added multiple private key support by way of comma-separated paths in STACKS_PRIVATE_KEY_PATH

ribejara-te · ribejara-te · commit e852217d1db3 · 2025-04-10T15:13:26.000+02:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "stacks"
-version = "2.0.12"
+version = "2.0.13"
 description = "Stacks, the Terraform code pre-processor"
 readme = "README.md"
 requires-python = ">=3.10"
diff --git a/src/stacks/helpers/crypto.py b/src/stacks/helpers/crypto.py
@@ -100,27 +100,32 @@ def decrypt(data, private_key_path=os.getenv("STACKS_PRIVATE_KEY_PATH"), must_de
             string_encrypted_base64,
         ) = data.removeprefix("ENC[").removesuffix("]").split(";")
 
-        with open(private_key_path, "rb") as f:
-            private_key = cryptography.hazmat.primitives.serialization.load_pem_private_key(
-                f.read(),
-                password=None,
-                backend=cryptography.hazmat.backends.default_backend(),
-            )
-
-        try:
-            symmetric_key = private_key.decrypt(
-                base64.b64decode(symmetric_key_encrypted_base64.encode()),
-                cryptography.hazmat.primitives.asymmetric.padding.OAEP(
-                    mgf=cryptography.hazmat.primitives.asymmetric.padding.MGF1(algorithm=cryptography.hazmat.primitives.hashes.SHA256()),
-                    algorithm=cryptography.hazmat.primitives.hashes.SHA256(),
-                    label=None,
-                ),
-            )
-        except ValueError as e:
-            if must_decrypt:
-                raise e
-            else:
-                return data
+        private_key_paths = private_key_path.split(",")
+        for i in range(len(private_key_paths)):
+            with open(private_key_paths[i], "rb") as f:
+                private_key = cryptography.hazmat.primitives.serialization.load_pem_private_key(
+                    f.read(),
+                    password=None,
+                    backend=cryptography.hazmat.backends.default_backend(),
+                )
+
+            try:
+                symmetric_key = private_key.decrypt(
+                    base64.b64decode(symmetric_key_encrypted_base64.encode()),
+                    cryptography.hazmat.primitives.asymmetric.padding.OAEP(
+                        mgf=cryptography.hazmat.primitives.asymmetric.padding.MGF1(algorithm=cryptography.hazmat.primitives.hashes.SHA256()),
+                        algorithm=cryptography.hazmat.primitives.hashes.SHA256(),
+                        label=None,
+                    ),
+                )
+                break
+            except ValueError as e:
+                if i < len(private_key_paths)-1:
+                    continue
+                elif must_decrypt:
+                    raise e
+                else:
+                    return data
 
         init_vector = base64.b64decode(init_vector_base64.encode())
 
