diff --git a/bin/_blackbox_common.sh b/bin/_blackbox_common.sh
index 0d2e8ee..af77c88 100755
--- a/bin/_blackbox_common.sh
+++ b/bin/_blackbox_common.sh
@@ -25,6 +25,7 @@ function _determine_vcs_base_and_type() {
 echo /dev/null
 VCS_TYPE=unknown
 fi
+ export VCS_TYPE
 # FIXME: Verify this function by checking for .hg or .git
 # after determining what we believe to be the answer.
 }
@@ -38,6 +39,13 @@ BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"
+# Return error if not on cryptlist.
+function is_on_cryptlist() {
+ # Assumes $1 does NOT have the .gpg extension
+ local rname=$(vcs_relative_path "$1")
+ grep -F -x -s -q "$rname" "$BB_FILES"
+}
+
 # Exit with error if a file exists.
 function fail_if_exists() {
 if [[ -f "$1" ]]; then
@@ -69,15 +77,12 @@ function fail_if_not_in_repo() {
 # Exit with error if filename is not registered on blackbox list.
 function fail_if_not_on_cryptlist() {
 # Assumes $1 does NOT have the .gpg extension
- local name
- name="$1"
-#echo name=$name
-#echo BB_FILES=$BB_FILES
-#echo fgrep -s -q "$name" "$BB_FILES" \; echo '$?'
+ local name="$1"
- if ! grep -x -s -q "$name" "$BB_FILES" ; then
- echo 'ERROR: Please run this script from the base directory.'
+ if ! is_on_cryptlist "$name" ; then
+ echo "ERROR: $name not found in $BB_FILES"
+ echo "PWD="$(/bin/pwd)
 echo 'Exiting...'
 exit 1
 fi
@@ -114,8 +119,7 @@ function prepare_keychain() {
 function add_filename_to_cryptlist() {
 # If the name is already on the list, this is a no-op.
 # However no matter what the datestamp is updated.
- local name
- name="$1"
+ local name=$(vcs_relative_path "$1")
 if grep -s -q "$name" "$BB_FILES" ; then
 echo ========== File is registered. No need to add to list.
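Review bot: `local rname=$(vcs_relative_path "$1")` in the new is_on_cryptlist hides the exit status of vcs_relative_path, because `local` returns 0 whatever the substitution did, so a failed path computation falls through to a grep for an empty or partial name instead of failing the lookup. Declare and assign separately: `local rname` then `rname=$(vcs_relative_path "$1") || return 1`. The move to `grep -F -x` is the right fixed-string, whole-line match for a list lookup. The function is complete within the hunk.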
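Review bot: `echo "PWD="$(/bin/pwd)` in fail_if_not_on_cryptlist leaves the command substitution outside the quotes, so a working directory containing spaces or glob characters is word-split and glob-expanded before echo prints it; write `echo "PWD=$(/bin/pwd)"`. The same unquoted form is added to assert_file_exists in tools/confidence_test.sh. These diagnostics go to stdout; appending `>&2` would keep them out of any output a caller captures.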
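Review bot: `if grep -s -q "$name" "$BB_FILES"` in add_filename_to_cryptlist is still an unanchored regex match while the new is_on_cryptlist uses `grep -F -x`; now that name is a repo-relative path, a path that is a substring of an existing entry (for example `to/relsecrets.txt` against an existing `my/path/to/relsecrets.txt`, with `.` also matching as a wildcard) is reported as already registered and is silently never added to the list. Use the same predicate, `if is_on_cryptlist "$1" ; then`, or at minimum `grep -F -x -s -q`. `local name=$(vcs_relative_path "$1")` also masks vcs_relative_path's exit status, as in is_on_cryptlist. The body of the function continues past the hunk.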
@@ -291,6 +295,13 @@ function vcs_commit_git() {
 git commit -m"""$@"""
 }
+# Output the path of a file relative to the repo base
+function vcs_relative_path() {
+ # Usage: vcs_relative_path file
+ local name="$1"
+ python -c 'import os ; print os.path.relpath("'$(pwd -P)'/'"$name"'", "'"$REPOBASE"'")'
+}
+
 # TODO(tlim): Rename these vcs_rm_file* to be in sync with the others.
diff --git a/bin/blackbox_edit b/bin/blackbox_edit
index 2309287..e3f6b4f 100755
--- a/bin/blackbox_edit
+++ b/bin/blackbox_edit
@@ -3,33 +3,24 @@
 #
 # blackbox_edit.sh -- Decrypt a file temporarily for edition, then re-encrypts it again
 #
-
 set -e
 . _blackbox_common.sh
+set -x
 for param in """$@""" ; do
- unencrypted_file=$(mktemp)
- encrypted_file=$(get_encrypted_filename "$param")
- echo ========== PLAINFILE "$unencrypted_file"
-
- fail_if_not_on_cryptlist "$unencrypted_file"
- fail_if_not_exists "$encrypted_file" "This should not happen."
- if [[ ! -s "$unencrypted_file" ]]; then
- rm -f "$unencrypted_file"
+ if ! is_on_cryptlist "$param" ; then
+ read -p "Encrypt file $param? (y/n) " ans
+ case "$ans" in
+ y* | Y*)
+ blackbox_register_new_file "$param"
+ ;;
+ *)
+ echo 'Skipping...'
+ continue
+ ;;
+ esac
 fi
- if [[ -f "$unencrypted_file" ]]; then
- echo SKIPPING: "$1" "Will not overwrite non-empty files."
- continue
- fi
-
- prepare_keychain
- decrypt_file "$encrypted_file" "$unencrypted_file"
+ blackbox_edit_start "$param"
 $EDITOR $unencrypted_file
-
- encrypt_file "$unencrypted_file" "$encrypted_file"
- shred_file "$unencrypted_file"
-
- echo "========== UPDATED ${encrypted_file}"
- echo "Likely next step:"
- echo " git commit -m\"${encrypted_file} updated\" $encrypted_file"
+ blackbox_edit_end "$param"
 done
diff --git a/tools/confidence_test.sh b/tools/confidence_test.sh
index c5778d6..bd977af 100755
--- a/tools/confidence_test.sh
+++ b/tools/confidence_test.sh
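Review bot: The `python -c` line in vcs_relative_path builds Python source text by splicing `$(pwd -P)`, `$name` and `$REPOBASE` between quote characters, so a path containing a double quote, backslash or newline breaks the generated program and the path is interpreted as code rather than data. Pass the values as arguments instead: `python -c 'import os, sys; print os.path.relpath(sys.argv[1], sys.argv[2])' "$(pwd -P)/$name" "$REPOBASE"`. The `print` statement form is Python 2 only; if that is intended, the `# Usage:` comment should say so. The function is complete within the hunk.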
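Review bot: `$EDITOR $unencrypted_file` survives as context, but the only assignment to unencrypted_file, `unencrypted_file=$(mktemp)`, is removed in this hunk, so the editor is now launched with an empty argument and the decrypted file is never opened. The new test in tools/confidence_test.sh asserts that blackbox_edit_start leaves the plaintext at the path given, so this line should presumably become `$EDITOR "$param"`. The added `set -x` traces every command, including the plaintext path and all arguments, to stderr for every user and reads as leftover debugging; drop it before merging. `read -p` without `-r` also interprets backslashes in the answer, though only the first character is tested here.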
@@ -7,11 +7,11 @@ export PATH=/home/tlimoncelli/gitwork/blackbox/bin:/usr/lib64/qt-3.3/bin:/usr/lo
 set -e
 function PHASE() {
- echo '===================='
- echo '===================='
- echo '=========' """$@"""
- echo '===================='
- echo '===================='
+ echo '********************'
+ echo '********************'
+ echo '*********' """$@"""
+ echo '********************'
+ echo '********************'
 }
 function assert_file_missing() {
@@ -24,6 +24,10 @@ function assert_file_missing() {
 function assert_file_exists() {
 if [[ ! -e "$1" ]]; then
 echo "ASSERT FAILED: ${1} should exist."
+ echo "PWD="$(/bin/pwd -P)
+ #echo "LS START"
+ #ls -la
+ #echo "LS END"
 exit 1
 fi
 }
@@ -246,6 +250,22 @@ assert_file_missing mistake.txt
 assert_file_exists mistake.txt.gpg
 # NOTE: It is still in the history. That should be corrected someday.
+PHASE 'Bob enrolls my/path/to/relsecrets.txt.'
+mkdir my my/path my/path/to
+echo 'New secret' > my/path/to/relsecrets.txt
+cd my/path/to
+blackbox_register_new_file relsecrets.txt
+assert_file_missing relsecrets.txt
+assert_file_exists relsecrets.txt.gpg
+
+PHASE 'Bob decrypts relsecrets.txt.'
+cd ..
+blackbox_edit_start to/relsecrets.txt
+assert_file_exists to/relsecrets.txt
+assert_file_exists to/relsecrets.txt.gpg
+assert_file_md5hash to/relsecrets.txt "c47f9c3c8ce03d895b883ac22384cb67"
+cd ../..
+
 # TODO(tlim): Add test to make sure that now alice can NOT decrypt.
 #
diff --git a/tools/rpm_filelist.txt b/tools/rpm_filelist.txt
index 943177e..d0b9cc5 100644
--- a/tools/rpm_filelist.txt
+++ b/tools/rpm_filelist.txt
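Review bot: The three commented-out lines added to assert_file_exists, `#echo "LS START"`, `#ls -la` and `#echo "LS END"`, are leftover debugging and should be either removed or turned into a real diagnostic that runs on failure (the assertion already exits, so an unconditional `ls -la >&2` just before `exit 1` costs nothing). The function is complete within the hunk.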
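Review bot: The new relative-path phase stops after blackbox_edit_start and leaves `to/relsecrets.txt` decrypted; it never calls blackbox_edit_end (or blackbox_edit) from the subdirectory, so the re-encryption side of the relative-path change in _blackbox_common.sh is not exercised. Adding `blackbox_edit_end to/relsecrets.txt` followed by `assert_file_missing to/relsecrets.txt` before `cd ../..` would cover it. `mkdir my my/path my/path/to` can be written `mkdir -p my/path/to`.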
@@ -2,6 +2,7 @@ read /etc/profile.d/usrblackbox.sh tools/profile.d-usrblackbox.sh
 exec /usr/blackbox/bin/_blackbox_common.sh bin/_blackbox_common.sh
 exec /usr/blackbox/bin/_stack_lib.sh bin/_stack_lib.sh
 exec /usr/blackbox/bin/blackbox_addadmin bin/blackbox_addadmin
+exec /usr/blackbox/bin/blackbox_edit bin/blackbox_edit
 exec /usr/blackbox/bin/blackbox_edit_end bin/blackbox_edit_end
 exec /usr/blackbox/bin/blackbox_edit_start bin/blackbox_edit_start
 exec /usr/blackbox/bin/blackbox_initialize bin/blackbox_initialize