Enables secure storage of credentials right in your repo using AWS KMS.

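'use strict';

/*
 * vinz KMS helpers.
 *
 * Resolves the KMS key behind the "alias/vinz" alias, encrypts/decrypts secret
 * values with it (always under the fixed ENCRYPTION_CONTEXT from ../constants),
 * and moves ciphertext to/from the secrets directory through ./io.
 *
 * The functions declared with `function` use `this` and are meant to be called
 * as methods of the default export (e.g. vinz.encryptAndStore(...));
 * `this.vinzKeyArn` caches the alias lookup for the life of the process.
 */

Object.defineProperty(exports, "__esModule", { value: true });

var _io = require('./io');
var _constants = require('../constants');

// Alias the tool expects to exist in the target account/region.
const VINZ_ALIAS = 'alias/vinz';

/**
 * Adapt an aws-sdk v2 callback-style call to a Promise.
 *
 * @param {(cb: (err: any, data: any) => void) => void} invoke - calls the SDK
 *   method, forwarding the supplied node-style callback.
 * @returns {Promise<any>} resolves with `data`, rejects with `err`.
 */
const promisify = (invoke) => new Promise((resolve, reject) => {
  invoke((err, data) => {
    if (err) {
      reject(err);
    } else {
      resolve(data);
    }
  });
});

/**
 * Collect every alias visible to the caller.
 *
 * KMS ListAliases is paginated (the response carries Truncated / NextMarker
 * and the default page size is small). The previous single call only saw the
 * first page, so an account with many aliases — AWS-managed `alias/aws/...`
 * entries count — could report that alias/vinz is missing although it exists.
 *
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @returns {Promise<object[]>} all AliasListEntry objects, in API order.
 */
const listAllAliases = (kmsClient) => {
  const collected = [];
  const fetchPage = (marker) => {
    const params = marker ? { Marker: marker } : {};
    return promisify((cb) => kmsClient.listAliases(params, cb)).then((data) => {
      collected.push(...(data.Aliases || []));
      if (data.Truncated && data.NextMarker) {
        return fetchPage(data.NextMarker);
      }
      return collected;
    });
  };
  return fetchPage(undefined);
};

/**
 * Resolve (and cache on `this`) the ARN of the alias/vinz alias.
 *
 * @this {object} the exported helper object; reads/writes `this.vinzKeyArn`.
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @returns {Promise<string>} the AliasArn of alias/vinz.
 * @throws {Error} (as a rejection) when no alias named alias/vinz exists; SDK
 *   errors from ListAliases are propagated unchanged.
 */
const getVinzKeyArn = function getVinzKeyArn(kmsClient) {
  if (this.vinzKeyArn) {
    return Promise.resolve(this.vinzKeyArn);
  }
  return listAllAliases(kmsClient).then((aliases) => {
    const match = aliases.find((alias) => alias.AliasName === VINZ_ALIAS);
    if (!match) {
      throw new Error('No KMS key named "vinz". For more info on setup. see the readme.');
    }
    this.vinzKeyArn = match.AliasArn;
    return this.vinzKeyArn;
  });
};

/**
 * Encrypt one secret value under the given key with the fixed encryption
 * context.
 *
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @param {string} keyArn - KeyId passed to KMS Encrypt (the alias ARN).
 * @param {string|Buffer} secretValue - plaintext; KMS Encrypt caps this at
 *   4096 bytes, larger values are rejected by the service.
 * @returns {Promise<Buffer>} the CiphertextBlob.
 */
const encryptData = (kmsClient, keyArn, secretValue) => {
  const params = {
    KeyId: keyArn,
    Plaintext: secretValue,
    EncryptionContext: _constants.ENCRYPTION_CONTEXT
  };
  return promisify((cb) => kmsClient.encrypt(params, cb))
    .then((data) => data.CiphertextBlob);
};

/**
 * Decrypt a ciphertext blob and return the plaintext as a UTF-8 string.
 *
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @param {string} keyArn - currently unused, see note below; kept for
 *   interface compatibility with callers and with encryptData.
 * @param {Buffer} buffer - the CiphertextBlob as read from the secrets dir.
 * @returns {Promise<string>} decrypted plaintext.
 */
const decryptData = (kmsClient, keyArn, buffer) => {
  // NOTE(review): keyArn is not sent to KMS. Decrypt infers the key from the
  // ciphertext, so any blob the caller's credentials can decrypt is accepted,
  // not only one produced under alias/vinz; the fixed EncryptionContext is
  // the only binding. Newer aws-sdk releases accept `KeyId: keyArn` on
  // Decrypt, which would pin the key — adopt it once the minimum supported
  // SDK version is confirmed (older SDKs reject the unknown parameter).
  const params = {
    CiphertextBlob: buffer,
    EncryptionContext: _constants.ENCRYPTION_CONTEXT
  };
  return promisify((cb) => kmsClient.decrypt(params, cb))
    .then((data) => data.Plaintext.toString('utf8'));
};

/**
 * Encrypt `secretValue` under alias/vinz and write the ciphertext to
 * ./<SECRET_DIR_NAME>/<secretName> via io.writeToFile.
 *
 * Errors are logged with console.error and swallowed: the returned promise
 * resolves (with undefined) even when encryption or the write failed. This is
 * the existing contract; callers that need to know about failure must not rely
 * on rejection.
 *
 * @this {object} the exported helper object.
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @param {string} secretName - file name under the secrets dir. NOTE(review):
 *   used as a path component; if it can come from untrusted input, confirm
 *   that io.writeToFile rejects separators / `..`.
 * @param {string|Buffer} secretValue - plaintext to protect.
 * @returns {Promise<void>}
 */
const encryptAndStore = function encryptAndStore(kmsClient, secretName, secretValue) {
  return this.getVinzKeyArn(kmsClient)
    .then((keyArn) => this.encryptData(kmsClient, keyArn, secretValue))
    .then((ciphertext) => (0, _io.writeToFile)(secretName, ciphertext))
    .then(() => {
      console.log(`./${ _constants.SECRET_DIR_NAME }/${ secretName } encrypted and saved.`);
    })
    .catch((err) => {
      console.error(err);
    });
};

/**
 * Read ./<SECRET_DIR_NAME>/<secretName> via io.readFromFile and decrypt it.
 *
 * The alias lookup and the file read run concurrently. As with
 * encryptAndStore, failures are logged and swallowed: the promise then
 * resolves with undefined instead of the secret, so callers must check the
 * result before using it.
 *
 * @this {object} the exported helper object.
 * @param {AWS.KMS} kmsClient - aws-sdk v2 KMS client.
 * @param {string} secretName - file name under the secrets dir.
 * @returns {Promise<string|undefined>} plaintext, or undefined on any error.
 */
const retrieveAndDecrypt = function retrieveAndDecrypt(kmsClient, secretName) {
  const arnPromise = this.getVinzKeyArn(kmsClient);
  const bufferPromise = (0, _io.readFromFile)(secretName);
  return Promise.all([arnPromise, bufferPromise])
    .then(([keyArn, buffer]) => this.decryptData(kmsClient, keyArn, buffer))
    .catch((err) => {
      // console.error returns undefined, which becomes the resolved value.
      return console.error(err);
    });
};

exports.default = {
  getVinzKeyArn: getVinzKeyArn,
  encryptData: encryptData,
  encryptAndStore: encryptAndStore,
  decryptData: decryptData,
  retrieveAndDecrypt: retrieveAndDecrypt
};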