[temp] postprocess first pass implementation

Author: dem1fo

examples/file_based_usage.ts

@@ -1,8 +1,10 @@
 // REPLACE ALL REFERENCES TO "_generic_hasher" WITH THE DESIRED ALGORITHM IN THE ALGORITHMS DIRECTORY.
 
+import { existsSync, rmSync } from 'node:fs';
+import { encryptFileWithGpg } from '../src/crypto/gpg';
 import { loadConfig, preprocessFile, processFile } from '../src/index';
 import { makeHasher, ALGORITHM_ID } from './example_algorithm/_generic_hasher';
-import { dirname, join } from 'node:path';
+import { dirname, join, resolve } from 'node:path';
 import { fileURLToPath } from 'node:url';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -12,6 +14,8 @@ const INPUT_PATH = join(__dirname, 'example_algorithm', 'input_10.csv');
 const OUTPUT_PATH = join(__dirname, 'output', 'output_10.csv');
 const VALIDATION_ERRORS_PATH = join(__dirname, 'output', 'validation_errors.csv');
 
+if (existsSync(resolve(__dirname, "output"))) rmSync(join(__dirname, "output"), { recursive: true, force: true});
+
 // load configuration from file
 const configLoadResult = loadConfig({
   configPath: CONFIG_PATH,
@@ -39,4 +43,18 @@ const processFileResult = await processFile({
   hasherFactory: makeHasher,
 });
 // print the result, save the result, etc.
-console.dir(processFileResult, { depth: 3 });
+// console.dir(processFileResult, { depth: 3 });
+
+
+const result = await encryptFileWithGpg({
+  inputPath: processFileResult.outputFilePath!,
+  outputPath: processFileResult.outputFilePath! + '.gpg',
+  gpgPath: "gpg",
+  recipient: '5A42A8421D19427562C5DEBE0CC75DCC440E1B46',
+  // recipient: "9463D5547670C915D23671A8DA57DA502A841FEF",
+  homedir: process.env.HOMEDIR,
+  // signer: "5A42A8421D19427562C5DEBE0CC75DCC440E1B46"
+  signer: "9463D5547670C915D23671A8DA57DA502A841FEF",
+  trustAlways: true,
+});
+console.log(result)

examples/programmatic_usage.ts

@@ -39,6 +39,9 @@ const config: Config.CoreConfiguration = {
       reference: [],
       static: [ "id" ]
     },
+  },
+  post_processing: {
+    
   }
 }
 

src/config/Config.ts

@@ -32,6 +32,7 @@ export namespace Config {
   }
   export type StringBasedSalt = { source: 'STRING'; value: string };
   export type FileBasedSalt =   { source: 'FILE'; value: string; validator_regex?: string };
+  export type CryptoPinentryMode = 'default' | 'loopback';
   export interface CoreConfiguration {
     meta: { id: string }
     source: ColumnMap;
@@ -43,6 +44,11 @@ export namespace Config {
       };
       salt: StringBasedSalt | FileBasedSalt;
     };
+    post_processing?: {
+      encryption?: {
+        key_path: string;
+      }
+    }
   }
   export interface FileConfiguration extends CoreConfiguration {
     isBackup?: boolean;
@@ -61,11 +67,6 @@ export namespace Config {
     destination: ColumnMap;
     destination_map: ColumnMap;
     destination_errors: ColumnMap;
-    post_processing?: {
-      encryption?: {
-        key_path: string;
-      }
-    }
   }
 }
 

src/crypto/gpg.ts

@@ -0,0 +1,169 @@
+import { constants, existsSync } from 'fs';
+import { access } from 'node:fs/promises';
+import { spawn, type StdioOptions } from 'node:child_process';
+import { dirname, join } from 'node:path';
+import os, { homedir } from 'node:os';
+import Debug from 'debug';
+import type { Config } from '../config';
+import { GpgError, GpgErrorCode, type GpgErrorContext } from './gpgErrors';
+import { parseGpgStderr } from './gpgErrorParser';
+import { execFileCapture, type ExecError, type ExecResult } from './util';
+import { defaultGnuPgHome, resolveViaGpgConf } from './gpgDiscover';
+
+const log = Debug('cid::engine::crypto::gpg');
+
+export interface EncryptWithGpgInput {
+  inputPath: string;
+  outputPath: string;
+  gpgPath: string;
+  recipient: string;
+  signer?: string;
+  armor?: boolean;
+  trustAlways?: boolean;
+  homedir?: string;
+  pinentryMode?: Config.CryptoPinentryMode;
+  passphrase?: string;
+  allowOverwrite?: boolean,
+  timeoutMs?: number,
+}
+
+function hasPubKey(listColons: string): boolean {
+  return listColons.split('\n').some(line => line.startsWith('pub:'));
+}
+function hasSecKey(listColons: string): boolean {
+  return listColons.split('\n').some(line => line.startsWith('sec:'));
+}
+
+async function assertKeyExists(gpgPath: string, homedir: string, keyId: string, keyType: 'recipient' | 'signer') {
+  log(`[DEBUG] Checking for ${keyType} key: ${keyId}`);
+
+  const listArgs = keyType === 'signer'
+      ? ['--with-colons', '--homedir', homedir, '--batch', '--yes', '--list-secret-keys', keyId]
+      : ['--with-colons', '--homedir', homedir, '--batch', '--yes', '--list-keys', keyId];
+
+  let out: ExecResult
+  try { out = await execFileCapture(gpgPath, listArgs, { ...process.env, GNUPGHOME: homedir }); }
+  catch (err) {
+    const e = err as ExecError;
+
+    throwDefaultGpgError(e.message, { binary: gpgPath, homedir, args: listArgs });  
+
+    throw parseGpgStderr(
+      e.stderr?.trim().length ? e.stderr : e.stdout || "",
+      { binary: gpgPath, homedir, exitCode: e.code ?? null, args: listArgs, ...(keyType === "recipient" ? { recipient: keyId} : { signer: keyId })}
+    );
+  }
+  
+  const exists = keyType === 'signer' ? hasSecKey(out.stdout) : hasPubKey(out.stdout);
+  
+  if (!exists) throw new GpgError(
+    keyType === 'signer' ? GpgErrorCode.SIGNER_KEY_NOT_FOUND : GpgErrorCode.RECIPIENT_KEY_NOT_FOUND,
+    keyType === 'signer'
+      ? `Signing failed: no private key for signer "${keyId}"`
+      : `Encryption failed: no public key for recipient "${keyId}"`,
+    { binary: gpgPath, homedir, exitCode: 0, args: listArgs, ...(keyType === "recipient" ? { recipient: keyId} : { signer: keyId }) },
+    keyType === 'signer'
+      ? [ 'Ensure your signing key (private key) is present in this keyring and not on a different account.' ]
+      : [ 'Import or publish the recipient\' public key into this keyring.' ]
+  );
+}
+
+function throwDefaultGpgError(message: string, context: GpgErrorContext) {
+  if (message.includes("ENOENT")) throw new GpgError(GpgErrorCode.GPG_NOT_FOUND, `GPG failed to start: ${message}`, context);
+}
+
+async function ensureGpgAvailable(gpgPath: string, homedir: string) {
+  log(`[DEBUG] Ensuring GPG is available at: ${gpgPath}`);
+  const args = ['--version'];
+
+  let out: ExecResult;
+  try { out = await execFileCapture(gpgPath, args, { ...process.env, GNUPGHOME: homedir }); }
+  catch (err) {
+    const e = err as ExecError;
+    throwDefaultGpgError(e.message, { binary: gpgPath, homedir, args });  
+
+    throw new GpgError(
+      GpgErrorCode.GPG_NOT_FOUND,
+      `GPG not available (exit ${e.code}) at "${gpgPath}"`,
+      { binary: gpgPath, homedir, exitCode: e.code ?? null, args },
+      ['Reinstall Gpg4win (Windows) or GnuPG (Linux/macOS) or adjust the configuration to a working gpg.exe.']
+    );
+  }
+  log(`[DEBUG] GPG version output: ${out.stdout.split('\n')[0]}`);
+}
+
+
+export async function encryptFileWithGpg(input: EncryptWithGpgInput) {
+  const homedir = input.homedir ?? defaultGnuPgHome();
+
+  await ensureGpgAvailable(input.gpgPath, homedir);
+
+  // try { await access(inputPath, constants.R_OK); }
+  // catch {
+  //   throw new GpgError(
+  //     GpgErrorCode.INPUT_NOT_READABLE,
+  //     `Cannot read input file: ${inputPath}`,
+  //     { binary: gpg, homedir, inputPath },
+  //     ['Check the file path and permissions.']
+  //   );
+  // }
+
+  // const outputDir = dirname(outputPath);
+  // try { await access(outputDir, constants.W_OK); }
+  // catch {
+  //   throw new GpgError(
+  //     GpgErrorCode.OUTPUT_NOT_WRITABLE,
+  //     `Cannot write to output path: ${outputDir}`,
+  //     { binary: gpg, homedir, outputPath },
+  //     ['Check the file path and permissions.']
+  //   );
+  // }
+
+  // if (!allowOverwrite && existsSync(outputPath)) {
+  //   throw new GpgError(
+  //     GpgErrorCode.OUTPUT_WRITE_FAILED,
+  //     `Refusing to overwrite existing file: ${outputPath}`,
+  //     { outputPath },
+  //     ['Pass allowOverwrite=true to permit overwriting.']);
+  // }
+
+  // await assertKeyExists(gpg, homedir, recipient, 'recipient');
+  // if (signer) await assertKeyExists(gpg, homedir, signer, 'signer');
+
+  // const args = ['--batch', '--yes', '--status-fd', '2', '--homedir', homedir];
+  // if (armor) args.push('--armor');
+  // if (trustAlways) args.push('--trust-model', 'always');
+  // args.push('--output', outputPath);
+
+  // if (signer) {
+  //   args.push('--sign', '--local-user', signer);
+  //   if (pinentryMode === 'loopback') {
+  //     args.push('--pinentry-mode', 'loopback');
+  //     if (passphrase) args.push('--passphrase-fd', '0');
+  //   }
+  // }
+  // args.push('--encrypt');
+  // args.push('--recipient', recipient);
+  // args.push(inputPath);
+
+  // log(`Running: ${JSON.stringify(gpg)} ${args.map(a => JSON.stringify(a)).join(' ')}`);
+
+  // let stderr = ''; let stdout = '';
+  // await new Promise<void>((resolve, reject) => {
+  //   const stdio: StdioOptions = passphrase ? ['pipe', 'pipe', 'pipe'] : ['ignore', 'pipe', 'pipe'];
+  //   const p = spawn(gpg, args, { stdio, env: { ...process.env, GNUPGHOME: homedir }, timeout: timeoutMs });
+  //   p.stdout?.on('data', d => (stdout += String(d)));
+  //   p.stderr?.on('data', d => (stderr += String(d)));
+  //   if (p.stdin && passphrase) { p.stdin.write(passphrase + '\n'); p.stdin.end(); }
+  //   p.once('error', e => reject(new GpgError(
+  //     GpgErrorCode.GENERAL_GPG_ERROR, `Failed to start GPG: ${(e as Error).message}`,
+  //     { binary: gpg, homedir, args }, ['Check antivirus/process control tools and try again.']
+  //   )));
+  //   p.once('close', code => (code === 0 ? resolve() : reject(parseGpgStderr(stderr || stdout, {
+  //     binary: gpg, homedir, recipient , signer, inputPath, outputPath, exitCode: code, args
+  //   }))));
+  // });
+
+  // return { outputPath, recipient, signed: Boolean(signer) };
+}
+

src/crypto/gpgDiscover.ts

@@ -0,0 +1,111 @@
+
+import { existsSync } from 'fs';
+import { join } from 'path';
+import os from 'node:os';
+import Debug from 'debug';
+import { execFileCapture, type ExecError } from './util';
+import { exec } from 'node:child_process';
+const log = Debug('cid::engine::crypto::gpg:discover');
+
+
+export async function resolveViaGpgConf(explicit?: string) {
+  // 1. if explicit path provided, use it.
+  if (explicit && explicit.length > 0) {
+    const homedir = await tryGetHomedirViaGpgConf();
+    log(`[INFO] Using explicit gpg binary at: ${explicit}`);
+    return { gpg: explicit, homedir };
+  }
+
+  // 2. try to use gpgconf to discover homedir
+  const homedir = await tryGetHomedirViaGpgConf();
+
+  // 3. pick a candidate and validate it with the discovered homedir
+  let gpg = "gpg";
+  const okay = await tryGpgVersion(gpg, homedir);
+  if (okay) {
+    log(`[INFO] Using gpg binary at: ${gpg}`);
+    return { gpg, homedir };
+  }
+
+  // 4. PATH 'gpg' didn't work, start probing common locations
+  if (process.platform === 'win32') {
+    const candidate = resolveWindowsGpgBinCandidates().find(existsSync);
+    if (candidate) {
+      const winOkay = await tryGpgVersion(candidate, homedir);
+      if (winOkay) {
+        log(`[INFO] Using gpg binary at: ${candidate}`)
+      }
+    }
+  }
+
+  // 5. Final fallback -> returrn 'gpg' and let the error handling deal with it.
+  log(`[WARN] Falling back to gpg binary 'gpg' without validation.`);
+  return { gpg: 'gpg', homedir };
+}
+
+
+
+
+
+async function tryGetHomedirViaGpgConf() {
+  try {
+    await execFileCapture('gpgconf', ['--version'], process.env);
+    const { stdout: homedir } = await execFileCapture('gpgconf', ['--list-dirs', 'homedir'], process.env);
+    if (homedir && homedir.length > 0) return homedir.trim();
+  }
+  catch (err) {
+    const e = err as ExecError;
+    log(`[ERROR] gpgconf not available or failed (--list-dirs): ${e.message}`);
+    log(`[WARN] Falling back to default GnuPG home directory.`);
+  }
+  return defaultGnuPgHome();
+}
+
+async function tryGpgVersion(gpgPath: string, homedir?: string) {
+  try {
+    const env = homedir ? { ...process.env, GNUPGHOME: homedir } : process.env;
+    const { stdout } = await execFileCapture(gpgPath, ['--version'], env);
+    const firstLine = stdout.split('\n')[0];
+    log(`[DEBUG] Discovered GPG version ${gpgPath}: ${firstLine}`);
+    return true;
+  }
+  catch (err) {
+    const e = err as ExecError;
+    log(`[ERROR] GPG not available or failed (--version): ${e.message}`);
+    return false;
+  }
+}
+
+
+export function defaultGnuPgHome(): string {
+  if (process.platform === 'win32') {
+    const appData = process.env.APPDATA ?? join(os.homedir(), 'AppData', 'Roaming');
+    return join(appData, 'gnupg');
+  }
+  return join(os.homedir(), '.gnupg');
+}
+
+function resolveWindowsGpgBinCandidates(): string[] {
+  const localAppData = process.env.LOCALAPPDATA;
+  const programFiles = process.env['ProgramFiles'];
+  const programFilesX86 = process.env['ProgramFiles(x86)'];
+
+  const opts: string[] = [];
+  if (localAppData) opts.push(join(localAppData, 'Programs', 'GnuPG', 'bin', 'gpg.exe'));
+  if (programFiles) opts.push(join(programFiles, 'GnuPG', 'bin', 'gpg.exe'));
+  if (programFilesX86) opts.push(join(programFilesX86, 'GnuPG', 'bin', 'gpg.exe'));
+  return opts;
+}
+
+export function resolveGpgBinaryFallback(explicit?: string) {
+  if (explicit && explicit.length > 0) return explicit;
+  if (process.platform === 'win32') {
+    const candidates = resolveWindowsGpgBinCandidates();
+    const found = candidates.find(existsSync);
+    if (found) {
+      log(`Using gpg.exe at: ${found}`);
+      return found;
+    }
+  }
+  return 'gpg';
+}