Add file encryption/decryption and release workflow (#14)

Author: giarc3

.github/signing-key.asc.iron

@@ -1,25 +1,30 @@
 name: ironoxide-cli
 
-on:
-  push:
-    branches:
-      - master
-  pull_request:
+on: push
 
 jobs:
-  check:
-    name: Check
+  test:
     runs-on: ubuntu-18.04
     steps:
       - uses: actions/checkout@v2
+      # Work around https://github.com/actions/cache/issues/133#issuecomment-599102035
+      - run: sudo chown -R $(whoami):$(id -ng) ~/.cargo/
+        name: Fix perms on .cargo so we can restore the cache.
+      - name: Restore rust cache
+        uses: actions/cache@v1
+        with:
+          key: ${{ github.workflow }}-rust-${{ hashFiles('Cargo.lock') }}
+          restore-keys: |
+            ${{ github.workflow }}-rust-
+          path: ~/.cargo
       - uses: actions-rs/toolchain@v1
         with:
           profile: minimal
           toolchain: stable
           override: true
       - uses: actions-rs/cargo@v1
         with:
-          command: check
+          command: test
   fmt:
     name: Rustfmt
     runs-on: ubuntu-18.04
@@ -35,3 +40,12 @@ jobs:
         with:
           command: fmt
           args: --all -- --check
+
+  security:
+    runs-on: ubuntu-18.04
+    steps:
+      - uses: actions/checkout@v2
+      - name: Rust security audit
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yaml

@@ -0,0 +1,106 @@
+name: release
+
+on:
+  push:
+    tags:
+    - '*'
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    needs: build
+    steps:
+    - uses: actions/checkout@v2
+    - name: Decrypt PGP key
+      uses: IronCoreLabs/ironhide-actions/decrypt@v1
+      with:
+        keys: ${{ secrets.IRONHIDE_KEYS }}
+        input: .github/signing-key.asc.iron
+    - name: Import PGP key
+      run: gpg --batch --import .github/signing-key.asc
+    - uses: actions/create-release@v1
+      id: release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        tag_name: ${{ github.ref }}
+        release_name: Version ${{ github.ref }}
+
+    - name: Download release artifacts from ubuntu-18.04
+      uses: actions/download-artifact@v1
+      with:
+        name: release-ubuntu-18.04
+        path: release/ubuntu-18.04
+    - name: Sign artifact for ubuntu-18.04
+      run: |
+        gpg --batch --detach-sign -a release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+        gpg --batch --verify release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04.asc release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+    - name: Upload artifact for ubuntu-18.04
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04
+        asset_name: ironoxide-cli-ubuntu-18.04
+        asset_content_type: application/data
+    - name: Upload signature for ubuntu-18.04
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/ubuntu-18.04/ironoxide-cli-ubuntu-18.04.asc
+        asset_name: ironoxide-cli-ubuntu-18.04.asc
+        asset_content_type: application/pgp-signature
+
+    - name: Download release artifacts from macos-10.15
+      uses: actions/download-artifact@v1
+      with:
+        name: release-macos-10.15
+        path: release/macos-10.15
+    - name: Sign artifact for macos-10.15
+      run: |
+        gpg --batch --detach-sign -a release/macos-10.15/ironoxide-cli-macos-10.15
+        gpg --batch --verify release/macos-10.15/ironoxide-cli-macos-10.15.asc release/macos-10.15/ironoxide-cli-macos-10.15
+    - name: Upload artifact for macos-10.15
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/macos-10.15/ironoxide-cli-macos-10.15
+        asset_name: ironoxide-cli-macos-10.15
+        asset_content_type: application/data
+    - name: Upload signature for macos-10.15
+      uses: actions/upload-release-asset@v1
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+        upload_url: ${{ steps.release.outputs.upload_url }}
+        asset_path: release/macos-10.15/ironoxide-cli-macos-10.15.asc
+        asset_name: ironoxide-cli-macos-10.15.asc
+        asset_content_type: application/pgp-signature
+
+  build:
+    strategy:
+      matrix:
+        os: [ ubuntu-18.04, macos-10.15 ]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions-rs/toolchain@v1
+      with:
+        toolchain: stable
+    - uses: actions-rs/cargo@v1
+      with:
+        command: build
+        args: --release
+    - name: Package release artifacts
+      working-directory: target/release
+      run: mv ironoxide-cli ironoxide-cli-${{ matrix.os }}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@v1
+      with:
+        name: release-${{ matrix.os }}
+        path: target/release/ironoxide-cli-${{ matrix.os }}

.github/workflows/release.yaml

@@ -12,6 +12,7 @@ serde_json = "~1.0"
 structopt = "~0.3"
 tokio = {version = "~0.2.11", features = ["macros"]}
 futures = "~0.3"
+itertools = "~0.9"
 
 [profile.dev.package."*"]
 opt-level = 3

Cargo.lock

@@ -43,7 +43,7 @@ cargo install --git https://github.com/IronCoreLabs/ironoxide-cli
 
 IronOxide CLI is used by running `ironoxide-cli`, followed by your desired subcommands and options.
 You can see all the available subcommands by running `ironoxide-cli -h`.
-Subcommands are currently broken into two categories: user commands and group commands.
+Subcommands are currently broken into three categories: user commands, group commands, and file commands.
 
 ### User Commands
 
@@ -82,6 +82,18 @@ The `group-remove-members` subcommand is used to remove members from a group.
 
 The `group-list` subcommand is used to list all groups that the user is a member or administrator of.
 
+### File Commands
+
+#### file-encrypt
+
+The `file-encrypt` subcommand is used to encrypt a file to the provided users and groups. The calling user
+will also be granted access to the file. By default, the encrypted file will be output with the `.iron` extension appended.
+
+#### file-decrypt
+
+The `file-decrypt` subcommand is used to decrypt a file that the calling user has been granted access to. By default, the
+decrypted file will be output with the `.iron` extension removed.
+
 ## Examples
 
 ```console
@@ -110,6 +122,21 @@ Failures: []
 $ ironoxide-cli group-list ironemployee.json
 Found DeviceContext in "ironemployee.json"
 Groups found: ["employees"]
+
+$ ironoxide-cli file-encrypt keys.json --groups employees --device ironadmin.json
+Read in file "keys.json"
+Found DeviceContext in "ironadmin.json"
+Successfully encrypted file to: [
+    "User: ironadmin",
+    "Group: employees",
+]
+Failed to encrypt file to: []
+Output encrypted file to "keys.json.iron"
+
+$ ironoxide-cli file-decrypt keys.json.iron --device ironadmin.json
+Read in file "keys.json.iron"
+Found DeviceContext in "ironadmin.json"
+Output decrypted file to "keys.json"
 ```
 
 # License