Move MasterKey to separate package to avoid import cycles
@@ -22,6 +22,7 @@ import (
|
||||
|
||||
"go.mozilla.org/sops/aes"
|
||||
"go.mozilla.org/sops/json"
|
||||
"go.mozilla.org/sops/keys"
|
||||
"go.mozilla.org/sops/kms"
|
||||
"go.mozilla.org/sops/pgp"
|
||||
"go.mozilla.org/sops/yaml"
|
||||
@@ -391,8 +392,8 @@ func decrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, er
|
||||
}
|
||||
|
||||
func getKeySources(c *cli.Context, file string) ([]sops.KeySource, error) {
|
||||
var kmsKeys []sops.MasterKey
|
||||
var pgpKeys []sops.MasterKey
|
||||
var kmsKeys []keys.MasterKey
|
||||
var pgpKeys []keys.MasterKey
|
||||
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
|
||||
if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
|
||||
return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
|
||||
|
||||
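--- /dev/null
+++ b/keys/keys.go
@@ -0,0 +1,11 @@
+package keys
+
+// MasterKey provides a way of securing the key used to encrypt the Tree by encrypting and decrypting said key.
+type MasterKey interface {
+	Encrypt(dataKey []byte) error
+	EncryptIfNeeded(dataKey []byte) error
+	Decrypt() ([]byte, error)
+	NeedsRotation() bool
+	ToString() string
+	ToMap() map[string]interface{}
+}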
33
sops.go
33
sops.go
@@ -43,6 +43,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"go.mozilla.org/sops/keys"
|
||||
"go.mozilla.org/sops/kms"
|
||||
"go.mozilla.org/sops/pgp"
|
||||
)
|
||||
@@ -184,7 +185,7 @@ func (tree TreeBranch) walkBranch(in TreeBranch, path []string, onLeaves func(in
|
||||
}
|
||||
key, ok := item.Key.(string)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("Tree contains a non-string key (type %T): %s. Only string keys are" +
|
||||
return nil, fmt.Errorf("Tree contains a non-string key (type %T): %s. Only string keys are"+
|
||||
"supported", item.Key, item.Key)
|
||||
}
|
||||
newV, err := tree.walkValue(item.Value, append(path, key), onLeaves)
|
||||
@@ -293,17 +294,7 @@ type Metadata struct {
|
||||
// KeySource is a collection of MasterKeys with a Name.
|
||||
type KeySource struct {
|
||||
Name string
|
||||
Keys []MasterKey
|
||||
}
|
||||
|
||||
// MasterKey provides a way of securing the key used to encrypt the Tree by encrypting and decrypting said key.
|
||||
type MasterKey interface {
|
||||
Encrypt(dataKey []byte) error
|
||||
EncryptIfNeeded(dataKey []byte) error
|
||||
Decrypt() ([]byte, error)
|
||||
NeedsRotation() bool
|
||||
ToString() string
|
||||
ToMap() map[string]interface{}
|
||||
Keys []keys.MasterKey
|
||||
}
|
||||
|
||||
// Store provides a way to load and save the sops tree along with metadata
|
||||
@@ -325,12 +316,12 @@ func (m *Metadata) MasterKeyCount() int {
|
||||
}
|
||||
|
||||
// RemoveMasterKeys removes all of the provided keys from the metadata's KeySources, if they exist there.
|
||||
func (m *Metadata) RemoveMasterKeys(keys []MasterKey) {
|
||||
func (m *Metadata) RemoveMasterKeys(masterKeys []keys.MasterKey) {
|
||||
for j, ks := range m.KeySources {
|
||||
var newKeys []MasterKey
|
||||
var newKeys []keys.MasterKey
|
||||
for _, k := range ks.Keys {
|
||||
matchFound := false
|
||||
for _, keyToRemove := range keys {
|
||||
for _, keyToRemove := range masterKeys {
|
||||
if k.ToString() == keyToRemove.ToString() {
|
||||
matchFound = true
|
||||
break
|
||||
@@ -374,7 +365,7 @@ func (m *Metadata) UpdateMasterKeys(dataKey []byte) (errs []error) {
|
||||
func (m *Metadata) AddPGPMasterKeys(pgpFps string) {
|
||||
for i, ks := range m.KeySources {
|
||||
if ks.Name == "pgp" {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
for _, k := range pgp.MasterKeysFromFingerprintString(pgpFps) {
|
||||
keys = append(keys, k)
|
||||
fmt.Printf("Adding new PGP master key: %X\n", k.Fingerprint)
|
||||
@@ -389,7 +380,7 @@ func (m *Metadata) AddPGPMasterKeys(pgpFps string) {
|
||||
func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string) {
|
||||
for i, ks := range m.KeySources {
|
||||
if ks.Name == "kms" {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
for _, k := range kms.MasterKeysFromArnString(kmsArns, context) {
|
||||
keys = append(keys, k)
|
||||
fmt.Printf("Adding new KMS master key: %s\n", k.Arn)
|
||||
@@ -402,7 +393,7 @@ func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string)
|
||||
|
||||
// RemovePGPMasterKeys takes a comma separated string of PGP fingerprints and removes the keys corresponding to those fingerprints from the metadata's KeySources
|
||||
func (m *Metadata) RemovePGPMasterKeys(pgpFps string) {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
for _, k := range pgp.MasterKeysFromFingerprintString(pgpFps) {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
@@ -411,7 +402,7 @@ func (m *Metadata) RemovePGPMasterKeys(pgpFps string) {
|
||||
|
||||
// RemoveKMSMasterKeys takes a comma separated string of AWS KMS ARNs and removes the keys corresponding to those ARNs from the metadata's KeySources
|
||||
func (m *Metadata) RemoveKMSMasterKeys(arns string) {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
for _, k := range kms.MasterKeysFromArnString(arns, nil) {
|
||||
keys = append(keys, k)
|
||||
}
|
||||
@@ -525,7 +516,7 @@ func convertToMapStringInterface(in map[interface{}]interface{}) (map[string]int
|
||||
}
|
||||
|
||||
func mapKMSEntriesToKeySource(in []interface{}) (KeySource, error) {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
keysource := KeySource{Name: "kms", Keys: keys}
|
||||
for _, v := range in {
|
||||
entry, ok := v.(map[string]interface{})
|
||||
@@ -559,7 +550,7 @@ func mapKMSEntriesToKeySource(in []interface{}) (KeySource, error) {
|
||||
}
|
||||
|
||||
func mapPGPEntriesToKeySource(in []interface{}) (KeySource, error) {
|
||||
var keys []MasterKey
|
||||
var keys []keys.MasterKey
|
||||
keysource := KeySource{Name: "pgp", Keys: keys}
|
||||
for _, v := range in {
|
||||
entry, ok := v.(map[string]interface{})
|
||||
|
||||
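Review bot: In the AddPGPMasterKeys hunk the new line `var keys []keys.MasterKey` declares a local named after the package this file now imports; it compiles, because the variable's scope only starts after its declaration, but from that line on `keys` no longer refers to the package for the rest of the function, so any later `keys.` reference there would fail with a confusing error. The same pattern appears in the AddKMSMasterKeys, RemovePGPMasterKeys, RemoveKMSMasterKeys, mapKMSEntriesToKeySource and mapPGPEntriesToKeySource hunks. RemoveMasterKeys in this same commit already renames its parameter to `masterKeys` for exactly this reason, so the other functions should follow suit: `var masterKeys []keys.MasterKey` and `masterKeys = append(masterKeys, k)`, with the remaining uses renamed in the parts of those function bodies that lie outside the hunks.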
17
sops_test.go
17
sops_test.go
@@ -2,11 +2,13 @@ package sops
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.mozilla.org/sops/aes"
|
||||
"go.mozilla.org/sops/kms"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.mozilla.org/sops/aes"
|
||||
"go.mozilla.org/sops/keys"
|
||||
"go.mozilla.org/sops/kms"
|
||||
)
|
||||
|
||||
func TestUnencryptedSuffix(t *testing.T) {
|
||||
@@ -208,7 +210,7 @@ func TestRemoveMasterKeys(t *testing.T) {
|
||||
KeySources: []KeySource{
|
||||
KeySource{
|
||||
Name: "kms",
|
||||
Keys: []MasterKey{
|
||||
Keys: []keys.MasterKey{
|
||||
&kms.MasterKey{
|
||||
Arn: "foo",
|
||||
}, &kms.MasterKey{
|
||||
@@ -221,7 +223,7 @@ func TestRemoveMasterKeys(t *testing.T) {
|
||||
},
|
||||
},
|
||||
}
|
||||
m.RemoveMasterKeys([]MasterKey{
|
||||
m.RemoveMasterKeys([]keys.MasterKey{
|
||||
&kms.MasterKey{
|
||||
Arn: "bar",
|
||||
},
|
||||
@@ -229,14 +231,13 @@ func TestRemoveMasterKeys(t *testing.T) {
|
||||
Arn: "foobar",
|
||||
},
|
||||
})
|
||||
assert.Equal(t, []MasterKey{
|
||||
assert.Equal(t, []keys.MasterKey{
|
||||
&kms.MasterKey{
|
||||
Arn: "foo",
|
||||
},
|
||||
}, m.KeySources[0].Keys)
|
||||
}
|
||||
|
||||
|
||||
func TestInsertOrReplaceValue(t *testing.T) {
|
||||
tree := TreeBranch{
|
||||
TreeItem{
|
||||
@@ -300,7 +301,7 @@ func TestInsertOrReplaceValue(t *testing.T) {
|
||||
},
|
||||
},
|
||||
TreeItem{
|
||||
Key: "foobar",
|
||||
Key: "foobar",
|
||||
Value: 100,
|
||||
},
|
||||
})
|
||||
|
||||