aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorRhys Arkins <[email protected]>2024-12-13 12:31:15 +0100
committerGitHub <[email protected]>2024-12-13 11:31:15 +0000
commit44c83b0901a4a835c1c667d3b33220da1d835766 (patch)
tree054ba0522394717c1a81c9d061255930a43065e5
parentd63ff715cd72891c30faf4c61e9645bff5422e10 (diff)
downloadrenovate-44c83b0901a4a835c1c667d3b33220da1d835766.tar.gz
renovate-44c83b0901a4a835c1c667d3b33220da1d835766.zip
feat: raise error when encrypted + no privateKey (#33085)
-rw-r--r--docs/usage/self-hosted-experimental.md4
-rw-r--r--lib/config/decrypt.spec.ts10
-rw-r--r--lib/config/decrypt.ts11
3 files changed, 24 insertions, 1 deletions
diff --git a/docs/usage/self-hosted-experimental.md b/docs/usage/self-hosted-experimental.md
index 61629fab747..f80219fd96f 100644
--- a/docs/usage/self-hosted-experimental.md
+++ b/docs/usage/self-hosted-experimental.md
@@ -39,6 +39,10 @@ This includes the following:
If set to any value, Renovate will stop using the Docker Hub API (`https://hub.docker.com`) to fetch tags and instead use the normal Docker API for images pulled from `https://index.docker.io`.
+## `RENOVATE_X_ENCRYPTED_STRICT`
+
+If set to `"true"`, a config error Issue will be raised in case repository config contains `encrypted` objects without any `privateKey` defined.
+
## `RENOVATE_X_EXEC_GPID_HANDLE`
If set, Renovate will terminate the whole process group of a terminated child process spawned by Renovate.
diff --git a/lib/config/decrypt.spec.ts b/lib/config/decrypt.spec.ts
index 66d73753ebb..3a056690dba 100644
--- a/lib/config/decrypt.spec.ts
+++ b/lib/config/decrypt.spec.ts
@@ -12,6 +12,7 @@ describe('config/decrypt', () => {
beforeEach(() => {
config = {};
GlobalConfig.reset();
+ delete process.env.RENOVATE_X_ENCRYPTED_STRICT;
});
it('returns empty with no privateKey', async () => {
@@ -30,5 +31,14 @@ describe('config/decrypt', () => {
expect(res.encrypted).toBeUndefined();
expect(res.a).toBeUndefined();
});
+
+ it('throws exception if encrypted found but no privateKey', async () => {
+ config.encrypted = { a: '1' };
+ process.env.RENOVATE_X_ENCRYPTED_STRICT = 'true';
+
+ await expect(decryptConfig(config, repository)).rejects.toThrow(
+ 'config-validation',
+ );
+ });
});
});
diff --git a/lib/config/decrypt.ts b/lib/config/decrypt.ts
index ac560c4d456..80cddcd4908 100644
--- a/lib/config/decrypt.ts
+++ b/lib/config/decrypt.ts
@@ -1,4 +1,5 @@
import is from '@sindresorhus/is';
+import { CONFIG_VALIDATION } from '../constants/error-messages';
import { logger } from '../logger';
import { regEx } from '../util/regex';
import { addSecretForSanitizing } from '../util/sanitize';
@@ -173,7 +174,15 @@ export async function decryptConfig(
}
}
} else {
- logger.error('Found encrypted data but no privateKey');
+ if (process.env.RENOVATE_X_ENCRYPTED_STRICT === 'true') {
+ const error = new Error(CONFIG_VALIDATION);
+ error.validationSource = 'config';
+ error.validationError = 'Encrypted config unsupported';
+ error.validationMessage = `This config contains an encrypted object at location \`$.${key}\` but no privateKey is configured. To support encrypted config, the Renovate administrator must configure a \`privateKey\` in Global Configuration.`;
+ throw error;
+ } else {
+ logger.error('Found encrypted data but no privateKey');
+ }
}
delete decryptedConfig.encrypted;
} else if (is.array(val)) {