Due to the AWS SDK addressing a bug, which causes it to be more strict
when loading a configured profile.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Replace the logging of failed encryption and decryption attempts from
error to info level.
This to address a regression in which an encryption or decryption
attempt with a series of keys would result in a list of failed attempts
logged to stderr even when the operation itself eventually succeeded.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
- github.com/aws/aws-sdk-go-v2 to v1.20.1
- github.com/aws/aws-sdk-go-v2/config to v1.18.33
- github.com/aws/aws-sdk-go-v2/credentials to v1.13.32
- github.com/aws/aws-sdk-go-v2/feature/s3/manager to v1.11.77
- github.com/aws/aws-sdk-go-v2/service/kms to v1.24.2
- github.com/aws/aws-sdk-go-v2/service/s3 to v1.38.2
- github.com/aws/aws-sdk-go-v2/service/sts to v1.21.2
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commit renames the Go module from `go.mozilla.org/sops/v3` to
`github.com/getsops/sops/v3` without a major version bump, to align
with new stewardship.
For more information around this change, refer to
https://github.com/getsops/sops/issues/1246.
For a one-liner to change the `go.mod` and any import paths in your
Go project making use of this module, run:
```
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
find /path/to/repo -type f \( -name "*.go" -o -name "go.mod" \) -exec sed -i '' 's|go.mozilla.org/sops/v3|github.com/getsops/sops/v3|g' {} \;
```
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Most of the rewritten key sources introduced `WithError` calls, which
does not appear to go well with the UX of the CLI. This reverts it to
be the semi equal to current `master`.
During the diff, I noticed the current age implementation in master
does make use of `WithError`. Which makes me wonder if errors are not
returned twice at present in the CLI.
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates the AWS SDK for Go to V2, adds extensive test coverage
based on a mocking server, and a general tidying of bits of code.
The improvements are based on a fork of the key source in the Flux
project's kustomize-controller, built due to SOPS' limitation around
credential management without relying on runtime environment variables.
- AWS SDK has been updated to V2. There are still bits in `publish/`
which would need updating to drop the dependency on V1.
- It introduces a `CredentialsProvider` type which holds an
`aws.CredentialsProvider`, and can be applied to the `MasterKey`.
When applied, the provider is used in the AWS client configuration
instead of relying on the SDK default (environmental) values.
This is most useful when working with SOPS as an SDK, in combination
with e.g. a local key service server implementation.
- Extensive test coverage. STS session implementation details are not
tested due to mocking complexities, but the wiring is.
The forked version of this has compatibility tests to ensure it works
with current SOPS:
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L134)
- 8b7e7ecb1a/internal/sops/awskms/keysource_test.go (L200)
Co-authored-by: Sanskar Jaiswal <sanskar.jaiswal@weave.works>
Signed-off-by: Hidde Beydals <hello@hidde.co>
* Sanitize hostname used for AWS STS role session name
From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html):
> The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
This fixes #441, which occurs when the hostname includes spaces and parentheses
* pr notes: wrap STS role session name regex compilation error
It's been around 9 months since our last vendor update. This is also
needed for some new features being worked on for sops workspace.
Additionally, this PR regenerates the kms mocks.
In SOPS 1.x, KMS encryption context was stored as a JSON object, but
SOPS 2.0 stored it as a comma-separated list of key/value pairs:
```
$ jq '.sops.kms | .[].context' encrypted-python
{
"a": "b",
"c": "d"
}
> jq '.sops.kms | .[].context' encrypted-go
"a:b,c:d"
```
The two outputs are incompatible with each other and caused a stack
trace when reading files encrypted with SOPS 1.x.
This patch restores read and output compatibility with SOPS 1.x.
Fixes #190.
