Merge pull request #402 from vscheuber/main

Export and import of secret values and variables

CHANGELOG.md

@@ -7,6 +7,31 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Add
+
+- rockcarver/frodo-lib#387: Support import of ESVs (variables and secrets). Frodo now supports importing ESV variables and secrets with two new commands:
+  - `frodo esv variable import`
+  - `frodo esv secret import`
+
+- Frodo now supports exporting (and importing) of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo will always encrypt values using either encryption keys from the source environment (default) or the target environment (export option). Frodo will never export secrets in the clear. However, frodo supports importing clear values (as well as importing encrypted values). Use these new commands and parameters to export/import variables and secrets including secret values:
+  - New parameters for existing `frodo esv secret export` and `frodo config export` commands:
+
+      - `--include-active-values` Include the currently active (and loaded) secret value in the export. By default, secret values are encrypted server-side in the environment they are exported from. Use `--target <host url>` to have another environment perform the encryption.
+
+      - `--target <host url>` Host URL of the environment to perform secret value encryption. The URL must resolve to an existing connection profile. Use this option to generate an export that can be imported into the target environment without requiring admin access to the source environment.
+
+  - New `frodo esv secret import` and updated existing `frodo config import` command and note-worthy parameters:
+
+      - `--include-active-values` Import any secret values contained in the import file. By default, secret values are encrypted server-side in the environment they are exported from. Use `--source <host url>` to import a file exported from another environment than the one you are importing to.
+
+      - `--source <host url>` Host URL of the environment which performed secret value encryption. The URL must resolve to an existing connection profile. Use this option to import a file that was exported from a different source environment than the one you are importing to.
+
+- rockcarver/frodo-lib#394: Support for `base64aes` encoding for ESV secrets
+
+### Changed
+
+- Update to frodo-lib 2.0.0-91
+
 ## [2.0.0-64] - 2024-06-21
 
 ### Changed

package.json

@@ -35,6 +35,7 @@
     "test": "npm run test:only",
     "test:only": "NODE_OPTIONS='--no-warnings --experimental-vm-modules' npx jest --silent",
     "test:debug": "NODE_OPTIONS='--no-warnings --experimental-vm-modules' npx jest --verbose=true --silent=false",
+    "test:update": "NODE_OPTIONS='--no-warnings --experimental-vm-modules' npx jest --verbose=true --silent=false --updateSnapshot",
     "lint": "eslint --ext .ts --ignore-path .gitignore .",
     "lint:fix": "eslint --fix --ext .ts --ignore-path .gitignore .",
     "build": "npm run build:binary",
@@ -113,7 +114,7 @@
     ]
   },
   "devDependencies": {
-    "@rockcarver/frodo-lib": "2.0.0-88",
+    "@rockcarver/frodo-lib": "2.0.0-91",
     "@types/colors": "^1.2.1",
     "@types/fs-extra": "^11.0.1",
     "@types/jest": "^29.2.3",

src/cli/config/config-export.ts

@@ -1,6 +1,7 @@
 import { state } from '@rockcarver/frodo-lib';
 import { Option } from 'commander';
 
+import * as s from '../../help/SampleData';
 import { getTokens } from '../../ops/AuthenticateOps';
 import {
   exportEverythingToFile,
@@ -60,6 +61,41 @@ export default function setup() {
         'Export all scripts including the default scripts.'
       )
     )
+    .addOption(
+      new Option(
+        '--include-active-values',
+        'Include the currently active (and loaded) secret value in the export. By default, secret values are encrypted server-side in the environment they are exported from. Use --target <host url> to have another environment perform the encryption.'
+      )
+    )
+    .addOption(
+      new Option(
+        '--target <host url>',
+        'Host URL of the environment to perform secret value encryption. The URL must resolve to an existing connection profile. Use this option to generate an export that can be imported into the target environment without requiring admin access to the source environment.'
+      )
+    )
+    .addHelpText(
+      'after',
+      `How Frodo handles secrets:\n`['brightGreen'] +
+        `  Frodo supports exporting and importing of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo always encrypts values using either encryption keys from the source environment (default) or the target environment (--target parameter). Frodo never exports secrets in the clear.\n\n`[
+          'brightGreen'
+        ] +
+        `Usage Examples:\n` +
+        `  Backup global and active realm configuration including active secret values to a single file (Note: only values of active and loaded secrets can be exported):\n` +
+        `  $ frodo config export -a --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Backup global and active realm configuration including active secret values to individual files in a directory structure (Note: only values of active and loaded secrets can be exported):\n` +
+        `  $ frodo config export -A -D ${s.connId}-backup --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Export global and active realm configuration including active secret values for import into another environment.\n` +
+        `  The --target parameter instructs frodo to encrypt the exported secret values using the target environment so they can be imported into that target environment without requiring the source environment they were exported from.\n` +
+        `  Using the --target parameter, the target environment must be available at the time of export and the person performing the export must have a connection profile for the target environment.\n` +
+        `  Without the --target parameter, the source environment must be available at the time of import and the person performing the import must have a connection profile for the source environment.\n` +
+        `  $ frodo config export -a --include-active-values --target ${s.connId2} ${s.connId}\n`[
+          'brightCyan'
+        ]
+    )
     .action(
       // implement command logic inside action handler
       async (host, realm, user, password, options, command) => {
@@ -82,6 +118,8 @@ export default function setup() {
               noDecode: options.decode,
               coords: options.coords,
               includeDefault: options.default,
+              includeActiveValues: options.includeActiveValues,
+              target: options.target,
             }
           );
           if (!outcome) process.exitCode = 1;
@@ -106,6 +144,8 @@ export default function setup() {
               noDecode: options.decode,
               coords: options.coords,
               includeDefault: options.default,
+              includeActiveValues: options.includeActiveValues,
+              target: options.target,
             }
           );
           if (!outcome) process.exitCode = 1;

src/cli/config/config-import.ts

@@ -1,6 +1,7 @@
 import { state } from '@rockcarver/frodo-lib';
 import { Option } from 'commander';
 
+import * as s from '../../help/SampleData';
 import { getTokens } from '../../ops/AuthenticateOps';
 import {
   importEverythingFromFile,
@@ -57,6 +58,40 @@ export default function setup() {
         'Import all scripts including the default scripts.'
       )
     )
+    .addOption(
+      new Option(
+        '--include-active-values',
+        'Import any secret values contained in the import file. By default, secret values are encrypted server-side in the environment they are exported from. Use --source <host url> to import a file exported from another environment than the one you are importing to.'
+      )
+    )
+    .addOption(
+      new Option(
+        '--source <host url>',
+        'Host URL of the environment which performed secret value encryption. The URL must resolve to an existing connection profile. Use this option to import a file that was exported from a different source environment than the one you are importing to.'
+      )
+    )
+    .addHelpText(
+      'after',
+      `How Frodo handles secrets:\n`['brightGreen'] +
+        `  Frodo supports exporting and importing of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo always encrypts values using either encryption keys from the source environment (default) or the target environment (--target parameter). Frodo never exports secrets in the clear.\n\n`[
+          'brightGreen'
+        ] +
+        `Usage Examples:\n` +
+        `  Restore global and active realm configuration including active secret values from a single file (Note: config export must have been performed using the --include-active-values option):\n` +
+        `  $ frodo config import -a -f Alpha.everything.json --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Restore global and active realm configuration including active secret values from separate files in a directory structure (Note: config export must have been performed using the --include-active-values option):\n` +
+        `  $ frodo config import -A -D ${s.connId}-backup --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Import global and active realm configuration including active secret values, wich were exported from another environment using the --include-active-values option but without using the --target parameter, therefore requiring the --source parameter on import:\n` +
+        `  The --source parameter instructs frodo to decrypt the secret values during import using the source environment, which was used to encrypt them.\n` +
+        `  Using the --source parameter, the source environment must be available at the time of import and the person performing the import must have a connection profile for the source environment.\n` +
+        `  $ frodo config import -a -f Alpha.everything.json --include-active-values --source ${s.connId} ${s.connId2}\n`[
+          'brightCyan'
+        ]
+    )
     .action(
       // implement command logic inside action handler
       async (host, realm, user, password, options, command) => {
@@ -84,6 +119,8 @@ export default function setup() {
             global: options.global,
             realm: options.realm,
             includeDefault: options.default,
+            includeActiveValues: options.includeActiveValues,
+            source: options.source,
           });
           if (!outcome) process.exitCode = 1;
         }
@@ -106,6 +143,8 @@ export default function setup() {
             global: options.global,
             realm: options.realm,
             includeDefault: options.default,
+            includeActiveValues: options.includeActiveValues,
+            source: options.source,
           });
           if (!outcome) process.exitCode = 1;
         }

src/cli/conn/conn-save.ts

@@ -58,11 +58,11 @@ export default function setup() {
           'brightCyan'
         ] +
         `  Save an existing service account to an existing or new connection profile:\n` +
-        `  $ frodo conn save --sa-id ${s.saId} --sa-jwk-file ${s.saJwkFile} ${s.amBaseUrl}'\n`[
+        `  $ frodo conn save --sa-id ${s.saId} --sa-jwk-file ${s.saJwkFile} ${s.amBaseUrl}\n`[
           'brightCyan'
         ] +
         `  Save an existing service account to an existing connection profile (partial host URL only updates an existing profile):\n` +
-        `  $ frodo conn save --sa-id ${s.saId} --sa-jwk-file ${s.saJwkFile} ${s.connId}'\n`[
+        `  $ frodo conn save --sa-id ${s.saId} --sa-jwk-file ${s.saJwkFile} ${s.connId}\n`[
           'brightCyan'
         ]
     )

src/cli/esv/esv-secret-export.ts

@@ -1,6 +1,7 @@
 import { state } from '@rockcarver/frodo-lib';
 import { Option } from 'commander';
 
+import * as s from '../../help/SampleData';
 import { getTokens } from '../../ops/AuthenticateOps';
 import {
   exportSecretsToFile,
@@ -40,6 +41,41 @@ export default function setup() {
         'Does not include metadata in the export file.'
       )
     )
+    .addOption(
+      new Option(
+        '--include-active-values',
+        'Include the currently active (and loaded) secret value in the export. By default, secret values are encrypted server-side in the environment they are exported from. Use --target <host url> to have another environment perform the encryption.'
+      )
+    )
+    .addOption(
+      new Option(
+        '--target <host url>',
+        'Host URL of the environment to perform secret value encryption. The URL must resolve to an existing connection profile. Use this option to generate an export that can be imported into the target environment without requiring admin access to the source environment.'
+      )
+    )
+    .addHelpText(
+      'after',
+      `How Frodo handles secrets:\n`['brightGreen'] +
+        `  Frodo supports exporting and importing of ESV secret values. To leave stuartship of secret values with the cloud environment where they belong, frodo always encrypts values using either encryption keys from the source environment (default) or the target environment (--target parameter). Frodo never exports secrets in the clear.\n\n`[
+          'brightGreen'
+        ] +
+        `Usage Examples:\n` +
+        `  Export secrets including active secret values to a single file (Note: only values of active and loaded secrets can be exported):\n` +
+        `  $ frodo esv secret export -a --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Export secrets including active secret values to individual files in a directory (Note: only values of active and loaded secrets can be exported):\n` +
+        `  $ frodo esv secret export -A -D ${s.connId}-secrets --include-active-values ${s.connId}\n`[
+          'brightCyan'
+        ] +
+        `  Export secrets including active secret values to a single file for import into another environment.\n` +
+        `  The --target parameter instructs frodo to encrypt the exported secret values using the target environment so they can be imported into that target environment without requiring the source environment they were exported from.\n` +
+        `  Using the --target parameter, the target environment must be available at the time of export and the person performing the export must have a connection profile for the target environment.\n` +
+        `  Without the --target parameter, the source environment must be available at the time of import and the person performing the import must have a connection profile for the source environment.\n` +
+        `  $ frodo esv secret export -a --include-active-values --target ${s.connId2} ${s.connId}\n`[
+          'brightCyan'
+        ]
+    )
     .action(
       // implement command logic inside action handler
       async (host, realm, user, password, options, command) => {
@@ -60,19 +96,27 @@ export default function setup() {
           const outcome = await exportSecretToFile(
             options.secretId,
             options.file,
-            options.metadata
+            options.metadata,
+            options.includeActiveValues,
+            options.target
           );
           if (!outcome) process.exitCode = 1;
         } else if (options.all && (await getTokens())) {
           verboseMessage('Exporting all secrets to a single file...');
           const outcome = await exportSecretsToFile(
             options.file,
-            options.metadata
+            options.metadata,
+            options.includeActiveValues,
+            options.target
           );
           if (!outcome) process.exitCode = 1;
         } else if (options.allSeparate && (await getTokens())) {
           verboseMessage('Exporting all secrets to separate files...');
-          const outcome = await exportSecretsToFiles(options.metadata);
+          const outcome = await exportSecretsToFiles(
+            options.metadata,
+            options.includeActiveValues,
+            options.target
+          );
           if (!outcome) process.exitCode = 1;
         } else {
           printMessage(