/*
Package stores acts as a layer between the internal representation of encrypted files and the encrypted files
themselves.
Subpackages implement serialization and deserialization to multiple formats.
This package defines the structure SOPS files should have and conversions to and from the internal representation. Part
of the purpose of this package is to make it easy to change the SOPS file format while remaining backwards-compatible.
*/
package stores
import (
"fmt"
"strconv"
"strings"
"time"
"github.com/getsops/sops/v3"
"github.com/getsops/sops/v3/age"
"github.com/getsops/sops/v3/azkv"
"github.com/getsops/sops/v3/gcpkms"
"github.com/getsops/sops/v3/hckms"
"github.com/getsops/sops/v3/hcvault"
"github.com/getsops/sops/v3/kms"
"github.com/getsops/sops/v3/pgp"
)
// SopsMetadataKey is the top-level key under which SOPS stores its metadata
// inside an encrypted file (for example the `sops` mapping in YAML or JSON).
const SopsMetadataKey = "sops"
// SopsFile is a struct used by the stores as a helper to unmarshal the SOPS metadata.
// Only the "sops" member of the document is mapped; every other key is ignored by this type.
type SopsFile struct {
	// Metadata is a pointer so we can easily tell when the field is not present
	// in the SOPS file by checking for nil. This way we can show the user a
	// helpful error message indicating that the metadata wasn't found, instead
	// of showing a cryptic parsing error
	Metadata *Metadata `yaml:"sops" json:"sops" ini:"sops"`
}
// Metadata is stored in SOPS encrypted files, and it contains the information necessary to decrypt the file.
// This struct is just used for serialization, and SOPS uses another struct internally, sops.Metadata. It exists
// in order to allow the binary format to stay backwards compatible over time, but at the same time allow the internal
// representation SOPS uses to change over time.
//
// Field order matters: the yaml and json encoders emit struct fields in declaration order, so reordering
// fields changes the on-disk layout of every file SOPS writes.
type Metadata struct {
	// ShamirThreshold is copied to and from sops.Metadata.ShamirThreshold unchanged; omitted when 0.
	ShamirThreshold int `yaml:"shamir_threshold,omitempty" json:"shamir_threshold,omitempty"`
	// KeyGroups is used when the file has more than one key group (see MetadataFromInternal);
	// the per-type lists below are used instead when there is exactly one group.
	KeyGroups []keygroup `yaml:"key_groups,omitempty" json:"key_groups,omitempty"`
	KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"`
	GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"`
	HCKmsKeys []hckmskey `yaml:"hckms,omitempty" json:"hckms,omitempty"`
	AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"`
	VaultKeys []vaultkey `yaml:"hc_vault,omitempty" json:"hc_vault,omitempty"`
	AgeKeys []agekey `yaml:"age,omitempty" json:"age,omitempty"`
	// LastModified is an RFC 3339 timestamp; ToInternal fails if it does not parse.
	LastModified string `yaml:"lastmodified" json:"lastmodified"`
	// MessageAuthenticationCode is carried through as an opaque string. Nothing in this file
	// checks it; verification is presumably done on the decryption path — confirm there.
	MessageAuthenticationCode string `yaml:"mac" json:"mac"`
	PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"`
	// At most one of the six *_suffix / *_regex / *_comment_regex rules may be set; ToInternal enforces this
	// and defaults UnencryptedSuffix when none is set.
	UnencryptedSuffix string `yaml:"unencrypted_suffix,omitempty" json:"unencrypted_suffix,omitempty"`
	EncryptedSuffix string `yaml:"encrypted_suffix,omitempty" json:"encrypted_suffix,omitempty"`
	UnencryptedRegex string `yaml:"unencrypted_regex,omitempty" json:"unencrypted_regex,omitempty"`
	EncryptedRegex string `yaml:"encrypted_regex,omitempty" json:"encrypted_regex,omitempty"`
	UnencryptedCommentRegex string `yaml:"unencrypted_comment_regex,omitempty" json:"unencrypted_comment_regex,omitempty"`
	EncryptedCommentRegex string `yaml:"encrypted_comment_regex,omitempty" json:"encrypted_comment_regex,omitempty"`
	// MACOnlyEncrypted is copied through unchanged; omitted when false.
	MACOnlyEncrypted bool `yaml:"mac_only_encrypted,omitempty" json:"mac_only_encrypted,omitempty"`
	// Version is always emitted, even when empty, as are lastmodified and mac above.
	Version string `yaml:"version" json:"version"`
}
// keygroup is the storage form of one sops.KeyGroup inside the key_groups list.
//
// NOTE(review): unlike the top-level Metadata lists, VaultKeys and AgeKeys carry no
// omitempty, so an empty list is still emitted inside key_groups. Adding omitempty
// would change the serialized output of existing files — leave it unless that is intended.
type keygroup struct {
	PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"`
	KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"`
	GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"`
	HCKmsKeys []hckmskey `yaml:"hckms,omitempty" json:"hckms,omitempty"`
	AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"`
	VaultKeys []vaultkey `yaml:"hc_vault" json:"hc_vault"`
	AgeKeys []agekey `yaml:"age" json:"age"`
}
// pgpkey is the storage form of a PGP master key entry.
type pgpkey struct {
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	// EncryptedDataKey is the data key encrypted to this recipient, copied through verbatim.
	EncryptedDataKey string `yaml:"enc" json:"enc"`
	// Fingerprint identifies the recipient key; it is not validated in this file.
	Fingerprint string `yaml:"fp" json:"fp"`
}
// kmskey is the storage form of an AWS KMS master key entry.
type kmskey struct {
	Arn string `yaml:"arn" json:"arn"`
	// Role is an optional IAM role to assume; omitted when empty.
	Role string `yaml:"role,omitempty" json:"role,omitempty"`
	// Context is the KMS encryption context, handed to kms.MasterKey.EncryptionContext by reference.
	// NOTE(review): values are *string, presumably to distinguish a missing value from an empty one — confirm in the kms package.
	Context map[string]*string `yaml:"context,omitempty" json:"context,omitempty"`
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
	// AwsProfile has no omitempty, so an empty profile is still written out.
	AwsProfile string `yaml:"aws_profile" json:"aws_profile"`
}
// gcpkmskey is the storage form of a GCP KMS master key entry.
type gcpkmskey struct {
	// ResourceID names the KMS key; it is copied through unvalidated here.
	ResourceID string `yaml:"resource_id" json:"resource_id"`
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
}
// vaultkey is the storage form of a HashiCorp Vault transit master key entry.
type vaultkey struct {
	// VaultAddress, EnginePath and KeyName are copied through unvalidated here;
	// any checking is presumably done by the hcvault package — confirm there.
	VaultAddress string `yaml:"vault_address" json:"vault_address"`
	EnginePath string `yaml:"engine_path" json:"engine_path"`
	KeyName string `yaml:"key_name" json:"key_name"`
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
}
// azkvkey is the storage form of an Azure Key Vault master key entry.
type azkvkey struct {
	// VaultURL, Name and Version identify the key; they are copied through unvalidated here.
	VaultURL string `yaml:"vault_url" json:"vault_url"`
	Name string `yaml:"name" json:"name"`
	Version string `yaml:"version" json:"version"`
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
}
// agekey is the storage form of an age master key entry.
// It has no created_at field, unlike the other key types.
type agekey struct {
	// Recipient is the age public key; it is copied through unvalidated here.
	Recipient string `yaml:"recipient" json:"recipient"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
}
// hckmskey is the storage form of a Huawei Cloud KMS master key entry.
type hckmskey struct {
	// KeyID is passed to hckms.NewMasterKey, which may reject it (see toInternal).
	KeyID string `yaml:"key_id" json:"key_id"`
	// CreatedAt is an RFC 3339 timestamp; toInternal rejects any other format.
	CreatedAt string `yaml:"created_at" json:"created_at"`
	EncryptedDataKey string `yaml:"enc" json:"enc"`
}
// MetadataFromInternal converts an internal SOPS metadata representation to a representation appropriate for storage.
//
// A single key group is flattened into the top-level per-type lists (pgp, kms, ...)
// so files with one group keep the historical layout. Any other number of groups,
// including zero, is written as key_groups instead and the top-level lists stay empty.
func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata {
	// groupToStorage serialises one internal key group into its storage form.
	groupToStorage := func(group sops.KeyGroup) keygroup {
		return keygroup{
			KMSKeys:           kmsKeysFromGroup(group),
			PGPKeys:           pgpKeysFromGroup(group),
			GCPKMSKeys:        gcpkmsKeysFromGroup(group),
			HCKmsKeys:         hckmsKeysFromGroup(group),
			VaultKeys:         vaultKeysFromGroup(group),
			AzureKeyVaultKeys: azkvKeysFromGroup(group),
			AgeKeys:           ageKeysFromGroup(group),
		}
	}

	m := Metadata{
		LastModified:              sopsMetadata.LastModified.Format(time.RFC3339),
		UnencryptedSuffix:         sopsMetadata.UnencryptedSuffix,
		EncryptedSuffix:           sopsMetadata.EncryptedSuffix,
		UnencryptedRegex:          sopsMetadata.UnencryptedRegex,
		EncryptedRegex:            sopsMetadata.EncryptedRegex,
		UnencryptedCommentRegex:   sopsMetadata.UnencryptedCommentRegex,
		EncryptedCommentRegex:     sopsMetadata.EncryptedCommentRegex,
		MessageAuthenticationCode: sopsMetadata.MessageAuthenticationCode,
		MACOnlyEncrypted:          sopsMetadata.MACOnlyEncrypted,
		Version:                   sopsMetadata.Version,
		ShamirThreshold:           sopsMetadata.ShamirThreshold,
	}

	if len(sopsMetadata.KeyGroups) != 1 {
		for _, group := range sopsMetadata.KeyGroups {
			m.KeyGroups = append(m.KeyGroups, groupToStorage(group))
		}
		return m
	}

	// Exactly one group: flatten it into the top-level lists.
	flat := groupToStorage(sopsMetadata.KeyGroups[0])
	m.PGPKeys = flat.PGPKeys
	m.KMSKeys = flat.KMSKeys
	m.GCPKMSKeys = flat.GCPKMSKeys
	m.HCKmsKeys = flat.HCKmsKeys
	m.VaultKeys = flat.VaultKeys
	m.AzureKeyVaultKeys = flat.AzureKeyVaultKeys
	m.AgeKeys = flat.AgeKeys
	return m
}
// pgpKeysFromGroup collects the PGP master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
func pgpKeysFromGroup(group sops.KeyGroup) (keys []pgpkey) {
	for _, mk := range group {
		pk, ok := mk.(*pgp.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, pgpkey{
			Fingerprint:      pk.Fingerprint,
			EncryptedDataKey: pk.EncryptedKey,
			CreatedAt:        pk.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// kmsKeysFromGroup collects the AWS KMS master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
// The encryption context map is shared with the returned entry, not copied.
func kmsKeysFromGroup(group sops.KeyGroup) (keys []kmskey) {
	for _, mk := range group {
		k, ok := mk.(*kms.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, kmskey{
			Arn:              k.Arn,
			Role:             k.Role,
			AwsProfile:       k.AwsProfile,
			Context:          k.EncryptionContext,
			EncryptedDataKey: k.EncryptedKey,
			CreatedAt:        k.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// gcpkmsKeysFromGroup collects the GCP KMS master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
func gcpkmsKeysFromGroup(group sops.KeyGroup) (keys []gcpkmskey) {
	for _, mk := range group {
		k, ok := mk.(*gcpkms.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, gcpkmskey{
			ResourceID:       k.ResourceID,
			EncryptedDataKey: k.EncryptedKey,
			CreatedAt:        k.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// vaultKeysFromGroup collects the HashiCorp Vault master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
func vaultKeysFromGroup(group sops.KeyGroup) (keys []vaultkey) {
	for _, mk := range group {
		k, ok := mk.(*hcvault.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, vaultkey{
			VaultAddress:     k.VaultAddress,
			EnginePath:       k.EnginePath,
			KeyName:          k.KeyName,
			EncryptedDataKey: k.EncryptedKey,
			CreatedAt:        k.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// azkvKeysFromGroup collects the Azure Key Vault master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
func azkvKeysFromGroup(group sops.KeyGroup) (keys []azkvkey) {
	for _, mk := range group {
		k, ok := mk.(*azkv.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, azkvkey{
			VaultURL:         k.VaultURL,
			Name:             k.Name,
			Version:          k.Version,
			EncryptedDataKey: k.EncryptedKey,
			CreatedAt:        k.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// ageKeysFromGroup collects the age master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
// Unlike the other key types, no creation date is stored for age keys.
func ageKeysFromGroup(group sops.KeyGroup) (keys []agekey) {
	for _, mk := range group {
		k, ok := mk.(*age.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, agekey{
			Recipient:        k.Recipient,
			EncryptedDataKey: k.EncryptedKey,
		})
	}
	return keys
}
// hckmsKeysFromGroup collects the Huawei Cloud KMS master keys of a key group in their storage form.
// Keys of any other type are skipped; the result is nil when there are none.
func hckmsKeysFromGroup(group sops.KeyGroup) (keys []hckmskey) {
	for _, mk := range group {
		k, ok := mk.(*hckms.MasterKey)
		if !ok {
			continue
		}
		keys = append(keys, hckmskey{
			KeyID:            k.KeyID,
			EncryptedDataKey: k.EncryptedKey,
			CreatedAt:        k.CreationDate.Format(time.RFC3339),
		})
	}
	return keys
}
// ToInternal converts a storage-appropriate Metadata struct to a SOPS internal representation.
//
// It fails when lastmodified is not RFC 3339, when no keys can be recovered from
// the file, or when more than one of the encrypted_/unencrypted_ suffix, regex and
// comment_regex rules is set. When none of those rules is set, UnencryptedSuffix
// falls back to sops.DefaultUnencryptedSuffix — note that this fallback is written
// back into m. The MAC is passed through verbatim and is not verified here.
func (m *Metadata) ToInternal() (sops.Metadata, error) {
	lastModified, err := time.Parse(time.RFC3339, m.LastModified)
	if err != nil {
		return sops.Metadata{}, err
	}
	groups, err := m.internalKeygroups()
	if err != nil {
		return sops.Metadata{}, err
	}

	// Only one of these rules may be active in a single file.
	rules := []string{
		m.UnencryptedSuffix,
		m.EncryptedSuffix,
		m.UnencryptedRegex,
		m.EncryptedRegex,
		m.UnencryptedCommentRegex,
		m.EncryptedCommentRegex,
	}
	activeRules := 0
	for _, rule := range rules {
		if rule != "" {
			activeRules++
		}
	}
	switch {
	case activeRules > 1:
		return sops.Metadata{}, fmt.Errorf("Cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex, unencrypted_regex, encrypted_comment_regex, or unencrypted_comment_regex in the same file")
	case activeRules == 0:
		// Legacy files carry no rule at all; they used the default suffix.
		m.UnencryptedSuffix = sops.DefaultUnencryptedSuffix
	}

	internal := sops.Metadata{
		KeyGroups:                 groups,
		ShamirThreshold:           m.ShamirThreshold,
		Version:                   m.Version,
		MessageAuthenticationCode: m.MessageAuthenticationCode,
		UnencryptedSuffix:         m.UnencryptedSuffix,
		EncryptedSuffix:           m.EncryptedSuffix,
		UnencryptedRegex:          m.UnencryptedRegex,
		EncryptedRegex:            m.EncryptedRegex,
		UnencryptedCommentRegex:   m.UnencryptedCommentRegex,
		EncryptedCommentRegex:     m.EncryptedCommentRegex,
		MACOnlyEncrypted:          m.MACOnlyEncrypted,
		LastModified:              lastModified,
	}
	return internal, nil
}
// internalGroupFrom converts the per-type storage lists of one key group into a
// single sops.KeyGroup.
//
// The first key that fails to convert aborts the whole group and its error is
// returned unchanged. Keys are appended in a fixed order (kms, gcp kms, hc kms,
// azure kv, hc vault, pgp, age) regardless of the parameter order.
func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, hckmsKeys []hckmskey, azkvKeys []azkvkey, vaultKeys []vaultkey, ageKeys []agekey) (sops.KeyGroup, error) {
	var internalGroup sops.KeyGroup
	// add appends a converted key unless its conversion failed; the error is
	// handed back so the caller can stop at the first failure.
	add := func(k sops.MasterKey, err error) error {
		if err != nil {
			return err
		}
		internalGroup = append(internalGroup, k)
		return nil
	}

	for i := range kmsKeys {
		if err := add(kmsKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range gcpKmsKeys {
		if err := add(gcpKmsKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range hckmsKeys {
		if err := add(hckmsKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range azkvKeys {
		if err := add(azkvKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range vaultKeys {
		if err := add(vaultKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range pgpKeys {
		if err := add(pgpKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	for i := range ageKeys {
		if err := add(ageKeys[i].toInternal()); err != nil {
			return nil, err
		}
	}
	return internalGroup, nil
}
// internalKeygroups recovers the key groups of the file.
//
// Flat top-level key lists take precedence: when any of them is non-empty they
// form a single group and key_groups is silently ignored, even if it is also
// present. Otherwise each entry of key_groups becomes one group. A file with
// neither is an error.
func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) {
	hasFlatKeys := len(m.PGPKeys) > 0 ||
		len(m.KMSKeys) > 0 ||
		len(m.GCPKMSKeys) > 0 ||
		len(m.HCKmsKeys) > 0 ||
		len(m.AzureKeyVaultKeys) > 0 ||
		len(m.VaultKeys) > 0 ||
		len(m.AgeKeys) > 0

	switch {
	case hasFlatKeys:
		group, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.HCKmsKeys, m.AzureKeyVaultKeys, m.VaultKeys, m.AgeKeys)
		if err != nil {
			return nil, err
		}
		return []sops.KeyGroup{group}, nil
	case len(m.KeyGroups) > 0:
		groups := make([]sops.KeyGroup, 0, len(m.KeyGroups))
		for _, g := range m.KeyGroups {
			group, err := internalGroupFrom(g.KMSKeys, g.PGPKeys, g.GCPKMSKeys, g.HCKmsKeys, g.AzureKeyVaultKeys, g.VaultKeys, g.AgeKeys)
			if err != nil {
				return nil, err
			}
			groups = append(groups, group)
		}
		return groups, nil
	}
	return nil, fmt.Errorf("No keys found in file")
}
// toInternal builds the kms master key described by this storage record.
// Only CreatedAt is validated (it must be RFC 3339); the ARN, role and profile
// are copied through, and the encryption context map is shared with the
// returned key rather than copied.
func (kmsKey *kmskey) toInternal() (*kms.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, kmsKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk := &kms.MasterKey{
		Arn:               kmsKey.Arn,
		Role:              kmsKey.Role,
		AwsProfile:        kmsKey.AwsProfile,
		EncryptionContext: kmsKey.Context,
		EncryptedKey:      kmsKey.EncryptedDataKey,
		CreationDate:      created,
	}
	return mk, nil
}
// toInternal builds the gcpkms master key described by this storage record.
// Only CreatedAt is validated (it must be RFC 3339); the resource id is copied through.
func (gcpKmsKey *gcpkmskey) toInternal() (*gcpkms.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, gcpKmsKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk := &gcpkms.MasterKey{
		ResourceID:   gcpKmsKey.ResourceID,
		CreationDate: created,
		EncryptedKey: gcpKmsKey.EncryptedDataKey,
	}
	return mk, nil
}
// toInternal builds the azkv master key described by this storage record.
// Only CreatedAt is validated (it must be RFC 3339); vault URL, name and version are copied through.
func (azkvKey *azkvkey) toInternal() (*azkv.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, azkvKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk := &azkv.MasterKey{
		VaultURL:     azkvKey.VaultURL,
		Name:         azkvKey.Name,
		Version:      azkvKey.Version,
		CreationDate: created,
		EncryptedKey: azkvKey.EncryptedDataKey,
	}
	return mk, nil
}
// toInternal builds the hcvault master key described by this storage record.
// Only CreatedAt is validated (it must be RFC 3339); address, engine path and key name are copied through.
func (vaultKey *vaultkey) toInternal() (*hcvault.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, vaultKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk := &hcvault.MasterKey{
		VaultAddress: vaultKey.VaultAddress,
		EnginePath:   vaultKey.EnginePath,
		KeyName:      vaultKey.KeyName,
		EncryptedKey: vaultKey.EncryptedDataKey,
		CreationDate: created,
	}
	return mk, nil
}
// toInternal builds the pgp master key described by this storage record.
// Only CreatedAt is validated (it must be RFC 3339); the fingerprint is copied through.
func (pgpKey *pgpkey) toInternal() (*pgp.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, pgpKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk := &pgp.MasterKey{
		Fingerprint:  pgpKey.Fingerprint,
		EncryptedKey: pgpKey.EncryptedDataKey,
		CreationDate: created,
	}
	return mk, nil
}
// toInternal builds the age master key described by this storage record.
// Nothing is validated here and there is no creation date to parse, so the
// error result is always nil.
func (ageKey *agekey) toInternal() (*age.MasterKey, error) {
	mk := &age.MasterKey{
		Recipient:    ageKey.Recipient,
		EncryptedKey: ageKey.EncryptedDataKey,
	}
	return mk, nil
}
// toInternal builds the hckms master key described by this storage record.
// CreatedAt must be RFC 3339, and the key id goes through hckms.NewMasterKey,
// which is the only key type here whose constructor can reject its identifier.
func (hckmsKey *hckmskey) toInternal() (*hckms.MasterKey, error) {
	created, err := time.Parse(time.RFC3339, hckmsKey.CreatedAt)
	if err != nil {
		return nil, err
	}
	mk, err := hckms.NewMasterKey(hckmsKey.KeyID)
	if err != nil {
		return nil, err
	}
	mk.CreationDate = created
	mk.EncryptedKey = hckmsKey.EncryptedDataKey
	return mk, nil
}
// ExampleComplexTree is an example sops.Tree object exhibiting complex relationships:
// a comment key, an array of strings, a float and an array of booleans in one branch.
// It is exported as fixture data; keep it stable, since the rendered form presumably
// appears in the format stores' tests — confirm before editing values.
var ExampleComplexTree = sops.Tree{
	Branches: sops.TreeBranches{
		sops.TreeBranch{
			sops.TreeItem{
				Key: "hello",
				Value: `Welcome to SOPS! Edit this file as you please!`,
			},
			sops.TreeItem{
				Key: "example_key",
				Value: "example_value",
			},
			// a comment is represented as a sops.Comment key with a nil value
			sops.TreeItem{
				Key: sops.Comment{Value: " Example comment"},
				Value: nil,
			},
			sops.TreeItem{
				Key: "example_array",
				Value: []interface{}{
					"example_value1",
					"example_value2",
				},
			},
			sops.TreeItem{
				Key: "example_number",
				Value: 1234.56789,
			},
			sops.TreeItem{
				Key: "example_booleans",
				Value: []interface{}{true, false},
			},
		},
	},
}
// ExampleSimpleTree is an example sops.Tree object exhibiting only simple relationships
// with only one nested branch and only simple string values.
// It is exported as fixture data; keep it stable, since the rendered form presumably
// appears in the format stores' tests — confirm before editing values.
var ExampleSimpleTree = sops.Tree{
	Branches: sops.TreeBranches{
		sops.TreeBranch{
			sops.TreeItem{
				Key: "Welcome!",
				// the single nested branch: a comment followed by two string items
				Value: sops.TreeBranch{
					sops.TreeItem{
						Key: sops.Comment{Value: " This is an example file."},
						Value: nil,
					},
					sops.TreeItem{
						Key: "hello",
						Value: "Welcome to SOPS! Edit this file as you please!",
					},
					sops.TreeItem{
						Key: "example_key",
						Value: "example_value",
					},
				},
			},
		},
	},
}
// ExampleFlatTree is an example sops.Tree object exhibiting only simple relationships
// with no nested branches and only simple string values (one of them multi-line).
// It is exported as fixture data; keep it stable, since the rendered form presumably
// appears in the format stores' tests — confirm before editing values.
var ExampleFlatTree = sops.Tree{
	Branches: sops.TreeBranches{
		sops.TreeBranch{
			sops.TreeItem{
				Key: sops.Comment{Value: " This is an example file."},
				Value: nil,
			},
			sops.TreeItem{
				Key: "hello",
				Value: "Welcome to SOPS! Edit this file as you please!",
			},
			sops.TreeItem{
				Key: "example_key",
				Value: "example_value",
			},
			// exercises multi-line string handling in the format stores
			sops.TreeItem{
				Key: "example_multiline",
				Value: "foo\nbar\nbaz",
			},
		},
	},
}
// HasSopsTopLevelKey returns true if the given branch has a top-level key called "sops".
// The comparison is plain interface equality against SopsMetadataKey, so only a
// string key matches; comment keys (sops.Comment) never do.
func HasSopsTopLevelKey(branch sops.TreeBranch) bool {
	for i := range branch {
		if branch[i].Key == SopsMetadataKey {
			return true
		}
	}
	return false
}
// IsComplexValue returns true if the given value is an array or dictionary/hash,
// i.e. a []interface{} or a sops.TreeBranch. Every other dynamic type, including
// nil and Go maps that are not TreeBranches, is reported as simple.
func IsComplexValue(v interface{}) bool {
	switch v.(type) {
	case []interface{}, sops.TreeBranch:
		return true
	default:
		return false
	}
}
// ValToString converts a simple value to a string.
// It does not handle complex values (arrays and mappings).
//
// Floats are rendered in the shortest form that round-trips, but always keep a
// fractional part or an exponent so they cannot be confused with integers when
// read back. Booleans, RFC 3339 times and fmt.Stringers get their usual textual
// form; anything else goes through fmt's %v. Keep this output stable: it is
// presumably what the format stores write for scalar values — confirm callers
// before changing the formatting.
func ValToString(v interface{}) string {
	if f, ok := v.(float64); ok {
		text := strconv.FormatFloat(f, 'G', -1, 64)
		looksIntegral := !strings.ContainsRune(text, '.') && !strings.ContainsRune(text, 'E')
		if looksIntegral {
			// e.g. 5 -> "5.0", so that the value stays a float after a round trip
			text = strconv.FormatFloat(f, 'f', 1, 64)
		}
		return text
	}
	if b, ok := v.(bool); ok {
		return strconv.FormatBool(b)
	}
	// time.Time is itself a fmt.Stringer, so it must be tested before the
	// Stringer case to keep the RFC 3339 form.
	if ts, ok := v.(time.Time); ok {
		return ts.Format(time.RFC3339)
	}
	if s, ok := v.(fmt.Stringer); ok {
		return s.String()
	}
	return fmt.Sprintf("%v", v)
}