Allow using lists in key groups in .sops.yaml

2026-02-05 12:45:21 +01:00 · 2017-09-12 11:38:03 -07:00
parent 0b2e442e3b
commit 00d7a5a1f8
3 changed files with 31 additions and 18 deletions
--- a/config/config.go
+++ b/config/config.go
@@ -51,8 +51,13 @@ type configFile struct {
 }

 type keyGroup struct {
-	KMS string
-	PGP string
+	KMS []kmsKey
+	PGP []string
+}
+
+type kmsKey struct {
+	Arn     string             `yaml:"arn"`
+	Context map[string]*string `yaml:"context"`
 }

 type creationRule struct {
@@ -97,11 +102,11 @@ func KeyGroupsForFile(filepath string, confBytes []byte, kmsEncryptionContext ma
 			if len(rule.KeyGroups) > 0 {
 				for _, group := range rule.KeyGroups {
 					var keyGroup sops.KeyGroup
-					for _, k := range pgp.MasterKeysFromFingerprintString(group.PGP) {
-						keyGroup = append(keyGroup, k)
+					for _, k := range group.PGP {
+						keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 					}
-					for _, k := range kms.MasterKeysFromArnString(group.KMS, kmsEncryptionContext) {
-						keyGroup = append(keyGroup, k)
+					for _, k := range group.KMS {
+						keyGroup = append(keyGroup, kms.NewMasterKeyFromArn(k.Arn, k.Context))
 					}
 					groups = append(groups, keyGroup)
 				}
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -59,10 +59,14 @@ creation_rules:
    pgp: "2"
  - filename_regex: ""
    key_groups:
-    - kms: foo
-      pgp: bar
-    - kms: baz
-      pgp: qux
+    - kms:
+      - arn: foo
+      pgp:
+      - bar
+    - kms:
+      - arn: baz
+      pgp:
+      - qux
 `)

 func TestLoadConfigFile(t *testing.T) {
@@ -99,12 +103,12 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 				FilenameRegex: "",
 				KeyGroups: []keyGroup{
 					{
-						KMS: "foo",
-						PGP: "bar",
+						KMS: []kmsKey{{Arn: "foo"}},
+						PGP: []string{"bar"},
 					},
 					{
-						KMS: "baz",
-						PGP: "qux",
+						KMS: []kmsKey{{Arn: "baz"}},
+						PGP: []string{"qux"},
 					},
 				},
 			},
--- a/functional-tests/.sops.yaml
+++ b/functional-tests/.sops.yaml
@@ -1,10 +1,14 @@
 creation_rules:
    - filename_regex: test_roundtrip_keygroups.yaml
      key_groups:
-      - pgp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
-      - pgp: 729D26A79482B5A20DEAD0A76945978B930DD7A2
+      - pgp:
+        - 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
+      - pgp:
+        - 729D26A79482B5A20DEAD0A76945978B930DD7A2
    - filename_regex: test_roundtrip_keygroups_missing_decryption_key.yaml
      key_groups:
-      - pgp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
-      - pgp: 620B9A4C96230B91E7473D20113D2B26EA0890C7
+      - pgp:
+        - 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
+      - pgp:
+        - 620B9A4C96230B91E7473D20113D2B26EA0890C7
    - pgp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A