
deprecate filename_regex in favor of path_regex

This commit is contained in:
Devin Burnette
2018-03-27 17:36:45 -04:00
parent 68cf5aa561
commit d3d0267f4e
3 changed files with 78 additions and 22 deletions


@@ -396,17 +396,17 @@ can manage the three sets of configurations for the three types of files:
creation_rules:
# upon creation of a file that matches the pattern *.dev.yaml,
# KMS set A is used
- filename_regex: \.dev\.yaml$
- path_regex: \.dev\.yaml$
kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod'
pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
# prod files use KMS set B in the PROD IAM
- filename_regex: \.prod\.yaml$
- path_regex: \.prod\.yaml$
kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod'
pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A'
# gcp files using GCP KMS
- filename_regex: \.gcp\.yaml$
- path_regex: \.gcp\.yaml$
gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey
# Finally, if the rules above have not matched, this one is a
@@ -484,7 +484,7 @@ like so:
.. code:: yaml
creation_rules:
- filename_regex: .*keygroups.*
- path_regex: .*keygroups.*
key_groups:
# First key group
- pgp:
@@ -525,7 +525,7 @@ with `shamir_threshold`:
.. code:: yaml
creation_rules:
- filename_regex: .*keygroups.*
- path_regex: .*keygroups.*
shamir_threshold: 2
key_groups:
# First key group


@@ -11,12 +11,20 @@ import (
"regexp"
"github.com/mozilla-services/yaml"
"github.com/sirupsen/logrus"
"go.mozilla.org/sops"
"go.mozilla.org/sops/gcpkms"
"go.mozilla.org/sops/kms"
"go.mozilla.org/sops/logging"
"go.mozilla.org/sops/pgp"
)
var log *logrus.Logger
func init() {
log = logging.NewLogger("CONFIG")
}
type fileSystem interface {
Stat(name string) (os.FileInfo, error)
}
@@ -72,6 +80,7 @@ type kmsKey struct {
type creationRule struct {
FilenameRegex string `yaml:"filename_regex"`
PathRegex string `yaml:"path_regex"`
KMS string
PGP string
GCPKMS string `yaml:"gcp_kms"`
@@ -103,10 +112,26 @@ func loadForFileFromBytes(confBytes []byte, filePath string, kmsEncryptionContex
var rule *creationRule
for _, r := range conf.CreationRules {
if match, _ := regexp.MatchString(r.FilenameRegex, filePath); match {
if r.PathRegex == "" && r.FilenameRegex == "" {
rule = &r
break
}
if r.PathRegex != "" && r.FilenameRegex != "" {
return nil, fmt.Errorf("error loading config: both filename_regex and path_regex were found, use only path_regex")
}
if r.FilenameRegex != "" {
if match, _ := regexp.MatchString(r.FilenameRegex, filePath); match {
log.Warn("The key: filename_regex will be removed in a future release. Instead use key: path_regex in your .sops.yaml file")
rule = &r
break
}
}
if r.PathRegex != "" {
if match, _ := regexp.MatchString(r.PathRegex, filePath); match {
rule = &r
break
}
}
}
if rule == nil {
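Review bot: The error returned by `regexp.MatchString` is discarded on the new `path_regex` branch (`match, _ :=`), as it already was on the retained `filename_regex` branch, so a rule whose pattern fails to compile silently never matches and selection falls through to a later rule — with a `.sops.yaml` shaped like the README example that could mean a prod file being encrypted under the dev key set, because the rule picked here decides which KMS/PGP keys can decrypt the file. A malformed regex should be a hard error from `loadForFileFromBytes`, consistent with the hard error the commit adds for a rule carrying both keys; the pattern is also recompiled on every call, which is harmless but worth noting. The enclosing `loadForFileFromBytes` starts and ends outside this hunk.
```go
	// … unchanged: empty-rule catch-all and both-keys rejection …
	if r.FilenameRegex != "" {
		match, err := regexp.MatchString(r.FilenameRegex, filePath)
		if err != nil {
			return nil, fmt.Errorf("error loading config: invalid filename_regex %q: %v", r.FilenameRegex, err)
		}
		if match {
			log.Warn("The key: filename_regex will be removed in a future release. Instead use key: path_regex in your .sops.yaml file")
			rule = &r
			break
		}
	}
	if r.PathRegex != "" {
		match, err := regexp.MatchString(r.PathRegex, filePath)
		if err != nil {
			return nil, fmt.Errorf("error loading config: invalid path_regex %q: %v", r.PathRegex, err)
		}
		if match {
			rule = &r
			break
		}
	}
```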


@@ -44,11 +44,27 @@ func TestFindConfigFileCurrentDir(t *testing.T) {
var sampleConfig = []byte(`
creation_rules:
- filename_regex: foobar*
- path_regex: foobar*
kms: "1"
pgp: "2"
gcp_kms: "3"
- filename_regex: ""
- path_regex: ""
kms: foo
pgp: bar
gcp_kms: baz
`)
var sampleConfigWithPath = []byte(`
creation_rules:
- path_regex: foo/bar*
kms: "1"
pgp: "2"
gcp_kms: "3"
- filename_regex: "somefilename.yml"
kms: bilbo
pgp: baggins
gcp_kms: precious
- path_regex: ""
kms: foo
pgp: bar
gcp_kms: baz
@@ -56,10 +72,10 @@ creation_rules:
var sampleConfigWithGroups = []byte(`
creation_rules:
- filename_regex: foobar*
- path_regex: foobar*
kms: "1"
pgp: "2"
- filename_regex: ""
- path_regex: ""
key_groups:
- kms:
- arn: foo
@@ -84,16 +100,16 @@ func TestLoadConfigFile(t *testing.T) {
expected := configFile{
CreationRules: []creationRule{
creationRule{
FilenameRegex: "foobar*",
KMS: "1",
PGP: "2",
GCPKMS: "3",
PathRegex: "foobar*",
KMS: "1",
PGP: "2",
GCPKMS: "3",
},
creationRule{
FilenameRegex: "",
KMS: "foo",
PGP: "bar",
GCPKMS: "baz",
PathRegex: "",
KMS: "foo",
PGP: "bar",
GCPKMS: "baz",
},
},
}
@@ -108,12 +124,12 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
expected := configFile{
CreationRules: []creationRule{
{
FilenameRegex: "foobar*",
KMS: "1",
PGP: "2",
PathRegex: "foobar*",
KMS: "1",
PGP: "2",
},
{
FilenameRegex: "",
PathRegex: "",
KeyGroups: []keyGroup{
{
KMS: []kmsKey{{Arn: "foo"}},
@@ -155,6 +171,21 @@ func TestKeyGroupsForFile(t *testing.T) {
assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
}
func TestKeyGroupsForFileWithPath(t *testing.T) {
conf, err := loadForFileFromBytes(sampleConfigWithPath, "foo/bar2000", nil)
assert.Equal(t, nil, err)
assert.Equal(t, "2", conf.KeyGroups[0][0].ToString())
assert.Equal(t, "1", conf.KeyGroups[0][1].ToString())
conf, err = loadForFileFromBytes(sampleConfigWithPath, "somefilename.yml", nil)
assert.Equal(t, nil, err)
assert.Equal(t, "baggins", conf.KeyGroups[0][0].ToString())
assert.Equal(t, "bilbo", conf.KeyGroups[0][1].ToString())
conf, err = loadForFileFromBytes(sampleConfig, "whatever", nil)
assert.Equal(t, nil, err)
assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString())
assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
}
func TestKeyGroupsForFileWithGroups(t *testing.T) {
conf, err := loadForFileFromBytes(sampleConfigWithGroups, "whatever", nil)
assert.Equal(t, nil, err)
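Review bot: The new `TestKeyGroupsForFileWithPath` exercises the rename and the mixed old/new fixture, but nothing asserts the rejection the commit introduces — a rule that sets both `filename_regex` and `path_regex` must now make `loadForFileFromBytes` return an error, and a regression there would go unnoticed. A small fixture with both keys plus `assert.NotEqual(t, nil, err)` pins that behaviour. Separately, the third assertion group in the new test loads `sampleConfig` rather than `sampleConfigWithPath`; both fixtures end in the same catch-all so the assertions still hold, but if the intent was to check fallthrough of the path-based config it presumably meant `sampleConfigWithPath`, and a one-line comment stating which fixture is deliberate would avoid the misread. `TestKeyGroupsForFileWithGroups` continues past the end of this hunk.
```go
var sampleConfigWithBothKeys = []byte(`
creation_rules:
  - filename_regex: foobar*
    path_regex: foobar*
    kms: "1"
    pgp: "2"
`)

func TestLoadConfigRejectsBothRegexKeys(t *testing.T) {
	// Either a plain error or nil conf is acceptable here; the point is that it must not pick a rule.
	_, err := loadForFileFromBytes(sampleConfigWithBothKeys, "foobar", nil)
	assert.NotEqual(t, nil, err)
}
```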