feat(ncu-config): add support for partially encrypted config files

Author: aduh95

bin/ncu-config.js

@@ -1,22 +1,31 @@
 #!/usr/bin/env node
 
+import * as readline from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 
 import {
   getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG
 } from '../lib/config.js';
 import { setVerbosityFromEnv } from '../lib/verbosity.js';
+import { runSync } from '../lib/run.js';
 
 setVerbosityFromEnv();
 
 const args = yargs(hideBin(process.argv))
   .completion('completion')
   .command({
-    command: 'set <key> <value>',
+    command: 'set <key> [<value>]',
     desc: 'Set a config variable',
     builder: (yargs) => {
       yargs
+        .option('encrypt', {
+          describe: 'Store the value encrypted using gpg',
+          alias: 'x',
+          type: 'boolean'
+        })
         .positional('key', {
           describe: 'key of the configuration',
           type: 'string'
@@ -61,8 +70,6 @@ const args = yargs(hideBin(process.argv))
   .conflicts('global', 'project')
   .help();
 
-const argv = args.parse();
-
 function getConfigType(argv) {
   if (argv.global) {
     return { configName: 'global', configType: GLOBAL_CONFIG };
@@ -73,9 +80,21 @@ function getConfigType(argv) {
   return { configName: 'local', configType: LOCAL_CONFIG };
 }
 
-function setHandler(argv) {
+async function setHandler(argv) {
   const { configName, configType } = getConfigType(argv);
   const config = getConfig(configType);
+  if (!argv.value) {
+    const rl = readline.createInterface({ input, output });
+    argv.value = await rl.question('What value do you want to set? ');
+    rl.close();
+  } else if (argv.encrypt) {
+    console.warn('Passing sensitive config value via the shell is discouraged');
+  }
+  if (argv.encrypt) {
+    argv.value = runSync('gpg', ['--default-recipient-self', '--encrypt', '--armor'], {
+      input: argv.value
+    });
+  }
   console.log(
     `Updating ${configName} configuration ` +
     `[${argv.key}]: ${config[argv.key]} -> ${argv.value}`);
@@ -96,6 +115,8 @@ function listHandler(argv) {
   }
 }
 
+const argv = await args.parse();
+
 if (!['get', 'set', 'list'].includes(argv._[0])) {
   args.showHelp();
 }

lib/config.js

@@ -4,6 +4,7 @@ import os from 'node:os';
 import { readJson, writeJson } from './file.js';
 import { existsSync, mkdtempSync, rmSync } from 'node:fs';
 import { spawnSync } from 'node:child_process';
+import { runSync } from './run.js';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -32,6 +33,33 @@ export function clearCachedConfig() {
   mergedConfig = null;
 }
 
+function setOwnProperty(target, key, value) {
+  return Object.defineProperty(target, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value
+  });
+}
+function addEncryptedPropertyGetter(target, key, input) {
+  if (input.startsWith('-----BEGIN PGP MESSAGE-----\n')) {
+    return Object.defineProperty(target, key, {
+      __proto__: null,
+      configurable: true,
+      get() {
+        console.warn(`The config value for ${key} is encrypted, spawning gpg to decrypt it...`);
+        const value = runSync('gpg', ['--decrypt'], { input });
+        setOwnProperty(target, key, value);
+        return value;
+      },
+      set(newValue) {
+        addEncryptedPropertyGetter(target, key, newValue) ||
+            setOwnProperty(target, key, newValue);
+      }
+    });
+  }
+}
+
 export function getConfig(configType, dir) {
   const configPath = getConfigPath(configType, dir);
   const encryptedConfigPath = configPath + '.gpg';
@@ -44,7 +72,11 @@ export function getConfig(configType, dir) {
     }
   }
   try {
-    return readJson(configPath);
+    const json = readJson(configPath);
+    for (const [key, val] of Object.entries(json)) {
+      addEncryptedPropertyGetter(json, key, val);
+    }
+    return json;
   } catch (cause) {
     throw new Error('Unable to parse config file ' + configPath, { cause });
   }