From 3b2ce03f58ecffbcbd3477490d3ba63fcede40e0 Mon Sep 17 00:00:00 2001
From: Jeremy Massel
Date: Thu, 4 Mar 2021 21:26:14 -0700
Subject: [PATCH] Allow configure encryption key temporary override
---
 src/fs.rs | 13 +++++++++++--
 src/lib.rs | 1 +
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/fs.rs b/src/fs.rs
index 06a01f0..7802437 100644
--- a/src/fs.rs
+++ b/src/fs.rs
@@ -229,9 +229,18 @@ pub fn decrypt_files_for_configuration(
 let encryption_key;
 // Allow defining an environment variable that can override the key selection (for use in CI, for example).
- // This is placed here instead of in `read_encryption_key` because it isa security risk to allow this override for
+ // This is placed here and not resued when encrypting files because it is a security risk to allow this override for
 // encryption – someone might set the encryption key on their local machine, causing every project to silently use the same key.
- if let Ok(var) = env::var(crate::ENCRYPTION_KEY_NAME) {
+ //
+ // We also have two sets of environment variables we accept – this makes it easier to transition between versions of the `configure` tool in production.
+ // We check the temporary variable first, because it should override the permanent one when both are present
+ if let Ok(var) = env::var(crate::TEMP_ENCRYPTION_KEY_NAME) {
+ println!(
+ "Found an environment variable named {:}. Using its value as the encryption key",
+ crate::TEMP_ENCRYPTION_KEY_NAME
+ );
+ encryption_key = var;
+ } else if let Ok(var) = env::var(crate::ENCRYPTION_KEY_NAME) {
 println!(
 "Found an environment variable named {:}. Using its value as the encryption key",
 crate::ENCRYPTION_KEY_NAME
diff --git a/src/lib.rs b/src/lib.rs
index 89c98db..f2914e8 100644
--- a/src/lib.rs
+++ b/src/lib.rs
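Review bot: In the src/fs.rs hunk, both `if let Ok(var) = env::var(...)` branches accept a variable that is set but empty, so an empty `CONFIGURE_ENCRYPTION_KEY_TEMP` (as can happen when a CI secret is undefined and expands to nothing) takes precedence over a valid `CONFIGURE_ENCRYPTION_KEY` and is used as the key. Treating empty as unset closes that gap: `if let Some(var) = env::var(crate::TEMP_ENCRYPTION_KEY_NAME).ok().filter(|v| !v.is_empty()) {`, with the same filter on the permanent variable. The two branches are otherwise identical apart from the constant, so iterating over the two names in priority order would keep the check and the log message in one place. The start and end of `decrypt_files_for_configuration` and the use of `encryption_key` are outside the hunk, so what an empty key does downstream is not verified here.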
@@ -134,3 +134,4 @@ fn init_encryption() {
 const SECRETS_KEY_NAME: &str = "SECRETS_REPO";
 const ENCRYPTION_KEY_NAME: &str = "CONFIGURE_ENCRYPTION_KEY";
+const TEMP_ENCRYPTION_KEY_NAME: &str = "CONFIGURE_ENCRYPTION_KEY_TEMP"; // Useful when switching between versions of the plugin
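Review bot: The trailing comment on `TEMP_ENCRYPTION_KEY_NAME` leaves out the two properties the src/fs.rs comment depends on: the override is meant for decryption only, and it wins over `ENCRYPTION_KEY_NAME` when both are set. Because the constant is crate-visible and sits next to the encryption setup, a later caller could reuse it on the encryption path, which the fs.rs comment describes as a security risk. A doc comment above the constant would record the constraint, for example `/// Decrypt-only override, checked before ENCRYPTION_KEY_NAME; must not be read when encrypting.` The comment also says "plugin" where fs.rs says "`configure` tool"; using one term would avoid confusion.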