Cole Mickens 2020-08-07 01:58:17 -07:00 коммит произвёл Jimmy Cuadra
Родитель 6068838aa3
Коммит 50a89c8293
2 изменённых файлов: 32 добавлений и 2 удалений


@ -11,8 +11,16 @@ import (
"strings"
"filippo.io/age"
"github.com/sirupsen/logrus"
"go.mozilla.org/sops/v3/logging"
)
var log *logrus.Logger
func init() {
log = logging.NewLogger("AGE")
}
const privateKeySizeLimit = 1 << 24 // 16 MiB
// MasterKey is an age key used to encrypt and decrypt sops' data key.
@ -33,6 +41,7 @@ func (key *MasterKey) Encrypt(datakey []byte) error {
parsedRecipient, err := parseRecipient(key.Recipient)
if err != nil {
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
return err
}
@ -40,21 +49,24 @@ func (key *MasterKey) Encrypt(datakey []byte) error {
}
w, err := age.Encrypt(buffer, key.parsedRecipient)
if err != nil {
return fmt.Errorf("failed to open file for encrypting sops data key with age: %v", err)
}
if _, err := w.Write(datakey); err != nil {
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
return fmt.Errorf("failed to encrypt sops data key with age: %v", err)
}
if err := w.Close(); err != nil {
log.WithField("recipient", key.parsedRecipient).Error("Encryption failed")
return fmt.Errorf("failed to close file for encrypting sops data key with age: %v", err)
}
key.EncryptedKey = buffer.String()
log.WithField("recipient", key.parsedRecipient).Info("Encryption succeeded")
return nil
}
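Review bot: The error branch on the `parseRecipient` failure logs `key.parsedRecipient`, but at that point the freshly parsed value is still only in the local `parsedRecipient` (which is nil on error), so the field shows whatever the struct held before — empty on a first call — rather than the recipient string that actually failed to parse; the useful field is the raw input, `log.WithField("recipient", key.Recipient).Error("Encryption failed")`. The `age.Encrypt` error path a few lines later returns without the matching "Encryption failed" log that every other failure in this function emits, so a caller grepping logs would miss that failure mode; adding the same `log.WithField(...).Error(...)` line there keeps the three paths consistent. The `%v` wrapping in the returned errors discards the underlying age error from `errors.Is`/`errors.As`; `%w` preserves it at no cost since the file already uses `fmt.Errorf`. Logging the recipient is fine from a secrets standpoint — it is a public key — but the data key itself must never reach a log line, which the hunk correctly avoids. The `Encrypt` method begins above the first hunk of this section.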


@ -13,6 +13,7 @@ import (
"github.com/mozilla-services/yaml"
"github.com/sirupsen/logrus"
"go.mozilla.org/sops/v3"
"go.mozilla.org/sops/v3/age"
"go.mozilla.org/sops/v3/azkv"
"go.mozilla.org/sops/v3/gcpkms"
"go.mozilla.org/sops/v3/hcvault"
@ -71,6 +72,7 @@ type keyGroup struct {
GCPKMS []gcpKmsKey `yaml:"gcp_kms"`
AzureKV []azureKVKey `yaml:"azure_keyvault"`
Vault []string `yaml:"hc_vault"`
Age []string `yaml:"age"`
PGP []string
}
@ -109,6 +111,7 @@ type creationRule struct {
PathRegex string `yaml:"path_regex"`
KMS string
AwsProfile string `yaml:"aws_profile"`
Age string `yaml:"age"`
PGP string
GCPKMS string `yaml:"gcp_kms"`
AzureKeyVault string `yaml:"azure_keyvault"`
@ -147,6 +150,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
if len(cRule.KeyGroups) > 0 {
for _, group := range cRule.KeyGroups {
var keyGroup sops.KeyGroup
for _, k := range group.Age {
key, err := age.MasterKeyFromRecipient(k)
if err != nil {
return nil, err
}
keyGroup = append(keyGroup, key)
}
for _, k := range group.PGP {
keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
}
@ -170,6 +180,14 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
}
} else {
var keyGroup sops.KeyGroup
ageKeys, err := age.MasterKeysFromRecipients(cRule.Age)
if err != nil {
return nil, err
} else {
for _, ak := range ageKeys {
keyGroup = append(keyGroup, ak)
}
}
for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) {
keyGroup = append(keyGroup, k)
}