Store client and cipher in comitted file

This can help with debugging + compatilibty issues as the library evolves

Author: marcqualie

lib/diffcrypt/encryptor.rb

@@ -24,7 +24,7 @@ def initialize(key)
     # @param [String] contents The raw YAML string to be encrypted
     def decrypt(contents)
       yaml = YAML.safe_load contents
-      decrypted = decrypt_hash yaml
+      decrypted = decrypt_hash yaml['data']
       YAML.dump decrypted
     end
 
@@ -43,11 +43,23 @@ def decrypt_hash(data)
 
     # @param [String] contents The raw YAML string to be encrypted
     # @param [String, nil] original_encrypted_contents The original (encrypted) content to determine which keys have changed
+    # @return [String]
     def encrypt(contents, original_encrypted_contents = nil)
+      data = encrypt_data contents, original_encrypted_contents
+      YAML.dump(
+        'client' => "diffcrypt-#{Diffcrypt::VERSION}",
+        'cipher' => CIPHER,
+        'data' => data,
+      )
+    end
+
+    # @param [String] contents The raw YAML string to be encrypted
+    # @param [String, nil] original_encrypted_contents The original (encrypted) content to determine which keys have changed
+    # @return [Hash] Encrypted hash containing the data
+    def encrypt_data(contents, original_encrypted_contents = nil)
       yaml = YAML.safe_load contents
-      original_yaml = original_encrypted_contents ? YAML.safe_load(original_encrypted_contents) : nil
-      encrypted = encrypt_values yaml, original_yaml
-      YAML.dump encrypted
+      original_yaml = original_encrypted_contents ? YAML.safe_load(original_encrypted_contents)['data'] : nil
+      encrypt_values yaml, original_yaml
     end
 
     # @param [String] value Plain text string that needs encrypting

test/diffcrypt/encryptor_test.rb

@@ -5,12 +5,19 @@
 # Since the encrypted values use openssl and are non-deterministic, we can never know the
 # actual value to test against. All we can do is ensure the value is in the correct format
 # for the encrypted content, which verifies it's not in the original state
-ENCRYPTED_VALUE_PATTERN = %('?([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)'?)
+ENCRYPTED_VALUE_PATTERN = %(['"]?([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)\-\-([a-z0-9A-Z=/+]+)['"]?)
 
 class Diffcrypt::EncryptorTest < Minitest::Test
+  def test_it_includes_client_info_at_root
+    content = "---\nkey: value"
+    expected_pattern = /---\nclient: diffcrypt-#{Diffcrypt::VERSION}\ncipher: #{Diffcrypt::Encryptor::CIPHER}\ndata:\n  key: #{ENCRYPTED_VALUE_PATTERN}\n/
+    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt(content)
+  end
+
   def test_it_decrypts_root_values
     encrypted_content = <<~CONTENT
-      secret_key_base: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==
+      data:
+        secret_key_base: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==
     CONTENT
     expected = <<~CONTENT
       ---
@@ -27,14 +34,15 @@ def test_it_encrypts_root_values
     CONTENT
     expected_pattern = /---\nsecret_key_base: #{ENCRYPTED_VALUE_PATTERN}\n/
 
-    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt(content)
+    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt_data(content).to_yaml
   end
 
   def test_it_decrypts_nested_structures
     encrypted_content = <<~CONTENT
-      secret_key_base: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==
-      aws:
-        access_key_id: Ot/uCTEL+8kp61EPctnxNlg=--Be6sg7OdvjZlfxgR--7qRbbf0lA4VgjnUGUrrFwg==
+      data:
+        secret_key_base: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==
+        aws:
+          access_key_id: Ot/uCTEL+8kp61EPctnxNlg=--Be6sg7OdvjZlfxgR--7qRbbf0lA4VgjnUGUrrFwg==
     CONTENT
     expected = <<~CONTENT
       ---
@@ -55,16 +63,16 @@ def test_it_encrypts_nested_structures
     CONTENT
     expected_pattern = /---\nsecret_key_base: #{ENCRYPTED_VALUE_PATTERN}\naws:\n  access_key_id: #{ENCRYPTED_VALUE_PATTERN}\n/
 
-    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt(content)
+    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt_data(content).to_yaml
   end
 
   # Verifies that a change to one key does not cause the encrypted values for other keys to be recomputed
   # Mainly used in conjunction with rails credentials editor
   def test_it_only_updates_changed_values
-    original_encrypted_content = "---\nsecret_key_base_1: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==\naws:\n  secret_access_key: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==\n"
+    original_encrypted_content = "---\ndata:\n  secret_key_base_1: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==\naws:\n    secret_access_key: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==\n"
     updated_content = "---\nsecret_key_base_1: secret_key_base_test\naws:\n  secret_access_key: secret_access_key_2"
     expected_pattern = /---\nsecret_key_base_1: 88Ry6HESUoXBr6QUFXmni9zzfCIYt9qGNFvIWFcN--4xoecI5mqbNRBibI--62qPJbkzzh5h8lhFEFOSaQ==\naws:\n  secret_access_key: #{ENCRYPTED_VALUE_PATTERN}\n/
 
-    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt(updated_content, original_encrypted_content)
+    assert_match expected_pattern, Diffcrypt::Encryptor.new(TEST_KEY).encrypt_data(updated_content, original_encrypted_content).to_yaml
   end
 end

test/fixtures/example.yml.enc

@@ -1,4 +1,7 @@
 ---
-secret_key_base: q/nKM+MSI0IAUUGTxn336uQDgDXbJxDu6GNI3vlL--I6DThmOJBJYK6SDZ--8wmyBE0O3tGtiZK8gw69Bg==
-aws:
-  access_key_id: HEnbrD9fiNclsf2hFNAyPw==--hbJkPko9OV1QXxAq--zEkhplu33aZ9a5YCPs6mlg==
+client: diffcrypt-0.1.1
+cipher: aes-128-gcm
+data:
+  secret_key_base: q/nKM+MSI0IAUUGTxn336uQDgDXbJxDu6GNI3vlL--I6DThmOJBJYK6SDZ--8wmyBE0O3tGtiZK8gw69Bg==
+  aws:
+    access_key_id: HEnbrD9fiNclsf2hFNAyPw==--hbJkPko9OV1QXxAq--zEkhplu33aZ9a5YCPs6mlg==