err := os.ReadFile(string(encryptedPath))
		if err != nil {
			return err
		}
		result = data
		return nil
	}
	if err := withPrivateTempDir(encryptInTempDir); err != nil {
		return nil, err
	}
	return result, nil
}
// EncryptFile implements Encryption.EncryptFile.
//
// Like Encrypt, but gpg reads the plaintext directly from plaintextFilename,
// so only the ciphertext scratch file is staged in the private temporary
// directory; the plaintext is never copied and the input file is left
// untouched by this code. The armored ciphertext is read back and returned.
func (e *GPGEncryption) EncryptFile(plaintextFilename AbsPath) ([]byte, error) {
	var result []byte
	encryptIntoTempDir := func(dir AbsPath) error {
		encryptedPath := dir.Join(RelPath("ciphertext" + e.EncryptedSuffix()))
		if err := e.run(e.encryptArgs(plaintextFilename, encryptedPath)); err != nil {
			return err
		}
		data, err := os.ReadFile(string(encryptedPath))
		if err != nil {
			return err
		}
		result = data
		return nil
	}
	if err := withPrivateTempDir(encryptIntoTempDir); err != nil {
		return nil, err
	}
	return result, nil
}
// EncryptedSuffix implements Encryption.EncryptedSuffix.
//
// It returns the configured Suffix verbatim: no default is applied, so an
// empty Suffix yields an empty string and the scratch ciphertext files are
// then named plainly "ciphertext".
func (e *GPGEncryption) EncryptedSuffix() string {
	suffix := e.Suffix
	return suffix
}
// decryptArgs builds the gpg command line that decrypts ciphertextFilename
// into plaintextFilename.
//
// Argument order is "--output <plaintext>", then the user-supplied Args, then
// "--decrypt <ciphertext>". Args is spliced in without validation and is
// therefore trusted configuration; an entry such as a second --output would
// presumably override the one set here. Both filenames are AbsPath values,
// which (assuming the type's name holds) start with a path separator and so
// cannot be mistaken by gpg for options.
func (e *GPGEncryption) decryptArgs(plaintextFilename, ciphertextFilename AbsPath) []string {
	leading := []string{"--output", string(plaintextFilename)}
	trailing := []string{"--decrypt", string(ciphertextFilename)}
	return append(append(leading, e.Args...), trailing...)
}
// encryptArgs builds the gpg command line that encrypts plaintextFilename
// into ciphertextFilename. The output is always ASCII-armored (--armor).
//
// Mode selection:
//   - Symmetric: "--symmetric" (passphrase-based) is passed and "--encrypt"
//     is deliberately left out, because gpg treats "--symmetric --encrypt"
//     as a request to do both.
//   - otherwise: "--recipient <Recipient>" is added when Recipient is set,
//     and "--encrypt" always follows. With an empty Recipient, who the data
//     is encrypted to is left to gpg's own configuration or prompting.
//
// Recipient is ignored whenever Symmetric is true. The user-supplied Args are
// spliced in, unvalidated, after the mode flag and before "--encrypt"; they
// are trusted configuration.
func (e *GPGEncryption) encryptArgs(plaintextFilename, ciphertextFilename AbsPath) []string {
	// Fixed arguments never exceed seven entries; size once to avoid regrowth.
	args := make([]string, 0, 7+len(e.Args))
	args = append(args, "--armor", "--output", string(ciphertextFilename))
	switch {
	case e.Symmetric:
		args = append(args, "--symmetric")
	case e.Recipient != "":
		args = append(args, "--recipient", e.Recipient)
	}
	args = append(args, e.Args...)
	if !e.Symmetric {
		args = append(args, "--encrypt")
	}
	return append(args, string(plaintextFilename))
}
// run executes e.Command with args and returns the error from the run.
//
// The child's stdin, stdout and stderr are wired to this process's own so
// that gpg can interact with the user (passphrase or confirmation prompts)
// and its diagnostics reach the terminal; all data exchange happens through
// the files named in args, not through the pipes. The invocation is run and
// logged via chezmoilog.LogCmdRun.
//
// gosec's "subprocess launched with variable" finding is suppressed: Command
// and Args are fields of this struct, populated by chezmoi's configuration
// (not visible here), not by untrusted input. exec.Command resolves a bare
// command name through PATH.
func (e *GPGEncryption) run(args []string) error {
	cmd := exec.Command(e.Command, args...) //nolint:gosec
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	return chezmoilog.LogCmdRun(log.Logger, cmd)
}
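// withPrivateTempDir creates a private temporary directory, calls f with its
// absolute path, and removes the directory together with everything f or the
// gpg subprocess left in it once f returns.
//
// The directory holds gpg's plaintext and ciphertext scratch files, so it is
// made owner-only (0o700) on non-Windows systems. On Windows os.Chmod only
// toggles the read-only attribute, so the chmod is skipped and the directory
// keeps whatever ACL os.MkdirTemp gave it (normally inherited from the user's
// temp directory).
//
// Unlike a bare deferred os.RemoveAll, a cleanup failure is reported to the
// caller: silently leaving plaintext behind in the temp directory is worse
// than a visible error. If both f and the removal fail, f's error wins.
func withPrivateTempDir(f func(tempDirAbsPath AbsPath) error) (err error) {
	tempDir, err := os.MkdirTemp("", "chezmoi-encryption")
	if err != nil {
		return err
	}
	defer func() {
		if removeErr := os.RemoveAll(tempDir); removeErr != nil && err == nil {
			err = removeErr
		}
	}()
	if runtime.GOOS != "windows" {
		if chmodErr := os.Chmod(tempDir, 0o700); chmodErr != nil {
			return chmodErr
		}
	}
	return f(AbsPath(tempDir))
}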