getsops/sops
1
0
Fork 0
mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00
Code Issues Activity

Fix KMS encryption context not being passed when config is pre-loaded

Browse Source 
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Alex Shearn <alex.shearn@kraken.tech>
This commit is contained in:
Alex Shearn
2025-12-16 11:09:12 +00:00
parent fe9ab6eaf4
commit e50165dc41
2 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/sops/main.go
View File

@@ -1901,7 +1901,8 @@ func main() {
needsCreationRule := isEncryptMode || isRotateMode || isSetMode || isEditMode
var config *config.Config
if needsCreationRule {
config, err = loadConfig(c, fileNameOverride, nil)
kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context"))
config, err = loadConfig(c, fileNameOverride, kmsEncryptionContext)
if err != nil {
return toExitError(err)
}

28
config/config_test.go
View File

@@ -879,3 +879,31 @@ destination_rules:
assert.NotNil(t, conf.Destination)
assert.Contains(t, conf.Destination.Path("secrets.yaml"), "https://vault.example.com/v1/secret/data/secret/sops/secrets.yaml")
}
// TestKeyGroupsForFileWithExternalEncryptionContext tests that when kmsEncryptionContext
// is passed to parseCreationRuleForFile, the resulting KMS keys have the encryption context set.
// This is a regression test for https://github.com/getsops/sops/issues/1972
func TestKeyGroupsForFileWithExternalEncryptionContext(t *testing.T) {
// Config with flat KMS format (not key_groups) - this is where external context applies
var sampleConfigWithFlatKMS = []byte(`
creation_rules:
- path_regex: ""
kms: "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012"
`)
// External encryption context passed via --encryption-context flag
appName := "myapp"
kmsEncryptionContext := map[string]*string{
"AppName": &appName,
}
conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithFlatKMS, t), "/conf/path", "secrets.yaml", kmsEncryptionContext)
assert.Nil(t, err)
assert.NotNil(t, conf)
assert.Equal(t, 1, len(conf.KeyGroups))
assert.Equal(t, 1, len(conf.KeyGroups[0]))
// The KMS key should have the encryption context applied
// Format: ARN|context where context is "AppName:myapp"
assert.Equal(t, "arn:aws:kms:us-west-2:123456789012:key/12345678-1234-1234-1234-123456789012|AppName:myapp", conf.KeyGroups[0][0].ToString())
}