mirror of https://github.com/getsops/sops.git synced 2026-02-05 12:45:21 +01:00
Commit Graph

23 Commits

Author SHA1 Message Date
Hidde Beydals
02a866f27d age: improve identity loading, add tests, tidy
This adds improvements to identity loading, extensive test coverage
and a general tidying of bits of code. The improvements are based on a
fork of the age key source in the Flux project's kustomize-controller,
which was built due to SOPS' limitations around identity management
without relying on runtime environment variables.

- It introduces a `ParsedIdentity` type which contains a slice of age
  identities, and can be applied to the `MasterKey`. When applied,
  further loading of identities from the runtime environment is skipped
  for `Decrypt` operations. This is most useful when working with SOPS
  as an SDK, in combination with e.g. a local key service server
  implementation.
- The `Identity` field has been deprecated in the `MasterKey` struct.
  Presence of the field was misleading, as it is not actually used.
- Any detected identity reference is now loaded, instead of it assuming
  a priority order. This makes more sense, as age is able to work with
  a set of loaded identities. If no environment variables are defined,
  the existence of the keys.txt in the user's config directory is
  required.
- Decrypt logs have been added to match other key sources.
- Extensive test coverage.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-06-03 00:43:05 +02:00
Cedric Kienzler
1dc90ad1ab Add tests for single key
Adding tests to verify we do not break the usage of a single AGE key

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
2022-03-22 21:26:33 +01:00
Cedric Kienzler
b5f5f28c3c Make masterKeyFromRecipient private
In [this](https://github.com/mozilla/sops/pull/966#discussion_r830294838) comment
it was proposed to make `masterKeyFromRecipient` private to avoid
reintroducing this bug in the future.
Since I agree with the idea, this change will make the method private
and update all unit-tests to use the `MasterKeysFromRecipients` method
instead.

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
2022-03-20 23:04:12 +01:00
Cedric Kienzler
7ebee3dc7b This fixes a bug with age encryption when specifying multiple age recipients
I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.

I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.

However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:

```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```

However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.

After digging a bit through the code, I think this should fix it.

I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`.

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
2022-03-20 22:49:11 +01:00
AJ Bahnken
dff9c31411 Merge branch 'develop' into sops-age-key-env 2022-03-01 10:22:01 -08:00
Christian Hoffmeister
b7c58e4e56 Move age environment variable names to constants 2022-02-25 18:09:37 +01:00
AJ Bahnken
624c7d02b8 Merge pull request #842 from hiddeco/remove-unused-age-code
Remove unused age keysource code
2022-02-24 15:04:22 -08:00
Christian Hoffmeister
086c11d09b Support SOPS_AGE_KEY environment variable 2022-02-14 22:18:05 +01:00
Johan Fleury
fdf4517ce8 Trim space from age keys 2021-04-03 22:17:45 -04:00
Hidde Beydals
e98451e975 Remove unused age code
This removes two pieces of code in the age keysource that are not
actually used.

The `parsedIdentity` is technically a candidate to stay, but should
then be changed to a `[]*age.X25519Identity` type and be lazy-loaded
by `Decrypt` (with the result of `age.ParseIdentities`).

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-03-30 17:44:33 +02:00
Andreas
5d1376d56d Use age/armor for encrypted data key (#819)
* Use age/armor for encrypted data key

Currently the encrypted data key is stored as a binary value, and this
results in SOPS encrypted DOTENV files having weird binary characters.

This changes the encrypt/decrypt methods to use the armor reader writer
provided by: filippo.io/age/armor

Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>

* upgrade filippo.io/age to v1.0.0-beta7

Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>

* add unit test

Signed-off-by: Andreas Amstutz <tullo@users.noreply.github.com>

Co-authored-by: Andreas Amstutz <tullo@users.noreply.github.com>
2021-02-21 09:06:40 +01:00
Mikhail Katychev
0f2ebcf7ff added wrap verb to outputs (#817) 2021-02-17 22:21:20 +01:00
Jimmy Cuadra
e9acafced7 Update to age 1.0.0-beta5. 2020-09-21 13:00:36 -07:00
Cole Mickens
8f6271f5c8 age: MasterKeysFromRecipients: gracefully handle empty string 2020-09-21 12:48:16 -07:00
Cole Mickens
50a89c8293 age: .sops.yaml support 2020-09-21 12:48:16 -07:00
Jimmy Cuadra
6a6a9363da Use more concise style for constructing map. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
7f7ecbc18e Try decrypting with all possible keys in the keyfile. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
617db437de Use a single keys.txt file for age private keys. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
5c171c800c Don't swallow potential errors from os.Stat. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
d9b196c87c Determine age package path using current file rather than pwd. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
2741ab530a Use user config dir instead of home dir as the root for age keys. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
9e4cbc93cf Allow age key dir to be set with SOPS_AGE_KEY_DIR and add tests. 2020-09-21 12:47:15 -07:00
Jimmy Cuadra
e8d00046e1 Add support for age. 2020-09-21 12:47:13 -07:00