diff --git a/functional-tests/res/comments.enc.yaml b/functional-tests/res/comments.enc.yaml
new file mode 100644
index 000000000..45f620ab2
--- /dev/null
+++ b/functional-tests/res/comments.enc.yaml
@@ -0,0 +1,23 @@
+lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]
+#ENC[AES256_GCM,data:HiHCasVRzWUiFxKb3X/AcEeM,iv:bmNg+T91dqGk/CEtVH+FDC53osDCEPmWmJKpLyAU5OM=,tag:bTLDYxQSAfYDCBYccoUokQ==,type:comment]
+dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]
+sops:
+ kms: []
+ lastmodified: '2017-08-16T03:41:16Z'
+ mac: ENC[AES256_GCM,data:3ngUnY2hkK6pkDbCeAnOHsi/M6bLnGk1vkd+EeGyN/efqJZmwH0+9hUdACNnwHzofIR6NbtCGZal+cSCuTGD4eDuqNV+LbwV1/EaaVZj9RktTNXq3STSXxfzYGoHV3NOMtBhq6sYhF0U72nunreCymm3QzOTylAa2HlmRs54axM=,iv:EMXphsMa+ELK8XXX3MDfFJe3jFgXzwCSwjxNR5ah14k=,tag:gakwLdPvwyihj+FkTG/2kQ==,type:str]
+ pgp:
+ - created_at: '2017-08-16T03:41:16Z'
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wYwDEEVDpnzXnMABBAAlUcnNciv6rGJua/wmjVYBAHD95VT/M6cc8dg0bPR8XH5a
+ /GeM2RasBzX7ICuBijjesY9exsnrTkBK3/1XpAjygdiW5DciXmqRz/5nE4DLxH+w
+ nZvmnCmg8AdfPKxhr+eM+pKibiN4uEhsJggA9c2ACUQ/YMo4o04fLKZGXqGtT9Lg
+ AeRiZfM3ykiyHDbUQ3P9YAdL4fH44A3gpeHoGeBv4iBFFE7ge+XCby9rgN9Qa7NF
+ /Wahxm7U3RcwT6JSbNDHNCJtolEPeuCR5D2/Kc/2b30e6fLDnpbfSJXiRh4TbOG3
+ rAA=
+ =7P04
+ -----END PGP MESSAGE-----
+ fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
+ unencrypted_suffix: _unencrypted
+ version: 2.0.9
\ No newline at end of file
diff --git a/functional-tests/res/comments.yaml b/functional-tests/res/comments.yaml
new file mode 100644
index 000000000..b8761445e
--- /dev/null
+++ b/functional-tests/res/comments.yaml
@@ -0,0 +1,3 @@
+lorem: ipsum
+# this-is-a-comment
+dolor: sit
\ No newline at end of file
diff --git a/functional-tests/res/comments_list.yaml b/functional-tests/res/comments_list.yaml
new file mode 100644
index 000000000..a247b5329
--- /dev/null
+++ b/functional-tests/res/comments_list.yaml
@@ -0,0 +1,4 @@
+lorem:
+- foo
+#this-is-a-comment
+- bar
\ No newline at end of file
diff --git a/functional-tests/res/comments_unencrypted_comments.yaml b/functional-tests/res/comments_unencrypted_comments.yaml
new file mode 100644
index 000000000..f95ee50c5
--- /dev/null
+++ b/functional-tests/res/comments_unencrypted_comments.yaml
@@ -0,0 +1,23 @@
+lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]
+# this-is-a-comment
+dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]
+sops:
+ kms: []
+ lastmodified: '2017-08-16T03:41:16Z'
+ mac: ENC[AES256_GCM,data:3ngUnY2hkK6pkDbCeAnOHsi/M6bLnGk1vkd+EeGyN/efqJZmwH0+9hUdACNnwHzofIR6NbtCGZal+cSCuTGD4eDuqNV+LbwV1/EaaVZj9RktTNXq3STSXxfzYGoHV3NOMtBhq6sYhF0U72nunreCymm3QzOTylAa2HlmRs54axM=,iv:EMXphsMa+ELK8XXX3MDfFJe3jFgXzwCSwjxNR5ah14k=,tag:gakwLdPvwyihj+FkTG/2kQ==,type:str]
+ pgp:
+ - created_at: '2017-08-16T03:41:16Z'
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ wYwDEEVDpnzXnMABBAAlUcnNciv6rGJua/wmjVYBAHD95VT/M6cc8dg0bPR8XH5a
+ /GeM2RasBzX7ICuBijjesY9exsnrTkBK3/1XpAjygdiW5DciXmqRz/5nE4DLxH+w
+ nZvmnCmg8AdfPKxhr+eM+pKibiN4uEhsJggA9c2ACUQ/YMo4o04fLKZGXqGtT9Lg
+ AeRiZfM3ykiyHDbUQ3P9YAdL4fH44A3gpeHoGeBv4iBFFE7ge+XCby9rgN9Qa7NF
+ /Wahxm7U3RcwT6JSbNDHNCJtolEPeuCR5D2/Kc/2b30e6fLDnpbfSJXiRh4TbOG3
+ rAA=
+ =7P04
+ -----END PGP MESSAGE-----
+ fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
+ unencrypted_suffix: _unencrypted
+ version: 2.0.9
\ No newline at end of file
diff --git a/functional-tests/src/lib.rs b/functional-tests/src/lib.rs
index a5b6205e7..7ffa1e844 100644
--- a/functional-tests/src/lib.rs
+++ b/functional-tests/src/lib.rs
@@ -251,49 +251,32 @@ b: ba"#
 #[test]
 fn encrypt_comments() {
- let file_contents = br#"
- lorem: ipsum
- # this-is-a-comment
- dolor: sit
- "#;
- let file_path = prepare_temp_file("test_encrypt_comments.yaml", file_contents);
+ let file_path = "res/comments.yaml";
 let output = Command::new(SOPS_BINARY_PATH)
- .arg("-e")
- .arg(file_path.clone())
- .output()
- .expect("Error running sops");
+ .arg("-e")
+ .arg(file_path.clone())
+ .output()
+ .expect("Error running sops");
 assert!(output.status.success(), "SOPS didn't return successfully");
 assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted");
 }
 #[test]
- fn decrypt_comments() {
- let file_contents = br#"
- lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]
- #ENC[AES256_GCM,data:HiHCasVRzWUiFxKb3X/AcEeM,iv:bmNg+T91dqGk/CEtVH+FDC53osDCEPmWmJKpLyAU5OM=,tag:bTLDYxQSAfYDCBYccoUokQ==,type:comment]
- dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]
- sops:
- kms: []
- lastmodified: '2017-08-16T03:41:16Z'
- mac: ENC[AES256_GCM,data:3ngUnY2hkK6pkDbCeAnOHsi/M6bLnGk1vkd+EeGyN/efqJZmwH0+9hUdACNnwHzofIR6NbtCGZal+cSCuTGD4eDuqNV+LbwV1/EaaVZj9RktTNXq3STSXxfzYGoHV3NOMtBhq6sYhF0U72nunreCymm3QzOTylAa2HlmRs54axM=,iv:EMXphsMa+ELK8XXX3MDfFJe3jFgXzwCSwjxNR5ah14k=,tag:gakwLdPvwyihj+FkTG/2kQ==,type:str]
- pgp:
- - created_at: '2017-08-16T03:41:16Z'
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ fn encrypt_comments_list() {
+ let file_path = "res/comments_list.yaml";
+ let output = Command::new(SOPS_BINARY_PATH)
+ .arg("-e")
+ .arg(file_path.clone())
+ .output()
+ .expect("Error running sops");
+ assert!(output.status.success(), "SOPS didn't return successfully");
+ assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted");
+ assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted");
+ }
- wYwDEEVDpnzXnMABBAAlUcnNciv6rGJua/wmjVYBAHD95VT/M6cc8dg0bPR8XH5a
- /GeM2RasBzX7ICuBijjesY9exsnrTkBK3/1XpAjygdiW5DciXmqRz/5nE4DLxH+w
- nZvmnCmg8AdfPKxhr+eM+pKibiN4uEhsJggA9c2ACUQ/YMo4o04fLKZGXqGtT9Lg
- AeRiZfM3ykiyHDbUQ3P9YAdL4fH44A3gpeHoGeBv4iBFFE7ge+XCby9rgN9Qa7NF
- /Wahxm7U3RcwT6JSbNDHNCJtolEPeuCR5D2/Kc/2b30e6fLDnpbfSJXiRh4TbOG3
- rAA=
- =7P04
- -----END PGP MESSAGE-----
- fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
- unencrypted_suffix: _unencrypted
- version: 2.0.9
- "#;
- let file_path = prepare_temp_file("test_decrypt_comments.yaml", file_contents);
+ #[test]
+ fn decrypt_comments() {
+ let file_path = "res/comments.enc.yaml";
 let output = Command::new(SOPS_BINARY_PATH)
 .arg("-d")
 .arg(file_path.clone())
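Review bot: The line `assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted");` appears twice in the new encrypt_comments_list as far as the collapsed layout shows; drop the duplicate, or make the second one check something the first does not, such as that the output still contains the list items surrounding the encrypted comment. Since `file_path` is now a `&str` literal, `.arg(file_path.clone())` clones a reference for nothing — `.arg(file_path)` is enough — and this holds for the new encrypt_comments and decrypt_comments lines here as well as for decrypt_comments_unencrypted_comments in the next hunk. The `res/...` paths are resolved against the process working directory, which `cargo test` sets to the package root but a directly executed test binary does not; `concat!(env!("CARGO_MANIFEST_DIR"), "/res/comments.yaml")` removes that dependency. decrypt_comments continues past the end of the hunk.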
@@ -305,32 +288,7 @@ b: ba"#
 #[test]
 fn decrypt_comments_unencrypted_comments() {
- let file_contents = br#"
- lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str]
- # this-is-a-comment
- dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str]
- sops:
- kms: []
- lastmodified: '2017-08-16T03:41:16Z'
- mac: ENC[AES256_GCM,data:3ngUnY2hkK6pkDbCeAnOHsi/M6bLnGk1vkd+EeGyN/efqJZmwH0+9hUdACNnwHzofIR6NbtCGZal+cSCuTGD4eDuqNV+LbwV1/EaaVZj9RktTNXq3STSXxfzYGoHV3NOMtBhq6sYhF0U72nunreCymm3QzOTylAa2HlmRs54axM=,iv:EMXphsMa+ELK8XXX3MDfFJe3jFgXzwCSwjxNR5ah14k=,tag:gakwLdPvwyihj+FkTG/2kQ==,type:str]
- pgp:
- - created_at: '2017-08-16T03:41:16Z'
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- wYwDEEVDpnzXnMABBAAlUcnNciv6rGJua/wmjVYBAHD95VT/M6cc8dg0bPR8XH5a
- /GeM2RasBzX7ICuBijjesY9exsnrTkBK3/1XpAjygdiW5DciXmqRz/5nE4DLxH+w
- nZvmnCmg8AdfPKxhr+eM+pKibiN4uEhsJggA9c2ACUQ/YMo4o04fLKZGXqGtT9Lg
- AeRiZfM3ykiyHDbUQ3P9YAdL4fH44A3gpeHoGeBv4iBFFE7ge+XCby9rgN9Qa7NF
- /Wahxm7U3RcwT6JSbNDHNCJtolEPeuCR5D2/Kc/2b30e6fLDnpbfSJXiRh4TbOG3
- rAA=
- =7P04
- -----END PGP MESSAGE-----
- fp: 1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A
- unencrypted_suffix: _unencrypted
- version: 2.0.9
- "#;
- let file_path = prepare_temp_file("test_decrypt_comments.yaml", file_contents);
+ let file_path = "res/comments_unencrypted_comments.yaml";
 let output = Command::new(SOPS_BINARY_PATH)
 .arg("-d")
 .arg(file_path.clone())
@@ -340,6 +298,7 @@ b: ba"#
 assert!(String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not decrypted");
 }
+ #[test]
 fn roundtrip_shamir() {
 // The .sops.yaml file ensures this file is encrypted with two key groups, each with one GPG key
 let file_path = prepare_temp_file("test_roundtrip_keygroups.yaml", "a: secret".as_bytes());
diff --git a/sops.go b/sops.go
index 6303f11d2..a1f94b6e2 100644
--- a/sops.go
+++ b/sops.go
@@ -266,7 +266,7 @@ func (tree Tree) Decrypt(key []byte, cipher Cipher) (string, error) {
 if err != nil {
 // Assume the comment was not encrypted in the first place
 log.Printf("[WARNING] Found possibly unencrypted comment in file (#%s). This is to be expected if the file being decrypted was created with an older version of SOPS.", c.Value)
- in = c
+ v = c
 }
 } else {
 v, err = cipher.Decrypt(in.(string), key, pathString)
@@ -278,7 +278,7 @@ func (tree Tree) Decrypt(key []byte, cipher Cipher) (string, error) {
 v = in
 }
 // Only add to MAC if not a comment
- if _, ok := in.(Comment); !ok {
+ if _, ok := v.(Comment); !ok {
 bytes, err := ToBytes(v)
 if err != nil {
 return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err)
diff --git a/sops_test.go b/sops_test.go
index 258919dbd..67c4b8990 100644
--- a/sops_test.go
+++ b/sops_test.go
@@ -308,11 +308,22 @@ func TestEncryptComments(t *testing.T) {
 Key: Comment{"foo"},
 Value: nil,
 },
+ TreeItem{
+ Key: "list",
+ Value: []interface{}{
+ "1",
+ Comment{"bar"},
+ "2",
+ },
+ },
+ },
+ Metadata: Metadata{
+ UnencryptedSuffix: DefaultUnencryptedSuffix,
 },
- Metadata: Metadata{},
 }
 tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})
- assert.NotEqual(t, "foo", tree.Branch[0].Key.(Comment).Value)
+ assert.Equal(t, "oof", tree.Branch[0].Key.(Comment).Value)
+ assert.Equal(t, "rab", tree.Branch[1].Value.([]interface{})[1])
 }
 func TestDecryptComments(t *testing.T) {
@@ -322,11 +333,22 @@ func TestDecryptComments(t *testing.T) {
 Key: Comment{"oof"},
 Value: nil,
 },
+ TreeItem{
+ Key: "list",
+ Value: []interface{}{
+ "1",
+ Comment{"rab"},
+ "2",
+ },
+ },
+ },
+ Metadata: Metadata{
+ UnencryptedSuffix: DefaultUnencryptedSuffix,
 },
- Metadata: Metadata{},
 }
 tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})
 assert.Equal(t, "foo", tree.Branch[0].Key.(Comment).Value)
+ assert.Equal(t, "bar", tree.Branch[1].Value.([]interface{})[1])
 }
 func TestDecryptUnencryptedComments(t *testing.T) {
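Review bot: With `v = c` any error from decrypting a comment is reduced to a warning and the comment's original text is passed through, and because the second hunk (`if _, ok := v.(Comment); !ok`) keeps comments out of the MAC, a comment that is in `ENC[...]` form but fails to authenticate (wrong key, altered ciphertext or tag) is emitted as if it were plaintext without any integrity check. The fallback exists for files written by older SOPS versions, whose comments are not in `ENC[...]` form, so it can be limited to that case and fail closed otherwise, e.g. `if !strings.HasPrefix(c.Value, "ENC[") { v = c } else { return nil, fmt.Errorf("Could not decrypt comment at %s: %s", pathString, err) }` (assuming `strings` is imported in sops.go). The warning also prints `c.Value` verbatim, so a genuinely plaintext comment's body ends up in the log; printing `pathString` instead would locate the comment without echoing it. The enclosing function starts and ends outside the hunk.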
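Review bot: `assert.Equal(t, "rab", tree.Branch[1].Value.([]interface{})[1])` compares the list entry with a plain string, so it passes only if Encrypt replaces a `Comment` inside a list with a bare string, whereas the assertion on the line above expects the map-key comment to keep its `Comment` wrapper (`tree.Branch[0].Key.(Comment).Value`); if list comments really do lose the wrapper, the `case sops.Comment` added to the YAML store in this commit never sees them and they would be written out as ordinary list items rather than comments. I cannot tell from the hunk which behaviour Encrypt has, but the test should pin the intended type explicitly, e.g. `assert.Equal(t, Comment{"rab"}, tree.Branch[1].Value.([]interface{})[1])` if the wrapper is meant to survive. The context line `tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{})` discards the method's results; if Encrypt returns an error as Decrypt's signature in the sops.go hunk header does, `_, err := tree.Encrypt(...)` followed by `assert.NoError(t, err)` would make a failure in the new list path show up as such. The same two points apply to TestDecryptComments in the next hunk.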
diff --git a/stores/yaml/store.go b/stores/yaml/store.go
index e6b672192..1ce582a4f 100644
--- a/stores/yaml/store.go
+++ b/stores/yaml/store.go
@@ -84,6 +84,8 @@ func (store Store) treeValueToYamlValue(in interface{}) interface{} {
 switch in := in.(type) {
 case sops.TreeBranch:
 return store.treeBranchToYamlMap(in)
+ case sops.Comment:
+ return yaml.Comment{in.Value}
 case []interface{}:
 var out []interface{}
 for _, v := range in {
@@ -100,7 +102,7 @@ func (store Store) treeBranchToYamlMap(in sops.TreeBranch) yaml.MapSlice {
 for _, item := range in {
 if comment, ok := item.Key.(sops.Comment); ok {
 branch = append(branch, yaml.MapItem{
- Key: yaml.Comment{Value: comment.Value},
+ Key: store.treeValueToYamlValue(comment),
 Value: nil,
 })
 } else {
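Review bot: `return yaml.Comment{in.Value}` is an unkeyed composite literal of a struct from another package, which `go vet`'s composites check reports, and the line the second hunk removes used the keyed form; `return yaml.Comment{Value: in.Value}` keeps the file vet-clean and consistent. In the second hunk, `Key: store.treeValueToYamlValue(comment)` only yields a `yaml.Comment` because of the new case above, which is not obvious at that call site; a one-line comment such as `// a sops.Comment key becomes a yaml.Comment via treeValueToYamlValue` would save the reader a lookup. treeValueToYamlValue continues past the end of the first hunk, and the loop in treeBranchToYamlMap past the end of the second.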