| Age | Commit message | Author |
|
This release adds support for encryption, with two new commands "encrypt"
and "decrypt" for encrypting and decrypting files with an RSA private key.
The awwan command can also read an encrypted environment file with the name
".awwan.env.vault", so any secret variables can be stored there and a
script that contains '{{.Val "..."}}' works as usual.
The magic put "#put" can also copy an encrypted file without any changes, as
long as the source file with the ".vault" extension exists.
For environments where awwan needs to operate automatically, for example
in a build system, awwan can read the private key's passphrase automatically
from the file ".ssh/awwan.pass".
=== Bug fixes
* all: do not expand environment during parseScript
* all: fix #require not getting executed on the same start
* _www: fix execute request that still uses "begin_at" and "end_at"
=== Enhancements
* all: make .Vars, .Val, and .Vals panic if values are empty
* all: print any path relative to the base directory
* all: move fields bufout and buferr out of the httpServer struct
|
On a newly cloned repository, running the test will fail when using a symlink:
0 - Decrypt: DecryptOaep: crypto/rsa: decryption error
0 + Decrypt: open testdata/decrypt-wrong-privatekey/.awwan.env.vault:
no such file or directory
|
In environments where the passphrase cannot be entered manually, for
example in automatic integration or deployment, we need some mechanism
by which awwan can be executed to copy or decrypt the encrypted file.
The option is to read the plain passphrase from a file named "awwan.pass"
inside the ".ssh" directory.
If it exists and is not empty, awwan will not prompt for the passphrase from
the terminal and instead uses the content of that file as the passphrase.
|
While at it, also update the documentation index, remove finished TODO
items, and add and expand items in TODO to be more descriptive.
|
While at it, reformat the TypeScript files using prettier v3.0.3.
|
Using api.BuildContext [1] is more efficient than building again because
some of the data from the previous build is cached and can be reused
if the original files haven't changed since the previous build.
While at it, we update the github.com/evanw/esbuild module to the latest
release.
[1] https://esbuild.github.io/api/#rebuild
|
Those fields are used on each HTTP request to /awwan/api/execute, which
makes them unsafe if two or more requests are processed at the same time.
|
All fields used to serve the HTTP API are now moved inside one struct,
including memfsBase, bufout, and buferr.
|
We will move all fields related to HTTP server into one struct later.
|
This is to minimize log length in stdout and stderr, which makes it
more readable.
|
While at it, rename the script for testing encrypted values to allow
other tests without encryption later.
|
This is to prevent copying or executing a command with a value that is
not defined or has a typo, which makes the result empty and may result in
undefined behaviour.
For example, if we have "app_dir = /data/app" and a command in the script
that removes that directory recursively,
sudo rm -r {{.Val "::app_dir}}/bin
will result in removing "/bin" entirely.
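As an added example (not the project's own code), the Go snippet below reproduces the hazard with text/template: a permissive Val lets an undefined key expand to the empty string, so the command above becomes "sudo rm -r /bin", while a Val that panics on an undefined or empty key makes template execution fail instead. The key name "app_dir" (without the "::" prefix) and both vars types are constructed for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// looseVars models the old behaviour: an undefined or empty key expands to "".
type looseVars map[string]string

func (v looseVars) Val(key string) string { return v[key] }

// strictVars models the new behaviour: Val panics on an undefined or empty key
// so a typo in the script can never expand to "" inside a shell command.
type strictVars map[string]string

func (v strictVars) Val(key string) string {
	val := v[key]
	if val == "" {
		panic(fmt.Sprintf("Val: %q is undefined or empty", key))
	}
	return val
}

// renderScript expands script against env. text/template reports a panic
// raised inside a method call as an execution error, so with strictVars the
// caller receives an error instead of a half-expanded command.
func renderScript(script string, env interface{}) (string, error) {
	tmpl, err := template.New("script").Parse(script)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, env); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// script is a constructed line mirroring the commit message's example.
const script = `sudo rm -r {{.Val "app_dir"}}/bin`
```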
|
Using a hidden file (with a "." prefix in the name) clutters the workspace
directory.
Since we already have ".ssh" as an indicator of the workspace, we should use
it, following the same principle that ~/.ssh/ stores the user's private key.
|
This fixes "go install" on cmd/awwan, which does build with the replace
directive in the share module, which causes awwan to not work properly.
|
We change the directory name because "encrypt" is not specific to
encryption only but only for local.
|
Each time a new session is created, locally or remotely, it will
create a new temporary directory.
Previously, the name of the temporary directory was 16 random letters
and numbers.
To distinguish this directory from others, we add the prefix "awwan." to
the name.
|
The sshClient struct wraps the raw SSH connection and SFTP connection,
and provides the methods get, put, sudoGet, sudoPut, mkdir, and rmdirAll.
|
Since loadEnvFromPaths is always called after NewSession, and it is part
of session initialization, we can move the call inside NewSession
to minimize duplicate code.
|
The cryptoContext contains the default hash, the loaded privateKey, a dummy
terminal, the base directory, and the default label; all of those fields are
required for encryption and decryption.
The cryptoContext has three methods: encrypt, decrypt, and
loadPrivateKey.
By moving to a separate struct, the cryptoContext instance can be shared
with Session.
|
When issuing the "#put:" or "#put!" command in the script, if the input
file does not exist it will check for the encrypted file, the one with
the ".vault" extension.
If it exists, the encrypted file will be used as input for the copy operation.
|
Previously, we had NewScriptForLocal, NewScriptForRemote,
ParseScriptForLocal, and ParseScriptForRemote.
Since the script for local and remote is actually the same, and since we
removed applying environment variables on local at 858c26d3d940, we can
merge them into NewScript and ParseScript.
|
Even though the private key exists, not every command execution
requires the private key.
In case it is required and the private key is nil, it will return an
error during decryption.
|
Upon executing the "local" or "play" command, awwan now reads the encrypted
environment file .awwan.env.vault.
The encrypted environment file is generated using the "awwan encrypt" command.
|
This moves the comments related to non-exported fields inside the struct
instead of at the top.
|
The decrypt function accepts the private key and the cipher text to be
decrypted.
This will allow the function to be used by other methods later, not
only by the Decrypt method.
|
Instead of loading the private key in the Encrypt or Decrypt methods, load it
when the Awwan instance is created.
|
|
The type name is lineRange, so the file name should be line_range, not
range.
|
This allows the caller of Encrypt to know the path to the encrypted file.
|
The rsa.EncryptOAEP function has a maximum message size that it can
encrypt (public key size - 2*hash.Size - 2).
To fix this limitation we replace them with the ones in libcrypto
that extend the functions to allow encrypting and decrypting a larger
message.
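As an added example (not awwan's code, nor the libcrypto functions the commit adopted), the Go functions below show the chunking such an extension has to do on top of the standard library: plaintext is split into blocks of at most k - 2*hLen - 2 bytes, each block encrypts to exactly k bytes, and the decryptor re-splits the ciphertext at the modulus size. SHA-256 as the OAEP hash and an empty label are assumed; with a 2048-bit key that gives a 190-byte block limit.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// maxOAEPMessage is the largest plaintext one rsa.EncryptOAEP call accepts:
// k - 2*hLen - 2, with k the modulus size in bytes and hLen the hash size.
func maxOAEPMessage(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// encryptOAEPChunked splits msg into maxOAEPMessage-sized pieces. Each piece
// becomes exactly pub.Size() bytes of ciphertext, so no length header is needed.
func encryptOAEPChunked(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	limit := maxOAEPMessage(pub)
	var out []byte
	for len(msg) > 0 {
		n := len(msg)
		if n > limit {
			n = limit
		}
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg[:n], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, ct...)
		msg = msg[n:]
	}
	return out, nil
}

// decryptOAEPChunked walks the ciphertext in modulus-sized blocks; a length that
// is not a multiple of the key size is truncated or foreign input and is rejected.
func decryptOAEPChunked(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	if len(ct)%priv.Size() != 0 {
		return nil, rsa.ErrDecryption
	}
	var out []byte
	for off := 0; off < len(ct); off += priv.Size() {
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct[off:off+priv.Size()], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}
```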
|
The "decrypt" command accepts a single argument, a file to be decrypted.
It reverses the "encrypt" output to get the plain text back.
|
The Decrypt method decrypts the file using the private key from file
"{{.BaseDir}}/.awwan.key".
The encrypted file must have the extension ".vault", otherwise it will return
an error.
The decrypted file output will be written in the same directory without
the ".vault" extension, in filePlain.
|
The latest ascii.Random uses "crypto/rand", so there is no need to call
rand.Seed.
|
The encrypt command accepts a single argument, the file to be encrypted.
|
The Encrypt method encrypts the file using the private key from file
"{{.BaseDir}}/.awwan.key".
The encrypted file output will be on the same file path with the ".vault"
extension.
|
golangci-lint has become unusable.
It does not provide any useful hints on how to write better Go code.
This change replaces golangci-lint with go vet, fieldalignment and shadow
from x/tools, and revive.
The fieldalignment tool provides hints on better struct size.
The shadow tool provides hints on overwritten or shadowed variables.
The revive tool provides hints on many code analyses that are not covered
by go vet, fieldalignment, and shadow.
|
The latest update on the share module contains refactoring on lib/ssh.
|
Environment variables in the script may only be expanded by the shell on
remote, not always on local.
|
=== Breaking changes
* all: change the line number arguments for the "local" and "play" commands
=== Chores
* all: convert README from Asciidoc to Markdown
* all: move code for development to package internal
* all: add configuration for golangci-lint
* all: move _doc to directory _www
* go.mod: set the Go module version to 1.19
|
I use two remote repositories: GitHub and SourceHut.
GitHub supports rendering README using Asciidoc while SourceHut does not.
This causes a repository that uses README.adoc to be rendered as text in
SourceHut, which makes the repository page less readable.
Also, pkg.go.dev now renders README but only supports Markdown.
Since we cannot control SourceHut and go.dev, the only option is
to support converting Markdown in ciigo so I can write README using
Markdown and the rest of the documentation using Asciidoc.
|