Lock credentials file while editing, dont generate new encrypted file if no file changes

Author: dsa0x

Readme.md

@@ -2,7 +2,7 @@
 
 Sicher is a Go implementation of the secret management system that was introduced in Ruby on Rails 6.
 
-Sicher is a go package that allows the safe storage of encrypted credentials in a version control system. The credentials can only be decrypted by a key file, and this key file is not added to the source control. The file is edited in a temp file on a local system and destroyed after each edit.
+Sicher is a go package that allows the secure storage of encrypted credentials in a version control system. The credentials can only be decrypted by a key file, and this key file is not added to the source control. The file is edited in a temp file on a local system and destroyed after each edit.
 
 Using sicher in a project creates a set of files
 

dev.enc

@@ -1 +1 @@
-cb3272c8a4437c24b70296e697b551a9aa972e244d682af20fd5d2d1a4f32c9b1a059a48caa0d8c08e52e59c4660f88ae4309d5a0e3e5e198a81974c7e4918fd7fdbfcf32e72f3d9af4a9fc1fe7ea56b9f7d2b315b4fbfe47d9d5fc698510322a9==--==090e8f04181739a0d57068d8
+5f990c89f9b5f406e2e6d3c641b6fea7efadd697e759f5b63f1cdfa6265f38d957eeb3==--==25a5bf6099052bf3b862e49f

filelock.go

@@ -0,0 +1,61 @@
+package sicher
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"time"
+
+	"golang.org/x/sys/unix"
+)
+
+type fileLock struct {
+	file *os.File
+}
+
+type FileCreator func() (*os.File, error)
+
+func newFileLock(file *os.File) *fileLock {
+	return &fileLock{file: file}
+}
+
+func (l *fileLock) Lock() bool {
+	if err := unix.Flock(int(l.file.Fd()), unix.LOCK_EX); err != nil {
+		log.Fatalf("file lock error: %v\n", err)
+		return false
+	}
+	return true
+}
+
+func (l *fileLock) Unlock() {
+	if err := unix.Flock(int(l.file.Fd()), unix.LOCK_UN); err != nil {
+		log.Fatalf("file unlock error: %v\n", err)
+	}
+}
+
+func (l *fileLock) Create(creator FileCreator) error {
+	f, err := creator()
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	l.file = f
+	l.Lock()
+	return nil
+}
+
+func (l *fileLock) LockWithTimeout(timeout time.Duration) {
+	ch := make(chan bool)
+	go func() {
+		ch <- l.Lock()
+	}()
+
+	select {
+	case <-time.After(timeout):
+		fmt.Printf("File is being edited in another terminal. Lock timeout after %v\n", timeout)
+		os.Exit(1)
+	case <-ch:
+		break
+	}
+}

go.mod

@@ -1,3 +1,5 @@
 module github.com/dsa0x/sicher
 
 go 1.17
+
+require golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e // indirect

go.sum

@@ -0,0 +1,2 @@
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

sicher.go

@@ -16,6 +16,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"regexp"
+	"time"
 )
 
 var delimiter = "==--=="
@@ -177,7 +178,7 @@ func (s *sicher) Edit(editor ...string) error {
 		if os.Getenv(masterKey) != "" {
 			key = []byte(os.Getenv(masterKey))
 		} else {
-			return fmt.Errorf("encryption key(%s.key) is not available. Create one by running the cli with init flag", s.Environment)
+			return fmt.Errorf("encryption key(%s.key) is not available. Provide a key file or enter one through the command line", s.Environment)
 		}
 	}
 	strKey := string(key)
@@ -189,6 +190,11 @@ func (s *sicher) Edit(editor ...string) error {
 	}
 	defer credFile.Close()
 
+	// lock file to enable only one edit at a time
+	credFileLock := newFileLock(credFile)
+	credFileLock.LockWithTimeout(time.Second * 10)
+	defer credFileLock.Unlock()
+
 	var buf bytes.Buffer
 	_, err = io.Copy(&buf, credFile)
 	if err != nil {
@@ -202,7 +208,6 @@ func (s *sicher) Edit(editor ...string) error {
 		return fmt.Errorf("error creating temp file %v", err)
 	}
 	defer f.Close()
-	f.Chmod(0600)
 	filePath := f.Name()
 	defer cleanUpFile(filePath)
 
@@ -212,8 +217,9 @@ func (s *sicher) Edit(editor ...string) error {
 		return fmt.Errorf("error decoding encryption file: %s", err)
 	}
 
+	var plaintext []byte
 	if nonce != nil && fileText != nil {
-		plaintext, err := decrypt(strKey, nonce, fileText)
+		plaintext, err = decrypt(strKey, nonce, fileText)
 		if err != nil {
 			return fmt.Errorf("error decrypting file: %s", err)
 		}
@@ -246,11 +252,16 @@ func (s *sicher) Edit(editor ...string) error {
 		return fmt.Errorf("error reading credentials file %v ", err)
 	}
 
+	// if no file changes, dont generate new encrypted file
+	if bytes.Equal(file, plaintext) {
+		fmt.Fprintf(stdOut, "No changes made.\n")
+		return nil
+	}
+
 	//encrypt and overwrite credentials file
 	// the encrypted file is encoded in hexadecimal format
 	nonce, encrypted, err := encrypt(strKey, file)
 	if err != nil {
-
 		return fmt.Errorf("error encrypting file: %s ", err)
 	}