age: .sops.yaml support
Родитель
6068838aa3
Коммит
50a89c8293
|
@ -11,8 +11,16 @@ import (
|
|||
"strings"
|
||||
|
||||
"filippo.io/age"
|
||||
"github.com/sirupsen/logrus"
|
||||
"go.mozilla.org/sops/v3/logging"
|
||||
)
|
||||
|
||||
var log *logrus.Logger
|
||||
|
||||
func init() {
|
||||
log = logging.NewLogger("AGE")
|
||||
}
|
||||
|
||||
const privateKeySizeLimit = 1 << 24 // 16 MiB
|
||||
|
||||
// MasterKey is an age key used to encrypt and decrypt sops' data key.
|
||||
|
@ -33,6 +41,7 @@ func (key *MasterKey) Encrypt(datakey []byte) error {
|
|||
parsedRecipient, err := parseRecipient(key.Recipient)
|
||||
|
||||
if err != nil {
|
||||
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -40,21 +49,24 @@ func (key *MasterKey) Encrypt(datakey []byte) error {
|
|||
}
|
||||
|
||||
w, err := age.Encrypt(buffer, key.parsedRecipient)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to open file for encrypting sops data key with age: %v", err)
|
||||
}
|
||||
|
||||
if _, err := w.Write(datakey); err != nil {
|
||||
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
|
||||
return fmt.Errorf("failed to encrypt sops data key with age: %v", err)
|
||||
}
|
||||
|
||||
if err := w.Close(); err != nil {
|
||||
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
|
||||
return fmt.Errorf("failed to close file for encrypting sops data key with age: %v", err)
|
||||
}
|
||||
|
||||
key.EncryptedKey = buffer.String()
|
||||
|
||||
log.WithField("recipient", key.parsedRecipient).Info("Encryption succeeded")
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
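Review bot: The error branch in Encrypt logs `key.parsedRecipient` instead of the value that just failed to parse; unless the field was assigned before the hunk starts, it is still empty here and the log line carries no useful recipient. Logging the raw input is the helpful choice and is not sensitive, since an age recipient is a public key: `log.WithField("recipient", key.Recipient).Error("Encryption failed")`. In the same function the messages "failed to open file" and "failed to close file" describe age.Encrypt as if it touched a file, although it writes into an in-memory buffer, so wording such as `"failed to create age encryptor for sops data key: %v"` would be less misleading, and `%w` in place of `%v` would let callers inspect the underlying age error with errors.Is/As. Encrypt's signature and the assignment of key.parsedRecipient are outside these hunks.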
@ -13,6 +13,7 @@ import (
|
|||
"github.com/mozilla-services/yaml"
|
||||
"github.com/sirupsen/logrus"
|
||||
"go.mozilla.org/sops/v3"
|
||||
"go.mozilla.org/sops/v3/age"
|
||||
"go.mozilla.org/sops/v3/azkv"
|
||||
"go.mozilla.org/sops/v3/gcpkms"
|
||||
"go.mozilla.org/sops/v3/hcvault"
|
||||
|
@ -71,6 +72,7 @@ type keyGroup struct {
|
|||
GCPKMS []gcpKmsKey `yaml:"gcp_kms"`
|
||||
AzureKV []azureKVKey `yaml:"azure_keyvault"`
|
||||
Vault []string `yaml:"hc_vault"`
|
||||
Age []string `yaml:"age"`
|
||||
PGP []string
|
||||
}
|
||||
|
||||
|
@ -109,6 +111,7 @@ type creationRule struct {
|
|||
PathRegex string `yaml:"path_regex"`
|
||||
KMS string
|
||||
AwsProfile string `yaml:"aws_profile"`
|
||||
Age string `yaml:"age"`
|
||||
PGP string
|
||||
GCPKMS string `yaml:"gcp_kms"`
|
||||
AzureKeyVault string `yaml:"azure_keyvault"`
|
||||
|
@ -147,6 +150,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
|
|||
if len(cRule.KeyGroups) > 0 {
|
||||
for _, group := range cRule.KeyGroups {
|
||||
var keyGroup sops.KeyGroup
|
||||
for _, k := range group.Age {
|
||||
key, err := age.MasterKeyFromRecipient(k)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
keyGroup = append(keyGroup, key)
|
||||
}
|
||||
for _, k := range group.PGP {
|
||||
keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
|
||||
}
|
||||
|
@ -170,6 +180,14 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
|
|||
}
|
||||
} else {
|
||||
var keyGroup sops.KeyGroup
|
||||
ageKeys, err := age.MasterKeysFromRecipients(cRule.Age)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
for _, ak := range ageKeys {
|
||||
keyGroup = append(keyGroup, ak)
|
||||
}
|
||||
}
|
||||
for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
|
||||
keyGroup = append(keyGroup, k)
|
||||
}
|
||||
|
|
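Review bot: In the second hunk of getKeyGroupsFromCreationRule the `else` after `return nil, err` is redundant and deepens the nesting; drop it so the loop sits at the same level: `if err != nil { return nil, err }` followed by `for _, ak := range ageKeys { keyGroup = append(keyGroup, ak) }`. This branch runs for every creation rule without key_groups, including rules that have no age entry at all, so it is worth confirming that age.MasterKeysFromRecipients returns an empty slice rather than an error for an empty cRule.Age — otherwise existing .sops.yaml files without age keys would stop working (the PGP counterpart on the next line presumably already tolerates an empty string). In the first hunk a recipient that fails to parse aborts the whole rule, which is the right fail-closed behaviour; wrapping that error with the offending entry, e.g. `return nil, fmt.Errorf("parsing age recipient %q: %w", k, err)`, would make the configuration error actionable, provided fmt is already imported in this file. getKeyGroupsFromCreationRule starts and ends outside these hunks.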