зеркало из https://github.com/getsops/sops.git
Use a single keys.txt file for age private keys.
This commit is contained in:
Родитель
5c171c800c
Коммит
617db437de
|
@ -27,10 +27,10 @@ func (key *MasterKey) Encrypt(datakey []byte) error {
|
||||||
buffer := &bytes.Buffer{}
|
buffer := &bytes.Buffer{}
|
||||||
|
|
||||||
if key.parsedRecipient == nil {
|
if key.parsedRecipient == nil {
|
||||||
parsedRecipient, err := age.ParseX25519Recipient(key.Recipient)
|
parsedRecipient, err := parseRecipient(key.Recipient)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("failed to parse input as Bech32-encoded age public key: %v", err)
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
key.parsedRecipient = parsedRecipient
|
key.parsedRecipient = parsedRecipient
|
||||||
|
@ -76,7 +76,7 @@ func (key *MasterKey) SetEncryptedDataKey(enc []byte) {
|
||||||
|
|
||||||
// Decrypt decrypts the EncryptedKey field with the age identity and returns the result.
|
// Decrypt decrypts the EncryptedKey field with the age identity and returns the result.
|
||||||
func (key *MasterKey) Decrypt() ([]byte, error) {
|
func (key *MasterKey) Decrypt() ([]byte, error) {
|
||||||
ageKeyDir, ok := os.LookupEnv("SOPS_AGE_KEY_DIR")
|
ageKeyFile, ok := os.LookupEnv("SOPS_AGE_KEY_FILE")
|
||||||
|
|
||||||
if !ok {
|
if !ok {
|
||||||
userConfigDir, err := os.UserConfigDir()
|
userConfigDir, err := os.UserConfigDir()
|
||||||
|
@ -85,17 +85,19 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
|
||||||
return nil, fmt.Errorf("user config directory could not be determined: %v", err)
|
return nil, fmt.Errorf("user config directory could not be determined: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ageKeyDir = filepath.Join(userConfigDir, ".sops", "age")
|
ageKeyFile = filepath.Join(userConfigDir, ".sops", "age", "keys.txt")
|
||||||
}
|
}
|
||||||
|
|
||||||
path := filepath.Join(ageKeyDir, fmt.Sprintf("%s.key", key.Recipient))
|
_, err := os.Stat(ageKeyFile)
|
||||||
|
|
||||||
_, err := os.Stat(path)
|
|
||||||
|
|
||||||
file, err := os.Open(path)
|
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("no private key found at %s: %s", path, err)
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
file, err := os.Open(ageKeyFile)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("no key file found at %s: %s", ageKeyFile, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
defer file.Close()
|
defer file.Close()
|
||||||
|
@ -114,17 +116,17 @@ func (key *MasterKey) Decrypt() ([]byte, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := scanner.Err(); err != nil {
|
if err := scanner.Err(); err != nil {
|
||||||
return nil, fmt.Errorf("error scanning lines in age private key file: %v", err)
|
return nil, fmt.Errorf("error scanning lines in age key file: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if privateKey == "" {
|
if privateKey == "" {
|
||||||
return nil, fmt.Errorf("no age private key found in file at: %v", path)
|
return nil, fmt.Errorf("no age private key found in file at: %v", ageKeyFile)
|
||||||
}
|
}
|
||||||
|
|
||||||
parsedIdentity, err := age.ParseX25519Identity(string(privateKey))
|
parsedIdentity, err := age.ParseX25519Identity(string(privateKey))
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to parse private key as age X25519Identity at %s: %v", path, err)
|
return nil, fmt.Errorf("failed to parse private key as age X25519Identity at %s: %v", ageKeyFile, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
buffer := &bytes.Buffer{}
|
buffer := &bytes.Buffer{}
|
||||||
|
@ -183,7 +185,7 @@ func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, er
|
||||||
|
|
||||||
// MasterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey.
|
// MasterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey.
|
||||||
func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
|
func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
|
||||||
parsedRecipient, err := age.ParseX25519Recipient(recipient)
|
parsedRecipient, err := parseRecipient(recipient)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -194,3 +196,14 @@ func MasterKeyFromRecipient(recipient string) (*MasterKey, error) {
|
||||||
parsedRecipient: parsedRecipient,
|
parsedRecipient: parsedRecipient,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// parseRecipient attempts to parse a string containing an encoded age public key
|
||||||
|
func parseRecipient(recipient string) (*age.X25519Recipient, error) {
|
||||||
|
parsedRecipient, err := age.ParseX25519Recipient(recipient)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return parsedRecipient, nil
|
||||||
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@ func TestAge(t *testing.T) {
|
||||||
assert.NoError(err)
|
assert.NoError(err)
|
||||||
|
|
||||||
_, filename, _, _ := runtime.Caller(0)
|
_, filename, _, _ := runtime.Caller(0)
|
||||||
err = os.Setenv("SOPS_AGE_KEY_DIR", path.Dir(filename))
|
err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt"))
|
||||||
assert.NoError(err)
|
assert.NoError(err)
|
||||||
|
|
||||||
decryptedKey, err := key.Decrypt()
|
decryptedKey, err := key.Decrypt()
|
||||||
|
|
Загрузка…
Ссылка в новой задаче