Sort masterkeys according to decryption-order

Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
getsops · Dec 18, 2023 · ba7d1a2 · ba7d1a2
1 parent 3028179
commit ba7d1a2
Show file tree

Hide file tree

Showing 21 changed files with 366 additions and 140 deletions.
diff --git a/README.rst b/README.rst
@@ -170,6 +170,11 @@ Given that, the only command a SOPS user needs is:
 encrypted if modified, and saved back to its original location. All of these
 steps, apart from the actual editing, are transparent to the user.
 
+The order in which available decryption methods are tried can be specified with
+``--decryption-order`` option or **SOPS_DECRYPTION_ORDER** environment variable
+as a comma separated list. The default order is ``age,pgp``. Offline methods are
+tried first and then the remaining ones.
+
 Test with the dev PGP key
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/age/keysource.go b/age/keysource.go
@@ -28,6 +28,8 @@ const (
 	SopsAgeKeyUserConfigPath = "sops/age/keys.txt"
 	// On macOS, os.UserConfigDir() ignores XDG_CONFIG_HOME. So we handle that manually.
 	xdgConfigHome = "XDG_CONFIG_HOME"
+	// String representation of the key type
+	KeyType = "age"
 )
 
 // log is the global logger for any age MasterKey.
@@ -225,6 +227,11 @@ func (key *MasterKey) ToMap() map[string]interface{} {
 	return out
 }
 
+// TypeToString converts key type to a string.
+func (key *MasterKey) TypeToString() string {
+	return KeyType
+}
+
 func getUserConfigDir() (string, error) {
 	if runtime.GOOS == "darwin" {
 		if userConfigDir, ok := os.LookupEnv(xdgConfigHome); ok && userConfigDir != "" {

diff --git a/azkv/keysource.go b/azkv/keysource.go
@@ -22,6 +22,11 @@ import (
 	"github.com/getsops/sops/v3/logging"
 )
 
+const (
+	// String representation of the key type
+	KeyType = "azure_kv"
+)
+
 var (
 	// log is the global logger for any Azure Key Vault MasterKey.
 	log *logrus.Logger
@@ -215,6 +220,11 @@ func (key MasterKey) ToMap() map[string]interface{} {
 	return out
 }
 
+// TypeToString converts key type to a string.
+func (key *MasterKey) TypeToString() string {
+	return KeyType
+}
+
 // getTokenCredential returns the tokenCredential of the MasterKey, or
 // azidentity.NewDefaultAzureCredential.
 func (key *MasterKey) getTokenCredential() (azcore.TokenCredential, error) {

diff --git a/cmd/sops/codes/codes.go b/cmd/sops/codes/codes.go
@@ -25,6 +25,7 @@ const (
 	NoFileSpecified                        int = 100
 	CouldNotRetrieveKey                    int = 128
 	NoEncryptionKeyFound                   int = 111
+	DuplicateDecryptionKeyType             int = 112
 	FileHasNotBeenModified                 int = 200
 	NoEditorFound                          int = 201
 	FailedToCompareVersions                int = 202

diff --git a/cmd/sops/common/common.go b/cmd/sops/common/common.go
@@ -72,6 +72,8 @@ type DecryptTreeOpts struct {
 	Tree *sops.Tree
 	// KeyServices are the key services to be used for decryption of the data key
 	KeyServices []keyservice.KeyServiceClient
+	// DecryptionOrder is the order in which available decryption methods are tried
+	DecryptionOrder []string
 	// IgnoreMac is whether or not to ignore the Message Authentication Code included in the SOPS tree
 	IgnoreMac bool
 	// Cipher is the cryptographic cipher to use to decrypt the values inside the tree
@@ -80,7 +82,7 @@ type DecryptTreeOpts struct {
 
 // DecryptTree decrypts the tree passed in through the DecryptTreeOpts and additionally returns the decrypted data key
 func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error) {
-	dataKey, err = opts.Tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices)
+	dataKey, err = opts.Tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices, opts.DecryptionOrder)
 	if err != nil {
 		return nil, NewExitError(err, codes.CouldNotRetrieveKey)
 	}
@@ -222,11 +224,12 @@ func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex in
 
 // GenericDecryptOpts represents decryption options and config
 type GenericDecryptOpts struct {
-	Cipher      sops.Cipher
-	InputStore  sops.Store
-	InputPath   string
-	IgnoreMAC   bool
-	KeyServices []keyservice.KeyServiceClient
+	Cipher          sops.Cipher
+	InputStore      sops.Store
+	InputPath       string
+	IgnoreMAC       bool
+	KeyServices     []keyservice.KeyServiceClient
+	DecryptionOrder []string
 }
 
 // LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes

diff --git a/cmd/sops/decrypt.go b/cmd/sops/decrypt.go
@@ -15,13 +15,14 @@ const notBinaryHint = ("This is likely not an encrypted binary file?" +
 	" If not, use --output-type to select the correct output type.")
 
 type decryptOpts struct {
-	Cipher      sops.Cipher
-	InputStore  sops.Store
-	OutputStore sops.Store
-	InputPath   string
-	IgnoreMAC   bool
-	Extract     []interface{}
-	KeyServices []keyservice.KeyServiceClient
+	Cipher          sops.Cipher
+	InputStore      sops.Store
+	OutputStore     sops.Store
+	InputPath       string
+	IgnoreMAC       bool
+	Extract         []interface{}
+	KeyServices     []keyservice.KeyServiceClient
+	DecryptionOrder []string
 }
 
 func decrypt(opts decryptOpts) (decryptedFile []byte, err error) {
@@ -37,10 +38,11 @@ func decrypt(opts decryptOpts) (decryptedFile []byte, err error) {
 	}
 
 	_, err = common.DecryptTree(common.DecryptTreeOpts{
-		Cipher:      opts.Cipher,
-		IgnoreMac:   opts.IgnoreMAC,
-		Tree:        tree,
-		KeyServices: opts.KeyServices,
+		Cipher:          opts.Cipher,
+		IgnoreMac:       opts.IgnoreMAC,
+		Tree:            tree,
+		KeyServices:     opts.KeyServices,
+		DecryptionOrder: opts.DecryptionOrder,
 	})
 	if err != nil {
 		return nil, err

diff --git a/cmd/sops/edit.go b/cmd/sops/edit.go
@@ -20,13 +20,14 @@ import (
 )
 
 type editOpts struct {
-	Cipher         sops.Cipher
-	InputStore     common.Store
-	OutputStore    common.Store
-	InputPath      string
-	IgnoreMAC      bool
-	KeyServices    []keyservice.KeyServiceClient
-	ShowMasterKeys bool
+	Cipher          sops.Cipher
+	InputStore      common.Store
+	OutputStore     common.Store
+	InputPath       string
+	IgnoreMAC       bool
+	KeyServices     []keyservice.KeyServiceClient
+	DecryptionOrder []string
+	ShowMasterKeys  bool
 }
 
 type editExampleOpts struct {
@@ -96,7 +97,11 @@ func edit(opts editOpts) ([]byte, error) {
 	}
 	// Decrypt the file
 	dataKey, err := common.DecryptTree(common.DecryptTreeOpts{
-		Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices,
+		Cipher:          opts.Cipher,
+		IgnoreMac:       opts.IgnoreMAC,
+		Tree:            tree,
+		KeyServices:     opts.KeyServices,
+		DecryptionOrder: opts.DecryptionOrder,
 	})
 	if err != nil {
 		return nil, err