blackbox/bin/blackbox_register_new_file

#!/usr/bin/env bash

#
# blackbox_register_new_file.sh -- Enroll a new file in the blackbox system.
#
# Takes a previously unencrypted file and enrolls it into the blackbox
# system.  It will be kept in the repo as an encrypted file.  On deployment
# to systems that need the plaintext (unencrypted) versions, run
# blackbox_postdeploy.sh to decrypt all the files.

# TODO(tlim): Add the unencrypted file to .hgignore

set -e
. _blackbox_common.sh
_determine_vcs_base_and_type

unencrypted_file=$(get_unencrypted_filename "$1")
encrypted_file=$(get_encrypted_filename "$1")

if [[ $1 == $encrypted_file ]]; then
  echo ERROR: Please only register unencrypted files.
  exit 1
fi

echo ========== PLAINFILE "$unencrypted_file"
echo ========== ENCRYPTED "$encrypted_file"

fail_if_not_exists "$unencrypted_file" "Please specify an existing file."
fail_if_exists "$encrypted_file" "Will not overwrite."

prepare_keychain
encrypt_file "$unencrypted_file" "$encrypted_file"
add_filename_to_cryptlist "$unencrypted_file"

# Is the unencrypted file already in HG? (ie. are we correcting a bad situation)
SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file})
echo "========== CREATED: ${encrypted_file}"
echo "========== UPDATING REPO:"
shred_file "$unencrypted_file"

VCSCMD=$(which_vcs)
if $SECRETSEXPOSED ; then
  vcs_remove "$unencrypted_file"
  vcs_add "$encrypted_file"
  COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
else
  COMMIT_FILES="$BB_FILES $encrypted_file"
fi

# TODO(tlim): This should be moved to _blackbox_common.sh in a
# VCS-independent way.
IGNOREFILE=".${VCS_TYPE}ignore"
if [[ $VCS_TYPE = 'git' ]]; then
  ignored_file="$(echo "$unencrypted_file" | sed 's/^\([!#]\)/\\\1/')"
  if ! grep -Fsx >/dev/null "$ignored_file" "$IGNOREFILE"; then
    echo "$ignored_file" >>"$IGNOREFILE"
    COMMIT_FILES="$COMMIT_FILES $IGNOREFILE"
  fi
  vcs_add "$IGNOREFILE"
fi

echo 'NOTE: "already tracked!" messages are safe to ignore.'
vcs_add $BB_FILES $encrypted_file
vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
echo "========== UPDATING VCS: DONE"
echo "Local repo updated.  Please push when ready."
echo "    $VCSCMD push"
* Initialization for new repos AUTOMATED. * Adding new users AUTOMATED. * Update docs for the new, more simplified installation processes. * Remove dependency on any particular paths, etc. Copy "bin" into a place along your path and everything should "just work". * Add support for Mercurial (not tested). * blackbox_addadmin now adds keys to the keyring for you. * Unified #! lines to "#!/usr/bin/env bash" so it works better on FreeBSD. * BUGFIX: (BugId#1) blackbox_update_all_files.sh expects hg, fails for git. * BUGFIX: (BugId#2) blackbox_postdeploy.sh assumes certain directory layout. * BUGFIX: Temporary files aren't deleted. * NEW FILE: bin/blackbox_initialize: Automates enabling BB for a repo (creates directories, files, and updates .gitignore). * NEW FILE: bin/blackbox_removeadmin: Automates removing an admit. * NEW FILE: tools/confidence_test.sh: A battery of tests to verify operations. * NEW FILE: bin/Makefile: Automate package creation. * NEW FILE: bin/_stack_lib.sh: A library of shell routines from StackExchange. 2014-08-29 20:21:02 +00:00			`#!/usr/bin/env bash`
Initial check in 2014-07-07 20:30:16 -04:00
			`#`
			`# blackbox_register_new_file.sh -- Enroll a new file in the blackbox system.`
			`#`
Remove ".sh" from file names. Refactor so it does not rely on PWD being the repo basedir. Fix assumptions about HG and GIT use. 2014-08-28 20:47:32 +00:00			`# Takes a previously unencrypted file and enrolls it into the blackbox`
			`# system. It will be kept in the repo as an encrypted file. On deployment`
			`# to systems that need the plaintext (unencrypted) versions, run`
			`# blackbox_postdeploy.sh to decrypt all the files.`
Initial check in 2014-07-07 20:30:16 -04:00
Update .gitignore when registering new files To reduce the risk of accidentally adding plaintext secrets, ignore registered plaintext files. 2014-10-13 21:31:58 +02:00			`# TODO(tlim): Add the unencrypted file to .hgignore`
* Initialization for new repos AUTOMATED. * Adding new users AUTOMATED. * Update docs for the new, more simplified installation processes. * Remove dependency on any particular paths, etc. Copy "bin" into a place along your path and everything should "just work". * Add support for Mercurial (not tested). * blackbox_addadmin now adds keys to the keyring for you. * Unified #! lines to "#!/usr/bin/env bash" so it works better on FreeBSD. * BUGFIX: (BugId#1) blackbox_update_all_files.sh expects hg, fails for git. * BUGFIX: (BugId#2) blackbox_postdeploy.sh assumes certain directory layout. * BUGFIX: Temporary files aren't deleted. * NEW FILE: bin/blackbox_initialize: Automates enabling BB for a repo (creates directories, files, and updates .gitignore). * NEW FILE: bin/blackbox_removeadmin: Automates removing an admit. * NEW FILE: tools/confidence_test.sh: A battery of tests to verify operations. * NEW FILE: bin/Makefile: Automate package creation. * NEW FILE: bin/_stack_lib.sh: A library of shell routines from StackExchange. 2014-08-29 20:21:02 +00:00
Add "set -e" to all scripts. 2014-09-08 20:25:38 +00:00			`set -e`
Remove ".sh" from file names. Refactor so it does not rely on PWD being the repo basedir. Fix assumptions about HG and GIT use. 2014-08-28 20:47:32 +00:00			`. _blackbox_common.sh`
Update .gitignore when registering new files To reduce the risk of accidentally adding plaintext secrets, ignore registered plaintext files. 2014-10-13 21:31:58 +02:00			`_determine_vcs_base_and_type`
Initial check in 2014-07-07 20:30:16 -04:00
			`unencrypted_file=$(get_unencrypted_filename "$1")`
			`encrypted_file=$(get_encrypted_filename "$1")`

			`if [[ $1 == $encrypted_file ]]; then`
			`echo ERROR: Please only register unencrypted files.`
			`exit 1`
			`fi`

			`echo ========== PLAINFILE "$unencrypted_file"`
			`echo ========== ENCRYPTED "$encrypted_file"`

			`fail_if_not_exists "$unencrypted_file" "Please specify an existing file."`
			`fail_if_exists "$encrypted_file" "Will not overwrite."`

			`prepare_keychain`
			`encrypt_file "$unencrypted_file" "$encrypted_file"`
			`add_filename_to_cryptlist "$unencrypted_file"`

			`# Is the unencrypted file already in HG? (ie. are we correcting a bad situation)`
Big doc update plus refined tools to work better outside of StackExchange. 2014-08-13 15:16:35 -04:00			`SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file})`
Initial check in 2014-07-07 20:30:16 -04:00			`echo "========== CREATED: ${encrypted_file}"`
Big doc update plus refined tools to work better outside of StackExchange. 2014-08-13 15:16:35 -04:00			`echo "========== UPDATING REPO:"`
Initial check in 2014-07-07 20:30:16 -04:00			`shred_file "$unencrypted_file"`
Big doc update plus refined tools to work better outside of StackExchange. 2014-08-13 15:16:35 -04:00
			`VCSCMD=$(which_vcs)`
Initial check in 2014-07-07 20:30:16 -04:00			`if $SECRETSEXPOSED ; then`
* Initialization for new repos AUTOMATED. * Adding new users AUTOMATED. * Update docs for the new, more simplified installation processes. * Remove dependency on any particular paths, etc. Copy "bin" into a place along your path and everything should "just work". * Add support for Mercurial (not tested). * blackbox_addadmin now adds keys to the keyring for you. * Unified #! lines to "#!/usr/bin/env bash" so it works better on FreeBSD. * BUGFIX: (BugId#1) blackbox_update_all_files.sh expects hg, fails for git. * BUGFIX: (BugId#2) blackbox_postdeploy.sh assumes certain directory layout. * BUGFIX: Temporary files aren't deleted. * NEW FILE: bin/blackbox_initialize: Automates enabling BB for a repo (creates directories, files, and updates .gitignore). * NEW FILE: bin/blackbox_removeadmin: Automates removing an admit. * NEW FILE: tools/confidence_test.sh: A battery of tests to verify operations. * NEW FILE: bin/Makefile: Automate package creation. * NEW FILE: bin/_stack_lib.sh: A library of shell routines from StackExchange. 2014-08-29 20:21:02 +00:00			`vcs_remove "$unencrypted_file"`
			`vcs_add "$encrypted_file"`
Initial check in 2014-07-07 20:30:16 -04:00			`COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"`
			`else`
			`COMMIT_FILES="$BB_FILES $encrypted_file"`
			`fi`
Update .gitignore when registering new files To reduce the risk of accidentally adding plaintext secrets, ignore registered plaintext files. 2014-10-13 21:31:58 +02:00
Add TODO 2014-10-14 14:26:24 +00:00			`# TODO(tlim): This should be moved to _blackbox_common.sh in a`
			`# VCS-independent way.`
Update .gitignore when registering new files To reduce the risk of accidentally adding plaintext secrets, ignore registered plaintext files. 2014-10-13 21:31:58 +02:00			`IGNOREFILE=".${VCS_TYPE}ignore"`
			`if [[ $VCS_TYPE = 'git' ]]; then`
For git, add plaintext files to .gitignore to prevent accidental additions. 2014-10-14 14:23:34 +00:00			`ignored_file="$(echo "$unencrypted_file" \| sed 's/^\([!#]\)/\\\1/')"`
			`if ! grep -Fsx >/dev/null "$ignored_file" "$IGNOREFILE"; then`
			`echo "$ignored_file" >>"$IGNOREFILE"`
			`COMMIT_FILES="$COMMIT_FILES $IGNOREFILE"`
			`fi`
			`vcs_add "$IGNOREFILE"`
Update .gitignore when registering new files To reduce the risk of accidentally adding plaintext secrets, ignore registered plaintext files. 2014-10-13 21:31:58 +02:00			`fi`

Initial check in 2014-07-07 20:30:16 -04:00			`echo 'NOTE: "already tracked!" messages are safe to ignore.'`
* Initialization for new repos AUTOMATED. * Adding new users AUTOMATED. * Update docs for the new, more simplified installation processes. * Remove dependency on any particular paths, etc. Copy "bin" into a place along your path and everything should "just work". * Add support for Mercurial (not tested). * blackbox_addadmin now adds keys to the keyring for you. * Unified #! lines to "#!/usr/bin/env bash" so it works better on FreeBSD. * BUGFIX: (BugId#1) blackbox_update_all_files.sh expects hg, fails for git. * BUGFIX: (BugId#2) blackbox_postdeploy.sh assumes certain directory layout. * BUGFIX: Temporary files aren't deleted. * NEW FILE: bin/blackbox_initialize: Automates enabling BB for a repo (creates directories, files, and updates .gitignore). * NEW FILE: bin/blackbox_removeadmin: Automates removing an admit. * NEW FILE: tools/confidence_test.sh: A battery of tests to verify operations. * NEW FILE: bin/Makefile: Automate package creation. * NEW FILE: bin/_stack_lib.sh: A library of shell routines from StackExchange. 2014-08-29 20:21:02 +00:00			`vcs_add $BB_FILES $encrypted_file`
			`vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES`
Remove ".sh" from file names. Refactor so it does not rely on PWD being the repo basedir. Fix assumptions about HG and GIT use. 2014-08-28 20:47:32 +00:00			`echo "========== UPDATING VCS: DONE"`
Initial check in 2014-07-07 20:30:16 -04:00			`echo "Local repo updated. Please push when ready."`
Big doc update plus refined tools to work better outside of StackExchange. 2014-08-13 15:16:35 -04:00			`echo " $VCSCMD push"`