The original validation logic used AND (&&) operators which only
detected conflicts when ALL THREE destination types were specified.
This meant invalid two-way conflicts like s3_bucket + gcs_bucket
would silently pass validation.
Fixed by implementing proper counting-based validation that rejects
any configuration with more than one destination type specified.
Added comprehensive test coverage for all conflict scenarios:
- S3 + GCS conflicts
- S3 + Vault conflicts
- GCS + Vault conflicts
- All three destinations conflicts
- Positive tests for valid single destinations
Fixes a critical configuration validation bug that could lead to
unexpected publish behavior with misconfigured .sops.yaml files.
Signed-off-by: bruce-szalwinski-he <bruce.szalwinski@hotelengine.com>
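The two validation strategies the commit message contrasts, written out as an added illustration (not the project's own code). The `destinationRule` type, its field names and the error value are assumptions made for this example; the point is that a conjunction over three flags only fires when all three are present, while counting the populated destinations catches every two-way conflict as well.

```go
package main

import (
	"errors"
	"fmt"
)

// destinationRule mirrors the shape of a .sops.yaml destination rule with
// three mutually exclusive destination types. The type and field names are
// assumed for this example and are not the project's own definitions.
type destinationRule struct {
	S3Bucket  string
	GCSBucket string
	VaultPath string
}

// errMultipleDestinations is returned when more than one destination is set.
var errMultipleDestinations = errors.New("only one of s3_bucket, gcs_bucket or vault_path may be set")

// validateWithAnd reproduces the faulty logic the commit describes: the
// conjunction only trips when all three destinations are present at once,
// so a rule with s3_bucket + gcs_bucket passes silently.
func validateWithAnd(r destinationRule) error {
	if r.S3Bucket != "" && r.GCSBucket != "" && r.VaultPath != "" {
		return errMultipleDestinations
	}
	return nil
}

// validateByCount is the corrected approach: count the populated
// destinations and reject any rule with more than one, whichever pair it is.
func validateByCount(r destinationRule) error {
	count := 0
	for _, v := range []string{r.S3Bucket, r.GCSBucket, r.VaultPath} {
		if v != "" {
			count++
		}
	}
	if count > 1 {
		return fmt.Errorf("%w (got %d)", errMultipleDestinations, count)
	}
	return nil
}

func main() {
	// Constructed sample rules covering the scenarios listed in the commit.
	cases := []struct {
		name string
		rule destinationRule
	}{
		{"s3 only", destinationRule{S3Bucket: "example-bucket"}},
		{"s3 + gcs", destinationRule{S3Bucket: "example-bucket", GCSBucket: "example-gcs"}},
		{"gcs + vault", destinationRule{GCSBucket: "example-gcs", VaultPath: "secret/example"}},
		{"all three", destinationRule{S3Bucket: "b", GCSBucket: "g", VaultPath: "v"}},
	}
	for _, c := range cases {
		fmt.Printf("%-12s and-logic=%v  count-logic=%v\n", c.name, validateWithAnd(c.rule), validateByCount(c.rule))
	}
}
```

Running it shows the and-logic returning nil for every two-way conflict while the counting logic rejects each of them and still accepts single-destination rules.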
This will allow setting parameters specific to each store, such as the
indentation level for YAML.
Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com>
Signed-off-by: James J. Goodhouse <jgoodhouse@newrelic.com>
Deprecation of `io/ioutil`, removal of unused functions, possible nil
pointer dereference, and other tiny nits.
There are (many) more, but these would require their own (commit)
context.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
# GNU sed (Linux): -i edits in place with no backup suffix
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
# BSD sed (macOS): -i requires an explicit (here empty) backup suffix
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
I encountered an issue when I tried to specify multiple age recipients
in the .sops.yaml config file of my repository.
I tried running `sops --age 'agePubKey1,agePubKey2' -e -i values.secret.yaml`
which produced an appropriate file with two entries in the `/sops/age/-`
part of the encrypted yaml file.
However, I then continued to set multiple recipients in my .sops.yaml
file to simplify handling:
```yaml
creation_rules:
  - encrypted_regex: '^(data|stringData|spec)$'
    age: 'agePubKey1,agePubKey2'
```
However, this resulted in encryption only being done for the first
specified agePubKey, not the second or third one.
After digging a bit through the code, I think this should fix it.
I verified the fix locally on my machine and got it working. Also adding
some unit tests and extending the repository examples so they can be
decrypted using the age keys provided in `age/keys.txt`
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
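As an added illustration of the behaviour this commit message describes (not the project's own code), the helper below splits a comma-separated `age:` value into individual recipients, trimming whitespace, dropping empty entries and rejecting anything that does not carry the `age1` public-key prefix. The function name and the sample key strings are constructed for this example; a parser that stopped after the first element would reproduce the one-recipient bug.

```go
package main

import (
	"fmt"
	"strings"
)

// parseAgeRecipients turns the string form of an `age:` value, as found in a
// .sops.yaml creation rule, into a list of recipients. It accepts
// comma-separated keys with optional surrounding whitespace, ignores empty
// entries (trailing commas, blank lines) and drops duplicates. Every
// recipient must start with the "age1" prefix used by age public keys.
// The function name is an assumption for this example.
func parseAgeRecipients(value string) ([]string, error) {
	seen := make(map[string]bool)
	var recipients []string
	for _, part := range strings.Split(value, ",") {
		key := strings.TrimSpace(part)
		if key == "" {
			continue
		}
		if !strings.HasPrefix(key, "age1") {
			return nil, fmt.Errorf("invalid age recipient %q: expected an age1... public key", key)
		}
		if seen[key] {
			continue
		}
		seen[key] = true
		recipients = append(recipients, key)
	}
	if len(recipients) == 0 {
		return nil, fmt.Errorf("no age recipients found in %q", value)
	}
	return recipients, nil
}

func main() {
	// Constructed sample value with two placeholder recipients, as it would
	// appear after the YAML loader has read the `age:` string.
	value := "age1examplerecipientone, age1examplerecipienttwo,"
	recipients, err := parseAgeRecipients(value)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Encrypting to recipients[0] only is exactly the bug; the whole slice
	// must be passed to the key group.
	for i, r := range recipients {
		fmt.Printf("recipient %d: %s\n", i+1, r)
	}
}
```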
* Add another test (that currently fails).
* First shot at using yaml.v3 for reading YAML files with comments.
* Allow parsing multi-document YAML files.
* Use Decoder to parse multi-part documents.
* Use yaml.v3 for config and audit.
* First step of serializing YAML using yaml.v3.
* Always serialize with yaml.v3.
* Remove debug prints.
* Remove traces of github.com/mozilla-services/yaml.
* Improve serialization of documents consisting only of comments.
* Improve handling of some empty documents.
* Adjust to latest changes in go-yaml/yaml#684.
* Bump yaml.v3 version, temporarily disable failing tests.
* Run go mod tidy.
* Fix CI.
* feat: initial adding of vault transit backend to sops
initial work on integration
feat(vault): added cli commands working for vault
fix(vault): fixed config with correct tests
fix(vault): added vault to keygroup and to keyservice server
fixed metadata load
* feat(docs): added docs in README.md and in command help
fix(doc): fix rst formatting
fix(doc): fix rst formatting
* fix(vault): addressed typos and fixes from autrilla
feat(cli): moved vault to hc-vault naming
* fix(test): typo while rebasing
* fix typos and improve error messages for vault kms
* rename package from vault to hcvault
* refactor vault keysource url validation
* add negative test cases for vault keysource
* add hc vault transit config option via objects
additional to URIs
* remove vault_example.yml
* streamline key name to snake case
* rename `BackendPath` to `EnginePath` for hc vault
* correction in hc-vault-transit commands
Signed-off-by: vnzongzna <github@vaibhavk.in>
* resolving conflict
Signed-off-by: vnzongzna <github@vaibhavk.in>
* Apply suggestions from code review
Co-Authored-By: Adrian Utrilla <adrianutrilla@gmail.com>
* allowing only hc_vault_transit_uri as input
Co-Authored-By: gitirabassi
Co-Authored-By: ldue
Signed-off-by: vnzongzna <github@vaibhavk.in>
Co-authored-by: gitirabassi <giacomo@tirabassi.eu>
Co-authored-by: ldue <larsduennwald@gmail.com>
Co-authored-by: Vaibhav Kaushik <vaibhavkaushik@vaibhavka-ltm1.internal.salesforce.com>
Co-authored-by: Adrian Utrilla <adrianutrilla@gmail.com>