refactor: Improve git-crypt verification logic
This commit is contained in:
parent
bee2596001
commit
2669a76711
1 changed files with 19 additions and 8 deletions
@ -21,18 +21,29 @@ gcrypt_export_key() {
gcrypt_verify() {
local genome_name="$1"
local key_path="${KEYS_DIR}/${genome_name}.key"
|
info "Verifying git-crypt status for ${genome_name}..."
git-crypt lock
info "Verifying git-crypt configuration for ${genome_name}..."
|
if file "raw/private/.gitkeep" 2>/dev/null | grep -q "data"; then
success "Encryption verified: private/ directory is protected."
# `git-crypt status` reports the CONFIGURED status (from `.gitattributes`), not the
# lock/unlock status of the working tree. Encrypted lines have their labels right-aligned
# (with leading whitespace), so you CANNOT anchor on `^encrypted`.
# We filter by private/ and distinguish “encrypted” from “not encrypted” without
# relying on exact spacing.
local status_out encrypted_count not_encrypted_count
status_out=$(git-crypt status 2>/dev/null || true)
encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^[[:space:]]*encrypted:' || true)
not_encrypted_count=$(printf '%s\n' "$status_out" | grep 'private/' | grep -cE '^not encrypted:' || true)
|
if [[ "$encrypted_count" -gt 0 ]]; then
success "Encryption configured: ${encrypted_count} private file(s) under git-crypt."
if [[ "$not_encrypted_count" -gt 0 ]]; then
warn "${not_encrypted_count} file(s) under private/ are NOT covered by the git-crypt filter — check .gitattributes (leak risk)."
fi
elif [[ "$not_encrypted_count" -gt 0 ]]; then
warn "private/ files exist but none are covered by the git-crypt filter — check the .gitattributes filter (leak risk)."
else
warn "Encryption check inconclusive. Run 'git-crypt status' manually."
info "No private/ files present yet — nothing to verify."
fi
|
[[ -f "$key_path" ]] && git-crypt unlock "$key_path"
}
|
# ---------------------------------------------------------------------------
|
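Review bot: The `|| true` on `status_out=$(git-crypt status 2>/dev/null || true)` makes a failed `git-crypt status` (binary missing, not inside a repository, repository not initialised for git-crypt) indistinguishable from an empty listing, so both counts end up 0 and the final `else` branch prints "No private/ files present yet — nothing to verify." — a check that never ran is reported as a clean result. Capture the exit status on its own and treat it as a failed verification rather than an empty one, e.g. `if ! status_out=$(git-crypt status 2>/dev/null); then` / `warn "git-crypt status failed — encryption state could not be verified."; return 1` / `fi`, using whatever failure convention the script's callers expect (they are outside the hunk). The `|| true` on the two `grep -c` pipelines below it is fine to keep, since `grep -c` exits 1 on a zero count while still printing `0`. Separately, `grep 'private/'` is unanchored and will also count entries whose path merely contains `private/` (e.g. under another directory); if the intent is only the top-level `private/` tree, anchor the path in the pattern, e.g. `grep -E ':[[:space:]]*private/'`.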