From 745a0631ba79d2503582d4356d700ca0a0f75afc Mon Sep 17 00:00:00 2001
From: Adrian Utrilla
Date: Thu, 17 Aug 2017 08:52:00 -0700
Subject: [PATCH] Move MasterKey to separate package to avoid import cycles
---
 cmd/sops/main.go | 5 +++--
 keys/keys.go | 11 +++++++++++
 sops.go | 33 ++++++++++++---------------------
 sops_test.go | 17 +++++++++--------
 4 files changed, 35 insertions(+), 31 deletions(-)
 create mode 100644 keys/keys.go
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 4a5e52c44..24bcb8471 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -22,6 +22,7 @@ import (
 "go.mozilla.org/sops/aes"
 "go.mozilla.org/sops/json"
+ "go.mozilla.org/sops/keys"
 "go.mozilla.org/sops/kms"
 "go.mozilla.org/sops/pgp"
 "go.mozilla.org/sops/yaml"
@@ -391,8 +392,8 @@ func decrypt(c *cli.Context, tree sops.Tree, outputStore sops.Store) ([]byte, er
 }
 func getKeySources(c *cli.Context, file string) ([]sops.KeySource, error) {
- var kmsKeys []sops.MasterKey
- var pgpKeys []sops.MasterKey
+ var kmsKeys []keys.MasterKey
+ var pgpKeys []keys.MasterKey
 kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
 if c.String("encryption-context") != "" && kmsEncryptionContext == nil {
 return nil, cli.NewExitError("Invalid KMS encryption context format", exitErrorInvalidKMSEncryptionContextFormat)
diff --git a/keys/keys.go b/keys/keys.go
new file mode 100644
index 000000000..f892ba71d
--- /dev/null
+++ b/keys/keys.go
@@ -0,0 +1,11 @@
+package keys
+
+// MasterKey provides a way of securing the key used to encrypt the Tree by encrypting and decrypting said key.
+type MasterKey interface {
+ Encrypt(dataKey []byte) error
+ EncryptIfNeeded(dataKey []byte) error
+ Decrypt() ([]byte, error)
+ NeedsRotation() bool
+ ToString() string
+ ToMap() map[string]interface{}
+}
diff --git a/sops.go b/sops.go
index d3530c0e2..02f729975 100644
--- a/sops.go
+++ b/sops.go
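Review bot: The new keys.MasterKey interface in keys/keys.go documents the type but none of its six methods, and this is now the contract every backend must satisfy from outside the package. The two points a maintainer most needs are not stated: that Decrypt hands back the unwrapped data key (per the type comment, the key that encrypts the Tree), which callers must treat as secret and never log or persist, and that ToString must render a stable, unique identifier, because sops.go's RemoveMasterKeys decides which keys to drop purely by comparing ToString() results. I'd add `// ToString returns a stable, unique identifier for this master key; Metadata.RemoveMasterKeys matches keys by comparing it.` and a similar one-liner on Decrypt. EncryptIfNeeded and NeedsRotation read as a rotation pair, but what "needed" means is not visible in this diff, so their comments should be written from the kms/pgp implementations rather than guessed here.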
@@ -43,6 +43,7 @@ import (
 "strings"
 "time"
+ "go.mozilla.org/sops/keys"
 "go.mozilla.org/sops/kms"
 "go.mozilla.org/sops/pgp"
 )
@@ -184,7 +185,7 @@ func (tree TreeBranch) walkBranch(in TreeBranch, path []string, onLeaves func(in
 }
 key, ok := item.Key.(string)
 if !ok {
- return nil, fmt.Errorf("Tree contains a non-string key (type %T): %s. Only string keys are" +
+ return nil, fmt.Errorf("Tree contains a non-string key (type %T): %s. Only string keys are"+
 "supported", item.Key, item.Key)
 }
 newV, err := tree.walkValue(item.Value, append(path, key), onLeaves)
@@ -293,17 +294,7 @@ type Metadata struct {
 // KeySource is a collection of MasterKeys with a Name.
 type KeySource struct {
 Name string
- Keys []MasterKey
-}
-
-// MasterKey provides a way of securing the key used to encrypt the Tree by encrypting and decrypting said key.
-type MasterKey interface {
- Encrypt(dataKey []byte) error
- EncryptIfNeeded(dataKey []byte) error
- Decrypt() ([]byte, error)
- NeedsRotation() bool
- ToString() string
- ToMap() map[string]interface{}
+ Keys []keys.MasterKey
 }
 // Store provides a way to load and save the sops tree along with metadata
@@ -325,12 +316,12 @@ func (m *Metadata) MasterKeyCount() int {
 }
 // RemoveMasterKeys removes all of the provided keys from the metadata's KeySources, if they exist there.
-func (m *Metadata) RemoveMasterKeys(keys []MasterKey) {
+func (m *Metadata) RemoveMasterKeys(masterKeys []keys.MasterKey) {
 for j, ks := range m.KeySources {
- var newKeys []MasterKey
+ var newKeys []keys.MasterKey
 for _, k := range ks.Keys {
 matchFound := false
- for _, keyToRemove := range keys {
+ for _, keyToRemove := range masterKeys {
 if k.ToString() == keyToRemove.ToString() {
 matchFound = true
 break
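Review bot: In the RemoveMasterKeys hunk the match is decided solely by `k.ToString() == keyToRemove.ToString()`, and now that MasterKey lives in the keys package nothing near this loop records that ToString is the identity contract; a backend author who changes ToString output (say, to add a human-readable label) would silently break key removal. That matters because this is the path an operator uses to revoke a master key, and a non-match here produces no error as far as the hunk shows. I'd put `// Keys are identified solely by ToString(); every keys.MasterKey implementation must render a stable, unique identifier here.` directly above the comparison. Renaming the parameter to masterKeys so it no longer shadows the keys import is the right call. The function body continues past the end of the hunk.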
@@ -374,7 +365,7 @@ func (m *Metadata) UpdateMasterKeys(dataKey []byte) (errs []error) {
 func (m *Metadata) AddPGPMasterKeys(pgpFps string) {
 for i, ks := range m.KeySources {
 if ks.Name == "pgp" {
- var keys []MasterKey
+ var keys []keys.MasterKey
 for _, k := range pgp.MasterKeysFromFingerprintString(pgpFps) {
 keys = append(keys, k)
 fmt.Printf("Adding new PGP master key: %X\n", k.Fingerprint)
@@ -389,7 +380,7 @@ func (m *Metadata) AddPGPMasterKeys(pgpFps string) {
 func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string) {
 for i, ks := range m.KeySources {
 if ks.Name == "kms" {
- var keys []MasterKey
+ var keys []keys.MasterKey
 for _, k := range kms.MasterKeysFromArnString(kmsArns, context) {
 keys = append(keys, k)
 fmt.Printf("Adding new KMS master key: %s\n", k.Arn)
@@ -402,7 +393,7 @@ func (m *Metadata) AddKMSMasterKeys(kmsArns string, context map[string]*string)
 // RemovePGPMasterKeys takes a comma separated string of PGP fingerprints and removes the keys corresponding to those fingerprints from the metadata's KeySources
 func (m *Metadata) RemovePGPMasterKeys(pgpFps string) {
- var keys []MasterKey
+ var keys []keys.MasterKey
 for _, k := range pgp.MasterKeysFromFingerprintString(pgpFps) {
 keys = append(keys, k)
 }
@@ -411,7 +402,7 @@ func (m *Metadata) RemovePGPMasterKeys(pgpFps string) {
 // RemoveKMSMasterKeys takes a comma separated string of AWS KMS ARNs and removes the keys corresponding to those ARNs from the metadata's KeySources
 func (m *Metadata) RemoveKMSMasterKeys(arns string) {
- var keys []MasterKey
+ var keys []keys.MasterKey
 for _, k := range kms.MasterKeysFromArnString(arns, nil) {
 keys = append(keys, k)
 }
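Review bot: `var keys []keys.MasterKey` in AddPGPMasterKeys compiles only because a Go variable's scope starts after its own declaration, so the package is still visible on the right-hand side; from the next line on, the local slice shadows the `keys` import for the rest of the function, and any future `keys.Something` reference there fails to compile with a misleading error. The commit already handles exactly this in RemoveMasterKeys by renaming the parameter to masterKeys, so the same rename belongs here: `var masterKeys []keys.MasterKey` and `masterKeys = append(masterKeys, k)`. The same pattern is introduced in the AddKMSMasterKeys, RemovePGPMasterKeys and RemoveKMSMasterKeys hunks on this line. Each of these functions continues past its hunk, so the remaining uses of the local would need renaming as well.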
@@ -525,7 +516,7 @@ func convertToMapStringInterface(in map[interface{}]interface{}) (map[string]int
 }
 func mapKMSEntriesToKeySource(in []interface{}) (KeySource, error) {
- var keys []MasterKey
+ var keys []keys.MasterKey
 keysource := KeySource{Name: "kms", Keys: keys}
 for _, v := range in {
 entry, ok := v.(map[string]interface{})
@@ -559,7 +550,7 @@ func mapKMSEntriesToKeySource(in []interface{}) (KeySource, error) {
 }
 func mapPGPEntriesToKeySource(in []interface{}) (KeySource, error) {
- var keys []MasterKey
+ var keys []keys.MasterKey
 keysource := KeySource{Name: "pgp", Keys: keys}
 for _, v := range in {
 entry, ok := v.(map[string]interface{})
diff --git a/sops_test.go b/sops_test.go
index 03ac71da5..9f321db65 100644
--- a/sops_test.go
+++ b/sops_test.go
@@ -2,11 +2,13 @@ package sops
 import (
 "bytes"
- "github.com/stretchr/testify/assert"
- "go.mozilla.org/sops/aes"
- "go.mozilla.org/sops/kms"
 "reflect"
 "testing"
+
+ "github.com/stretchr/testify/assert"
+ "go.mozilla.org/sops/aes"
+ "go.mozilla.org/sops/keys"
+ "go.mozilla.org/sops/kms"
 )
 func TestUnencryptedSuffix(t *testing.T) {
@@ -208,7 +210,7 @@ func TestRemoveMasterKeys(t *testing.T) {
 KeySources: []KeySource{
 KeySource{
 Name: "kms",
- Keys: []MasterKey{
+ Keys: []keys.MasterKey{
 &kms.MasterKey{
 Arn: "foo",
 }, &kms.MasterKey{
@@ -221,7 +223,7 @@ func TestRemoveMasterKeys(t *testing.T) {
 },
 },
 }
- m.RemoveMasterKeys([]MasterKey{
+ m.RemoveMasterKeys([]keys.MasterKey{
 &kms.MasterKey{
 Arn: "bar",
 },
@@ -229,14 +231,13 @@ func TestRemoveMasterKeys(t *testing.T) {
 Arn: "foobar",
 },
 })
- assert.Equal(t, []MasterKey{
+ assert.Equal(t, []keys.MasterKey{
 &kms.MasterKey{
 Arn: "foo",
 },
 }, m.KeySources[0].Keys)
 }
-
 func TestInsertOrReplaceValue(t *testing.T) {
 tree := TreeBranch{
 TreeItem{
@@ -300,7 +301,7 @@ func TestInsertOrReplaceValue(t *testing.T) {
 },
 },
 TreeItem{
- Key: "foobar",
+ Key: "foobar",
 Value: 100,
 },
 })
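Review bot: mapKMSEntriesToKeySource now declares `var keys []keys.MasterKey`, which shadows the `keys` import for the remainder of the function the moment it is declared, the same trap the commit fixed in RemoveMasterKeys by renaming to masterKeys; the parser helpers are the likeliest place a future `keys.`-qualified name is needed, so I'd apply the rename here and in mapPGPEntriesToKeySource: `var masterKeys []keys.MasterKey` followed by `keysource := KeySource{Name: "kms", Keys: masterKeys}`. Note that keysource captures the nil slice header before the loop starts; whether the loop appends to keysource.Keys or to the local is outside the hunk, so I can't confirm from here that entries end up in the returned KeySource. Both functions continue past their hunks.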