
Commit 9d5e47a

Merge pull request #24 from gitbito/release/1.3.2
bito-cra.sh - encryption related changes
2 parents 570776e + 2f7e701 commit 9d5e47a

1 file changed

+43
-2
lines changed

1 file changed

+43
-2
lines changed

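--- a/cra-scripts/bito-cra.sh
+++ b/cra-scripts/bito-cra.sh
@@ -423,6 +423,7 @@ optional_params_server=(
 "code_context"
 "nexus_url"
 "cr_event_type"
+"encryption_key"
 )
 
 bee_params=(
@@ -575,21 +576,61 @@ for param in "${required_params[@]}" "${bee_params[@]}" "${optional_params[@]}";
 nexus_url=$(echo "${props[$param]}" | sed 's/^[ \t]*//;s/[ \t]*$//')
 elif [ "$param" == "cr_event_type" ]; then
 validate_cr_event_type "${props[$param]}"
+elif [ "$param" == "encryption_key" ]; then
+encryption_key_value=${props[$param]}
 else
 docker_cmd+=" --$param=${props[$param]}"
 fi
 
 fi
 done
 docker_cmd+=" --cr_event_type=${cr_event_type}"
-
 docker_cmd=$docker_init_cmd$docker_cmd
+docker_cmd+=' ${docker_enc_params}'
+
+# Function to encrypt text
+encrypt_git_secret() {
+local key=$1
+local plaintext=$2
+
+# Convert key to hex
+local hex_key=$(echo -n "$key" | xxd -p -c 256)
+
+# Generate IV (Initialization Vector)
+local iv=$(openssl rand -base64 16)
+iv="$(echo -n "$iv" | base64 -d | xxd -p -c 256)"
+
+# Encrypt plaintext
+local ciphertext=$(echo -n "$plaintext" | openssl enc -aes-256-cfb -a -K "$hex_key" -iv "$iv" -base64)
+
+# Concatenate IV and ciphertext and encode with base64
+local iv_ciphertext=$(echo -n "$iv")$(echo -n "$ciphertext")
+
+# Encode the concatenated result with base64
+local encrypted_text=$(echo -n "$iv_ciphertext" | tr -d '\n')
+
+echo "$encrypted_text"
+}
+
 param_bito_access_key="bito_cli.bito.access_key"
 param_git_access_token="git.access_token"
+param_encryption_key="encryption_key"
+docker_enc_params=
 if [ "$mode" == "server" ]; then
 if [ -n "${props[$param_bito_access_key]}" ] && [ -n "${props[$param_git_access_token]}" ]; then
 git_secret="${props[$param_bito_access_key]}@#~^${props[$param_git_access_token]}"
 
+if [ -n "${props[$param_encryption_key]}" ]; then
+encryption_key="${props[$param_encryption_key]}"
+if [[ ${#encryption_key} -eq 44 ]] && [[ $encryption_key =~ ^[A-Za-z0-9+/]{43}=$ ]]; then
+git_secret=$(encrypt_git_secret "$encryption_key" "$git_secret")
+docker_enc_params=" --git.secret=$git_secret --encryption_key=$encryption_key"
+else
+echo "Error: Encryption key must be a 44-character base64 string generated by openssl rand -base64 32."
+exit 1
+fi
+fi
+
 echo "Use below as Gitlab and Github Webhook secret:"
 echo "$git_secret"
 echo
@@ -622,7 +663,7 @@ fi
 
 
 if [ "$?" == 0 ]; then
-echo "Running command: $(eval echo $docker_cmd)"
+echo "Running command: $(echo eval $docker_cmd)"
 eval "$docker_cmd"
 
 if [ "$?" == 0 ] && [ "$mode" == "server" ]; then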
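Review bot: In encrypt_git_secret the value handed to `openssl enc -K` is the hex encoding of the 44-character base64 text itself (`echo -n "$key" | xxd -p`), not of the 32 bytes that text encodes, so the script supplies 44 bytes of ASCII where AES-256 takes 32; how openssl treats an over-long -K is not checked here, and the key material that actually reaches the cipher is drawn from the base64 alphabet rather than the full 256-bit value the "openssl rand -base64 32" hint in the error message suggests, so this needs confirming against whatever decrypts `--git.secret` before changing it, since a `base64 -d` step would alter the wire format. The IV round-trip `openssl rand -base64 16 | base64 -d | xxd -p` reduces to `iv=$(openssl rand -hex 16)`, and `-a` plus `-base64` on the enc line are the same flag twice — `-A` there would also make the later `tr -d '\n'` unnecessary. The `local x=$(…)` assignments mask a failing openssl (SC2155); declare and assign separately with `|| return` so an encryption failure does not silently produce an empty webhook secret. Note also that `docker_enc_params` places the ciphertext and the key on the same docker command line, so any observer of the container's arguments obtains both, and the validation error should go to stderr (`>&2`). The enclosing `for param` loop and the `if [ "$mode" == "server" ]` block both extend outside the hunk.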

0 commit comments

Comments
 (0)