Граф коммитов

70 Коммитов

Автор SHA1 Сообщение Дата
Felix Fontein 09e147f2fb Fix typos.
Signed-off-by: Felix Fontein <felix@fontein.de>
2023-11-03 12:32:52 +01:00
Hidde Beydals 85edde792c
kms: improve AWS profile test
Due to the AWS SDK addressing a bug, which causes it to be more strict
when loading a configured profile.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-17 16:17:03 +02:00
Hidde Beydals 6887ebfb19
kms: add minimal test for `NewMasterKeyWithProfile`
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-10-13 16:14:37 +02:00
Benjamin Ludewig 7ee554cb6b config: respect `aws_profile` from group config
Signed-off-by: Benjamin Ludewig <benjamin.ludewig@neuland-bfi.de>
2023-10-13 16:11:23 +02:00
Felix Fontein dd59dc1096 Check err for nil in tests.
Signed-off-by: Felix Fontein <felix@fontein.de>
2023-10-03 09:41:49 +02:00
Hidde Beydals 6ec0312ffe
keyservices: address logging regression
Replace the logging of failed encryption and decryption attempts from
error to info level.

This to address a regression in which an encryption or decryption
attempt with a series of keys would result in a list of failed attempts
logged to stderr even when the operation itself eventually succeeded.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-09-13 07:44:08 +02:00
Hidde Beydals 7e487fa0d2
kms: use `BaseEndpoint` for testing
This does the same, but with much less boilerplate.

xref: https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/endpoints/#v2-endpointresolverv2--baseendpoint

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-23 13:42:49 +02:00
Hidde Beydals 0dbcd1a6fb
kms: update dependencies
- github.com/aws/aws-sdk-go-v2 to v1.20.1
- github.com/aws/aws-sdk-go-v2/config to v1.18.33
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.32
- github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.77
- github.com/aws/aws-sdk-go-v2/service/kms to v1.24.2
- github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.2
- github.com/aws/aws-sdk-go-v2/service/sts to v1.21.2

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-08-12 01:46:27 +02:00
Hidde Beydals f2a1d4c782
Rename Go module to `github.com/getsops/sops/v3`
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.

For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.

For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:

```
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-07-31 22:51:36 +02:00
Hidde Beydals d54c1286e1 Revert intro of `WithError` for most key sources
Most of the rewritten key sources introduced `WithError` calls, which
does not appear to go well with the UX of the CLI. This reverts it to
be the semi equal to current `master`.

During the diff, I noticed the current age implementation in master
does make use of `WithError`. Which makes me wonder if errors are not
returned twice at present in the CLI.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-07-11 23:13:11 +02:00
Hidde Beydals 75b5b54524 chore: update dockertest to Go Mod compatible v3
Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-07-04 13:15:46 +02:00
Hidde Beydals b6f6fa1748 kms: AWS SDK V2, allow creds config, add tests
This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.

- AWS SDK has been updated to V2. There are still bits in `publish/`
  which would need updating to drop the dependency on V1.
- It introduces a `CredentialsProvider` type which holds an
  `aws.CredentialsProvider`, and can be applied to the `MasterKey`.
  When applied, the provider is used in the AWS client configuration
  instead of relying on the SDK default (environmental) values.
  This is most useful when working with SOPS as an SDK, in combination
  with e.g. a local key service server implementation.
- Extensive test coverage. STS session implementation details are not
  tested due to mocking complexities, but the wiring is.

The forked version of this has compatibility tests to ensure it works
with current SOPS:

- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L134)
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L200)

Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-06-06 23:14:27 +02:00
Hidde Beydals e128fa2481 Update keyservice implementation dependencies
Latest API clients are (most) often greatest.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-04-20 21:09:53 +02:00
AJ Bahnken 1bb30e28b4
Limit role session name length to 64 characters.
Originally fixed by @SinisterMinister

Fixes #741
2022-04-04 13:02:29 -07:00
AJ Bahnken 234bf9fb5f
Upgrade all dependencies 2022-03-09 13:31:34 -08:00
Mikhail Katychev 0f2ebcf7ff
added wrap verb to outputs (#817) 2021-02-17 22:21:20 +01:00
Scott Crooks 4bd640e594
chore(gomod): Bumping AWS SDK version (#714) 2020-08-06 16:47:15 +02:00
Alex Higgins bc1567be9d Fixed aws config file issue 2020-06-10 17:21:53 -04:00
AJ Bahnken 8e21de8dbc
Upgrade sops to go 1.13 (#566) 2019-11-18 10:06:58 -08:00
Ivan Malopinsky 6e283a8ee7 Sanitize hostname used for AWS STS role session name (#558)
* Sanitize hostname used for AWS STS role session name

From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html):
> The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-

This fixes #441, which occurs when the hostname includes spaces and parentheses

* pr notes: wrap STS role session name regex compilation error
2019-11-01 08:54:07 -07:00
AJ Bahnken 15dfcfafcb
Vendoring update (#472)
It's been around 9 months since our last vendor update. This is also
needed for some new features being worked on for sops workspace.

Additionally, this PR regenerates the kms mocks.
2019-06-06 17:40:34 +00:00
Mark Kelly 068cb5a805 AWS Profiles - use credentials only if not null 2019-01-25 12:53:34 +00:00
Mark Kelly ac5ca1f05c AWS Profiles 2019-01-25 12:42:41 +00:00
Adrian Utrilla 9a56f8055e
Revert "AWS Profile" 2019-01-24 16:50:41 +01:00
mark kelly eb7b22a4a0
Merge branch 'master' into master 2019-01-14 10:44:55 +00:00
Mark Kelly 30e1380e8a keysource.go review changes 2019-01-14 10:28:33 +00:00
Mark Kelly 7605dd76b1 Added aws_profile
* Decrypt
* Command Line
* Master Key
* Encrypt
* .sops.yaml
2019-01-11 17:11:43 +00:00
Daren Desjardins 532c36eebc Support referencing AWS KMS keys by aliases
- addresses issue #381
2019-01-10 14:42:10 -08:00
Adrian Utrilla 9d6a8d0e21
Default to Warn log level unless verbose flag is passed 2018-03-07 17:18:45 +01:00
Adrian Utrilla bd846afea9
Add new logging to GCP KMS 2017-09-25 10:05:40 -07:00
Adrian Utrilla 20046c1b48
Merge branch 'master' into logging 2017-09-16 17:59:00 -07:00
Adrian Utrilla 08a4c7e657
Add documentation to all main packages 2017-09-12 20:01:12 -07:00
Adrian Utrilla d457e85bad
Allow configuring shamir threshold from config file 2017-09-12 13:53:21 -07:00
Adrian Utrilla 93570b20d7
Fix golint errors 2017-09-12 09:59:23 -07:00
Adrian Utrilla 55c7174713
Use logrus features for better logging 2017-09-07 10:49:27 -07:00
Adrian Utrilla 17d5d6b65c
Move all loggers to logrus 2017-09-06 17:36:39 -07:00
Adrian Utrilla 1b09444742
Use log.Print instead of fmt.Print everywhere 2017-08-29 12:15:25 -07:00
Adrian Utrilla dae5c6ce6f
Add logging to KMS key operations 2017-08-25 09:59:58 -07:00
Adrian Utrilla 44b26690c2
Merge remote-tracking branch 'origin/shamir' into remote-keys-shamir
Shamir tests do not pass due to KeyService not knowing about the fake
MasterKey used by the tests
2017-08-22 15:39:24 -07:00
Adrian Utrilla 10dd9b5441
Use KeyService for all encrypt and decrypt operations 2017-08-17 11:32:04 -07:00
Adrian Utrilla ada1461d2f
Remove unused capture groups from KMS ARN parsing 2017-08-15 11:49:14 -07:00
Greg Lee Coleman 6c8809285f change: loosen arn partition check
changes `createSession` arn string match
to allow `aws`, `aws-cn`, and `aws-us-gov`
2017-08-15 18:37:29 +00:00
Julien Vehent b7c1929c8e
Vendoring update, release 2.0.9 2017-05-01 18:37:35 -04:00
Adrian Utrilla 62ad4b400e
Print new line after warnings 2017-03-22 19:17:07 +01:00
Andy Freeland bd63010d67 Check type casts and add tests 2017-03-22 10:26:22 -07:00
Andy Freeland 89e75471cc Fix KMS encryption context for backwards compatibility with SOPS 1.x
In SOPS 1.x, KMS encryption context was stored as a JSON object, but
SOPS 2.0 stored it as a comma-separated list of key/value pairs:

```
$ jq '.sops.kms | .[].context' encrypted-python
{
  "a": "b",
  "c": "d"
}
> jq '.sops.kms | .[].context' encrypted-go
"a:b,c:d"
```

The two outputs are incompatible with each other and caused a stack
trace when reading files encrypted with SOPS 1.x.

This patch restores read and output compatibility with SOPS 1.x.

Fixes #190.
2017-03-22 09:59:51 -07:00
Aaron Meihm e48303b4f1 update createSession to use standard token provider 2017-03-06 14:16:21 -06:00
Adrian Utrilla 454d21d87f
Update mocks 2017-02-22 12:26:02 +01:00
Alvaro Gutierrez Perez 1007ed145b Modify TestKeyToMap to test the sorting of context keys 2016-11-06 02:47:52 +01:00
Alvaro Gutierrez Perez 9868a093a9 Sort outContext array alphabetically before joining it in a string 2016-11-06 02:47:00 +01:00