integrate gpg with postprocessing wrapper, standardise api

Author: dem1fo

package-lock.json

@@ -51,6 +51,7 @@
     "date-fns": "^4.1.0",
     "debug": "^4.3.7",
     "hi-base32": "^0.5.1",
+    "is-executable": "^2.0.1",
     "openpgp": "^6.2.2",
     "safe-stable-stringify": "^2.4.3",
     "toml": "^3.0.0",

package.json

@@ -18,7 +18,7 @@ import type { ValidationRule } from "../validation/Validation";
 export namespace Config {
   export interface Column {
     name: string;
-    alias: string;
+    alias: string; // TODOL: make alias optional for programmatic usage
     default?: string | number | string[] | number[];
   }
   export interface ColumnMap {
@@ -47,7 +47,8 @@ export namespace Config {
     };
     post_processing?: {
       encryption?: {
-        key_path: string;
+        recipient: string;
+        gpgBinaryPath?: string;
       }
     }
   }

src/config/Config.ts

@@ -35,6 +35,8 @@ type ConfigValidator = (label: string, v: unknown) => ConfigValidatorResult;
 
 const isTrue: ConfigValidator = (label: string, v: unknown) => (!v ? label : undefined);
 const isFalse: ConfigValidator = (label: string, v: unknown) => (!!v ? label : undefined);
+const isBoolean: ConfigValidator = (label: string, v: unknown) =>
+  typeof v !== 'boolean' ? `${label} must be a boolean` : undefined;
 const isObject: ConfigValidator = (label: string, v: unknown) =>
   typeof v !== 'object' ? `Missing ${label}` : undefined;
 const isNumber: ConfigValidator = (label: string, v: unknown) =>
@@ -130,7 +132,8 @@ function checkPostProcessing(proc: Config.FileConfiguration["post_processing"])
 
   const encryptionCheck = 
     isOptional('[post_processing].encryption', proc.encryption, isObject) ||
-    isString("[post_processing].encryption.key_path", proc.encryption?.key_path)
+    isNotEmptyString("[post_processing].encryption.recipient", proc.encryption?.recipient) ||
+    isOptional("[post_processing].encryption.gpgBinaryPath?", proc.encryption?.gpgBinaryPath, isNotEmptyString);
 
   return encryptionCheck
 }

src/config/validateConfig.ts

@@ -6,6 +6,7 @@ import { spawnSync } from 'node:child_process';
 import Debug from 'debug';
 import type { Config } from '../config';
 import { GpgErrorCode, identifyError } from './gpgError';
+import { isExecutableSync } from 'is-executable';
 
 const log = Debug('cid::engine::crypto::gpg');
 
@@ -15,8 +16,7 @@ export type GpgOptions = {
   binaryPathOverride?: string;
   pinentryMode?: Config.CryptoPinentryMode;
   timeoutMs?: number;
-  verifyRecipientKey?: boolean;
-  verifySignerKey?: boolean;
+  verifyKeys?: boolean;
 }
 
 
@@ -54,7 +54,7 @@ export class GpgWrapper {
     //       For headless usage or usage on Linux/MacOS, users should ensure GPG is set on PATH or provide
     //       path explicitly.
     if (isWindows()) {
-      const candidates = resolveWindowsGpgBinCandidates();
+      const candidates = this.resolveWindowsGpgBinCandidates();
       for (const c of candidates) if (existsSync(c)) {
         log(`[INFO] Found GPG binary at common location: ${c}`);
         return c;
@@ -80,6 +80,21 @@ export class GpgWrapper {
     return 'gpg';
   }
 
+  private resolveWindowsGpgBinCandidates(): string[] {
+    const localAppData = process.env.LOCALAPPDATA;
+    const programFiles = process.env['ProgramFiles'];
+    const programFilesX86 = process.env['ProgramFiles(x86)'];
+
+    // Order matters
+    const opts: string[] = [];
+    if (localAppData) opts.push(join(localAppData, 'Programs', 'GnuPG', 'bin', 'gpg.exe'));
+    if (programFiles) opts.push(join(programFiles, 'GnuPG', 'bin', 'gpg.exe'));
+    if (programFilesX86) opts.push(join(programFilesX86, 'GnuPG', 'bin', 'gpg.exe'));
+    if (programFiles) opts.push(join(programFiles, 'Gpg4win', 'bin', 'gpg.exe'));
+    if (programFilesX86) opts.push(join(programFilesX86, 'Gpg4win', 'bin', 'gpg.exe'));
+    return opts;
+  }
+
   private keyExists(key: string, keyType: "RECIPIENT" | "SIGNER"): boolean {
     const args = keyType === "RECIPIENT" ? [ '--list-keys', '--with-colons', key ] : [ '--list-secret-keys', '--with-colons', key ];
     const r = spawnSync(this.binPath, args, { encoding: "utf-8" });
@@ -88,12 +103,17 @@ export class GpgWrapper {
 
   public async encryptFile({ inputPath, outputPath, recipient, signer, signerPassphrase }: EncryptFileInput): Promise<EncryptFileResult> {
     // TODO: move this into the constructor?
+
+    // TODO: find an alternative for checking existence/accessibility of GPG binary.
+    //       since access() on some platforms (Windows) may return false negatives due to ACLs.
+    //       For now, swapping in 3rd party library (isExecutable) to get it working, but perhaps
+    //       it is better to just attempt to run GPG and handle the errors?
     try {
       log(`[DEBUG] Checking GPG binary at path: '${this.binPath}'`);
-      await access(this.binPath, constants.X_OK);
+      isExecutableSync(this.binPath);
       log(`[DEBUG] GPG binary is executable.`);
     }
-    catch {
+    catch (err) {
       log(`[ERROR] GPG binary not found or not executable at path: '${this.binPath}'`);
       return { success: false, error: `GPG binary not found or not executable at path: '${this.binPath}'`, code: GpgErrorCode.GPG_NOT_FOUND }
     }
@@ -122,7 +142,7 @@ export class GpgWrapper {
     }
 
     // check recipient key is in keyring and valid
-    if (this.options.verifyRecipientKey) {
+    if (this.options.verifyKeys) {
       log(`[DEBUG] Verifying recipient key exists in keyring: '${recipient}'`);
       const okay = this.keyExists(recipient, "RECIPIENT");
       if (!okay) {
@@ -134,7 +154,7 @@ export class GpgWrapper {
     }
 
     // check signer key is in the keyring and valid
-    if (signer && this.options.verifySignerKey) {
+    if (signer && signer.length > 0 && this.options.verifyKeys) {
       log(`[DEBUG] Verifying signer secret key exists in keyring: '${signer}'`);
       const okay = this.keyExists(signer, "SIGNER");
       if (!okay) {
@@ -154,7 +174,7 @@ export class GpgWrapper {
 
     args.push('--output', outputPath);
 
-    if (signer) {
+    if (signer && signer.length > 0) {
       args.push('--sign', '--local-user', signer);
       if (this.options.pinentryMode === "loopback" && !signerPassphrase) {
         log(`[WARN] pinentry-mode=loopback is set but no passphrase has been provided; signing may fail if the key is protected.`);
@@ -210,20 +230,5 @@ export class GpgWrapper {
 
 }
 
-function resolveWindowsGpgBinCandidates(): string[] {
-  const localAppData = process.env.LOCALAPPDATA;
-  const programFiles = process.env['ProgramFiles'];
-  const programFilesX86 = process.env['ProgramFiles(x86)'];
-
-  // Order matters
-  const opts: string[] = [];
-  if (localAppData) opts.push(join(localAppData, 'Programs', 'GnuPG', 'bin', 'gpg.exe'));
-  if (programFiles) opts.push(join(programFiles, 'GnuPG', 'bin', 'gpg.exe'));
-  if (programFilesX86) opts.push(join(programFilesX86, 'GnuPG', 'bin', 'gpg.exe'));
-  if (programFiles) opts.push(join(programFiles, 'Gpg4win', 'bin', 'gpg.exe'));
-  if (programFilesX86) opts.push(join(programFilesX86, 'Gpg4win', 'bin', 'gpg.exe'));
-  return opts;
-}
-
 
 export const isWindows = () => process.platform === 'win32';

src/crypto/gpg.ts

@@ -14,37 +14,76 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import { GpgWrapper } from '@/crypto/gpg';
 import type { Config } from '../config/Config';
 
 import Debug from 'debug';
 const log = Debug('cid::engine::process::postprocess');
 
+const enum POSTPROCESSING_STEP {
+  ENCRYPTION = 'ENCRYPTION',
+}
 
-export interface PostprocessFileResult {}
+type Step = {
+  success: boolean;
+  step: POSTPROCESSING_STEP;
+  outputPath?: string;
+};
 
-interface PostprocessFileInput {
-  config: Config.FileConfiguration,
-  filePath: string
+export interface PostprocessFileResult {
+  success: boolean;
+  steps: Step[];
+  outputPath?: string;
 }
 
-export async function postprocessFile({ config, filePath }: PostprocessFileInput): Promise<PostprocessFileResult> {
-  log(`[INFO] Starting processing of file '${filePath}' with config file '${config.meta.signature}'`);
-
-  if (!config.post_processing) return {}
+interface PostprocessFileInput {
+  config: Config.FileConfiguration;
+  inputPath: string;
+  outputPath: string;
+  options?: {
+    // options for postprocessing params that are not included in the config file
+    signer?: string;
+  }
+}
 
-  if (config.post_processing.encryption) {
-    // check that gpg exists on the system
-    
-    // check it it the correct version of gpg (e.g. should be the gpgp installed by Kleopatra on Windows, not gpg from git bash)
+export async function postprocessFile({ config, inputPath, outputPath, options }: PostprocessFileInput): Promise<PostprocessFileResult> {
+  log(`[INFO] Starting postprocessing of file '${inputPath}' with config file '${config.meta.signature}'`);
 
-    // find the Building Blocks public key in the user keyring
+  const result: PostprocessFileResult = { success: true, steps: [] };
 
-    // encrypt the file
-    
-    // [OPTIONAL] sign the the file with the users generated public key
+  if (!config.post_processing) {
+    log("[INFO] No postprocessing steps configured, skipping.");
+    return result;
   }
 
+  if (config.post_processing.encryption) {
+    log(`[INFO] Encryption postprocessing step configured, starting encryption of file '${inputPath}'`);
+    log(`Encryption config: ${JSON.stringify(config.post_processing.encryption)}`);
+    const gpg = new GpgWrapper({
+      trustAlways: true,
+      binaryPathOverride: config.post_processing.encryption.gpgBinaryPath,
+      timeoutMs: 60_000,
+      verifyKeys: true
+    });
+
+    const encryptResult = await gpg.encryptFile({
+      inputPath: inputPath,
+      outputPath: outputPath,
+      recipient: config.post_processing.encryption.recipient,
+      signer: options?.signer,
+    });
+
+    if (!encryptResult.success) {
+      log(`[ERROR] Encryption failed: ${encryptResult.error} (code: ${encryptResult.code})`);
+      result.steps.push({ success: false, step: POSTPROCESSING_STEP.ENCRYPTION });
+    }
+    else result.steps.push({ success: true, step: POSTPROCESSING_STEP.ENCRYPTION, outputPath: encryptResult.outputPath });
+  }
 
+  // TODO: add more postprocessing steps here
 
-  return {}
+  log("[INFO] Postprocessing complete.");
+  if (result.steps.some(s => !s.success)) result.success = false;
+  else if (result.steps.length > 0) result.outputPath = result.steps[result.steps.length - 1].outputPath; // set outputPath to last successful step outputPath
+  return result;
 }

src/processing/postprocess.ts

@@ -63,7 +63,7 @@ const validFileConfig = (): Config.FileConfiguration => ({
     error_in_salt: 'Salt error',
     terms_and_conditions: 'T&C',
   },
-  post_processing: { encryption: { key_path: '/tmp/key.pem' } },
+  post_processing: { encryption: { recipient: "REC", gpgBinaryPath: "/usr/bin/gpg" } },
 });
 
 // ---------------------------------------------------------------------
@@ -295,12 +295,17 @@ describe('config::validate::file', () => {
   });
 
 
-  it('post_processing present but missing encryption.key_path', () => {
+  it('post_processing encryption config type guards', () => {
     const cfg = validFileConfig();
-    (cfg.post_processing as any) = { encryption: { key_path: 123 } }; // wrong type
-    const res = validateConfigFile(cfg as any, 'CID', false);
-    expect(res).toContain('[post_processing].encryption.key_path must be a string');
-    // checkPostProcessing path and isString check.
+
+    (cfg.post_processing as any) = { encryption: { enabled: true, recipient: "" } };
+    let res = validateConfigFile(cfg as any, 'CID', false);
+    expect(res).toContain('[post_processing].encryption.recipient cannot be an empty string');
+
+    (cfg.post_processing as any) = { encryption: { enabled: false, recipient: "REC" } };
+    res = validateConfigFile(cfg as any, 'CID', false);
+    expect(res).toBeUndefined();
+
   });
 
   it('destination columns trigger column-level errors', () => {