1 | "use strict";
// Down-levelled async/await helper (the shape TypeScript emits for pre-ES2017 targets).
// Reuses an existing `this.__awaiter` when one is present; otherwise drives the
// generator `generator` to completion, treating every yielded value as something
// to await, and returns a promise (of constructor `P`, default `Promise`) for the
// generator's return value.
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    if (!P) {
        P = Promise;
    }
    return new P(function (resolve, reject) {
        // Resume the generator with the settled value of the last yield.
        function onFulfilled(value) {
            try {
                advance(generator.next(value));
            }
            catch (err) {
                reject(err);
            }
        }
        // Re-raise a rejection inside the generator so its own try/catch can see it.
        function onRejected(reason) {
            try {
                advance(generator["throw"](reason));
            }
            catch (err) {
                reject(err);
            }
        }
        // Either finish with the return value or wait for the yielded value to settle.
        function advance(result) {
            if (result.done) {
                resolve(result.value);
                return;
            }
            var pending = new P(function (settle) {
                settle(result.value);
            });
            pending.then(onFulfilled, onRejected);
        }
        // Instantiate the generator with the caller's `this` and arguments, then start it.
        generator = generator.apply(thisArg, _arguments || []);
        advance(generator.next());
    });
};
|
// CommonJS/ES-module interop helper: a module flagged `__esModule` is returned
// unchanged; anything else is wrapped so callers can always read `.default`.
var __importDefault = (this && this.__importDefault) || function (mod) {
    if (mod && mod.__esModule) {
        return mod;
    }
    return { "default": mod };
};
|
36 | Object.defineProperty(exports, "__esModule", { value: true });
|
37 | const config_1 = __importDefault(require("./config"));
|
38 | const gcloud_1 = __importDefault(require("./gcloud"));
|
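/**
 * Resolves the service's secrets (per-repository GitHub tokens and the webhook
 * secret) by sending the configured ciphertext to Cloud KMS for decryption, and
 * memoises the resulting plaintext in memory.
 *
 * Security notes for maintainers:
 *  - Decrypted secrets stay in `decryptedKeys` for as long as the instance lives;
 *    there is no eviction, so rotating a secret requires a new instance/process.
 *  - Only the cache label is logged. Never log `encryptedBase64` or the plaintext.
 *  - Lookups fail closed: an unknown repo, a missing ciphertext or an empty KMS
 *    plaintext raises instead of handing an empty/undefined secret to the caller.
 */
class KeyManager {
    constructor() {
        // cacheKey -> decrypted secret (plaintext string).
        this.decryptedKeys = new Map();
    }
    /**
     * Returns the decrypted GitHub token configured for `repo`.
     *
     * @param {string} repo Key into `config.repos`.
     * @returns {Promise<string>} The plaintext token.
     * @throws {Error} If `repo` is not an own entry of `config.repos`.
     */
    getGithubToken(repo) {
        return __awaiter(this, void 0, void 0, function* () {
            const repos = config_1.default.repos;
            // Own-property check: a name such as "constructor" or "__proto__" would
            // otherwise resolve through the prototype chain to a non-config object,
            // and an unknown name would surface as an opaque TypeError.
            if (!repos || !Object.prototype.hasOwnProperty.call(repos, repo)) {
                // JSON.stringify escapes control characters, so a caller-supplied
                // name cannot forge extra lines if this message ends up in a log.
                throw new Error(`No GitHub token configured for repo ${JSON.stringify(repo)}`);
            }
            return this.getDecrypted(repos[repo].encryptedGithubToken, `GITHUB_TOKEN-${repo}`);
        });
    }
    /**
     * Returns the decrypted webhook secret from `config.encryptedWebhookSecret`.
     *
     * @returns {Promise<string>} The plaintext secret.
     */
    getWebhookSecret() {
        return __awaiter(this, void 0, void 0, function* () {
            return this.getDecrypted(config_1.default.encryptedWebhookSecret, 'WEBHOOK_SECRET');
        });
    }
    /**
     * Decrypts `encryptedBase64` with the KMS key named in `config.kms`, caching
     * the plaintext under `cacheKey`. Failures are not cached, so a later call
     * retries. Concurrent first calls for the same key may each reach KMS, since
     * the cache is only filled after the decrypt call returns.
     *
     * @param {string} encryptedBase64 Base64 ciphertext passed to KMS as-is.
     * @param {string} cacheKey Label used for the cache entry and the log line.
     * @returns {Promise<string>} The decrypted secret.
     * @throws {Error} If no ciphertext is supplied or KMS returns no plaintext.
     */
    getDecrypted(encryptedBase64, cacheKey) {
        return __awaiter(this, void 0, void 0, function* () {
            const cached = this.decryptedKeys.get(cacheKey);
            if (cached !== undefined) {
                return cached;
            }
            // Refuse to call KMS without a ciphertext (e.g. a half-filled config entry).
            if (typeof encryptedBase64 !== 'string' || encryptedBase64.length === 0) {
                throw new Error(`No ciphertext configured for ${cacheKey}`);
            }
            const google = yield gcloud_1.default();
            const projectId = yield google.auth.getProjectId();
            // Logs the label only; the secret material must stay out of the logs.
            console.log('Decrypting ', cacheKey);
            const keyName = `projects/${projectId}/locations/${config_1.default.kms.location}/keyRings/${config_1.default.kms.keyring}/cryptoKeys/${config_1.default.kms.key}`;
            const response = yield google
                .cloudkms({ version: 'v1' })
                .projects.locations.keyRings.cryptoKeys.decrypt({
                name: keyName,
                requestBody: {
                    ciphertext: encryptedBase64,
                },
            });
            const plaintext = response && response.data ? response.data.plaintext : undefined;
            // Fail closed: an empty secret must never be cached or returned, since a
            // caller using it as a signing key would accept anything signed with "".
            if (typeof plaintext !== 'string' || plaintext.length === 0) {
                throw new Error(`KMS returned no plaintext for ${cacheKey}`);
            }
            // NOTE(review): 'ascii' decoding clears the high bit of every byte, so this
            // assumes the stored secrets are 7-bit ASCII — confirm before storing others.
            const decrypted = Buffer.from(plaintext, 'base64').toString('ascii');
            this.decryptedKeys.set(cacheKey, decrypted);
            return decrypted;
        });
    }
}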
|
// Public surface: the class itself plus one instance created at module load.
// That instance's cache holds decrypted secrets, so treat it as sensitive state.
const sharedKeyManager = new KeyManager();
exports.KeyManager = KeyManager;
exports.keyManager = sharedKeyManager;
|