
Add HashiCorp Vault support (#655)

* feat: initial adding of vault transit backend to sops
initial work on integration
feat(vault): added cli commands working for vault

fix(vault): fixed config with correct tests

fix(vault): added vault to keygroup and to keyservice server

fixed metadata load

* feat(docs): added docs in README.md and in command help

fix(doc): fix rst formatting"

fix(doc): fix rst formatting

* fix(vault): addressed typos and fixes from autrilla

feat(cli): moved vault to hc-vault naming

* fix(test): typo while rebasing

* fix typos and imporve error messages for vault kms

* rename package from vault to hcvault

* refactor vault keysource url validation

* add negative test cases  for vault keysource

* add hc vault transit config option via objects
additional to URIs

* remove vault_example.yml

* streamline key name to snake case

* rename `BackendPath` to `EnginePath` for hc vault

* correction in hc-vault-transit commands

Signed-off-by: vnzongzna <github@vaibhavk.in>

* resolving conflict

Signed-off-by: vnzongzna <github@vaibhavk.in>

* Apply suggestions from code review

Co-Authored-By: Adrian Utrilla <adrianutrilla@gmail.com>

* allowing only hc_vault_transit_uri as input

Co-Authored-By: gitirabassi
Co-Authored-By: ldue
Signed-off-by: vnzongzna <github@vaibhavk.in>

Co-authored-by: gitirabassi <giacomo@tirabassi.eu>
Co-authored-by: ldue <larsduennwald@gmail.com>
Co-authored-by: Vaibhav Kaushik <vaibhavkaushik@vaibhavka-ltm1.internal.salesforce.com>
Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>
This commit is contained in:
Vaibhav Kaushik
2020-05-05 00:57:51 +05:30
committed by GitHub
parent 8f93ee37a7
commit e4abd871c7
15 changed files with 1197 additions and 259 deletions


@@ -15,6 +15,7 @@ import (
"go.mozilla.org/sops/v3"
"go.mozilla.org/sops/v3/azkv"
"go.mozilla.org/sops/v3/gcpkms"
"go.mozilla.org/sops/v3/hcvault"
"go.mozilla.org/sops/v3/kms"
"go.mozilla.org/sops/v3/logging"
"go.mozilla.org/sops/v3/pgp"
@@ -69,6 +70,7 @@ type keyGroup struct {
KMS []kmsKey
GCPKMS []gcpKmsKey `yaml:"gcp_kms"`
AzureKV []azureKVKey `yaml:"azure_keyvault"`
Vault []string `yaml:"hc_vault"`
PGP []string
}
@@ -110,6 +112,7 @@ type creationRule struct {
PGP string
GCPKMS string `yaml:"gcp_kms"`
AzureKeyVault string `yaml:"azure_keyvault"`
VaultURI string `yaml:"hc_vault_transit_uri"`
KeyGroups []keyGroup `yaml:"key_groups"`
ShamirThreshold int `yaml:"shamir_threshold"`
UnencryptedSuffix string `yaml:"unencrypted_suffix"`
@@ -154,6 +157,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
for _, k := range group.AzureKV {
keyGroup = append(keyGroup, azkv.NewMasterKey(k.VaultURL, k.Key, k.Version))
}
for _, k := range group.Vault {
if masterKey, err := hcvault.NewMasterKeyFromURI(k); err == nil {
keyGroup = append(keyGroup, masterKey)
} else {
return nil, err
}
}
groups = append(groups, keyGroup)
}
} else {
@@ -174,6 +184,13 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
for _, k := range azureKeys {
keyGroup = append(keyGroup, k)
}
vaultKeys, err := hcvault.NewMasterKeysFromURIs(cRule.VaultURI)
if err != nil {
return nil, err
}
for _, k := range vaultKeys {
keyGroup = append(keyGroup, k)
}
groups = append(groups, keyGroup)
}
return groups, nil
@@ -250,7 +267,7 @@ func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptio
var dest publish.Destination
if dRule != nil {
if dRule.S3Bucket != "" && dRule.GCSBucket != "" && dRule.VaultPath != "" {
return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule.")
return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule")
}
if dRule.S3Bucket != "" {
dest = publish.NewS3Destination(dRule.S3Bucket, dRule.S3Prefix)
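Review bot: The guard at the top of parseDestinationRuleForFile in the last hunk only fires when all three destinations are set, because the checks are joined with `&&`; a rule that sets, say, both `s3_bucket` and `vault_path` passes it, so the "more than one destinations" promise in the message is not kept, and the hunk only trims the message's trailing period. Counting the non-empty fields is clearer than three pairwise tests: `n := 0; for _, d := range []string{dRule.S3Bucket, dRule.GCSBucket, dRule.VaultPath} { if d != "" { n++ } }` followed by `if n > 1 {`. Which destination wins for an ambiguous rule today depends on the `if` chain that follows, which runs past the end of the hunk, so that behaviour is not visible here. parseDestinationRuleForFile starts before the hunk; separately, the `group.Vault` loop in the third hunk would read more idiomatically with the error branch first (`masterKey, err := ...; if err != nil { return nil, err }`) and matches the error-first shape used for `vaultKeys` in the hunk below it.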


@@ -48,10 +48,12 @@ creation_rules:
kms: "1"
pgp: "2"
gcp_kms: "3"
hc_vault_transit_uri: http://4:8200/v1/4/keys/4
- path_regex: ""
kms: foo
pgp: bar
gcp_kms: baz
hc_vault_transit_uri: http://127.0.1.1/v1/baz/keys/baz
`)
var sampleConfigWithPath = []byte(`
@@ -60,14 +62,17 @@ creation_rules:
kms: "1"
pgp: "2"
gcp_kms: "3"
hc_vault_uris: http://4:8200/v1/4/keys/4
- path_regex: somefilename.yml
kms: bilbo
pgp: baggins
gcp_kms: precious
hc_vault_uris: https://pluto/v1/pluto/keys/pluto
- path_regex: ""
kms: foo
pgp: bar
gcp_kms: baz
hc_vault_uris: https://foz:443/v1/foz/keys/foz
`)
var sampleConfigWithGroups = []byte(`
@@ -87,6 +92,8 @@ creation_rules:
- vaultUrl: https://foo.vault.azure.net
key: foo-key
version: fooversion
hc_vault:
- 'https://foo.vault:8200/v1/foo/keys/foo-key'
- kms:
- arn: baz
pgp:
@@ -98,6 +105,8 @@ creation_rules:
- vaultUrl: https://bar.vault.azure.net
key: bar-key
version: barversion
hc_vault:
- 'https://baz.vault:8200/v1/baz/keys/baz-key'
`)
var sampleConfigWithSuffixParameters = []byte(`
@@ -135,6 +144,7 @@ creation_rules:
- path_regex: foobar*
kms: "1"
pgp: "2"
hc_vault_uris: "https://vault.com/v1/bug/keys/pr"
unencrypted_suffix: _unencrypted
encrypted_suffix: _enc
`)
@@ -212,12 +222,14 @@ func TestLoadConfigFile(t *testing.T) {
KMS: "1",
PGP: "2",
GCPKMS: "3",
VaultURI: "http://4:8200/v1/4/keys/4",
},
{
PathRegex: "",
KMS: "foo",
PGP: "bar",
GCPKMS: "baz",
VaultURI: "http://127.0.1.1/v1/baz/keys/baz",
},
},
}
@@ -244,6 +256,7 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
PGP: []string{"bar"},
GCPKMS: []gcpKmsKey{{ResourceID: "foo"}},
AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}},
Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"},
},
{
KMS: []kmsKey{{Arn: "baz"}},
@@ -253,6 +266,7 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
{ResourceID: "baz"},
},
AzureKV: []azureKVKey{{VaultURL: "https://bar.vault.azure.net", Key: "bar-key", Version: "barversion"}},
Vault: []string{"https://baz.vault:8200/v1/baz/keys/baz-key"},
},
},
},
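Review bot: The `sampleConfigWithPath` and `sampleConfigWithSuffixParameters` fixtures use the key `hc_vault_uris` (the `http://4:8200/...`, `https://pluto/...`, `https://foz:443/...` and `https://vault.com/v1/bug/keys/pr` lines), while the struct tag the commit adds to creationRule is `hc_vault_transit_uri` and the first fixture already uses that name. If the config loader is lenient those entries are silently ignored and the vault keys never reach the rule, so the tests built on those fixtures cannot catch a regression in that path; if it is strict the fixture would fail to load — either way the mismatch is not intended. Rename them to `hc_vault_transit_uri:` and add matching `VaultURI:` expectations for those rules so the field is actually exercised. Several fixtures also use plain `http://` transit URIs; that is fine for a parse test, but a short comment such as `// http:// here is for parsing only; a real transit endpoint should be reached over TLS` would stop the fixture from being copied as a template, and whether hcvault.NewMasterKeyFromURI rejects non-TLS schemes is not visible from this file.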