Reimplement --add/rm-pgp/kms
Родитель
6eeddec482
Коммит
b5224ae2d6
|
@ -206,7 +206,7 @@ func main() {
|
|||
var output []byte
|
||||
var err error
|
||||
if c.Bool("encrypt") {
|
||||
keyGroups, err := getKeySources(c, fileName)
|
||||
keyGroups, err := keyGroups(c, fileName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -244,7 +244,22 @@ func main() {
|
|||
}
|
||||
}
|
||||
if c.Bool("rotate") {
|
||||
// TODO: Implement AddMasterKeys and RemoveMasterKeys
|
||||
var addMasterKeys []keys.MasterKey
|
||||
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
|
||||
for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext) {
|
||||
addMasterKeys = append(addMasterKeys, k)
|
||||
}
|
||||
for _, k := range pgp.MasterKeysFromFingerprintString(c.String("add-pgp")) {
|
||||
addMasterKeys = append(addMasterKeys, k)
|
||||
}
|
||||
|
||||
var rmMasterKeys []keys.MasterKey
|
||||
for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext) {
|
||||
rmMasterKeys = append(rmMasterKeys, k)
|
||||
}
|
||||
for _, k := range pgp.MasterKeysFromFingerprintString(c.String("add-pgp")) {
|
||||
rmMasterKeys = append(rmMasterKeys, k)
|
||||
}
|
||||
output, err = Rotate(RotateOpts{
|
||||
OutputStore: outputStore,
|
||||
InputStore: inputStore,
|
||||
|
@ -252,8 +267,8 @@ func main() {
|
|||
Cipher: aes.Cipher{},
|
||||
KeyServices: svcs,
|
||||
IgnoreMAC: c.Bool("ignore-mac"),
|
||||
AddMasterKeys: nil,
|
||||
RemoveMasterKeys: nil,
|
||||
AddMasterKeys: addMasterKeys,
|
||||
RemoveMasterKeys: rmMasterKeys,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -297,7 +312,7 @@ func main() {
|
|||
output, err = Edit(opts)
|
||||
} else {
|
||||
// File doesn't exist, edit the example file instead
|
||||
keyGroups, err := getKeySources(c, fileName)
|
||||
keyGroups, err := keyGroups(c, fileName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -419,19 +434,7 @@ func parseTreePath(arg string) ([]interface{}, error) {
|
|||
return path, nil
|
||||
}
|
||||
|
||||
func getKeySources(c *cli.Context, file string) ([]sops.KeyGroup, error) {
|
||||
return []sops.KeyGroup{
|
||||
{
|
||||
&pgp.MasterKey{
|
||||
Fingerprint: "12EE3273F4F41BB7E6F34E4AD9B452CB733E4A16",
|
||||
},
|
||||
},
|
||||
{
|
||||
&pgp.MasterKey{
|
||||
Fingerprint: "12EE3273F4F41BB7E6F34E4AD9B452CB733E4A16",
|
||||
},
|
||||
},
|
||||
}, nil
|
||||
func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
|
||||
var kmsKeys []keys.MasterKey
|
||||
var pgpKeys []keys.MasterKey
|
||||
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
|
||||
|
|
|
@ -10,20 +10,14 @@ import (
|
|||
)
|
||||
|
||||
type RotateOpts struct {
|
||||
Cipher sops.DataKeyCipher
|
||||
InputStore sops.Store
|
||||
OutputStore sops.Store
|
||||
InputPath string
|
||||
IgnoreMAC bool
|
||||
AddMasterKeys []struct {
|
||||
Key keys.MasterKey
|
||||
ToGroup uint
|
||||
}
|
||||
RemoveMasterKeys []struct {
|
||||
Key keys.MasterKey
|
||||
FromGroup uint
|
||||
}
|
||||
KeyServices []keyservice.KeyServiceClient
|
||||
Cipher sops.DataKeyCipher
|
||||
InputStore sops.Store
|
||||
OutputStore sops.Store
|
||||
InputPath string
|
||||
IgnoreMAC bool
|
||||
AddMasterKeys []keys.MasterKey
|
||||
RemoveMasterKeys []keys.MasterKey
|
||||
KeyServices []keyservice.KeyServiceClient
|
||||
}
|
||||
|
||||
func Rotate(opts RotateOpts) ([]byte, error) {
|
||||
|
@ -40,7 +34,19 @@ func Rotate(opts RotateOpts) ([]byte, error) {
|
|||
return nil, err
|
||||
}
|
||||
|
||||
// TODO: Add and remove master keys
|
||||
// Add new master keys
|
||||
for _, key := range opts.AddMasterKeys {
|
||||
tree.Metadata.KeyGroups[0] = append(tree.Metadata.KeyGroups[0], key)
|
||||
}
|
||||
// Remove master keys
|
||||
for _, rmKey := range opts.RemoveMasterKeys {
|
||||
for i, groupKey := range tree.Metadata.KeyGroups[0] {
|
||||
if rmKey.ToString() == groupKey.ToString() {
|
||||
tree.Metadata.KeyGroups[0] = append(tree.Metadata.KeyGroups[0][:i], tree.Metadata.KeyGroups[0][i+1:]...)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Create a new data key
|
||||
dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices)
|
||||
if len(errs) > 0 {
|
||||
|
|
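Review bot: The removal loop at `for i, groupKey := range tree.Metadata.KeyGroups[0]` appends to the slice it is ranging over, so after the first deletion the remaining iterations read shifted elements from the shared backing array (the former last key is seen twice), and a second matching key can be skipped. Rewriting it as a filter into a fresh slice avoids that, and doing it for every group matters here because the new data key generated just below is encrypted to every key still present in any group — a key removed only from group 0 but listed in another group keeps decrypting the rotated file. Both loops also index `KeyGroups[0]` unguarded, which panics on metadata with no key groups. Separately, the caller in the main.go hunk builds `rmMasterKeys` from `c.String("add-kms")` and `c.String("add-pgp")`, which looks like a copy of the add lists and would make the removal flags no-ops — presumably `rm-kms`/`rm-pgp` were intended.
```go
	// … unchanged: "Add new master keys" loop …
	// Remove master keys from every group: the new data key is encrypted to
	// whatever remains, so a key left in any group would still decrypt it.
	for gi, group := range tree.Metadata.KeyGroups {
		kept := group[:0]
		for _, groupKey := range group {
			remove := false
			for _, rmKey := range opts.RemoveMasterKeys {
				if rmKey.ToString() == groupKey.ToString() {
					remove = true
					break
				}
			}
			if !remove {
				kept = append(kept, groupKey)
			}
		}
		tree.Metadata.KeyGroups[gi] = kept
	}
	// … unchanged: data key generation …
```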
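--- a/sops.go
+++ b/sops.go
@@ -326,36 +326,6 @@ func (m *Metadata) MasterKeyCount() int {
 	return count
 }
 
-// RemoveMasterKeys removes all of the provided keys from the metadata's KeySources, if they exist there.
-func (m *Metadata) RemoveMasterKeys(masterKeys []keys.MasterKey) {
-	// TODO: Reimplement this with KeyGroups. It's unclear how it should behave.
-	panic("Unimplemented")
-}
-
-// AddPGPMasterKeys parses the input comma separated string of GPG fingerprints, generates a PGP MasterKey for each fingerprint, and adds the keys to the PGP KeySource
-func (m *Metadata) AddPGPMasterKeys(pgpFps string) {
-	// TODO: Reimplement this with KeyGroups. It's unclear how it should behave.
-	panic("Unimplemented")
-}
-
-// AddKMSMasterKeys parses the input comma separated string of AWS KMS ARNs, generates a KMS MasterKey for each ARN, and then adds the keys to the KMS KeySource
-func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string) {
-	// TODO: Reimplement this with KeyGroups. It's unclear how it should behave.
-	panic("Unimplemented")
-}
-
-// RemovePGPMasterKeys takes a comma separated string of PGP fingerprints and removes the keys corresponding to those fingerprints from the metadata's KeySources
-func (m *Metadata) RemovePGPMasterKeys(pgpFps string) {
-	// TODO: Reimplement this with KeyGroups. It's unclear how it should behave.
-	panic("Unimplemented")
-}
-
-// RemoveKMSMasterKeys takes a comma separated string of AWS KMS ARNs and removes the keys corresponding to those ARNs from the metadata's KeySources
-func (m *Metadata) RemoveKMSMasterKeys(arns string) {
-	// TODO: Reimplement this with KeyGroups. It's unclear how it should behave.
-	panic("Unimplemented")
-}
-
 func (m *Metadata) UpdateMasterKeysWithKeyServices(dataKey []byte, svcs []keyservice.KeyServiceClient) (errs []error) {
 	if len(svcs) == 0 {
 		return []error{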
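--- a/sops_test.go
+++ b/sops_test.go
@@ -7,8 +7,6 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"go.mozilla.org/sops/aes"
-	"go.mozilla.org/sops/keys"
-	"go.mozilla.org/sops/kms"
 )
 
 func TestUnencryptedSuffix(t *testing.T) {
@@ -209,38 +207,6 @@ func TestTruncateTree(t *testing.T) {
 	assert.Equal(t, expected, result)
 }
 
-func TestRemoveMasterKeys(t *testing.T) {
-	// TODO: Make this test work again
-	return
-	m := Metadata{
-		KeyGroups: []KeyGroup{
-			{
-				&kms.MasterKey{
-					Arn: "foo",
-				}, &kms.MasterKey{
-					Arn: "bar",
-				},
-				&kms.MasterKey{
-					Arn: "foobar",
-				},
-			},
-		},
-	}
-	m.RemoveMasterKeys([]keys.MasterKey{
-		&kms.MasterKey{
-			Arn: "bar",
-		},
-		&kms.MasterKey{
-			Arn: "foobar",
-		},
-	})
-	assert.Equal(t, []keys.MasterKey{
-		&kms.MasterKey{
-			Arn: "foo",
-		},
-	}, m.KeyGroups[0])
-}
-
 func TestInsertOrReplaceValue(t *testing.T) {
 	tree := TreeBranch{
 		TreeItem{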