
feat: Add HuaweiCloud KMS support

Signed-off-by: Enbiya Goral <100806254+enbiyagoral@users.noreply.github.com>
This commit is contained in:
Enbiya Goral
2025-12-12 09:41:42 +03:00
parent 07ded6f872
commit 72e903ee88
18 changed files with 1195 additions and 263 deletions


@@ -15,6 +15,7 @@ import (
"github.com/getsops/sops/v3/age"
"github.com/getsops/sops/v3/azkv"
"github.com/getsops/sops/v3/gcpkms"
"github.com/getsops/sops/v3/hckms"
"github.com/getsops/sops/v3/hcvault"
"github.com/getsops/sops/v3/kms"
"github.com/getsops/sops/v3/pgp"
@@ -132,6 +133,7 @@ type keyGroup struct {
Merge []keyGroup `yaml:"merge"`
KMS []kmsKey `yaml:"kms"`
GCPKMS []gcpKmsKey `yaml:"gcp_kms"`
HCKms []hckmsKey `yaml:"hckms"`
AzureKV []azureKVKey `yaml:"azure_keyvault"`
Vault []string `yaml:"hc_vault"`
Age []string `yaml:"age"`
@@ -155,6 +157,10 @@ type azureKVKey struct {
Version string `yaml:"version"`
}
type hckmsKey struct {
KeyID string `yaml:"key_id"`
}
type destinationRule struct {
PathRegex string `yaml:"path_regex"`
S3Bucket string `yaml:"s3_bucket"`
@@ -176,6 +182,7 @@ type creationRule struct {
Age interface{} `yaml:"age"` // string or []string
PGP interface{} `yaml:"pgp"` // string or []string
GCPKMS interface{} `yaml:"gcp_kms"` // string or []string
HCKms interface{} `yaml:"hckms"` // string or []string
AzureKeyVault interface{} `yaml:"azure_keyvault"` // string or []string
VaultURI interface{} `yaml:"hc_vault_transit_uri"` // string or []string
KeyGroups []keyGroup `yaml:"key_groups"`
@@ -214,6 +221,10 @@ func (c *creationRule) GetVaultURIs() ([]string, error) {
return parseKeyField(c.VaultURI, "hc_vault_transit_uri")
}
func (c *creationRule) GetHckmsKeys() ([]string, error) {
return parseKeyField(c.HCKms, "hckms")
}
// Utility function to handle both string and []string
func parseKeyField(field interface{}, fieldName string) ([]string, error) {
if field == nil {
@@ -329,6 +340,13 @@ func extractMasterKeys(group keyGroup) (sops.KeyGroup, error) {
for _, k := range group.GCPKMS {
keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
}
for _, k := range group.HCKms {
key, err := hckms.NewMasterKey(k.KeyID)
if err != nil {
return nil, err
}
keyGroup = append(keyGroup, key)
}
for _, k := range group.AzureKV {
if key, err := azkv.NewMasterKeyWithOptionalVersion(k.VaultURL, k.Key, k.Version); err == nil {
keyGroup = append(keyGroup, key)
@@ -402,6 +420,17 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
for _, k := range gcpkms.MasterKeysFromResourceIDString(strings.Join(gcpkmsKeys, ",")) {
keyGroup = append(keyGroup, k)
}
hckmsKeys, err := getKeysWithValidation(cRule.GetHckmsKeys, "hckms")
if err != nil {
return nil, err
}
hckmsMasterKeys, err := hckms.NewMasterKeyFromKeyIDString(strings.Join(hckmsKeys, ","))
if err != nil {
return nil, err
}
for _, k := range hckmsMasterKeys {
keyGroup = append(keyGroup, k)
}
azKeys, err := getKeysWithValidation(cRule.GetAzureKeyVaultKeys, "azure_keyvault")
if err != nil {
return nil, err
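Review bot: The error from `hckms.NewMasterKey(k.KeyID)` in extractMasterKeys is returned bare (`return nil, err`), so a malformed `key_id` in a large config surfaces without saying which key or group it came from; wrap it as `return nil, fmt.Errorf("hckms key %q: %w", k.KeyID, err)` (assuming fmt is already imported by this file, which the hunk does not show). That branch also diverges from the azure_keyvault branch directly below it, which silently drops a key that fails to construct instead of failing the load; failing closed is the safer behaviour for a master-key list, so if the divergence is intended a one-line comment on the loop saying so would stop a later "consistency" cleanup from weakening it. In getKeyGroupsFromCreationRule, `hckms.NewMasterKeyFromKeyIDString(strings.Join(hckmsKeys, ","))` is called even when `hckmsKeys` is empty; whether that helper returns an empty slice or an error for "" is not visible here, and every creation rule without an `hckms` entry depends on it returning no error. Both enclosing functions start outside their hunks.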


@@ -50,11 +50,13 @@ creation_rules:
kms: "1"
pgp: "2"
gcp_kms: "3"
hckms: "tr-west-1:test-key-1"
hc_vault_transit_uri: http://4:8200/v1/4/keys/4
- path_regex: ""
kms: foo
pgp: bar
gcp_kms: baz
hckms: "tr-west-1:test-key-2"
hc_vault_transit_uri: http://127.0.1.1/v1/baz/keys/baz
`)
@@ -114,6 +116,8 @@ creation_rules:
- bar
gcp_kms:
- resource_id: foo
hckms:
- key_id: tr-west-1:test-key-1
azure_keyvault:
- vaultUrl: https://foo.vault.azure.net
key: foo-key
@@ -128,6 +132,8 @@ creation_rules:
gcp_kms:
- resource_id: bar
- resource_id: baz
hckms:
- key_id: tr-west-1:test-key-2
azure_keyvault:
- vaultUrl: https://bar.vault.azure.net
key: bar-key
@@ -429,6 +435,7 @@ func TestLoadConfigFile(t *testing.T) {
KMS: "1",
PGP: "2",
GCPKMS: "3",
HCKms: "tr-west-1:test-key-1",
VaultURI: "http://4:8200/v1/4/keys/4",
},
{
@@ -436,6 +443,7 @@ func TestLoadConfigFile(t *testing.T) {
KMS: "foo",
PGP: "bar",
GCPKMS: "baz",
HCKms: "tr-west-1:test-key-2",
VaultURI: "http://127.0.1.1/v1/baz/keys/baz",
},
},
@@ -493,6 +501,7 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
},
PGP: []string{"bar"},
GCPKMS: []gcpKmsKey{{ResourceID: "foo"}},
HCKms: []hckmsKey{{KeyID: "tr-west-1:test-key-1"}},
AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}},
Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"},
},
@@ -503,6 +512,7 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
{ResourceID: "bar"},
{ResourceID: "baz"},
},
HCKms: []hckmsKey{{KeyID: "tr-west-1:test-key-2"}},
AzureKV: []azureKVKey{{VaultURL: "https://bar.vault.azure.net", Key: "bar-key", Version: "barversion"}},
Vault: []string{"https://baz.vault:8200/v1/baz/keys/baz-key"},
},