From 95f8b10cffdc0620b35a1c83bb1cf9a7debce8b0 Mon Sep 17 00:00:00 2001 From: Brian McGee Date: Wed, 2 Oct 2024 11:44:38 +0100 Subject: [PATCH] feat: add age plugin support Signed-off-by: Brian McGee Co-authored-by: Maximilian Bosch Signed-off-by: Brian McGee --- age/keysource.go | 74 ++++++++++++++++++++++++++++++++++++++++++------ go.mod | 3 ++ go.sum | 4 +-- 3 files changed, 71 insertions(+), 10 deletions(-) diff --git a/age/keysource.go b/age/keysource.go index 83bdbe0a6..a9051c926 100644 --- a/age/keysource.go +++ b/age/keysource.go @@ -1,8 +1,11 @@ package age import ( + "bufio" "bytes" "errors" + "filippo.io/age/plugin" + "filippo.io/age/tui" "fmt" "io" "os" @@ -60,7 +63,7 @@ type MasterKey struct { parsedIdentities []age.Identity // parsedRecipient contains a parsed age public key. // It is used to lazy-load the Recipient at-most once. - parsedRecipient *age.X25519Recipient + parsedRecipient age.Recipient } // MasterKeysFromRecipients takes a comma-separated list of Bech32-encoded @@ -126,6 +129,7 @@ func (i ParsedIdentities) ApplyToMasterKey(key *MasterKey) { // Encrypt takes a SOPS data key, encrypts it with the Recipient, and stores // the result in the EncryptedKey field. + func (key *MasterKey) Encrypt(dataKey []byte) error { if key.parsedRecipient == nil { parsedRecipient, err := parseRecipient(key.Recipient) @@ -284,7 +288,12 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) { var identities ParsedIdentities for n, r := range readers { - ids, err := age.ParseIdentities(r) + buf := new(strings.Builder) + _, err := io.Copy(buf, r) + if err != nil { + return nil, fmt.Errorf("failed to read '%s' age identities: %w", n, err) + } + ids, err := parseIdentities(buf.String()) if err != nil { return nil, fmt.Errorf("failed to parse '%s' age identities: %w", n, err) } @@ -295,12 +304,21 @@ func (key *MasterKey) loadIdentities() (ParsedIdentities, error) { // parseRecipient attempts to parse a string containing an encoded age public // key. -func parseRecipient(recipient string) (*age.X25519Recipient, error) { - parsedRecipient, err := age.ParseX25519Recipient(recipient) - if err != nil { - return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err) +func parseRecipient(recipient string) (age.Recipient, error) { + switch { + case strings.HasPrefix(recipient, "age1") && strings.Count(recipient, "1") > 1: + parsedRecipient, err := plugin.NewRecipient(recipient, tui.PluginTerminalUI) + if err != nil { + return nil, fmt.Errorf("failed to parse input as age key from age plugin: %w", err) + } + return parsedRecipient, nil + default: + parsedRecipient, err := age.ParseX25519Recipient(recipient) + if err != nil { + return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err) + } + return parsedRecipient, nil } - return parsedRecipient, nil } // parseIdentities attempts to parse the string set of encoded age identities. @@ -309,7 +327,7 @@ func parseRecipient(recipient string) (*age.X25519Recipient, error) { func parseIdentities(identity ...string) (ParsedIdentities, error) { var identities []age.Identity for _, i := range identity { - parsed, err := age.ParseIdentities(strings.NewReader(i)) + parsed, err := _parseIdentities(strings.NewReader(i)) if err != nil { return nil, err } @@ -317,3 +335,43 @@ func parseIdentities(identity ...string) (ParsedIdentities, error) { } return identities, nil } + +func parseIdentity(s string) (age.Identity, error) { + switch { + case strings.HasPrefix(s, "AGE-PLUGIN-"): + return plugin.NewIdentity(s, tui.PluginTerminalUI) + case strings.HasPrefix(s, "AGE-SECRET-KEY-1"): + return age.ParseX25519Identity(s) + default: + return nil, fmt.Errorf("unknown identity type") + } +} + +// parseIdentities is like age.ParseIdentities, but supports plugin identities. +func _parseIdentities(f io.Reader) (ParsedIdentities, error) { + const privateKeySizeLimit = 1 << 24 // 16 MiB + var ids []age.Identity + scanner := bufio.NewScanner(io.LimitReader(f, privateKeySizeLimit)) + var n int + for scanner.Scan() { + n++ + line := scanner.Text() + if strings.HasPrefix(line, "#") || line == "" { + continue + } + + i, err := parseIdentity(line) + if err != nil { + return nil, fmt.Errorf("error at line %d: %v", n, err) + } + ids = append(ids, i) + + } + if err := scanner.Err(); err != nil { + return nil, fmt.Errorf("failed to read secret keys file: %v", err) + } + if len(ids) == 0 { + return nil, fmt.Errorf("no secret keys found") + } + return ids, nil +} diff --git a/go.mod b/go.mod index 07e9d3e2e..91eb65b8c 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,7 @@ module github.com/getsops/sops/v3 go 1.22 + toolchain go1.22.9 require ( @@ -147,3 +148,5 @@ require ( google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) + +replace filippo.io/age => github.com/age-sops/age v1.90.0 diff --git a/go.sum b/go.sum index f3d35045e..16631de07 100644 --- a/go.sum +++ b/go.sum @@ -27,8 +27,6 @@ cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io= dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= -filippo.io/age v1.2.0 h1:vRDp7pUMaAJzXNIWJVAZnEf/Dyi4Vu4wI8S1LBzufhE= -filippo.io/age v1.2.0/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M= @@ -65,6 +63,8 @@ github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEV github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk= github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/age-sops/age v1.90.0 h1:xcWUez+PUisvb9kzuGLUh5IU487R0oTOzmHIhfLQ2Uc= +github.com/age-sops/age v1.90.0/go.mod h1:JL9ew2lTN+Pyft4RiNGguFfOpewKwSHm5ayKD/A4004= github.com/aws/aws-sdk-go-v2 v1.32.6 h1:7BokKRgRPuGmKkFMhEg/jSul+tB9VvXhcViILtfG8b4= github.com/aws/aws-sdk-go-v2 v1.32.6/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8=