From d3d0267f4e3cb7bf1783d677c93864377c05ab6d Mon Sep 17 00:00:00 2001 From: Devin Burnette Date: Tue, 27 Mar 2018 17:36:45 -0400 Subject: [PATCH] deprecate filename_regex in favor of path_regex --- README.rst | 10 +++---- config/config.go | 27 ++++++++++++++++++- config/config_test.go | 63 ++++++++++++++++++++++++++++++++----------- 3 files changed, 78 insertions(+), 22 deletions(-) diff --git a/README.rst b/README.rst index 1dcd6b7f0..268181946 100644 --- a/README.rst +++ b/README.rst @@ -396,17 +396,17 @@ can manage the three sets of configurations for the three types of files: creation_rules: # upon creation of a file that matches the pattern *.dev.yaml, # KMS set A is used - - filename_regex: \.dev\.yaml$ + - path_regex: \.dev\.yaml$ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A' # prod files use KMS set B in the PROD IAM - - filename_regex: \.prod\.yaml$ + - path_regex: \.prod\.yaml$ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: '1022470DE3F0BC54BC6AB62DE05550BC07FB1A0A' # gcp files using GCP KMS - - filename_regex: \.gcp\.yaml$ + - path_regex: \.gcp\.yaml$ gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey # Finally, if the rules above have not matched, this one is a @@ -484,7 +484,7 @@ like so: .. code:: yaml creation_rules: - - filename_regex: .*keygroups.* + - path_regex: .*keygroups.* key_groups: # First key group - pgp: @@ -525,7 +525,7 @@ with `shamir_threshold`: .. code:: yaml creation_rules: - - filename_regex: .*keygroups.* + - path_regex: .*keygroups.* shamir_threshold: 2 key_groups: # First key group 
diff --git a/config/config.go b/config/config.go
index c74528fbf..cfe224f84 100644
--- a/config/config.go
+++ b/config/config.go
@@ -11,12 +11,20 @@ import (
 "regexp"
 
 "github.com/mozilla-services/yaml"
+ "github.com/sirupsen/logrus"
 "go.mozilla.org/sops"
 "go.mozilla.org/sops/gcpkms"
 "go.mozilla.org/sops/kms"
+ "go.mozilla.org/sops/logging"
 "go.mozilla.org/sops/pgp"
 )
 
+var log *logrus.Logger
+
+func init() {
+ log = logging.NewLogger("CONFIG")
+}
+
 type fileSystem interface {
 Stat(name string) (os.FileInfo, error)
 }
@@ -72,6 +80,7 @@ type kmsKey struct {
 
 type creationRule struct {
 FilenameRegex string `yaml:"filename_regex"`
+ PathRegex string `yaml:"path_regex"`
 KMS string
 PGP string
 GCPKMS string `yaml:"gcp_kms"`
@@ -103,10 +112,26 @@ func loadForFileFromBytes(confBytes []byte, filePath string, kmsEncryptionContex
 
 var rule *creationRule
 for _, r := range conf.CreationRules {
- if match, _ := regexp.MatchString(r.FilenameRegex, filePath); match {
+ if r.PathRegex == "" && r.FilenameRegex == "" {
 rule = &r
 break
 }
+ if r.PathRegex != "" && r.FilenameRegex != "" {
+ return nil, fmt.Errorf("error loading config: both filename_regex and path_regex were found, use only path_regex")
+ }
+ if r.FilenameRegex != "" {
+ if match, _ := regexp.MatchString(r.FilenameRegex, filePath); match {
+ log.Warn("The key: filename_regex will be removed in a future release. Instead use key: path_regex in your .sops.yaml file")
+ rule = &r
+ break
+ }
+ }
+ if r.PathRegex != "" {
+ if match, _ := regexp.MatchString(r.PathRegex, filePath); match {
+ rule = &r
+ break
+ }
+ }
 }
 
 if rule == nil {
diff --git a/config/config_test.go b/config/config_test.go
index 5a431b4f0..722f03b62 100644
--- a/config/config_test.go
+++ b/config/config_test.go
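Review bot: The package-level logger in the first config.go hunk is assigned inside an `init()` although it is a plain one-line initialisation; `var log = logging.NewLogger("CONFIG")` would declare and initialise it in one step and removes an init-time hook, provided NewLogger has no ordering dependency on other package initialisers (not visible here). The identifier `log` also shadows the standard `log` package for this file, which is only safe as long as the file never imports it.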
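Review bot: In the new matching loop the error returned by `regexp.MatchString` is discarded for both `filename_regex` and `path_regex`, so a rule whose pattern does not compile silently never matches and the file falls through to a later rule — possibly a catch-all carrying different keys — instead of failing loudly. Because this loop decides which keys a file is encrypted to, an invalid pattern should be surfaced as a configuration error in the same way the both-keys conflict just above it is. The deprecation warning is also logged on every match rather than once per load, which is acceptable but noisy. loadForFileFromBytes begins and ends outside the hunk.
```go
		// … unchanged: empty-rule short-circuit and both-keys conflict check …
		if r.FilenameRegex != "" {
			match, err := regexp.MatchString(r.FilenameRegex, filePath)
			if err != nil {
				return nil, fmt.Errorf("error loading config: invalid filename_regex %q: %v", r.FilenameRegex, err)
			}
			if match {
				log.Warn("The key: filename_regex will be removed in a future release. Instead use key: path_regex in your .sops.yaml file")
				rule = &r
				break
			}
		}
		if r.PathRegex != "" {
			match, err := regexp.MatchString(r.PathRegex, filePath)
			if err != nil {
				return nil, fmt.Errorf("error loading config: invalid path_regex %q: %v", r.PathRegex, err)
			}
			if match {
				rule = &r
				break
			}
		}
```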
@@ -44,11 +44,27 @@ func TestFindConfigFileCurrentDir(t *testing.T) {
 
 var sampleConfig = []byte(`
 creation_rules:
- - filename_regex: foobar*
+ - path_regex: foobar*
 kms: "1"
 pgp: "2"
 gcp_kms: "3"
- - filename_regex: ""
+ - path_regex: ""
+ kms: foo
+ pgp: bar
+ gcp_kms: baz
+`)
+
+var sampleConfigWithPath = []byte(`
+creation_rules:
+ - path_regex: foo/bar*
+ kms: "1"
+ pgp: "2"
+ gcp_kms: "3"
+ - filename_regex: "somefilename.yml"
+ kms: bilbo
+ pgp: baggins
+ gcp_kms: precious
+ - path_regex: ""
 kms: foo
 pgp: bar
 gcp_kms: baz
@@ -56,10 +72,10 @@ creation_rules:
 
 var sampleConfigWithGroups = []byte(`
 creation_rules:
- - filename_regex: foobar*
+ - path_regex: foobar*
 kms: "1"
 pgp: "2"
- - filename_regex: ""
+ - path_regex: ""
 key_groups:
 - kms:
 - arn: foo
@@ -84,16 +100,16 @@ func TestLoadConfigFile(t *testing.T) {
 expected := configFile{
 CreationRules: []creationRule{
 creationRule{
- FilenameRegex: "foobar*",
- KMS: "1",
- PGP: "2",
- GCPKMS: "3",
+ PathRegex: "foobar*",
+ KMS: "1",
+ PGP: "2",
+ GCPKMS: "3",
 },
 creationRule{
- FilenameRegex: "",
- KMS: "foo",
- PGP: "bar",
- GCPKMS: "baz",
+ PathRegex: "",
+ KMS: "foo",
+ PGP: "bar",
+ GCPKMS: "baz",
 },
 },
 }
@@ -108,12 +124,12 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 expected := configFile{
 CreationRules: []creationRule{
 {
- FilenameRegex: "foobar*",
- KMS: "1",
- PGP: "2",
+ PathRegex: "foobar*",
+ KMS: "1",
+ PGP: "2",
 },
 {
- FilenameRegex: "",
+ PathRegex: "",
 KeyGroups: []keyGroup{
 {
 KMS: []kmsKey{{Arn: "foo"}},
@@ -155,6 +171,21 @@ func TestKeyGroupsForFile(t *testing.T) {
 assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
 }
 
+func TestKeyGroupsForFileWithPath(t *testing.T) {
+ conf, err := loadForFileFromBytes(sampleConfigWithPath, "foo/bar2000", nil)
+ assert.Equal(t, nil, err)
+ assert.Equal(t, "2", conf.KeyGroups[0][0].ToString())
+ assert.Equal(t, "1", conf.KeyGroups[0][1].ToString())
+ conf, err = loadForFileFromBytes(sampleConfigWithPath, "somefilename.yml", nil)
+ assert.Equal(t, nil, err)
+ assert.Equal(t, "baggins", conf.KeyGroups[0][0].ToString())
+ assert.Equal(t, "bilbo", conf.KeyGroups[0][1].ToString())
+ conf, err = loadForFileFromBytes(sampleConfig, "whatever", nil)
+ assert.Equal(t, nil, err)
+ assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString())
+ assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString())
+}
+
 func TestKeyGroupsForFileWithGroups(t *testing.T) {
 conf, err := loadForFileFromBytes(sampleConfigWithGroups, "whatever", nil)
 assert.Equal(t, nil, err)
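Review bot: TestKeyGroupsForFileWithPath exercises only the matching paths and leaves the new conflict branch in loadForFileFromBytes — a rule carrying both `filename_regex` and `path_regex` — without a test, so the error could regress unnoticed. A short case such as `_, err = loadForFileFromBytes([]byte("creation_rules:\n  - path_regex: a\n    filename_regex: b\n"), "a", nil)` followed by `assert.NotNil(t, err)` would pin it. The fixture pattern `foo/bar*` is also unanchored and its `*` applies only to the final `r`, so it matches `foo/ba` anywhere in a path; that is harmless here but a tighter pattern like `^foo/bar` would make the intended prefix match explicit.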