BIG CHANGES:

* Command no longer need to be run from the base directory of the repo.
  * blackbox_edit now asks "are you sure?" and is greatly simplified.

_blackbox_common.sh:
  * add_filename_to_cryptlist now accepts paths relative to cwd.
  * fail_if_not_on_cryptlist now accepts paths relative to cwd.
  * new function: vcs_relative_path reports a path to the file relative to the REPOBASE.
  * new function: is_on_cryptlist

plus...
  * Some minor performance enhancesments and cleanups.
  * confidence_test.sh now tests some commands while not in REPOBASE.

bin/_blackbox_common.sh

@@ -25,6 +25,7 @@ function _determine_vcs_base_and_type() {
     echo /dev/null
     VCS_TYPE=unknown
   fi
+  export VCS_TYPE
   # FIXME: Verify this function by checking for .hg or .git
   # after determining what we believe to be the answer.
 }
@@ -38,6 +39,13 @@ BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"
 
+# Return error if not on cryptlist.
+function is_on_cryptlist() {
+  # Assumes $1 does NOT have the .gpg extension
+  local rname=$(vcs_relative_path "$1")
+  grep -F -x -s -q "$rname" "$BB_FILES"
+}
+
 # Exit with error if a file exists.
 function fail_if_exists() {
   if [[ -f "$1" ]]; then
@@ -69,15 +77,12 @@ function fail_if_not_in_repo() {
 # Exit with error if filename is not registered on blackbox list.
 function fail_if_not_on_cryptlist() {
   # Assumes $1 does NOT have the .gpg extension
-  local name
-  name="$1"
 
-#echo name=$name
+  local name="$1"
-#echo BB_FILES=$BB_FILES
-#echo fgrep -s -q "$name" "$BB_FILES" \; echo '$?'
 
-  if ! grep -x -s -q "$name" "$BB_FILES" ; then
+  if ! is_on_cryptlist "$name" ; then
-    echo 'ERROR: Please run this script from the base directory.'
+    echo "ERROR: $name not found in $BB_FILES"
+    echo "PWD="$(/bin/pwd)
     echo 'Exiting...'
     exit 1
   fi
@@ -114,8 +119,7 @@ function prepare_keychain() {
 function add_filename_to_cryptlist() {
   # If the name is already on the list, this is a no-op.
   # However no matter what the datestamp is updated.
-  local name
+  local name=$(vcs_relative_path "$1")
-  name="$1"
 
   if grep -s -q "$name" "$BB_FILES" ; then
     echo ========== File is registered. No need to add to list.
@@ -291,6 +295,13 @@ function vcs_commit_git() {
   git commit -m"""$@"""
 }
 
+# Output the path of a file relative to the repo base
+function vcs_relative_path() {
+  # Usage: vcs_relative_path file
+  local name="$1"
+  python -c 'import os ; print os.path.relpath("'$(pwd -P)'/'"$name"'", "'"$REPOBASE"'")'
+}
+
 
 # TODO(tlim): Rename these vcs_rm_file* to be in sync with the others.
 

bin/blackbox_edit

@@ -3,33 +3,24 @@
 #
 # blackbox_edit.sh -- Decrypt a file temporarily for edition, then re-encrypts it again
 #
-
 set -e
 . _blackbox_common.sh
+set -x
 
 for param in """$@""" ; do
-  unencrypted_file=$(mktemp)
+  if ! is_on_cryptlist "$param" ; then
-  encrypted_file=$(get_encrypted_filename "$param")
+    read -p "Encrypt file $param? (y/n) " ans
-  echo ========== PLAINFILE "$unencrypted_file"
+    case "$ans" in
-
+      y* | Y*)
-  fail_if_not_on_cryptlist "$unencrypted_file"
+        blackbox_register_new_file "$param"
-  fail_if_not_exists "$encrypted_file" "This should not happen."
+        ;;
-  if [[ ! -s "$unencrypted_file" ]]; then
+      *)
-    rm -f "$unencrypted_file"
+        echo 'Skipping...'
+        continue
+        ;;
+    esac
   fi
-  if [[ -f "$unencrypted_file" ]]; then
+  blackbox_edit_start "$param"
-    echo SKIPPING: "$1" "Will not overwrite non-empty files."
-    continue
-  fi
-
-  prepare_keychain
-  decrypt_file "$encrypted_file" "$unencrypted_file"
   $EDITOR $unencrypted_file
-
+  blackbox_edit_end "$param"
-  encrypt_file "$unencrypted_file" "$encrypted_file"
-  shred_file "$unencrypted_file"
-  
-  echo "========== UPDATED ${encrypted_file}"
-  echo "Likely next step:"
-  echo "    git commit -m\"${encrypted_file} updated\" $encrypted_file"
 done

tools/confidence_test.sh

@@ -7,11 +7,11 @@ export PATH=/home/tlimoncelli/gitwork/blackbox/bin:/usr/lib64/qt-3.3/bin:/usr/lo
 set -e
 
 function PHASE() {
-  echo '===================='
+  echo '********************'
-  echo '===================='
+  echo '********************'
-  echo '=========' """$@"""
+  echo '*********' """$@"""
-  echo '===================='
+  echo '********************'
-  echo '===================='
+  echo '********************'
 }
 
 function assert_file_missing() {
@@ -24,6 +24,10 @@ function assert_file_missing() {
 function assert_file_exists() {
   if [[ ! -e "$1" ]]; then
     echo "ASSERT FAILED: ${1} should exist."
+    echo "PWD="$(/bin/pwd -P)
+    #echo "LS START"
+    #ls -la
+    #echo "LS END"
     exit 1
   fi
 }
@@ -246,6 +250,22 @@ assert_file_missing mistake.txt
 assert_file_exists mistake.txt.gpg
 # NOTE: It is still in the history. That should be corrected someday.
 
+PHASE 'Bob enrolls my/path/to/relsecrets.txt.'
+mkdir my my/path my/path/to
+echo 'New secret' > my/path/to/relsecrets.txt
+cd my/path/to
+blackbox_register_new_file relsecrets.txt
+assert_file_missing relsecrets.txt
+assert_file_exists relsecrets.txt.gpg
+
+PHASE 'Bob decrypts relsecrets.txt.'
+cd ..
+blackbox_edit_start to/relsecrets.txt
+assert_file_exists to/relsecrets.txt
+assert_file_exists to/relsecrets.txt.gpg
+assert_file_md5hash to/relsecrets.txt "c47f9c3c8ce03d895b883ac22384cb67"
+cd ../..
+
 # TODO(tlim): Add test to make sure that now alice can NOT decrypt.
 
 #

tools/rpm_filelist.txt

@@ -2,6 +2,7 @@ read /etc/profile.d/usrblackbox.sh                tools/profile.d-usrblackbox.sh
 exec /usr/blackbox/bin/_blackbox_common.sh        bin/_blackbox_common.sh
 exec /usr/blackbox/bin/_stack_lib.sh              bin/_stack_lib.sh
 exec /usr/blackbox/bin/blackbox_addadmin          bin/blackbox_addadmin
+exec /usr/blackbox/bin/blackbox_edit              bin/blackbox_edit
 exec /usr/blackbox/bin/blackbox_edit_end          bin/blackbox_edit_end
 exec /usr/blackbox/bin/blackbox_edit_start        bin/blackbox_edit_start
 exec /usr/blackbox/bin/blackbox_initialize        bin/blackbox_initialize