From 2f905dce485114fec10fb747443027c0f9119caa Mon Sep 17 00:00:00 2001 From: James Murty Date: Fri, 14 Aug 2020 09:34:04 +1000 Subject: [PATCH] Complete preparations for 2.1.0 release - bump version number to 2.1.0 - add CHANGELOG.md document with historical and new changes - update man page to match changes to README.md - always use double brackets '[[' ']]' around tests, they're safer --- .gitattributes | 2 +- CHANGELOG.md | 178 ++++++++++++++++++++++++++++++ README.md | 28 +---- contrib/bash/transcrypt | 2 +- contrib/packaging/pacman/PKGBUILD | 2 +- contrib/zsh/_transcrypt | 1 + man/transcrypt.1.ronn | 10 +- tests/_test_helper.bash | 28 ++--- tests/test_cleanup.bats | 42 +++---- tests/test_crypt.bats | 104 ++++++++--------- tests/test_init.bats | 75 ++++++------- tests/test_merge.bats | 42 +++---- tests/test_not_inited.bats | 39 +++---- tests/test_pre_commit.bats | 50 ++++----- transcrypt | 14 +-- 15 files changed, 388 insertions(+), 229 deletions(-) create mode 100644 CHANGELOG.md diff --git a/.gitattributes b/.gitattributes index db8bb76..7c479b7 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1 @@ -sensitive_file filter=crypt diff=crypt +sensitive_file filter=crypt diff=crypt merge=crypt diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..c0f5475 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,178 @@ +# Changelog + +This is a summary of transcrypt releases, dates, and key changes. + +See also https://github.com/elasticdog/transcrypt/releases + +## transcrypt v2.1.0 (? ? 2020) + +This release includes features to make it easier and safer to use transcrypt, +in particular: fix merge of encrypted files with conflicts, preventing +accidental commit of plain text files by incompatible Git tools, and upgrade +easily with `--upgrade`. + +### Steps to upgrade + +1. Make sure you are running the latest version of _transcrypt_: + + ``` + $ transcrypt --version + ``` + +2. Upgrade a repository: + + ``` + $ transcrypt --upgrade + ``` + +3. Enable the merge handling fix by adding `merge=crypt` to the end of each + _transcrypt_ pattern in `.gitattribute`, to look like this: + + ``` + sensitive_file filter=crypt diff=crypt merge=crypt + ``` + +### New features + +- Add `--upgrade` command to apply the latest transcrypt scripts in an already + configured repository without the need to re-apply existing settings. + +- Install a Git pre-commit hook to reject accidental commit of unencrypted + plain text version of sensitive files, which could otherwise happen if a tool + does not respect the `.gitattribute` filters Transcrypt needs to do its job. + +### Fixed + +- Fix handling of branch merges with conflicts in encrypted files, which would + previously leave the user to manually merge files with a mix of encrypted and + unencrypted content. (#69, #8, #23, #67) + +- Remove any cached unencrypted files from Git's object database when + credentials are removed from a repository with a flush or uninstall, so + sensitive file data does not remain accessible in a surprising way. (#74) + +- Fix handling of sensitive files with non-ASCII file names, such as extended + Unicode characters. (#78) + +- Transcrypt `--version` and `--help` commands now work when run outside a Git + repository. (#68) + +- The `--list` command now works in a repository that has not yet been init-ed. + +### Changed + +- Add a functional test suite built on [bats-core](https://github.com/bats-core/bats-core#installation). +- Apply Continuous Integration: run functional tests with GitHub Actions. +- Fix [EditorConfig](https://editorconfig.org/) file config for Markdown files. +- Add [CHANGELOG.md](CHANGELOG.md) file to make it easier to find notes about + project changes (see also Release) + +## transcrypt v2.0.0 (20 Jul 2019) + +**\*\*\* WARNING: Re-encryption will be required when updating to version 2.0.0! \*\*\*** + +This is not a security issue, but the result of a [bug fix](https://github.com/elasticdog/transcrypt/pull/57) to ensure that the salt generation is consistent across all operating systems. Once someone on your team updates to version 2.0.0, it will manifest as the encrypted files in your repository showing as _changed_. You should ensure that all users upgrade at the same time...since `transcrypt` itself is small, it may make sense to commit the script directly into your repo to maintain consistency moving forward. + +### Steps to Re-encrypt + +After you've upgraded to v2.0.0... + +1. Display the current config so you can reference the command to re-initialize things: + + ``` + $ transcrypt --display + The current repository was configured using transcrypt version 1.1.0 + and has the following configuration: + + GIT_WORK_TREE: /home/elasticdog/src/transcrypt + GIT_DIR: /home/elasticdog/src/transcrypt/.git + GIT_ATTRIBUTES: /home/elasticdog/src/transcrypt/.gitattributes + + CIPHER: aes-256-cbc + PASSWORD: correct horse battery staple + + Copy and paste the following command to initialize a cloned repository: + + transcrypt -c aes-256-cbc -p 'correct horse battery staple' + ``` + +2. Flush the credentials and re-configure the repo with the same settings as above: + + ``` + $ transcrypt --flush-credentials + $ transcrypt -c aes-256-cbc -p 'correct horse battery staple' + ``` + +3. Now that all of the appropriate files have been re-encrypted, add them and commit the changes: + ``` + $ git add -- $(transcrypt --list) + $ git commit --message="Re-encrypt files protected by transcrypt using new salt value" + ``` + +### Fixed + +- Force the use of macOS's system `sed` binary to prevent errors (#50) +- Fix cross-platform compatibility by making salt generation logic consistent (#57) + +### Changed + +- Add an [EditorConfig](https://editorconfig.org/) file to help with consistency in formatting (#51) +- Use [unofficial Bash strict mode](http://redsymbol.net/articles/unofficial-bash-strict-mode/) for safety (#53) +- Reformat files using the automated formatting tools [Prettier](https://prettier.io/) and [shfmt](https://github.com/mvdan/sh) +- Ensure that `transcrypt` addresses all [ShellCheck](https://github.com/koalaman/shellcheck) static analysis warnings + +## transcrypt v1.1.0 (26 May 2018) + +### Fixed + +- Fix broken cipher validation safety check when running with OpenSSL v1.1.0+. (#48) + +## transcrypt v1.0.3 (21 Aug 2017) + +### Fixed + +- Explicitly set digest hash function to match default settings before OpenSSL v1.1.0. (#41) + +## transcrypt v1.0.2 (6 Apr 2017) + +### Fixed + +- Ensure realpath function does not incorrectly return the current directory for certain inputs. (#38) + +## transcrypt v1.0.1 (6 Jan 2017) + +### Fixed + +- Correct the behavior of `mktemp` when running on OS X versions 10.10 Yosemite and earlier. +- Prevent unexpected error output when running transcrypt outside of a Git repository. + +## transcrypt v1.0.0 (2 Jan 2017) + +Since the v0.9.9 release, these are the notable improvements made to transcrypt: + +- properly handle file names with spaces +- adjust usage of `mktemp` utility to be more cross-platform +- additional safety checks for all required cli utility dependencies + +## transcrypt v0.9.9 (5 Sep 2016) + +Since the v0.9.7 release, these are the notable improvements made to transcrypt: + +- support for use of a [wildcard](https://github.com/elasticdog/transcrypt/commit/a0b7d4ec0296e83974cb02be640747149b23ef54) with `--show-raw` to dump the raw commit objects for _all_ encrypted files +- GPG import/export of repository configuration +- more [strict filter script behavior](https://github.com/elasticdog/transcrypt/pull/29) to adhere to upstream recommendations +- automatic caching of the decrypted content for faster Git operations like `git log -p` +- ability to configure bare repositories +- ability to configure "fake bare" repositories for use through [vcsh](https://github.com/RichiH/vcsh) +- ability configure multiple worktrees via [git-workflow](https://github.com/blog/2042-git-2-5-including-multiple-worktrees-and-triangular-workflows) +- support for unencrypted archive exporting via [git-archive](https://git-scm.com/docs/git-archive) + +## transcrypt v0.9.8 (5 Sep 2016) + +## transcrypt v0.9.7 ( 23 Mar 2015) + +## transcrypt v0.9.6 (30 Aug 2014 ) + +## transcrypt v0.9.5 (23 Aug 2014) + +## transcrypt v0.9.4 (3 Mar 2014) diff --git a/README.md b/README.md index aa4a194..6f2623b 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,7 @@ The requirements to run transcrypt are minimal: - Bash - Git - OpenSSL +- `column` command (on Ubuntu/Debian install `bsdmainutils`) ...and optionally: @@ -325,30 +326,3 @@ To run the tests: - [install bats-core](https://github.com/bats-core/bats-core#installation) - run all tests with: `bats tests/` - run an individual test with e.g: `./tests/test_help.bats` - -## Changes - -Fixes: - -- Fix handling of branch merges with conflicts in encrypted files, which would - previously leave the user to manually merge files with a mix of encrypted and - unencrypted content. - - To apply this fix in projects that already use transcrypt: use the `--upgrade` - command, or uninstall and re-init transcrypt then add `merge=crypt` to the - patterns in _.gitattributes_ - -- Remove any cached unencrypted from Git's object database when credentials are - removed from a repository with a flush or uninstall (#74). - -Improvements: - -- Add Git pre-commit hook to reject commit of file that should be encrypted but - has plain text content: a safety mechanism to prevent accidental commits of - plain text files staged by tools that do not respect the .gitattribute - filters Transcrypt needs to do its job. - -- Add --upgrade command to apply the latest transcrypt scripts in the - repository without changing its configuration settings. - -- Add functional tests. diff --git a/contrib/bash/transcrypt b/contrib/bash/transcrypt index 9a49f48..07dafa0 100644 --- a/contrib/bash/transcrypt +++ b/contrib/bash/transcrypt @@ -22,7 +22,7 @@ _transcrypt() { cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" opts="-c -p -y -d -r -f -F -u -l -s -e -i -v -h \ - --cipher --password --yes --display --rekey --flush-credentials --force --uninstall --list --show-raw --export-gpg --import-gpg --version --help" + --cipher --password --yes --display --rekey --flush-credentials --force --uninstall --upgrade --list --show-raw --export-gpg --import-gpg --version --help" case "${prev}" in -c | --cipher) diff --git a/contrib/packaging/pacman/PKGBUILD b/contrib/packaging/pacman/PKGBUILD index 9297665..18f658f 100644 --- a/contrib/packaging/pacman/PKGBUILD +++ b/contrib/packaging/pacman/PKGBUILD @@ -1,6 +1,6 @@ # Maintainer: Aaron Bull Schaefer pkgname=transcrypt -pkgver=2.0.0 +pkgver=2.1.0 pkgrel=1 pkgdesc='A script to configure transparent encryption of files within a Git repository' arch=('any') diff --git a/contrib/zsh/_transcrypt b/contrib/zsh/_transcrypt index 6bf4a92..ef2b32e 100644 --- a/contrib/zsh/_transcrypt +++ b/contrib/zsh/_transcrypt @@ -18,6 +18,7 @@ _transcrypt() { '(-f --flush-credentials -c --cipher -p --password -r --rekey -u --uninstall)'{-f,--flush-credentials}'[flush cached credentials]' \ '(-F --force -d --display -u --uninstall)'{-F,--force}'[ignore repository clean state]' \ '(-u --uninstall -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)'{-u,--uninstall}'[uninstall transcrypt]' \ + '(--upgrade -c --cipher -d --display -f --flush-credentials -p --password -r --rekey)'{--upgrade}'[upgrade transcrypt]' \ '(-i --import-gpg -c --cipher -p --password -d --display -f --flush-credentials -u --uninstall)'{-i,--import-gpg=}'[import config from gpg file]:file:->file' \ && return 0 diff --git a/man/transcrypt.1.ronn b/man/transcrypt.1.ronn index fb6a7d0..d9c3df0 100644 --- a/man/transcrypt.1.ronn +++ b/man/transcrypt.1.ronn @@ -46,6 +46,10 @@ The transcrypt source code and full documentation may be downloaded from remove all transcrypt configuration from the repository and leave files in the current working copy decrypted + * `--upgrade`: + apply the latest transcrypt scripts in the repository without + changing your configuration settings + * `-l`, `--list`: list all of the transparently encrypted files in the repository, relative to the top-level directory @@ -78,12 +82,12 @@ were not given. $ transcrypt Once a repository has been configured with transcrypt, you can transparently -encrypt files by applying the "crypt" filter and diff to a pattern in the -top-level _.gitattributes_ config. If that pattern matches a file in your +encrypt files by applying the "crypt" filter, diff and merge to a pattern in +the top-level _.gitattributes_ config. If that pattern matches a file in your repository, the file will be transparently encrypted once you stage and commit it: - $ echo 'sensitive_file filter=crypt diff=crypt' >> .gitattributes + $ echo 'sensitive_file filter=crypt diff=crypt merge=crypt' >> .gitattributes $ git add .gitattributes sensitive_file $ git commit -m 'Add encrypted version of a sensitive file' diff --git a/tests/_test_helper.bash b/tests/_test_helper.bash index 6b145d1..08c9e42 100644 --- a/tests/_test_helper.bash +++ b/tests/_test_helper.bash @@ -1,46 +1,46 @@ function init_git_repo { # Warn and do nothing if test dir envvar is unset - if [ -z $BATS_TEST_DIRNAME ]; then + if [[ -z "$BATS_TEST_DIRNAME" ]]; then echo "WARNING: Required envvar \$BATS_TEST_DIRNAME is unset" # Warn and do nothing if test git repo path already exists - elif [ -e $BATS_TEST_DIRNAME/.git ]; then + elif [[ -e "$BATS_TEST_DIRNAME/.git" ]]; then echo "WARNING: Test repo already exists at $BATS_TEST_DIRNAME/.git" else # Initialise test git repo at the same path as the test files - git init $BATS_TEST_DIRNAME + git init "$BATS_TEST_DIRNAME" # Flag test git repo as 100% the test one, for safety before later removal - touch $BATS_TEST_DIRNAME/.git/repo-for-transcrypt-bats-tests + touch "$BATS_TEST_DIRNAME"/.git/repo-for-transcrypt-bats-tests fi } function nuke_git_repo { # Warn and do nothing if test dir envvar is unset - if [ -z $BATS_TEST_DIRNAME ]; then + if [[ -z "$BATS_TEST_DIRNAME" ]]; then echo "WARNING: Required envvar \$BATS_TEST_DIRNAME is unset" # Warn and do nothing if the test git repo is missing the flag file that # ensures it *really* is the test one, as set by the 'init_git_repo' function - elif [ ! -e $BATS_TEST_DIRNAME/.git/repo-for-transcrypt-bats-tests ]; then + elif [[ ! -e "$BATS_TEST_DIRNAME/.git/repo-for-transcrypt-bats-tests" ]]; then echo "WARNING: Aborting delete of non-test Git repo at $BATS_TEST_DIRNAME/.git" else # Forcibly delete the test git repo - rm -fR $BATS_TEST_DIRNAME/.git + rm -fR "$BATS_TEST_DIRNAME"/.git fi } function cleanup_all { nuke_git_repo - rm $BATS_TEST_DIRNAME/.gitattributes - rm -f $BATS_TEST_DIRNAME/sensitive_file + rm "$BATS_TEST_DIRNAME"/.gitattributes + rm -f "$BATS_TEST_DIRNAME"/sensitive_file } function init_transcrypt { - $BATS_TEST_DIRNAME/../transcrypt --cipher=aes-256-cbc --password=abc123 --yes + "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password=abc123 --yes } function encrypt_named_file { filename="$1" content=$2 - if [ "$content" ]; then + if [[ "$content" ]]; then echo "$content" > "$filename" fi echo "\"$filename\" filter=crypt diff=crypt merge=crypt" >> .gitattributes @@ -49,14 +49,14 @@ function encrypt_named_file { } function setup { - pushd $BATS_TEST_DIRNAME + pushd "$BATS_TEST_DIRNAME" || exit 1 init_git_repo - if [ ! "$SETUP_SKIP_INIT_TRANSCRYPT" ]; then + if [[ ! "$SETUP_SKIP_INIT_TRANSCRYPT" ]]; then init_transcrypt fi } function teardown { cleanup_all - popd + popd || exit 1 } diff --git a/tests/test_cleanup.bats b/tests/test_cleanup.bats index f7866ad..395a905 100755 --- a/tests/test_cleanup.bats +++ b/tests/test_cleanup.bats @@ -1,6 +1,6 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" SECRET_CONTENT="My secret content" SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK9gPn" @@ -10,21 +10,21 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Confirm working copy file is decrypted run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Show all changes, caches plaintext due to `cachetextconv` setting run git log -p -- sensitive_file - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT" ]] # Check last line of patch # Look up notes ref to cached plaintext [[ -f $BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt ]] - cached_plaintext_obj=$(cat $BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt) + cached_plaintext_obj=$(cat "$BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt") # Confirm plaintext is cached run git show "$cached_plaintext_obj" - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT" ]] # Check last line of patch # Repack to force all objects into packs (which are trickier to clear) @@ -32,17 +32,17 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Flush credentials run ../transcrypt -f --yes - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] # Confirm working copy file is encrypted run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT_ENC" ]] # Confirm show all changes shows encrypted content, not plaintext git log -p -- sensitive_file run git log -p -- sensitive_file - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT_ENC" ]] # Check last line of patch # Confirm plaintext cache ref was cleared @@ -50,7 +50,7 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Confirm plaintext obj was truly cleared and is no longer visible run git show "$cached_plaintext_obj" - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] } @test "cleanup: transcrypt --uninstall clears cached plaintext" { @@ -58,21 +58,21 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Confirm working copy file is decrypted run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Show all changes, caches plaintext due to `cachetextconv` setting run git log -p -- sensitive_file - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT" ]] # Check last line of patch # Look up notes ref to cached plaintext [[ -f $BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt ]] - cached_plaintext_obj=$(cat $BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt) + cached_plaintext_obj=$(cat "$BATS_TEST_DIRNAME/.git/refs/notes/textconv/crypt") # Confirm plaintext is cached run git show "$cached_plaintext_obj" - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT" ]] # Check last line of patch # Repack to force all objects into packs (which are trickier to clear) @@ -80,17 +80,17 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Uninstall run ../transcrypt --uninstall --yes - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] # Confirm working copy file remains unencrypted (per uninstall contract) run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Confirm show all changes shows encrypted content, not plaintext git log -p -- sensitive_file run git log -p -- sensitive_file - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${output}" = *"+$SECRET_CONTENT_ENC" ]] # Check last line of patch # Confirm plaintext cache ref was cleared @@ -98,5 +98,5 @@ SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK # Confirm plaintext obj was truly cleared and is no longer visible run git show "$cached_plaintext_obj" - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] } diff --git a/tests/test_crypt.bats b/tests/test_crypt.bats index 8971dcf..b93e86c 100755 --- a/tests/test_crypt.bats +++ b/tests/test_crypt.bats @@ -1,6 +1,6 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" SECRET_CONTENT="My secret content" SECRET_CONTENT_ENC="U2FsdGVkX1/kkWK36bn3fbq5DY2d+JXL2YWoN/eoXA1XJZEk9JS7j/856rXK9gPn" @@ -12,8 +12,8 @@ function check_repo_is_clean { @test "crypt: git ls-crypt command is available" { # No encrypted file yet, so command should work with no output run git ls-crypt - [ "$status" -eq 0 ] - [ "${lines[0]}" = "" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "" ]] } @test "crypt: encrypt a file" { @@ -23,56 +23,56 @@ function check_repo_is_clean { @test "crypt: encrypted file contents are decrypted in working copy" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] } @test "crypt: encrypted file contents are encrypted in git (via git show)" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run git show HEAD:sensitive_file --no-textconv - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT_ENC" ]] } @test "crypt: transcrypt --show-raw shows encrypted content" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run ../transcrypt --show-raw sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "==> sensitive_file <==" ] - [ "${lines[1]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "==> sensitive_file <==" ]] + [[ "${lines[1]}" = "$SECRET_CONTENT_ENC" ]] } @test "crypt: git ls-crypt lists encrypted file" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run git ls-crypt - [ "$status" -eq 0 ] - [ "${lines[0]}" = "sensitive_file" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "sensitive_file" ]] } @test "crypt: transcrypt --list lists encrypted file" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run ../transcrypt --list - [ "$status" -eq 0 ] - [ "${lines[0]}" = "sensitive_file" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "sensitive_file" ]] } @test "crypt: transcrypt --uninstall leaves decrypted file and repo dirty" { encrypt_named_file sensitive_file "$SECRET_CONTENT" run ../transcrypt --uninstall --yes - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] run cat .gitattributes - [ "${lines[0]}" = "" ] + [[ "${lines[0]}" = "" ]] run check_repo_is_clean - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] } @test "crypt: git reset after uninstall leaves encrypted file" { @@ -84,9 +84,9 @@ function check_repo_is_clean { check_repo_is_clean run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" != "$SECRET_CONTENT" ] - [ "${lines[0]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" != "$SECRET_CONTENT" ]] + [[ "${lines[0]}" = "$SECRET_CONTENT_ENC" ]] } @test "crypt: handle challenging file names when 'core.quotePath=true'" { @@ -105,35 +105,35 @@ function check_repo_is_clean { # Working copy is decrypted run cat "$FILENAME" - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Git internal copy is encrypted run git show HEAD:"$FILENAME" --no-textconv - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT_ENC" ]] # transcrypt --show-raw shows encrypted content run ../transcrypt --show-raw "$FILENAME" - [ "$status" -eq 0 ] - [ "${lines[0]}" = "==> $FILENAME <==" ] - [ "${lines[1]}" = "$SECRET_CONTENT_ENC" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "==> $FILENAME <==" ]] + [[ "${lines[1]}" = "$SECRET_CONTENT_ENC" ]] # git ls-crypt lists encrypted file run git ls-crypt - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$FILENAME" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$FILENAME" ]] # transcrypt --list lists encrypted file" run ../transcrypt --list - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$FILENAME" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$FILENAME" ]] rm "$FILENAME" } @test "crypt: transcrypt --upgrade applies new merge driver" { - VERSION=`../transcrypt -v | awk '{print $2}'` + VERSION=$(../transcrypt -v | awk '{print $2}') encrypt_named_file sensitive_file "$SECRET_CONTENT" @@ -148,45 +148,45 @@ function check_repo_is_clean { # Check .gitattributes and sensitive_file before re-install run cat .gitattributes - [ "${lines[0]}" = "sensitive_file filter=crypt diff=crypt" ] - [ ! -f .git/crypt/merge ] + [[ "${lines[0]}" = "sensitive_file filter=crypt diff=crypt" ]] + [[ ! -f .git/crypt/merge ]] run git config --get --local transcrypt.version - [ "${lines[0]}" = "0.0" ] + [[ "${lines[0]}" = "0.0" ]] run git config --get --local transcrypt.cipher - [ "${lines[0]}" = "aes-256-cbc" ] + [[ "${lines[0]}" = "aes-256-cbc" ]] run git config --get --local transcrypt.password - [ "${lines[0]}" = "abc123" ] + [[ "${lines[0]}" = "abc123" ]] run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Perform re-install run ../transcrypt --upgrade --yes - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] run git config --get --local transcrypt.version - [ "${lines[0]}" = "$VERSION" ] + [[ "${lines[0]}" = "$VERSION" ]] run git config --get --local transcrypt.cipher - [ "${lines[0]}" = "aes-256-cbc" ] + [[ "${lines[0]}" = "aes-256-cbc" ]] run git config --get --local transcrypt.password - [ "${lines[0]}" = "abc123" ] + [[ "${lines[0]}" = "abc123" ]] # Check sensitive_file is unchanged after re-install run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] # Check merge driver is installed - [ -f .git/crypt/merge ] + [[ -f .git/crypt/merge ]] # Check .gitattributes is updated to include merge driver run cat .gitattributes - [ "${lines[0]}" = "sensitive_file filter=crypt diff=crypt merge=crypt" ] + [[ "${lines[0]}" = "sensitive_file filter=crypt diff=crypt merge=crypt" ]] run check_repo_is_clean - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] } @test "crypt: transcrypt --force handles files missing from working copy" { @@ -205,6 +205,6 @@ function check_repo_is_clean { # Check sensitive_file is present and decrypted run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "$SECRET_CONTENT" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "$SECRET_CONTENT" ]] } diff --git a/tests/test_init.bats b/tests/test_init.bats index 90bbe78..2dd754c 100755 --- a/tests/test_init.bats +++ b/tests/test_init.bats @@ -1,81 +1,82 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" # Custom setup: don't init transcrypt +# shellcheck disable=SC2034 SETUP_SKIP_INIT_TRANSCRYPT=1 @test "init: works at all" { # Use literal command not function to confirm command works at least once run ../transcrypt --cipher=aes-256-cbc --password=abc123 --yes - [ "$status" -eq 0 ] - [ "${lines[0]}" = "The repository has been successfully configured by transcrypt." ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "The repository has been successfully configured by transcrypt." ]] } @test "init: creates .gitattributes" { init_transcrypt - [ -f .gitattributes ] + [[ -f .gitattributes ]] run cat .gitattributes - [ "${lines[0]}" = "#pattern filter=crypt diff=crypt merge=crypt" ] + [[ "${lines[0]}" = "#pattern filter=crypt diff=crypt merge=crypt" ]] } @test "init: creates scripts in .git/crypt/" { init_transcrypt - [ -d .git/crypt ] - [ -f .git/crypt/clean ] - [ -f .git/crypt/smudge ] - [ -f .git/crypt/textconv ] + [[ -d .git/crypt ]] + [[ -f .git/crypt/clean ]] + [[ -f .git/crypt/smudge ]] + [[ -f .git/crypt/textconv ]] } @test "init: applies git config" { init_transcrypt - VERSION=`../transcrypt -v | awk '{print $2}'` - GIT_DIR=`git rev-parse --git-dir` + VERSION=$(../transcrypt -v | awk '{print $2}') - [ `git config --get transcrypt.version` = $VERSION ] - [ `git config --get transcrypt.cipher` = "aes-256-cbc" ] - [ `git config --get transcrypt.password` = "abc123" ] + [[ "$(git config --get transcrypt.version)" = "$VERSION" ]] + [[ "$(git config --get transcrypt.cipher)" = "aes-256-cbc" ]] + [[ "$(git config --get transcrypt.password)" = "abc123" ]] # Use --git-common-dir if available (Git post Nov 2014) otherwise --git-dir + # shellcheck disable=SC2016 if [[ -d $(git rev-parse --git-common-dir) ]]; then - [[ `git config --get filter.crypt.clean` = '"$(git rev-parse --git-common-dir)"/crypt/clean %f' ]] - [[ `git config --get filter.crypt.smudge` = '"$(git rev-parse --git-common-dir)"/crypt/smudge' ]] - [[ `git config --get diff.crypt.textconv` = '"$(git rev-parse --git-common-dir)"/crypt/textconv' ]] + [[ "$(git config --get filter.crypt.clean)" = '"$(git rev-parse --git-common-dir)"/crypt/clean %f' ]] + [[ "$(git config --get filter.crypt.smudge)" = '"$(git rev-parse --git-common-dir)"/crypt/smudge' ]] + [[ "$(git config --get diff.crypt.textconv)" = '"$(git rev-parse --git-common-dir)"/crypt/textconv' ]] else - [[ `git config --get filter.crypt.clean` = '"$(git rev-parse --git-dir)"/crypt/clean %f' ]] - [[ `git config --get filter.crypt.smudge` = '"$(git rev-parse --git-dir)"/crypt/smudge' ]] - [[ `git config --get diff.crypt.textconv` = '"$(git rev-parse --git-dir)"/crypt/textconv' ]] + [[ "$(git config --get filter.crypt.clean)" = '"$(git rev-parse --git-dir)"/crypt/clean %f' ]] + [[ "$(git config --get filter.crypt.smudge)" = '"$(git rev-parse --git-dir)"/crypt/smudge' ]] + [[ "$(git config --get diff.crypt.textconv)" = '"$(git rev-parse --git-dir)"/crypt/textconv' ]] fi - [ `git config --get filter.crypt.required` = "true" ] - [ `git config --get diff.crypt.cachetextconv` = "true" ] - [ `git config --get diff.crypt.binary` = "true" ] - [ `git config --get merge.renormalize` = "true" ] + [[ "$(git config --get filter.crypt.required)" = "true" ]] + [[ "$(git config --get diff.crypt.cachetextconv)" = "true" ]] + [[ "$(git config --get diff.crypt.binary)" = "true" ]] + [[ "$(git config --get merge.renormalize)" = "true" ]] - [[ `git config --get alias.ls-crypt` = "!git -c core.quotePath=false ls-files"* ]] + [[ "$(git config --get alias.ls-crypt)" = "!git -c core.quotePath=false ls-files | git -c core.quotePath=false check-attr --stdin filter | awk 'BEGIN { FS = \":\" }; /crypt$/{ print \$1 }'" ]] } @test "init: show details for --display" { init_transcrypt - VERSION=`../transcrypt -v | awk '{print $2}'` + VERSION=$(../transcrypt -v | awk '{print $2}') run ../transcrypt --display - [ "$status" -eq 0 ] - [ "${lines[0]}" = "The current repository was configured using transcrypt version $VERSION" ] - [ "${lines[5]}" = " CIPHER: aes-256-cbc" ] - [ "${lines[6]}" = " PASSWORD: abc123" ] - [ "${lines[8]}" = " transcrypt -c aes-256-cbc -p 'abc123'" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "The current repository was configured using transcrypt version $VERSION" ]] + [[ "${lines[5]}" = " CIPHER: aes-256-cbc" ]] + [[ "${lines[6]}" = " PASSWORD: abc123" ]] + [[ "${lines[8]}" = " transcrypt -c aes-256-cbc -p 'abc123'" ]] } @test "init: show details for -d" { init_transcrypt - VERSION=`../transcrypt -v | awk '{print $2}'` + VERSION=$(../transcrypt -v | awk '{print $2}') run ../transcrypt -d - [ "$status" -eq 0 ] - [ "${lines[0]}" = "The current repository was configured using transcrypt version $VERSION" ] - [ "${lines[5]}" = " CIPHER: aes-256-cbc" ] - [ "${lines[6]}" = " PASSWORD: abc123" ] - [ "${lines[8]}" = " transcrypt -c aes-256-cbc -p 'abc123'" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "The current repository was configured using transcrypt version $VERSION" ]] + [[ "${lines[5]}" = " CIPHER: aes-256-cbc" ]] + [[ "${lines[6]}" = " PASSWORD: abc123" ]] + [[ "${lines[8]}" = " transcrypt -c aes-256-cbc -p 'abc123'" ]] } diff --git a/tests/test_merge.bats b/tests/test_merge.bats index 448f40c..b293be6 100755 --- a/tests/test_merge.bats +++ b/tests/test_merge.bats @@ -1,6 +1,6 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" @test "merge: branches with encrypted file - addition, no conflict" { echo "1. First step" > sensitive_file @@ -15,9 +15,9 @@ load $BATS_TEST_DIRNAME/_test_helper.bash git merge branch-2 run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "1. First step" ] - [ "${lines[1]}" = "2. Second step" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "1. First step" ]] + [[ "${lines[1]}" = "2. Second step" ]] } @test "merge: branches with encrypted file - line change incoming branch, no conflict" { @@ -32,12 +32,12 @@ load $BATS_TEST_DIRNAME/_test_helper.bash git checkout - run git merge branch-2 - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "1. Step the first" ] - [ "${lines[1]}" = "2. Second step" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "1. Step the first" ]] + [[ "${lines[1]}" = "2. Second step" ]] } @test "merge: branches with encrypted file - line changes both branches, no conflict" { @@ -60,13 +60,13 @@ load $BATS_TEST_DIRNAME/_test_helper.bash git commit -m "Add line 3" run git merge branch-2 - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "1. Step the first" ] - [ "${lines[1]}" = "2. Second step" ] - [ "${lines[2]}" = "3. Third step" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "1. Step the first" ]] + [[ "${lines[1]}" = "2. Second step" ]] + [[ "${lines[2]}" = "3. Third step" ]] } @test "merge: branches with encrypted file - line changes both branches, with conflicts" { @@ -85,15 +85,15 @@ load $BATS_TEST_DIRNAME/_test_helper.bash git commit -m "Change line 1 in original branch to set up conflict" run git merge branch-2 - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] [[ "${output}" = *"CONFLICT (content): Merge conflict in sensitive_file"* ]] run cat sensitive_file - [ "$status" -eq 0 ] - [ "${lines[0]}" = "<<<<<<< master" ] - [ "${lines[1]}" = "a. First step" ] - [ "${lines[2]}" = "=======" ] - [ "${lines[3]}" = "1. Step the first" ] - [ "${lines[4]}" = "2. Second step" ] - [ "${lines[5]}" = ">>>>>>> branch-2" ] + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "<<<<<<< master" ]] + [[ "${lines[1]}" = "a. First step" ]] + [[ "${lines[2]}" = "=======" ]] + [[ "${lines[3]}" = "1. Step the first" ]] + [[ "${lines[4]}" = "2. Second step" ]] + [[ "${lines[5]}" = ">>>>>>> branch-2" ]] } diff --git a/tests/test_not_inited.bats b/tests/test_not_inited.bats index df2b73a..b948f47 100755 --- a/tests/test_not_inited.bats +++ b/tests/test_not_inited.bats @@ -1,10 +1,11 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" # Custom setup: don't init transcrypt # We need to init and tear down Git repo for these tests, mainly to avoid # falling back to the transcrypt repo's Git config and partial transcrypt setup +# shellcheck disable=SC2034 SETUP_SKIP_INIT_TRANSCRYPT=1 @@ -12,34 +13,34 @@ SETUP_SKIP_INIT_TRANSCRYPT=1 @test "not inited: show help for --help" { run ../transcrypt --help - [ "${lines[1]}" = " transcrypt -- transparently encrypt files within a git repository" ] + [[ "${lines[1]}" = " transcrypt -- transparently encrypt files within a git repository" ]] } @test "not inited: show help for -h" { run ../transcrypt -h - [ "${lines[1]}" = " transcrypt -- transparently encrypt files within a git repository" ] + [[ "${lines[1]}" = " transcrypt -- transparently encrypt files within a git repository" ]] } @test "not inited: show version for --version" { - VERSION=`../transcrypt -v | awk '{print $2}'` + VERSION=$(../transcrypt -v | awk '{print $2}') run ../transcrypt --version - [ "${lines[0]}" = "transcrypt $VERSION" ] + [[ "${lines[0]}" = "transcrypt $VERSION" ]] } @test "not inited: show version for -v" { - VERSION=`../transcrypt -v | awk '{print $2}'` + VERSION=$(../transcrypt -v | awk '{print $2}') run ../transcrypt -v - [ "${lines[0]}" = "transcrypt $VERSION" ] + [[ "${lines[0]}" = "transcrypt $VERSION" ]] } @test "not inited: no files listed for --list" { run ../transcrypt --list - [ "${lines[0]}" = "" ] + [[ "${lines[0]}" = "" ]] } @test "not inited: no files listed for -l" { run ../transcrypt -l - [ "${lines[0]}" = "" ] + [[ "${lines[0]}" = "" ]] } @@ -47,31 +48,31 @@ SETUP_SKIP_INIT_TRANSCRYPT=1 @test "not inited: error on --display" { run ../transcrypt --display - [ "$status" -ne 0 ] - [ "${lines[0]}" = "transcrypt: the current repository is not configured" ] + [[ "$status" -ne 0 ]] + [[ "${lines[0]}" = "transcrypt: the current repository is not configured" ]] } @test "not inited: error on -d" { run ../transcrypt -d - [ "$status" -ne 0 ] - [ "${lines[0]}" = "transcrypt: the current repository is not configured" ] + [[ "$status" -ne 0 ]] + [[ "${lines[0]}" = "transcrypt: the current repository is not configured" ]] } @test "not inited: error on --uninstall" { run ../transcrypt --uninstall - [ "$status" -ne 0 ] - [ "${lines[0]}" = "transcrypt: the current repository is not configured" ] + [[ "$status" -ne 0 ]] + [[ "${lines[0]}" = "transcrypt: the current repository is not configured" ]] } @test "not inited: error on -u" { run ../transcrypt -u - [ "$status" -ne 0 ] - [ "${lines[0]}" = "transcrypt: the current repository is not configured" ] + [[ "$status" -ne 0 ]] + [[ "${lines[0]}" = "transcrypt: the current repository is not configured" ]] } @test "not inited: error on --upgrade" { run ../transcrypt --upgrade - [ "$status" -ne 0 ] - [ "${lines[0]}" = "transcrypt: the current repository is not configured" ] + [[ "$status" -ne 0 ]] + [[ "${lines[0]}" = "transcrypt: the current repository is not configured" ]] } diff --git a/tests/test_pre_commit.bats b/tests/test_pre_commit.bats index ea930b0..781bbf9 100755 --- a/tests/test_pre_commit.bats +++ b/tests/test_pre_commit.bats @@ -1,17 +1,17 @@ #!/usr/bin/env bats -load $BATS_TEST_DIRNAME/_test_helper.bash +load "$BATS_TEST_DIRNAME/_test_helper.bash" @test "pre-commit: pre-commit hook installed on init" { # Confirm pre-commit-crypt file is installed - [ -f .git/hooks/pre-commit-crypt ] + [[ -f .git/hooks/pre-commit-crypt ]] run cat .git/hooks/pre-commit-crypt - [ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ] + [[ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ]] # Confirm hook is also installed/activated at pre-commit file name - [ -f .git/hooks/pre-commit ] + [[ -f .git/hooks/pre-commit ]] run cat .git/hooks/pre-commit - [ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ] + [[ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ]] } @test "pre-commit: permit commit of encrypted file with encrypted content" { @@ -21,10 +21,10 @@ load $BATS_TEST_DIRNAME/_test_helper.bash echo " and more secrets" >> sensitive_file git add sensitive_file run git commit -m "Added more" - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] run git log --format=oneline - [ "$status" -eq 0 ] + [[ "$status" -eq 0 ]] [[ "${lines[0]}" = *"Added more" ]] [[ "${lines[1]}" = *"Encrypt file \"sensitive_file\"" ]] } @@ -43,7 +43,7 @@ load $BATS_TEST_DIRNAME/_test_helper.bash # Confirm the pre-commit rejects plain text content in what should be # an encrypted file run git commit -m "Added more" - [ "$status" -ne 0 ] + [[ "$status" -ne 0 ]] [[ "${output}" = *"Transcrypt managed file is not encrypted in the Git index: sensitive_file"* ]] [[ "${output}" = *"You probably staged this file using a tool that does not apply .gitattribute filters as required by Transcrypt."* ]] [[ "${output}" = *"Fix this by re-staging the file with a compatible tool or with Git on the command line:"* ]] @@ -53,37 +53,37 @@ load $BATS_TEST_DIRNAME/_test_helper.bash @test "pre-commit: warn and don't clobber existing pre-commit hook on init" { # Uninstall pre-existing transcrypt config from setup() - run $BATS_TEST_DIRNAME/../transcrypt --uninstall --yes + run "$BATS_TEST_DIRNAME"/../transcrypt --uninstall --yes # Create a pre-existing pre-commit hook touch .git/hooks/pre-commit - run $BATS_TEST_DIRNAME/../transcrypt --cipher=aes-256-cbc --password=abc123 --yes - [ "$status" -eq 0 ] - [ "${lines[0]}" = "WARNING:" ] - [ "${lines[1]}" = "Cannot install Git pre-commit hook script because file already exists: .git/hooks/pre-commit" ] - [ "${lines[2]}" = "Please manually install the pre-commit script saved as: .git/hooks/pre-commit-crypt" ] + run "$BATS_TEST_DIRNAME"/../transcrypt --cipher=aes-256-cbc --password=abc123 --yes + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = "WARNING:" ]] + [[ "${lines[1]}" = "Cannot install Git pre-commit hook script because file already exists: .git/hooks/pre-commit" ]] + [[ "${lines[2]}" = "Please manually install the pre-commit script saved as: .git/hooks/pre-commit-crypt" ]] # Confirm pre-commit-crypt file is installed, but not copied to pre-commit run cat .git/hooks/pre-commit-crypt - [ "$status" -eq 0 ] - [ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ] - [ ! -s .git/hooks/pre-commit ] # Zero file size + [[ "$status" -eq 0 ]] + [[ "${lines[1]}" = '# Transcrypt pre-commit hook: fail if secret file in staging lacks the magic prefix "Salted" in B64' ]] + [[ ! -s .git/hooks/pre-commit ]] # Zero file size] } @test "pre-commit: de-activate and remove transcrypt's pre-commit hook" { - $BATS_TEST_DIRNAME/../transcrypt --uninstall --yes - [ ! -f .git/hooks/pre-commit ] - [ ! -f .git/hooks/pre-commit-crypt ] + "$BATS_TEST_DIRNAME"/../transcrypt --uninstall --yes + [[ ! -f .git/hooks/pre-commit ]] + [[ ! -f .git/hooks/pre-commit-crypt ]] } @test "pre-commit: warn and don't delete customised pre-commit hook on uninstall" { # Customise transcrypt's pre-commit hook echo "#" >> .git/hooks/pre-commit - run $BATS_TEST_DIRNAME/../transcrypt --uninstall --yes - [ "$status" -eq 0 ] - [ "${lines[0]}" = 'WARNING: Cannot safely disable Git pre-commit hook .git/hooks/pre-commit please check it yourself' ] - [ -f .git/hooks/pre-commit ] - [ ! -f .git/hooks/pre-commit-crypt ] + run "$BATS_TEST_DIRNAME"/../transcrypt --uninstall --yes + [[ "$status" -eq 0 ]] + [[ "${lines[0]}" = 'WARNING: Cannot safely disable Git pre-commit hook .git/hooks/pre-commit please check it yourself' ]] + [[ -f .git/hooks/pre-commit ]] + [[ ! -f .git/hooks/pre-commit-crypt ]] } diff --git a/transcrypt b/transcrypt index ba871ce..610b94f 100755 --- a/transcrypt +++ b/transcrypt @@ -16,7 +16,7 @@ set -euo pipefail ##### CONSTANTS # the release version of this script -readonly VERSION='2.0.0' +readonly VERSION='2.1.0' # the default cipher to utilize readonly DEFAULT_CIPHER='aes-256-cbc' @@ -596,7 +596,7 @@ uninstall_transcrypt() { # rename helper hooks (don't delete, in case user has custom changes) pre_commit_hook="${RELATIVE_GIT_DIR}/hooks/pre-commit" pre_commit_hook_installed="${RELATIVE_GIT_DIR}/hooks/pre-commit-crypt" - if [ -f "$pre_commit_hook" ]; then + if [[ -f "$pre_commit_hook" ]]; then hook_md5=$(openssl md5 -hex <"$pre_commit_hook") installed_md5=$(openssl md5 -hex <"$pre_commit_hook_installed") if [[ "$hook_md5" = "$installed_md5" ]]; then @@ -680,7 +680,7 @@ upgrade_transcrypt() { save_configuration # Re-instate contents of .gitattributes - echo "$ORIG_GITATTRIBUTES" > "$GIT_ATTRIBUTES" + echo "$ORIG_GITATTRIBUTES" >"$GIT_ATTRIBUTES" # Update .gitattributes for transcrypt'ed files to include "merge=crypt" config case $OSTYPE in @@ -880,10 +880,10 @@ help() { $ transcrypt Once a repository has been configured with transcrypt, you can trans- - parently encrypt files by applying the "crypt" filter and diff to a - pattern in the top-level .gitattributes config. If that pattern matches - a file in your repository, the file will be transparently encrypted - once you stage and commit it: + parently encrypt files by applying the "crypt" filter, diff and merge + to a pattern in the top-level .gitattributes config. If that pattern + matches a file in your repository, the file will be transparently + encrypted once you stage and commit it: $ echo 'sensitive_file filter=crypt diff=crypt merge=crypt' >> .gitattributes $ git add .gitattributes sensitive_file