feat: 🎸 encrypt support PYE_ENCRYPT_KEY envvar

Author: ZhaoQi99

README.md

@@ -66,7 +66,7 @@ Options:
   -i, --in-place                  make changes to files in place
   -k, --key 🔑                     Your encryption key.If you don‘t specify
                                   key, pyencrypt will generate encryption key
-                                  randomly.
+                                  randomly.  [env var: PYE_ENCRYPT_KEY]
   --with-license                  Add license to encrypted file
   -m, --bind-mac 01:23:45:67:89:AB
                                   Bind mac address to encrypted file

examples/django/Dockerfile

@@ -20,7 +20,10 @@ COPY . /root/demo/
 RUN python manage.py collectstatic --noinput
 
 # --- Encryption ---
-RUN pip install git+https://github.com/ZhaoQi99/pyencrypt-pye.git
+ARG ENCRYPT_KEY
+ENV PYE_ENCRYPT_KEY=$ENCRYPT_KEY
+
+RUN pip install pyencrypt-pye
 RUN pyencrypt encrypt --in-place --yes .
 RUN cp encrypted/loader*.so .
 RUN rm -rf encrypted build/

examples/django/README.md

@@ -7,6 +7,13 @@ This example shows how to use `pyencrypt` with Django.
 docker compose up -d
 ```
 
+## Build image
+```shell
+docker build -f Dockerfile -t demo:v1.0 .
+docker build -f Dockerfile -t demo:v1.0 --build-arg ENCRYPT_KEY=YOUR_FIXED_KEY .
+docker save demo:v1.0| gzip > demo:v1.0_v1.0.tar.gz
+```
+
 ## Test
 * runserver: `curl http://127.0.0.1:8001/account/login/?username=admin&password=admin`
 * gunicorn: `curl http://127.0.0.1:8002/account/login/?username=admin&password=admin`

pyencrypt/cli.py

@@ -7,6 +7,7 @@
 from pathlib import Path
 
 import click
+from click.core import ParameterSource  # click>=8
 
 from pyencrypt import __description__, __version__
 from pyencrypt.decrypt import decrypt_file
@@ -69,6 +70,8 @@
 
 DATETIME_FORMATS = ["%Y-%m-%dT%H:%M:%S %z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"]
 
+ENVVAR_PREFIX = "PYE_ENCRYPT"
+
 
 class KeyParamType(click.ParamType):
     name = "key"
@@ -77,6 +80,17 @@ def _check_key(self, key: str) -> bool:
         return not (len(key) % 4 or len(base64.b64decode(key)) % 16)
 
     def convert(self, value, param, ctx) -> str:
+        if ctx.get_parameter_source(param.name) == ParameterSource.ENVIRONMENT:
+            visible_chars = 4
+            masked = (
+                value[:visible_chars]
+                + "*" * (len(value) - 2 * visible_chars)
+                + value[-visible_chars:]
+            )
+            click.echo(
+                f'Using encryption key 🔑 {click.style(masked, fg="yellow")} from environment variable {click.style(param.envvar, fg="bright_cyan")}.'
+            )
+
         value = click.STRING.convert(value, param, ctx)
         if not self._check_key(value):
             self.fail(INVALID_KEY_MSG, param, ctx)
@@ -147,7 +161,13 @@ def cli():
     is_flag=True,
 )
 @click.option(
-    "-k", "--key", default=None, help=KEY_OPTION_HELP, type=CustomParamType.KEY
+    "-k",
+    "--key",
+    default=None,
+    help=KEY_OPTION_HELP,
+    type=CustomParamType.KEY,
+    envvar=f"{ENVVAR_PREFIX}_KEY",
+    show_envvar=True,
 )
 @click.option(
     "--with-license", default=False, help="Add license to encrypted file", is_flag=True

setup.cfg

@@ -35,7 +35,7 @@ install_requires =
     Cython >= 0.29.30
     pycryptodome >= 3.14.1
     python-minifier >= 2.6.0; python_version < '3.14'
-    click
+    click >= 8.0.0
     setuptools >= 66.1.0; python_version >= '3.12'
     setuptools <= 60.9.0; python_version < '3.12'
 python_requires = >=3.6,<3.14