Граф коммитов

46 Коммитов

Автор SHA1 Сообщение Дата
Jonas Badstübner a1738b7ea7 feat(config): merge key_groups
closes #1123

Signed-off-by: Jonas Badstübner <jonas.badstuebner@hetzner-cloud.de>
2024-06-27 09:25:55 +02:00
Mitar f63e844206 Support using comments to select parts to encrypt
Signed-off-by: Mitar <mitar.git@tnode.com>
2024-06-27 09:21:08 +02:00
Bastien 42018ef4a5 Add indentation settings for json_binary
Signed-off-by: Bastien <bastien.wermeille@gmail.com>
2023-11-24 07:41:14 +01:00
Bastien Wermeille 755c16d49c Allow no indent at all for json store
Signed-off-by: Bastien Wermeille <bastien.wermeille@gmail.com>
2023-11-24 07:41:14 +01:00
Bastien Wermeille c6dc5267e5 Indentation of json files
Signed-off-by: Bastien Wermeille <bastien.wermeille@gmail.com>
2023-11-24 07:41:14 +01:00
James J. Goodhouse e9e2346fdd Add configuration for stores
this will allow for setting of parameters specific to each store, such
as indentation level for YAML

Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com>
Signed-off-by: James J. Goodhouse <jgoodhouse@newrelic.com>
2023-11-24 07:41:14 +01:00
Mitar 051ce028c9 Support computing MAC only over values which end up encrypted
Signed-off-by: Mitar <mitar.git@tnode.com>
2023-11-07 11:59:08 +01:00
Benjamin Ludewig 7ee554cb6b config: respect `aws_profile` from group config
Signed-off-by: Benjamin Ludewig <benjamin.ludewig@neuland-bfi.de>
2023-10-13 16:11:23 +02:00
Mitar 5f1ca1dd48 Fix descriptions of unencrypted-regex and encrypted-regex flags.
Signed-off-by: Mitar <mitar.git@tnode.com>
2023-09-22 11:48:36 +02:00
Hidde Beydals eeaf9f76d5
*: address various simple `staticcheck` warnings
Deprecation of `io/ioutil`, removal of unused functions, possible nil
pointer dereference, and other tiny nits.

There are (many) more, but these would require their own (commit)
context.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-17 00:16:40 +02:00
Hidde Beydals f2a1d4c782
Rename Go module to `github.com/getsops/sops/v3`
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.

For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.

For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:

```
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-07-31 22:51:36 +02:00
Cedric Kienzler 7ebee3dc7b This fixes a bug with age encryption when specifying multiple age recipients
I encountered an issue when I tried so specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit trough the code, I think this should fix it.

I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
2022-03-20 22:49:11 +01:00
Paulo Lieuthier c5b1298cd8
Match file path relative to config file's directory (2) (#853)
* Match file path relative to config file's directory

* Update README.rst
2021-04-12 13:29:06 +02:00
Adrian Utrilla c178f89662 Revert "Match file path relative to config file's directory (#827)"
This reverts commit dd7ce3d2cb.
2021-03-10 21:47:43 +01:00
Paulo Lieuthier dd7ce3d2cb
Match file path relative to config file's directory (#827)
* Match file path relative to config file's directory

* Update README.rst

* Remove metadata field from configFile yaml-oriented struct
2021-03-10 21:37:53 +01:00
Brice Colucci 79d5dac9ff
feat: Support more complicated path_regexp (issues/826) (#829)
* feat: Support more complicated path_regexp (https://github.com/mozilla/sops/issues/826)

* feat: Support more complicated path_regexp (https://github.com/mozilla/sops/issues/826)

* fix review: do not panic and return an error instead if the regexp is not valid.

* fix merge mess

Co-authored-by: AJ Bahnken <1144310+ajvb@users.noreply.github.com>
2021-03-10 21:23:11 +01:00
Felix Fontein e2d6d0fdc3
Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791)
* Add another test (that currently fails).

* First shot at using yaml.v3 for reading YAML files with comments.

* Allow parsing multi-document YAML files.

* Use Decoder to parse multi-part documents.

* Use yaml.v3 for config and audit.

* First step of serializing YAML using yaml.v3.

* Always serialize with yaml.v3.

* Remove debug prints.

* Remove traces of github.com/mozilla-services/yaml.

* Improve serialization of documents consisting only of comments.

* Improve handling of some empty documents.

* Adjust to latest changes in go-yaml/yaml#684.

* Bump yaml.v3 version, temporarily disable failing tests.

* Run go mod tidy.

* Fix CI.
2021-02-21 18:48:23 +01:00
Cole Mickens 8f6271f5c8 age: MasterKeysFromRecipients: gracefully handle empty string 2020-09-21 12:48:16 -07:00
Cole Mickens 50a89c8293 age: .sops.yaml support 2020-09-21 12:48:16 -07:00
Rene Hernandez 8aca3cb790
Add support for --unencrypted-regex (#715)
* Add support for --unencrypted-regex

* Fix grammar mistake

* Add gofmt'd files
2020-09-02 19:15:50 +02:00
Martin Litvaj 99adfaed0b
Rename LoadForFile to LoadCreationRuleForFile (#663) 2020-05-04 22:58:45 +02:00
Vaibhav Kaushik e4abd871c7
Add HashiCorp Vault support (#655)
* feat: initial adding of vualt transit backend to sops
initial work on integration
feat(vault): added cli coomands working for vualt"

fix(vault): fixed config with correct tests

fix(vault): added vault to keygroup and to keyservice server

fixed metadata load

* feat(docs): added docs in README.md and in command help

fix(doc): fix rst formatting"

fix(doc): fix rst formatting

* fix(vault): addressed typos and fixes from autrilla

feat(cli): moved vault to hc-vault naming

* fix(test): typo while rebasing

* fix typos and imporve error messages for vault kms

* rename package from vault to hcvault

* refactor vault keysource url validation

* add negative test cases  for vault keysource

* add hc vault transit config option via objects
additional to URIs

* remove vault_example.yml

* streamline key name to snake case

* rename `BackendPath` to `EnginePath` for hc vault

* correction in hc-vault-transit commands

Signed-off-by: vnzongzna <github@vaibhavk.in>

* resolving conflict

Signed-off-by: vnzongzna <github@vaibhavk.in>

* Apply suggestions from code review

Co-Authored-By: Adrian Utrilla <adrianutrilla@gmail.com>

* allowing only hc_vault_transit_uri as input

Co-Authored-By: gitirabassi
Co-Authored-By: ldue
Signed-off-by: vnzongzna <github@vaibhavk.in>

Co-authored-by: gitirabassi <giacomo@tirabassi.eu>
Co-authored-by: ldue <larsduennwald@gmail.com>
Co-authored-by: Vaibhav Kaushik <vaibhavkaushik@vaibhavka-ltm1.internal.salesforce.com>
Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>
2020-05-04 21:27:51 +02:00
Martin Litvaj 89d77b2082
Fix #611 - Dont break when config file exists but CreationRules are empty (#662) 2020-04-24 23:54:06 +02:00
MOREV Mikhail ef68940d2f Add `-omit-extensions` option for publish subcommand 2020-01-09 11:07:28 +06:00
AJ Bahnken 8e21de8dbc
Upgrade sops to go 1.13 (#566) 2019-11-18 10:06:58 -08:00
AJ Bahnken ebf0705182
vault kv version and mount names in publish config (#513)
Adds support for publishing to vault using KV v1 and a different mount
name (or multiple).
2019-08-30 13:44:04 -07:00
Jason Priebe 45076418c7 added encrypted-regex option 2019-08-14 15:39:21 -04:00
Devin Holland 52d4008829 Adding support for azure keyvault to key group config. 2019-08-02 15:22:17 -04:00
AJ Bahnken 6910225545
Adds support for sops publish-ing to Vault (#494)
* Add vault/api to vendor/

* Adds support for sops publish-ing to Vault

* Adds support for publishing secrets (unencrypted) to Vault
* Adds a new EmitAsMap for TreeBanches
* Adds documentation about sops publish-ing to Vault
* Initial integration/functional test for publishing to vault
2019-07-16 14:33:59 -07:00
AJ Bahnken ebd153f540
Implement `sops publish` command (#473)
* Implement `sops publish` command

Publishes a file to a pre-configured destination (this lives in the sops
config file). Additionally, support re-encryption rules that work
just like the creation rules. Initial support for S3/GCS.

This is a part of the sops-workspace v2.0 project

Includes the addition of a new dependency:
  github.com/googleapis/gax-go/v2

* code review changes; support global --verbose flag

* Switch to recreation_rule with full support

Reencryption rule is now recreation rule and supports everything that a
creation rule does. Now, when you load a config for a file, you load
either the creation rule or the destination rule. I'm not sure about
this style long term, but it allows for support to be added for the
recreation rules without a bigger refactor of how the config file works.

* split loadForFileFromBytes into two functions

remove branching based on destination rule or not, create one for
creation rules and one for destination rules

* pretty diff for keygroup updates in sops publish
2019-06-27 16:48:54 +00:00
Mark Kelly ac5ca1f05c AWS Profiles 2019-01-25 12:42:41 +00:00
Adrian Utrilla 9a56f8055e
Revert "AWS Profile" 2019-01-24 16:50:41 +01:00
Mark Kelly 7605dd76b1 Added aws_profile
* Decrypt
* Command Line
* Master Key
* Encrypt
* .sops.yaml
2019-01-11 17:11:43 +00:00
Calle Pettersson 19e964ebdd Make Azure key parsing failable 2018-06-18 16:03:24 +02:00
Calle Pettersson 9fa4f0e90e Add support for Azure Key Vault 2018-06-17 22:50:30 +02:00
dovreshef 16950d00d2 Adds `unencrypted_suffix` and `encrypted_suffix` to `.sops.yaml` (#325)
Add the ability to specify `unencrypted_suffix` and `encrypted_suffix` using the `.sops.yaml` config file
2018-04-09 10:50:47 +02:00
Devin Burnette d3d0267f4e deprecate filename_regex in favor of path_regex 2018-04-02 11:17:45 -04:00
John Turner 102c9e31f0 Update error message based on feedback 2017-10-30 10:09:25 -04:00
John Turner 77e90bb7c2 Don't dereference a null pointer if the config file is empty 2017-10-27 22:24:14 -04:00
Calin Don 15ea81dbd2
Add keyservice support 2017-09-18 12:48:37 +03:00
Adrian Utrilla 34c7380d00
Fix golint issues 2017-09-15 14:40:57 -07:00
Adrian Utrilla bcf8adebea
Merge branch 'master' into gcloud-kms 2017-09-15 14:34:02 -07:00
Adrian Utrilla 08a4c7e657
Add documentation to all main packages 2017-09-12 20:01:12 -07:00
Adrian Utrilla d457e85bad
Allow configuring shamir threshold from config file 2017-09-12 13:53:21 -07:00
Adrian Utrilla 00d7a5a1f8
Allow using lists in key groups in .sops.yaml 2017-09-12 11:38:03 -07:00
Adrian Utrilla 93570b20d7
Fix golint errors 2017-09-12 09:59:23 -07:00