Skip to content

Commit c822b55

Browse files
bkreitchGMartinez-SistifelixfonteinPh0tonichiddeco
committed
Sort masterkeys according to decryption-order
Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
1 parent 3028179 commit c822b55

File tree

21 files changed

+374
-145
lines changed

21 files changed

+374
-145
lines changed

README.rst

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -170,6 +170,11 @@ Given that, the only command a SOPS user needs is:
170170
encrypted if modified, and saved back to its original location. All of these
171171
steps, apart from the actual editing, are transparent to the user.
172172

173+
The order in which available decryption methods are tried can be specified with
174+
``--decryption-order`` option or **SOPS_DECRYPTION_ORDER** environment variable
175+
as a comma separated list. The default order is ``age,pgp``. Offline methods are
176+
tried first and then the remaining ones.
177+
173178
Test with the dev PGP key
174179
~~~~~~~~~~~~~~~~~~~~~~~~~
175180

age/keysource.go

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,8 +12,9 @@ import (
1212

1313
"filippo.io/age"
1414
"filippo.io/age/armor"
15-
"github.com/getsops/sops/v3/logging"
1615
"github.com/sirupsen/logrus"
16+
17+
"github.com/getsops/sops/v3/logging"
1718
)
1819

1920
const (
@@ -28,6 +29,8 @@ const (
2829
SopsAgeKeyUserConfigPath = "sops/age/keys.txt"
2930
// On macOS, os.UserConfigDir() ignores XDG_CONFIG_HOME. So we handle that manually.
3031
xdgConfigHome = "XDG_CONFIG_HOME"
32+
// KeyTypeIdentifier is the string used to identify an age MasterKey.
33+
KeyTypeIdentifier = "age"
3134
)
3235

3336
// log is the global logger for any age MasterKey.
@@ -225,6 +228,11 @@ func (key *MasterKey) ToMap() map[string]interface{} {
225228
return out
226229
}
227230

231+
// TypeToIdentifier returns the string identifier for the MasterKey type.
232+
func (key *MasterKey) TypeToIdentifier() string {
233+
return KeyTypeIdentifier
234+
}
235+
228236
func getUserConfigDir() (string, error) {
229237
if runtime.GOOS == "darwin" {
230238
if userConfigDir, ok := os.LookupEnv(xdgConfigHome); ok && userConfigDir != "" {

azkv/keysource.go

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,11 @@ import (
2222
"github.com/getsops/sops/v3/logging"
2323
)
2424

25+
const (
26+
// KeyTypeIdentifier is the string used to identify an Azure Key Vault MasterKey.
27+
KeyTypeIdentifier = "azure_kv"
28+
)
29+
2530
var (
2631
// log is the global logger for any Azure Key Vault MasterKey.
2732
log *logrus.Logger
@@ -215,6 +220,11 @@ func (key MasterKey) ToMap() map[string]interface{} {
215220
return out
216221
}
217222

223+
// TypeToIdentifier returns the string identifier for the MasterKey type.
224+
func (key *MasterKey) TypeToIdentifier() string {
225+
return KeyTypeIdentifier
226+
}
227+
218228
// getTokenCredential returns the tokenCredential of the MasterKey, or
219229
// azidentity.NewDefaultAzureCredential.
220230
func (key *MasterKey) getTokenCredential() (azcore.TokenCredential, error) {

cmd/sops/codes/codes.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ const (
2525
NoFileSpecified int = 100
2626
CouldNotRetrieveKey int = 128
2727
NoEncryptionKeyFound int = 111
28+
DuplicateDecryptionKeyType int = 112
2829
FileHasNotBeenModified int = 200
2930
NoEditorFound int = 201
3031
FailedToCompareVersions int = 202

cmd/sops/common/common.go

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,8 @@ type DecryptTreeOpts struct {
7272
Tree *sops.Tree
7373
// KeyServices are the key services to be used for decryption of the data key
7474
KeyServices []keyservice.KeyServiceClient
75+
// DecryptionOrder is the order in which available decryption methods are tried
76+
DecryptionOrder []string
7577
// IgnoreMac is whether or not to ignore the Message Authentication Code included in the SOPS tree
7678
IgnoreMac bool
7779
// Cipher is the cryptographic cipher to use to decrypt the values inside the tree
@@ -80,7 +82,7 @@ type DecryptTreeOpts struct {
8082

8183
// DecryptTree decrypts the tree passed in through the DecryptTreeOpts and additionally returns the decrypted data key
8284
func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error) {
83-
dataKey, err = opts.Tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices)
85+
dataKey, err = opts.Tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices, opts.DecryptionOrder)
8486
if err != nil {
8587
return nil, NewExitError(err, codes.CouldNotRetrieveKey)
8688
}
@@ -222,11 +224,12 @@ func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex in
222224

223225
// GenericDecryptOpts represents decryption options and config
224226
type GenericDecryptOpts struct {
225-
Cipher sops.Cipher
226-
InputStore sops.Store
227-
InputPath string
228-
IgnoreMAC bool
229-
KeyServices []keyservice.KeyServiceClient
227+
Cipher sops.Cipher
228+
InputStore sops.Store
229+
InputPath string
230+
IgnoreMAC bool
231+
KeyServices []keyservice.KeyServiceClient
232+
DecryptionOrder []string
230233
}
231234

232235
// LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes

cmd/sops/decrypt.go

Lines changed: 13 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -15,13 +15,14 @@ const notBinaryHint = ("This is likely not an encrypted binary file?" +
1515
" If not, use --output-type to select the correct output type.")
1616

1717
type decryptOpts struct {
18-
Cipher sops.Cipher
19-
InputStore sops.Store
20-
OutputStore sops.Store
21-
InputPath string
22-
IgnoreMAC bool
23-
Extract []interface{}
24-
KeyServices []keyservice.KeyServiceClient
18+
Cipher sops.Cipher
19+
InputStore sops.Store
20+
OutputStore sops.Store
21+
InputPath string
22+
IgnoreMAC bool
23+
Extract []interface{}
24+
KeyServices []keyservice.KeyServiceClient
25+
DecryptionOrder []string
2526
}
2627

2728
func decrypt(opts decryptOpts) (decryptedFile []byte, err error) {
@@ -37,10 +38,11 @@ func decrypt(opts decryptOpts) (decryptedFile []byte, err error) {
3738
}
3839

3940
_, err = common.DecryptTree(common.DecryptTreeOpts{
40-
Cipher: opts.Cipher,
41-
IgnoreMac: opts.IgnoreMAC,
42-
Tree: tree,
43-
KeyServices: opts.KeyServices,
41+
Cipher: opts.Cipher,
42+
IgnoreMac: opts.IgnoreMAC,
43+
Tree: tree,
44+
KeyServices: opts.KeyServices,
45+
DecryptionOrder: opts.DecryptionOrder,
4446
})
4547
if err != nil {
4648
return nil, err

cmd/sops/edit.go

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -20,13 +20,14 @@ import (
2020
)
2121

2222
type editOpts struct {
23-
Cipher sops.Cipher
24-
InputStore common.Store
25-
OutputStore common.Store
26-
InputPath string
27-
IgnoreMAC bool
28-
KeyServices []keyservice.KeyServiceClient
29-
ShowMasterKeys bool
23+
Cipher sops.Cipher
24+
InputStore common.Store
25+
OutputStore common.Store
26+
InputPath string
27+
IgnoreMAC bool
28+
KeyServices []keyservice.KeyServiceClient
29+
DecryptionOrder []string
30+
ShowMasterKeys bool
3031
}
3132

3233
type editExampleOpts struct {
@@ -96,7 +97,11 @@ func edit(opts editOpts) ([]byte, error) {
9697
}
9798
// Decrypt the file
9899
dataKey, err := common.DecryptTree(common.DecryptTreeOpts{
99-
Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices,
100+
Cipher: opts.Cipher,
101+
IgnoreMac: opts.IgnoreMAC,
102+
Tree: tree,
103+
KeyServices: opts.KeyServices,
104+
DecryptionOrder: opts.DecryptionOrder,
100105
})
101106
if err != nil {
102107
return nil, err

0 commit comments

Comments
 (0)