Sort masterkeys according to decryption-order #1345
Conversation
bkreitch
force-pushed
the
sort-decrypt-methods
branch
9 times, most recently
from
cba9b72
to
0860e9d
Compare
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
cef900d
to
4a3ebf4
Compare
bkreitch
force-pushed
the
sort-decrypt-methods
branch
2 times, most recently
from
6e216ff
to
896113e
Compare
|
The failing sanity test will get fixed by #1350. It's probably best to remove the changes from go.mod and go.sum to avoid conflicts. |
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
896113e
to
5009c98
Compare
@felixfontein Ok, sure, removed. |
@felixfontein Looks like tests won't pass without committed changes to go.mod and go.sum |
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
5009c98
to
c829df7
Compare
I'm really confused why these are needed. 😕 |
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
643c54c
to
27dfadf
Compare
@felixfontein For now I've just added a small function instead of importing "golang.org/x/exp/slices". Later with Go 1.21 it could be replaced with build-in "slices" package. |
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
0a59dd8
to
33ce632
Compare
sops.go
Outdated
| var ( | ||
| MasterKeyTypes = []string{"pgp", "gcp_kms", "hc_vault", "kms", "azure_kv", "age"} | ||
| SopsDecryptionOrderDefault = []string{"age", "pgp"} | ||
| ) |
There was a problem hiding this comment.
Am really on the fence about this implementation detail. The problem I have with this introduction is that it worsens the scattering of string identifiers throughout the code base, and can easily be forgotten to be updated when a new key source is introduced.
The first solution to mitigate this that comes to mind would be to start making use of the identifier constants exposed in the key source implementation (as I suggested above), but this would cause the abstraction to further leak details as we would now have to import every key implementation within this module. Which isn't a great solution either.
Which makes me think we should either:
- Factor this out (but I have no suggestion on how to do this yet...).
- As a short-term solution, not maintain a list of all key types, but rather only sort based on what's provided (which means we can either rely on our own defaults with a limited set of identifiers, or rely on the user their input).
There was a problem hiding this comment.
@hiddeco I agree, this list is a bit problematic. I've updated the sort to rely only on provided list.
bkreitch
force-pushed
the
sort-decrypt-methods
branch
2 times, most recently
from
ec6de65
to
791ebe2
Compare
|
I think everything's good now (as good as it can get without solving the big issues @hiddeco mentioned, but these are out of scope for this PR). Except that now there's a conflict since I merged another PR. Sorry for that :( Should be pretty easy to resolve though... |
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
791ebe2
to
4ec7e69
Compare
bkreitch
force-pushed
the
sort-decrypt-methods
branch
from
a312a48
to
1bed9ea
Compare
hiddeco
force-pushed
the
sort-decrypt-methods
branch
from
1bed9ea
to
ba7d1a2
Compare
Co-authored-by: Gabriel Martinez <19713226+GMartinez-Sisti@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Bastien Wermeille <bastien.wermeille@gmail.com> Co-authored-by: Hidde Beydals <hiddeco@users.noreply.github.com> Signed-off-by: Boris Kreitchman <bkreitch@gmail.com>
hiddeco
force-pushed
the
sort-decrypt-methods
branch
from
ba7d1a2
to
c822b55
Compare
|
Thanks to everyone involved getting this ready and merged :) |
This is more generic way to address #305. As suggested in #305 (comment) and #305 (comment) it supports
--decryption-orderand SOPS_DECRYPTION_ORDER to specify the order in which decryption method are tried. Default order isage,pgp, so it covers functionality of #1121 too.Couple of additional thoughts: