Bare minimum to get this going again, including an update of
dependencies.
It's worth noting that there is a detachment between the GitHub Action
workflow and running this locally. As there are assumptions around:
1. Having the `pgp/sops_functional_tests_key.asc` imported.
2. Having a Vault server running for two functional tests.
The `functional-tests` Make target does not facilitate this, and
putting something in place using a temporary `GNUPGHOME` and a
container image would likely be a welcome future improvement.
In addition, there is Rust code in `validation/` which appears to be an
artifact from an ancient Python library[1][2]. This should probably be
removed in the future.
[1]: https://github.com/getsops/sops/tree/python-sops
[2]: https://pypi.org/project/sops/
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
* Add vault/api to vendor/
* Adds support for sops publish-ing to Vault
* Adds support for publishing secrets (unencrypted) to Vault
* Adds a new EmitAsMap for TreeBranches
* Adds documentation about sops publish-ing to Vault
* Initial integration/functional test for publishing to vault
* Implement `sops publish` command
Publishes a file to a pre-configured destination (this lives in the sops
config file). Additionally, support re-encryption rules that work
just like the creation rules. Initial support for S3/GCS.
This is a part of the sops-workspace v2.0 project
Includes the addition of a new dependency:
github.com/googleapis/gax-go/v2
* code review changes; support global --verbose flag
* Switch to recreation_rule with full support
Reencryption rule is now recreation rule and supports everything that a
creation rule does. Now, when you load a config for a file, you load
either the creation rule or the destination rule. I'm not sure about
this style long term, but it allows for support to be added for the
recreation rules without a bigger refactor of how the config file works.
* split loadForFileFromBytes into two functions
remove branching based on destination rule or not, create one for
creation rules and one for destination rules
* pretty diff for keygroup updates in sops publish
* Allow set "json value" to be a string.
Adds back support for string values in --set, while retaining support
for yaml multidoc that caused this bug.
Fixes #461
* Add functional test for --set'ing strings
* Fix binary file bug double encryption prevention
The `ensureNoMetadata` function was incorrectly implemented and called
LoadEncryptedFile on the InputStore and checked whether the returned error was
MetadataNotFound or not. In the case where loading the input file as an encrypted
file would fail (e.g. due to syntax errors), it would incorrectly report the file as
having a "sops" branch. When using the binary mode, it would try to load the file as
an encrypted binary file (which is expected to be JSON), which would fail, thus
triggering this error.
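To make the logic error in that commit message concrete, here is an added illustration (not sops's own code): a constructed stand-in for the input store, the flawed "any error other than MetadataNotFound means the file has a sops branch" check, and a corrected variant that only treats a successful load as evidence of existing metadata. All names (`loadEncrypted`, `ErrMetadataNotFound`, `ErrSyntax`, the fixture kinds) are hypothetical; the corrected check is one reasonable fix, not necessarily the one the commit applied.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMetadataNotFound is a hypothetical sentinel standing in for the
// "no sops metadata" condition the commit message refers to.
var ErrMetadataNotFound = errors.New("sops metadata not found")

// ErrSyntax stands in for any other load failure, e.g. a file read in
// binary mode that is not the JSON an encrypted binary file should be.
var ErrSyntax = errors.New("syntax error: input is not valid JSON")

// loadEncrypted is a constructed stand-in for an input store's
// LoadEncryptedFile. Fixture kinds: "plain" (no metadata), "garbled"
// (unparseable input) and "encrypted" (metadata present).
func loadEncrypted(kind string) error {
	switch kind {
	case "plain":
		return ErrMetadataNotFound
	case "garbled":
		return ErrSyntax
	case "encrypted":
		return nil
	}
	return fmt.Errorf("unknown fixture %q", kind)
}

// hasMetadataBuggy reproduces the flawed logic: every error other than
// ErrMetadataNotFound is taken to mean the file already carries a "sops"
// branch, so a syntax error is misreported as double encryption.
func hasMetadataBuggy(kind string) bool {
	err := loadEncrypted(kind)
	return !errors.Is(err, ErrMetadataNotFound)
}

// hasMetadataFixed treats only a successful load as proof of metadata.
// Both ErrMetadataNotFound and an unrelated load error mean the input is
// not an already-encrypted sops file, so encryption may proceed.
func hasMetadataFixed(kind string) bool {
	return loadEncrypted(kind) == nil
}

func main() {
	for _, kind := range []string{"plain", "garbled", "encrypted"} {
		fmt.Printf("%-9s buggy=%-5v fixed=%v\n",
			kind, hasMetadataBuggy(kind), hasMetadataFixed(kind))
	}
}
```

The "garbled" row is the case the commit describes: the buggy check reports metadata (and refuses to encrypt), while the corrected check lets a plain or unparseable input through and still refuses a genuinely encrypted one.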
* Add functional test for binary file roundtrip
This happened when there are multiple master keys inside a single key
group. SOPS would decrypt the data key with every single key in the
group, when only one is needed. This meant that multiple "parts" are
found, so because SOPS encountered != 1 part without using Shamir, it
errored out.