git-crypt 0.1.4

A Rust implementation of git-crypt for transparent encryption of files in a git repository
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

use crate::crypto::CryptoKey;
use crate::error::{GitCryptError, Result};
use git2::Repository;
use std::io::{self, Read, Write};
use std::path::Path;

pub struct GitRepo {
    repo: Repository,
}

impl GitRepo {
    /// Open repository at the given path
    pub fn open(path: impl AsRef<Path>) -> Result<Self> {
        let repo = Repository::discover(path).map_err(|_| GitCryptError::NotInGitRepo)?;
        Ok(Self { repo })
    }

    /// Get the git directory path
    pub fn git_dir(&self) -> &Path {
        self.repo.path()
    }

    /// Configure git filters for git-crypt
    pub fn configure_filters(&self) -> Result<()> {
        let mut config = self.repo.config()?;

        // Set up clean filter (encrypts on add/commit)
        config.set_str("filter.git-crypt.clean", "git-crypt clean")?;

        // Set up smudge filter (decrypts on checkout)
        config.set_str("filter.git-crypt.smudge", "git-crypt smudge")?;

        // Don't diff encrypted files
        config.set_str("filter.git-crypt.diff", "git-crypt diff")?;

        // Required attribute
        config.set_bool("filter.git-crypt.required", true)?;

        Ok(())
    }

    /// Remove git-crypt filters
    pub fn remove_filters(&self) -> Result<()> {
        let mut config = self.repo.config()?;

        let _ = config.remove("filter.git-crypt.clean");
        let _ = config.remove("filter.git-crypt.smudge");
        let _ = config.remove("filter.git-crypt.diff");
        let _ = config.remove("filter.git-crypt.required");

        Ok(())
    }

    /// Get repository root path
    #[allow(dead_code)]
    pub fn workdir(&self) -> Result<&Path> {
        self.repo.workdir().ok_or(GitCryptError::Other(
            "Repository has no working directory".into(),
        ))
    }
}

/// Clean filter: encrypt file content
pub fn clean_filter(key: &CryptoKey) -> Result<()> {
    let mut input = Vec::new();
    io::stdin().read_to_end(&mut input)?;

    // Check if already encrypted (has magic header)
    if CryptoKey::is_encrypted(&input) {
        io::stdout().write_all(&input)?;
        return Ok(());
    }

    let encrypted = key.encrypt(&input)?;

    // Write encrypted data to stdout
    io::stdout().write_all(&encrypted)?;

    Ok(())
}

/// Smudge filter: decrypt file content
pub fn smudge_filter(key: &CryptoKey) -> Result<()> {
    let mut input = Vec::new();
    io::stdin().read_to_end(&mut input)?;

    // Check if encrypted
    if !CryptoKey::is_encrypted(&input) {
        io::stdout().write_all(&input)?;
        return Ok(());
    }

    let decrypted = key.decrypt(&input)?;

    // Write decrypted data to stdout
    io::stdout().write_all(&decrypted)?;

    Ok(())
}

/// Diff filter: show that file is encrypted
pub fn diff_filter() -> Result<()> {
    let mut input = Vec::new();
    io::stdin().read_to_end(&mut input)?;

    if CryptoKey::is_encrypted(&input) {
        writeln!(
            io::stdout(),
            "*** This file is encrypted with git-crypt ***"
        )?;
    } else {
        io::stdout().write_all(&input)?;
    }

    Ok(())
}