CLI: Decrypt encrypted secrets before setting them in the environment

[rajdip-b]

Description

Secret decryption

Whenever the run command of the CLI receives a change in configuration, we set the value directly in the environmental variable of the child process and restart it.

We would like to check if the received configuration is encrypted or not. If yes, we would like to decrypt it first.

Graceful failure

Additionally, we would also like to add another optional field in init command to accept a --quit-on-decryption-failure boolean field. This would tell the CLI to stop the child process if the decryption fails. Otherwise, the child process would continue without setting the new value of the secret. By default, this would be false.

Solution

• Every configuration received has a isPlaintext field. If it is set to false, decrypt the secret.
• Use this function to decrypt the secret.
• If decryption fails:
  • If --quit-on-decryption-failure is not set, do a Logger.warn call and skip setting the environment.
  • If --quit-on-decryption-failure is set, do a Logger.error call and stop the child process.
• Update the configure command to accept --quit-on-decryption-failure
• Update the types in index.types.d.ts. We would want this configuration to reside in ProjectRootConfig
• Update the JSON file to store this field if it is specified.

[Dark-Kernel]

Hello @rajdip-b, I would like to give it a try and work on this issue.

[Dark-Kernel]

/attempt want

[github-actions[bot]]

Assigned the issue to @Dark-Kernel!

[Dark-Kernel]

Description

Secret decryption

Whenever the run command of the CLI receives a change in configuration, we set the value directly in the environmental variable of the child process and restart it.

Exactly in which configuration and changes?

[rajdip-b]

Howdy @Dark-Kernel! You can refer to these sections:

• https://github.com/keyshade-xyz/keyshade/blob/5512f8f15d54c7ac45f2ed013d37d19290184588/apps/cli/src/commands/run.command.ts#L103-L109
• https://github.com/keyshade-xyz/keyshade/blob/5512f8f15d54c7ac45f2ed013d37d19290184588/apps/cli/src/commands/run.command.ts#L175-L184

This tells you if the received config is in plaintext or not: https://github.com/keyshade-xyz/keyshade/blob/5512f8f15d54c7ac45f2ed013d37d19290184588/apps/cli/src/types/command/run.types.d.ts#L4

If it is not plaintext, you can decrypt it using the private key set in the command's context: https://github.com/keyshade-xyz/keyshade/blob/5512f8f15d54c7ac45f2ed013d37d19290184588/apps/cli/src/commands/run.command.ts#L70

You can duplicate this function to decrypt the data: https://github.com/keyshade-xyz/keyshade/blob/develop/apps/api/src/common/decrypt.ts

[MelloB1989]

Hey I am Kartik Deshmukh. I am one of the participants in the FOSS Hack. We want to contribute to this issue and I feel confident my contribution will help!

[Dark-Kernel]

Sorry @MelloB1989 but this issue is already taken by me.