Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.5:Update
sops
sops-3.7.3.obscpio
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sops-3.7.3.obscpio of Package sops
07070100000000000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001500000000sops-3.7.3/.circleci07070100000001000081A400000000000000000000000162794F9300000EB0000000000000000000000000000000000000002000000000sops-3.7.3/.circleci/config.ymlversion: 2.1 workflows: build-and-deploy: jobs: - build - push: filters: tags: only: /^v.*/ branches: ignore: /.*/ jobs: build: working_directory: /go/src/go.mozilla.org/sops docker: - image: circleci/golang:1.13 resource_class: large steps: - checkout - setup_remote_docker: version: 20.10.11 - run: name: Build containers command: | docker build -t mozilla/sops . docker tag mozilla/sops "mozilla/sops:$CIRCLE_SHA1" - run: name: Build containers (alpine) command: | # Just to ensure the container can be built. docker build -f Dockerfile.alpine -t mozilla/sops:alpine . push: machine: image: ubuntu-2004:202111-02 resource_class: large steps: - checkout - run: name: semver check command: | MAJOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f1) MINOR=$(echo ${CIRCLE_TAG#v} | cut -d"." -f2) PATCH=$(echo ${CIRCLE_TAG#v} | cut -d"." -f3) echo "export MAJOR=${MAJOR}" >> $BASH_ENV echo "export MINOR=${MINOR}" >> $BASH_ENV echo "export PATCH=${PATCH}" >> $BASH_ENV if [ -z $MAJOR ];then cat \<< EOF Failure Info: This job uses the semver from the git TAG as the public version to publish. - This should only run on workflows triggered by a tag. - The tag name should be a semver like 'v1.2.3' - The version should follow conventions documented at https://github.com/fsaintjacques/semver-tool EOF exit 1 fi - run: name: Build containers command: | docker build -t mozilla/sops . docker build -f Dockerfile.alpine -t mozilla/sops:alpine . - run: name: Tag & Push containers command: | #latest bin/ci/deploy_dockerhub.sh "latest" bin/ci/deploy_dockerhub.sh "alpine" # by sha echo "Tag and push mozilla/sops:$CIRCLE_SHA1" docker tag mozilla/sops "mozilla/sops:$CIRCLE_SHA1" bin/ci/deploy_dockerhub.sh "$CIRCLE_SHA1" # no sha for alpine # by semver # v1.2.3 if [ ! -z $PATCH ];then echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR.$PATCH" docker tag mozilla/sops "mozilla/sops:v$MAJOR.$MINOR.$PATCH" bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR.$PATCH" echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR.$PATCH-alpine" docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR.$MINOR.$PATCH-alpine" bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR.$PATCH-alpine" fi # v1.2 if [ ! -z $MINOR ];then echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR" docker tag mozilla/sops "mozilla/sops:v$MAJOR.$MINOR" bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR" echo "Tag and Push mozilla/sops:v$MAJOR.$MINOR-alpine" docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR.$MINOR-alpine" bin/ci/deploy_dockerhub.sh "v$MAJOR.$MINOR-alpine" fi # v1 echo "Tag and Push mozilla/sops:v$MAJOR" docker tag mozilla/sops "mozilla/sops:v$MAJOR" bin/ci/deploy_dockerhub.sh "v$MAJOR" echo "Tag and Push mozilla/sops:v$MAJOR-alpine" docker tag mozilla/sops:alpine "mozilla/sops:v$MAJOR-alpine" bin/ci/deploy_dockerhub.sh "v$MAJOR-alpine" 07070100000002000081A400000000000000000000000162794F9300000025000000000000000000000000000000000000001900000000sops-3.7.3/.dockerignore/.git /Dockerfile /Dockerfile.alpine 07070100000003000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/.github07070100000004000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001D00000000sops-3.7.3/.github/workflows07070100000005000081A400000000000000000000000162794F9300000D85000000000000000000000000000000000000002500000000sops-3.7.3/.github/workflows/cli.ymlname: CLI on: push: branches: - develop - master pull_request: branches: - develop - master jobs: build: name: Build and test ${{ matrix.os }} ${{ matrix.arch }} runs-on: ubuntu-latest strategy: matrix: os: [linux, darwin, windows] arch: [amd64, arm64] exclude: - os: windows arch: arm64 env: VAULT_VERSION: "1.1.3" VAULT_TOKEN: "root" VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Install dependencies run: sudo apt-get update && sudo apt-get install git -y - name: Set up Go 1.17 uses: actions/setup-go@v2 with: go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 - uses: actions/cache@v2 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Build Linux and Darwin if: matrix.os != 'windows' run: GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -o sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} -v ./cmd/sops - name: Build Windows if: matrix.os == 'windows' run: GOOS=${{ matrix.os }} go build -o sops-${{ matrix.os }}-${{ github.sha }} -v ./cmd/sops - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done - name: Test run: make test - name: Upload artifact for Linux and Darwin if: matrix.os != 'windows' uses: actions/upload-artifact@v2 with: name: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} path: sops-${{ matrix.os }}-${{ matrix.arch }}-${{ github.sha }} - name: Upload artifact for Windows if: matrix.os == 'windows' uses: actions/upload-artifact@v2 with: name: sops-${{ matrix.os }}-${{ github.sha }} path: sops-${{ matrix.os }}-${{ github.sha }} test: name: Functional tests runs-on: ubuntu-latest needs: [build] env: VAULT_VERSION: "1.1.3" VAULT_TOKEN: "root" VAULT_ADDR: "http://127.0.0.1:8200" steps: - name: Install rustup run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain 1.47.0 - name: Check out code uses: actions/checkout@v2 - uses: actions/download-artifact@v2 with: name: sops-linux-amd64-${{ github.sha }} - name: Move SOPS binary run: mv sops-linux-amd64-${{ github.sha }} ./functional-tests/sops - name: Make SOPS binary executable run: chmod +x ./functional-tests/sops - name: Download Vault run: curl -O "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" && sudo unzip vault_${VAULT_VERSION}_linux_amd64.zip -d /usr/local/bin/ - name: Start Vault server run: vault server -dev -dev-root-token-id="$VAULT_TOKEN" & - name: Enable Vault KV run: vault secrets enable -version=1 kv - name: Import test GPG keys run: for i in 1 2 3 4 5; do gpg --import pgp/sops_functional_tests_key.asc && break || sleep 15; done - name: Run tests run: cargo test working-directory: ./functional-tests 07070100000006000081A400000000000000000000000162794F9300000C2E000000000000000000000000000000000000002900000000sops-3.7.3/.github/workflows/release.ymlname: Release on: push: tags: - "v*" jobs: tagged-release: name: "Tagged Release" runs-on: ubuntu-latest steps: - name: Install dependencies run: sudo apt-get update && sudo apt-get install git ruby rpm -y - name: Install fpm run: gem install fpm || sudo gem install fpm - name: Set up Go 1.17 uses: actions/setup-go@v2 with: go-version: 1.17 id: go - name: Check out code into the Go module directory uses: actions/checkout@v2 - name: Go vendor run: go mod vendor - name: Make release directory run: mkdir dist - name: Build deb and rpm run: make deb-pkg rpm-pkg - name: Move deb and rpm into release directory run: mv *.deb *.rpm dist/ - name: Set RELEASE_VERSION run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - name: Set RELEASE_NUMBER run: echo "RELEASE_NUMBER=$(echo $RELEASE_VERSION | cut -c2-)" >> $GITHUB_ENV - name: Build linux amd64 binary run: GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 go.mozilla.org/sops/v3/cmd/sops && cp dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux - name: Build linux arm64 binary run: GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 go.mozilla.org/sops/v3/cmd/sops - name: Build darwin amd64 binary run: GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 go.mozilla.org/sops/v3/cmd/sops - name: Copy darwin amd64 to have a no-architecture labeled version run: cp dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin - name: Build darwin arm64 binary run: GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 go.mozilla.org/sops/v3/cmd/sops - name: Build windows binary run: GOOS=windows CGO_ENABLED=0 go build -mod vendor -o dist/sops-${{ env.RELEASE_VERSION }}.exe go.mozilla.org/sops/v3/cmd/sops - name: Create release uses: "mozilla/action-automatic-releases@latest" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" prerelease: true files: | dist/sops-${{ env.RELEASE_VERSION }}.exe dist/sops-${{ env.RELEASE_VERSION }}.darwin.amd64 dist/sops-${{ env.RELEASE_VERSION }}.darwin.arm64 dist/sops-${{ env.RELEASE_VERSION }}.darwin dist/sops-${{ env.RELEASE_VERSION }}.linux.amd64 dist/sops-${{ env.RELEASE_VERSION }}.linux.arm64 dist/sops-${{ env.RELEASE_VERSION }}.linux dist/sops_${{ env.RELEASE_NUMBER }}_amd64.deb dist/sops_${{ env.RELEASE_NUMBER }}_arm64.deb dist/sops-${{ env.RELEASE_NUMBER }}-1.x86_64.rpm dist/sops-${{ env.RELEASE_NUMBER }}-1.aarch64.rpm 07070100000007000081A400000000000000000000000162794F9300000033000000000000000000000000000000000000001600000000sops-3.7.3/.gitignoretarget Cargo.lock vendor/ coverage.txt profile.out 07070100000008000081A400000000000000000000000162794F9300000081000000000000000000000000000000000000001600000000sops-3.7.3/.sops.yamlcreation_rules: - pgp: >- FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4, D7229043384BCC60326C6FB9D8720D957C3D3074 07070100000009000081A400000000000000000000000162794F93000021EE000000000000000000000000000000000000001900000000sops-3.7.3/CHANGELOG.rstChangelog ========= 3.7.3 ----- Changes: * Upgrade dependencies (#1024, #1045) * Build alpine container in CI (#1018, #1032, #1025) * keyservice: accept KeyServiceServer in LocalClient (#1035) * Add support for GCP Service Account within `GOOGLE_CREDENTIALS` (#953) Bug fixes: * Upload the correct binary for the linux amd64 build (#1026) * Fix bug when specifying multiple age recipients (#966) * Allow for empty yaml maps (#908) * Limit AWS role names to 64 characters (#1037) 3.7.2 ----- Changes: * README updates (#861, #860) * Various test fixes (#909, #906, #1008) * Added Linux and Darwin arm64 releases (#911, #891) * Upgrade to go v1.17 (#1012) * Support SOPS_AGE_KEY environment variable (#1006) Bug fixes: * Make sure comments in yaml files are not duplicated (#866) * Make sure configuration file paths work correctly relative to the config file in us (#853) 3.7.1 ----- Changes: * Security fix * Add release workflow (#843) * Fix issue where CI wouldn't run against master (#848) * Trim extra whitespace around age keys (#846) 3.7.0 ----- Features: * Add support for age (#688) * Add filename to exec-file (#761) Changes: * On failed decryption with GPG, return the error returned by GPG to the sops user (#762) * Use yaml.v3 instead of modified yaml.v2 for handling YAML files (#791) * Update aws-sdk-go to version v1.37.18 (#823) Project Changes: * Switch from TravisCI to Github Actions (#792) 3.6.1 ----- Features: * Add support for --unencrypted-regex (#715) Changes: * Use keys.openpgp.org instead of gpg.mozilla.org (#732) * Upgrade AWS SDK version (#714) * Support --input-type for exec-file (#699) Bug fixes: * Fixes broken Vault tests (#731) * Revert "Add standard newline/quoting behavior to dotenv store" (#706) 3.6.0 ----- Features: * Support for encrypting data through the use of Hashicorp Vault (#655) * `sops publish` now supports `--recursive` flag for publishing all files in a directory (#602) * `sops publish` now supports `--omit-extensions` flag for omitting the extension in the destination path (#602) * sops now supports JSON arrays of arrays (#642) Improvements: * Updates and standardization for the dotenv store (#612, #622) * Close temp files after using them for edit command (#685) Bug fixes: * AWS SDK usage now correctly resolves the `~/.aws/config` file (#680) * `sops updatekeys` now correctly matches config rules (#682) * `sops updatekeys` now correctly uses the config path cli flag (#672) * Partially empty sops config files don't break the use of sops anymore (#662) * Fix possible infinite loop in PGP's passphrase prompt call (#690) Project changes: * Dockerfile now based off of golang version 1.14 (#649) * Push alpine version of docker image to Dockerhub (#609) * Push major, major.minor, and major.minor.patch tagged docker images to Dockerhub (#607) * Removed out of date contact information (#668) * Update authors in the cli help text (#645) 3.5.0 ----- Features: * `sops exec-env` and `sops exec-file`, two new commands for utilizing sops secrets within a temporary file or env vars Bug fixes: * Sanitize AWS STS session name, as sops creates it based off of the machines hostname * Fix for `decrypt.Data` to support `.ini` files * Various package fixes related to switching to Go Modules * Fixes for Vault-related tests running locally and in CI. Project changes: * Change to proper use of go modules, changing to primary module name to `go.mozilla.org/sops/v3` * Change tags to requiring a `v` prefix. * Add documentation for `sops updatekeys` command 3.4.0 ----- Features: * `sops publish`, a new command for publishing sops encrypted secrets to S3, GCS, or Hashicorp Vault * Support for multiple Azure authentication mechanisms * Azure Keyvault support to the sops config file * `encrypted_regex` option to the sops config file Bug fixes: * Return non-zero exit code for invalid CLI flags * Broken path handling for sops editing on Windows * `go lint/fmt` violations * Check for pgp fingerprint before slicing it Project changes: * Build container using golang 1.12 * Switch to using go modules * Hashicorp Vault server in Travis CI build * Mozilla Publice License file to repo * Replaced expiring test gpg keys 3.3.1 ----- Bug fixes: * Make sure the pgp key fingerprint is longer than 16 characters before slicing it. (#463) * Allow for `--set` value to be a string. (#461) Project changes: * Using `develop` as a staging branch to create releases off of. What is in `master` is now the current stable release. * Upgrade to using Go 1.12 to build sops * Updated all vendored packages 3.3.0 ----- New features: * Multi-document support for YAML files * Support referencing AWS KMS keys by their alias * Support for INI files * Support for AWS CLI profiles * Comment support in .env files * Added vi to the list of known editors * Added a way to specify the GPG key server to use through the SOPS_GPG_KEYSERVER environment variable Bug fixes: * Now uses $HOME instead of ~ (which didn't work) to find the GPG home * Fix panic when vim was not available as an editor, but other alternative editors were * Fix issue with AWS KMS Encryption Contexts (#445) with more than one context value failing to decrypt intermittently. Includes an automatic fix for old files affected by this issue. Project infrastructure changes: * Added integration tests for AWS KMS * Added Code of Conduct 3.2.0 ----- * Added --output flag to write output a file directly instead of through stdout * Added support for dotenv files 3.1.1 ----- * Fix incorrect version number from previous release 3.1.0 ----- * Add support for Azure Key Service * Fix bug that prevented JSON escapes in input files from working 3.0.5 ----- * Prevent files from being encrypted twice * Fix empty comments not being decrypted correctly * If keyservicecmd returns an error, log it. * Initial sops workspace auditing support (still wip) * Refactor Store interface to reflect operations SOPS performs 3.0.3 ----- * --set now works with nested data structures and not just simple values * Changed default log level to warn instead of info * Avoid creating empty files when using the editor mode to create new files and not making any changes to the example files * Output unformatted strings when using --extract instead of encoding them to yaml * Allow forcing binary input and output types from command line flags * Deprecate filename_regex in favor of path_regex. filename_regex had a bug and matched on the whole file path, when it should have only matched on the file name. path_regex on the other hand is documented to match on the whole file path. * Add an encrypted-suffix option, the exact opposite of unencrypted-suffix * Allow specifying unencrypted_suffix and encrypted_suffix rules in the .sops.yaml configuration file * Introduce key service flag optionally prompting users on encryption/decryption 3.0.1 ----- * Don't consider io.EOF returned by Decoder.Token as error * add IsBinary: true to FileHints when encoding with crypto/openpgp * some improvements to error messages 3.0.0 ----- * Shamir secret sharing scheme support allows SOPS to require multiple master keys to access a data key and decrypt a file. See `sops groups -help` and the documentation in README. * Keyservice to forward access to a local master key on a socket, similar to gpg-agent. See `sops keyservice --help` and the documentation in README. * Encrypt comments by default * Support for Google Compute Platform KMS * Refactor of the store logic to separate the internal representation SOPS has of files from the external representation used in JSON and YAML files * Reencoding of versions as string on sops 1.X files. **WARNING** this change breaks backward compatibility. SOPS shows an error message with instructions on how to solve this if it happens. * Added command to reconfigure the keys used to encrypt/decrypt a file based on the .sops.yaml config file * Retrieve missing PGP keys from gpg.mozilla.org * Improved error messages for errors when decrypting files 2.0.0 ----- * [major] rewrite in Go 1.14 ---- * [medium] Support AWS KMS Encryption Contexts * [minor] Support insertion in encrypted documents via --set * [minor] Read location of gpg binary from SOPS_GPG_EXEC env variables 1.13 ---- * [minor] handle $EDITOR variable with parameters 1.12 ---- * [minor] make sure filename_regex gets applied to file names, not paths * [minor] move check of latest version under the -V flag * [medium] fix handling of binary data to preserve file integrity * [minor] try to use configuration when encrypting existing files 0707010000000A000081A400000000000000000000000162794F93000001EF000000000000000000000000000000000000001E00000000sops-3.7.3/CODE_OF_CONDUCT.md# Community Participation Guidelines This repository is governed by Mozilla's code of conduct and etiquette guidelines. For more details, please read the [Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/). ## How to Report For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page. 0707010000000B000081A400000000000000000000000162794F9300000830000000000000000000000000000000000000001B00000000sops-3.7.3/CONTRIBUTING.md# Contributing to SOPS Mozilla welcomes contributions from everyone. Here are a few guidelines and instructions if you're thinking of helping with the development of SOPS. # Getting started * Make sure you have Go 1.12 or greater installed. You can find information on how to install Go [here](https://golang.org/dl/) * After following the [Go installation guide](https://golang.org/doc/install), run `go get go.mozilla.org/sops`. This will automatically clone this repository. * Switch into sops's directory, which will be in `$GOPATH/src/go.mozilla.org/sops`. * Run the tests with `make test`. They should all pass. * Fork the project on GitHub. * Add your fork to git's remotes: * If you use SSH authentication: `git remote add <your username> git@github.com:<your username>/sops.git`. * Otherwise: `git remote add <your username> https://github.com/<your username>/sops.git`. * **Switch to the `develop` branch: `git checkout develop`** * Make any changes you want to sops, commit them, and push them to your fork. * **Create a pull request against `develop`**, and a contributor will come by and review your code. They may ask for some changes, and hopefully your contribution will be merged to the `develop` branch! # Guidelines * Unless it's particularly hard, changes that fix a bug should have a regression test to make sure that the bug is not introduced again. * New features and changes to existing features should be documented, and, if possible, tested. # Regenerating mocks If you encounter an error like `kms/mocks/KMSAPI.go:1607: cannot use (*KMSAPI)(nil) (type *KMSAPI) as type kmsiface.KMSAPI in assignment: *KMSAPI does not implement kmsiface.KMSAPI (missing ListResourceTags method)`, you need to regenerate mocks, probably because the interface was changed by a vendoring update. There is a make command to do this for you. Simply run `make mock`, and the new mocks will be automatically generated. # Communication If you need any help contributing to sops, several contributors are on the `#go` channel on [Mozilla's IRC server](https://wiki.mozilla.org/IRC). 0707010000000C000081A400000000000000000000000162794F93000000DF000000000000000000000000000000000000001600000000sops-3.7.3/DockerfileFROM golang:1.17 COPY . /go/src/go.mozilla.org/sops WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install RUN apt-get update RUN apt-get install -y vim python3-pip emacs RUN pip install awscli ENV EDITOR vim 0707010000000D000081A400000000000000000000000162794F9300000156000000000000000000000000000000000000001D00000000sops-3.7.3/Dockerfile.alpineFROM golang:1.17-alpine3.15 AS builder RUN apk --no-cache add make COPY . /go/src/go.mozilla.org/sops WORKDIR /go/src/go.mozilla.org/sops RUN CGO_ENABLED=1 make install FROM alpine:3.15 RUN apk --no-cache add \ vim ca-certificates ENV EDITOR vim COPY --from=builder /go/bin/sops /usr/local/bin/sops ENTRYPOINT ["/usr/local/bin/sops"] 0707010000000E000081A400000000000000000000000162794F9300004155000000000000000000000000000000000000001300000000sops-3.7.3/LICENSEMozilla Public License Version 2.0 ================================== 1. Definitions -------------- 1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution. 1.3. "Contribution" means Covered Software of a particular Contributor. 1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 1.5. "Incompatible With Secondary Licenses" means (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 1.6. "Executable Form" means any form of the work other than Source Code Form. 1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 1.8. "License" means this document. 1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 1.10. "Modifications" means any of the following: (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or (b) any new file in Source Code Form that contains any Covered Software. 1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 1.13. "Source Code Form" means the form of the work preferred for making modifications. 1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions -------------------------------- 2.1. Grants Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license: (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2.2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 2.3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor: (a) for any code that a Contributor has removed from Covered Software; or (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or (c) under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 2.5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 2.6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 2.7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. 3. Responsibilities ------------------- 3.1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. 3.2. Distribution of Executable Form If You distribute Covered Software in Executable Form then: (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. 3.3. Distribution of a Larger Work You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 3.4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation --------------------------------------------------- If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination -------------- 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. ************************************************************************ * * * 6. Disclaimer of Warranty * * ------------------------- * * * * Covered Software is provided under this License on an "as is" * * basis, without warranty of any kind, either expressed, implied, or * * statutory, including, without limitation, warranties that the * * Covered Software is free of defects, merchantable, fit for a * * particular purpose or non-infringing. The entire risk as to the * * quality and performance of the Covered Software is with You. * * Should any Covered Software prove defective in any respect, You * * (not any Contributor) assume the cost of any necessary servicing, * * repair, or correction. This disclaimer of warranty constitutes an * * essential part of this License. No use of any Covered Software is * * authorized under this License except under this disclaimer. * * * ************************************************************************ ************************************************************************ * * * 7. Limitation of Liability * * -------------------------- * * * * Under no circumstances and under no legal theory, whether tort * * (including negligence), contract, or otherwise, shall any * * Contributor, or anyone who distributes Covered Software as * * permitted above, be liable to You for any direct, indirect, * * special, incidental, or consequential damages of any character * * including, without limitation, damages for lost profits, loss of * * goodwill, work stoppage, computer failure or malfunction, or any * * and all other commercial damages or losses, even if such party * * shall have been informed of the possibility of such damages. This * * limitation of liability shall not apply to liability for death or * * personal injury resulting from such party's negligence to the * * extent applicable law prohibits such limitation. Some * * jurisdictions do not allow the exclusion or limitation of * * incidental or consequential damages, so this exclusion and * * limitation may not apply to You. * * * ************************************************************************ 8. Litigation ------------- Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. 9. Miscellaneous ---------------- This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License --------------------------- 10.1. New Versions Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. 10.2. Effect of New Versions You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. 10.3. Modified Versions If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice ------------------------------------------- This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. You may add additional accurate notices of copyright ownership. Exhibit B - "Incompatible With Secondary Licenses" Notice --------------------------------------------------------- This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0. 0707010000000F000081A400000000000000000000000162794F93000011E0000000000000000000000000000000000000001400000000sops-3.7.3/Makefile# This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. PROJECT := go.mozilla.org/sops/v3 GO := GOPROXY=https://proxy.golang.org go GOLINT := golint all: test vet generate install functional-tests origin-build: test vet generate install functional-tests-all install: $(GO) install go.mozilla.org/sops/v3/cmd/sops tag: all git tag -s $(TAGVER) -a -m "$(TAGMSG)" lint: $(GOLINT) $(PROJECT) vendor: $(GO) mod tidy $(GO) mod vendor vet: $(GO) vet $(PROJECT) test: vendor gpg --import pgp/sops_functional_tests_key.asc 2>&1 1>/dev/null || exit 0 ./test.sh showcoverage: test $(GO) tool cover -html=coverage.out generate: keyservice/keyservice.pb.go $(GO) generate %.pb.go: %.proto protoc --go_out=plugins=grpc:. $< functional-tests: $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops cd functional-tests && cargo test # Ignored tests are ones that require external services (e.g. AWS KMS) # TODO: Once `--include-ignored` lands in rust stable, switch to that. functional-tests-all: $(GO) build -o functional-tests/sops go.mozilla.org/sops/v3/cmd/sops cd functional-tests && cargo test && cargo test -- --ignored # Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target build-deb-%: OS = $(word 1,$(subst -, ,$*)) build-deb-%: ARCH = $(word 2,$(subst -, ,$*)) build-deb-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) # Poor-mans function with parameters being split out from the variable part of it's name build-deb-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken <ajvb+sops@mozilla.com>" \ --url https://go.mozilla.org/sops \ --architecture $(FPM_ARCH) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t deb . # Create .deb packages for multiple architectures deb-pkg: vendor build-deb-linux-amd64-x86_64 build-deb-linux-arm64-arm64 # Creates variables during target re-definition. Basically this block allows the particular variables to be used in the final target build-rpm-%: OS = $(word 1,$(subst -, ,$*)) build-rpm-%: ARCH = $(word 2,$(subst -, ,$*)) build-rpm-%: FPM_ARCH = $(word 3,$(subst -, ,$*)) # Poor-mans function with parameters being split out from the variable part of it's name build-rpm-%: rm -rf tmppkg mkdir -p tmppkg/usr/local/bin GOOS=$(OS) GOARCH="$(ARCH)" CGO_ENABLED=0 go build -mod vendor -o tmppkg/usr/local/bin/sops go.mozilla.org/sops/v3/cmd/sops fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "AJ Bahnken <ajvb+sops@mozilla.com>" \ --url https://go.mozilla.org/sops \ --architecture $(FPM_ARCH) \ --rpm-os $(OS) \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t rpm . # Create .rpm packages for multiple architectures rpm-pkg: vendor build-rpm-linux-amd64-x86_64 build-rpm-linux-arm64-arm64 dmg-pkg: install ifneq ($(OS),darwin) echo 'you must be on MacOS and set OS=darwin on the make command line to build an OSX package' else rm -rf tmppkg mkdir -p tmppkg/usr/local/bin cp $$GOPATH/bin/sops tmppkg/usr/local/bin/ fpm -C tmppkg -n sops --license MPL2.0 --vendor mozilla \ --description "Sops is an editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP." \ -m "Mozilla Security <security@mozilla.org>" \ --url https://go.mozilla.org/sops \ --architecture x86_64 \ -v "$$(grep '^const Version' version/version.go |cut -d \" -f 2)" \ -s dir -t osxpkg \ --osxpkg-identifier-prefix org.mozilla.sops \ -p tmppkg/sops-$$(git describe --abbrev=0 --tags).pkg . hdiutil makehybrid -hfs -hfs-volume-name "Mozilla Sops" \ -o tmppkg/sops-$$(git describe --abbrev=0 --tags).dmg tmpdmg endif download-index: bash make_download_page.sh mock: go install github.com/vektra/mockery/.../ mockery -dir vendor/github.com/aws/aws-sdk-go/service/kms/kmsiface/ -name KMSAPI -output kms/mocks .PHONY: all test generate clean vendor functional-tests mock 07070100000010000081A400000000000000000000000162794F930000FB57000000000000000000000000000000000000001600000000sops-3.7.3/README.rstSOPS: Secrets OPerationS ======================== **sops** is an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP. (`demo <https://www.youtube.com/watch?v=YTEVyLXFiq0>`_) .. image:: https://i.imgur.com/X0TM5NI.gif ------------ .. image:: https://pkg.go.dev/badge/go.mozilla.org/sops/v3.svg :target: https://pkg.go.dev/go.mozilla.org/sops/v3 Download -------- Stable release ~~~~~~~~~~~~~~ Binaries and packages of the latest stable release are available at `https://github.com/mozilla/sops/releases <https://github.com/mozilla/sops/releases>`_. Development branch ~~~~~~~~~~~~~~~~~~ For the adventurous, unstable features are available in the `develop` branch, which you can install from source: .. code:: bash $ mkdir -p $GOPATH/src/go.mozilla.org/sops/ $ git clone https://github.com/mozilla/sops.git $GOPATH/src/go.mozilla.org/sops/ $ cd $GOPATH/src/go.mozilla.org/sops/ $ git checkout develop $ make install (requires Go >= 1.17) If you don't have Go installed, set it up with: .. code:: bash $ {apt,yum,brew} install golang $ echo 'export GOPATH=~/go' >> ~/.bashrc $ source ~/.bashrc $ mkdir $GOPATH Or whatever variation of the above fits your system and shell. To use **sops** as a library, take a look at the `decrypt package <https://pkg.go.dev/go.mozilla.org/sops/v3/decrypt>`_. .. sectnum:: .. contents:: Table of Contents Usage ----- For a quick presentation of Sops, check out this Youtube tutorial: .. image:: https://img.youtube.com/vi/V2PRhxphH2w/0.jpg :target: https://www.youtube.com/watch?v=V2PRhxphH2w If you're using AWS KMS, create one or multiple master keys in the IAM console and export them, comma separated, in the **SOPS_KMS_ARN** env variable. It is recommended to use at least two master keys in different regions. .. code:: bash export SOPS_KMS_ARN="arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e,arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" Your AWS credentials must be present in ``~/.aws/credentials``. sops uses aws-sdk-go. .. code:: $ cat ~/.aws/credentials [default] aws_access_key_id = AKI..... aws_secret_access_key = mw...... If you want to use PGP, export the fingerprints of the public keys, comma separated, in the **SOPS_PGP_FP** env variable. .. code:: bash export SOPS_PGP_FP="85D77543B3D624B63CEA9E6DBC17301B491B3F21,E60892BB9BD89A69F759A1A0A3D652173B763E8F" Note: you can use both PGP and KMS simultaneously. Then simply call ``sops`` with a file path as argument. It will handle the encryption/decryption transparently and open the cleartext file in an editor .. code:: shell $ sops mynewtestfile.yaml mynewtestfile.yaml doesn't exist, creating it. please wait while an encryption key is being generated and stored in a secure fashion file written to mynewtestfile.yaml Editing will happen in whatever ``$EDITOR`` is set to, or, if it's not set, in vim. Keep in mind that sops will wait for the editor to exit, and then try to reencrypt the file. Some GUI editors (atom, sublime) spawn a child process and then exit immediately. They usually have an option to wait for the main editor window to be closed before exiting. See `#127 <https://github.com/mozilla/sops/issues/127>`_ for more information. The resulting encrypted file looks like this: .. code:: yaml myapp1: ENC[AES256_GCM,data:Tr7o=,iv:1=,aad:No=,tag:k=] app2: db: user: ENC[AES256_GCM,data:CwE4O1s=,iv:2k=,aad:o=,tag:w==] password: ENC[AES256_GCM,data:p673w==,iv:YY=,aad:UQ=,tag:A=] # private key for secret operations in app2 key: |- ENC[AES256_GCM,data:Ea3kL5O5U8=,iv:DM=,aad:FKA=,tag:EA==] an_array: - ENC[AES256_GCM,data:v8jQ=,iv:HBE=,aad:21c=,tag:gA==] - ENC[AES256_GCM,data:X10=,iv:o8=,aad:CQ=,tag:Hw==] - ENC[AES256_GCM,data:KN=,iv:160=,aad:fI4=,tag:tNw==] sops: kms: - created_at: 1441570389.775376 enc: CiC....Pm1Hm arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e - created_at: 1441570391.925734 enc: Ci...awNx arn: arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 created_at: 1441570391.930042 enc: | -----BEGIN PGP MESSAGE----- hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA ...=oJgS -----END PGP MESSAGE----- A copy of the encryption/decryption key is stored securely in each KMS and PGP block. As long as one of the KMS or PGP method is still usable, you will be able to access your data. To decrypt a file in a ``cat`` fashion, use the ``-d`` flag: .. code:: bash $ sops -d mynewtestfile.yaml ``sops`` encrypted files contain the necessary information to decrypt their content. All a user of ``sops`` needs is valid AWS credentials and the necessary permissions on KMS keys. Given that, the only command a ``sops`` user needs is: .. code:: bash $ sops <file> `<file>` will be opened, decrypted, passed to a text editor (vim by default), encrypted if modified, and saved back to its original location. All of these steps, apart from the actual editing, are transparent to the user. Test with the dev PGP key ~~~~~~~~~~~~~~~~~~~~~~~~~ If you want to test **sops** without having to do a bunch of setup, you can use the example files and pgp key provided with the repository:: $ git clone https://github.com/mozilla/sops.git $ cd sops $ gpg --import pgp/sops_functional_tests_key.asc $ sops example.yaml This last step will decrypt ``example.yaml`` using the test private key. Encrypting using age ~~~~~~~~~~~~~~~~~~~~ `age <https://age-encryption.org/>`_ is a simple, modern, and secure tool for encrypting files. It's recommended to use age over PGP, if possible. You can encrypt a file for one or more age recipients (comma separated) using the ``--age`` option or the **SOPS_AGE_RECIPIENTS** environment variable: .. code:: bash $ sops --encrypt --age age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw test.yaml > test.enc.yaml When decrypting a file with the corresponding identity, sops will look for a text file name ``keys.txt`` located in a ``sops`` subdirectory of your user configuration directory. On Linux, this would be ``$XDG_CONFIG_HOME/sops/age/keys.txt``. On macOS, this would be ``$HOME/Library/Application Support/sops/age/keys.txt``. On Windows, this would be ``%AppData%\sops\age\keys.txt``. You can specify the location of this file manually by setting the environment variable **SOPS_AGE_KEY_FILE**. Alternatively you can provide the the key(s) directly by setting the **SOPS_AGE_KEY** environment variable. The contents of this key file should be a list of age X25519 identities, one per line. Lines beginning with ``#`` are considered comments and ignored. Each identity will be tried in sequence until one is able to decrypt the data. Encrypting with SSH keys via age is not yet supported by sops. Encrypting using GCP KMS ~~~~~~~~~~~~~~~~~~~~~~~~ GCP KMS uses `Application Default Credentials <https://developers.google.com/identity/protocols/application-default-credentials>`_. If you already logged in using .. code:: bash $ gcloud auth login you can enable application default credentials using the sdk:: $ gcloud auth application-default login Encrypting/decrypting with GCP KMS requires a KMS ResourceID. You can use the cloud console the get the ResourceID or you can create one using the gcloud sdk: .. code:: bash $ gcloud kms keyrings create sops --location global $ gcloud kms keys create sops-key --location global --keyring sops --purpose encryption $ gcloud kms keys list --location global --keyring sops # you should see NAME PURPOSE PRIMARY_STATE projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key ENCRYPT_DECRYPT ENABLED Now you can encrypt a file using:: $ sops --encrypt --gcp-kms projects/my-project/locations/global/keyRings/sops/cryptoKeys/sops-key test.yaml > test.enc.yaml And decrypt it using:: $ sops --decrypt test.enc.yaml Encrypting using Azure Key Vault ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The Azure Key Vault integration tries several authentication methods, in this order: 1. Client credentials 2. Client Certificate 3. Username Password 4. MSI 5. Azure CLI auth You can force a specific authentication method through the AZURE_AUTH_METHOD environment variable, which may be one of: clientcredentials, clientcertificate, usernamepassword, msi, or cli (default). For example, you can use service principals with the following environment variables: .. code:: bash AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET You can create a service principal using the cli like this: .. code:: bash $ az ad sp create-for-rbac -n my-keyvault-sp { "appId": "<some-uuid>", "displayName": "my-keyvault-sp", "name": "http://my-keyvault-sp", "password": "<some-uuid>", "tenant": "<tenant-id>" } The appId is the client id, and the password is the client secret. Encrypting/decrypting with Azure Key Vault requires the resource identifier for a key. This has the following form:: https://${VAULT_URL}/keys/${KEY_NAME}/${KEY_VERSION} To create a Key Vault and assign your service principal permissions on it from the commandline: .. code:: bash # Create a resource group if you do not have one: $ az group create --name sops-rg --location westeurope # Key Vault names are globally unique, so generate one: $ keyvault_name=sops-$(uuidgen | tr -d - | head -c 16) # Create a Vault, a key, and give the service principal access: $ az keyvault create --name $keyvault_name --resource-group sops-rg --location westeurope $ az keyvault key create --name sops-key --vault-name $keyvault_name --protection software --ops encrypt decrypt $ az keyvault set-policy --name $keyvault_name --resource-group sops-rg --spn $AZURE_CLIENT_ID \ --key-permissions encrypt decrypt # Read the key id: $ az keyvault key show --name sops-key --vault-name $keyvault_name --query key.kid https://sops.vault.azure.net/keys/sops-key/some-string Now you can encrypt a file using:: $ sops --encrypt --azure-kv https://sops.vault.azure.net/keys/sops-key/some-string test.yaml > test.enc.yaml And decrypt it using:: $ sops --decrypt test.enc.yaml Encrypting using Hashicorp Vault ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ We assume you have an instance (or more) of Vault running and you have privileged access to it. For instructions on how to deploy a secure instance of Vault, refer to Hashicorp's official documentation. To easily deploy Vault locally: (DO NOT DO THIS FOR PRODUCTION!!!) .. code:: bash $ docker run -d -p8200:8200 vault:1.2.0 server -dev -dev-root-token-id=toor .. code:: bash $ # Substitute this with the address Vault is running on $ export VAULT_ADDR=http://127.0.0.1:8200 $ # this may not be necessary in case you previously used `vault login` for production use $ export VAULT_TOKEN=toor $ # to check if Vault started and is configured correctly $ vault status Key Value --- ----- Seal Type shamir Initialized true Sealed false Total Shares 1 Threshold 1 Version 1.2.0 Cluster Name vault-cluster-618cc902 Cluster ID e532e461-e8f0-1352-8a41-fc7c11096908 HA Enabled false $ # It is required to enable a transit engine if not already done (It is suggested to create a transit engine specifically for sops, in which it is possible to have multiple keys with various permission levels) $ vault secrets enable -path=sops transit Success! Enabled the transit secrets engine at: sops/ $ # Then create one or more keys $ vault write sops/keys/firstkey type=rsa-4096 Success! Data written to: sops/keys/firstkey $ vault write sops/keys/secondkey type=rsa-2048 Success! Data written to: sops/keys/secondkey $ vault write sops/keys/thirdkey type=chacha20-poly1305 Success! Data written to: sops/keys/thirdkey $ sops --hc-vault-transit $VAULT_ADDR/v1/sops/keys/firstkey vault_example.yml $ cat <<EOF > .sops.yaml creation_rules: - path_regex: \.dev\.yaml$ hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/secondkey" - path_regex: \.prod\.yaml$ hc_vault_transit_uri: "$VAULT_ADDR/v1/sops/keys/thirdkey" EOF $ sops --verbose -e prod/raw.yaml > prod/encrypted.yaml Adding and removing keys ~~~~~~~~~~~~~~~~~~~~~~~~ When creating new files, ``sops`` uses the PGP, KMS and GCP KMS defined in the command line arguments ``--kms``, ``--pgp``, ``--gcp-kms`` or ``--azure-kv``, or from the environment variables ``SOPS_KMS_ARN``, ``SOPS_PGP_FP``, ``SOPS_GCP_KMS_IDS``, ``SOPS_AZURE_KEYVAULT_URLS``. That information is stored in the file under the ``sops`` section, such that decrypting files does not require providing those parameters again. Master PGP and KMS keys can be added and removed from a ``sops`` file in one of three ways:: 1. By using a .sops.yaml file and the ``updatekeys`` command. 2. By using command line flags. 3. By editing the file directly. The sops team recommends the ``updatekeys`` approach. ``updatekeys`` command ********************** The ``updatekeys`` command uses the `.sops.yaml <#using-sops-yaml-conf-to-select-kms-pgp-for-new-files>`_ configuration file to update (add or remove) the corresponding secrets in the encrypted file. Note that the example below uses the `Block Scalar yaml construct <https://yaml-multiline.info/>`_ to build a space separated list. .. code:: yaml creation_rules: - pgp: >- 85D77543B3D624B63CEA9E6DBC17301B491B3F21, FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 .. code:: bash $ sops updatekeys test.enc.yaml Sops will prompt you with the changes to be made. This interactivity can be disabled by supplying the ``-y`` flag. Command Line ************ Command line flag ``--add-kms``, ``--add-pgp``, ``--add-gcp-kms``, ``--add-azure-kv``, ``--rm-kms``, ``--rm-pgp``, ``--rm-gcp-kms`` and ``--rm-azure-kv`` can be used to add and remove keys from a file. These flags use the comma separated syntax as the ``--kms``, ``--pgp``, ``--gcp-kms`` and ``--azure-kv`` arguments when creating new files. Note that ``-r`` or ``--rotate`` is mandatory in this mode. Not specifying rotate will ignore the ``--add-*`` options. Use ``updatekeys`` if you want to add a key without rotating the data key. .. code:: bash # add a new pgp key to the file and rotate the data key $ sops -r -i --add-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml # remove a pgp key from the file and rotate the data key $ sops -r -i --rm-pgp 85D77543B3D624B63CEA9E6DBC17301B491B3F21 example.yaml Direct Editing ************** Alternatively, invoking ``sops`` with the flag **-s** will display the master keys while editing. This method can be used to add or remove kms or pgp keys under the sops section. Invoking ``sops`` with the **-i** flag will perform an in-place edit instead of redirecting output to ``stdout``. For example, to add a KMS master key to a file, add the following entry while editing: .. code:: yaml sops: kms: - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e And, similarly, to add a PGP master key, we add its fingerprint: .. code:: yaml sops: pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 When the file is saved, ``sops`` will update its metadata and encrypt the data key with the freshly added master keys. The removed entries are simply deleted from the file. When removing keys, it is recommended to rotate the data key using ``-r``, otherwise owners of the removed key may have add access to the data key in the past. KMS AWS Profiles ~~~~~~~~~~~~~~~~ If you want to use a specific profile, you can do so with `aws_profile`: .. code:: yaml sops: kms: - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e aws_profile: foo If no AWS profile is set, default credentials will be used. Similarly the `--aws-profile` flag can be set with the command line with any of the KMS commands. Assuming roles and using KMS in various AWS accounts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SOPS has the ability to use KMS in multiple AWS accounts by assuming roles in each account. Being able to assume roles is a nice feature of AWS that allows administrators to establish trust relationships between accounts, typically from the most secure account to the least secure one. In our use-case, we use roles to indicate that a user of the Master AWS account is allowed to make use of KMS master keys in development and staging AWS accounts. Using roles, a single file can be encrypted with KMS keys in multiple accounts, thus increasing reliability and ease of use. You can use keys in various accounts by tying each KMS master key to a role that the user is allowed to assume in each account. The `IAM roles <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html>`_ documentation has full details on how this needs to be configured on AWS's side. From the point of view of ``sops``, you only need to specify the role a KMS key must assume alongside its ARN, as follows: .. code:: yaml sops: kms: - arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e role: arn:aws:iam::927034868273:role/sops-dev-xyz The role must have permission to call Encrypt and Decrypt using KMS. An example policy is shown below. .. code:: json { "Sid": "Allow use of the key", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*", "Principal": { "AWS": [ "arn:aws:iam::927034868273:role/sops-dev-xyz" ] } } You can specify a role in the ``--kms`` flag and ``SOPS_KMS_ARN`` variable by appending it to the ARN of the master key, separated by a **+** sign:: <KMS ARN>+<ROLE ARN> arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500+arn:aws:iam::927034868273:role/sops-dev-xyz AWS KMS Encryption Context ~~~~~~~~~~~~~~~~~~~~~~~~~~ SOPS has the ability to use `AWS KMS key policy and encryption context <http://docs.aws.amazon.com/kms/latest/developerguide/encryption-context.html>`_ to refine the access control of a given KMS master key. When creating a new file, you can specify encryption context in the ``--encryption-context`` flag by comma separated list of key-value pairs: .. code:: bash $ sops --encryption-context Environment:production,Role:web-server test.dev.yaml The format of the Encrypt Context string is ``<EncryptionContext Key>:<EncryptionContext Value>,<EncryptionContext Key>:<EncryptionContext Value>,...`` The encryption context will be stored in the file metadata and does not need to be provided at decryption. Encryption contexts can be used in conjunction with KMS Key Policies to define roles that can only access a given context. An example policy is shown below: .. code:: json { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp" }, "Action": "kms:Decrypt", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:AppName": "ExampleApp", "kms:EncryptionContext:FilePath": "/var/opt/secrets/" } } } Key Rotation ~~~~~~~~~~~~ It is recommended to renew the data key on a regular basis. ``sops`` supports key rotation via the ``-r`` flag. Invoking it on an existing file causes sops to reencrypt the file with a new data key, which is then encrypted with the various KMS and PGP master keys defined in the file. .. code:: bash sops -r example.yaml Using .sops.yaml conf to select KMS/PGP for new files ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It is often tedious to specify the ``--kms`` ``--gcp-kms`` and ``--pgp`` parameters for creation of all new files. If your secrets are stored under a specific directory, like a ``git`` repository, you can create a ``.sops.yaml`` configuration file at the root directory to define which keys are used for which filename. Let's take an example: * file named **something.dev.yaml** should use one set of KMS A * file named **something.prod.yaml** should use another set of KMS B * other files use a third set of KMS C * all live under **mysecretrepo/something.{dev,prod,gcp}.yaml** Under those circumstances, a file placed at **mysecretrepo/.sops.yaml** can manage the three sets of configurations for the three types of files: .. code:: yaml # creation rules are evaluated sequentially, the first match wins creation_rules: # upon creation of a file that matches the pattern *.dev.yaml, # KMS set A is used - path_regex: \.dev\.yaml$ kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' # prod files use KMS set B in the PROD IAM - path_regex: \.prod\.yaml$ kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' hc_vault_uris: "http://localhost:8200/v1/sops/keys/thirdkey" # gcp files using GCP KMS - path_regex: \.gcp\.yaml$ gcp_kms: projects/mygcproject/locations/global/keyRings/mykeyring/cryptoKeys/thekey # Finally, if the rules above have not matched, this one is a # catchall that will encrypt the file using KMS set C # The absence of a path_regex means it will match everything - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' When creating any file under **mysecretrepo**, whether at the root or under a subdirectory, sops will recursively look for a ``.sops.yaml`` file. If one is found, the filename of the file being created is compared with the filename regexes of the configuration file. The first regex that matches is selected, and its KMS and PGP keys are used to encrypt the file. It should be noted that the looking up of ``.sops.yaml`` is from the working directory (CWD) instead of the directory of the encrypting file (see `Issue 242 <https://github.com/mozilla/sops/issues/242>`_). The path_regex checks the path of the encrypting file relative to the .sops.yaml config file. Here is another example: * files located under directory **development** should use one set of KMS A * files located under directory **production** should use another set of KMS B * other files use a third set of KMS C .. code:: yaml creation_rules: # upon creation of a file under development, # KMS set A is used - path_regex: .*/development/.* kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' # prod files use KMS set B in the PROD IAM - path_regex: .*/production/.* kms: 'arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e+arn:aws:iam::361527076523:role/hiera-sops-prod,arn:aws:kms:eu-central-1:361527076523:key/cb1fab90-8d17-42a1-a9d8-334968904f94+arn:aws:iam::361527076523:role/hiera-sops-prod' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' # other files use KMS set C - kms: 'arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500,arn:aws:kms:us-west-2:142069644989:key/846cfb17-373d-49b9-8baf-f36b04512e47,arn:aws:kms:us-west-2:361527076523:key/5052f06a-5d3f-489e-b86c-57201e06f31e' pgp: 'FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4' Creating a new file with the right keys is now as simple as .. code:: bash $ sops <newfile>.prod.yaml Note that the configuration file is ignored when KMS or PGP parameters are passed on the sops command line or in environment variables. Specify a different GPG executable ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``sops`` checks for the ``SOPS_GPG_EXEC`` environment variable. If specified, it will attempt to use the executable set there instead of the default of ``gpg``. Example: place the following in your ``~/.bashrc`` .. code:: bash SOPS_GPG_EXEC = 'your_gpg_client_wrapper' Specify a different GPG key server ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By default, ``sops`` uses the key server ``keys.openpgp.org`` to retrieve the GPG keys that are not present in the local keyring. This is no longer configurable. You can learn more about why from this write-up: `SKS Keyserver Network Under Attack <https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f>`_. Key groups ~~~~~~~~~~ By default, ``sops`` encrypts the data key for a file with each of the master keys, such that if any of the master keys is available, the file can be decrypted. However, it is sometimes desirable to require access to multiple master keys in order to decrypt files. This can be achieved with key groups. When using key groups in sops, data keys are split into parts such that keys from multiple groups are required to decrypt a file. ``sops`` uses Shamir's Secret Sharing to split the data key such that each key group has a fragment, each key in the key group can decrypt that fragment, and a configurable number of fragments (threshold) are needed to decrypt and piece together the complete data key. When decrypting a file using multiple key groups, ``sops`` goes through key groups in order, and in each group, tries to recover the fragment of the data key using a master key from that group. Once the fragment is recovered, ``sops`` moves on to the next group, until enough fragments have been recovered to obtain the complete data key. By default, the threshold is set to the number of key groups. For example, if you have three key groups configured in your SOPS file and you don't override the default threshold, then one master key from each of the three groups will be required to decrypt the file. Management of key groups is done with the ``sops groups`` command. For example, you can add a new key group with 3 PGP keys and 3 KMS keys to the file ``my_file.yaml``: .. code:: bash $ sops groups add --file my_file.yaml --pgp fingerprint1 --pgp fingerprint2 --pgp fingerprint3 --kms arn1 --kms arn2 --kms arn3 Or you can delete the 1st group (group number 0, as groups are zero-indexed) from ``my_file.yaml``: .. code:: bash $ sops groups delete --file my_file.yaml 0 Key groups can also be specified in the ``.sops.yaml`` config file, like so: .. code:: yaml creation_rules: - path_regex: .*keygroups.* key_groups: # First key group - pgp: - fingerprint1 - fingerprint2 kms: - arn: arn1 role: role1 context: foo: bar - arn: arn2 # Second key group - pgp: - fingerprint3 - fingerprint4 kms: - arn: arn3 - arn: arn4 # Third key group - pgp: - fingerprint5 Given this configuration, we can create a new encrypted file like we normally would, and optionally provide the ``--shamir-secret-sharing-threshold`` command line flag if we want to override the default threshold. ``sops`` will then split the data key into three parts (from the number of key groups) and encrypt each fragment with the master keys found in each group. For example: .. code:: bash $ sops --shamir-secret-sharing-threshold 2 example.json Alternatively, you can configure the Shamir threshold for each creation rule in the ``.sops.yaml`` config with ``shamir_threshold``: .. code:: yaml creation_rules: - path_regex: .*keygroups.* shamir_threshold: 2 key_groups: # First key group - pgp: - fingerprint1 - fingerprint2 kms: - arn: arn1 role: role1 context: foo: bar - arn: arn2 # Second key group - pgp: - fingerprint3 - fingerprint4 kms: - arn: arn3 - arn: arn4 # Third key group - pgp: - fingerprint5 And then run ``sops example.json``. The threshold (``shamir_threshold``) is set to 2, so this configuration will require master keys from two of the three different key groups in order to decrypt the file. You can then decrypt the file the same way as with any other SOPS file: .. code:: bash $ sops -d example.json Key service ~~~~~~~~~~~ There are situations where you might want to run ``sops`` on a machine that doesn't have direct access to encryption keys such as PGP keys. The ``sops`` key service allows you to forward a socket so that ``sops`` can access encryption keys stored on a remote machine. This is similar to GPG Agent, but more portable. SOPS uses a client-server approach to encrypting and decrypting the data key. By default, SOPS runs a local key service in-process. SOPS uses a key service client to send an encrypt or decrypt request to a key service, which then performs the operation. The requests are sent using gRPC and Protocol Buffers. The requests contain an identifier for the key they should perform the operation with, and the plaintext or encrypted data key. The requests do not contain any cryptographic keys, public or private. **WARNING: the key service connection currently does not use any sort of authentication or encryption. Therefore, it is recommended that you make sure the connection is authenticated and encrypted in some other way, for example through an SSH tunnel.** Whenever we try to encrypt or decrypt a data key, SOPS will try to do so first with the local key service (unless it's disabled), and if that fails, it will try all other remote key services until one succeeds. You can start a key service server by running ``sops keyservice``. You can specify the key services the ``sops`` binary uses with ``--keyservice``. This flag can be specified more than once, so you can use multiple key services. The local key service can be disabled with ``enable-local-keyservice=false``. For example, to decrypt a file using both the local key service and the key service exposed on the unix socket located in ``/tmp/sops.sock``, you can run: .. code:: bash $ sops --keyservice unix:///tmp/sops.sock -d file.yaml` And if you only want to use the key service exposed on the unix socket located in ``/tmp/sops.sock`` and not the local key service, you can run: .. code:: bash $ sops --enable-local-keyservice=false --keyservice unix:///tmp/sops.sock -d file.yaml Auditing ~~~~~~~~ Sometimes, users want to be able to tell what files were accessed by whom in an environment they control. For this reason, SOPS can generate audit logs to record activity on encrypted files. When enabled, SOPS will write a log entry into a pre-configured PostgreSQL database when a file is decrypted. The log includes a timestamp, the username SOPS is running as, and the file that was decrypted. In order to enable auditing, you must first create the database and credentials using the schema found in ``audit/schema.sql``. This schema defines the tables that store the audit events and a role named ``sops`` that only has permission to add entries to the audit event tables. The default password for the role ``sops`` is ``sops``. You should change this password. Once you have created the database, you have to tell SOPS how to connect to it. Because we don't want users of SOPS to be able to control auditing, the audit configuration file location is not configurable, and must be at ``/etc/sops/audit.yaml``. This file should have strict permissions such that only the root user can modify it. For example, to enable auditing to a PostgreSQL database named ``sops`` running on localhost, using the user ``sops`` and the password ``sops``, ``/etc/sops/audit.yaml`` should have the following contents: .. code:: yaml backends: postgres: - connection_string: "postgres://sops:sops@localhost/sops?sslmode=verify-full" You can find more information on the ``connection_string`` format in the `PostgreSQL docs <https://www.postgresql.org/docs/current/static/libpq-connect.html#libpq-connstring>`_. Under the ``postgres`` map entry in the above YAML is a list, so one can provide more than one backend, and SOPS will log to all of them: .. code:: yaml backends: postgres: - connection_string: "postgres://sops:sops@localhost/sops?sslmode=verify-full" - connection_string: "postgres://sops:sops@remotehost/sops?sslmode=verify-full" Saving Output to a File ~~~~~~~~~~~~~~~~~~~~~~~ By default ``sops`` just dumps all the output to the standard output. We can use the ``--output`` flag followed by a filename to save the output to the file specified. Beware using both ``--in-place`` and ``--output`` flags will result in an error. Passing Secrets to Other Processes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to writing secrets to standard output and to files on disk, ``sops`` has two commands for passing decrypted secrets to a new process: ``exec-env`` and ``exec-file``. These commands will place all output into the environment of a child process and into a temporary file, respectively. For example, if a program looks for credentials in its environment, ``exec-env`` can be used to ensure that the decrypted contents are available only to this process and never written to disk. .. code:: bash # print secrets to stdout to confirm values $ sops -d out.json { "database_password": "jf48t9wfw094gf4nhdf023r", "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" } # decrypt out.json and run a command # the command prints the environment variable and runs a script that uses it $ sops exec-env out.json 'echo secret: $database_password; ./database-import' secret: jf48t9wfw094gf4nhdf023r # launch a shell with the secrets available in its environment $ sops exec-env out.json 'sh' sh-3.2# echo $database_password jf48t9wfw094gf4nhdf023r # the secret is not accessible anywhere else sh-3.2$ exit $ echo your password: $database_password your password: If the command you want to run only operates on files, you can use ``exec-file`` instead. By default ``sops`` will use a FIFO to pass the contents of the decrypted file to the new program. Using a FIFO, secrets are only passed in memory which has two benefits: the plaintext secrets never touch the disk, and the child process can only read the secrets once. In contexts where this won't work, eg platforms like Windows where FIFOs unavailable or secret files that need to be available to the child process longer term, the ``--no-fifo`` flag can be used to instruct ``sops`` to use a traditional temporary file that will get cleaned up once the process is finished executing. ``exec-file`` behaves similar to ``find(1)`` in that ``{}`` is used as a placeholder in the command which will be substituted with the temporary file path (whether a FIFO or an actual file). .. code:: bash # operating on the same file as before, but as a file this time $ sops exec-file out.json 'echo your temporary file: {}; cat {}' your temporary file: /tmp/.sops894650499/tmp-file { "database_password": "jf48t9wfw094gf4nhdf023r", "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" } # launch a shell with a variable TMPFILE pointing to the temporary file $ sops exec-file --no-fifo out.json 'TMPFILE={} sh' sh-3.2$ echo $TMPFILE /tmp/.sops506055069/tmp-file291138648 sh-3.2$ cat $TMPFILE { "database_password": "jf48t9wfw094gf4nhdf023r", "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" } sh-3.2$ ./program --config $TMPFILE sh-3.2$ exit # try to open the temporary file from earlier $ cat /tmp/.sops506055069/tmp-file291138648 cat: /tmp/.sops506055069/tmp-file291138648: No such file or directory Additionally, on unix-like platforms, both ``exec-env`` and ``exec-file`` support dropping privileges before executing the new program via the ``--user <username>`` flag. This is particularly useful in cases where the encrypted file is only readable by root, but the target program does not need root privileges to function. This flag should be used where possible for added security. To overwrite the default file name (``tmp-file``) in ``exec-file`` use the ``--filename <filename>`` parameter. .. code:: bash # the encrypted file can't be read by the current user $ cat out.json cat: out.json: Permission denied # execute sops as root, decrypt secrets, then drop privileges $ sudo sops exec-env --user nobody out.json 'sh' sh-3.2$ echo $database_password jf48t9wfw094gf4nhdf023r # dropped privileges, still can't load the original file sh-3.2$ id uid=4294967294(nobody) gid=4294967294(nobody) groups=4294967294(nobody) sh-3.2$ cat out.json cat: out.json: Permission denied Using the publish command ~~~~~~~~~~~~~~~~~~~~~~~~~ ``sops publish $file`` publishes a file to a pre-configured destination (this lives in the sops config file). Additionally, support re-encryption rules that work just like the creation rules. This command requires a ``.sops.yaml`` configuration file. Below is an example: .. code:: yaml destination_rules: - s3_bucket: "sops-secrets" path_regex: s3/* recreation_rule: pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 - gcs_bucket: "sops-secrets" path_regex: gcs/* recreation_rule: pgp: F69E4901EDBAD2D1753F8C67A64535C4163FB307 - vault_path: "sops/" vault_kv_mount_name: "secret/" # default vault_kv_version: 2 # default path_regex: vault/* omit_extensions: true The above configuration will place all files under ``s3/*`` into the S3 bucket ``sops-secrets``, all files under ``gcs/*`` into the GCS bucket ``sops-secrets``, and the contents of all files under ``vault/*`` into Vault's KV store under the path ``secrets/sops/``. For the files that will be published to S3 and GCS, it will decrypt them and re-encrypt them using the ``F69E4901EDBAD2D1753F8C67A64535C4163FB307`` pgp key. You would deploy a file to S3 with a command like: ``sops publish s3/app.yaml`` To publish all files in selected directory recursively, you need to specify ``--recursive`` flag. If you don't want file extension to appear in destination secret path, use ``--omit-extensions`` flag or ``omit_extensions: true`` in the destination rule in ``.sops.yaml``. Publishing to Vault ******************* There are a few settings for Vault that you can place in your destination rules. The first is ``vault_path``, which is required. The others are optional, and they are ``vault_address``, ``vault_kv_mount_name``, ``vault_kv_version``. ``sops`` uses the official Vault API provided by Hashicorp, which makes use of `environment variables <https://www.vaultproject.io/docs/commands/#environment-variables>`_ for configuring the client. ``vault_kv_mount_name`` is used if your Vault KV is mounted somewhere other than ``secret/``. ``vault_kv_version`` supports ``1`` and ``2``, with ``2`` being the default. If destination secret path already exists in Vault and contains same data as the source file, it will be skipped. Below is an example of publishing to Vault (using token auth with a local dev instance of Vault). .. code:: bash $ export VAULT_TOKEN=... $ export VAULT_ADDR='http://127.0.0.1:8200' $ sops -d vault/test.yaml example_string: bar example_number: 42 example_map: key: value $ sops publish vault/test.yaml uploading /home/user/sops_directory/vault/test.yaml to http://127.0.0.1:8200/v1/secret/data/sops/test.yaml ? (y/n): y $ vault kv get secret/sops/test.yaml ====== Metadata ====== Key Value --- ----- created_time 2019-07-11T03:32:17.074792017Z deletion_time n/a destroyed false version 3 ========= Data ========= Key Value --- ----- example_map map[key:value] example_number 42 example_string bar Important information on types ------------------------------ YAML and JSON type extensions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``sops`` uses the file extension to decide which encryption method to use on the file content. ``YAML``, ``JSON``, ``ENV``, and ``INI`` files are treated as trees of data, and key/values are extracted from the files to only encrypt the leaf values. The tree structure is also used to check the integrity of the file. Therefore, if a file is encrypted using a specific format, it need to be decrypted in the same format. The easiest way to achieve this is to conserve the original file extension after encrypting a file. For example: .. code:: bash $ sops -e -i myfile.json $ sops -d myfile.json If you want to change the extension of the file once encrypted, you need to provide sops with the ``--input-type`` flag upon decryption. For example: .. code:: bash $ sops -e myfile.json > myfile.json.enc $ sops -d --input-type json myfile.json.enc When operating on stdin, use the ``--input-type`` and ``--output-type`` flags as follows: .. code:: bash $ cat myfile.json | sops --input-type json --output-type json -d /dev/stdin YAML anchors ~~~~~~~~~~~~ ``sops`` only supports a subset of ``YAML``'s many types. Encrypting YAML files that contain strings, numbers and booleans will work fine, but files that contain anchors will not work, because the anchors redefine the structure of the file at load time. This file will not work in ``sops``: .. code:: yaml bill-to: &id001 street: | 123 Tornado Alley Suite 16 city: East Centerville state: KS ship-to: *id001 ``sops`` uses the path to a value as additional data in the AEAD encryption, and thus dynamic paths generated by anchors break the authentication step. JSON and TEXT file types do not support anchors and thus have no such limitation. YAML Streams ~~~~~~~~~~~~ ``YAML`` supports having more than one "document" in a single file, while formats like ``JSON`` do not. ``sops`` is able to handle both. This means the following multi-document will be encrypted as expected: .. code:: yaml --- data: foo --- data: bar Note that the ``sops`` metadata, i.e. the hash, etc, is computed for the physical file rather than each internal "document". Top-level arrays ~~~~~~~~~~~~~~~~ ``YAML`` and ``JSON`` top-level arrays are not supported, because ``sops`` needs a top-level ``sops`` key to store its metadata. This file will not work in sops: .. code:: yaml --- - some - array - elements But this one will work because the ``sops`` key can be added at the same level as the ``data`` key. .. code:: yaml data: - some - array - elements Similarly, with ``JSON`` arrays, this document will not work: .. code:: json [ "some", "array", "elements" ] But this one will work just fine: .. code:: json { "data": [ "some", "array", "elements" ] } Examples -------- Take a look into the `examples <https://github.com/mozilla/sops/tree/master/examples>`_ folder for detailed use cases of sops in a CI environment. The section below describes specific tips for common use cases. Creating a new file ~~~~~~~~~~~~~~~~~~~ The command below creates a new file with a data key encrypted by KMS and PGP. .. code:: bash $ sops --kms "arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" --pgp C9CAB0AF1165060DB58D6D6B2653B624D620786D /path/to/new/file.yaml Encrypting an existing file ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Similar to the previous command, we tell sops to use one KMS and one PGP key. The path points to an existing cleartext file, so we give sops flag ``-e`` to encrypt the file, and redirect the output to a destination file. .. code:: bash $ export SOPS_KMS_ARN="arn:aws:kms:us-west-2:927034868273:key/fe86dd69-4132-404c-ab86-4269956b4500" $ export SOPS_PGP_FP="C9CAB0AF1165060DB58D6D6B2653B624D620786D" $ sops -e /path/to/existing/file.yaml > /path/to/new/encrypted/file.yaml Decrypt the file with ``-d``. .. code:: bash $ sops -d /path/to/new/encrypted/file.yaml Encrypt or decrypt a file in place ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Rather than redirecting the output of ``-e`` or ``-d``, sops can replace the original file after encrypting or decrypting it. .. code:: bash # file.yaml is in cleartext $ sops -e -i /path/to/existing/file.yaml # file.yaml is now encrypted $ sops -d -i /path/to/existing/file.yaml # file.yaml is back in cleartext Encrypting binary files ~~~~~~~~~~~~~~~~~~~~~~~ ``sops`` primary use case is encrypting YAML and JSON configuration files, but it also has the ability to manage binary files. When encrypting a binary, sops will read the data as bytes, encrypt it, store the encrypted base64 under ``tree['data']`` and write the result as JSON. Note that the base64 encoding of encrypted data can actually make the encrypted file larger than the cleartext one. In-place encryption/decryption also works on binary files. .. code:: $ dd if=/dev/urandom of=/tmp/somerandom bs=1024 count=512 512+0 records in 512+0 records out 524288 bytes (524 kB) copied, 0.0466158 s, 11.2 MB/s $ sha512sum /tmp/somerandom 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom $ sops -e -i /tmp/somerandom please wait while a data encryption key is being generated and stored securely $ sops -d -i /tmp/somerandom $ sha512sum /tmp/somerandom 9589bb20280e9d381f7a192000498c994e921b3cdb11d2ef5a986578dc2239a340b25ef30691bac72bdb14028270828dad7e8bd31e274af9828c40d216e60cbe /tmp/somerandom Extract a sub-part of a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``sops`` can extract a specific part of a YAML or JSON document, by provided the path in the ``--extract`` command line flag. This is useful to extract specific values, like keys, without needing an extra parser. .. code:: bash $ sops -d --extract '["app2"]["key"]' ~/git/svc/sops/example.yaml -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAPTMNIyHuZtpLYc7VsHQtwOkWYobkUblmHWRmbXzlAX6K8tMf3Wf ImcbNkqAKnELzFAPSBeEMhrBN0PyOC9lYlMCAwEAAQJBALXD4sjuBn1E7Y9aGiMz bJEBuZJ4wbhYxomVoQKfaCu+kH80uLFZKoSz85/ySauWE8LgZcMLIBoiXNhDKfQL vHECIQD6tCG9NMFWor69kgbX8vK5Y+QL+kRq+9HK6yZ9a+hsLQIhAPn4Ie6HGTjw fHSTXWZpGSan7NwTkIu4U5q2SlLjcZh/AiEA78NYRRBwGwAYNUqzutGBqyXKUl4u Erb0xAEyVV7e8J0CIQC8VBY8f8yg+Y7Kxbw4zDYGyb3KkXL10YorpeuZR4LuQQIg bKGPkMM4w5blyE1tqGN0T7sJwEx+EUOgacRNqM2ljVA= -----END RSA PRIVATE KEY----- The tree path syntax uses regular python dictionary syntax, without the variable name. Extract keys by naming them, and array elements by numbering them. .. code:: bash $ sops -d --extract '["an_array"][1]' ~/git/svc/sops/example.yaml secretuser2 Set a sub-part in a document tree ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ``sops`` can set a specific part of a YAML or JSON document, by providing the path and value in the ``--set`` command line flag. This is useful to set specific values, like keys, without needing an editor. .. code:: bash $ sops --set '["app2"]["key"] "app2keystringvalue"' ~/git/svc/sops/example.yaml The tree path syntax uses regular python dictionary syntax, without the variable name. Set to keys by naming them, and array elements by numbering them. .. code:: bash $ sops --set '["an_array"][1] "secretuser2"' ~/git/svc/sops/example.yaml The value must be formatted as json. .. code:: bash $ sops --set '["an_array"][1] {"uid1":null,"uid2":1000,"uid3":["bob"]}' ~/git/svc/sops/example.yaml Showing diffs in cleartext in git ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You most likely want to store encrypted files in a version controlled repository. Sops can be used with git to decrypt files when showing diffs between versions. This is very handy for reviewing changes or visualizing history. To configure sops to decrypt files during diff, create a ``.gitattributes`` file at the root of your repository that contains a filter and a command. .. code:: *.yaml diff=sopsdiffer Here we only care about YAML files. ``sopsdiffer`` is an arbitrary name that we map to a sops command in the git configuration file of the repository. .. code:: bash $ git config diff.sopsdiffer.textconv "sops -d" $ grep -A 1 sopsdiffer .git/config [diff "sopsdiffer"] textconv = "sops -d" With this in place, calls to ``git diff`` will decrypt both previous and current versions of the target file prior to displaying the diff. And it even works with git client interfaces, because they call git diff under the hood! Encrypting only parts of a file ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Note: this only works on YAML and JSON files, not on BINARY files. By default, ``sops`` encrypts all the values of a YAML or JSON file and leaves the keys in cleartext. In some instances, you may want to exclude some values from being encrypted. This can be accomplished by adding the suffix **_unencrypted** to any key of a file. When set, all values underneath the key that set the **_unencrypted** suffix will be left in cleartext. Note that, while in cleartext, unencrypted content is still added to the checksum of the file, and thus cannot be modified outside of sops without breaking the file integrity check. The unencrypted suffix can be set to a different value using the ``--unencrypted-suffix`` option. Conversely, you can opt in to only encrypt some values in a YAML or JSON file, by adding a chosen suffix to those keys and passing it to the ``--encrypted-suffix`` option. A third method is to use the ``--encrypted-regex`` which will only encrypt values under keys that match the supplied regular expression. For example, this command: .. code:: bash $ sops --encrypt --encrypted-regex '^(data|stringData)$' k8s-secrets.yaml will encrypt the values under the ``data`` and ``stringData`` keys in a YAML file containing kubernetes secrets. It will not encrypt other values that help you to navigate the file, like ``metadata`` which contains the secrets' names. Conversely, you can opt in to only left certain keys without encrypting by using the ``--unencrypted-regex`` option, which will leave the values unencrypted of those keys that match the supplied regular expression. For example, this command: .. code:: bash $ sops --encrypt --unencrypted-regex '^(description|metadata)$' k8s-secrets.yaml will not encrypt the values under the ``description`` and ``metadata`` keys in a YAML file containing kubernetes secrets, while encrypting everything else. You can also specify these options in the ``.sops.yaml`` config file. Note: these four options ``--unencrypted-suffix``, ``--encrypted-suffix``, ``--encrypted-regex`` and ``--unencrypted-regex`` are mutually exclusive and cannot all be used in the same file. Encryption Protocol ------------------- When sops creates a file, it generates a random 256 bit data key and asks each KMS and PGP master key to encrypt the data key. The encrypted version of the data key is stored in the ``sops`` metadata under ``sops.kms`` and ``sops.pgp``. For KMS: .. code:: yaml sops: kms: - enc: CiC6yCOtzsnFhkfdIslYZ0bAf//gYLYCmIu87B3sy/5yYxKnAQEBAQB4usgjrc7JxYZH3SLJWGdGwH//4GC2ApiLvOwd7Mv+cmMAAAB+MHwGCSqGSIb3DQEHBqBvMG0CAQAwaAYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAyGdRODuYMHbA8Ozj8CARCAO7opMolPJUmBXd39Zlp0L2H9fzMKidHm1vvaF6nNFq0ClRY7FlIZmTm4JfnOebPseffiXFn9tG8cq7oi enc_ts: 1439568549.245995 arn: arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e For PGP: .. code:: yaml sops: pgp: - fp: 85D77543B3D624B63CEA9E6DBC17301B491B3F21 created_at: 1441570391.930042 enc: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQIMA0t4uZHfl9qgAQ//UvGAwGePyHuf2/zayWcloGaDs0MzI+zw6CmXvMRNPUsA pAgRKczJmDu4+XzN+cxX5Iq9xEWIbny9B5rOjwTXT3qcUYZ4Gkzbq4MWkjuPp/Iv qO4MJaYzoH5YxC4YORQ2LvzhA2YGsCzYnljmatGEUNg01yJ6r5mwFwDxl4Nc80Cn RwnHuGExK8j1jYJZu/juK1qRbuBOAuruIPPWVdFB845PA7waacG1IdUW3ZtBkOy3 O0BIfG2ekRg0Nik6sTOhDUA+l2bewCcECI8FYCEjwHm9Sg5cxmP2V5m1mby+uKAm kewaoOyjbmV1Mh3iI1b/AQMr+/6ZE9MT2KnsoWosYamFyjxV5r1ZZM7cWKnOT+tu KOvGhTV1TeOfVpajNTNwtV/Oyh3mMLQ0F0HgCTqomQVqw5+sj7OWAASuD3CU/dyo pcmY5Qe0TNL1JsMNEH8LJDqSh+E0hsUxdY1ouVsg3ysf6mdM8ciWb3WRGxih1Vmf unfLy8Ly3V7ZIC8EHV8aLJqh32jIZV4i2zXIoO4ZBKrudKcECY1C2+zb/TziVAL8 qyPe47q8gi1rIyEv5uirLZjgpP+JkDUgoMnzlX334FZ9pWtQMYW4Y67urAI4xUq6 /q1zBAeHoeeeQK+YKDB7Ak/Y22YsiqQbNp2n4CKSKAE4erZLWVtDvSp+49SWmS/S XgGi+13MaXIp0ecPKyNTBjF+NOw/I3muyKr8EbDHrd2XgIT06QXqjYLsCb1TZ0zm xgXsOTY3b+ONQ2zjhcovanDp7/k77B+gFitLYKg4BLZsl7gJB12T8MQnpfSmRT4= =oJgS -----END PGP MESSAGE----- ``sops`` then opens a text editor on the newly created file. The user adds data to the file and saves it when done. Upon save, sops browses the entire file as a key/value tree. Every time sops encounters a leaf value (a value that does not have children), it encrypts the value with AES256_GCM using the data key and a 256 bit random initialization vector. Each file uses a single data key to encrypt all values of a document, but each value receives a unique initialization vector and has unique authentication data. Additional data is used to guarantee the integrity of the encrypted data and of the tree structure: when encrypting the tree, key names are concatenated into a byte string that is used as AEAD additional data (aad) when encrypting values. We expect that keys do not carry sensitive information, and keeping them in cleartext allows for better diff and overall readability. Any valid KMS or PGP master key can later decrypt the data key and access the data. Multiple master keys allow for sharing encrypted files without sharing master keys, and provide a disaster recovery solution. The recommended way to use sops is to have two KMS master keys in different regions and one PGP public key with the private key stored offline. If, by any chance, both KMS master keys are lost, you can always recover the encrypted data using the PGP private key. Message Authentication Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to authenticating branches of the tree using keys as additional data, sops computes a MAC on all the values to ensure that no value has been added or removed fraudulently. The MAC is stored encrypted with AES_GCM and the data key under tree->`sops`->`mac`. Motivation ---------- Automating the distribution of secrets and credentials to components of an infrastructure is a hard problem. We know how to encrypt secrets and share them between humans, but extending that trust to systems is difficult. Particularly when these systems follow devops principles and are created and destroyed without human intervention. The issue boils down to establishing the initial trust of a system that just joined the infrastructure, and providing it access to the secrets it needs to configure itself. The initial trust ~~~~~~~~~~~~~~~~~ In many infrastructures, even highly dynamic ones, the initial trust is established by a human. An example is seen in Puppet by the way certificates are issued: when a new system attempts to join a Puppetmaster, an administrator must, by default, manually approve the issuance of the certificate the system needs. This is cumbersome, and many puppetmasters are configured to auto-sign new certificates to work around that issue. This is obviously not recommended and far from ideal. AWS provides a more flexible approach to trusting new systems. It uses a powerful mechanism of roles and identities. In AWS, it is possible to verify that a new system has been granted a specific role at creation, and it is possible to map that role to specific resources. Instead of trusting new systems directly, the administrator trusts the AWS permission model and its automation infrastructure. As long as AWS keys are safe, and the AWS API is secure, we can assume that trust is maintained and systems are who they say they are. KMS, Trust and secrets distribution ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Using the AWS trust model, we can create fine grained access controls to Amazon's Key Management Service (KMS). KMS is a service that encrypts and decrypts data with AES_GCM, using keys that are never visible to users of the service. Each KMS master key has a set of role-based access controls, and individual roles are permitted to encrypt or decrypt using the master key. KMS helps solve the problem of distributing keys, by shifting it into an access control problem that can be solved using AWS's trust model. Operational requirements ~~~~~~~~~~~~~~~~~~~~~~~~ When Mozilla's Services Operations team started revisiting the issue of distributing secrets to EC2 instances, we set a goal to store these secrets encrypted until the very last moment, when they need to be decrypted on target systems. Not unlike many other organizations that operate sufficiently complex automation, we found this to be a hard problem with a number of prerequisites: 1. Secrets must be stored in YAML files for easy integration into hiera 2. Secrets must be stored in GIT, and when a new CloudFormation stack is built, the current HEAD is pinned to the stack. (This allows secrets to be changed in GIT without impacting the current stack that may autoscale). 3. Entries must be encrypted separately. Encrypting entire files as blobs makes git conflict resolution almost impossible. Encrypting each entry separately is much easier to manage. 4. Secrets must always be encrypted on disk (admin laptop, upstream git repo, jenkins and S3) and only be decrypted on the target systems SOPS can be used to encrypt YAML, JSON and BINARY files. In BINARY mode, the content of the file is treated as a blob, the same way PGP would encrypt an entire file. In YAML and JSON modes, however, the content of the file is manipulated as a tree where keys are stored in cleartext, and values are encrypted. hiera-eyaml does something similar, and over the years we learned to appreciate its benefits, namely: * diffs are meaningful. If a single value of a file is modified, only that value will show up in the diff. The diff is still limited to only showing encrypted data, but that information is already more granular that indicating that an entire file has changed. * conflicts are easier to resolve. If multiple users are working on the same encrypted files, as long as they don't modify the same values, changes are easy to merge. This is an improvement over the PGP encryption approach where unsolvable conflicts often happen when multiple users work on the same file. OpenPGP integration ~~~~~~~~~~~~~~~~~~~ OpenPGP gets a lot of bad press for being an outdated crypto protocol, and while true, what really made us look for alternatives is the difficulty of managing and distributing keys to systems. With KMS, we manage permissions to an API, not keys, and that's a lot easier to do. But PGP is not dead yet, and we still rely on it heavily as a backup solution: all our files are encrypted with KMS and with one PGP public key, with its private key stored securely for emergency decryption in the event that we lose all our KMS master keys. SOPS can be used without KMS entirely, the same way you would use an encrypted PGP file: by referencing the pubkeys of each individual who has access to the file. It can easily be done by providing sops with a comma-separated list of public keys when creating a new file: .. code:: bash $ sops --pgp "E60892BB9BD89A69F759A1A0A3D652173B763E8F,84050F1D61AF7C230A12217687DF65059EF093D3,85D77543B3D624B63CEA9E6DBC17301B491B3F21" mynewfile.yaml Threat Model ------------ The security of the data stored using sops is as strong as the weakest cryptographic mechanism. Values are encrypted using AES256_GCM which is the strongest symmetric encryption algorithm known today. Data keys are encrypted in either KMS, which also uses AES256_GCM, or PGP which uses either RSA or ECDSA keys. Going from the most likely to the least likely, the threats are as follows: Compromised AWS credentials grant access to KMS master key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with access to an AWS console can grant itself access to one of the KMS master keys used to encrypt a sops data key. This threat should be mitigated by protecting AWS accesses with strong controls, such as multi-factor authentication, and also by performing regular audits of permissions granted to AWS users. Compromised PGP key ~~~~~~~~~~~~~~~~~~~ PGP keys are routinely mishandled, either because owners copy them from machine to machine, or because the key is left forgotten on an unused machine an attacker gains access to. When using PGP encryption, sops users should take special care of PGP private keys, and store them on smart cards or offline as often as possible. Factorized RSA key ~~~~~~~~~~~~~~~~~~ sops doesn't apply any restriction on the size or type of PGP keys. A weak PGP keys, for example 512 bits RSA, could be factorized by an attacker to gain access to the private key and decrypt the data key. Users of sops should rely on strong keys, such as 2048+ bits RSA keys, or 256+ bits ECDSA keys. Weak AES cryptography ~~~~~~~~~~~~~~~~~~~~~ A vulnerability in AES256_GCM could potentially leak the data key or the KMS master key used by a sops encrypted file. While no such vulnerability exists today, we recommend that users keep their encrypted files reasonably private. Backward compatibility ---------------------- ``sops`` will remain backward compatible on the major version, meaning that all improvements brought to the 1.X and 2.X branches (current) will maintain the file format introduced in **1.0**. Security -------- Please report security issues to security at mozilla dot org, or by using one of the contact method available here: `https://www.mozilla.org/en-US/security/#For_Developers <https://www.mozilla.org/en-US/security/#For_Developers>`_ License ------- Mozilla Public License Version 2.0 Authors ------- The core team is composed of: * AJ Banhken @ajvb The original authors were: * Adrian Utrilla @autrilla * Julien Vehent @jvehent And a whole bunch of `contributors <https://github.com/mozilla/sops/graphs/contributors>`_ Credits ------- `sops` was inspired by `hiera-eyaml <https://github.com/TomPoulton/hiera-eyaml>`_, `credstash <https://github.com/LuminalOSS/credstash>`_ , `sneaker <https://github.com/codahale/sneaker>`_, `password store <http://www.passwordstore.org/>`_ and too many years managing PGP encrypted files by hand... 07070100000011000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/aes07070100000012000081A400000000000000000000000162794F9300001562000000000000000000000000000000000000001900000000sops-3.7.3/aes/cipher.go/* Package aes defines a Cipher that uses 256-bit AES-GCM authenticated encryption to encrypt values the SOPS tree. */ package aes //import "go.mozilla.org/sops/v3/aes" import ( cryptoaes "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "fmt" "regexp" "strconv" "strings" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/logging" ) var log *logrus.Logger func init() { log = logging.NewLogger("AES") } type encryptedValue struct { data []byte iv []byte tag []byte datatype string } const nonceSize int = 32 type stashKey struct { additionalData string plaintext interface{} } // Cipher encrypts and decrypts data keys with AES GCM 256 type Cipher struct { // stash is a map that stores IVs for reuse, so that the ciphertext doesn't change when decrypting and reencrypting // the same values. stash map[stashKey][]byte } // NewCipher is the constructor for a new Cipher object func NewCipher() Cipher { return Cipher{ stash: make(map[stashKey][]byte), } } var encre = regexp.MustCompile(`^ENC\[AES256_GCM,data:(.+),iv:(.+),tag:(.+),type:(.+)\]`) func parse(value string) (*encryptedValue, error) { matches := encre.FindStringSubmatch(value) if matches == nil { return nil, fmt.Errorf("Input string %s does not match sops' data format", value) } data, err := base64.StdEncoding.DecodeString(matches[1]) if err != nil { return nil, fmt.Errorf("Error base64-decoding data: %s", err) } iv, err := base64.StdEncoding.DecodeString(matches[2]) if err != nil { return nil, fmt.Errorf("Error base64-decoding iv: %s", err) } tag, err := base64.StdEncoding.DecodeString(matches[3]) if err != nil { return nil, fmt.Errorf("Error base64-decoding tag: %s", err) } datatype := string(matches[4]) return &encryptedValue{data, iv, tag, datatype}, nil } // Decrypt takes a sops-format value string and a key and returns the decrypted value and a stash value func (c Cipher) Decrypt(ciphertext string, key []byte, additionalData string) (plaintext interface{}, err error) { if isEmpty(ciphertext) { return "", nil } encryptedValue, err := parse(ciphertext) if err != nil { return nil, err } aescipher, err := cryptoaes.NewCipher(key) if err != nil { return nil, err } gcm, err := cipher.NewGCMWithNonceSize(aescipher, len(encryptedValue.iv)) if err != nil { return nil, err } data := append(encryptedValue.data, encryptedValue.tag...) decryptedBytes, err := gcm.Open(nil, encryptedValue.iv, data, []byte(additionalData)) if err != nil { return nil, fmt.Errorf("Could not decrypt with AES_GCM: %s", err) } decryptedValue := string(decryptedBytes) switch encryptedValue.datatype { case "str": plaintext = decryptedValue case "int": plaintext, err = strconv.Atoi(decryptedValue) case "float": plaintext, err = strconv.ParseFloat(decryptedValue, 64) case "bytes": plaintext = decryptedBytes case "bool": plaintext, err = strconv.ParseBool(decryptedValue) case "comment": plaintext = sops.Comment{Value: decryptedValue} default: return nil, fmt.Errorf("Unknown datatype: %s", encryptedValue.datatype) } c.stash[stashKey{plaintext: plaintext, additionalData: additionalData}] = encryptedValue.iv return plaintext, err } func isEmpty(value interface{}) bool { switch value := value.(type) { case string: return value == "" case []byte: return len(value) == 0 case sops.Comment: return isEmpty(value.Value) default: return false } } // Encrypt takes one of (string, int, float, bool) and encrypts it with the provided key and additional auth data, returning a sops-format encrypted string. func (c Cipher) Encrypt(plaintext interface{}, key []byte, additionalData string) (ciphertext string, err error) { if isEmpty(plaintext) { return "", nil } aescipher, err := cryptoaes.NewCipher(key) if err != nil { return "", fmt.Errorf("Could not initialize AES GCM encryption cipher: %s", err) } var iv []byte if stash, ok := c.stash[stashKey{plaintext: plaintext, additionalData: additionalData}]; !ok { iv = make([]byte, nonceSize) _, err = rand.Read(iv) if err != nil { return "", fmt.Errorf("Could not generate random bytes for IV: %s", err) } } else { iv = stash } gcm, err := cipher.NewGCMWithNonceSize(aescipher, nonceSize) if err != nil { return "", fmt.Errorf("Could not create GCM: %s", err) } var plainBytes []byte var encryptedType string switch value := plaintext.(type) { case string: encryptedType = "str" plainBytes = []byte(value) case int: encryptedType = "int" plainBytes = []byte(strconv.Itoa(value)) case float64: encryptedType = "float" // The Python version encodes floats without padding 0s after the decimal point. plainBytes = []byte(strconv.FormatFloat(value, 'f', -1, 64)) case bool: encryptedType = "bool" // The Python version encodes booleans with Titlecase plainBytes = []byte(strings.Title(strconv.FormatBool(value))) case sops.Comment: encryptedType = "comment" plainBytes = []byte(value.Value) default: return "", fmt.Errorf("Value to encrypt has unsupported type %T", value) } out := gcm.Seal(nil, iv, plainBytes, []byte(additionalData)) return fmt.Sprintf("ENC[AES256_GCM,data:%s,iv:%s,tag:%s,type:%s]", base64.StdEncoding.EncodeToString(out[:len(out)-cryptoaes.BlockSize]), base64.StdEncoding.EncodeToString(iv), base64.StdEncoding.EncodeToString(out[len(out)-cryptoaes.BlockSize:]), encryptedType), nil } 07070100000013000081A400000000000000000000000162794F9300000AED000000000000000000000000000000000000001E00000000sops-3.7.3/aes/cipher_test.gopackage aes import ( "crypto/rand" "strings" "testing" "testing/quick" "github.com/stretchr/testify/assert" "go.mozilla.org/sops/v3" ) func TestDecrypt(t *testing.T) { expected := "foo" key := []byte(strings.Repeat("f", 32)) message := `ENC[AES256_GCM,data:oYyi,iv:MyIDYbT718JRr11QtBkcj3Dwm4k1aCGZBVeZf0EyV8o=,tag:t5z2Z023Up0kxwCgw1gNxg==,type:str]` decryption, err := NewCipher().Decrypt(message, key, "bar:") if err != nil { t.Errorf("%s", err) } if decryption != expected { t.Errorf("Decrypt(\"%s\", \"%s\") == \"%s\", expected %s", message, key, decryption, expected) } } func TestDecryptInvalidAad(t *testing.T) { message := `ENC[AES256_GCM,data:oYyi,iv:MyIDYbT718JRr11QtBkcj3Dwm4k1aCGZBVeZf0EyV8o=,tag:t5z2Z023Up0kxwCgw1gNxg==,type:str]` _, err := NewCipher().Decrypt(message, []byte(strings.Repeat("f", 32)), "") if err == nil { t.Errorf("Decrypting with an invalid AAC should fail") } } func TestRoundtripString(t *testing.T) { f := func(x, aad string) bool { key := make([]byte, 32) rand.Read(key) s, err := NewCipher().Encrypt(x, key, aad) if err != nil { log.Println(err) return false } d, err := NewCipher().Decrypt(s, key, aad) if err != nil { return false } return x == d } if err := quick.Check(f, nil); err != nil { t.Error(err) } } func TestRoundtripFloat(t *testing.T) { key := []byte(strings.Repeat("f", 32)) f := func(x float64) bool { s, err := NewCipher().Encrypt(x, key, "") if err != nil { log.Println(err) return false } d, err := NewCipher().Decrypt(s, key, "") if err != nil { return false } return x == d } if err := quick.Check(f, nil); err != nil { t.Error(err) } } func TestRoundtripInt(t *testing.T) { key := []byte(strings.Repeat("f", 32)) f := func(x int) bool { s, err := NewCipher().Encrypt(x, key, "") if err != nil { log.Println(err) return false } d, err := NewCipher().Decrypt(s, key, "") if err != nil { return false } return x == d } if err := quick.Check(f, nil); err != nil { t.Error(err) } } func TestRoundtripBool(t *testing.T) { key := []byte(strings.Repeat("f", 32)) f := func(x bool) bool { s, err := NewCipher().Encrypt(x, key, "") if err != nil { log.Println(err) return false } d, err := NewCipher().Decrypt(s, key, "") if err != nil { return false } return x == d } if err := quick.Check(f, nil); err != nil { t.Error(err) } } func TestEncryptEmptyComment(t *testing.T) { key := []byte(strings.Repeat("f", 32)) s, err := NewCipher().Encrypt(sops.Comment{}, key, "") assert.Nil(t, err) assert.Equal(t, "", s) } func TestDecryptEmptyValue(t *testing.T) { key := []byte(strings.Repeat("f", 32)) s, err := NewCipher().Decrypt("", key, "") assert.Nil(t, err) assert.Equal(t, "", s) } 07070100000014000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/age07070100000015000081A400000000000000000000000162794F9300000179000000000000000000000000000000000000001800000000sops-3.7.3/age/keys.txt# created: 2020-07-18T03:16:47-07:00 # public key: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw AGE-SECRET-KEY-1NJT5YCS2LWU4V4QAJQ6R4JNU7LXPDX602DZ9NUFANVU5GDTGUWCQ5T59M6 # created: 2021-12-12T01:39:30+01:00 # public key: age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep AGE-SECRET-KEY-1T0Z66WSXS6RMNCPSL7P2E8N4Q7SUD8VMG9ND27S08JL7Y2XAU9EQECHDS707070100000016000081A400000000000000000000000162794F93000017E3000000000000000000000000000000000000001C00000000sops-3.7.3/age/keysource.gopackage age import ( "bytes" "fmt" "io" "os" "path/filepath" "strings" "filippo.io/age" "filippo.io/age/armor" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3/logging" ) var log *logrus.Logger func init() { log = logging.NewLogger("AGE") } const SopsAgeKeyEnv = "SOPS_AGE_KEY" const SopsAgeKeyFileEnv = "SOPS_AGE_KEY_FILE" // MasterKey is an age key used to encrypt and decrypt sops' data key. type MasterKey struct { Identity string // a Bech32-encoded private key Recipient string // a Bech32-encoded public key EncryptedKey string // a sops data key encrypted with age parsedRecipient *age.X25519Recipient // a parsed age public key } // Encrypt takes a sops data key, encrypts it with age and stores the result in the EncryptedKey field. func (key *MasterKey) Encrypt(datakey []byte) error { buffer := &bytes.Buffer{} if key.parsedRecipient == nil { parsedRecipient, err := parseRecipient(key.Recipient) if err != nil { log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") return err } key.parsedRecipient = parsedRecipient } aw := armor.NewWriter(buffer) w, err := age.Encrypt(aw, key.parsedRecipient) if err != nil { return fmt.Errorf("failed to open file for encrypting sops data key with age: %w", err) } if _, err := w.Write(datakey); err != nil { log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") return fmt.Errorf("failed to encrypt sops data key with age: %w", err) } if err := w.Close(); err != nil { log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") return fmt.Errorf("failed to close file for encrypting sops data key with age: %w", err) } if err := aw.Close(); err != nil { log.WithField("recipient", key.parsedRecipient).Error("Encryption failed") return fmt.Errorf("failed to close armored writer: %w", err) } key.EncryptedKey = buffer.String() log.WithField("recipient", key.parsedRecipient).Info("Encryption succeeded") return nil } // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet. func (key *MasterKey) EncryptIfNeeded(datakey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(datakey) } return nil } // EncryptedDataKey returns the encrypted data key this master key holds. func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key. func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } // Decrypt decrypts the EncryptedKey field with the age identity and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { var ageKeyReader io.Reader var ageKeyReaderName string if ageKeyReader == nil { ageKey, ok := os.LookupEnv(SopsAgeKeyEnv) if ok { ageKeyReader = strings.NewReader(ageKey) ageKeyReaderName = "environment variable" } } if ageKeyReader == nil { ageKeyFilePath, ok := os.LookupEnv(SopsAgeKeyFileEnv) if ok { ageKeyFile, err := os.Open(ageKeyFilePath) if err != nil { return nil, fmt.Errorf("failed to open file: %w", err) } defer ageKeyFile.Close() ageKeyReader = ageKeyFile ageKeyReaderName = ageKeyFilePath } } if ageKeyReader == nil { userConfigDir, err := os.UserConfigDir() if err != nil { return nil, fmt.Errorf("user config directory could not be determined: %w", err) } ageKeyFilePath := filepath.Join(userConfigDir, "sops", "age", "keys.txt") ageKeyFile, err := os.Open(ageKeyFilePath) if err != nil { return nil, fmt.Errorf("failed to open file: %w", err) } defer ageKeyFile.Close() ageKeyReader = ageKeyFile ageKeyReaderName = ageKeyFilePath } identities, err := age.ParseIdentities(ageKeyReader) if err != nil { return nil, err } src := bytes.NewReader([]byte(key.EncryptedKey)) ar := armor.NewReader(src) r, err := age.Decrypt(ar, identities...) if err != nil { return nil, fmt.Errorf("no age identity found in %q that could decrypt the data", ageKeyReaderName) } var b bytes.Buffer if _, err := io.Copy(&b, r); err != nil { return nil, fmt.Errorf("failed to copy decrypted data into bytes.Buffer: %w", err) } return b.Bytes(), nil } // NeedsRotation returns whether the data key needs to be rotated or not. func (key *MasterKey) NeedsRotation() bool { return false } // ToString converts the key to a string representation. func (key *MasterKey) ToString() string { return key.Recipient } // ToMap converts the MasterKey to a map for serialization purposes. func (key *MasterKey) ToMap() map[string]interface{} { return map[string]interface{}{"recipient": key.Recipient, "enc": key.EncryptedKey} } // MasterKeysFromRecipients takes a comma-separated list of Bech32-encoded public keys and returns a // slice of new MasterKeys. func MasterKeysFromRecipients(commaSeparatedRecipients string) ([]*MasterKey, error) { if commaSeparatedRecipients == "" { // otherwise Split returns [""] and MasterKeyFromRecipient is unhappy return make([]*MasterKey, 0), nil } recipients := strings.Split(commaSeparatedRecipients, ",") var keys []*MasterKey for _, recipient := range recipients { key, err := masterKeyFromRecipient(recipient) if err != nil { return nil, err } keys = append(keys, key) } return keys, nil } // masterKeyFromRecipient takes a Bech32-encoded public key and returns a new MasterKey. func masterKeyFromRecipient(recipient string) (*MasterKey, error) { recipient = strings.TrimSpace(recipient) parsedRecipient, err := parseRecipient(recipient) if err != nil { return nil, err } return &MasterKey{ Recipient: recipient, parsedRecipient: parsedRecipient, }, nil } // parseRecipient attempts to parse a string containing an encoded age public key func parseRecipient(recipient string) (*age.X25519Recipient, error) { parsedRecipient, err := age.ParseX25519Recipient(recipient) if err != nil { return nil, fmt.Errorf("failed to parse input as Bech32-encoded age public key: %w", err) } return parsedRecipient, nil } 07070100000017000081A400000000000000000000000162794F93000014B7000000000000000000000000000000000000002100000000sops-3.7.3/age/keysource_test.gopackage age import ( "io/ioutil" "os" "path" "runtime" "testing" "github.com/stretchr/testify/assert" ) func TestMasterKeysFromRecipientsEmpty(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "" recipients, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(recipients, make([]*MasterKey, 0)) } func TestMasterKeyFromRecipientWithLeadingAndTrailingSpacesSingle(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := " age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw " keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 1) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") } func TestMasterKeyFromRecipientWithLeadingAndTrailingSpacesMultiple(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := " age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw , age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep " keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 2) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") } func TestMasterKeysFromRecipientsWithSingle(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw" keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 1) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") } func TestMasterKeysFromRecipientsWithMultiple(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep" keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 2) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") } func TestAge(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep" keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 2) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") dataKey := []byte("abcdefghijklmnopqrstuvwxyz123456") for _, key := range keys { err = key.Encrypt(dataKey) assert.NoError(err) _, filename, _, _ := runtime.Caller(0) err = os.Setenv("SOPS_AGE_KEY_FILE", path.Join(path.Dir(filename), "keys.txt")) assert.NoError(err) decryptedKey, err := key.Decrypt() assert.NoError(err) assert.Equal(dataKey, decryptedKey) } } func TestAgeDotEnv(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep" keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 2) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") dotenv := `IMAGE_PREFIX=repo/service- APPLICATION_KEY=K6pfAWuUVND9Fz5SC7jmA6pfAWuUVND9Fz5SC7jmA KEY_ID=003683d721f2ae683d721f2a1 DOMAIN=files.127.0.0.1.nip.io` dataKey := []byte(dotenv) err = keys[0].Encrypt(dataKey) assert.NoError(err) _, filename, _, _ := runtime.Caller(0) err = os.Setenv(SopsAgeKeyFileEnv, path.Join(path.Dir(filename), "keys.txt")) defer os.Unsetenv(SopsAgeKeyFileEnv) assert.NoError(err) decryptedKey, err := keys[0].Decrypt() assert.NoError(err) assert.Equal(dataKey, decryptedKey) } func TestAgeEnv(t *testing.T) { assert := assert.New(t) commaSeparatedRecipients := "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw,age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep" keys, err := MasterKeysFromRecipients(commaSeparatedRecipients) assert.NoError(err) assert.Equal(len(keys), 2) assert.Equal(keys[0].Recipient, "age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw") assert.Equal(keys[1].Recipient, "age1tmaae3ld5vpevmsh5yacsauzx8jetg300mpvc4ugp5zr5l6ssq9sla97ep") dataKey := []byte("abcdefghijklmnopqrstuvwxyz123456") err = keys[0].Encrypt(dataKey) assert.NoError(err) _, filename, _, _ := runtime.Caller(0) keysBytes, err := ioutil.ReadFile(path.Join(path.Dir(filename), "keys.txt")) assert.NoError(err) err = os.Setenv(SopsAgeKeyEnv, string(keysBytes)) defer os.Unsetenv(SopsAgeKeyEnv) assert.NoError(err) decryptedKey, err := keys[0].Decrypt() assert.NoError(err) assert.Equal(dataKey, decryptedKey) } 07070100000018000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001100000000sops-3.7.3/audit07070100000019000081A400000000000000000000000162794F9300001352000000000000000000000000000000000000001A00000000sops-3.7.3/audit/audit.gopackage audit import ( "database/sql" "flag" "fmt" "io/ioutil" "os/user" "github.com/pkg/errors" // empty import as per https://godoc.org/github.com/lib/pq _ "github.com/lib/pq" "gopkg.in/yaml.v3" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3/logging" ) var log *logrus.Logger func init() { log = logging.NewLogger("AUDIT") confBytes, err := ioutil.ReadFile(configFile) if err != nil { log.WithField("error", err).Debugf("Error reading config") return } var conf config err = yaml.Unmarshal(confBytes, &conf) if err != nil { log.WithField("error", err).Panicf("Error unmarshalling config") } // If we are running test, then don't create auditors. // This is pretty hacky, but doing it The Right Way would require // restructuring SOPS to use dependency injection instead of just using // globals everywhere. if flag.Lookup("test.v") != nil { return } var auditErrors []error for _, pgConf := range conf.Backends.Postgres { auditDb, err := NewPostgresAuditor(pgConf.ConnStr) if err != nil { auditErrors = append(auditErrors, errors.Wrap(err, fmt.Sprintf("connectStr: %s, err", pgConf.ConnStr))) } auditors = append(auditors, auditDb) } if len(auditErrors) > 0 { log.Errorf("connecting to audit database, defined in %s", configFile) for _, err := range auditErrors { log.Error(err) } log.Fatal("one or more audit backends reported errors, exiting") } } // TODO: Make platform agnostic const configFile = "/etc/sops/audit.yaml" type config struct { Backends struct { Postgres []struct { ConnStr string `yaml:"connection_string"` } `yaml:"postgres"` } `yaml:"backends"` } var auditors []Auditor // SubmitEvent handles an event for all auditors func SubmitEvent(event interface{}) { for _, auditor := range auditors { auditor.Handle(event) } } // Register registers a new Auditor in the global auditor list func Register(auditor Auditor) { auditors = append(auditors, auditor) } // Auditor is notified when noteworthy events happen, // for example when a file is encrypted or decrypted. type Auditor interface { // Handle() takes an audit event and attempts to persists it; // how it is persisted and how errors are handled is up to the // implementation of this interface. Handle(event interface{}) } // DecryptEvent contains fields relevant to a decryption event type DecryptEvent struct { File string } // EncryptEvent contains fields relevant to an encryption event type EncryptEvent struct { File string } // RotateEvent contains fields relevant to a key rotation event type RotateEvent struct { File string } // PostgresAuditor is a Postgres SQL DB implementation of the Auditor interface. // It persists the audit event by writing a row to the 'audit_event' table. // Errors with writing to the database will output a log message and the // process will exit with status set to 1 type PostgresAuditor struct { DB *sql.DB } // NewPostgresAuditor is the constructor for a new PostgresAuditor struct // initialized with the given db connection string func NewPostgresAuditor(connStr string) (*PostgresAuditor, error) { db, err := sql.Open("postgres", connStr) pg := &PostgresAuditor{DB: db} if err != nil { return pg, err } var result int err = pg.DB.QueryRow("SELECT 1").Scan(&result) if err != nil { return pg, fmt.Errorf("Pinging audit database failed: %s", err) } else if result != 1 { return pg, fmt.Errorf("Database malfunction: SELECT 1 should return 1, but returned %d", result) } return pg, nil } // Handle persists the audit event by writing a row to the // 'audit_event' postgres table func (p *PostgresAuditor) Handle(event interface{}) { u, err := user.Current() if err != nil { log.Fatalf("Error getting current user for auditing: %s", err) } switch event := event.(type) { case DecryptEvent: // Save the event to the database log.WithField("file", event.File). Debug("Saving decrypt event to database") _, err = p.DB.Exec("INSERT INTO audit_event (action, username, file) VALUES ($1, $2, $3)", "decrypt", u.Username, event.File) if err != nil { log.Fatalf("Failed to insert audit record: %s", err) } case EncryptEvent: // Save the event to the database log.WithField("file", event.File). Debug("Saving encrypt event to database") _, err = p.DB.Exec("INSERT INTO audit_event (action, username, file) VALUES ($1, $2, $3)", "encrypt", u.Username, event.File) if err != nil { log.Fatalf("Failed to insert audit record: %s", err) } case RotateEvent: // Save the event to the database log.WithField("file", event.File). Debug("Saving rotate event to database") _, err = p.DB.Exec("INSERT INTO audit_event (action, username, file) VALUES ($1, $2, $3)", "rotate", u.Username, event.File) if err != nil { log.Fatalf("Failed to insert audit record: %s", err) } default: log.WithField("type", fmt.Sprintf("%T", event)). Info("Received unknown event") } } 0707010000001A000081A400000000000000000000000162794F930000013F000000000000000000000000000000000000001C00000000sops-3.7.3/audit/schema.sqlCREATE TABLE audit_event ( id SERIAL PRIMARY KEY, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP, action TEXT, username TEXT, file TEXT ); CREATE ROLE sops WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN PASSWORD 'sops'; GRANT INSERT ON audit_event TO sops; GRANT USAGE ON audit_event_id_seq TO sops; 0707010000001B000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001000000000sops-3.7.3/azkv0707010000001C000081A400000000000000000000000162794F93000022C7000000000000000000000000000000000000001D00000000sops-3.7.3/azkv/keysource.go/* Package azkv contains an implementation of the go.mozilla.org/sops/v3/keys.MasterKey interface that encrypts and decrypts the data key using Azure Key Vault with the Azure Go SDK. */ package azkv //import "go.mozilla.org/sops/v3/azkv" import ( "context" "encoding/base64" "errors" "fmt" "os" "regexp" "strings" "time" "go.mozilla.org/sops/v3/logging" "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault" "github.com/Azure/go-autorest/autorest" "github.com/Azure/go-autorest/autorest/azure" "github.com/Azure/go-autorest/autorest/azure/auth" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("AZKV") } // MasterKey is a Azure Key Vault key used to encrypt and decrypt sops' data key. type MasterKey struct { VaultURL string Name string Version string EncryptedKey string CreationDate time.Time } func newKeyVaultClient() (keyvault.BaseClient, error) { var err error c := keyvault.New() c.Authorizer, err = newAuthorizer() if err != nil { log.WithError(err).Error("Failed to create Azure authorizer") return c, err } return c, nil } // newAuthorizer returns the correct authorizer for the given settings and/or based on the value // of the AZURE_AUTH_METHOD environment variable, which may be one of: // clientcredentials, clientcertificate, usernamepassword, msi, or cli (default). func newAuthorizer() (autorest.Authorizer, error) { settings := struct { authMethod string tenantID string clientID string clientSecret string certificatePath string certificatePassword string username string password string envName string resource string environment azure.Environment }{ authMethod: os.Getenv("AZURE_AUTH_METHOD"), tenantID: os.Getenv("AZURE_TENANT_ID"), clientID: os.Getenv("AZURE_CLIENT_ID"), clientSecret: os.Getenv("AZURE_CLIENT_SECRET"), certificatePath: os.Getenv("AZURE_CERTIFICATE_PATH"), certificatePassword: os.Getenv("AZURE_CERTIFICATE_PASSWORD"), username: os.Getenv("AZURE_USERNAME"), password: os.Getenv("AZURE_PASSWORD"), envName: os.Getenv("AZURE_ENVIRONMENT"), resource: os.Getenv("AZURE_AD_RESOURCE"), } settings.environment = azure.PublicCloud if settings.envName != "" { val, err := azure.EnvironmentFromName(settings.envName) if err != nil { return nil, err } settings.environment = val } if settings.resource == "" { settings.resource = strings.TrimSuffix(settings.environment.KeyVaultEndpoint, "/") } if os.Getenv("MSI_ENDPOINT") != "" { settings.authMethod = "msi" } // 1. Client credentials if (settings.clientSecret != "") || settings.authMethod == "clientcredentials" { config := auth.NewClientCredentialsConfig(settings.clientID, settings.clientSecret, settings.tenantID) config.AADEndpoint = settings.environment.ActiveDirectoryEndpoint config.Resource = settings.resource return config.Authorizer() } // 2. Client Certificate if (settings.certificatePath != "") || settings.authMethod == "clientcertificate" { config := auth.NewClientCertificateConfig(settings.certificatePath, settings.certificatePassword, settings.clientID, settings.tenantID) config.AADEndpoint = settings.environment.ActiveDirectoryEndpoint config.Resource = settings.resource return config.Authorizer() } // 3. Username Password if (settings.username != "" && settings.password != "") || settings.authMethod == "usernamepassword" { config := auth.NewUsernamePasswordConfig(settings.username, settings.password, settings.clientID, settings.tenantID) config.AADEndpoint = settings.environment.ActiveDirectoryEndpoint config.Resource = settings.resource return config.Authorizer() } // 4. MSI if settings.authMethod == "msi" { config := auth.NewMSIConfig() config.Resource = settings.resource config.ClientID = settings.clientID return config.Authorizer() } // 5. Device Code if settings.authMethod == "devicecode" { // TODO: Removed until we decide how to handle prompt on stdout, etc. //// TODO: This will be required on every execution. Consider caching. //config := auth.NewDeviceFlowConfig(settings.clientID, settings.tenantID) //return config.Authorizer() return nil, errors.New("device code flow not implemented") } // 6. CLI return auth.NewAuthorizerFromCLIWithResource(settings.resource) } // NewMasterKey creates a new MasterKey from an URL, key name and version, setting the creation date to the current date func NewMasterKey(vaultURL string, keyName string, keyVersion string) *MasterKey { return &MasterKey{ VaultURL: vaultURL, Name: keyName, Version: keyVersion, CreationDate: time.Now().UTC(), } } // MasterKeysFromURLs takes a comma separated list of Azure Key Vault URLs and returns a slice of new MasterKeys for them func MasterKeysFromURLs(urls string) ([]*MasterKey, error) { var keys []*MasterKey if urls == "" { return keys, nil } for _, s := range strings.Split(urls, ",") { k, err := NewMasterKeyFromURL(s) if err != nil { return nil, err } keys = append(keys, k) } return keys, nil } // NewMasterKeyFromURL takes an Azure Key Vault key URL and returns a new MasterKey // URL format is {vaultUrl}/keys/{key-name}/{key-version} func NewMasterKeyFromURL(url string) (*MasterKey, error) { k := &MasterKey{} re := regexp.MustCompile("^(https://[^/]+)/keys/([^/]+)/([^/]+)$") parts := re.FindStringSubmatch(url) if parts == nil || len(parts) < 2 { return nil, fmt.Errorf("Could not parse valid key from %q", url) } k.VaultURL = parts[1] k.Name = parts[2] k.Version = parts[3] k.CreationDate = time.Now().UTC() return k, nil } // EncryptedDataKey returns the encrypted data key this master key holds func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } // Encrypt takes a sops data key, encrypts it with Key Vault and stores the result in the EncryptedKey field func (key *MasterKey) Encrypt(dataKey []byte) error { c, err := newKeyVaultClient() if err != nil { return err } data := base64.RawURLEncoding.EncodeToString(dataKey) p := keyvault.KeyOperationsParameters{Value: &data, Algorithm: keyvault.RSAOAEP256} res, err := c.Encrypt(context.Background(), key.VaultURL, key.Name, key.Version, p) if err != nil { log.WithError(err).WithFields(logrus.Fields{ "key": key.Name, "version": key.Version, }).Error("Encryption failed") return fmt.Errorf("Failed to encrypt data: %w", err) } key.EncryptedKey = *res.Result log.WithFields(logrus.Fields{ "key": key.Name, "version": key.Version, }).Info("Encryption succeeded") return nil } // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(dataKey) } return nil } // Decrypt decrypts the EncryptedKey field with Azure Key Vault and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { c, err := newKeyVaultClient() if err != nil { return nil, err } p := keyvault.KeyOperationsParameters{Value: &key.EncryptedKey, Algorithm: keyvault.RSAOAEP256} res, err := c.Decrypt(context.TODO(), key.VaultURL, key.Name, key.Version, p) if err != nil { log.WithError(err).WithFields(logrus.Fields{ "key": key.Name, "version": key.Version, }).Error("Decryption failed") return nil, fmt.Errorf("Error decrypting key: %w", err) } plaintext, err := base64.RawURLEncoding.DecodeString(*res.Result) if err != nil { log.WithError(err).WithFields(logrus.Fields{ "key": key.Name, "version": key.Version, }).Error("Decryption failed") return nil, err } log.WithFields(logrus.Fields{ "key": key.Name, "version": key.Version, }).Info("Decryption succeeded") return plaintext, nil } // NeedsRotation returns whether the data key needs to be rotated or not. func (key *MasterKey) NeedsRotation() bool { return time.Since(key.CreationDate) > (time.Hour * 24 * 30 * 6) } // ToString converts the key to a string representation func (key *MasterKey) ToString() string { return fmt.Sprintf("%s/keys/%s/%s", key.VaultURL, key.Name, key.Version) } // ToMap converts the MasterKey to a map for serialization purposes func (key MasterKey) ToMap() map[string]interface{} { out := make(map[string]interface{}) out["vaultUrl"] = key.VaultURL out["key"] = key.Name out["version"] = key.Version out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) out["enc"] = key.EncryptedKey return out } 0707010000001D000081A400000000000000000000000162794F9300000C7D000000000000000000000000000000000000002200000000sops-3.7.3/azkv/keysource_test.gopackage azkv import ( "flag" "testing" "time" "github.com/stretchr/testify/assert" ) func TestAzureKeySourceFromUrl(t *testing.T) { cases := []struct { name string input string expectSuccess bool expectedFoundKeys int expectedKeys []MasterKey }{ { name: "Single url", input: "https://test.vault.azure.net/keys/test-key/a2a690a4fcc04166b739da342a912c90", expectSuccess: true, expectedFoundKeys: 1, expectedKeys: []MasterKey{ { VaultURL: "https://test.vault.azure.net", Name: "test-key", Version: "a2a690a4fcc04166b739da342a912c90", }, }, }, { name: "Multiple url", input: "https://test.vault.azure.net/keys/test-key/a2a690a4fcc04166b739da342a912c90,https://test2.vault.azure.net/keys/another-test-key/cf0021e8b743453bae758e7fbf71b60e", expectSuccess: true, expectedFoundKeys: 2, expectedKeys: []MasterKey{ { VaultURL: "https://test.vault.azure.net", Name: "test-key", Version: "a2a690a4fcc04166b739da342a912c90", }, { VaultURL: "https://test2.vault.azure.net", Name: "another-test-key", Version: "cf0021e8b743453bae758e7fbf71b60e", }, }, }, { name: "Single malformed url", input: "https://test.vault.azure.net/no-keys-here/test-key/a2a690a4fcc04166b739da342a912c90", expectSuccess: false, }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { keys, err := MasterKeysFromURLs(c.input) if err != nil && c.expectSuccess { t.Fatalf("Unexpected error %v", err) } else if err == nil && !c.expectSuccess { t.Fatal("Expected error, but no error was returned") } if c.expectedFoundKeys != len(keys) { t.Errorf("Unexpected number of keys returned, expected %d, got %d", c.expectedFoundKeys, len(keys)) } for idx := range keys { assert.Equal(t, c.expectedKeys[idx].VaultURL, keys[idx].VaultURL) assert.Equal(t, c.expectedKeys[idx].Name, keys[idx].Name) assert.Equal(t, c.expectedKeys[idx].Version, keys[idx].Version) } }) } } func TestKeyToMap(t *testing.T) { key := MasterKey{ CreationDate: time.Date(2016, time.October, 31, 10, 0, 0, 0, time.UTC), VaultURL: "https://test.vault.azure.net", Name: "test-key", Version: "1", EncryptedKey: "this is encrypted", } assert.Equal(t, map[string]interface{}{ "vaultUrl": key.VaultURL, "key": key.Name, "version": key.Version, "enc": "this is encrypted", "created_at": "2016-10-31T10:00:00Z", }, key.ToMap()) } var azureKeyAcceptanceTestURL = flag.String("azure-key", "", "URL to Azure Key Vault (note that this can incur real costs!)") func TestRoundtrip(t *testing.T) { if *azureKeyAcceptanceTestURL == "" { t.Skip("Azure URL not provided, skipping acceptance test") } input := []byte("test-string") key, err := NewMasterKeyFromURL(*azureKeyAcceptanceTestURL) if err != nil { t.Fatal(err) } err = key.Encrypt(input) if err != nil { t.Fatal(err) } output, err := key.Decrypt() if err != nil { t.Fatal(err) } assert.Equal(t, input, output) } 0707010000001E000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/bin0707010000001F000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001200000000sops-3.7.3/bin/ci07070100000020000081ED00000000000000000000000162794F9300000324000000000000000000000000000000000000002600000000sops-3.7.3/bin/ci/deploy_dockerhub.sh#!/bin/bash # THIS IS MEANT TO BE RUN BY CI set -e set +x # Usage: retry MAX CMD... # Retry CMD up to MAX times. If it fails MAX times, returns failure. # Example: retry 3 docker push "mozilla/sops:$TAG" function retry() { max=$1 shift count=1 until "$@"; do count=$((count + 1)) if [[ $count -gt $max ]]; then return 1 fi echo "$count / $max" done return 0 } if [[ "$DOCKER_DEPLOY" == "true" ]]; then # configure docker creds retry 3 docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD" # docker tag and push git branch to dockerhub if [ -n "$1" ]; then retry 3 docker push "mozilla/sops:$1" || (echo "Couldn't push mozilla/sops:$1" && false) echo "Pushed mozilla/sops:$1" fi fi 07070100000021000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/cmd07070100000022000041ED00000000000000000000000662794F9300000000000000000000000000000000000000000000001400000000sops-3.7.3/cmd/sops07070100000023000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001A00000000sops-3.7.3/cmd/sops/codes07070100000024000081A400000000000000000000000162794F9300000548000000000000000000000000000000000000002300000000sops-3.7.3/cmd/sops/codes/codes.go// Package codes the exit statuses returned by the sops binary package codes // Exit statuses returned by the binary const ( ErrorGeneric int = 1 CouldNotReadInputFile int = 2 CouldNotWriteOutputFile int = 3 ErrorDumpingTree int = 4 ErrorReadingConfig int = 5 ErrorInvalidKMSEncryptionContextFormat int = 6 ErrorInvalidSetFormat int = 7 ErrorConflictingParameters int = 8 ErrorEncryptingMac int = 21 ErrorEncryptingTree int = 23 ErrorDecryptingMac int = 24 ErrorDecryptingTree int = 25 CannotChangeKeysFromNonExistentFile int = 49 MacMismatch int = 51 MacNotFound int = 52 ConfigFileNotFound int = 61 KeyboardInterrupt int = 85 InvalidTreePathFormat int = 91 NoFileSpecified int = 100 CouldNotRetrieveKey int = 128 NoEncryptionKeyFound int = 111 FileHasNotBeenModified int = 200 NoEditorFound int = 201 FailedToCompareVersions int = 202 FileAlreadyEncrypted int = 203 ) 07070100000025000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001B00000000sops-3.7.3/cmd/sops/common07070100000026000081A400000000000000000000000162794F930000345C000000000000000000000000000000000000002500000000sops-3.7.3/cmd/sops/common/common.gopackage common import ( "fmt" "io/ioutil" "os" "path/filepath" "time" "github.com/fatih/color" wordwrap "github.com/mitchellh/go-wordwrap" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" . "go.mozilla.org/sops/v3/cmd/sops/formats" "go.mozilla.org/sops/v3/keys" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/stores/dotenv" "go.mozilla.org/sops/v3/stores/ini" "go.mozilla.org/sops/v3/stores/json" "go.mozilla.org/sops/v3/stores/yaml" "go.mozilla.org/sops/v3/version" "golang.org/x/crypto/ssh/terminal" "gopkg.in/urfave/cli.v1" ) // ExampleFileEmitter emits example files. This is used by the `sops` binary // whenever a new file is created, in order to present the user with a non-empty file type ExampleFileEmitter interface { EmitExample() []byte } // Store handles marshaling and unmarshaling from SOPS files type Store interface { sops.Store ExampleFileEmitter } type storeConstructor = func() Store func newBinaryStore() Store { return &json.BinaryStore{} } func newDotenvStore() Store { return &dotenv.Store{} } func newIniStore() Store { return &ini.Store{} } func newJsonStore() Store { return &json.Store{} } func newYamlStore() Store { return &yaml.Store{} } var storeConstructors = map[Format]storeConstructor{ Binary: newBinaryStore, Dotenv: newDotenvStore, Ini: newIniStore, Json: newJsonStore, Yaml: newYamlStore, } // DecryptTreeOpts are the options needed to decrypt a tree type DecryptTreeOpts struct { // Tree is the tree to be decrypted Tree *sops.Tree // KeyServices are the key services to be used for decryption of the data key KeyServices []keyservice.KeyServiceClient // IgnoreMac is whether or not to ignore the Message Authentication Code included in the SOPS tree IgnoreMac bool // Cipher is the cryptographic cipher to use to decrypt the values inside the tree Cipher sops.Cipher } // DecryptTree decrypts the tree passed in through the DecryptTreeOpts and additionally returns the decrypted data key func DecryptTree(opts DecryptTreeOpts) (dataKey []byte, err error) { dataKey, err = opts.Tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices) if err != nil { return nil, NewExitError(err, codes.CouldNotRetrieveKey) } computedMac, err := opts.Tree.Decrypt(dataKey, opts.Cipher) if err != nil { return nil, NewExitError(fmt.Sprintf("Error decrypting tree: %s", err), codes.ErrorDecryptingTree) } fileMac, err := opts.Cipher.Decrypt(opts.Tree.Metadata.MessageAuthenticationCode, dataKey, opts.Tree.Metadata.LastModified.Format(time.RFC3339)) if !opts.IgnoreMac { if fileMac != computedMac { // If the file has an empty MAC, display "no MAC" instead of not displaying anything if fileMac == "" { fileMac = "no MAC" } return nil, NewExitError(fmt.Sprintf("MAC mismatch. File has %s, computed %s", fileMac, computedMac), codes.MacMismatch) } } return dataKey, nil } // EncryptTreeOpts are the options needed to encrypt a tree type EncryptTreeOpts struct { // Tree is the tree to be encrypted Tree *sops.Tree // Cipher is the cryptographic cipher to use to encrypt the values inside the tree Cipher sops.Cipher // DataKey is the key the cipher should use to encrypt the values inside the tree DataKey []byte } // EncryptTree encrypts the tree passed in through the EncryptTreeOpts func EncryptTree(opts EncryptTreeOpts) error { unencryptedMac, err := opts.Tree.Encrypt(opts.DataKey, opts.Cipher) if err != nil { return NewExitError(fmt.Sprintf("Error encrypting tree: %s", err), codes.ErrorEncryptingTree) } opts.Tree.Metadata.LastModified = time.Now().UTC() opts.Tree.Metadata.MessageAuthenticationCode, err = opts.Cipher.Encrypt(unencryptedMac, opts.DataKey, opts.Tree.Metadata.LastModified.Format(time.RFC3339)) if err != nil { return NewExitError(fmt.Sprintf("Could not encrypt MAC: %s", err), codes.ErrorEncryptingMac) } return nil } // LoadEncryptedFile loads an encrypted SOPS file, returning a SOPS tree func LoadEncryptedFile(loader sops.EncryptedFileLoader, inputPath string) (*sops.Tree, error) { fileBytes, err := ioutil.ReadFile(inputPath) if err != nil { return nil, NewExitError(fmt.Sprintf("Error reading file: %s", err), codes.CouldNotReadInputFile) } path, err := filepath.Abs(inputPath) if err != nil { return nil, err } tree, err := loader.LoadEncryptedFile(fileBytes) tree.FilePath = path return &tree, err } // NewExitError returns a cli.ExitError given an error (wrapped in a generic interface{}) // and an exit code to represent the failure func NewExitError(i interface{}, exitCode int) *cli.ExitError { if userErr, ok := i.(sops.UserError); ok { return NewExitError(userErr.UserError(), exitCode) } return cli.NewExitError(i, exitCode) } // StoreForFormat returns the correct format-specific implementation // of the Store interface given the format. func StoreForFormat(format Format) Store { storeConst, found := storeConstructors[format] if !found { storeConst = storeConstructors[Binary] // default } return storeConst() } // DefaultStoreForPath returns the correct format-specific implementation // of the Store interface given the path to a file func DefaultStoreForPath(path string) Store { format := FormatForPath(path) return StoreForFormat(format) } // DefaultStoreForPathOrFormat returns the correct format-specific implementation // of the Store interface given the formatString if specified, or the path to a file. // This is to support the cli, where both are provided. func DefaultStoreForPathOrFormat(path, format string) Store { formatFmt := FormatForPathOrString(path, format) return StoreForFormat(formatFmt) } // KMS_ENC_CTX_BUG_FIXED_VERSION represents the SOPS version in which the // encryption context bug was fixed const KMS_ENC_CTX_BUG_FIXED_VERSION = "3.3.0" // DetectKMSEncryptionContextBug returns true if the encryption context bug is detected // in a given runtime sops.Tree object func DetectKMSEncryptionContextBug(tree *sops.Tree) (bool, error) { versionCheck, err := version.AIsNewerThanB(KMS_ENC_CTX_BUG_FIXED_VERSION, tree.Metadata.Version) if err != nil { return false, err } if versionCheck { _, _, key := GetKMSKeyWithEncryptionCtx(tree) if key != nil { return true, nil } } return false, nil } // GetKMSKeyWithEncryptionCtx returns the first KMS key affected by the encryption context bug as well as its location in the key groups. func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex int, key *kms.MasterKey) { for i, kg := range tree.Metadata.KeyGroups { for n, k := range kg { kmsKey, ok := k.(*kms.MasterKey) if ok { if kmsKey.EncryptionContext != nil && len(kmsKey.EncryptionContext) >= 2 { duplicateValues := map[string]int{} for _, v := range kmsKey.EncryptionContext { duplicateValues[*v] = duplicateValues[*v] + 1 } if len(duplicateValues) > 1 { return i, n, kmsKey } } } } } return 0, 0, nil } // GenericDecryptOpts represents decryption options and config type GenericDecryptOpts struct { Cipher sops.Cipher InputStore sops.Store InputPath string IgnoreMAC bool KeyServices []keyservice.KeyServiceClient } // LoadEncryptedFileWithBugFixes is a wrapper around LoadEncryptedFile which includes // check for the issue described in https://github.com/mozilla/sops/pull/435 func LoadEncryptedFileWithBugFixes(opts GenericDecryptOpts) (*sops.Tree, error) { tree, err := LoadEncryptedFile(opts.InputStore, opts.InputPath) if err != nil { return nil, err } encCtxBug, err := DetectKMSEncryptionContextBug(tree) if err != nil { return nil, err } if encCtxBug { tree, err = FixAWSKMSEncryptionContextBug(opts, tree) if err != nil { return nil, err } } return tree, nil } // FixAWSKMSEncryptionContextBug is used to fix the issue described in https://github.com/mozilla/sops/pull/435 func FixAWSKMSEncryptionContextBug(opts GenericDecryptOpts, tree *sops.Tree) (*sops.Tree, error) { message := "Up until version 3.3.0 of sops there was a bug surrounding the " + "use of encryption context with AWS KMS." + "\nYou can read the full description of the issue here:" + "\nhttps://github.com/mozilla/sops/pull/435" + "\n\nIf a TTY is detected, sops will ask you if you'd like for this issue to be " + "automatically fixed, which will require re-encrypting the data keys used by " + "each key." + "\n\nIf you are not using a TTY, sops will fix the issue for this run.\n\n" fmt.Println(wordwrap.WrapString(message, 75)) persistFix := false if terminal.IsTerminal(int(os.Stdout.Fd())) { var response string for response != "y" && response != "n" { fmt.Println("Would you like sops to automatically fix this issue? (y/n): ") _, err := fmt.Scanln(&response) if err != nil { return nil, err } } if response == "n" { return nil, fmt.Errorf("Exiting. User responded no") } persistFix = true } // If there is another key, then we should be able to just decrypt // without having to try different variations of the encryption context. dataKey, err := DecryptTree(DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { dataKey = RecoverDataKeyFromBuggyKMS(opts, tree) } if dataKey == nil { return nil, NewExitError(fmt.Sprintf("Failed to decrypt, meaning there is likely another problem from the encryption context bug: %s", err), codes.ErrorDecryptingTree) } errs := tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices) if len(errs) > 0 { err = fmt.Errorf("Could not re-encrypt data key: %s", errs) return nil, err } err = EncryptTree(EncryptTreeOpts{ DataKey: dataKey, Tree: tree, Cipher: opts.Cipher, }) if err != nil { return nil, err } // If we are not going to persist the fix, just return the re-encrypted tree. if !persistFix { return tree, nil } encryptedFile, err := opts.InputStore.EmitEncryptedFile(*tree) if err != nil { return nil, NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } file, err := os.Create(opts.InputPath) defer file.Close() if err != nil { return nil, NewExitError(fmt.Sprintf("Could not open file for writing: %s", err), codes.CouldNotWriteOutputFile) } _, err = file.Write(encryptedFile) if err != nil { return nil, err } newTree, err := LoadEncryptedFile(opts.InputStore, opts.InputPath) if err != nil { return nil, err } return newTree, nil } // RecoverDataKeyFromBuggyKMS loops through variations on Encryption Context to // recover the datakey. This is used to fix the issue described in https://github.com/mozilla/sops/pull/435 func RecoverDataKeyFromBuggyKMS(opts GenericDecryptOpts, tree *sops.Tree) []byte { kgndx, kndx, originalKey := GetKMSKeyWithEncryptionCtx(tree) keyToEdit := *originalKey encCtxVals := map[string]interface{}{} for _, v := range keyToEdit.EncryptionContext { encCtxVals[*v] = "" } encCtxVariations := []map[string]*string{} for ctxVal := range encCtxVals { encCtxVariation := map[string]*string{} for key := range keyToEdit.EncryptionContext { val := ctxVal encCtxVariation[key] = &val } encCtxVariations = append(encCtxVariations, encCtxVariation) } for _, encCtxVar := range encCtxVariations { keyToEdit.EncryptionContext = encCtxVar tree.Metadata.KeyGroups[kgndx][kndx] = &keyToEdit dataKey, err := DecryptTree(DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err == nil { tree.Metadata.KeyGroups[kgndx][kndx] = originalKey tree.Metadata.Version = version.Version return dataKey } } return nil } // Diff represents a key diff type Diff struct { Common []keys.MasterKey Added []keys.MasterKey Removed []keys.MasterKey } func max(a, b int) int { if a > b { return a } return b } // DiffKeyGroups returns the list of diffs found in two sops.keyGroup slices func DiffKeyGroups(ours, theirs []sops.KeyGroup) []Diff { var diffs []Diff for i := 0; i < max(len(ours), len(theirs)); i++ { var diff Diff var ourGroup, theirGroup sops.KeyGroup if len(ours) > i { ourGroup = ours[i] } if len(theirs) > i { theirGroup = theirs[i] } ourKeys := make(map[string]struct{}) theirKeys := make(map[string]struct{}) for _, key := range ourGroup { ourKeys[key.ToString()] = struct{}{} } for _, key := range theirGroup { if _, ok := ourKeys[key.ToString()]; ok { diff.Common = append(diff.Common, key) } else { diff.Added = append(diff.Added, key) } theirKeys[key.ToString()] = struct{}{} } for _, key := range ourGroup { if _, ok := theirKeys[key.ToString()]; !ok { diff.Removed = append(diff.Removed, key) } } diffs = append(diffs, diff) } return diffs } // PrettyPrintDiffs prints a slice of Diff objects to stdout func PrettyPrintDiffs(diffs []Diff) { for i, diff := range diffs { color.New(color.Underline).Printf("Group %d\n", i+1) for _, c := range diff.Common { fmt.Printf(" %s\n", c.ToString()) } for _, c := range diff.Added { color.New(color.FgGreen).Printf("+++ %s\n", c.ToString()) } for _, c := range diff.Removed { color.New(color.FgRed).Printf("--- %s\n", c.ToString()) } } } 07070100000027000081A400000000000000000000000162794F93000007DC000000000000000000000000000000000000001F00000000sops-3.7.3/cmd/sops/decrypt.gopackage main import ( "fmt" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" ) type decryptOpts struct { Cipher sops.Cipher InputStore sops.Store OutputStore sops.Store InputPath string IgnoreMAC bool Extract []interface{} KeyServices []keyservice.KeyServiceClient } func decrypt(opts decryptOpts) (decryptedFile []byte, err error) { tree, err := common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{ Cipher: opts.Cipher, InputStore: opts.InputStore, InputPath: opts.InputPath, IgnoreMAC: opts.IgnoreMAC, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } _, err = common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } if len(opts.Extract) > 0 { return extract(tree, opts.Extract, opts.OutputStore) } decryptedFile, err = opts.OutputStore.EmitPlainFile(tree.Branches) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error dumping file: %s", err), codes.ErrorDumpingTree) } return decryptedFile, err } func extract(tree *sops.Tree, path []interface{}, outputStore sops.Store) (output []byte, err error) { v, err := tree.Branches[0].Truncate(path) if err != nil { return nil, fmt.Errorf("error truncating tree: %s", err) } if newBranch, ok := v.(sops.TreeBranch); ok { tree.Branches[0] = newBranch decrypted, err := outputStore.EmitPlainFile(tree.Branches) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error dumping file: %s", err), codes.ErrorDumpingTree) } return decrypted, err } else if str, ok := v.(string); ok { return []byte(str), nil } bytes, err := outputStore.EmitValue(v) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error dumping tree: %s", err), codes.ErrorDumpingTree) } return bytes, nil } 07070100000028000081A400000000000000000000000162794F9300001FFF000000000000000000000000000000000000001C00000000sops-3.7.3/cmd/sops/edit.gopackage main import ( "fmt" "io/ioutil" "os" "crypto/md5" exec "golang.org/x/sys/execabs" "io" "strings" "bufio" "bytes" "path/filepath" "github.com/google/shlex" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/version" ) type editOpts struct { Cipher sops.Cipher InputStore common.Store OutputStore common.Store InputPath string IgnoreMAC bool KeyServices []keyservice.KeyServiceClient ShowMasterKeys bool } type editExampleOpts struct { editOpts UnencryptedSuffix string EncryptedSuffix string UnencryptedRegex string EncryptedRegex string KeyGroups []sops.KeyGroup GroupThreshold int } type runEditorUntilOkOpts struct { TmpFile *os.File OriginalHash []byte InputStore sops.Store ShowMasterKeys bool Tree *sops.Tree } func editExample(opts editExampleOpts) ([]byte, error) { fileBytes := opts.InputStore.EmitExample() branches, err := opts.InputStore.LoadPlainFile(fileBytes) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile) } path, err := filepath.Abs(opts.InputPath) if err != nil { return nil, err } tree := sops.Tree{ Branches: branches, Metadata: sops.Metadata{ KeyGroups: opts.KeyGroups, UnencryptedSuffix: opts.UnencryptedSuffix, EncryptedSuffix: opts.EncryptedSuffix, UnencryptedRegex: opts.UnencryptedRegex, EncryptedRegex: opts.EncryptedRegex, Version: version.Version, ShamirThreshold: opts.GroupThreshold, }, FilePath: path, } // Generate a data key dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices) if len(errs) > 0 { return nil, common.NewExitError(fmt.Sprintf("Error encrypting the data key with one or more master keys: %s", errs), codes.CouldNotRetrieveKey) } return editTree(opts.editOpts, &tree, dataKey) } func edit(opts editOpts) ([]byte, error) { // Load the file tree, err := common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{ Cipher: opts.Cipher, InputStore: opts.InputStore, InputPath: opts.InputPath, IgnoreMAC: opts.IgnoreMAC, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } // Decrypt the file dataKey, err := common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } return editTree(opts, tree, dataKey) } func editTree(opts editOpts, tree *sops.Tree, dataKey []byte) ([]byte, error) { // Create temporary file for editing tmpdir, err := ioutil.TempDir("", "") if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not create temporary directory: %s", err), codes.CouldNotWriteOutputFile) } defer os.RemoveAll(tmpdir) tmpfile, err := os.Create(filepath.Join(tmpdir, filepath.Base(opts.InputPath))) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not create temporary file: %s", err), codes.CouldNotWriteOutputFile) } // Write to temporary file var out []byte if opts.ShowMasterKeys { out, err = opts.OutputStore.EmitEncryptedFile(*tree) } else { out, err = opts.OutputStore.EmitPlainFile(tree.Branches) } if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } _, err = tmpfile.Write(out) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not write output file: %s", err), codes.CouldNotWriteOutputFile) } // Close temporary file, since Windows won't delete the file unless it's closed beforehand defer tmpfile.Close() // Compute file hash to detect if the file has been edited origHash, err := hashFile(tmpfile.Name()) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile) } // Let the user edit the file err = runEditorUntilOk(runEditorUntilOkOpts{ InputStore: opts.InputStore, OriginalHash: origHash, TmpFile: tmpfile, ShowMasterKeys: opts.ShowMasterKeys, Tree: tree}) if err != nil { return nil, err } // Encrypt the file err = common.EncryptTree(common.EncryptTreeOpts{ DataKey: dataKey, Tree: tree, Cipher: opts.Cipher, }) if err != nil { return nil, err } // Output the file encryptedFile, err := opts.OutputStore.EmitEncryptedFile(*tree) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } return encryptedFile, nil } func runEditorUntilOk(opts runEditorUntilOkOpts) error { for { err := runEditor(opts.TmpFile.Name()) if err != nil { return common.NewExitError(fmt.Sprintf("Could not run editor: %s", err), codes.NoEditorFound) } newHash, err := hashFile(opts.TmpFile.Name()) if err != nil { return common.NewExitError(fmt.Sprintf("Could not hash file: %s", err), codes.CouldNotReadInputFile) } if bytes.Equal(newHash, opts.OriginalHash) { return common.NewExitError("File has not changed, exiting.", codes.FileHasNotBeenModified) } edited, err := ioutil.ReadFile(opts.TmpFile.Name()) if err != nil { return common.NewExitError(fmt.Sprintf("Could not read edited file: %s", err), codes.CouldNotReadInputFile) } newBranches, err := opts.InputStore.LoadPlainFile(edited) if err != nil { log.WithField( "error", err, ).Errorf("Could not load tree, probably due to invalid " + "syntax. Press a key to return to the editor, or Ctrl+C to " + "exit.") bufio.NewReader(os.Stdin).ReadByte() continue } if opts.ShowMasterKeys { // The file is not actually encrypted, but it contains SOPS // metadata t, err := opts.InputStore.LoadEncryptedFile(edited) if err != nil { log.WithField( "error", err, ).Errorf("SOPS metadata is invalid. Press a key to " + "return to the editor, or Ctrl+C to exit.") bufio.NewReader(os.Stdin).ReadByte() continue } // Replace the whole tree, because otherwise newBranches would // contain the SOPS metadata opts.Tree = &t } opts.Tree.Branches = newBranches needVersionUpdated, err := version.AIsNewerThanB(version.Version, opts.Tree.Metadata.Version) if err != nil { return common.NewExitError(fmt.Sprintf("Failed to compare document version %q with program version %q: %v", opts.Tree.Metadata.Version, version.Version, err), codes.FailedToCompareVersions) } if needVersionUpdated { opts.Tree.Metadata.Version = version.Version } if opts.Tree.Metadata.MasterKeyCount() == 0 { log.Error("No master keys were provided, so sops can't " + "encrypt the file. Press a key to return to the editor, or " + "Ctrl+C to exit.") bufio.NewReader(os.Stdin).ReadByte() continue } break } return nil } func hashFile(filePath string) ([]byte, error) { var result []byte file, err := os.Open(filePath) if err != nil { return result, err } defer file.Close() hash := md5.New() if _, err := io.Copy(hash, file); err != nil { return result, err } return hash.Sum(result), nil } func runEditor(path string) error { editor := os.Getenv("EDITOR") var cmd *exec.Cmd if editor == "" { editor, err := lookupAnyEditor("vim", "nano", "vi") if err != nil { return err } cmd = exec.Command(editor, path) } else { parts, err := shlex.Split(editor) if err != nil { return fmt.Errorf("invalid $EDITOR: %s", editor) } parts = append(parts, path) cmd = exec.Command(parts[0], parts[1:]...) } cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr return cmd.Run() } func lookupAnyEditor(editorNames ...string) (editorPath string, err error) { for _, editorName := range editorNames { editorPath, err = exec.LookPath(editorName) if err == nil { return editorPath, nil } } return "", fmt.Errorf("no editor available: sops attempts to use the editor defined in the EDITOR environment variable, and if that's not set defaults to any of %s, but none of them could be found", strings.Join(editorNames, ", ")) } 07070100000029000081A400000000000000000000000162794F9300000C76000000000000000000000000000000000000001F00000000sops-3.7.3/cmd/sops/encrypt.gopackage main import ( "io/ioutil" "path/filepath" "fmt" wordwrap "github.com/mitchellh/go-wordwrap" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/version" ) type encryptOpts struct { Cipher sops.Cipher InputStore sops.Store OutputStore sops.Store InputPath string KeyServices []keyservice.KeyServiceClient UnencryptedSuffix string EncryptedSuffix string UnencryptedRegex string EncryptedRegex string KeyGroups []sops.KeyGroup GroupThreshold int } type fileAlreadyEncryptedError struct{} func (err *fileAlreadyEncryptedError) Error() string { return "File already encrypted" } func (err *fileAlreadyEncryptedError) UserError() string { message := "The file you have provided contains a top-level entry called " + "'sops'. This is generally due to the file already being encrypted. " + "SOPS uses a top-level entry called 'sops' to store the metadata " + "required to decrypt the file. For this reason, SOPS can not " + "encrypt files that already contain such an entry.\n\n" + "If this is an unencrypted file, rename the 'sops' entry.\n\n" + "If this is an encrypted file and you want to edit it, use the " + "editor mode, for example: `sops my_file.yaml`" return wordwrap.WrapString(message, 75) } func ensureNoMetadata(opts encryptOpts, branch sops.TreeBranch) error { for _, b := range branch { if b.Key == "sops" { return &fileAlreadyEncryptedError{} } } return nil } func encrypt(opts encryptOpts) (encryptedFile []byte, err error) { // Load the file fileBytes, err := ioutil.ReadFile(opts.InputPath) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error reading file: %s", err), codes.CouldNotReadInputFile) } branches, err := opts.InputStore.LoadPlainFile(fileBytes) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile) } if err := ensureNoMetadata(opts, branches[0]); err != nil { return nil, common.NewExitError(err, codes.FileAlreadyEncrypted) } path, err := filepath.Abs(opts.InputPath) if err != nil { return nil, err } tree := sops.Tree{ Branches: branches, Metadata: sops.Metadata{ KeyGroups: opts.KeyGroups, UnencryptedSuffix: opts.UnencryptedSuffix, EncryptedSuffix: opts.EncryptedSuffix, UnencryptedRegex: opts.UnencryptedRegex, EncryptedRegex: opts.EncryptedRegex, Version: version.Version, ShamirThreshold: opts.GroupThreshold, }, FilePath: path, } dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices) if len(errs) > 0 { err = fmt.Errorf("Could not generate data key: %s", errs) return nil, err } err = common.EncryptTree(common.EncryptTreeOpts{ DataKey: dataKey, Tree: &tree, Cipher: opts.Cipher, }) if err != nil { return nil, err } encryptedFile, err = opts.OutputStore.EmitEncryptedFile(tree) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } return } 0707010000002A000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001C00000000sops-3.7.3/cmd/sops/formats0707010000002B000081A400000000000000000000000162794F9300000764000000000000000000000000000000000000002700000000sops-3.7.3/cmd/sops/formats/formats.gopackage formats import "strings" // Format is an enum type type Format int const ( Binary Format = iota Dotenv Ini Json Yaml ) var stringToFormat = map[string]Format{ "binary": Binary, "dotenv": Dotenv, "ini": Ini, "json": Json, "yaml": Yaml, } // FormatFromString returns a Format from a string. // This is used for converting string cli options. func FormatFromString(formatString string) Format { format, found := stringToFormat[formatString] if !found { return Binary } return format } // IsYAMLFile returns true if a given file path corresponds to a YAML file func IsYAMLFile(path string) bool { return strings.HasSuffix(path, ".yaml") || strings.HasSuffix(path, ".yml") } // IsJSONFile returns true if a given file path corresponds to a JSON file func IsJSONFile(path string) bool { return strings.HasSuffix(path, ".json") } // IsEnvFile returns true if a given file path corresponds to a .env file func IsEnvFile(path string) bool { return strings.HasSuffix(path, ".env") } // IsIniFile returns true if a given file path corresponds to a INI file func IsIniFile(path string) bool { return strings.HasSuffix(path, ".ini") } // FormatForPath returns the correct format given the path to a file func FormatForPath(path string) Format { format := Binary // default if IsYAMLFile(path) { format = Yaml } else if IsJSONFile(path) { format = Json } else if IsEnvFile(path) { format = Dotenv } else if IsIniFile(path) { format = Ini } return format } // FormatForPathOrString returns the correct format-specific implementation // of the Store interface given the formatString if specified, or the path to a file. // This is to support the cli, where both are provided. func FormatForPathOrString(path, format string) Format { formatFmt, found := stringToFormat[format] if !found { formatFmt = FormatForPath(path) } return formatFmt } 0707010000002C000081A400000000000000000000000162794F9300000671000000000000000000000000000000000000002C00000000sops-3.7.3/cmd/sops/formats/formats_test.gopackage formats import ( "testing" "github.com/stretchr/testify/assert" ) func TestFormatFromString(t *testing.T) { assert.Equal(t, Binary, FormatFromString("foobar")) assert.Equal(t, Dotenv, FormatFromString("dotenv")) assert.Equal(t, Ini, FormatFromString("ini")) assert.Equal(t, Yaml, FormatFromString("yaml")) assert.Equal(t, Json, FormatFromString("json")) } func TestFormatForPath(t *testing.T) { assert.Equal(t, Binary, FormatForPath("/path/to/foobar")) assert.Equal(t, Dotenv, FormatForPath("/path/to/foobar.env")) assert.Equal(t, Ini, FormatForPath("/path/to/foobar.ini")) assert.Equal(t, Json, FormatForPath("/path/to/foobar.json")) assert.Equal(t, Yaml, FormatForPath("/path/to/foobar.yml")) assert.Equal(t, Yaml, FormatForPath("/path/to/foobar.yaml")) } func TestFormatForPathOrString(t *testing.T) { assert.Equal(t, Binary, FormatForPathOrString("/path/to/foobar", "")) assert.Equal(t, Dotenv, FormatForPathOrString("/path/to/foobar", "dotenv")) assert.Equal(t, Dotenv, FormatForPathOrString("/path/to/foobar.env", "")) assert.Equal(t, Ini, FormatForPathOrString("/path/to/foobar", "ini")) assert.Equal(t, Ini, FormatForPathOrString("/path/to/foobar.ini", "")) assert.Equal(t, Json, FormatForPathOrString("/path/to/foobar", "json")) assert.Equal(t, Json, FormatForPathOrString("/path/to/foobar.json", "")) assert.Equal(t, Yaml, FormatForPathOrString("/path/to/foobar", "yaml")) assert.Equal(t, Yaml, FormatForPathOrString("/path/to/foobar.yml", "")) assert.Equal(t, Ini, FormatForPathOrString("/path/to/foobar.yml", "ini")) assert.Equal(t, Binary, FormatForPathOrString("/path/to/foobar.yml", "binary")) } 0707010000002D000081A400000000000000000000000162794F9300009F5A000000000000000000000000000000000000001C00000000sops-3.7.3/cmd/sops/main.gopackage main //import "go.mozilla.org/sops/v3/cmd/sops" import ( encodingjson "encoding/json" "fmt" "net" "net/url" "os" osExec "os/exec" "path/filepath" "reflect" "strconv" "strings" "time" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/aes" "go.mozilla.org/sops/v3/age" _ "go.mozilla.org/sops/v3/audit" "go.mozilla.org/sops/v3/azkv" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/cmd/sops/subcommand/exec" "go.mozilla.org/sops/v3/cmd/sops/subcommand/groups" keyservicecmd "go.mozilla.org/sops/v3/cmd/sops/subcommand/keyservice" publishcmd "go.mozilla.org/sops/v3/cmd/sops/subcommand/publish" "go.mozilla.org/sops/v3/cmd/sops/subcommand/updatekeys" "go.mozilla.org/sops/v3/config" "go.mozilla.org/sops/v3/gcpkms" "go.mozilla.org/sops/v3/hcvault" "go.mozilla.org/sops/v3/keys" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/logging" "go.mozilla.org/sops/v3/pgp" "go.mozilla.org/sops/v3/stores/dotenv" "go.mozilla.org/sops/v3/stores/json" "go.mozilla.org/sops/v3/version" "google.golang.org/grpc" "gopkg.in/urfave/cli.v1" ) var log *logrus.Logger func init() { log = logging.NewLogger("CMD") } func main() { cli.VersionPrinter = version.PrintVersion app := cli.NewApp() keyserviceFlags := []cli.Flag{ cli.BoolTFlag{ Name: "enable-local-keyservice", Usage: "use local key service", }, cli.StringSliceFlag{ Name: "keyservice", Usage: "Specify the key services to use in addition to the local one. Can be specified more than once. Syntax: protocol://address. Example: tcp://myserver.com:5000", }, } app.Name = "sops" app.Usage = "sops - encrypted file editor with AWS KMS, GCP KMS, Azure Key Vault, age, and GPG support" app.ArgsUsage = "sops [options] file" app.Version = version.Version app.Authors = []cli.Author{ {Name: "AJ Bahnken", Email: "ajvb@mozilla.com"}, {Name: "Adrian Utrilla", Email: "adrianutrilla@gmail.com"}, {Name: "Julien Vehent", Email: "jvehent@mozilla.com"}, } app.UsageText = `sops is an editor of encrypted files that supports AWS KMS and PGP To encrypt or decrypt a document with AWS KMS, specify the KMS ARN in the -k flag or in the SOPS_KMS_ARN environment variable. (you need valid credentials in ~/.aws/credentials or in your env) To encrypt or decrypt a document with GCP KMS, specify the GCP KMS resource ID in the --gcp-kms flag or in the SOPS_GCP_KMS_IDS environment variable. (you need to setup google application default credentials. See https://developers.google.com/identity/protocols/application-default-credentials) To encrypt or decrypt a document with HashiCorp Vault's Transit Secret Engine, specify the Vault key URI name in the --hc-vault-transit flag or in the SOPS_VAULT_URIS environment variable (eg. https://vault.example.org:8200/v1/transit/keys/dev where 'https://vault.example.org:8200' is the vault server, 'transit' the enginePath, and 'dev' is the name of the key ) environment variable. (you need to enable the Transit Secrets Engine in Vault. See https://www.vaultproject.io/docs/secrets/transit/index.html) To encrypt or decrypt a document with Azure Key Vault, specify the Azure Key Vault key URL in the --azure-kv flag or in the SOPS_AZURE_KEYVAULT_URL environment variable. (authentication is based on environment variables, see https://docs.microsoft.com/en-us/go/azure/azure-sdk-go-authorization#use-environment-based-authentication. The user/sp needs the key/encrypt and key/decrypt permissions) To encrypt or decrypt using age, specify the recipient in the -a flag, or in the SOPS_AGE_RECIPIENTS environment variable. To encrypt or decrypt using PGP, specify the PGP fingerprint in the -p flag or in the SOPS_PGP_FP environment variable. To use multiple KMS or PGP keys, separate them by commas. For example: $ sops -p "10F2...0A, 85D...B3F21" file.yaml The -p, -k, --gcp-kms, --hc-vault-transit and --azure-kv flags are only used to encrypt new documents. Editing or decrypting existing documents can be done with "sops file" or "sops -d file" respectively. The KMS and PGP keys listed in the encrypted documents are used then. To manage master keys in existing documents, use the "add-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" and "rm-{kms,pgp,gcp-kms,azure-kv,hc-vault-transit}" flags. To use a different GPG binary than the one in your PATH, set SOPS_GPG_EXEC. To select a different editor than the default (vim), set EDITOR. For more information, see the README at github.com/mozilla/sops` app.EnableBashCompletion = true app.Commands = []cli.Command{ { Name: "exec-env", Usage: "execute a command with decrypted values inserted into the environment", ArgsUsage: "[file to decrypt] [command to run]", Flags: append([]cli.Flag{ cli.BoolFlag{ Name: "background", Usage: "background the process and don't wait for it to complete", }, cli.StringFlag{ Name: "user", Usage: "the user to run the command as", }, }, keyserviceFlags...), Action: func(c *cli.Context) error { if len(c.Args()) != 2 { return common.NewExitError(fmt.Errorf("error: missing file to decrypt"), codes.ErrorGeneric) } fileName := c.Args()[0] command := c.Args()[1] inputStore := inputStore(c, fileName) svcs := keyservices(c) opts := decryptOpts{ OutputStore: &dotenv.Store{}, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), } output, err := decrypt(opts) if err != nil { return toExitError(err) } if err := exec.ExecWithEnv(exec.ExecOpts{ Command: command, Plaintext: output, Background: c.Bool("background"), User: c.String("user"), }); err != nil { return toExitError(err) } return nil }, }, { Name: "exec-file", Usage: "execute a command with the decrypted contents as a temporary file", ArgsUsage: "[file to decrypt] [command to run]", Flags: append([]cli.Flag{ cli.BoolFlag{ Name: "background", Usage: "background the process and don't wait for it to complete", }, cli.BoolFlag{ Name: "no-fifo", Usage: "use a regular file instead of a fifo to temporarily hold the decrypted contents", }, cli.StringFlag{ Name: "user", Usage: "the user to run the command as", }, cli.StringFlag{ Name: "input-type", Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type", }, cli.StringFlag{ Name: "output-type", Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format", }, cli.StringFlag{ Name: "filename", Usage: "filename for the temporarily file (default: tmp-file)", }, }, keyserviceFlags...), Action: func(c *cli.Context) error { if len(c.Args()) != 2 { return common.NewExitError(fmt.Errorf("error: missing file to decrypt"), codes.ErrorGeneric) } fileName := c.Args()[0] command := c.Args()[1] inputStore := inputStore(c, fileName) outputStore := outputStore(c, fileName) svcs := keyservices(c) opts := decryptOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), } output, err := decrypt(opts) if err != nil { return toExitError(err) } filename := c.String("filename") if filename == "" { filename = "tmp-file" } if err := exec.ExecWithFile(exec.ExecOpts{ Command: command, Plaintext: output, Background: c.Bool("background"), Fifo: !c.Bool("no-fifo"), User: c.String("user"), Filename: filename, }); err != nil { return toExitError(err) } return nil }, }, { Name: "publish", Usage: "Publish sops file or directory to a configured destination", ArgsUsage: `file`, Flags: append([]cli.Flag{ cli.BoolFlag{ Name: "yes, y", Usage: `pre-approve all changes and run non-interactively`, }, cli.BoolFlag{ Name: "omit-extensions", Usage: "Omit file extensions in destination path when publishing sops file to configured destinations", }, cli.BoolFlag{ Name: "recursive", Usage: "If the source path is a directory, publish all its content recursively", }, cli.BoolFlag{ Name: "verbose", Usage: "Enable verbose logging output", }, }, keyserviceFlags...), Action: func(c *cli.Context) error { if c.Bool("verbose") || c.GlobalBool("verbose") { logging.SetLevel(logrus.DebugLevel) } configPath, err := config.FindConfigFile(".") if err != nil { return common.NewExitError(err, codes.ErrorGeneric) } if c.NArg() < 1 { return common.NewExitError("Error: no file specified", codes.NoFileSpecified) } path := c.Args()[0] info, err := os.Stat(path) if err != nil { return err } if info.IsDir() && !c.Bool("recursive") { return fmt.Errorf("can't operate on a directory without --recursive flag.") } err = filepath.Walk(path, func(subPath string, info os.FileInfo, err error) error { if err != nil { return err } if !info.IsDir() { err = publishcmd.Run(publishcmd.Opts{ ConfigPath: configPath, InputPath: subPath, Cipher: aes.NewCipher(), KeyServices: keyservices(c), InputStore: inputStore(c, subPath), Interactive: !c.Bool("yes"), OmitExtensions: c.Bool("omit-extensions"), Recursive: c.Bool("recursive"), RootPath: path, }) if cliErr, ok := err.(*cli.ExitError); ok && cliErr != nil { return cliErr } else if err != nil { return common.NewExitError(err, codes.ErrorGeneric) } } return nil }) if err != nil { return err } return nil }, }, { Name: "keyservice", Usage: "start a SOPS key service server", Flags: []cli.Flag{ cli.StringFlag{ Name: "network, net", Usage: "network to listen on, e.g. 'tcp' or 'unix'", Value: "tcp", }, cli.StringFlag{ Name: "address, addr", Usage: "address to listen on, e.g. '127.0.0.1:5000' or '/tmp/sops.sock'", Value: "127.0.0.1:5000", }, cli.BoolFlag{ Name: "prompt", Usage: "Prompt user to confirm every incoming request", }, cli.BoolFlag{ Name: "verbose", Usage: "Enable verbose logging output", }, }, Action: func(c *cli.Context) error { if c.Bool("verbose") || c.GlobalBool("verbose") { logging.SetLevel(logrus.DebugLevel) } err := keyservicecmd.Run(keyservicecmd.Opts{ Network: c.String("network"), Address: c.String("address"), Prompt: c.Bool("prompt"), }) if err != nil { log.Errorf("Error running keyservice: %s", err) return err } return nil }, }, { Name: "groups", Usage: "modify the groups on a SOPS file", Subcommands: []cli.Command{ { Name: "add", Usage: "add a new group to a SOPS file", Flags: append([]cli.Flag{ cli.StringFlag{ Name: "file, f", Usage: "the file to add the group to", }, cli.StringSliceFlag{ Name: "pgp", Usage: "the PGP fingerprints the new group should contain. Can be specified more than once", }, cli.StringSliceFlag{ Name: "kms", Usage: "the KMS ARNs the new group should contain. Can be specified more than once", }, cli.StringFlag{ Name: "aws-profile", Usage: "The AWS profile to use for requests to AWS", }, cli.StringSliceFlag{ Name: "gcp-kms", Usage: "the GCP KMS Resource ID the new group should contain. Can be specified more than once", }, cli.StringSliceFlag{ Name: "azure-kv", Usage: "the Azure Key Vault key URL the new group should contain. Can be specified more than once", }, cli.StringSliceFlag{ Name: "hc-vault-transit", Usage: "the full vault path to the key used to encrypt/decrypt. Make you choose and configure a key with encrption/decryption enabled (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev'). Can be specified more than once", }, cli.StringSliceFlag{ Name: "age", Usage: "the age recipient the new group should contain. Can be specified more than once", }, cli.BoolFlag{ Name: "in-place, i", Usage: "write output back to the same file instead of stdout", }, cli.IntFlag{ Name: "shamir-secret-sharing-threshold", Usage: "the number of master keys required to retrieve the data key with shamir", }, cli.StringFlag{ Name: "encryption-context", Usage: "comma separated list of KMS encryption context key:value pairs", }, }, keyserviceFlags...), Action: func(c *cli.Context) error { pgpFps := c.StringSlice("pgp") kmsArns := c.StringSlice("kms") gcpKmses := c.StringSlice("gcp-kms") vaultURIs := c.StringSlice("hc-vault-transit") azkvs := c.StringSlice("azure-kv") ageRecipients := c.StringSlice("age") var group sops.KeyGroup for _, fp := range pgpFps { group = append(group, pgp.NewMasterKeyFromFingerprint(fp)) } for _, arn := range kmsArns { group = append(group, kms.NewMasterKeyFromArn(arn, kms.ParseKMSContext(c.String("encryption-context")), c.String("aws-profile"))) } for _, kms := range gcpKmses { group = append(group, gcpkms.NewMasterKeyFromResourceID(kms)) } for _, uri := range vaultURIs { k, err := hcvault.NewMasterKeyFromURI(uri) if err != nil { log.WithError(err).Error("Failed to add key") continue } group = append(group, k) } for _, url := range azkvs { k, err := azkv.NewMasterKeyFromURL(url) if err != nil { log.WithError(err).Error("Failed to add key") continue } group = append(group, k) } for _, recipient := range ageRecipients { keys, err := age.MasterKeysFromRecipients(recipient) if err != nil { log.WithError(err).Error("Failed to add key") continue } for _, key := range keys { group = append(group, key) } } return groups.Add(groups.AddOpts{ InputPath: c.String("file"), InPlace: c.Bool("in-place"), InputStore: inputStore(c, c.String("file")), OutputStore: outputStore(c, c.String("file")), Group: group, GroupThreshold: c.Int("shamir-secret-sharing-threshold"), KeyServices: keyservices(c), }) }, }, { Name: "delete", Usage: "delete a key group from a SOPS file", Flags: append([]cli.Flag{ cli.StringFlag{ Name: "file, f", Usage: "the file to add the group to", }, cli.BoolFlag{ Name: "in-place, i", Usage: "write output back to the same file instead of stdout", }, cli.IntFlag{ Name: "shamir-secret-sharing-threshold", Usage: "the number of master keys required to retrieve the data key with shamir", }, }, keyserviceFlags...), ArgsUsage: `[index]`, Action: func(c *cli.Context) error { group, err := strconv.ParseUint(c.Args().First(), 10, 32) if err != nil { return fmt.Errorf("failed to parse [index] argument: %s", err) } return groups.Delete(groups.DeleteOpts{ InputPath: c.String("file"), InPlace: c.Bool("in-place"), InputStore: inputStore(c, c.String("file")), OutputStore: outputStore(c, c.String("file")), Group: uint(group), GroupThreshold: c.Int("shamir-secret-sharing-threshold"), KeyServices: keyservices(c), }) }, }, }, }, { Name: "updatekeys", Usage: "update the keys of a SOPS file using the config file", ArgsUsage: `file`, Flags: append([]cli.Flag{ cli.BoolFlag{ Name: "yes, y", Usage: `pre-approve all changes and run non-interactively`, }, }, keyserviceFlags...), Action: func(c *cli.Context) error { var err error var configPath string if c.GlobalString("config") != "" { configPath = c.GlobalString("config") } else { configPath, err = config.FindConfigFile(".") if err != nil { return common.NewExitError(err, codes.ErrorGeneric) } } if c.NArg() < 1 { return common.NewExitError("Error: no file specified", codes.NoFileSpecified) } err = updatekeys.UpdateKeys(updatekeys.Opts{ InputPath: c.Args()[0], GroupQuorum: c.Int("shamir-secret-sharing-quorum"), KeyServices: keyservices(c), Interactive: !c.Bool("yes"), ConfigPath: configPath, }) if cliErr, ok := err.(*cli.ExitError); ok && cliErr != nil { return cliErr } else if err != nil { return common.NewExitError(err, codes.ErrorGeneric) } return nil }, }, } app.Flags = append([]cli.Flag{ cli.BoolFlag{ Name: "decrypt, d", Usage: "decrypt a file and output the result to stdout", }, cli.BoolFlag{ Name: "encrypt, e", Usage: "encrypt a file and output the result to stdout", }, cli.BoolFlag{ Name: "rotate, r", Usage: "generate a new data encryption key and reencrypt all values with the new key", }, cli.StringFlag{ Name: "kms, k", Usage: "comma separated list of KMS ARNs", EnvVar: "SOPS_KMS_ARN", }, cli.StringFlag{ Name: "aws-profile", Usage: "The AWS profile to use for requests to AWS", }, cli.StringFlag{ Name: "gcp-kms", Usage: "comma separated list of GCP KMS resource IDs", EnvVar: "SOPS_GCP_KMS_IDS", }, cli.StringFlag{ Name: "azure-kv", Usage: "comma separated list of Azure Key Vault URLs", EnvVar: "SOPS_AZURE_KEYVAULT_URLS", }, cli.StringFlag{ Name: "hc-vault-transit", Usage: "comma separated list of vault's key URI (e.g. 'https://vault.example.org:8200/v1/transit/keys/dev')", EnvVar: "SOPS_VAULT_URIS", }, cli.StringFlag{ Name: "pgp, p", Usage: "comma separated list of PGP fingerprints", EnvVar: "SOPS_PGP_FP", }, cli.StringFlag{ Name: "age, a", Usage: "comma separated list of age recipients", EnvVar: "SOPS_AGE_RECIPIENTS", }, cli.BoolFlag{ Name: "in-place, i", Usage: "write output back to the same file instead of stdout", }, cli.StringFlag{ Name: "extract", Usage: "extract a specific key or branch from the input document. Decrypt mode only. Example: --extract '[\"somekey\"][0]'", }, cli.StringFlag{ Name: "input-type", Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the file's extension to determine the type", }, cli.StringFlag{ Name: "output-type", Usage: "currently json, yaml, dotenv and binary are supported. If not set, sops will use the input file's extension to determine the output format", }, cli.BoolFlag{ Name: "show-master-keys, s", Usage: "display master encryption keys in the file during editing", }, cli.StringFlag{ Name: "add-gcp-kms", Usage: "add the provided comma-separated list of GCP KMS key resource IDs to the list of master keys on the given file", }, cli.StringFlag{ Name: "rm-gcp-kms", Usage: "remove the provided comma-separated list of GCP KMS key resource IDs from the list of master keys on the given file", }, cli.StringFlag{ Name: "add-azure-kv", Usage: "add the provided comma-separated list of Azure Key Vault key URLs to the list of master keys on the given file", }, cli.StringFlag{ Name: "rm-azure-kv", Usage: "remove the provided comma-separated list of Azure Key Vault key URLs from the list of master keys on the given file", }, cli.StringFlag{ Name: "add-kms", Usage: "add the provided comma-separated list of KMS ARNs to the list of master keys on the given file", }, cli.StringFlag{ Name: "rm-kms", Usage: "remove the provided comma-separated list of KMS ARNs from the list of master keys on the given file", }, cli.StringFlag{ Name: "add-hc-vault-transit", Usage: "add the provided comma-separated list of Vault's URI key to the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)", }, cli.StringFlag{ Name: "rm-hc-vault-transit", Usage: "remove the provided comma-separated list of Vault's URI key from the list of master keys on the given file ( eg. https://vault.example.org:8200/v1/transit/keys/dev)", }, cli.StringFlag{ Name: "add-age", Usage: "add the provided comma-separated list of age recipients fingerprints to the list of master keys on the given file", }, cli.StringFlag{ Name: "rm-age", Usage: "remove the provided comma-separated list of age recipients from the list of master keys on the given file", }, cli.StringFlag{ Name: "add-pgp", Usage: "add the provided comma-separated list of PGP fingerprints to the list of master keys on the given file", }, cli.StringFlag{ Name: "rm-pgp", Usage: "remove the provided comma-separated list of PGP fingerprints from the list of master keys on the given file", }, cli.BoolFlag{ Name: "ignore-mac", Usage: "ignore Message Authentication Code during decryption", }, cli.StringFlag{ Name: "unencrypted-suffix", Usage: "override the unencrypted key suffix.", }, cli.StringFlag{ Name: "encrypted-suffix", Usage: "override the encrypted key suffix. When empty, all keys will be encrypted, unless otherwise marked with unencrypted-suffix.", }, cli.StringFlag{ Name: "unencrypted-regex", Usage: "set the unencrypted key suffix. When specified, only keys matching the regex will be left unencrypted.", }, cli.StringFlag{ Name: "encrypted-regex", Usage: "set the encrypted key suffix. When specified, only keys matching the regex will be encrypted.", }, cli.StringFlag{ Name: "config", Usage: "path to sops' config file. If set, sops will not search for the config file recursively.", }, cli.StringFlag{ Name: "encryption-context", Usage: "comma separated list of KMS encryption context key:value pairs", }, cli.StringFlag{ Name: "set", Usage: `set a specific key or branch in the input document. value must be a json encoded string. (edit mode only). eg. --set '["somekey"][0] {"somevalue":true}'`, }, cli.IntFlag{ Name: "shamir-secret-sharing-threshold", Usage: "the number of master keys required to retrieve the data key with shamir", }, cli.BoolFlag{ Name: "verbose", Usage: "Enable verbose logging output", }, cli.StringFlag{ Name: "output", Usage: "Save the output after encryption or decryption to the file specified", }, }, keyserviceFlags...) app.Action = func(c *cli.Context) error { if c.Bool("verbose") { logging.SetLevel(logrus.DebugLevel) } if c.NArg() < 1 { return common.NewExitError("Error: no file specified", codes.NoFileSpecified) } if c.Bool("in-place") && c.String("output") != "" { return common.NewExitError("Error: cannot operate on both --output and --in-place", codes.ErrorConflictingParameters) } fileName, err := filepath.Abs(c.Args()[0]) if err != nil { return toExitError(err) } if _, err := os.Stat(fileName); os.IsNotExist(err) { if c.String("add-kms") != "" || c.String("add-pgp") != "" || c.String("add-gcp-kms") != "" || c.String("add-hc-vault-transit") != "" || c.String("add-azure-kv") != "" || c.String("add-age") != "" || c.String("rm-kms") != "" || c.String("rm-pgp") != "" || c.String("rm-gcp-kms") != "" || c.String("rm-hc-vault-transit") != "" || c.String("rm-azure-kv") != "" || c.String("rm-age") != "" { return common.NewExitError("Error: cannot add or remove keys on non-existent files, use `--kms` and `--pgp` instead.", codes.CannotChangeKeysFromNonExistentFile) } if c.Bool("encrypt") || c.Bool("decrypt") || c.Bool("rotate") { return common.NewExitError("Error: cannot operate on non-existent file", codes.NoFileSpecified) } } unencryptedSuffix := c.String("unencrypted-suffix") encryptedSuffix := c.String("encrypted-suffix") encryptedRegex := c.String("encrypted-regex") unencryptedRegex := c.String("unencrypted-regex") conf, err := loadConfig(c, fileName, nil) if err != nil { return toExitError(err) } if conf != nil { // command line options have precedence if unencryptedSuffix == "" { unencryptedSuffix = conf.UnencryptedSuffix } if encryptedSuffix == "" { encryptedSuffix = conf.EncryptedSuffix } if encryptedRegex == "" { encryptedRegex = conf.EncryptedRegex } if unencryptedRegex == "" { unencryptedRegex = conf.UnencryptedRegex } } cryptRuleCount := 0 if unencryptedSuffix != "" { cryptRuleCount++ } if encryptedSuffix != "" { cryptRuleCount++ } if encryptedRegex != "" { cryptRuleCount++ } if unencryptedRegex != "" { cryptRuleCount++ } if cryptRuleCount > 1 { return common.NewExitError("Error: cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex or unencrypted_regex in the same file", codes.ErrorConflictingParameters) } // only supply the default UnencryptedSuffix when EncryptedSuffix and EncryptedRegex are not provided if cryptRuleCount == 0 { unencryptedSuffix = sops.DefaultUnencryptedSuffix } inputStore := inputStore(c, fileName) outputStore := outputStore(c, fileName) svcs := keyservices(c) var output []byte if c.Bool("encrypt") { var groups []sops.KeyGroup groups, err = keyGroups(c, fileName) if err != nil { return toExitError(err) } var threshold int threshold, err = shamirThreshold(c, fileName) if err != nil { return toExitError(err) } output, err = encrypt(encryptOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), UnencryptedSuffix: unencryptedSuffix, EncryptedSuffix: encryptedSuffix, UnencryptedRegex: unencryptedRegex, EncryptedRegex: encryptedRegex, KeyServices: svcs, KeyGroups: groups, GroupThreshold: threshold, }) } if c.Bool("decrypt") { var extract []interface{} extract, err = parseTreePath(c.String("extract")) if err != nil { return common.NewExitError(fmt.Errorf("error parsing --extract path: %s", err), codes.InvalidTreePathFormat) } output, err = decrypt(decryptOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), Extract: extract, KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), }) } if c.Bool("rotate") { var addMasterKeys []keys.MasterKey kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context")) for _, k := range kms.MasterKeysFromArnString(c.String("add-kms"), kmsEncryptionContext, c.String("aws-profile")) { addMasterKeys = append(addMasterKeys, k) } for _, k := range pgp.MasterKeysFromFingerprintString(c.String("add-pgp")) { addMasterKeys = append(addMasterKeys, k) } for _, k := range gcpkms.MasterKeysFromResourceIDString(c.String("add-gcp-kms")) { addMasterKeys = append(addMasterKeys, k) } azureKeys, err := azkv.MasterKeysFromURLs(c.String("add-azure-kv")) if err != nil { return err } for _, k := range azureKeys { addMasterKeys = append(addMasterKeys, k) } hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("add-hc-vault-transit")) if err != nil { return err } for _, k := range hcVaultKeys { addMasterKeys = append(addMasterKeys, k) } ageKeys, err := age.MasterKeysFromRecipients(c.String("add-age")) if err != nil { return err } for _, k := range ageKeys { addMasterKeys = append(addMasterKeys, k) } var rmMasterKeys []keys.MasterKey for _, k := range kms.MasterKeysFromArnString(c.String("rm-kms"), kmsEncryptionContext, c.String("aws-profile")) { rmMasterKeys = append(rmMasterKeys, k) } for _, k := range pgp.MasterKeysFromFingerprintString(c.String("rm-pgp")) { rmMasterKeys = append(rmMasterKeys, k) } for _, k := range gcpkms.MasterKeysFromResourceIDString(c.String("rm-gcp-kms")) { rmMasterKeys = append(rmMasterKeys, k) } azureKeys, err = azkv.MasterKeysFromURLs(c.String("rm-azure-kv")) if err != nil { return err } for _, k := range azureKeys { rmMasterKeys = append(rmMasterKeys, k) } hcVaultKeys, err = hcvault.NewMasterKeysFromURIs(c.String("rm-hc-vault-transit")) if err != nil { return err } for _, k := range hcVaultKeys { rmMasterKeys = append(rmMasterKeys, k) } ageKeys, err = age.MasterKeysFromRecipients(c.String("rm-age")) if err != nil { return err } for _, k := range ageKeys { rmMasterKeys = append(rmMasterKeys, k) } output, err = rotate(rotateOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), AddMasterKeys: addMasterKeys, RemoveMasterKeys: rmMasterKeys, }) } if c.String("set") != "" { var path []interface{} var value interface{} path, value, err = extractSetArguments(c.String("set")) if err != nil { return toExitError(err) } output, err = set(setOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), Value: value, TreePath: path, }) } isEditMode := !c.Bool("encrypt") && !c.Bool("decrypt") && !c.Bool("rotate") && c.String("set") == "" if isEditMode { _, statErr := os.Stat(fileName) fileExists := statErr == nil opts := editOpts{ OutputStore: outputStore, InputStore: inputStore, InputPath: fileName, Cipher: aes.NewCipher(), KeyServices: svcs, IgnoreMAC: c.Bool("ignore-mac"), ShowMasterKeys: c.Bool("show-master-keys"), } if fileExists { output, err = edit(opts) } else { // File doesn't exist, edit the example file instead var groups []sops.KeyGroup groups, err = keyGroups(c, fileName) if err != nil { return toExitError(err) } var threshold int threshold, err = shamirThreshold(c, fileName) if err != nil { return toExitError(err) } output, err = editExample(editExampleOpts{ editOpts: opts, UnencryptedSuffix: unencryptedSuffix, EncryptedSuffix: encryptedSuffix, UnencryptedRegex: unencryptedRegex, EncryptedRegex: encryptedRegex, KeyGroups: groups, GroupThreshold: threshold, }) } } if err != nil { return toExitError(err) } // We open the file *after* the operations on the tree have been // executed to avoid truncating it when there's errors if c.Bool("in-place") || isEditMode || c.String("set") != "" { file, err := os.Create(fileName) if err != nil { return common.NewExitError(fmt.Sprintf("Could not open in-place file for writing: %s", err), codes.CouldNotWriteOutputFile) } defer file.Close() _, err = file.Write(output) if err != nil { return toExitError(err) } log.Info("File written successfully") return nil } outputFile := os.Stdout if c.String("output") != "" { file, err := os.Create(c.String("output")) if err != nil { return common.NewExitError(fmt.Sprintf("Could not open output file for writing: %s", err), codes.CouldNotWriteOutputFile) } defer file.Close() outputFile = file } _, err = outputFile.Write(output) return toExitError(err) } err := app.Run(os.Args) if err != nil { log.Fatal(err) } } func toExitError(err error) error { if cliErr, ok := err.(*cli.ExitError); ok && cliErr != nil { return cliErr } else if execErr, ok := err.(*osExec.ExitError); ok && execErr != nil { return cli.NewExitError(err, execErr.ExitCode()) } else if err != nil { return cli.NewExitError(err, codes.ErrorGeneric) } return nil } func keyservices(c *cli.Context) (svcs []keyservice.KeyServiceClient) { if c.Bool("enable-local-keyservice") { svcs = append(svcs, keyservice.NewLocalClient()) } uris := c.StringSlice("keyservice") for _, uri := range uris { url, err := url.Parse(uri) if err != nil { log.WithField("uri", uri). Warnf("Error parsing URI for keyservice, skipping") continue } addr := url.Host if url.Scheme == "unix" { addr = url.Path } opts := []grpc.DialOption{ grpc.WithInsecure(), grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) { return net.DialTimeout(url.Scheme, addr, timeout) }), } log.WithField( "address", fmt.Sprintf("%s://%s", url.Scheme, addr), ).Infof("Connecting to key service") conn, err := grpc.Dial(addr, opts...) if err != nil { log.Fatalf("failed to listen: %v", err) } svcs = append(svcs, keyservice.NewKeyServiceClient(conn)) } return } func inputStore(context *cli.Context, path string) common.Store { return common.DefaultStoreForPathOrFormat(path, context.String("input-type")) } func outputStore(context *cli.Context, path string) common.Store { return common.DefaultStoreForPathOrFormat(path, context.String("output-type")) } func parseTreePath(arg string) ([]interface{}, error) { var path []interface{} components := strings.Split(arg, "[") for _, component := range components { if component == "" { continue } if component[len(component)-1] != ']' { return nil, fmt.Errorf("component %s doesn't end with ]", component) } component = component[:len(component)-1] if component[0] == byte('"') || component[0] == byte('\'') { // The component is a string component = component[1 : len(component)-1] path = append(path, component) } else { // The component must be a number i, err := strconv.Atoi(component) if err != nil { return nil, err } path = append(path, i) } } return path, nil } func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) { var kmsKeys []keys.MasterKey var pgpKeys []keys.MasterKey var cloudKmsKeys []keys.MasterKey var azkvKeys []keys.MasterKey var hcVaultMkKeys []keys.MasterKey var ageMasterKeys []keys.MasterKey kmsEncryptionContext := kms.ParseKMSContext(c.String("encryption-context")) if c.String("encryption-context") != "" && kmsEncryptionContext == nil { return nil, common.NewExitError("Invalid KMS encryption context format", codes.ErrorInvalidKMSEncryptionContextFormat) } if c.String("kms") != "" { for _, k := range kms.MasterKeysFromArnString(c.String("kms"), kmsEncryptionContext, c.String("aws-profile")) { kmsKeys = append(kmsKeys, k) } } if c.String("gcp-kms") != "" { for _, k := range gcpkms.MasterKeysFromResourceIDString(c.String("gcp-kms")) { cloudKmsKeys = append(cloudKmsKeys, k) } } if c.String("azure-kv") != "" { azureKeys, err := azkv.MasterKeysFromURLs(c.String("azure-kv")) if err != nil { return nil, err } for _, k := range azureKeys { azkvKeys = append(azkvKeys, k) } } if c.String("hc-vault-transit") != "" { hcVaultKeys, err := hcvault.NewMasterKeysFromURIs(c.String("hc-vault-transit")) if err != nil { return nil, err } for _, k := range hcVaultKeys { hcVaultMkKeys = append(hcVaultMkKeys, k) } } if c.String("pgp") != "" { for _, k := range pgp.MasterKeysFromFingerprintString(c.String("pgp")) { pgpKeys = append(pgpKeys, k) } } if c.String("age") != "" { ageKeys, err := age.MasterKeysFromRecipients(c.String("age")) if err != nil { return nil, err } for _, k := range ageKeys { ageMasterKeys = append(ageMasterKeys, k) } } if c.String("kms") == "" && c.String("pgp") == "" && c.String("gcp-kms") == "" && c.String("azure-kv") == "" && c.String("hc-vault-transit") == "" && c.String("age") == "" { conf, err := loadConfig(c, file, kmsEncryptionContext) // config file might just not be supplied, without any error if conf == nil { errMsg := "config file not found and no keys provided through command line options" if err != nil { errMsg = fmt.Sprintf("%s: %s", errMsg, err) } return nil, fmt.Errorf(errMsg) } return conf.KeyGroups, err } var group sops.KeyGroup group = append(group, kmsKeys...) group = append(group, cloudKmsKeys...) group = append(group, azkvKeys...) group = append(group, pgpKeys...) group = append(group, hcVaultMkKeys...) group = append(group, ageMasterKeys...) log.Debugf("Master keys available: %+v", group) return []sops.KeyGroup{group}, nil } // loadConfig will look for an existing config file, either provided through the command line, or using config.FindConfigFile. // Since a config file is not required, this function does not error when one is not found, and instead returns a nil config pointer func loadConfig(c *cli.Context, file string, kmsEncryptionContext map[string]*string) (*config.Config, error) { var err error var configPath string if c.String("config") != "" { configPath = c.String("config") } else { // Ignore config not found errors returned from FindConfigFile since the config file is not mandatory configPath, err = config.FindConfigFile(".") if err != nil { // If we can't find a config file, but we were not explicitly requested to, assume it does not exist return nil, nil } } conf, err := config.LoadCreationRuleForFile(configPath, file, kmsEncryptionContext) if err != nil { return nil, err } return conf, nil } func shamirThreshold(c *cli.Context, file string) (int, error) { if c.Int("shamir-secret-sharing-threshold") != 0 { return c.Int("shamir-secret-sharing-threshold"), nil } conf, err := loadConfig(c, file, nil) if conf == nil { // This takes care of the following two case: // 1. No config was provided. Err will be nil and ShamirThreshold will be the default value of 0. // 2. We did find a config file, but failed to load it. In that case the calling function will print the error and exit. return 0, err } return conf.ShamirThreshold, nil } func jsonValueToTreeInsertableValue(jsonValue string) (interface{}, error) { var valueToInsert interface{} err := encodingjson.Unmarshal([]byte(jsonValue), &valueToInsert) if err != nil { return nil, common.NewExitError("Value for --set is not valid JSON", codes.ErrorInvalidSetFormat) } // Check if decoding it as json we find a single value // and not a map or slice, in which case we can't marshal // it to a sops.TreeBranch kind := reflect.ValueOf(valueToInsert).Kind() if kind == reflect.Map || kind == reflect.Slice { var err error valueToInsert, err = (&json.Store{}).LoadPlainFile([]byte(jsonValue)) if err != nil { return nil, common.NewExitError("Invalid --set value format", codes.ErrorInvalidSetFormat) } } // Fix for #461 // Attempt conversion to TreeBranches to handle yaml multidoc. If conversion fails it's // most likely a string value, so just return it as-is. values, ok := valueToInsert.(sops.TreeBranches) if !ok { return valueToInsert, nil } return values[0], nil } func extractSetArguments(set string) (path []interface{}, valueToInsert interface{}, err error) { // Set is a string with the format "python-dict-index json-value" // Since python-dict-index has to end with ], we split at "] " to get the two parts pathValuePair := strings.SplitAfterN(set, "] ", 2) if len(pathValuePair) < 2 { return nil, nil, common.NewExitError("Invalid --set format", codes.ErrorInvalidSetFormat) } fullPath := strings.TrimRight(pathValuePair[0], " ") jsonValue := pathValuePair[1] valueToInsert, err = jsonValueToTreeInsertableValue(jsonValue) path, err = parseTreePath(fullPath) if err != nil { return nil, nil, common.NewExitError("Invalid --set format", codes.ErrorInvalidSetFormat) } return path, valueToInsert, nil } 0707010000002E000081A400000000000000000000000162794F9300000897000000000000000000000000000000000000001E00000000sops-3.7.3/cmd/sops/rotate.gopackage main import ( "fmt" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/audit" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keys" "go.mozilla.org/sops/v3/keyservice" ) type rotateOpts struct { Cipher sops.Cipher InputStore sops.Store OutputStore sops.Store InputPath string IgnoreMAC bool AddMasterKeys []keys.MasterKey RemoveMasterKeys []keys.MasterKey KeyServices []keyservice.KeyServiceClient } func rotate(opts rotateOpts) ([]byte, error) { tree, err := common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{ Cipher: opts.Cipher, InputStore: opts.InputStore, InputPath: opts.InputPath, IgnoreMAC: opts.IgnoreMAC, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } audit.SubmitEvent(audit.RotateEvent{ File: tree.FilePath, }) _, err = common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } // Add new master keys for _, key := range opts.AddMasterKeys { tree.Metadata.KeyGroups[0] = append(tree.Metadata.KeyGroups[0], key) } // Remove master keys for _, rmKey := range opts.RemoveMasterKeys { for i := range tree.Metadata.KeyGroups { for j, groupKey := range tree.Metadata.KeyGroups[i] { if rmKey.ToString() == groupKey.ToString() { tree.Metadata.KeyGroups[i] = append(tree.Metadata.KeyGroups[i][:j], tree.Metadata.KeyGroups[i][j+1:]...) } } } } // Create a new data key dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices) if len(errs) > 0 { err = fmt.Errorf("Could not generate data key: %s", errs) return nil, err } // Reencrypt the file with the new key err = common.EncryptTree(common.EncryptTreeOpts{ DataKey: dataKey, Tree: tree, Cipher: opts.Cipher, }) if err != nil { return nil, err } encryptedFile, err := opts.OutputStore.EmitEncryptedFile(*tree) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } return encryptedFile, nil } 0707010000002F000081A400000000000000000000000162794F9300000602000000000000000000000000000000000000001B00000000sops-3.7.3/cmd/sops/set.gopackage main import ( "fmt" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" ) type setOpts struct { Cipher sops.Cipher InputStore sops.Store OutputStore sops.Store InputPath string IgnoreMAC bool TreePath []interface{} Value interface{} KeyServices []keyservice.KeyServiceClient } func set(opts setOpts) ([]byte, error) { // Load the file // TODO: Issue #173: if the file does not exist, create it with the contents passed in as opts.Value tree, err := common.LoadEncryptedFileWithBugFixes(common.GenericDecryptOpts{ Cipher: opts.Cipher, InputStore: opts.InputStore, InputPath: opts.InputPath, IgnoreMAC: opts.IgnoreMAC, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } // Decrypt the file dataKey, err := common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: opts.IgnoreMAC, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return nil, err } // Set the value tree.Branches[0] = tree.Branches[0].Set(opts.TreePath, opts.Value) err = common.EncryptTree(common.EncryptTreeOpts{ DataKey: dataKey, Tree: tree, Cipher: opts.Cipher, }) if err != nil { return nil, err } encryptedFile, err := opts.OutputStore.EmitEncryptedFile(*tree) if err != nil { return nil, common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } return encryptedFile, err } 07070100000030000041ED00000000000000000000000762794F9300000000000000000000000000000000000000000000001F00000000sops-3.7.3/cmd/sops/subcommand07070100000031000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002400000000sops-3.7.3/cmd/sops/subcommand/exec07070100000032000081A400000000000000000000000162794F9300000795000000000000000000000000000000000000002C00000000sops-3.7.3/cmd/sops/subcommand/exec/exec.gopackage exec import ( "bytes" "io/ioutil" "os" "runtime" "strings" "go.mozilla.org/sops/v3/logging" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("EXEC") } type ExecOpts struct { Command string Plaintext []byte Background bool Fifo bool User string Filename string } func GetFile(dir, filename string) *os.File { handle, err := ioutil.TempFile(dir, filename) if err != nil { log.Fatal(err) } return handle } func ExecWithFile(opts ExecOpts) error { if opts.User != "" { SwitchUser(opts.User) } if runtime.GOOS == "windows" && opts.Fifo { log.Warn("no fifos on windows, use --no-fifo next time") opts.Fifo = false } dir, err := ioutil.TempDir("", ".sops") if err != nil { log.Fatal(err) } defer os.RemoveAll(dir) var filename string if opts.Fifo { // fifo handling needs to be async, even opening to write // will block if there is no reader present filename = GetPipe(dir, opts.Filename) go WritePipe(filename, opts.Plaintext) } else { handle := GetFile(dir, opts.Filename) handle.Write(opts.Plaintext) handle.Close() filename = handle.Name() } placeholdered := strings.Replace(opts.Command, "{}", filename, -1) cmd := BuildCommand(placeholdered) cmd.Env = os.Environ() if opts.Background { return cmd.Start() } cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr return cmd.Run() } func ExecWithEnv(opts ExecOpts) error { if opts.User != "" { SwitchUser(opts.User) } env := os.Environ() lines := bytes.Split(opts.Plaintext, []byte("\n")) for _, line := range lines { if len(line) == 0 { continue } if line[0] == '#' { continue } env = append(env, string(line)) } cmd := BuildCommand(opts.Command) cmd.Env = env if opts.Background { return cmd.Start() } cmd.Stdin = os.Stdin cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr return cmd.Run() } 07070100000033000081A400000000000000000000000162794F93000003EA000000000000000000000000000000000000003100000000sops-3.7.3/cmd/sops/subcommand/exec/exec_unix.go// +build !windows package exec import ( "os" "os/exec" "os/user" "path/filepath" "strconv" "syscall" ) func BuildCommand(command string) *exec.Cmd { return exec.Command("/bin/sh", "-c", command) } func WritePipe(pipe string, contents []byte) { handle, err := os.OpenFile(pipe, os.O_WRONLY, 0600) if err != nil { os.Remove(pipe) log.Fatal(err) } handle.Write(contents) handle.Close() } func GetPipe(dir, filename string) string { tmpfn := filepath.Join(dir, filename) err := syscall.Mkfifo(tmpfn, 0600) if err != nil { log.Fatal(err) } return tmpfn } func SwitchUser(username string) { user, err := user.Lookup(username) if err != nil { log.Fatal(err) } uid, _ := strconv.Atoi(user.Uid) err = syscall.Setgid(uid) if err != nil { log.Fatal(err) } err = syscall.Setuid(uid) if err != nil { log.Fatal(err) } err = syscall.Setreuid(uid, uid) if err != nil { log.Fatal(err) } err = syscall.Setregid(uid, uid) if err != nil { log.Fatal(err) } } 07070100000034000081A400000000000000000000000162794F93000001AE000000000000000000000000000000000000003400000000sops-3.7.3/cmd/sops/subcommand/exec/exec_windows.gopackage exec import ( "os/exec" ) func BuildCommand(command string) *exec.Cmd { return exec.Command("cmd.exe", "/C", command) } func WritePipe(pipe string, contents []byte) { log.Fatal("fifos are not available on windows") } func GetPipe(dir, filename string) string { log.Fatal("fifos are not available on windows") return "" } func SwitchUser(username string) { log.Fatal("user switching not available on windows") } 07070100000035000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002600000000sops-3.7.3/cmd/sops/subcommand/groups07070100000036000081A400000000000000000000000162794F93000004DF000000000000000000000000000000000000002D00000000sops-3.7.3/cmd/sops/subcommand/groups/add.gopackage groups import ( "os" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" ) // AddOpts are the options for adding a key group to a SOPS file type AddOpts struct { InputPath string InputStore sops.Store OutputStore sops.Store Group sops.KeyGroup GroupThreshold int InPlace bool KeyServices []keyservice.KeyServiceClient } // Add adds a key group to a SOPS file func Add(opts AddOpts) error { tree, err := common.LoadEncryptedFile(opts.InputStore, opts.InputPath) if err != nil { return err } dataKey, err := tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices) if err != nil { return err } tree.Metadata.KeyGroups = append(tree.Metadata.KeyGroups, opts.Group) if opts.GroupThreshold != 0 { tree.Metadata.ShamirThreshold = opts.GroupThreshold } tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices) output, err := opts.OutputStore.EmitEncryptedFile(*tree) if err != nil { return err } var outputFile = os.Stdout if opts.InPlace { var err error outputFile, err = os.Create(opts.InputPath) if err != nil { return err } defer outputFile.Close() } outputFile.Write(output) return nil } 07070100000037000081A400000000000000000000000162794F930000064D000000000000000000000000000000000000003000000000sops-3.7.3/cmd/sops/subcommand/groups/delete.gopackage groups import ( "os" "fmt" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/keyservice" ) // DeleteOpts are the options for deleting a key group from a SOPS file type DeleteOpts struct { InputPath string InputStore sops.Store OutputStore sops.Store Group uint GroupThreshold int InPlace bool KeyServices []keyservice.KeyServiceClient } // Delete deletes a key group from a SOPS file func Delete(opts DeleteOpts) error { tree, err := common.LoadEncryptedFile(opts.InputStore, opts.InputPath) if err != nil { return err } dataKey, err := tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices) if err != nil { return err } tree.Metadata.KeyGroups = append(tree.Metadata.KeyGroups[:opts.Group], tree.Metadata.KeyGroups[opts.Group+1:]...) if opts.GroupThreshold != 0 { tree.Metadata.ShamirThreshold = opts.GroupThreshold } if len(tree.Metadata.KeyGroups) < tree.Metadata.ShamirThreshold { return fmt.Errorf("removing this key group will make the Shamir threshold impossible to satisfy: "+ "Shamir threshold is %d, but we only have %d key groups", tree.Metadata.ShamirThreshold, len(tree.Metadata.KeyGroups)) } tree.Metadata.UpdateMasterKeysWithKeyServices(dataKey, opts.KeyServices) output, err := opts.OutputStore.EmitEncryptedFile(*tree) if err != nil { return err } var outputFile = os.Stdout if opts.InPlace { var err error outputFile, err = os.Create(opts.InputPath) if err != nil { return err } defer outputFile.Close() } outputFile.Write(output) return nil } 07070100000038000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002A00000000sops-3.7.3/cmd/sops/subcommand/keyservice07070100000039000081A400000000000000000000000162794F930000041E000000000000000000000000000000000000003800000000sops-3.7.3/cmd/sops/subcommand/keyservice/keyservice.gopackage keyservice import ( "net" "os" "os/signal" "syscall" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/logging" "github.com/sirupsen/logrus" "google.golang.org/grpc" ) var log *logrus.Logger func init() { log = logging.NewLogger("KEYSERVICE") } // Opts are the options the key service server can take type Opts struct { Network string Address string Prompt bool } // Run runs a SOPS key service server func Run(opts Opts) error { lis, err := net.Listen(opts.Network, opts.Address) if err != nil { return err } defer lis.Close() grpcServer := grpc.NewServer() keyservice.RegisterKeyServiceServer(grpcServer, keyservice.Server{ Prompt: opts.Prompt, }) log.Infof("Listening on %s://%s", opts.Network, opts.Address) // Close socket if we get killed sigc := make(chan os.Signal, 1) signal.Notify(sigc, os.Interrupt, os.Kill, syscall.SIGTERM) go func(c chan os.Signal) { sig := <-c log.Infof("Caught signal %s: shutting down.", sig) lis.Close() os.Exit(0) }(sigc) return grpcServer.Serve(lis) } 0707010000003A000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002700000000sops-3.7.3/cmd/sops/subcommand/publish0707010000003B000081A400000000000000000000000162794F93000011C5000000000000000000000000000000000000003200000000sops-3.7.3/cmd/sops/subcommand/publish/publish.gopackage publish import ( "errors" "fmt" "io/ioutil" "path/filepath" "strings" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/config" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/logging" "go.mozilla.org/sops/v3/publish" "go.mozilla.org/sops/v3/version" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("PUBLISH") } // Opts represents publish options and config type Opts struct { Interactive bool Cipher sops.Cipher ConfigPath string InputPath string KeyServices []keyservice.KeyServiceClient InputStore sops.Store OmitExtensions bool Recursive bool RootPath string } // Run publish operation func Run(opts Opts) error { var fileContents []byte path, err := filepath.Abs(opts.InputPath) if err != nil { return err } conf, err := config.LoadDestinationRuleForFile(opts.ConfigPath, opts.InputPath, make(map[string]*string)) if err != nil { return err } if conf.Destination == nil { return errors.New("no destination configured for this file") } var destinationPath string if opts.Recursive { destinationPath, err = filepath.Rel(opts.RootPath, opts.InputPath) if err != nil { return err } } else { _, destinationPath = filepath.Split(path) } if opts.OmitExtensions || conf.OmitExtensions { destinationPath = strings.TrimSuffix(destinationPath, filepath.Ext(path)) } // Check that this is a sops-encrypted file tree, err := common.LoadEncryptedFile(opts.InputStore, opts.InputPath) if err != nil { return err } data := map[string]interface{}{} switch conf.Destination.(type) { case *publish.S3Destination, *publish.GCSDestination: // Re-encrypt if settings exist to do so if len(conf.KeyGroups[0]) != 0 { log.Debug("Re-encrypting tree before publishing") _, err = common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: false, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return err } diffs := common.DiffKeyGroups(tree.Metadata.KeyGroups, conf.KeyGroups) keysWillChange := false for _, diff := range diffs { if len(diff.Added) > 0 || len(diff.Removed) > 0 { keysWillChange = true } } if keysWillChange { fmt.Printf("The following changes will be made to the file's key groups:\n") common.PrettyPrintDiffs(diffs) } tree.Metadata = sops.Metadata{ KeyGroups: conf.KeyGroups, UnencryptedSuffix: conf.UnencryptedSuffix, EncryptedSuffix: conf.EncryptedSuffix, Version: version.Version, ShamirThreshold: conf.ShamirThreshold, } dataKey, errs := tree.GenerateDataKeyWithKeyServices(opts.KeyServices) if len(errs) > 0 { err = fmt.Errorf("Could not generate data key: %s", errs) return err } err = common.EncryptTree(common.EncryptTreeOpts{ DataKey: dataKey, Tree: tree, Cipher: opts.Cipher, }) if err != nil { return err } fileContents, err = opts.InputStore.EmitEncryptedFile(*tree) if err != nil { return common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } } else { fileContents, err = ioutil.ReadFile(path) if err != nil { return fmt.Errorf("could not read file: %s", err) } } case *publish.VaultDestination: _, err = common.DecryptTree(common.DecryptTreeOpts{ Cipher: opts.Cipher, IgnoreMac: false, Tree: tree, KeyServices: opts.KeyServices, }) if err != nil { return err } data, err = sops.EmitAsMap(tree.Branches) if err != nil { return err } } if opts.Interactive { var response string for response != "y" && response != "n" { fmt.Printf("uploading %s to %s ? (y/n): ", path, conf.Destination.Path(destinationPath)) _, err := fmt.Scanln(&response) if err != nil { return err } } if response == "n" { msg := fmt.Sprintf("Publication of %s canceled", path) if opts.Recursive { fmt.Println(msg) return nil } else { return errors.New(msg) } } } switch dest := conf.Destination.(type) { case *publish.S3Destination, *publish.GCSDestination: err = dest.Upload(fileContents, destinationPath) case *publish.VaultDestination: err = dest.UploadUnencrypted(data, destinationPath) } if err != nil { return err } return nil } func min(a, b int) int { if a < b { return a } return b } 0707010000003C000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002A00000000sops-3.7.3/cmd/sops/subcommand/updatekeys0707010000003D000081A400000000000000000000000162794F9300000B9C000000000000000000000000000000000000003800000000sops-3.7.3/cmd/sops/subcommand/updatekeys/updatekeys.gopackage updatekeys import ( "fmt" "log" "os" "path/filepath" "go.mozilla.org/sops/v3/cmd/sops/codes" "go.mozilla.org/sops/v3/cmd/sops/common" "go.mozilla.org/sops/v3/config" "go.mozilla.org/sops/v3/keyservice" ) // Opts represents key operation options and config type Opts struct { InputPath string GroupQuorum int KeyServices []keyservice.KeyServiceClient Interactive bool ConfigPath string } // UpdateKeys update the keys for a given file func UpdateKeys(opts Opts) error { path, err := filepath.Abs(opts.InputPath) if err != nil { return err } info, err := os.Stat(path) if err != nil { return err } if info.IsDir() { return fmt.Errorf("can't operate on a directory") } opts.InputPath = path return updateFile(opts) } func updateFile(opts Opts) error { store := common.DefaultStoreForPath(opts.InputPath) log.Printf("Syncing keys for file %s", opts.InputPath) tree, err := common.LoadEncryptedFile(store, opts.InputPath) if err != nil { return err } conf, err := config.LoadCreationRuleForFile(opts.ConfigPath, opts.InputPath, make(map[string]*string)) if err != nil { return err } diffs := common.DiffKeyGroups(tree.Metadata.KeyGroups, conf.KeyGroups) keysWillChange := false for _, diff := range diffs { if len(diff.Added) > 0 || len(diff.Removed) > 0 { keysWillChange = true } } if !keysWillChange { log.Printf("File %s already up to date", opts.InputPath) return nil } fmt.Printf("The following changes will be made to the file's groups:\n") common.PrettyPrintDiffs(diffs) if opts.Interactive { var response string for response != "y" && response != "n" { fmt.Printf("Is this okay? (y/n):") _, err = fmt.Scanln(&response) if err != nil { return err } } if response == "n" { log.Printf("File %s left unchanged", opts.InputPath) return nil } } key, err := tree.Metadata.GetDataKeyWithKeyServices(opts.KeyServices) if err != nil { return common.NewExitError(err, codes.CouldNotRetrieveKey) } tree.Metadata.KeyGroups = conf.KeyGroups if opts.GroupQuorum != 0 { tree.Metadata.ShamirThreshold = opts.GroupQuorum } tree.Metadata.ShamirThreshold = min(tree.Metadata.ShamirThreshold, len(tree.Metadata.KeyGroups)) errs := tree.Metadata.UpdateMasterKeysWithKeyServices(key, opts.KeyServices) if len(errs) > 0 { return fmt.Errorf("error updating one or more master keys: %s", errs) } output, err := store.EmitEncryptedFile(*tree) if err != nil { return common.NewExitError(fmt.Sprintf("Could not marshal tree: %s", err), codes.ErrorDumpingTree) } outputFile, err := os.Create(opts.InputPath) if err != nil { return fmt.Errorf("could not open file for writing: %s", err) } defer outputFile.Close() _, err = outputFile.Write(output) if err != nil { return fmt.Errorf("error writing to file: %s", err) } log.Printf("File %s synced with new keys", opts.InputPath) return nil } func min(a, b int) int { if a < b { return a } return b } 0707010000003E000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000001200000000sops-3.7.3/config0707010000003F000081A400000000000000000000000162794F9300002B3E000000000000000000000000000000000000001C00000000sops-3.7.3/config/config.go/* Package config provides a way to find and load SOPS configuration files */ package config //import "go.mozilla.org/sops/v3/config" import ( "fmt" "io/ioutil" "os" "path" "path/filepath" "regexp" "strings" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/age" "go.mozilla.org/sops/v3/azkv" "go.mozilla.org/sops/v3/gcpkms" "go.mozilla.org/sops/v3/hcvault" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/logging" "go.mozilla.org/sops/v3/pgp" "go.mozilla.org/sops/v3/publish" "gopkg.in/yaml.v3" ) var log *logrus.Logger func init() { log = logging.NewLogger("CONFIG") } type fileSystem interface { Stat(name string) (os.FileInfo, error) } type osFS struct { stat func(string) (os.FileInfo, error) } func (fs osFS) Stat(name string) (os.FileInfo, error) { return fs.stat(name) } var fs fileSystem = osFS{stat: os.Stat} const ( maxDepth = 100 configFileName = ".sops.yaml" ) // FindConfigFile looks for a sops config file in the current working directory and on parent directories, up to the limit defined by the maxDepth constant. func FindConfigFile(start string) (string, error) { filepath := path.Dir(start) for i := 0; i < maxDepth; i++ { _, err := fs.Stat(path.Join(filepath, configFileName)) if err != nil { filepath = path.Join(filepath, "..") } else { return path.Join(filepath, configFileName), nil } } return "", fmt.Errorf("Config file not found") } type configFile struct { CreationRules []creationRule `yaml:"creation_rules"` DestinationRules []destinationRule `yaml:"destination_rules"` } type keyGroup struct { KMS []kmsKey GCPKMS []gcpKmsKey `yaml:"gcp_kms"` AzureKV []azureKVKey `yaml:"azure_keyvault"` Vault []string `yaml:"hc_vault"` Age []string `yaml:"age"` PGP []string } type gcpKmsKey struct { ResourceID string `yaml:"resource_id"` } type kmsKey struct { Arn string `yaml:"arn"` Role string `yaml:"role,omitempty"` Context map[string]*string `yaml:"context"` AwsProfile string `yaml:"aws_profile"` } type azureKVKey struct { VaultURL string `yaml:"vaultUrl"` Key string `yaml:"key"` Version string `yaml:"version"` } type destinationRule struct { PathRegex string `yaml:"path_regex"` S3Bucket string `yaml:"s3_bucket"` S3Prefix string `yaml:"s3_prefix"` GCSBucket string `yaml:"gcs_bucket"` GCSPrefix string `yaml:"gcs_prefix"` VaultPath string `yaml:"vault_path"` VaultAddress string `yaml:"vault_address"` VaultKVMountName string `yaml:"vault_kv_mount_name"` VaultKVVersion int `yaml:"vault_kv_version"` RecreationRule creationRule `yaml:"recreation_rule,omitempty"` OmitExtensions bool `yaml:"omit_extensions"` } type creationRule struct { PathRegex string `yaml:"path_regex"` KMS string AwsProfile string `yaml:"aws_profile"` Age string `yaml:"age"` PGP string GCPKMS string `yaml:"gcp_kms"` AzureKeyVault string `yaml:"azure_keyvault"` VaultURI string `yaml:"hc_vault_transit_uri"` KeyGroups []keyGroup `yaml:"key_groups"` ShamirThreshold int `yaml:"shamir_threshold"` UnencryptedSuffix string `yaml:"unencrypted_suffix"` EncryptedSuffix string `yaml:"encrypted_suffix"` UnencryptedRegex string `yaml:"unencrypted_regex"` EncryptedRegex string `yaml:"encrypted_regex"` } // Load loads a sops config file into a temporary struct func (f *configFile) load(bytes []byte) error { err := yaml.Unmarshal(bytes, f) if err != nil { return fmt.Errorf("Could not unmarshal config file: %s", err) } return nil } // Config is the configuration for a given SOPS file type Config struct { KeyGroups []sops.KeyGroup ShamirThreshold int UnencryptedSuffix string EncryptedSuffix string UnencryptedRegex string EncryptedRegex string Destination publish.Destination OmitExtensions bool } func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[string]*string) ([]sops.KeyGroup, error) { var groups []sops.KeyGroup if len(cRule.KeyGroups) > 0 { for _, group := range cRule.KeyGroups { var keyGroup sops.KeyGroup for _, k := range group.Age { keys, err := age.MasterKeysFromRecipients(k) if err != nil { return nil, err } for _, key := range keys { keyGroup = append(keyGroup, key) } } for _, k := range group.PGP { keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k)) } for _, k := range group.KMS { keyGroup = append(keyGroup, kms.NewMasterKey(k.Arn, k.Role, k.Context)) } for _, k := range group.GCPKMS { keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID)) } for _, k := range group.AzureKV { keyGroup = append(keyGroup, azkv.NewMasterKey(k.VaultURL, k.Key, k.Version)) } for _, k := range group.Vault { if masterKey, err := hcvault.NewMasterKeyFromURI(k); err == nil { keyGroup = append(keyGroup, masterKey) } else { return nil, err } } groups = append(groups, keyGroup) } } else { var keyGroup sops.KeyGroup if cRule.Age != "" { ageKeys, err := age.MasterKeysFromRecipients(cRule.Age) if err != nil { return nil, err } else { for _, ak := range ageKeys { keyGroup = append(keyGroup, ak) } } } for _, k := range pgp.MasterKeysFromFingerprintString(cRule.PGP) { keyGroup = append(keyGroup, k) } for _, k := range kms.MasterKeysFromArnString(cRule.KMS, kmsEncryptionContext, cRule.AwsProfile) { keyGroup = append(keyGroup, k) } for _, k := range gcpkms.MasterKeysFromResourceIDString(cRule.GCPKMS) { keyGroup = append(keyGroup, k) } azureKeys, err := azkv.MasterKeysFromURLs(cRule.AzureKeyVault) if err != nil { return nil, err } for _, k := range azureKeys { keyGroup = append(keyGroup, k) } vaultKeys, err := hcvault.NewMasterKeysFromURIs(cRule.VaultURI) if err != nil { return nil, err } for _, k := range vaultKeys { keyGroup = append(keyGroup, k) } groups = append(groups, keyGroup) } return groups, nil } func loadConfigFile(confPath string) (*configFile, error) { confBytes, err := ioutil.ReadFile(confPath) if err != nil { return nil, fmt.Errorf("could not read config file: %s", err) } conf := &configFile{} err = conf.load(confBytes) if err != nil { return nil, fmt.Errorf("error loading config: %s", err) } return conf, nil } func configFromRule(rule *creationRule, kmsEncryptionContext map[string]*string) (*Config, error) { cryptRuleCount := 0 if rule.UnencryptedSuffix != "" { cryptRuleCount++ } if rule.EncryptedSuffix != "" { cryptRuleCount++ } if rule.EncryptedRegex != "" { cryptRuleCount++ } if cryptRuleCount > 1 { return nil, fmt.Errorf("error loading config: cannot use more than one of encrypted_suffix, unencrypted_suffix, or encrypted_regex for the same rule") } groups, err := getKeyGroupsFromCreationRule(rule, kmsEncryptionContext) if err != nil { return nil, err } return &Config{ KeyGroups: groups, ShamirThreshold: rule.ShamirThreshold, UnencryptedSuffix: rule.UnencryptedSuffix, EncryptedSuffix: rule.EncryptedSuffix, UnencryptedRegex: rule.UnencryptedRegex, EncryptedRegex: rule.EncryptedRegex, }, nil } func parseDestinationRuleForFile(conf *configFile, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) { var rule *creationRule var dRule *destinationRule if len(conf.DestinationRules) > 0 { for _, r := range conf.DestinationRules { if r.PathRegex == "" { dRule = &r rule = &dRule.RecreationRule break } if r.PathRegex != "" { if match, _ := regexp.MatchString(r.PathRegex, filePath); match { dRule = &r rule = &dRule.RecreationRule break } } } } if dRule == nil { return nil, fmt.Errorf("error loading config: no matching destination found in config") } var dest publish.Destination if dRule != nil { if dRule.S3Bucket != "" && dRule.GCSBucket != "" && dRule.VaultPath != "" { return nil, fmt.Errorf("error loading config: more than one destinations were found in a single destination rule, you can only use one per rule") } if dRule.S3Bucket != "" { dest = publish.NewS3Destination(dRule.S3Bucket, dRule.S3Prefix) } if dRule.GCSBucket != "" { dest = publish.NewGCSDestination(dRule.GCSBucket, dRule.GCSPrefix) } if dRule.VaultPath != "" { dest = publish.NewVaultDestination(dRule.VaultAddress, dRule.VaultPath, dRule.VaultKVMountName, dRule.VaultKVVersion) } } config, err := configFromRule(rule, kmsEncryptionContext) if err != nil { return nil, err } config.Destination = dest config.OmitExtensions = dRule.OmitExtensions return config, nil } func parseCreationRuleForFile(conf *configFile, confPath, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) { // If config file doesn't contain CreationRules (it's empty or only contains DestionationRules), assume it does not exist if conf.CreationRules == nil { return nil, nil } configDir, err := filepath.Abs(filepath.Dir(confPath)) if err != nil { return nil, err } // compare file path relative to path of config file filePath = strings.TrimPrefix(filePath, configDir + string(filepath.Separator)) var rule *creationRule for _, r := range conf.CreationRules { if r.PathRegex == "" { rule = &r break } reg, err := regexp.Compile(r.PathRegex) if err != nil { return nil, fmt.Errorf("can not compile regexp: %w", err) } if reg.MatchString(filePath) { rule = &r break } } if rule == nil { return nil, fmt.Errorf("error loading config: no matching creation rules found") } config, err := configFromRule(rule, kmsEncryptionContext) if err != nil { return nil, err } return config, nil } // LoadCreationRuleForFile load the configuration for a given SOPS file from the config file at confPath. A kmsEncryptionContext // should be provided for configurations that do not contain key groups, as there's no way to specify context inside // a SOPS config file outside of key groups. func LoadCreationRuleForFile(confPath string, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) { conf, err := loadConfigFile(confPath) if err != nil { return nil, err } return parseCreationRuleForFile(conf, confPath, filePath, kmsEncryptionContext) } // LoadDestinationRuleForFile works the same as LoadCreationRuleForFile, but gets the "creation_rule" from the matching destination_rule's // "recreation_rule". func LoadDestinationRuleForFile(confPath string, filePath string, kmsEncryptionContext map[string]*string) (*Config, error) { conf, err := loadConfigFile(confPath) if err != nil { return nil, err } return parseDestinationRuleForFile(conf, filePath, kmsEncryptionContext) } 07070100000040000081A400000000000000000000000162794F9300003113000000000000000000000000000000000000002100000000sops-3.7.3/config/config_test.gopackage config import ( "os" "path" "testing" "github.com/stretchr/testify/assert" ) type mockFS struct { stat func(string) (os.FileInfo, error) } func (fs mockFS) Stat(name string) (os.FileInfo, error) { return fs.stat(name) } func TestFindConfigFileRecursive(t *testing.T) { expectedPath := path.Clean("./../../.sops.yaml") fs = mockFS{stat: func(name string) (os.FileInfo, error) { if name == expectedPath { return nil, nil } return nil, &os.PathError{} }} filepath, err := FindConfigFile(".") assert.Nil(t, err) assert.Equal(t, expectedPath, filepath) } func TestFindConfigFileCurrentDir(t *testing.T) { expectedPath := path.Clean(".sops.yaml") fs = mockFS{stat: func(name string) (os.FileInfo, error) { if name == expectedPath { return nil, nil } return nil, &os.PathError{} }} filepath, err := FindConfigFile(".") assert.Nil(t, err) assert.Equal(t, expectedPath, filepath) } var sampleConfig = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" gcp_kms: "3" hc_vault_transit_uri: http://4:8200/v1/4/keys/4 - path_regex: "" kms: foo pgp: bar gcp_kms: baz hc_vault_transit_uri: http://127.0.1.1/v1/baz/keys/baz `) var sampleConfigWithPath = []byte(` creation_rules: - path_regex: foo/bar* kms: "1" pgp: "2" gcp_kms: "3" hc_vault_uris: http://4:8200/v1/4/keys/4 - path_regex: somefilename.yml kms: bilbo pgp: baggins gcp_kms: precious hc_vault_uris: https://pluto/v1/pluto/keys/pluto - path_regex: "" kms: foo pgp: bar gcp_kms: baz hc_vault_uris: https://foz:443/v1/foz/keys/foz `) var sampleConfigWithAmbiguousPath = []byte(` creation_rules: - path_regex: foo/* kms: "1" pgp: "2" gcp_kms: "3" hc_vault_uris: http://4:8200/v1/4/keys/4 `) var sampleConfigWithGroups = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" - path_regex: "" key_groups: - kms: - arn: foo pgp: - bar gcp_kms: - resource_id: foo azure_keyvault: - vaultUrl: https://foo.vault.azure.net key: foo-key version: fooversion hc_vault: - 'https://foo.vault:8200/v1/foo/keys/foo-key' - kms: - arn: baz pgp: - qux gcp_kms: - resource_id: bar - resource_id: baz azure_keyvault: - vaultUrl: https://bar.vault.azure.net key: bar-key version: barversion hc_vault: - 'https://baz.vault:8200/v1/baz/keys/baz-key' `) var sampleConfigWithSuffixParameters = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" unencrypted_suffix: _unencrypted - path_regex: bar?foo$ encrypted_suffix: _enc key_groups: - kms: - arn: baz pgp: - qux gcp_kms: - resource_id: bar - resource_id: baz azure_keyvault: - vaultUrl: https://foo.vault.azure.net key: foo-key version: fooversion `) var sampleConfigWithRegexParameters = []byte(` creation_rules: - path_regex: barbar* kms: "1" pgp: "2" encrypted_regex: "^enc:" unencrypted_regex: "^dec:" `) var sampleConfigWithInvalidParameters = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" hc_vault_uris: "https://vault.com/v1/bug/keys/pr" unencrypted_suffix: _unencrypted encrypted_suffix: _enc `) var sampleConfigWithNoMatchingRules = []byte(` creation_rules: - path_regex: notexisting pgp: bar `) var sampleEmptyConfig = []byte(``) var sampleConfigWithEmptyCreationRules = []byte(` creation_rules: `) var sampleConfigWithOnlyDestinationRules = []byte(` destination_rules: - path_regex: "" s3_bucket: "foobar" s3_prefix: "test/" recreation_rule: pgp: newpgp `) var sampleConfigWithDestinationRule = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" gcp_kms: "3" - path_regex: "" kms: foo pgp: bar gcp_kms: baz destination_rules: - path_regex: "" s3_bucket: "foobar" s3_prefix: "test/" recreation_rule: pgp: newpgp `) var sampleConfigWithVaultDestinationRules = []byte(` creation_rules: - path_regex: foobar* kms: "1" pgp: "2" gcp_kms: "3" - path_regex: "" kms: foo pgp: bar gcp_kms: baz destination_rules: - vault_path: "foobar/" path_regex: "vault-v2/*" - vault_path: "barfoo/" vault_kv_mount_name: "kv/" vault_kv_version: 1 path_regex: "vault-v1/*" `) var sampleConfigWithInvalidComplicatedRegexp = []byte(` creation_rules: - path_regex: "[ ]\\K(?<!\\d )(?=" kms: default `) var sampleConfigWithComplicatedRegexp = []byte(` creation_rules: - path_regex: "stage/dev/feature-.*" kms: dev-feature - path_regex: "stage/dev/.*" kms: dev - path_regex: "stage/staging/.*" kms: staging - path_regex: "stage/.*/.*" kms: default `) func parseConfigFile(confBytes []byte, t *testing.T) *configFile { conf := &configFile{} err := conf.load(confBytes) assert.Nil(t, err) return conf } func TestLoadConfigFile(t *testing.T) { expected := configFile{ CreationRules: []creationRule{ { PathRegex: "foobar*", KMS: "1", PGP: "2", GCPKMS: "3", VaultURI: "http://4:8200/v1/4/keys/4", }, { PathRegex: "", KMS: "foo", PGP: "bar", GCPKMS: "baz", VaultURI: "http://127.0.1.1/v1/baz/keys/baz", }, }, } conf := configFile{} err := conf.load(sampleConfig) assert.Nil(t, err) assert.Equal(t, expected, conf) } func TestLoadConfigFileWithGroups(t *testing.T) { expected := configFile{ CreationRules: []creationRule{ { PathRegex: "foobar*", KMS: "1", PGP: "2", }, { PathRegex: "", KeyGroups: []keyGroup{ { KMS: []kmsKey{{Arn: "foo"}}, PGP: []string{"bar"}, GCPKMS: []gcpKmsKey{{ResourceID: "foo"}}, AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}}, Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"}, }, { KMS: []kmsKey{{Arn: "baz"}}, PGP: []string{"qux"}, GCPKMS: []gcpKmsKey{ {ResourceID: "bar"}, {ResourceID: "baz"}, }, AzureKV: []azureKVKey{{VaultURL: "https://bar.vault.azure.net", Key: "bar-key", Version: "barversion"}}, Vault: []string{"https://baz.vault:8200/v1/baz/keys/baz-key"}, }, }, }, }, } conf := configFile{} err := conf.load(sampleConfigWithGroups) assert.Nil(t, err) assert.Equal(t, expected, conf) } func TestLoadConfigFileWithNoMatchingRules(t *testing.T) { _, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithNoMatchingRules, t), "/conf/path", "foobar2000", nil) assert.NotNil(t, err) } func TestLoadConfigFileWithInvalidComplicatedRegexp(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidComplicatedRegexp, t), "/conf/path", "stage/prod/api.yml", nil) assert.Equal(t, "can not compile regexp: error parsing regexp: invalid escape sequence: `\\K`", err.Error()) assert.Nil(t, conf) } func TestLoadConfigFileWithComplicatedRegexp(t *testing.T) { for filePath, k := range map[string]string{ "stage/prod/api.yml": "default", "stage/dev/feature-foo.yml": "dev-feature", "stage/dev/api.yml": "dev", } { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithComplicatedRegexp, t), "/conf/path", filePath, nil) assert.Nil(t, err) assert.Equal(t, k, conf.KeyGroups[0][0].ToString()) } } func TestLoadEmptyConfigFile(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleEmptyConfig, t), "/conf/path", "foobar2000", nil) assert.Nil(t, conf) assert.Nil(t, err) } func TestLoadConfigFileWithEmptyCreationRules(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithEmptyCreationRules, t), "/conf/path", "foobar2000", nil) assert.Nil(t, conf) assert.Nil(t, err) } func TestLoadConfigFileWithOnlyDestinationRules(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithOnlyDestinationRules, t), "/conf/path", "foobar2000", nil) assert.Nil(t, conf) assert.Nil(t, err) } func TestKeyGroupsForFile(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "foobar2000", nil) assert.Nil(t, err) assert.Equal(t, "2", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "1", conf.KeyGroups[0][1].ToString()) conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "whatever", nil) assert.Nil(t, err) assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString()) } func TestKeyGroupsForFileWithPath(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "/conf/path", "foo/bar2000", nil) assert.Nil(t, err) assert.Equal(t, "2", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "1", conf.KeyGroups[0][1].ToString()) conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfigWithPath, t), "/conf/path", "somefilename.yml", nil) assert.Nil(t, err) assert.Equal(t, "baggins", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "bilbo", conf.KeyGroups[0][1].ToString()) conf, err = parseCreationRuleForFile(parseConfigFile(sampleConfig, t), "/conf/path", "whatever", nil) assert.Nil(t, err) assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString()) } func TestKeyGroupsForFileWithGroups(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithGroups, t), "/conf/path", "whatever", nil) assert.Nil(t, err) assert.Equal(t, "bar", conf.KeyGroups[0][0].ToString()) assert.Equal(t, "foo", conf.KeyGroups[0][1].ToString()) assert.Equal(t, "qux", conf.KeyGroups[1][0].ToString()) assert.Equal(t, "baz", conf.KeyGroups[1][1].ToString()) } func TestLoadConfigFileWithUnencryptedSuffix(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "/conf/path", "foobar", nil) assert.Nil(t, err) assert.Equal(t, "_unencrypted", conf.UnencryptedSuffix) } func TestLoadConfigFileWithEncryptedSuffix(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithSuffixParameters, t), "/conf/path", "barfoo", nil) assert.Nil(t, err) assert.Equal(t, "_enc", conf.EncryptedSuffix) } func TestLoadConfigFileWithUnencryptedRegex(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil) assert.Equal(t, nil, err) assert.Equal(t, "^dec:", conf.UnencryptedRegex) } func TestLoadConfigFileWithEncryptedRegex(t *testing.T) { conf, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithRegexParameters, t), "/conf/path", "barbar", nil) assert.Equal(t, nil, err) assert.Equal(t, "^enc:", conf.EncryptedRegex) } func TestLoadConfigFileWithInvalidParameters(t *testing.T) { _, err := parseCreationRuleForFile(parseConfigFile(sampleConfigWithInvalidParameters, t), "/conf/path", "foobar", nil) assert.NotNil(t, err) } func TestLoadConfigFileWithAmbiguousPath(t *testing.T) { config := parseConfigFile(sampleConfigWithAmbiguousPath, t) _, err := parseCreationRuleForFile(config, "/foo/config", "/foo/foo/bar", nil) assert.Nil(t, err) _, err = parseCreationRuleForFile(config, "/foo/config", "/foo/fuu/bar", nil) assert.NotNil(t, err) } func TestLoadConfigFileWithDestinationRule(t *testing.T) { conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithDestinationRule, t), "barfoo", nil) assert.Nil(t, err) assert.Equal(t, "newpgp", conf.KeyGroups[0][0].ToString()) assert.NotNil(t, conf.Destination) assert.Equal(t, "s3://foobar/test/barfoo", conf.Destination.Path("barfoo")) } func TestLoadConfigFileWithVaultDestinationRules(t *testing.T) { conf, err := parseDestinationRuleForFile(parseConfigFile(sampleConfigWithVaultDestinationRules, t), "vault-v2/barfoo", nil) assert.Nil(t, err) assert.NotNil(t, conf.Destination) assert.Contains(t, conf.Destination.Path("barfoo"), "/v1/secret/data/foobar/barfoo") conf, err = parseDestinationRuleForFile(parseConfigFile(sampleConfigWithVaultDestinationRules, t), "vault-v1/barfoo", nil) assert.Nil(t, err) assert.NotNil(t, conf.Destination) assert.Contains(t, conf.Destination.Path("barfoo"), "/v1/kv/barfoo/barfoo") } 07070100000041000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002100000000sops-3.7.3/config/test_resources07070100000042000081A400000000000000000000000162794F9300000B59000000000000000000000000000000000000002E00000000sops-3.7.3/config/test_resources/example.yamlexample_key: ENC[AES256_GCM,data:mOtEkS9nmmncpxRBYA==,iv:ecPCSny/r62lJr2DuwvucwK/SGiAWLSbariWob7r4Ek=,tag:3m8Dul5yxqEmunMJom+Cag==,type:str] example_array: - ENC[AES256_GCM,data:vYoTCRm2gudQ/XFkIm8=,iv:DOM9XZRFFdty4kjMWvqT4UCiwHr5sd7Z3CiS6Xg4q8Q=,tag:07gBVF4mSeG/7Xs+qBeMew==,type:str] - ENC[AES256_GCM,data:Wf3LVG1677UaZSzzIYc=,iv:8sQd09YT7BkJSntvKUudfXtjPyqzsPqayu0Qo8v+SHI=,tag:zVz8aWLVox40iEKOSUGW+Q==,type:str] example_multiline: |- ENC[AES256_GCM,data:Jw34myS8s3NPrOnPnBdJ67bVyNxKmq7pmp0=,iv:8pjw5k5XpV2x4bM2jpISMHy97b6ffkCFvbtKOiZ22VU=,tag:V3NFD/WtgBDXujNTxst1HQ==,type:str] example_number: ENC[AES256_GCM,data:/KVkicl+xk6x,iv:M+qJNRywTlnkk28nLV3aO6pszNoLcNlrSs05aPIwgwE=,tag:Zku+tQMIeF/Sqnuy8QW4zg==,type:float] example: nested: values: ENC[AES256_GCM,data:y/Gbd4dFl8X4,iv:zOKYeVFBLEoliQ/WuxgNwui+9Vy1CcR+Eg9Zrs9d2qs=,tag:UUC/23KmH4ZGPT+dhHBYGg==,type:str] example_booleans: - ENC[AES256_GCM,data:RYzb/A==,iv:7cQpPBZ/0Woa5X3kdlx+4pOW15EmJMXopelmOGfYd1w=,tag:RT0L/KZJTrHQ9E3fgFfqhA==,type:bool] - ENC[AES256_GCM,data:H/wjpX4=,iv:EDRADHc4Z65yJzXHpVsWgaqcNPhwEdmSNeRtmi14p0g=,tag:ED3o+9Yv4NkoMg2BeS03Cw==,type:bool] sops: lastmodified: '2016-08-02T18:34:06Z' attention: This section contains key material that should only be modified with extra care. See `sops -h`. unencrypted_suffix: _unencrypted mac: ENC[AES256_GCM,data:n6bRU4NrPaMvQj0nI7j7x+Ihkdvr61SDYKw7atVeTDGj+puvd+/0DuFyeWJADNtlAZq7pasSobUMuA66MrNpavMLc5/tBX+NZbT1cbGD0nBt4y7ztog1MFSay03CDrhbepmWNSs8ihgYtHfxfGiqzTU5sRTM+iEHAiwJ1h7eU4k=,iv:oqO1KMNkWUC+aAxgNV4Kng4CBWzO7wIIswDwbRvlv8g=,tag:uUmgKKFeNGvAzZZLI0RViA==,type:str] version: '1.13' pgp: - fp: E5297818703249D0C60E19E6824612478D1A4CCD created_at: '2016-08-02T18:34:06Z' enc: | -----BEGIN PGP MESSAGE----- Version: GnuPG v1 hQIMA2X8rvoeiASBAQ/+MYitjFEMfLz5N6JeZ0IoYAbpJZPWkUavhXF9H4SU9mYi 8Tp4KgJVRhv7IOsqmuMrxIWZL9++HqEpe+HWWy6luzPrWU7HIPpwGcYRCyWrdt2u UjBVYMVgLwGMfrWe6sr0yWrVXrLQ2ltPBn8J5vyHDZUYXY33B1vj7F2BuF2oL32J f9ZTAikiHJI/4Q62P5x7RQrqHqV/Ncczf+w/ni+ZnOwH5kay306DKNwTX64AWoc6 iW/nPCRzIfhWx89BPu+SwGaEwQbHvS7zMLZ/UtarNWAFQ5QmlBW6dyH9Edj5bA7u BuhxjBT/6ZaXX6iSAl98021eplf6s945vB7gPuzrgW1LM4t6X8M9P0KMMrDujz/S cm7Vrhm//syT2IJqFR9x/PylbpHhVTwTWZIFvLRRJlM66NYsvxMvJdknovN/889D I+mQkA8oxtjyof8fgIOvU7ph6yBzRbb838a0Fyu5U5wwrNzBc5N23WNjzNcT1XRy kl7W7MElHnjzq2jNJIB+XipaV6uoMbaoiYZNi+bpHj6pASCaBko7c8aPYVLruPbZ G3fCMY1mxwRBYyn6d1sTqzVGR4WBJLc+4ikm+H4O4aa4sv137/cnRRbVNhpgefob H9SSjSr2gr9YiHgMsG0kdilyTnccYaeljBqOJKUKiWOPk8OBiycNtU+rESagw5rS XgHpMul9uyxksAQf7VpXJJQYYgk+DlZhkkd/hVu59vxJo2oxxp5aGyBijGSy7mcI 3FajmsEFKdPaHpbsSDP0/83RHIwVwbQK5N+IcNGHk/rnh7XEJ73vtrsA9muAmoo= =OxaE -----END PGP MESSAGE----- 07070100000043000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/decrypt07070100000044000081A400000000000000000000000162794F930000090C000000000000000000000000000000000000001E00000000sops-3.7.3/decrypt/decrypt.go/* Package decrypt is the external API other Go programs can use to decrypt SOPS files. It is the only package in SOPS with a stable API. */ package decrypt // import "go.mozilla.org/sops/v3/decrypt" import ( "fmt" "io/ioutil" "time" "go.mozilla.org/sops/v3/aes" "go.mozilla.org/sops/v3/cmd/sops/common" . "go.mozilla.org/sops/v3/cmd/sops/formats" // Re-export ) // File is a wrapper around Data that reads a local encrypted // file and returns its cleartext data in an []byte func File(path, format string) (cleartext []byte, err error) { // Read the file into an []byte encryptedData, err := ioutil.ReadFile(path) if err != nil { return nil, fmt.Errorf("Failed to read %q: %w", path, err) } // uses same logic as cli. formatFmt := FormatForPathOrString(path, format) return DataWithFormat(encryptedData, formatFmt) } // DataWithFormat is a helper that takes encrypted data, and a format enum value, // decrypts the data and returns its cleartext in an []byte. func DataWithFormat(data []byte, format Format) (cleartext []byte, err error) { store := common.StoreForFormat(format) // Load SOPS file and access the data key tree, err := store.LoadEncryptedFile(data) if err != nil { return nil, err } key, err := tree.Metadata.GetDataKey() if err != nil { return nil, err } // Decrypt the tree cipher := aes.NewCipher() mac, err := tree.Decrypt(key, cipher) if err != nil { return nil, err } // Compute the hash of the cleartext tree and compare it with // the one that was stored in the document. If they match, // integrity was preserved originalMac, err := cipher.Decrypt( tree.Metadata.MessageAuthenticationCode, key, tree.Metadata.LastModified.Format(time.RFC3339), ) if originalMac != mac { return nil, fmt.Errorf("Failed to verify data integrity. expected mac %q, got %q", originalMac, mac) } return store.EmitPlainFile(tree.Branches) } // Data is a helper that takes encrypted data and a format string, // decrypts the data and returns its cleartext in an []byte. // The format string can be `json`, `yaml`, `ini`, `dotenv` or `binary`. // If the format string is empty, binary format is assumed. func Data(data []byte, format string) (cleartext []byte, err error) { formatFmt := FormatFromString(format) return DataWithFormat(data, formatFmt) } 07070100000045000081A400000000000000000000000162794F9300000522000000000000000000000000000000000000002300000000sops-3.7.3/decrypt/example_test.gopackage decrypt import ( "encoding/json" "go.mozilla.org/sops/v3/logging" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("DECRYPT") } type configuration struct { FirstName string `json:"firstName"` LastName string `json:"lastName"` Age float64 `json:"age"` Address struct { City string `json:"city"` PostalCode string `json:"postalCode"` State string `json:"state"` StreetAddress string `json:"streetAddress"` } `json:"address"` PhoneNumbers []struct { Number string `json:"number"` Type string `json:"type"` } `json:"phoneNumbers"` AnEmptyValue string `json:"anEmptyValue"` } func ExampleDecryptFile() { var ( confPath string = "./example.json" cfg configuration err error ) confData, err := File(confPath, "json") if err != nil { log.Fatalf("cleartext configuration marshalling failed with error: %v", err) } err = json.Unmarshal(confData, &cfg) if err != nil { log.Fatalf("cleartext configuration unmarshalling failed with error: %v", err) } if cfg.FirstName != "John" || cfg.LastName != "Smith" || cfg.Age != 25.4 || cfg.PhoneNumbers[1].Number != "646 555-4567" { log.Fatalf("configuration does not contain expected values: %+v", cfg) } log.Printf("%+v", cfg) } 07070100000046000081A400000000000000000000000162794F9300000C64000000000000000000000000000000000000001700000000sops-3.7.3/example.ini; ENC[AES256_GCM,data:EexYkXJHDv1E9WwU8wUrBakxAZcnlIkAJQgRFts3alF+5w==,iv:/wd7bCxSkJ85eG69NMq2RH70Dlw5q/diL42GcdTbRYs=,tag:8W4B3JjLYAtJgG3Zi6Hu+A==,type:comment] [name] firstName = ENC[AES256_GCM,data:7cWtsg==,iv:rh/1l0yiOE3JmmSJB9CXp4Ctb5en0FcNUZZkLyWsX3c=,tag:d7We6RtSs3AYhA6jan/CoA==,type:str] lastName = ENC[AES256_GCM,data:Iq50v00=,iv:o+bfCsNBsv/+XdXS4M7TCOTPzG38ft14/Q9/vZvnNvM=,tag:cRivFOZyIpMDXdKA9R+6mA==,type:str] age = ENC[AES256_GCM,data:aSt9Fg==,iv:z1NjXdRRFs8+dAFkrngS7PyhUSCOTzAmxtzCcfafkAM=,tag:6kpo65TxMu1oKF9d7L1wJg==,type:str] [address] city = ENC[AES256_GCM,data:3hQ6RXAc8ik=,iv:ajAjhQIJiNWy9PGj8ZCI5k+3uw7igweqZ+eiZ9tuvG0=,tag:bGX7PK+/hTQE/1uYmXexyA==,type:str] postalCode = ENC[AES256_GCM,data:1Ha0avZTe6IflQ==,iv:l8rbQbhSwxr3AJzqe/H8ALrHcXsntcBfkyUGt9/6k/U=,tag:f6s6ObY5QaqmG4CUpV+UKg==,type:str] state = ENC[AES256_GCM,data:ba0=,iv:P/VsGYbhT8ihRvluWc8HcUDPPigh/IcHXBnj0Xb86AE=,tag:JN7Y77eOaF1+tJjN2cxtnQ==,type:str] streetAddress = ENC[AES256_GCM,data:LYYluDyJzryoYT2Nkg==,iv:KTmXPVV5tSY8/piTb/uPcfJL2mUqkS1aUI9pukQm1Dc=,tag:AzdSsRjEWx8kzclSZIdIcA==,type:str] [phoneNumbers] home = ENC[AES256_GCM,data:wv3pG8J7wmiotVY6,iv:YdX9RKlN9t0PohEu+Dxws0POUf8hjDMi4PJre+4/lsg=,tag:2XadWng1DxnfMituylFC5g==,type:str] office = ENC[AES256_GCM,data:Hu3X626TUgV3Ix7i,iv:P1SBjvZPogJih4KLFLcbxeWeZT2aTNXPBtwlC9yZZ70=,tag:4SOkQZw4ynKfrFwrmre6Lw==,type:str] [not private] notsecret_unencrypted = hi there! [sops] pgp__list_0__map_fp = FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 pgp__list_1__map_created_at = 2019-12-10T22:45:52Z pgp__list_1__map_fp = D7229043384BCC60326C6FB9D8720D957C3D3074 lastmodified = 2019-12-10T22:45:52Z pgp__list_0__map_created_at = 2019-12-10T22:45:52Z pgp__list_0__map_enc = -----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAGb6tDB1gDtwLcVuENgd/AU1ZjxDbUY46OJzi1fkQ4jyo\nvxfCviqfslYyncVrKab0S9U+alIu8Po8BrHCTwmDkcnPG7HWMcqRo+Nq3JShir3y\ntVMbHuRGykPmGjs7GOUn1WibOisiJjHzLdFOsyNexveBV9AVln7kZazCRlXwbLqc\nyJ9IQsWi1ET6DjtViejiBKblDzZ87WgvL2Z0E8QfYXmrB3GpFa+K4Aqgb3pHkQQo\nGQArNAe8BmrhEXotj0IS/K3v2wjX5Sqli+0dh4qhaXiIeYb16nfc4M1TUo4Vvj7Q\nyWdjufTi+2RIxxUEkIdRg6lDVabm98hLn6/jsQ5c5tLgAeT99N9te4j1eeO62xwy\nz4S+4Xok4Cng9OFHFODz4hh6ah3gYuXRf4qFh++GUaxGwG/iGNSiY7A9eWg1gM+N\nPB6MtiOnhuB15N5mbD2V1xrzlF0fu0K98Vviv75h4eGzYQA=\n=RaGg\n-----END PGP MESSAGE----- mac = ENC[AES256_GCM,data:5NouZe0uY8581eqXLe31TWYqThPlfePdpIyYDBgj3FwGvPfhiWB+dn/diSt4NpZ9zUNI4VhF2cmNesk8NgZdUK9/N9WbGgmJjjdBXvo0xhvr8RR22AiVCB9ipDlSFqnOMyJzo+CAvpSDbwF1bMU0qxwKW+zpDZV2uLX+px7b2qM=,iv:em3/lIV7eYA46u2kM0bR1/3O6Ga2vRfS5/r2qh0jges=,tag:ow9277u7mFNcs4IdsU4YUQ==,type:str] pgp__list_1__map_enc = -----BEGIN PGP MESSAGE-----\n\nwYwDXFUltYFwV4MBBAAQYkLcQ1MORGYYprtFwUZPO2J3CBOU4u76qJQod5JXZuAa\n3aCynkyrOHIpgh2cKoyUle4u/FK68mFl9+TxixlFDRxt1CsvMR8dHP0EFJOMSq5U\nNwpcnEh20++3DNiq7bCtS2W68FRh8bVxmhEEXPxW4HLJV4WZSE4pu9B7w9kd5NLg\nAeQyj0ugpILq3IonJdLsgLkg4RGV4GDgFOEqxOCT4uKeSX/gdOXvr5WJzlWJRLjT\nA51CtgnUVXlNO5zfCiFRMXOFyE1FCeBm5Ivkgh4KxkQvwI6jSZpU1rjiz4QYTOGO\n4gA=\n=XdTd\n-----END PGP MESSAGE----- unencrypted_suffix = _unencrypted version = 3.5.0 07070100000047000081A400000000000000000000000162794F9300000CBB000000000000000000000000000000000000001800000000sops-3.7.3/example.json{ "firstName": "ENC[AES256_GCM,data:f8++3g==,iv:rYuVzzb+C40QlYgO4Dl2V7atZUx0ITBcyb5fUsftKMo=,tag:krquPqa1HQltZqidzNamrA==,type:str]", "lastName": "ENC[AES256_GCM,data:94a2Q8c=,iv:c3NC7L80UTtbz7gdvPV5oSUwg30lC3Kg82uvRVs5CZw=,tag:kUXRNerUWmSe44mwD4w5uA==,type:str]", "age": "ENC[AES256_GCM,data:gjwWkw==,iv:XEWFpsyvEsPwr3qqsOJlfZ+vSZdiA+D6DAc6aoq/BS0=,tag:pcnUyMtYFa9v5DB6sNV15w==,type:float]", "address": { "city": "ENC[AES256_GCM,data:vSeyQwN1Z9k=,iv:DBmuX4w6w14Z/1b820OE3SM3MPx3oLGAeSoR4CWxdhg=,tag:ClpJZLb4ObIOdDD441clrw==,type:str]", "postalCode": "ENC[AES256_GCM,data:SZadC4tZh106eg==,iv:z/yWCZTd19j+3cFY5mwVkxY8a7i6veTBnwh4fsw5Kbw=,tag:iel9Pqh0jS0KhjxklXeqIg==,type:str]", "state": "ENC[AES256_GCM,data:b0Y=,iv:7Ar/Tb7XCDo5ABZNdSNBqGquaGEQF7dNxd1VvW7Nwak=,tag:uEjmOKwPlkYSq4IV1tQjwQ==,type:str]", "streetAddress": "ENC[AES256_GCM,data:dVFPTRPKOFSJ1plV9w==,iv:08Ks4C1FzFozezKBBYSPEAIkC5DkthDFmMW0R3zVbkI=,tag:waInfXMCAcx5C7avXHahOw==,type:str]" }, "phoneNumbers": [ { "number": "ENC[AES256_GCM,data:lkUEC7s3qU9AY6W+,iv:KjF9i0K9u7THbb3Bn1adQrIKpv1ZqA3PiJkctgFm3Bw=,tag:LBSqqr+gn15x0Pz5JKMJJQ==,type:str]", "type": "ENC[AES256_GCM,data:aXBHGg==,iv:ulcjNwVfGFvUtVN8q0h1LMYM5zRDmOsqtoFC1JOHREY=,tag:7vdMoCOD+7IeUHWQqQJ8XA==,type:str]" }, { "number": "ENC[AES256_GCM,data:z9Ujp3n2yXBqPNM1,iv:1nbZrIKozuS2p2AgD5/gHgjMN/VSd8SFeCbWdjy9Cf0=,tag:tfwaYihQDMAsmy/yt6ScLg==,type:str]", "type": "ENC[AES256_GCM,data:ddkB7Iu6,iv:4t31C5r1zhCpLQ64idoJ8OBC7ocME15zCUXCmgf2ItY=,tag:RmBsmbhQW10oOTDuzfxEaA==,type:str]" } ], "anEmptyValue": "", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "lastmodified": "2019-12-10T22:45:55Z", "mac": "ENC[AES256_GCM,data:VoXDgYpIYCvFSLyKGx4c8yk56Mk5GkeIwM8IyUi4RgkKBY/xEIzNUOuMqBzWEOvTTsivF/JtUOrBIsDRxGY0u0qNJK1R5WFuSYr3TA5sdu3ytMcu+mKY4THSJN8uuri/tXVcoF+ywLOS6NRFbHDJPtJGcy1XQwJJAgvdw+sIvQA=,iv:dvk3FYXHr2N6gYIw2OqbYiHn6FfXzuyHqZvJIo6IVGM=,tag:rjnNkJSGpXJ762EyjDltXg==,type:str]", "pgp": [ { "created_at": "2019-12-10T22:45:55Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAMSeWf3F8kIm8EFiVgGVQgWGIHUVoolToi8d8lAC8/UdK\ncx9dIqlR43IFvvmCKyNZ6Q+/a1ERc07xLpVp3wmN80sE4NZCGZioThZjp2qNS42e\n/HtLfDu+Rie1eKcXEik40rMDn7d8gaFVOpD3FbzoZUFVm8hN5ChzqQqL1nLy9ZgY\nbthH3Rzt58Z1/sxARLNF2/yUqAEX/YEoL0MxM68Z55kwiMqSZ1rdmLKKfXdJbdoL\nSRrFyi+XaAwr1bTD+BnqHqgmYEEWEfHPDW7e1St/4IS4PU98kKuVLjhBKbfTRUpF\nkzxt+XQV6uDfPzdeOzf+JrFMRaoxTRMpcUi4Jn0vstLgAeSAjSzqkUr6DEVsuS8V\nAqRD4Z9I4HHgy+GYruDQ4kDtTvPgbeUWFma5yz25JOoORZIHaGiEB3T8ZhrFD8VI\ndFLxtxLtCeCg5BhRcrxFgWPQCMK/uCt/GFniNf4Y2OGOHQA=\n=r/lV\n-----END PGP MESSAGE-----", "fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" }, { "created_at": "2019-12-10T22:45:55Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwYwDXFUltYFwV4MBBABs0ZEghsU+mdsRFROvlT8ACqk4Ru0Bssw3N+lkSrpR+QyY\nuRgAFNmZgPKz4DhZLHbhOD0zAAHuMCGriXVqtxMYMveX1nbXom+ayBmU0jja+6X2\njwk0MghHS1bgIsGrrhPoD7c3iirdaXSgHKAxwl4bpw5OxW6t91moOtJ4DAyGXdLg\nAeTkQxUyLFEeUbx4xX7kNCm+4Yho4CngDuH4oOD44gSWJsjgU+XiRBuJa50tiloC\nA10yQkWZtuyPOWppO5qOdXqV3XDIeOBl5JSNFuv5B80w8UIYhPPXWpriV1nBveE/\nwAA=\n=Vg44\n-----END PGP MESSAGE-----", "fp": "D7229043384BCC60326C6FB9D8720D957C3D3074" } ], "unencrypted_suffix": "_unencrypted", "version": "3.5.0" } }07070100000048000081A400000000000000000000000162794F93000007E9000000000000000000000000000000000000001700000000sops-3.7.3/example.txt{ "data": "ENC[AES256_GCM,data:p6kOd9e7KOYw47VlNlKa52wPFfbY3xaJYQrO5QDT1LyNvUIVBSRTrJxvn5MCC7vdnTOkcBzWmlr6Z/Q23/sx22++3Y7nXTSgFPQxPVIA8X33OoIsCamNHS8+8JWOReALCf2Cd3rzedu0GWR+/f2YBSHNA3C4nffEDbWbXRyAvcvCv3G4umH+Jh9auWUlfbk3Bx/8LvX6DodcxhQ=,iv:ESrDyOG6qetEWGBNHWRpT6ra1NhpaFH3SnjBSdMj2r0=,tag:aP5vOboB64cJDUls9WKsTA==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "lastmodified": "2019-12-10T22:44:49Z", "mac": "ENC[AES256_GCM,data:wN+npCzfJVz6nwZQ40FTPD23Ly1CEiU1N6aDua+Mgj9cH7NwJOklW8QKTs3+q3f4HEkbeuFE6VQN+Jm05Zsj1inGjAdG2MfDurspJl6Jpe5DBKgk3zudAcc66gm4T4Dn3h7zFvNovOl+VEa4+ntaxIoVNugVDq3ZLTj/wMd3XwU=,iv:RadNg2jPeQEkE1F/GzrdcPIZHbxXoZpo+iOHpRGlLhc=,tag:ID8N4xhN7p3N5EYGTkYKxg==,type:str]", "pgp": [ { "created_at": "2019-12-10T22:44:49Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgANOTnicDHAmqwi76yIm2eAgzm32k34hsPS40vKeCKtbIP\niR91/hDmklYXgR9yL9xgBI0SRTMGySSk9YJ9daZd61JVh1IVuxr93Y8GSxhDldAn\n1Wc2dXJ24x7zxfUs4sfZYCtzXZBUb/eAPLDIkeKPzkVKN4kLdVdccOig/2lOuuVo\nw3Xy+m7cx0VPdsFFzVWok15oHj8n0+J8v6Vnyiyx7yI7xgsynNwpZDUN+K15NyGs\nkaO21AeQnxDWmwo4H93+r10esFYns0kyLOCNwN5/XLskT31f9MCo8H4bBDyeO1lE\nrfLKAn0mh81qKedQLTssjElCLBgY4CpcL9B688P/otLgAeSR+v/JrgslAw+QhiBC\nPxqj4ZUC4KbgFeERieC34sjLWuPgxOUoC769iqiM3ArscWLYG6jYb9Acigwtf5/r\nNkFoXHoZPOD15Ne/ElmCDPowh0aAFCwVp6/ipRc0teELTQA=\n=FyYT\n-----END PGP MESSAGE-----", "fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" }, { "created_at": "2019-12-10T22:44:49Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwYwDXFUltYFwV4MBBACebuDSGC4caG1iSviC+IQKXw/mQXmWDDWLA1RDH7/ZEa/2\nqsA0Eb5bsd4Hf5pW6UpK/TDZpFn3eKeCn8wP2G792Ez19UmhwHB+0Zid9Zq76UAZ\n1bcwX2YJeCgd8/OgIxfh7a6MDDz6TDNGL916BIE6kFJwT3Vvm9EzF7vDglE5mtLg\nAeTK87HB76QLJNDI03Q8JYrN4e1S4KzgxOFhkeAv4lmhR+zgCeU3u0ripltx+Hys\ngtiGJSnuoJrYrwhSIO8JOoc2iR0bkuCn5Gf4VirHEUwrIUqgQVsmLQnick1iv+Hk\n3QA=\n=exjM\n-----END PGP MESSAGE-----", "fp": "D7229043384BCC60326C6FB9D8720D957C3D3074" } ], "unencrypted_suffix": "_unencrypted", "version": "3.5.0" } }07070100000049000081A400000000000000000000000162794F930000140F000000000000000000000000000000000000001800000000sops-3.7.3/example.yamlmyapp1: ENC[AES256_GCM,data:zlGNmhTYX5xol4ZZFsiaoGkD73nn,iv:ql9mkhoU1I64E/FJi3iA0HaAe2U3kQVFee2ZLwPnBik=,tag:SqVSfu/JkRrwqidAT/i0pg==,type:str] app2: db: user: ENC[AES256_GCM,data:tQ1l,iv:o9MiMveNYO7T82yDab+4pAt17DO6B4wl8yGy3oFbDb8=,tag:0RjvUUtSQwaUc9SF3RSTZQ==,type:str] password: ENC[AES256_GCM,data:8Ll+TDCgzQ==,iv:aao0OSVdFwaB9EGZ0O+Wn5bRJ6do7hgiQioqiwDi1w0=,tag:WKj0nuSSPkm2dBOBwinYvg==,type:str] #ENC[AES256_GCM,data:uPuUQAahmq1xL5L2B0+a2gHSl7zXucjqa4Kr0AgNKTpgHw3IPx2lCoK+,iv:qYxjRmWMir47YKhmrrHwV0atmGjcJ3Dts+xvQ+6skHQ=,tag:dsj+0DsfiDyJNGUmvZwnHg==,type:comment] key: ENC[AES256_GCM,data:xRjmLiX4BCoSUElToUs5twDq1WNWQNvNMi8yitXly43iGQiwltIs0FsY5u+7fzLepS66oLTGdL0NfWwCGxksYYzUKz5OXRLEatacZP40D71861zu+njmGdXepY0q0q5VOG7ObgIAMMMElVKRIFdjpVgmgUa+/h6R77mEbDztk6lqb28r15XyR6GmdubierTE7aialFzNoC+XO/yk7bnMi0XA/aomj1H5RdZ37LBR2k+rhqXmhkPdGTdJ39t4Ou1Q2Oc4RHRGvgs/EeFqQHcq0AilqXsFIv/PE0bQP564LaOcXK33B+PnoV1D+lXZ7mLOjKlq04c+UojwXjpZeXBr6Ip4H3dAGkPAoQKMtyGwHYzuLCNesxwPv2tPqbxkbVev0AKezGhnPjvCNvRN3S1Y0LPf1atfwzOCBQBhdUTpmXtxCdTNG0cUUZjeIKAyJXDWJooYHlstzDti/dSGMEedOnKq6648Yp7tLNDjAg5CGbDEWjTWehtqgvixUoRdYc2/r/ie3t09XB9h70BzLFDnbNdTNHhg0/aivHeDf8LJ2Co8YvIjLTwlm7GV0mSwzJIoY/2YxXFtw+XFqt+BCt1G8wq3R6OdXZK/+6fUKH/D4EVym5nrGkZIuOCiTB+wpzy09QmZ80Fo+ba0x/1g9ZTMKHk=,iv:ZtzvrO7QSHEOCnKCrIYcaesKnyScV8KaHZr22tUMLlU=,tag:2A3nJBIPF2Q3FlwMYLvG2w==,type:str] number: ENC[AES256_GCM,data:DX0qiTOWhQvG/w==,iv:ouWsby8JoFwCRj/mLVCnNcYhP2sdyf4h6nwZuGksE7Q=,tag:lPU6AId2JrlquHnYRw+E8Q==,type:float] an_array: - ENC[AES256_GCM,data:vyczE8EQr9qHkaM=,iv:sT5jKk3LZ61Zq/neTli5tcnDFxCxY5RuGr2k5oGQWJQ=,tag:1HgaHWfyh6EJLkI1V2kOrw==,type:str] - ENC[AES256_GCM,data:XtBinnYXR7bx1GY=,iv:KvT9smKVmgMNrab+RzfuWscyvJav2r8j1P08ucNmhgQ=,tag:IllAEvIPPeKOfqi1XbmT8w==,type:str] - ENC[AES256_GCM,data:gpZ7nwWTGaI+Ti+lk+CPQOoM0ypwK7UMMBUiZAniQHDNJelipqc8hyhNeV+tpJLNaRt74OHs04EX8g==,iv:mKcwVelqLvwVDPjR8NeyMZ7AhsjRgmnYmyEuwPNPrQ8=,tag:vrkoccUfJs105yLCmXYYCw==,type:str] - ENC[AES256_GCM,data:L9jPh+7+XsdqEpUnFcD4nA==,iv:xyfKjOXVrBDCIQG5786pSu5yvHdl/PK8eVxkIUWoCIw=,tag:Q0wlTV2e2vZeU6eTF5Oacg==,type:str] somebooleans: - ENC[AES256_GCM,data:ExiXxg==,iv:K7FUwomqdA7o9lzvNoAMH/wbXs08FextTGGeJKnaatU=,tag:A9UntgvPIcappmeM3jsbdA==,type:bool] - ENC[AES256_GCM,data:3I0AVdM=,iv:q4YKnRIKufREPmwT4sz8plcsOD6iem/tY3NMUV0STBE=,tag:0w4OMKClWTzjKhqsJZT8JA==,type:bool] this: is: a: nested: value: ENC[AES256_GCM,data:oFn5fJS5+slb2sCdLY5SxZ+iWeowWtf4wn9g,iv:MZ7i4tZnfCQhQRUwXV2fYQPIJ0tTUFLiD9xuB+765e8=,tag:ZEjE5jvxE5HkN3mma84pKw==,type:str] #ENC[AES256_GCM,data:WwWiKtMsD1shPe5kPHOh2bJqQPGHwxa6GYrR1y14wiid,iv:AZPaRyVDOl100PvBPMeq0lt6/O5ZUhzWX5UmWNABWvM=,tag:PBReK6Ap/VHxncn0G4qtEA==,type:comment] #ENC[AES256_GCM,data:eYRaxgs3vGeS96+ZDV8GYrwbvsrMtnWHOtsT2045tD2mlfOD,iv:/RVNEWuBlxhhY8OlJPbS/81QJukXZu1EWnPUQwrcin4=,tag:DybgrXKGWxoRyIQOlc+UMA==,type:comment] #ENC[AES256_GCM,data:JXKEWGBg4eeCdeQ=,iv:K5keuEjyekf7a3q7WBOKwljsHGXRdQteJcXeeKvHo28=,tag:60VtIdsy13qSKPIEWHUUNg==,type:comment] somelist_unencrypted: - all elements of this list - remain in clear text - because of the _unencrypted suffix in the key nested_unencrypted: this: is: all: going to remain in clear text sops: kms: [] gcp_kms: [] azure_kv: [] lastmodified: '2019-12-10T22:45:53Z' mac: ENC[AES256_GCM,data:WDjMv0eWcyPQzZlr3MppeAMQavN88xv5LzI/9wOlg+WPhRoTdrvgFpWowyWvTdUC/i0ybRQRg2u/Wam0kaqzMDpl/E806Gp9hgJcSneqydDJqPiMh+HpXkXWpc70xbYg8/gc1l7eIfSG7rS1dC2t2je60OAIfC/5zAXrL9KH4Ho=,iv:h0hWhb+46upix6K7hZfNNQoiX7WCapiMTv5I/keZsm4=,tag:v7mVbTN3HWmekol5iaO8FA==,type:str] pgp: - created_at: '2019-12-10T22:45:53Z' enc: |- -----BEGIN PGP MESSAGE----- wcBMAyUpShfNkFB/AQgAE0MaWAQGbTKY7Xg3fDNtzlvnVBkkQRHsLt5kUTu2nAy4 sPX0NRXPVF/tAMxr9mI2fRjKnNBXKpOAecNis85D/QEkfflG8/syGkqiJqy9Nqon WSm1bNriPfD4PL850688EJe49Xrsz6rVbW5FYZCHMbnPxvmoheMJRxLonW3/eWPy IjJ9i6Z7W175mv1y7FELOimdQeelynp4r8bOuuq1BhePB4+wJXihw9n0ovuLklpl Kr2iCmIUibSywlEO/LGQT/VXo6R7xgSN2Xg0RwWfflajYHNhVkHlnNYzkACjvdhj ph1M5fLGDqPu+ySSe93EyahNhdwKgQ7R9yF8/13+QdLgAeRmrBgh0N54mQQAQyL7 mH/i4SWi4BjgmeHgUeBL4qcm2avg6OUasVJQHlTeA8D+c3TwKSTRVDijN4GBadYJ Z5/vXKOseeBk5JWCnIHC/MtjOkuPt53nvGzi3lYvW+F0FQA= =RDyn -----END PGP MESSAGE----- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - created_at: '2019-12-10T22:45:53Z' enc: |- -----BEGIN PGP MESSAGE----- wYwDXFUltYFwV4MBBABpm+tFhFhv3A7A/L/p6nL3HXKKhONrgguYgXA/hhSg4/bD 1Po5pQhCM4yb3gqWewxgVpGNKFr/Gl+kN9eZ3LXp5nEdhei/aQn7BbWkhph5PKt6 faiEZAL5PNHvktvEQwPsfNJvxe8QT2Z9oFmlueP0n3mCZz3UV9LZHNwOP7XfzdLg AeRzUGrZK43KavmIjdgPXcd/4ZW14NPgNeGm8+BO4nD26Fvgh+UiCb0TpBiI7WsX HQGUlFjuR6Vd7Q+vg8B/1Ovm3fUw7uCG5Gc2WeB0M+pXaLYS9bCDL9jisGOkD+Ef ZAA= =mqGc -----END PGP MESSAGE----- fp: D7229043384BCC60326C6FB9D8720D957C3D3074 unencrypted_suffix: _unencrypted version: 3.5.0 0707010000004A000041ED00000000000000000000000462794F9300000000000000000000000000000000000000000000001400000000sops-3.7.3/examples0707010000004B000041ED00000000000000000000000462794F9300000000000000000000000000000000000000000000001F00000000sops-3.7.3/examples/all_in_one0707010000004C000081A400000000000000000000000162794F9300000013000000000000000000000000000000000000002A00000000sops-3.7.3/examples/all_in_one/.gitignoreconfig/secret.json 0707010000004D000081A400000000000000000000000162794F9300000C7D000000000000000000000000000000000000002A00000000sops-3.7.3/examples/all_in_one/README.rstAll-in-one example ================== This directory is an example configuration for SOPS inside of a project. We will cover the files used and relevant scripts for developers. This example is optimized for saving developer time by storing all secrets in a single file (e.g. ``secret.enc.json``). One downside is any configurations which should be stored side by side might not be. Getting started --------------- To use this example, run the following: .. code:: bash # From the `sops` root directory # Import the test key gpg --import tests/sops_functional_tests_key.asc # Navigate to our example directory cd examples/all_in_one # Decrypt our secrets bin/decrypt-config.sh # Optionally edit a secret # bin/edit-secret.sh config/secret.enc.json # Run a script that uses our decrypted secrets python main.py Storage ------- In both development and production, we will be storing the secrets file unencrypted on disk. This is for a few reasons: - Can't store file in an encrypted manner because we would need to know the secret to decode it - Loading it into memory at boot is impractical - Requires reimplementing SOPS' decryption logic to multiple languages which increases chance of human error which is bad for security - If someone uses an automatic process reloader during development, then it could get expensive with AWS - We could cache the results from AWS but those secrets would wind up being stored on disk As peace of mind, think about this: - Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops --decrypt`` as well. Files ----- - ``bin/decrypt-config.sh`` - Script to decrypt secret file - ``bin/edit-config-file.sh`` - Script to edit a secret file and then decrypt it - ``config/secret.enc.json`` - Catch-all file containing our secrets - ``config/secret.json`` - Decrypted catch-all secrets file - ``config/static.py`` - Configuration file which imports secrets - ``.gitignore`` - Ignore file for decrypted secret file - ``main.py`` - Example script Usage ----- Development ~~~~~~~~~~~ For development, each developer must have access to the PGP/KMS keys. This means: - If we are using PGP, then each developer must have the private key installed on their local machine - If we are using KMS, then each developer must have AWS access to the appropriate key Testing ~~~~~~~ For testing in a public CI, we can copy ``secret.enc.json`` to ``secret.json``. This will represent the same structure as ``secret.enc.json`` with an additional ``sops`` key but not reveal any secret information. .. For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``cp`` rather than ``sops --decrypt``. For testing in a private CI where we need private information, see the `Production instructions <#production>`_. Production ~~~~~~~~~~ For production, we have a few options: - Build an archive (e.g. ``.tar.gz``) in a private CI which contains the secrets and deploy our service via the archive - Install PGP private key/KMS credentials on production machine, decrypt secrets during deployment process on production machine 0707010000004E000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002300000000sops-3.7.3/examples/all_in_one/bin0707010000004F000081ED00000000000000000000000162794F9300000261000000000000000000000000000000000000003500000000sops-3.7.3/examples/all_in_one/bin/decrypt-config.sh#!/usr/bin/env bash # Exit on first error set -e # Define our secret files secret_files="secret.enc.json" # For each of our files in our encrypted config for file in $secret_files; do # Determine src and target for our file src_file="config/$file" target_file="$(echo "config/$file" | sed -E "s/.enc.json/.json/")" # If we only want to copy, then perform a copy # DEV: We allow `CONFIG_COPY_ONLY` to handle tests in Travis CI if test "$CONFIG_COPY_ONLY" = "TRUE"; then cp "$src_file" "$target_file" # Otherwise, decrypt it else sops --decrypt "$src_file" > "$target_file" fi done 07070100000050000081ED00000000000000000000000162794F930000033F000000000000000000000000000000000000003700000000sops-3.7.3/examples/all_in_one/bin/edit-config-file.sh#!/usr/bin/env bash # Exit on first error set -e # Define our secret files secret_files="secret.enc.json" # Look up our file filepath="$1" if test "$filepath" = ""; then echo "Expected \`filepath\` but received nothing" 1>&2 echo "Usage: $0 <filepath>" 1>&2 exit 1 fi # If our file is a secret filename="$(basename "$filepath")" if echo "$secret_files" | grep "$filename"; then # Load it into SOPS and run our sync script sops "$filepath" bin/decrypt-config.sh # Otherwise (it's a normal file) else # Resolve our editor via `sops` logic editor="$EDITOR" if test "$editor" = ""; then editor="$(which vim nano | head -n 1)" fi if test "$editor" = ""; then echo "Expected \`EDITOR\` environment variable to be defined but it was not" 1>&2 exit 1 fi # Edit our file "$editor" "$filepath" fi 07070100000051000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002600000000sops-3.7.3/examples/all_in_one/config07070100000052000081A400000000000000000000000162794F9300000000000000000000000000000000000000000000003200000000sops-3.7.3/examples/all_in_one/config/__init__.py07070100000053000081A400000000000000000000000162794F930000073B000000000000000000000000000000000000003600000000sops-3.7.3/examples/all_in_one/config/secret.enc.json{ "github_oauth_token": "ENC[AES256_GCM,data:lVe1fLoILE8e/jiah90=,iv:6g350p9Id8+ssrV5lVEF4TWEnR+JfY84iUsh92/9XIQ=,tag:2qojKddpx5lO1iR2dqLZJg==,type:str]", "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "lastmodified": "2019-12-10T22:46:40Z", "mac": "ENC[AES256_GCM,data:XUVZm8UI26QEbhlIkQDfEWcyhooh/bGQ2eHOTu/ojbE4SBLRpcLtKHt2Bn8Z/72pLV77FmmSXAIwy8+xvzeTmEAZNRMfjrm0ZulBY1VgJLTrvA4Hh9F7H+Pb95xtc8B9SbFAo65L+xBJJ/e6t8QsV0N4crOoq0Su3OuvqXIVa90=,iv:1Vnq304ic+vPZ0as0xLpaO8dMduMrF3Xh9aAHT+VLiA=,tag:37+ami7Z3tQd1EwZKC7sPg==,type:str]", "pgp": [ { "created_at": "2019-12-10T22:46:40Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgATTwZYaZdIVFnJrzujQvk5x/SqVc5VY367UtStph9pxn5\nkSh2lvPrYHtkbpPkvv5Ug5CUwUbofq4rj3YSO3kVSDu5Z3IrAT+EtnK5PECg2JDT\nIXskkjFegQYp4YtC5UUhjIVIALti/9b3g2skVES/IHHlL+BE9AWj93yF24weu54D\nbwF6PQyGRE7HhZ8uUWEKIGTbJbpDzySk06LJSF33uNbKUViRtHuLu4JNFb22sjzy\nMKzITct/4KVlHAkC4ZHpDlsXmtooBJ8Yk7DK2vEM1POk2pE6ZBQbEgtY0hAOMFGB\nfg+j6cvNsLYWyQrjaB9Vsf4+QPDeTWuv5+cJjvgildLgAeQssqFSnZXumtz/VgB1\nm7Ma4Rov4DLgAeHkV+DJ4vTaGavgHuVj+a53Oa9HuX4p1rNV3ZLUyJi6HmNOWjvw\np8QFzrcRyOCN5N3VkrUyEK9l03NczoI9nt7i6r8jBeHWTQA=\n=Uxc1\n-----END PGP MESSAGE-----", "fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" }, { "created_at": "2019-12-10T22:46:40Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwYwDXFUltYFwV4MBBAA5g2pnnh43zql0b1bOa6zw0S6uMSLioFy5Or4Z+aEhywpe\n94unRNqABQdqCtowoUpjJ4vEHxQ+dkHPXpYJejolBKPaKpHJHLrdImkC9nb62jJ8\nthWFitj8ELQnHdmSk+t5kvaNj4nWXSuTTiXd2UodXZcHxH4UI4P7A4aZXKTYytLg\nAeRHhnSBOBYD0rMvFIWKLcR94SZE4LrgluHLYODT4l6Ln4fg5uX2CzKsP/KD4+jI\nPDvITr4Sdnh6m6XEctb4whn0OOKXo+Ca5OJ75/+Kb9SzSbA24uXJ1qriELpTt+Hk\nawA=\n=SIw4\n-----END PGP MESSAGE-----", "fp": "D7229043384BCC60326C6FB9D8720D957C3D3074" } ], "unencrypted_suffix": "_unencrypted", "version": "3.5.0" } }07070100000054000081A400000000000000000000000162794F9300000104000000000000000000000000000000000000003000000000sops-3.7.3/examples/all_in_one/config/static.py# Load in our dependencies import json # Load in our secrets with open('config/secret.json', 'r') as file: secret = json.loads(file.read()) # Define our configuration common = { 'github_oauth_token': secret['github_oauth_token'], 'port': 8080, } 07070100000055000081A400000000000000000000000162794F93000001CA000000000000000000000000000000000000002700000000sops-3.7.3/examples/all_in_one/main.py# Load in our dependencies from __future__ import absolute_import from config.static import common # Define our main function def main(): # Output our configuration print('Configuration') print('-------------') for key in common: # Example: `port: "8080"` print('{key}: "{val}"'.format(key=key, val=common[key])) # If this script is being invoked directly, then run our main function if __name__ == '__main__': main() 07070100000056000041ED00000000000000000000000462794F9300000000000000000000000000000000000000000000001D00000000sops-3.7.3/examples/per_file07070100000057000081A400000000000000000000000162794F9300000012000000000000000000000000000000000000002800000000sops-3.7.3/examples/per_file/.gitignoreconfig config.bak 07070100000058000081A400000000000000000000000162794F9300000D83000000000000000000000000000000000000002800000000sops-3.7.3/examples/per_file/README.rstPer-file example ================ This directory is an example configuration for SOPS inside of a project. We will cover the files used and relevant scripts for developers. This example is optimized for storing sensitive information next to related non-sensitive information (e.g. password next to username). The downsides include: - Slowing down developers by requiring usage of SOPS for non-sensitive information - Losing dynamic configurations that rely on reusing variables (e.g. ``test = {'foo': {'bar': common['foo']['bar'], 'baz': false}}``) - There might be work arounds via YAML Getting started --------------- To use this example, run the following .. code:: bash # From the `sops` root directory # Import the test key gpg --import pgp/sops_functional_tests_key.asc # Navigate to our example directory cd examples/per_file # Decrypt our secrets bin/decrypt-config.sh # Optionally edit a secret # bin/edit-secret.sh config.enc/static_github.json # Run our script python main.py Storage ------- In both development and production, we will be storing the secrets file unencrypted on disk. This is for a few reasons: - Can't store file in an encrypted manner because we would need to know the secret to decode it - Loading it into memory at boot is impractical - Requires reimplementing SOPS' decryption logic to multiple languages which increases chance of human error which is bad for security - If someone uses an automatic process reloader during development, then it could get expensive with AWS - We could cache the results from AWS but those secrets would wind up being stored on disk As peace of mind, think about this: - Unencrypted on disk is fine because if the attacker ever gains access to the server, then they can run ``sops --decrypt`` as well. Files ----- - ``bin/decrypt-config.sh`` - Script to decrypt secret file - ``bin/edit-config-file.sh`` - Script to edit a secret file and then decrypt it - ``config`` - Directory containing decrypted secrets - ``config.bak`` - Backup of ``config`` to prevent accidental data loss - ``config.enc`` - Directory containing encrypted secrets - ``static.py`` - Python script to merge together secrets - ``static_github.json`` - File containing secrets - ``.gitignore`` - Ignore file for ``config`` and ``config.bak`` - ``main.py`` - Example script Usage ----- Development ~~~~~~~~~~~ For development, each developer must have access to the PGP/KMS keys. This means: - If we are using PGP, then each developer must have the private key installed on their local machine - If we are using KMS, then each developer must have AWS access to the appropriate key Testing ~~~~~~~ For testing in a public CI, we can copy ``config.enc`` to ``config``. The secret files will have structure with an additional ``sops`` key but not reveal any secret information. .. For convenience, we can run ``CONFIG_COPY_ONLY=TRUE bin/decrypt-config.sh`` which will use ``ln -s`` rather than ``sops --decrypt``. For testing in a private CI where we need private information, see the `Production instructions <#production>`_. Production ~~~~~~~~~~ For production, we have a few options: - Build an archive (e.g. ``.tar.gz``) in a private CI which contains the secrets and deploy our service via the archive - Install PGP private key/KMS credentials on production machine, decrypt secrets during deployment process on production machine 07070100000059000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002100000000sops-3.7.3/examples/per_file/bin0707010000005A000081ED00000000000000000000000162794F930000032A000000000000000000000000000000000000003300000000sops-3.7.3/examples/per_file/bin/decrypt-config.sh#!/usr/bin/env bash # Exit on first error set -e # Define our secret extenssion secret_ext=".json" # If there is a config directory, then move it to a backup if test -d config; then if test -d config.bak; then rm -r config.bak fi mv config/ config.bak/ fi # Create our new config directory mkdir config # For each of our files in our encrypted config for src_file in config.enc/*; do # Determine target for our file src_filename="$(basename "$src_file")" target_file="config/$src_filename" # If the file is our secret, then decrypt it if echo "$src_filename" | grep -E "${secret_ext}$" && test "$CONFIG_COPY_ONLY" != "TRUE"; then sops --decrypt "$src_file" > "$target_file" # Otherwise, symlink to the original file else ln -s "../$src_file" "$target_file" fi done 0707010000005B000081ED00000000000000000000000162794F9300000139000000000000000000000000000000000000003500000000sops-3.7.3/examples/per_file/bin/edit-config-file.sh#!/usr/bin/env bash # Exit on first error set -e # Localize our filepath filepath="$1" if test "$filepath" = ""; then echo "Expected \`filepath\` but received nothing" 1>&2 echo "Usage: $0 <filepath>" 1>&2 exit 1 fi # Load our file into SOPS and run our sync script sops "$filepath" bin/decrypt-config.sh 0707010000005C000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002800000000sops-3.7.3/examples/per_file/config.enc0707010000005D000081A400000000000000000000000162794F9300000000000000000000000000000000000000000000003400000000sops-3.7.3/examples/per_file/config.enc/__init__.py0707010000005E000081A400000000000000000000000162794F93000007DF000000000000000000000000000000000000003200000000sops-3.7.3/examples/per_file/config.enc/static.py# Load in our dependencies import json # Define our configuration # DEV: THE FOLLOWING CONFIGURATIONS SHOULD NOT CONTAIN ANY SECRETS # THIS FILE IS NOT ENCRYPTED!! common = { 'port': 8080, } development = { } test = { } production = { } config = { 'common': common, 'development': development, 'test': test, 'production': production, } def walk(item, fn): """Traverse dicts and lists to update keys via `fn`""" # If we are looking at a dict, then traverse each of its branches if isinstance(item, dict): for key in item: # Walk our value walk(item[key], fn) # If we are changing our key, then update it new_key = fn(key) if new_key != key: item[new_key] = item[key] del item[key] # Otherwise, if we are looking at a list, walk each of its items elif isinstance(item, list): for val in item: walk(val, fn) # Merge all of our static secrets onto our config # For each of our secrets secret_files = [ 'config/static_github.json', ] for secret_file in secret_files: with open(secret_file, 'r') as file: # Load and parse our JSON data = json.loads(file.read()) # Strip off `_unencrypted` from all keys walk(data, lambda key: key.replace('_unencrypted', '')) # For each of the environments for env_key in data: # Load in the respective source and target env_src = data[env_key] env_target = config[env_key] # Merge info between configs for key in env_src: if key in env_target: raise AssertionError( 'Expected "{env_key}.{key}" to not be defined already ' 'but it was. ' 'Please verify no configs are using the same key' .format(env_key=env_key, key=key)) env_target.update(env_src) 0707010000005F000081A400000000000000000000000162794F930000093F000000000000000000000000000000000000003B00000000sops-3.7.3/examples/per_file/config.enc/static_github.json{ "common": { "github_username_unencrypted": "twolfson-dev", "github_password": "ENC[AES256_GCM,data:wtyRyrcYh1AaoA==,iv:lJKpAdaRjC4jAl+wIT6ozSZanSIEJwEyJkLi0aFHlGg=,tag:NrrARDWsoWqOyQ+oyALHAA==,type:str]" }, "development": {}, "test": { "github_username_unencrypted": "test-user", "github_password": "ENC[AES256_GCM,data:To6eP3uCm+IQo6KCBalF2Q+7zc4=,iv:GZz08Kz9fjCsIk1edHVZRYgSzfF9smzGbllOU6op+z8=,tag:Zrp5RNck7DXCVffX/zmWIQ==,type:str]" }, "production": { "github_username_unencrypted": "twolfson", "github_password": "ENC[AES256_GCM,data:AZ+Yef+hheVBQWtQ6Ys=,iv:RMd4iwMCiNkt2zPyLBakdA9+HaJA9hh2qUbbdNcemLo=,tag:ejPV/E3dwubZl6s1NyZnSA==,type:str]" }, "sops": { "kms": null, "gcp_kms": null, "azure_kv": null, "lastmodified": "2019-12-10T22:47:04Z", "mac": "ENC[AES256_GCM,data:rBKvMg8FroPuKB03JEzRvlnONsca7ByBqoTB18kjXHwr7mmnBYLQP4mWiYPRRRaBDaGtDXx3FH+Igyo84vPwNO2eEN94gv1NpeGqPI1vRUwAkCB3UE3hIQN22zXBEwWO4sUPKzERuG8t5dFF7xO4EyzweZlC+nwtyQUQX78ysGo=,iv:vymJO0wSb+/W4LUiZi9+ov9YVy3la+BopXiqd2X/mbA=,tag:Pm7NolfYB7ELKjHaGdbauQ==,type:str]", "pgp": [ { "created_at": "2019-12-10T22:47:04Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgAJAeWCsS3nqQ+uDy5gj7Fm7evXn/gY5DW7AWJjkXmHqwx\n+IHVERj9JsfFApoUCPu4Om/KB67uegLWk/GFmAtHcwV2GrsGt1AAIURdNSwYf8P7\nLix9fpRwAUlamXS0wDbGQQyNX3X1rIMu7PnL3KLzvfBQUHaVs3+4GpNXjzUVRGgb\nmjtCTsH3u1VYiHrRz0uoWisPDlvn60fPv0mcYdu17sVpgPnC0qmHh6UJd85dGzfy\nSOisauKYkirOfLSJyVCItFD0GwPVd3mbEcxmIokHmaIznck/Tto3sXcQO4Amc54+\nCjXhk0f/KJbKQQg4mbZMaEMISE+/s3H4mBmk2VADJNLgAeS5csP9GjYrFOAHsgGR\nrDIC4SMd4DTgmuEYSOCh4qLAvJfgmOXA0EoByddCKyrCIHDdyq+lFOQq1Hk+kfl/\nruUZSgCy9OCo5FerieGdW/fWfWsKx2CGKczi0Q/ivuFb2QA=\n=rw7+\n-----END PGP MESSAGE-----", "fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4" }, { "created_at": "2019-12-10T22:47:04Z", "enc": "-----BEGIN PGP MESSAGE-----\n\nwYwDXFUltYFwV4MBBACeF7HYThUNm0osc9SEASAnYLB0/qp6IdA6dc0aNHBZxM3Z\nxiOmbGOfImgwWMDGFP3GYFe3NNt/imzy0V+umVWMYxLYb9Hm3yCdVSb6ks9xJwkp\nXWD7vLXXEuVRsLp+IsmMXSRRJ/shBLIORiOMIAiSv92yluNT8PZF3Nv1hA56Y9Lg\nAeR2GEqpdbw6/tIUPMJUHWQf4XZ14DHgkOF9beAN4qqnf1zgsuVA+YmakiS7L5iY\nA/4OMVnCDJBKTD+l91ID5d4k2bQoU+Dm5AmJqm+I6sX6nViQUgyEyjvi+aeOuuG0\nDQA=\n=0KIM\n-----END PGP MESSAGE-----", "fp": "D7229043384BCC60326C6FB9D8720D957C3D3074" } ], "unencrypted_suffix": "_unencrypted", "version": "3.5.0" } }07070100000060000081A400000000000000000000000162794F9300000377000000000000000000000000000000000000002500000000sops-3.7.3/examples/per_file/main.py# Load in our dependencies from __future__ import absolute_import from config.static import config # Define our main function def main(): # Output our configuration # DEV: We use custom keys for a custom sort print('Configuration') print('=============') for env_key in ('common', 'development', 'test', 'production'): # Example: `Environment: common` # Example: `-------------------` env_str = 'Environment: {env_key}'.format(env_key=env_key) print(env_str) print(''.join(['-' for char in env_str])) env_config = config[env_key] for key in sorted(env_config.keys()): # Example: `port: "8080"` print('{key}: "{val}"'.format(key=key, val=env_config[key])) print('') # If this script is being invoked directly, then run our main function if __name__ == '__main__': main() 07070100000061000041ED00000000000000000000000562794F9300000000000000000000000000000000000000000000001C00000000sops-3.7.3/functional-tests07070100000062000081A400000000000000000000000162794F9300000401000000000000000000000000000000000000002700000000sops-3.7.3/functional-tests/.sops.yamlcreation_rules: - path_regex: test_roundtrip_keygroups.yaml key_groups: - pgp: - FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - pgp: - D7229043384BCC60326C6FB9D8720D957C3D3074 - path_regex: test_roundtrip_keygroups_missing_decryption_key.yaml key_groups: - pgp: - FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - pgp: - B611A2F9F11D0FF82568805119F9B5DAEA91FF86 - pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 destination_rules: - s3_bucket: "sops-publish-functional-tests" s3_prefix: "functional-test/" path_regex: test_encrypt_publish_s3.json reencryption_rule: pgp: B611A2F9F11D0FF82568805119F9B5DAEA91FF86 - vault_path: "functional-test/" vault_kv_mount_name: "secret/" vault_kv_version: 2 path_regex: test_encrypt_publish_vault.json - vault_path: "functional-test-version-1/" vault_kv_mount_name: "kv/" vault_kv_version: 1 path_regex: test_encrypt_publish_vault_version_1.json 07070100000063000081A400000000000000000000000162794F93000000EE000000000000000000000000000000000000002700000000sops-3.7.3/functional-tests/Cargo.toml[package] name = "functional-tests" version = "0.1.0" authors = ["Adrian Utrilla <adrianutrilla@gmail.com>"] [dependencies] tempdir = "0.3.5" serde = "1.0" serde_json = "0.8" serde_yaml = "0.5" serde_derive = "1.0" lazy_static = "0.1.*" 07070100000064000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002000000000sops-3.7.3/functional-tests/bin07070100000065000081A400000000000000000000000162794F9300000000000000000000000000000000000000000000002A00000000sops-3.7.3/functional-tests/bin/editor.rs07070100000066000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002000000000sops-3.7.3/functional-tests/res07070100000067000081A400000000000000000000000162794F930000070B000000000000000000000000000000000000003200000000sops-3.7.3/functional-tests/res/comments.enc.yaml#ENC[AES256_GCM,data:IYA+b4ORDq8u9CBQolipWD4HRqoZyA==,iv:F8ldQqGng+WptHuBkFtjrGM+7sRZCsvd0FHq98lrpAE=,tag:ZHbLU9+CELinf5PhhuIzSQ==,type:comment] lorem: ENC[AES256_GCM,data:PhmSdTs=,iv:J5ugEWq6RfyNx+5zDXvcTdoQ18YYZkqesDED7LNzou4=,tag:0Qrom6J6aUnZMZzGz5XCxw==,type:str] #ENC[AES256_GCM,data:HiHCasVRzWUiFxKb3X/AcEeM,iv:bmNg+T91dqGk/CEtVH+FDC53osDCEPmWmJKpLyAU5OM=,tag:bTLDYxQSAfYDCBYccoUokQ==,type:comment] dolor: ENC[AES256_GCM,data:IgvT,iv:wtPNYbDTARFE810PH6ldOLzCDcAjkB/dzPsZjpgHcko=,tag:zwE8P+AwO1hrHkgF6pTbZw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] lastmodified: '2020-10-07T15:49:13Z' mac: ENC[AES256_GCM,data:2dhyKdHYSynjXPwYrn9356wA7vRKw+T5qwBenI2vZrgthpQBOCQG4M6f7eeH3VLTxB4mN4CAchb25dsNRoGr6A38VruaSSAhPco3Rh4AlvKSvXuhgRnzZvNxE/bnHX1D4K5cdTb4FsJg/Ue1l7UcWrlrv1s3H3SwLHP/nf+suD0=,iv:6xBYURjjaQzlUOKOrs2NWOChiNFZVAGPJZQZ59MwX3o=,tag:uXD5VYme+c8eHcCc5TD2YA==,type:str] pgp: - created_at: '2019-08-29T21:52:32Z' enc: | -----BEGIN PGP MESSAGE----- hQEMAyUpShfNkFB/AQgAlvpTj0NYqF4mQyIeM7wX2SHLb4U07/flpqDpp2W/30Pz AHA7sYrgP0l8BrjT2kwtgCN0cdfoIHJudezrNjANp2P5TbP2b9kYYNxpehzB9PFj FixnCS7Zp8WIt1yXr1TX+ANZoXLopVcRbMaQ5OdH7CN1pNQtMR+R3FR3X/IqKxiU Do1YLaooRJICUC8LJw2Tb4K+lYnTSqd/HalLGym++ivFvdDB1Ya1GhT1FswXidXK IRjsOVbxV0q5VeNOR0zxsheOvuHyCje16c7NXJtATJVWtTFABJB8u7CY5HhZSgq+ rXJHyLHqVLzJ8E4WqHQkMNUlVcrqAz7glZ6xbAhfI9JeAYk5SuBOQOQ4yvASqH4K b0N3+/abluBY7YPqKuRZBiEtmcYlZ+zIHuOTP1rD/7L5VY8CwE5U8SFlEqwM7nQJ 6/vtl6qngOFjwt34WrhZzUfLPB/wRV/m1Qv2kr0RNA== =Ykiw -----END PGP MESSAGE----- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 unencrypted_suffix: _unencrypted version: 3.6.1 07070100000068000081A400000000000000000000000162794F9300000043000000000000000000000000000000000000002E00000000sops-3.7.3/functional-tests/res/comments.yaml# first comment in file lorem: ipsum # this-is-a-comment dolor: sit07070100000069000081A400000000000000000000000162794F9300000025000000000000000000000000000000000000003300000000sops-3.7.3/functional-tests/res/comments_list.yamllorem: - foo #this-is-a-comment - bar0707010000006A000081A400000000000000000000000162794F9300000605000000000000000000000000000000000000004300000000sops-3.7.3/functional-tests/res/comments_unencrypted_comments.yaml# first comment in file lorem: ENC[AES256_GCM,data:qVz4paM=,iv:0oGsaw71i3wZKmlyDl8uDhQT9XLvJt3oIyx514X44K8=,tag:acbMS613StWo1IVnKK+5uQ==,type:str] # this-is-a-comment dolor: ENC[AES256_GCM,data:21fI,iv:01LXdHZYwLTeyUB1YWIAM6KF8cPPVsw/RuQO+Ab4pgM=,tag:o1xnCIIoccWzdWxB2kZYKg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] lastmodified: '2019-08-29T22:42:03Z' mac: ENC[AES256_GCM,data:xKkcsqrAHxyqwgv+IVqx52AmrJdC607Dc/Ughna2e2UnnHteXTw7LGt4d0sSlw8LgjaXpa+T6lQ0MgnMPjgTEa20lbtVtauCDdRCnR7Z/Vdk7t7uLl94+STD7C1H6obnOe4fG6c2cUfDNHoeABLetti2ZBZOSZDkWQeCucLys/s=,iv:k9ODJLNYsBedQKMHcgn0KUXPlunOq5jDFH9BeJOyYRE=,tag:d+Ga71V+gijiWLFZ7BhQgg==,type:str] pgp: - created_at: '2019-08-29T22:42:03Z' enc: |- -----BEGIN PGP MESSAGE----- wcBMAyUpShfNkFB/AQgAMgUtep3vurVXoOI1h4Ovr3YbYz+gRHAPGMAUdXQdX7az fmh7Eq+6Eye2wpnAaogJ2RtIoYO1F/jkoQO74mgaLXNu/gtr8b6Ejc61sQSyjnjg N9I50+Bh075TqzToZTo7gOwOlltMjA/UVGD0z+gPHP1MpcVpUvm7C0Ol5L0Co37O UvLrQJjw1x6ktAawWokw910iX9usXiTj87fYvaqutNKRBfh1LI0Os2H8C9xpJu7q I60NcqF7JQbAaaumRroQpF2K7RI1nt+qTshPqWzDLfjzlrCVPnJlxludqvHUKzR3 TnJdb4Dsx3o/XEQkZxpl7RZa9SZZuKg3EejTxOj0ZtLgAeRLzLl0gSeMGvkntASq NQkM4e1p4AjgJOEqrOCw4h0xtdrg9+UczwVpI4rnibRqJZtEhFHRaupX6leAEi1l FMikSjpGSOB55PVMt6+e4ruokoulnq32VRTi07691uEeowA= =ft04 -----END PGP MESSAGE----- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 unencrypted_suffix: _unencrypted version: 3.3.1 0707010000006B000081A400000000000000000000000162794F93000007B5000000000000000000000000000000000000003300000000sops-3.7.3/functional-tests/res/multiple_keys.yamlmessage: ENC[AES256_GCM,data:4soxy1Q=,iv:GGOFFLu8aqMEyoOBdMGdevug7E0R8H0iDyXIKQ5ufzM=,tag:954eipkbSu2U64tx2usiBA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] lastmodified: '2019-08-29T22:22:04Z' mac: ENC[AES256_GCM,data:Rcyh6DKgpd8WNvLqnPhMRYDGztK/WjNJ+SisCD4qL50wxiYUgwRGs5S9I8kOFm4+8pruOcQyCVIDzyjQHZfM1bKs+CnMJTrp1HDz2vhIKkE8O6EdE5+JbNxwc6ZFQE6YThmx6rz93gMHnDOcrO0XG2guGxTumM5xPkZsEBfpIyQ=,iv:YI0Yc2khjy+q1BxiEBDejgymyAQmBkdyl3fQUm76/1Y=,tag:pf4ZbMy9TrpTA/B2qVEkmw==,type:str] pgp: - created_at: '2019-08-29T22:22:04Z' enc: |- -----BEGIN PGP MESSAGE----- wcBMAyUpShfNkFB/AQgAQH8KFrXipAGaHsKjQecpZ4R5PsWg4nqetgsy6FTcAI3j KwvBoXapI+2m5aXjAdO4k76ZxGyyXXdwe6ebbuikxCuDl28m86o9xNxbBv5SxbaO gTxtUR+swcnYRyfVmkd07HhATXQw7b2q4ERNJAVH9zxJcmzNzP6q9eRjePRWXSjn xxzpnS9kQkevuzJXg5dhVZ9HnsuVEthK88c9H3ZZQt/kg3GLaj2XDhFUt9Xy3POl 3Q2dE8xzVXzg5rF+0n8H0WpiRJ7hbvW6kvAanKNUDeNLY2shmkKiIzh4W0f2Vl5Q W1nw23Tga6IQ6mSqLItZB5bYX/C9K33kceV1DYyW+tLgAeTofEdQuueh2myAYmmV Wjap4eAq4F/gi+EpuOAS4jDaEhPgY+UkojNLl9ow2EkyrIMMJCKDSzuZcmZhwTYl 7/RSqGHDHuDX5GvXVgnRiqnoDiPsImCDN5/iNmoSVuG9cgA= =wVy4 -----END PGP MESSAGE----- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 - created_at: '2019-08-29T22:22:04Z' enc: | -----BEGIN PGP MESSAGE----- hIwDXFUltYFwV4MBA/9/qqKDEbT9oZJqB7Z7R1RAz+TStVUzlE9+M0ScFuguBUpd 7doLhhgBYa9ygti5pnAN4E1SI97xPhflGZLTp4OtdTg5UGOUwh6BM0BZI1ai6dlK u4ra0BKOmDzv9SkbTngStXfPPLC9msc6sZe9TER88puqNAZ4DBrTyTtEAmg5wtJe AecV7hxDzAGleAdmaTC+WHkvg/EgwY/9PaU1IMf6tCx8O/bS8JQhxmptO1aAm5Vr dO/SV2m9QStMafO6OG1aGpy3zkVytlxGavkUK+dPp5fYbRYGQVfUiGpgRRZEZg== =NlDf -----END PGP MESSAGE----- fp: D7229043384BCC60326C6FB9D8720D957C3D3074 unencrypted_suffix: _unencrypted version: 3.3.1 0707010000006C000081A400000000000000000000000162794F9300000456000000000000000000000000000000000000002C00000000sops-3.7.3/functional-tests/res/no_mac.yamlmyapp1: ENC[AES256_GCM,data:NjYyOQ1GyFUhy25XX7cz7CZo4tLt,iv:WeWmnZCG7/pm71VMd37ua3LsZ6NnqQzLAyN8ylfYHb8=,tag:zh2hOpxHZ8ON+sJgB+OnTg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] lastmodified: '2019-08-29T22:23:01Z' pgp: - created_at: '2019-08-29T22:23:00Z' enc: |- -----BEGIN PGP MESSAGE----- wcBMAyUpShfNkFB/AQgABuzcPMJSK+DvnPKZVyYlmDLCM9BobLz/7/F8zyX4O00T UN7/0Lc+MwZWUOe7lmTVgorDLcfxLONbLg9nxXO+apbb2gRABRYdggosMFaRUn3+ m+maKQ4yDTIjIvblVa/olN8reD4Bt037mT52IxTZBLDAnyVw45dRTe9mzJ73eTi7 1Mk5s6s1ZH52SQHtbY4TSqCnOKodn3UkTjnFmDXMSAzCwBDmK/wv+fDufXSkLpeR AGufxo697as2bQ8mpqgPPTvB04MgXwnTngUQ8BfagyOndgTCrU9YMA1gewJnJJj4 azRP9SOukqtn0c/LpewiOHHk/w00dMLEk0E8DpxMItLgAeQQGaX95PJfl3vuPeRT 2CA24Qbb4DbgseGimeBG4oS0oCLg4OVDd1tvVtu4+6VGKJr8YvgDk7WpDAK33LoO QBWfQ5mPIeAN5GVWJ2Mk1qcSQTlO9LmM1vPiWojLjOEvZAA= =5Gax -----END PGP MESSAGE----- fp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4 unencrypted_suffix: _unencrypted version: 3.3.1 0707010000006D000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002000000000sops-3.7.3/functional-tests/src0707010000006E000081A400000000000000000000000162794F9300005CEC000000000000000000000000000000000000002700000000sops-3.7.3/functional-tests/src/lib.rsextern crate tempdir; extern crate serde; extern crate serde_json; extern crate serde_yaml; #[macro_use] extern crate lazy_static; #[macro_use] extern crate serde_derive; #[cfg(test)] mod tests { extern crate serde; extern crate serde_json; extern crate serde_yaml; use std::env; use std::fs::File; use std::io::{Write, Read}; use tempdir::TempDir; use std::process::Command; use serde_yaml::Value; use std::path::Path; const SOPS_BINARY_PATH: &'static str = "./sops"; const KMS_KEY: &'static str = "FUNCTIONAL_TEST_KMS_ARN"; macro_rules! assert_encrypted { ($object:expr, $key:expr) => { assert!($object.get(&$key).is_some()); match *$object.get(&$key).unwrap() { Value::String(ref s) => { assert!(s.starts_with("ENC["), "Value is not encrypted"); } _ => panic!("Value under key was not a string"), } } } lazy_static! { static ref TMP_DIR: TempDir = TempDir::new("sops-functional-tests") .expect("Unable to create temporary directory"); } fn prepare_temp_file(name: &str, contents: &[u8]) -> String { let file_path = TMP_DIR.path().join(name); let mut tmp_file = File::create(file_path.clone()).expect("Unable to create temporary file"); tmp_file.write_all(&contents) .expect("Error writing to temporary file"); file_path.to_string_lossy().into_owned() } #[test] fn encrypt_json_file() { let file_path = prepare_temp_file("test_encrypt.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); let output = Command::new(SOPS_BINARY_PATH) .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "sops didn't exit successfully"); let json = &String::from_utf8_lossy(&output.stdout); let data: Value = serde_json::from_str(json).expect("Error parsing sops's JSON output"); match data.into() { Value::Mapping(m) => { assert!(m.get(&Value::String("sops".to_owned())).is_some(), "sops metadata branch not found"); assert_encrypted!(&m, Value::String("foo".to_owned())); assert_encrypted!(&m, Value::String("bar".to_owned())); } _ => panic!("sops's JSON output is not an object"), } } #[test] #[ignore] fn publish_json_file_s3() { let file_path = prepare_temp_file("test_encrypt_publish_s3.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); assert!(Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "SOPS failed to encrypt a file"); assert!(Command::new(SOPS_BINARY_PATH) .arg("publish") .arg("--yes") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "sops failed to publish a file to S3"); //TODO: Check that file exists in S3 Bucket } #[test] fn publish_json_file_vault() { let file_path = prepare_temp_file("test_encrypt_publish_vault.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); assert!(Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "SOPS failed to encrypt a file"); assert!(Command::new(SOPS_BINARY_PATH) .arg("publish") .arg("--yes") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "sops failed to publish a file to Vault"); //TODO: Check that file exists in Vault } #[test] fn publish_json_file_vault_version_1() { let file_path = prepare_temp_file("test_encrypt_publish_vault_version_1.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); assert!(Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "SOPS failed to encrypt a file"); assert!(Command::new(SOPS_BINARY_PATH) .arg("publish") .arg("--yes") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "sops failed to publish a file to Vault"); //TODO: Check that file exists in Vault } #[test] #[ignore] fn encrypt_json_file_kms() { let kms_arn = env::var(KMS_KEY).expect("Expected $FUNCTIONAL_TEST_KMS_ARN env var to be set"); let file_path = prepare_temp_file("test_encrypt_kms.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); let output = Command::new(SOPS_BINARY_PATH) .arg("--kms") .arg(kms_arn) .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "sops didn't exit successfully"); let json = &String::from_utf8_lossy(&output.stdout); let data: Value = serde_json::from_str(json).expect("Error parsing sops's JSON output"); match data.into() { Value::Mapping(m) => { assert!(m.get(&Value::String("sops".to_owned())).is_some(), "sops metadata branch not found"); assert_encrypted!(&m, Value::String("foo".to_owned())); assert_encrypted!(&m, Value::String("bar".to_owned())); } _ => panic!("sops's JSON output is not an object"), } } #[test] fn encrypt_yaml_file() { let file_path = prepare_temp_file("test_encrypt.yaml", b"foo: 2 bar: baz"); let output = Command::new(SOPS_BINARY_PATH) .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "sops didn't exit successfully"); let json = &String::from_utf8_lossy(&output.stdout); let data: Value = serde_yaml::from_str(&json).expect("Error parsing sops's JSON output"); match data.into() { Value::Mapping(m) => { assert!(m.get(&Value::String("sops".to_owned())).is_some(), "sops metadata branch not found"); assert_encrypted!(&m, Value::String("foo".to_owned())); assert_encrypted!(&m, Value::String("bar".to_owned())); } _ => panic!("sops's YAML output is not a mapping"), } } #[test] fn set_json_file_update() { let file_path = prepare_temp_file("test_set_update.json", r#"{"a": 2, "b": "ba"}"#.as_bytes()); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); let output = Command::new(SOPS_BINARY_PATH) .arg("--set") .arg(r#"["a"] {"aa": "aaa"}"#) .arg(file_path.clone()) .output() .expect("Error running sops"); println!("stdout: {}, stderr: {}", String::from_utf8_lossy(&output.stdout), String::from_utf8_lossy(&output.stderr)); let mut s = String::new(); File::open(file_path).unwrap().read_to_string(&mut s).unwrap(); let data: Value = serde_json::from_str(&s).expect("Error parsing sops's JSON output"); if let Value::Mapping(data) = data { let a = data.get(&Value::String("a".to_owned())).unwrap(); if let &Value::Mapping(ref a) = a { assert_encrypted!(&a, Value::String("aa".to_owned())); return; } } panic!("Output JSON does not have the expected structure"); } #[test] fn set_json_file_insert() { let file_path = prepare_temp_file("test_set_insert.json", r#"{"a": 2, "b": "ba"}"#.as_bytes()); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); let output = Command::new(SOPS_BINARY_PATH) .arg("--set") .arg(r#"["c"] {"cc": "ccc"}"#) .arg(file_path.clone()) .output() .expect("Error running sops"); println!("stdout: {}, stderr: {}", String::from_utf8_lossy(&output.stdout), String::from_utf8_lossy(&output.stderr)); let mut s = String::new(); File::open(file_path).unwrap().read_to_string(&mut s).unwrap(); let data: Value = serde_json::from_str(&s).expect("Error parsing sops's JSON output"); if let Value::Mapping(data) = data { let a = data.get(&Value::String("c".to_owned())).unwrap(); if let &Value::Mapping(ref a) = a { assert_encrypted!(&a, Value::String("cc".to_owned())); return; } } panic!("Output JSON does not have the expected structure"); } #[test] fn set_yaml_file_update() { let file_path = prepare_temp_file("test_set_update.yaml", r#"a: 2 b: ba"# .as_bytes()); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); let output = Command::new(SOPS_BINARY_PATH) .arg("--set") .arg(r#"["a"] {"aa": "aaa"}"#) .arg(file_path.clone()) .output() .expect("Error running sops"); println!("stdout: {}, stderr: {}", String::from_utf8_lossy(&output.stdout), String::from_utf8_lossy(&output.stderr)); let mut s = String::new(); File::open(file_path).unwrap().read_to_string(&mut s).unwrap(); let data: Value = serde_yaml::from_str(&s).expect("Error parsing sops's JSON output"); if let Value::Mapping(data) = data { let a = data.get(&Value::String("a".to_owned())).unwrap(); if let &Value::Mapping(ref a) = a { assert_encrypted!(&a, Value::String("aa".to_owned())); return; } } panic!("Output JSON does not have the expected structure"); } #[test] fn set_yaml_file_insert() { let file_path = prepare_temp_file("test_set_insert.yaml", r#"a: 2 b: ba"# .as_bytes()); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); let output = Command::new(SOPS_BINARY_PATH) .arg("--set") .arg(r#"["c"] {"cc": "ccc"}"#) .arg(file_path.clone()) .output() .expect("Error running sops"); println!("stdout: {}, stderr: {}", String::from_utf8_lossy(&output.stdout), String::from_utf8_lossy(&output.stderr)); let mut s = String::new(); File::open(file_path).unwrap().read_to_string(&mut s).unwrap(); let data: Value = serde_yaml::from_str(&s).expect("Error parsing sops's JSON output"); if let Value::Mapping(data) = data { let a = data.get(&Value::String("c".to_owned())).unwrap(); if let &Value::Mapping(ref a) = a { assert_encrypted!(&a, Value::String("cc".to_owned())); return; } } panic!("Output YAML does not have the expected structure"); } #[test] fn set_yaml_file_string() { let file_path = prepare_temp_file("test_set_string.yaml", r#"a: 2 b: ba"# .as_bytes()); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); Command::new(SOPS_BINARY_PATH) .arg("-e") .arg("-i") .arg("--set") .arg(r#"["a"] "aaa""#) .arg(file_path.clone()) .output() .expect("Error running sops"); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg("-i") .arg(file_path.clone()) .output() .expect("Error running sops"); println!("stdout: {}, stderr: {}", String::from_utf8_lossy(&output.stdout), String::from_utf8_lossy(&output.stderr)); let mut s = String::new(); File::open(file_path).unwrap().read_to_string(&mut s).unwrap(); let data: Value = serde_yaml::from_str(&s).expect("Error parsing sops's YAML output"); if let Value::Mapping(data) = data { let a = data.get(&Value::String("a".to_owned())).unwrap(); assert_eq!(a, &Value::String("aaa".to_owned())); } else { panic!("Output JSON does not have the expected structure"); } } #[test] fn decrypt_file_no_mac() { let file_path = prepare_temp_file("test_decrypt_no_mac.yaml", include_bytes!("../res/no_mac.yaml")); assert!(!Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "SOPS allowed decrypting a file with no MAC without --ignore-mac"); assert!(Command::new(SOPS_BINARY_PATH) .arg("-d") .arg("--ignore-mac") .arg(file_path.clone()) .output() .expect("Error running sops") .status .success(), "SOPS failed to decrypt a file with no MAC with --ignore-mac passed in"); } #[test] fn encrypt_comments() { let file_path = "res/comments.yaml"; let output = Command::new(SOPS_BINARY_PATH) .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS didn't return successfully"); assert!(!String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not encrypted"); assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted"); } #[test] fn encrypt_comments_list() { let file_path = "res/comments_list.yaml"; let output = Command::new(SOPS_BINARY_PATH) .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS didn't return successfully"); assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted"); assert!(!String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not encrypted"); } #[test] fn decrypt_comments() { let file_path = "res/comments.enc.yaml"; let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS didn't return successfully"); assert!(String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not decrypted"); assert!(String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not decrypted"); } #[test] fn decrypt_comments_unencrypted_comments() { let file_path = "res/comments_unencrypted_comments.yaml"; let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS didn't return successfully"); assert!(String::from_utf8_lossy(&output.stdout).contains("first comment in file"), "Comment was not decrypted"); assert!(String::from_utf8_lossy(&output.stdout).contains("this-is-a-comment"), "Comment was not decrypted"); } #[test] fn roundtrip_shamir() { // The .sops.yaml file ensures this file is encrypted with two key groups, each with one GPG key let file_path = prepare_temp_file("test_roundtrip_keygroups.yaml", "a: secret".as_bytes()); let output = Command::new(SOPS_BINARY_PATH) .arg("-i") .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS failed to encrypt a file with Shamir Secret Sharing"); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to decrypt a file with Shamir Secret Sharing"); assert!(String::from_utf8_lossy(&output.stdout).contains("secret")); } #[test] fn roundtrip_shamir_missing_decryption_key() { // The .sops.yaml file ensures this file is encrypted with two key groups, each with one GPG key, // but we don't have one of the private keys let file_path = prepare_temp_file("test_roundtrip_keygroups_missing_decryption_key.yaml", "a: secret".as_bytes()); let output = Command::new(SOPS_BINARY_PATH) .arg("-i") .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS failed to encrypt a file with Shamir Secret Sharing"); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(!output.status .success(), "SOPS succeeded decrypting a file with a missing decrytion key"); } #[test] fn test_decrypt_file_multiple_keys() { let file_path = prepare_temp_file("test_decrypt_file_multiple_keys.yaml", include_bytes!("../res/multiple_keys.yaml")); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to decrypt a file that uses multiple keys"); } #[test] fn extract_string() { let file_path = prepare_temp_file("test_extract_string.yaml", "multiline: |\n multi\n line".as_bytes()); let output = Command::new(SOPS_BINARY_PATH) .arg("-i") .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS failed to encrypt a file"); let output = Command::new(SOPS_BINARY_PATH) .arg("--extract") .arg("[\"multiline\"]") .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to extract"); assert_eq!(output.stdout, b"multi\nline"); } #[test] fn roundtrip_binary() { let data = b"\"\"{}this_is_binary_data"; let file_path = prepare_temp_file("test.binary", data); let output = Command::new(SOPS_BINARY_PATH) .arg("-i") .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "SOPS failed to encrypt a binary file"); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to decrypt a binary file"); assert_eq!(output.stdout, data); } #[test] #[ignore] fn roundtrip_kms_encryption_context() { let kms_arn = env::var(KMS_KEY).expect("Expected $FUNCTIONAL_TEST_KMS_ARN env var to be set"); let file_path = prepare_temp_file("test_roundtrip_kms_encryption_context.json", b"{ \"foo\": 2, \"bar\": \"baz\" }"); let output = Command::new(SOPS_BINARY_PATH) .arg("--kms") .arg(kms_arn) .arg("--encryption-context") .arg("foo:bar,one:two") .arg("-i") .arg("-e") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status.success(), "sops didn't exit successfully"); let output = Command::new(SOPS_BINARY_PATH) .arg("-d") .arg(file_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to decrypt a file with KMS Encryption Context"); assert!(String::from_utf8_lossy(&output.stdout).contains("foo")); assert!(String::from_utf8_lossy(&output.stdout).contains("baz")); } #[test] fn output_flag() { let input_path = prepare_temp_file("test_output_flag.binary", b"foo"); let output_path = Path::join(TMP_DIR.path(), "output_flag.txt"); let output = Command::new(SOPS_BINARY_PATH) .arg("--output") .arg(&output_path) .arg("-e") .arg(input_path.clone()) .output() .expect("Error running sops"); assert!(output.status .success(), "SOPS failed to decrypt a binary file"); assert_eq!(output.stdout, &[]); let mut f = File::open(&output_path).expect("output file not found"); let mut contents = String::new(); f.read_to_string(&mut contents) .expect("couldn't read output file contents"); assert_ne!(contents, "", "Output file is empty"); } } 0707010000006F000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001200000000sops-3.7.3/gcpkms07070100000070000081A400000000000000000000000162794F9300001551000000000000000000000000000000000000001F00000000sops-3.7.3/gcpkms/keysource.gopackage gcpkms //import "go.mozilla.org/sops/v3/gcpkms" import ( "encoding/base64" "fmt" "google.golang.org/api/option" "os" "regexp" "strings" "time" "go.mozilla.org/sops/v3/logging" "github.com/sirupsen/logrus" "golang.org/x/net/context" cloudkms "google.golang.org/api/cloudkms/v1" ) var log *logrus.Logger func init() { log = logging.NewLogger("GCPKMS") } // MasterKey is a GCP KMS key used to encrypt and decrypt sops' data key. type MasterKey struct { ResourceID string EncryptedKey string CreationDate time.Time } // EncryptedDataKey returns the encrypted data key this master key holds func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } // Encrypt takes a sops data key, encrypts it with GCP KMS and stores the result in the EncryptedKey field func (key *MasterKey) Encrypt(dataKey []byte) error { cloudkmsService, err := key.createCloudKMSService() if err != nil { log.WithField("resourceID", key.ResourceID).Info("Encryption failed") return fmt.Errorf("Cannot create GCP KMS service: %w", err) } req := &cloudkms.EncryptRequest{ Plaintext: base64.StdEncoding.EncodeToString(dataKey), } resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Encrypt(key.ResourceID, req).Do() if err != nil { log.WithField("resourceID", key.ResourceID).Info("Encryption failed") return fmt.Errorf("Failed to call GCP KMS encryption service: %w", err) } log.WithField("resourceID", key.ResourceID).Info("Encryption succeeded") key.EncryptedKey = resp.Ciphertext return nil } // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(dataKey) } return nil } // Decrypt decrypts the EncryptedKey field with CGP KMS and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { cloudkmsService, err := key.createCloudKMSService() if err != nil { log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, fmt.Errorf("Cannot create GCP KMS service: %w", err) } req := &cloudkms.DecryptRequest{ Ciphertext: key.EncryptedKey, } resp, err := cloudkmsService.Projects.Locations.KeyRings.CryptoKeys.Decrypt(key.ResourceID, req).Do() if err != nil { log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, fmt.Errorf("Error decrypting key: %w", err) } encryptedKey, err := base64.StdEncoding.DecodeString(resp.Plaintext) if err != nil { log.WithField("resourceID", key.ResourceID).Info("Decryption failed") return nil, err } log.WithField("resourceID", key.ResourceID).Info("Decryption succeeded") return encryptedKey, nil } // NeedsRotation returns whether the data key needs to be rotated or not. func (key *MasterKey) NeedsRotation() bool { return time.Since(key.CreationDate) > (time.Hour * 24 * 30 * 6) } // ToString converts the key to a string representation func (key *MasterKey) ToString() string { return key.ResourceID } // NewMasterKeyFromResourceID takes a GCP KMS resource ID string and returns a new MasterKey for that func NewMasterKeyFromResourceID(resourceID string) *MasterKey { k := &MasterKey{} resourceID = strings.Replace(resourceID, " ", "", -1) k.ResourceID = resourceID k.CreationDate = time.Now().UTC() return k } // MasterKeysFromResourceIDString takes a comma separated list of GCP KMS resource IDs and returns a slice of new MasterKeys for them func MasterKeysFromResourceIDString(resourceID string) []*MasterKey { var keys []*MasterKey if resourceID == "" { return keys } for _, s := range strings.Split(resourceID, ",") { keys = append(keys, NewMasterKeyFromResourceID(s)) } return keys } func (key MasterKey) createCloudKMSService() (*cloudkms.Service, error) { re := regexp.MustCompile(`^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$`) matches := re.FindStringSubmatch(key.ResourceID) if matches == nil { return nil, fmt.Errorf("No valid resourceId found in %q", key.ResourceID) } ctx := context.Background() var options []option.ClientOption if credentials, err := getGoogleCredentials(); err != nil { return nil, err } else if len(credentials) > 0 { options = append(options, option.WithCredentialsJSON(credentials)) } cloudkmsService, err := cloudkms.NewService(ctx, options...) if err != nil { return nil, err } return cloudkmsService, nil } // ToMap converts the MasterKey to a map for serialization purposes func (key MasterKey) ToMap() map[string]interface{} { out := make(map[string]interface{}) out["resource_id"] = key.ResourceID out["enc"] = key.EncryptedKey out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) return out } // getGoogleCredentials looks for a GCP Service Account in the environment // variable: GOOGLE_CREDENTIALS, set as either a path to a credentials file or directly as the // variable's value in JSON format. // // If not set, will default to use GOOGLE_APPLICATION_CREDENTIALS func getGoogleCredentials() ([]byte, error) { defaultCredentials := os.Getenv("GOOGLE_CREDENTIALS") if _, err := os.Stat(defaultCredentials); err == nil { return os.ReadFile(defaultCredentials) } return []byte(defaultCredentials), nil } 07070100000071000081A400000000000000000000000162794F930000049F000000000000000000000000000000000000002400000000sops-3.7.3/gcpkms/keysource_test.gopackage gcpkms import ( "testing" "time" "github.com/stretchr/testify/assert" ) func TestGCPKMSKeySourceFromString(t *testing.T) { s := "projects/sops-testing1/locations/global/keyRings/creds/cryptoKeys/key1, projects/sops-testing2/locations/global/keyRings/creds/cryptoKeys/key2" ks := MasterKeysFromResourceIDString(s) k1 := ks[0] k2 := ks[1] expectedResourceID1 := "projects/sops-testing1/locations/global/keyRings/creds/cryptoKeys/key1" expectedResourceID2 := "projects/sops-testing2/locations/global/keyRings/creds/cryptoKeys/key2" if k1.ResourceID != expectedResourceID1 { t.Errorf("ResourceID mismatch. Expected %s, found %s", expectedResourceID1, k1.ResourceID) } if k2.ResourceID != expectedResourceID2 { t.Errorf("ResourceID mismatch. Expected %s, found %s", expectedResourceID2, k2.ResourceID) } } func TestKeyToMap(t *testing.T) { key := MasterKey{ CreationDate: time.Date(2016, time.October, 31, 10, 0, 0, 0, time.UTC), ResourceID: "foo", EncryptedKey: "this is encrypted", } assert.Equal(t, map[string]interface{}{ "resource_id": "foo", "enc": "this is encrypted", "created_at": "2016-10-31T10:00:00Z", }, key.ToMap()) } 07070100000072000081A400000000000000000000000162794F930000158C000000000000000000000000000000000000001200000000sops-3.7.3/go.modmodule go.mozilla.org/sops/v3 go 1.17 require ( cloud.google.com/go/storage v1.22.0 filippo.io/age v1.0.0 github.com/Azure/azure-sdk-for-go v63.3.0+incompatible github.com/Azure/go-autorest/autorest v0.11.26 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5 github.com/aws/aws-sdk-go v1.43.43 github.com/blang/semver v3.5.1+incompatible github.com/fatih/color v1.13.0 github.com/golang/protobuf v1.5.2 github.com/google/go-cmp v0.5.7 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/goware/prefixer v0.0.0-20160118172347-395022866408 github.com/hashicorp/vault/api v1.5.0 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef github.com/lib/pq v1.10.5 github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/go-wordwrap v1.0.1 github.com/ory/dockertest v3.3.5+incompatible github.com/pkg/errors v0.9.1 github.com/sirupsen/logrus v1.8.1 github.com/stretchr/testify v1.7.1 go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 golang.org/x/net v0.0.0-20220420153159-1850ba15e1be golang.org/x/sys v0.0.0-20220412211240-33da011f77ad google.golang.org/api v0.74.0 google.golang.org/grpc v1.45.0 google.golang.org/protobuf v1.28.0 gopkg.in/ini.v1 v1.66.4 gopkg.in/urfave/cli.v1 v1.20.0 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b ) require ( cloud.google.com/go v0.100.2 // indirect cloud.google.com/go/compute v1.5.0 // indirect cloud.google.com/go/iam v0.3.0 // indirect github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/Microsoft/go-winio v0.5.2 // indirect github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect github.com/armon/go-metrics v0.3.10 // indirect github.com/armon/go-radix v1.0.0 // indirect github.com/cenkalti/backoff v2.2.1+incompatible // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/containerd/continuity v0.2.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/dimchansky/utfbom v1.1.1 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-units v0.4.0 // indirect github.com/golang-jwt/jwt/v4 v4.3.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/googleapis/gax-go/v2 v2.2.0 // indirect github.com/googleapis/go-type-adapters v1.0.0 // indirect github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-hclog v1.2.0 // indirect github.com/hashicorp/go-immutable-radix v1.3.1 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-plugin v1.4.3 // indirect github.com/hashicorp/go-retryablehttp v0.7.0 // indirect github.com/hashicorp/go-rootcerts v1.0.2 // indirect github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3 // indirect github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect github.com/hashicorp/go-sockaddr v1.0.2 // indirect github.com/hashicorp/go-uuid v1.0.2 // indirect github.com/hashicorp/go-version v1.4.0 // indirect github.com/hashicorp/golang-lru v0.5.4 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/vault/sdk v0.4.1 // indirect github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-isatty v0.0.14 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/go-testing-interface v1.14.1 // indirect github.com/mitchellh/mapstructure v1.4.3 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/oklog/run v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.0.2 // indirect github.com/opencontainers/runc v1.1.0 // indirect github.com/pierrec/lz4 v2.6.1+incompatible // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect github.com/stretchr/objx v0.3.0 // indirect go.opencensus.io v0.23.0 // indirect go.uber.org/atomic v1.9.0 // indirect golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools v2.2.0+incompatible // indirect ) 07070100000073000081A400000000000000000000000162794F9300018C60000000000000000000000000000000000000001200000000sops-3.7.3/go.sumbazil.org/fuse v0.0.0-20200407214033-5883e5a4b512/go.mod h1:FbcW6z/2VytnFDhZfumh8Ss8zxHE6qpMP5sHTRe0EaM= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To= cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4= cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M= cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc= cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk= cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs= cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc= cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI= cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4= cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA= cloud.google.com/go v0.100.2 h1:t9Iw5QH5v4XtlEQaCtUY7x6sCABps8sW0acw7e2WQ6Y= cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow= cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM= cloud.google.com/go/compute v1.5.0 h1:b1zWmYuuHz7gO9kDcM/EpHGr06UgsYNRpNJzI2kFiLM= cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v0.3.0 h1:exkAomrVUuzx9kWFI1wm3KI0uoDeUFPB4kKGzx6x+Gc= cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU= cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.22.0 h1:NUV0NNp9nkBuW66BFRLuMgldN60C57ET3dhbwLIYio8= cloud.google.com/go/storage v1.22.0/go.mod h1:GbaLEoMqbVm6sx3Z0R++gSiBlgMv6yUi2q1DeGFKQgE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= filippo.io/age v1.0.0 h1:V6q14n0mqYU3qKFkZ6oOaF9oXneOviS3ubXsSVBRSzc= filippo.io/age v1.0.0/go.mod h1:PaX+Si/Sd5G8LgfCwldsSba3H1DDQZhIhFGkhbHaBq8= filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= github.com/Azure/azure-sdk-for-go v63.3.0+incompatible h1:INepVujzUrmArRZjDLHbtER+FkvCoEwyRCXGqOlmDII= github.com/Azure/azure-sdk-for-go v63.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= github.com/Azure/go-autorest/autorest v0.11.26 h1:W/MzvoAiFfL5h4nq81wm7axvITgbnOoifXXGkFrgF1g= github.com/Azure/go-autorest/autorest v0.11.26/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest/adal v0.9.18 h1:kLnPsRjzZZUF3K5REu/Kc+qMQrvuza2bwSnNdhmzLfQ= github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 h1:P6bYXFoao05z5uhOQzbC3Qd8JqF3jUoocoTeIxkp2cA= github.com/Azure/go-autorest/autorest/azure/auth v0.5.11/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 h1:0W/yGmFdTIT77fvdlGZ0LMISoLHFJ7Tx4U0yeB+uFs4= github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw= github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5 h1:cSHEbLj0GZeHM1mWG84qEnGFojNEQ83W7cwaPRjcwXU= github.com/ProtonMail/go-crypto v0.0.0-20220407094043-a94812496cf5/go.mod h1:z4/9nQmJSSwwds7ejkxaJwO37dru3geImFUdJlaLzQo= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.3.9/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-metrics v0.3.10 h1:FR+drcQStOe+32sYyJYyZ7FIdgoGGBnwLl+flodp8Uo= github.com/armon/go-metrics v0.3.10/go.mod h1:4O98XIr/9W0sxpJ8UaYkvjk10Iff7SnFrb4QAOwNTFc= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/aws/aws-sdk-go v1.43.43 h1:1L06qzQvl4aC3Skfh5rV7xVhGHjIZoHcqy16NoyQ1o4= github.com/aws/aws-sdk-go v1.43.43/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= github.com/containerd/continuity v0.2.2 h1:QSqfxcn8c+12slxwu00AtzXrsami0MJb/MQs9lOLHLA= github.com/containerd/continuity v0.2.2/go.mod h1:pWygW9u7LtS1o4N/Tn0FoCFDIXZ7rxcMX7HX1Dmibvk= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo= github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y= github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk= github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.3.0 h1:kHL1vqdqWNfATmA0FNMdmZNMyZI1U6O31X4rlIPoBog= github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk= github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1 h1:d8MncMlErDFTwQGBK1xhv026j9kqhvw1Qv9IbWT1VLQ= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= github.com/googleapis/gax-go/v2 v2.2.0 h1:s7jOdKSaksJVOxE0Y/S32otcfiP+UQ0cL8/GTKaONwE= github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= github.com/googleapis/go-type-adapters v1.0.0 h1:9XdMn+d/G57qq1s8dNc5IesGCXHf6V2HZ2JwRxfA2tA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gotestyourself/gotestyourself v2.2.0+incompatible h1:AQwinXlbQR2HvPjQZOmDhRqsv5mZf+Jb1RnSLxcqZcI= github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY= github.com/goware/prefixer v0.0.0-20160118172347-395022866408 h1:Y9iQJfEqnN3/Nce9cOegemcy/9Ai5k3huT6E80F3zaw= github.com/goware/prefixer v0.0.0-20160118172347-395022866408/go.mod h1:PE1ycukgRPJ7bJ9a1fdfQ9j8i/cEcRAoLZzbxYpNB/s= github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM= github.com/hashicorp/go-hclog v1.2.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ= github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-immutable-radix v1.3.1 h1:DKHmCUm2hRBK510BaiZlwvpD40f8bJFeZnpfm2KLowc= github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g= github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.4.3 h1:DXmvivbWD5qdiBts9TpBC7BYL1Aia5sxbRgQB+v6UZM= github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.0 h1:eu1EI/mbirUgP5C8hVsTNaGZreBDlYiwC1FZWkvQPQ4= github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw= github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 h1:p4AKXPPS24tO8Wc8i1gLvSKdmkiSY5xuju57czJ/IJQ= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3 h1:geBw3SBrxQq+buvbf4K+Qltv1gjaXJxy8asD4CjGYow= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/password v0.1.1/go.mod h1:9hH302QllNwu1o2TGYtSk8I8kTAN0ca1EHpwhm5Mmzo= github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1/go.mod h1:l8slYwnJA26yBz+ErHpp2IRCLr0vuOMGBORIz4rRiAs= github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.4.0 h1:aAQzgqIrRKRa7w75CKpbBxYsmUoPjzVm1W59ca1L0J4= github.com/hashicorp/go-version v1.4.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/vault/api v1.5.0 h1:Bp6yc2bn7CWkOrVIzFT/Qurzx528bdavF3nz590eu28= github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 h1:xixZ2bWeofWV68J+x6AzmKuVM/JWCQwkWm6GW/MUR6I= github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE= github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/lib/pq v1.10.5 h1:J+gdV2cUmX7ZqL2B0lFcW0m+egaHC2V3lpO8nWxyYiQ= github.com/lib/pq v1.10.5/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.6/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA= github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= github.com/opencontainers/runc v1.1.0 h1:O9+X96OcDjkmmZyfaG996kV7yq8HsoU2h1XRRQcefG8= github.com/opencontainers/runc v1.1.0/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/ory/dockertest v3.3.5+incompatible h1:iLLK6SQwIhcbrG783Dghaaa3WPzGc+4Emza6EbVUUGA= github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs= github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM= github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As= github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= github.com/tv42/httpunix v0.0.0-20191220191345-2ba4b9c3382c/go.mod h1:hzIxponao9Kjc7aWznkXaL4U4TWaDSs8zcsY4Ka08nM= github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a h1:N7VD+PwpJME2ZfQT8+ejxwA4Ow10IkGbU0MGf94ll8k= go.mozilla.org/gopgagent v0.0.0-20170926210634-4d7ea76ff71a/go.mod h1:YDKUvO0b//78PaaEro6CAPH6NqohCmL2Cwju5XI2HoE= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY= golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220420153159-1850ba15e1be h1:yx80W7nvY5ySWpaU8UWaj5o9e23YgO9BRhQol7Lc+JI= golang.org/x/net v0.0.0-20220420153159-1850ba15e1be/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE= golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs= golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw= golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8= golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE= google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59tHXo= google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE= google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI= google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I= google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo= google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g= google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA= google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8= google.golang.org/api v0.74.0 h1:ExR2D+5TYIrMphWgs5JCgwRhEDlPDXXrLwHHMgPHTXE= google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA= google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA= google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A= google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210604141403-392c879c8b08/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w= google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI= google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E= google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf h1:JTjwKJX9erVpsw17w+OIPP7iAgEkN/r8urhWSunEDTs= google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k= google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.45.0 h1:NEpgUqV3Z+ZjkqMsxMg11IaDrXY4RY6CQukSGK0uI1M= google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/ini.v1 v1.66.4 h1:SsAcf+mM7mRZo2nJNGt8mZCjG8ZRaNGMURJw7BsIST4= gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/urfave/cli.v1 v1.20.0 h1:NdAVW6RYxDif9DhDHaAortIu956m2c0v+09AZBPTbE0= gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHOQNO0= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= 07070100000074000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/hcvault07070100000075000081A400000000000000000000000162794F9300001F32000000000000000000000000000000000000002000000000sops-3.7.3/hcvault/keysource.gopackage hcvault import ( "bytes" "encoding/base64" "fmt" "io" "net/url" "os" "path" "path/filepath" "regexp" "strings" "time" "github.com/hashicorp/vault/api" homedir "github.com/mitchellh/go-homedir" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3/logging" ) var log *logrus.Logger func init() { log = logging.NewLogger("VAULT_TRANSIT") } // MasterKey is a Vault Transit backend path used to encrypt and decrypt sops' data key. type MasterKey struct { EncryptedKey string KeyName string EnginePath string VaultAddress string CreationDate time.Time } // NewMasterKeysFromURIs gets lots of keys from lots of URIs func NewMasterKeysFromURIs(uris string) ([]*MasterKey, error) { var keys []*MasterKey if uris == "" { return keys, nil } uriList := strings.Split(uris, ",") for _, uri := range uriList { if uri == "" { continue } key, err := NewMasterKeyFromURI(uri) if err != nil { return nil, err } keys = append(keys, key) } return keys, nil } // NewMasterKeyFromURI obtains the vaultAddress the transit backend path and the key name from the full URI of the key func NewMasterKeyFromURI(uri string) (*MasterKey, error) { log.Debugln("Called NewMasterKeyFromURI with uri: ", uri) var key *MasterKey if uri == "" { return key, nil } u, err := url.Parse(uri) if err != nil { return nil, err } if u.Scheme == "" { return nil, fmt.Errorf("missing scheme in vault URL (should be like this: https://vault.example.com:8200/v1/transit/keys/keyName), got: %v", uri) } enginePath, keyName, err := getBackendAndKeyFromPath(u.RequestURI()) if err != nil { return nil, err } u.Path = "" return NewMasterKey(u.String(), enginePath, keyName), nil } func getBackendAndKeyFromPath(fullPath string) (enginePath, keyName string, err error) { // Running vault behind a reverse proxy with longer urls seems not to be supported // by the vault client api so we have a separate Error for that here. if re := regexp.MustCompile(`/[^/]+/v[\d]+/[^/]+/[^/]+/[^/]+`); re.Match([]byte(fullPath)) { return "", "", fmt.Errorf("running Vault with a prefixed url is not supported! (Format has to be like https://vault.example.com:8200/v1/transit/keys/keyName)") } else if re := regexp.MustCompile(`/v[\d]+/[^/]+/[^/]+/[^/]+`); re.Match([]byte(fullPath)) == false { return "", "", fmt.Errorf("vault path does not seem to be formatted correctly: (eg. https://vault.example.com:8200/v1/transit/keys/keyName)") } fullPath = strings.TrimPrefix(fullPath, "/") fullPath = strings.TrimSuffix(fullPath, "/") dirs := strings.Split(fullPath, "/") keyName = dirs[len(dirs)-1] enginePath = path.Join(dirs[1 : len(dirs)-2]...) err = nil return } // NewMasterKey creates a new MasterKey from a vault address, transit backend path and a key name and setting the creation date to the current date func NewMasterKey(addess, enginePath, keyName string) *MasterKey { mk := &MasterKey{ VaultAddress: addess, EnginePath: enginePath, KeyName: keyName, CreationDate: time.Now().UTC(), } log.Debugln("Created Vault Master Key: ", mk) return mk } // EncryptedDataKey returns the encrypted data key this master key holds func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } func vaultClient(address string) (*api.Client, error) { cfg := api.DefaultConfig() cfg.Address = address cli, err := api.NewClient(cfg) if err != nil { return nil, fmt.Errorf("Cannot create Vault Client: %w", err) } if cli.Token() != "" { return cli, nil } homePath, err := homedir.Dir() if err != nil { panic(fmt.Sprintf("error getting user's home directory: %v", err)) } tokenPath := filepath.Join(homePath, ".vault-token") f, err := os.Open(tokenPath) if os.IsNotExist(err) { return cli, nil } if err != nil { return nil, err } defer f.Close() buf := bytes.NewBuffer(nil) if _, err := io.Copy(buf, f); err != nil { return nil, err } cli.SetToken(strings.TrimSpace(buf.String())) return cli, nil } // Encrypt takes a sops data key, encrypts it with Vault Transit and stores the result in the EncryptedKey field func (key *MasterKey) Encrypt(dataKey []byte) error { fullPath := path.Join(key.EnginePath, "encrypt", key.KeyName) cli, err := vaultClient(key.VaultAddress) if err != nil { return err } encoded := base64.StdEncoding.EncodeToString(dataKey) payload := make(map[string]interface{}) payload["plaintext"] = encoded raw, err := cli.Logical().Write(fullPath, payload) if err != nil { log.WithField("Path", fullPath).Info("Encryption failed") return err } if raw == nil || raw.Data == nil { return fmt.Errorf("The transit backend %s is empty", fullPath) } encrypted, ok := raw.Data["ciphertext"] if !ok { return fmt.Errorf("there's not encrypted data") } encryptedKey, ok := encrypted.(string) if !ok { return fmt.Errorf("the ciphertext cannot be casted to string") } key.EncryptedKey = encryptedKey return nil } // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(dataKey) } return nil } // Decrypt decrypts the EncryptedKey field with Vault Transit and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { fullPath := path.Join(key.EnginePath, "decrypt", key.KeyName) cli, err := vaultClient(key.VaultAddress) if err != nil { return nil, err } payload := make(map[string]interface{}) payload["ciphertext"] = key.EncryptedKey raw, err := cli.Logical().Write(fullPath, payload) if err != nil { log.WithField("Path", fullPath).Info("Encryption failed") return nil, err } if raw == nil || raw.Data == nil { return nil, fmt.Errorf("The transit backend %s is empty", fullPath) } decrypted, ok := raw.Data["plaintext"] if ok != true { return nil, fmt.Errorf("there's no decrypted data") } dataKey, ok := decrypted.(string) if ok != true { return nil, fmt.Errorf("the plaintest cannot be casted to string") } result, err := base64.StdEncoding.DecodeString(dataKey) if err != nil { return nil, fmt.Errorf("Couldn't decode base64 plaintext") } return result, nil } // NeedsRotation returns whether the data key needs to be rotated or not. // This is simply copied from GCPKMS // TODO: handle key rotation on vault side func (key *MasterKey) NeedsRotation() bool { //TODO: manage rewrapping https://www.vaultproject.io/api/secret/transit/index.html#rewrap-data return time.Since(key.CreationDate) > (time.Hour * 24 * 30 * 6) } // ToString converts the key to a string representation func (key *MasterKey) ToString() string { return fmt.Sprintf("%s/v1/%s/keys/%s", key.VaultAddress, key.EnginePath, key.KeyName) } func (key *MasterKey) createVaultTransitAndKey() error { cli, err := vaultClient(key.VaultAddress) if err != nil { return err } if err != nil { return fmt.Errorf("Cannot create Vault Client: %w", err) } err = cli.Sys().Mount(key.EnginePath, &api.MountInput{ Type: "transit", Description: "backend transit used by SOPS", }) if err != nil { return err } path := path.Join(key.EnginePath, "keys", key.KeyName) payload := make(map[string]interface{}) payload["type"] = "rsa-4096" _, err = cli.Logical().Write(path, payload) if err != nil { return err } _, err = cli.Logical().Read(path) if err != nil { return err } return nil } // ToMap converts the MasterKey to a map for serialization purposes func (key MasterKey) ToMap() map[string]interface{} { out := make(map[string]interface{}) out["vault_address"] = key.VaultAddress out["key_name"] = key.KeyName out["engine_path"] = key.EnginePath out["enc"] = key.EncryptedKey out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) return out } 07070100000076000081A400000000000000000000000162794F9300000FD2000000000000000000000000000000000000002500000000sops-3.7.3/hcvault/keysource_test.gopackage hcvault import ( "fmt" logger "log" "os" "testing" "time" "github.com/hashicorp/vault/api" "github.com/ory/dockertest" "github.com/stretchr/testify/assert" ) func TestMain(m *testing.M) { // uses a sensible default on windows (tcp/http) and linux/osx (socket) pool, err := dockertest.NewPool("") if err != nil { logger.Fatalf("Could not connect to docker: %s", err) } // pulls an image, creates a container based on it and runs it resource, err := pool.Run("vault", "1.2.2", []string{"VAULT_DEV_ROOT_TOKEN_ID=secret"}) if err != nil { logger.Fatalf("Could not start resource: %s", err) } vaultAddr := fmt.Sprintf("http://%s", resource.GetHostPort("8200/tcp")) os.Setenv("VAULT_ADDR", vaultAddr) os.Setenv("VAULT_TOKEN", "secret") // exponential backoff-retry, because the application in the container might not be ready to accept connections yet if err := pool.Retry(func() error { cli, err := api.NewClient(api.DefaultConfig()) if err != nil { return fmt.Errorf("Cannot create Vault Client: %w", err) } status, err := cli.Sys().InitStatus() if err != nil { return err } if status != true { return fmt.Errorf("Vault not ready yet") } return nil }); err != nil { logger.Fatalf("Could not connect to docker: %s", err) } key := NewMasterKey(vaultAddr, "sops", "main") err = key.createVaultTransitAndKey() if err != nil { logger.Fatal(err) } code := 0 if err == nil { code = m.Run() } // You can't defer this because os.Exit doesn't care for defer if err := pool.Purge(resource); err != nil { logger.Fatalf("Could not purge resource: %s", err) } os.Exit(code) } func TestKeyToMap(t *testing.T) { key := MasterKey{ CreationDate: time.Date(2016, time.October, 31, 10, 0, 0, 0, time.UTC), VaultAddress: "http://127.0.0.1:8200", EnginePath: "foo", KeyName: "bar", EncryptedKey: "this is encrypted", } assert.Equal(t, map[string]interface{}{ "vault_address": "http://127.0.0.1:8200", "engine_path": "foo", "key_name": "bar", "enc": "this is encrypted", "created_at": "2016-10-31T10:00:00Z", }, key.ToMap()) } func TestEncryptionDecryption(t *testing.T) { dataKey := []byte("super very Secret Key!!!") key := MasterKey{ VaultAddress: os.Getenv("VAULT_ADDR"), EnginePath: "sops", KeyName: "main", } err := key.Encrypt(dataKey) if err != nil { fmt.Println(err) t.Fail() return } decrypted, err := key.Decrypt() if err != nil { fmt.Println(err) t.Fail() return } assert.Equal(t, dataKey, decrypted) } func TestNewMasterKeyFromURI(t *testing.T) { uri1 := "https://vault.example.com:8200/v1/transit/keys/keyName" uri2 := "https://vault.me.com/v1/super42/bestmarket/keys/slig" uri3 := "http://127.0.0.1:12121/v1/transit/keys/dev" mk1 := &MasterKey{ VaultAddress: "https://vault.example.com:8200", EnginePath: "transit", KeyName: "keyName", } mk2 := &MasterKey{ VaultAddress: "https://vault.me.com", EnginePath: "super42/bestmarket", KeyName: "slig", } mk3 := &MasterKey{ VaultAddress: "http://127.0.0.1:12121", EnginePath: "transit", KeyName: "dev", } genMk1, err := NewMasterKeyFromURI(uri1) if err != nil { log.Errorln(err) t.Fail() } genMk2, err := NewMasterKeyFromURI(uri2) if err != nil { log.Errorln(err) t.Fail() } genMk3, err := NewMasterKeyFromURI(uri3) if err != nil { log.Errorln(err) t.Fail() } if assert.NotNil(t, genMk1) { mk1.CreationDate = genMk1.CreationDate assert.Equal(t, mk1, genMk1) } if assert.NotNil(t, genMk2) { mk2.CreationDate = genMk2.CreationDate assert.Equal(t, mk2, genMk2) } if assert.NotNil(t, genMk3) { mk3.CreationDate = genMk3.CreationDate assert.Equal(t, mk3, genMk3) } badURIs := []string{ "vault.me/keys/dev/mykey", "http://127.0.0.1:12121/v1/keys/dev", "tcp://127.0.0.1:12121/v1/keys/dev", } for _, uri := range badURIs { if _, err = NewMasterKeyFromURI(uri); err == nil { log.Errorf("Should be a invalid uri: %s", uri) t.Fail() } } } 07070100000077000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001000000000sops-3.7.3/keys07070100000078000081A400000000000000000000000162794F930000017D000000000000000000000000000000000000001800000000sops-3.7.3/keys/keys.gopackage keys // MasterKey provides a way of securing the key used to encrypt the Tree by encrypting and decrypting said key. type MasterKey interface { Encrypt(dataKey []byte) error EncryptIfNeeded(dataKey []byte) error EncryptedDataKey() []byte SetEncryptedDataKey([]byte) Decrypt() ([]byte, error) NeedsRotation() bool ToString() string ToMap() map[string]interface{} } 07070100000079000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001600000000sops-3.7.3/keyservice0707010000007A000081A400000000000000000000000162794F9300000422000000000000000000000000000000000000002000000000sops-3.7.3/keyservice/client.gopackage keyservice import ( "golang.org/x/net/context" "google.golang.org/grpc" ) // LocalClient is a key service client that performs all operations locally type LocalClient struct { Server KeyServiceServer } // NewLocalClient creates a new local client func NewLocalClient() LocalClient { return LocalClient{Server{}} } // NewCustomLocalClient creates a new local client with a non-default backing // KeyServiceServer implementation func NewCustomLocalClient(server KeyServiceServer) LocalClient { return LocalClient{Server: server} } // Decrypt processes a decrypt request locally // See keyservice/server.go for more details func (c LocalClient) Decrypt(ctx context.Context, req *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { return c.Server.Decrypt(ctx, req) } // Encrypt processes an encrypt request locally // See keyservice/server.go for more details func (c LocalClient) Encrypt(ctx context.Context, req *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) { return c.Server.Encrypt(ctx, req) } 0707010000007B000081A400000000000000000000000162794F930000070F000000000000000000000000000000000000002400000000sops-3.7.3/keyservice/keyservice.go/* Package keyservice implements a gRPC API that can be used by SOPS to encrypt and decrypt the data key using remote master keys. */ package keyservice import ( "fmt" "go.mozilla.org/sops/v3/age" "go.mozilla.org/sops/v3/azkv" "go.mozilla.org/sops/v3/gcpkms" "go.mozilla.org/sops/v3/hcvault" "go.mozilla.org/sops/v3/keys" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/pgp" ) // KeyFromMasterKey converts a SOPS internal MasterKey to an RPC Key that can be serialized with Protocol Buffers func KeyFromMasterKey(mk keys.MasterKey) Key { switch mk := mk.(type) { case *pgp.MasterKey: return Key{ KeyType: &Key_PgpKey{ PgpKey: &PgpKey{ Fingerprint: mk.Fingerprint, }, }, } case *gcpkms.MasterKey: return Key{ KeyType: &Key_GcpKmsKey{ GcpKmsKey: &GcpKmsKey{ ResourceId: mk.ResourceID, }, }, } case *hcvault.MasterKey: return Key{ KeyType: &Key_VaultKey{ VaultKey: &VaultKey{ VaultAddress: mk.VaultAddress, EnginePath: mk.EnginePath, KeyName: mk.KeyName, }, }, } case *kms.MasterKey: ctx := make(map[string]string) for k, v := range mk.EncryptionContext { ctx[k] = *v } return Key{ KeyType: &Key_KmsKey{ KmsKey: &KmsKey{ Arn: mk.Arn, Role: mk.Role, Context: ctx, AwsProfile: mk.AwsProfile, }, }, } case *azkv.MasterKey: return Key{ KeyType: &Key_AzureKeyvaultKey{ AzureKeyvaultKey: &AzureKeyVaultKey{ VaultUrl: mk.VaultURL, Name: mk.Name, Version: mk.Version, }, }, } case *age.MasterKey: return Key{ KeyType: &Key_AgeKey{ AgeKey: &AgeKey{ Recipient: mk.Recipient, }, }, } default: panic(fmt.Sprintf("Tried to convert unknown MasterKey type %T to keyservice.Key", mk)) } } 0707010000007C000081A400000000000000000000000162794F93000089E3000000000000000000000000000000000000002700000000sops-3.7.3/keyservice/keyservice.pb.go// Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.23.0 // protoc v3.13.0 // source: keyservice/keyservice.proto package keyservice import ( context "context" proto "github.com/golang/protobuf/proto" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" sync "sync" ) const ( // Verify that this generated code is sufficiently up-to-date. _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) // Verify that runtime/protoimpl is sufficiently up-to-date. _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) // This is a compile-time assertion that a sufficiently up-to-date version // of the legacy proto package is being used. const _ = proto.ProtoPackageIsVersion4 type Key struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields // Types that are assignable to KeyType: // *Key_KmsKey // *Key_PgpKey // *Key_GcpKmsKey // *Key_AzureKeyvaultKey // *Key_VaultKey // *Key_AgeKey KeyType isKey_KeyType `protobuf_oneof:"key_type"` } func (x *Key) Reset() { *x = Key{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *Key) String() string { return protoimpl.X.MessageStringOf(x) } func (*Key) ProtoMessage() {} func (x *Key) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use Key.ProtoReflect.Descriptor instead. func (*Key) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{0} } func (m *Key) GetKeyType() isKey_KeyType { if m != nil { return m.KeyType } return nil } func (x *Key) GetKmsKey() *KmsKey { if x, ok := x.GetKeyType().(*Key_KmsKey); ok { return x.KmsKey } return nil } func (x *Key) GetPgpKey() *PgpKey { if x, ok := x.GetKeyType().(*Key_PgpKey); ok { return x.PgpKey } return nil } func (x *Key) GetGcpKmsKey() *GcpKmsKey { if x, ok := x.GetKeyType().(*Key_GcpKmsKey); ok { return x.GcpKmsKey } return nil } func (x *Key) GetAzureKeyvaultKey() *AzureKeyVaultKey { if x, ok := x.GetKeyType().(*Key_AzureKeyvaultKey); ok { return x.AzureKeyvaultKey } return nil } func (x *Key) GetVaultKey() *VaultKey { if x, ok := x.GetKeyType().(*Key_VaultKey); ok { return x.VaultKey } return nil } func (x *Key) GetAgeKey() *AgeKey { if x, ok := x.GetKeyType().(*Key_AgeKey); ok { return x.AgeKey } return nil } type isKey_KeyType interface { isKey_KeyType() } type Key_KmsKey struct { KmsKey *KmsKey `protobuf:"bytes,1,opt,name=kms_key,json=kmsKey,proto3,oneof"` } type Key_PgpKey struct { PgpKey *PgpKey `protobuf:"bytes,2,opt,name=pgp_key,json=pgpKey,proto3,oneof"` } type Key_GcpKmsKey struct { GcpKmsKey *GcpKmsKey `protobuf:"bytes,3,opt,name=gcp_kms_key,json=gcpKmsKey,proto3,oneof"` } type Key_AzureKeyvaultKey struct { AzureKeyvaultKey *AzureKeyVaultKey `protobuf:"bytes,4,opt,name=azure_keyvault_key,json=azureKeyvaultKey,proto3,oneof"` } type Key_VaultKey struct { VaultKey *VaultKey `protobuf:"bytes,5,opt,name=vault_key,json=vaultKey,proto3,oneof"` } type Key_AgeKey struct { AgeKey *AgeKey `protobuf:"bytes,6,opt,name=age_key,json=ageKey,proto3,oneof"` } func (*Key_KmsKey) isKey_KeyType() {} func (*Key_PgpKey) isKey_KeyType() {} func (*Key_GcpKmsKey) isKey_KeyType() {} func (*Key_AzureKeyvaultKey) isKey_KeyType() {} func (*Key_VaultKey) isKey_KeyType() {} func (*Key_AgeKey) isKey_KeyType() {} type PgpKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Fingerprint string `protobuf:"bytes,1,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"` } func (x *PgpKey) Reset() { *x = PgpKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *PgpKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*PgpKey) ProtoMessage() {} func (x *PgpKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[1] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use PgpKey.ProtoReflect.Descriptor instead. func (*PgpKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{1} } func (x *PgpKey) GetFingerprint() string { if x != nil { return x.Fingerprint } return "" } type KmsKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Arn string `protobuf:"bytes,1,opt,name=arn,proto3" json:"arn,omitempty"` Role string `protobuf:"bytes,2,opt,name=role,proto3" json:"role,omitempty"` Context map[string]string `protobuf:"bytes,3,rep,name=context,proto3" json:"context,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` AwsProfile string `protobuf:"bytes,4,opt,name=aws_profile,json=awsProfile,proto3" json:"aws_profile,omitempty"` } func (x *KmsKey) Reset() { *x = KmsKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *KmsKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*KmsKey) ProtoMessage() {} func (x *KmsKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use KmsKey.ProtoReflect.Descriptor instead. func (*KmsKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{2} } func (x *KmsKey) GetArn() string { if x != nil { return x.Arn } return "" } func (x *KmsKey) GetRole() string { if x != nil { return x.Role } return "" } func (x *KmsKey) GetContext() map[string]string { if x != nil { return x.Context } return nil } func (x *KmsKey) GetAwsProfile() string { if x != nil { return x.AwsProfile } return "" } type GcpKmsKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields ResourceId string `protobuf:"bytes,1,opt,name=resource_id,json=resourceId,proto3" json:"resource_id,omitempty"` } func (x *GcpKmsKey) Reset() { *x = GcpKmsKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *GcpKmsKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*GcpKmsKey) ProtoMessage() {} func (x *GcpKmsKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use GcpKmsKey.ProtoReflect.Descriptor instead. func (*GcpKmsKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{3} } func (x *GcpKmsKey) GetResourceId() string { if x != nil { return x.ResourceId } return "" } type VaultKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields VaultAddress string `protobuf:"bytes,1,opt,name=vault_address,json=vaultAddress,proto3" json:"vault_address,omitempty"` EnginePath string `protobuf:"bytes,2,opt,name=engine_path,json=enginePath,proto3" json:"engine_path,omitempty"` KeyName string `protobuf:"bytes,3,opt,name=key_name,json=keyName,proto3" json:"key_name,omitempty"` } func (x *VaultKey) Reset() { *x = VaultKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *VaultKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*VaultKey) ProtoMessage() {} func (x *VaultKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use VaultKey.ProtoReflect.Descriptor instead. func (*VaultKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{4} } func (x *VaultKey) GetVaultAddress() string { if x != nil { return x.VaultAddress } return "" } func (x *VaultKey) GetEnginePath() string { if x != nil { return x.EnginePath } return "" } func (x *VaultKey) GetKeyName() string { if x != nil { return x.KeyName } return "" } type AzureKeyVaultKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields VaultUrl string `protobuf:"bytes,1,opt,name=vault_url,json=vaultUrl,proto3" json:"vault_url,omitempty"` Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"` } func (x *AzureKeyVaultKey) Reset() { *x = AzureKeyVaultKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *AzureKeyVaultKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*AzureKeyVaultKey) ProtoMessage() {} func (x *AzureKeyVaultKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use AzureKeyVaultKey.ProtoReflect.Descriptor instead. func (*AzureKeyVaultKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{5} } func (x *AzureKeyVaultKey) GetVaultUrl() string { if x != nil { return x.VaultUrl } return "" } func (x *AzureKeyVaultKey) GetName() string { if x != nil { return x.Name } return "" } func (x *AzureKeyVaultKey) GetVersion() string { if x != nil { return x.Version } return "" } type AgeKey struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Recipient string `protobuf:"bytes,1,opt,name=recipient,proto3" json:"recipient,omitempty"` } func (x *AgeKey) Reset() { *x = AgeKey{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *AgeKey) String() string { return protoimpl.X.MessageStringOf(x) } func (*AgeKey) ProtoMessage() {} func (x *AgeKey) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[6] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use AgeKey.ProtoReflect.Descriptor instead. func (*AgeKey) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{6} } func (x *AgeKey) GetRecipient() string { if x != nil { return x.Recipient } return "" } type EncryptRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Key *Key `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` Plaintext []byte `protobuf:"bytes,2,opt,name=plaintext,proto3" json:"plaintext,omitempty"` } func (x *EncryptRequest) Reset() { *x = EncryptRequest{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *EncryptRequest) String() string { return protoimpl.X.MessageStringOf(x) } func (*EncryptRequest) ProtoMessage() {} func (x *EncryptRequest) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[7] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use EncryptRequest.ProtoReflect.Descriptor instead. func (*EncryptRequest) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{7} } func (x *EncryptRequest) GetKey() *Key { if x != nil { return x.Key } return nil } func (x *EncryptRequest) GetPlaintext() []byte { if x != nil { return x.Plaintext } return nil } type EncryptResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Ciphertext []byte `protobuf:"bytes,1,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` } func (x *EncryptResponse) Reset() { *x = EncryptResponse{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *EncryptResponse) String() string { return protoimpl.X.MessageStringOf(x) } func (*EncryptResponse) ProtoMessage() {} func (x *EncryptResponse) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[8] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use EncryptResponse.ProtoReflect.Descriptor instead. func (*EncryptResponse) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{8} } func (x *EncryptResponse) GetCiphertext() []byte { if x != nil { return x.Ciphertext } return nil } type DecryptRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Key *Key `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` Ciphertext []byte `protobuf:"bytes,2,opt,name=ciphertext,proto3" json:"ciphertext,omitempty"` } func (x *DecryptRequest) Reset() { *x = DecryptRequest{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *DecryptRequest) String() string { return protoimpl.X.MessageStringOf(x) } func (*DecryptRequest) ProtoMessage() {} func (x *DecryptRequest) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use DecryptRequest.ProtoReflect.Descriptor instead. func (*DecryptRequest) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{9} } func (x *DecryptRequest) GetKey() *Key { if x != nil { return x.Key } return nil } func (x *DecryptRequest) GetCiphertext() []byte { if x != nil { return x.Ciphertext } return nil } type DecryptResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields Plaintext []byte `protobuf:"bytes,1,opt,name=plaintext,proto3" json:"plaintext,omitempty"` } func (x *DecryptResponse) Reset() { *x = DecryptResponse{} if protoimpl.UnsafeEnabled { mi := &file_keyservice_keyservice_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } } func (x *DecryptResponse) String() string { return protoimpl.X.MessageStringOf(x) } func (*DecryptResponse) ProtoMessage() {} func (x *DecryptResponse) ProtoReflect() protoreflect.Message { mi := &file_keyservice_keyservice_proto_msgTypes[10] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { ms.StoreMessageInfo(mi) } return ms } return mi.MessageOf(x) } // Deprecated: Use DecryptResponse.ProtoReflect.Descriptor instead. func (*DecryptResponse) Descriptor() ([]byte, []int) { return file_keyservice_keyservice_proto_rawDescGZIP(), []int{10} } func (x *DecryptResponse) GetPlaintext() []byte { if x != nil { return x.Plaintext } return nil } var File_keyservice_keyservice_proto protoreflect.FileDescriptor var file_keyservice_keyservice_proto_rawDesc = []byte{ 0x0a, 0x1b, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2f, 0x6b, 0x65, 0x79, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x98, 0x02, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x6b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x70, 0x67, 0x70, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x50, 0x67, 0x70, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x70, 0x67, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x2c, 0x0a, 0x0b, 0x67, 0x63, 0x70, 0x5f, 0x6b, 0x6d, 0x73, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0a, 0x2e, 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x09, 0x67, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x41, 0x0a, 0x12, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x10, 0x61, 0x7a, 0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x09, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x09, 0x2e, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x08, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x07, 0x61, 0x67, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x41, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x48, 0x00, 0x52, 0x06, 0x61, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x42, 0x0a, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x22, 0x2a, 0x0a, 0x06, 0x50, 0x67, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x0a, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x66, 0x69, 0x6e, 0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x22, 0xbb, 0x01, 0x0a, 0x06, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x61, 0x72, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x61, 0x72, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x72, 0x6f, 0x6c, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x61, 0x77, 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x77, 0x73, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x1a, 0x3a, 0x0a, 0x0c, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x2c, 0x0a, 0x09, 0x47, 0x63, 0x70, 0x4b, 0x6d, 0x73, 0x4b, 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0b, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x49, 0x64, 0x22, 0x6b, 0x0a, 0x08, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x23, 0x0a, 0x0d, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x50, 0x61, 0x74, 0x68, 0x12, 0x19, 0x0a, 0x08, 0x6b, 0x65, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x5d, 0x0a, 0x10, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x4b, 0x65, 0x79, 0x56, 0x61, 0x75, 0x6c, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x26, 0x0a, 0x06, 0x41, 0x67, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x72, 0x65, 0x63, 0x69, 0x70, 0x69, 0x65, 0x6e, 0x74, 0x22, 0x46, 0x0a, 0x0e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x22, 0x31, 0x0a, 0x0f, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, 0x48, 0x0a, 0x0e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x04, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x74, 0x65, 0x78, 0x74, 0x22, 0x2f, 0x0a, 0x0f, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70, 0x6c, 0x61, 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x32, 0x6c, 0x0a, 0x0a, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x2e, 0x0a, 0x07, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x07, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x12, 0x0f, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x44, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( file_keyservice_keyservice_proto_rawDescOnce sync.Once file_keyservice_keyservice_proto_rawDescData = file_keyservice_keyservice_proto_rawDesc ) func file_keyservice_keyservice_proto_rawDescGZIP() []byte { file_keyservice_keyservice_proto_rawDescOnce.Do(func() { file_keyservice_keyservice_proto_rawDescData = protoimpl.X.CompressGZIP(file_keyservice_keyservice_proto_rawDescData) }) return file_keyservice_keyservice_proto_rawDescData } var file_keyservice_keyservice_proto_msgTypes = make([]protoimpl.MessageInfo, 12) var file_keyservice_keyservice_proto_goTypes = []interface{}{ (*Key)(nil), // 0: Key (*PgpKey)(nil), // 1: PgpKey (*KmsKey)(nil), // 2: KmsKey (*GcpKmsKey)(nil), // 3: GcpKmsKey (*VaultKey)(nil), // 4: VaultKey (*AzureKeyVaultKey)(nil), // 5: AzureKeyVaultKey (*AgeKey)(nil), // 6: AgeKey (*EncryptRequest)(nil), // 7: EncryptRequest (*EncryptResponse)(nil), // 8: EncryptResponse (*DecryptRequest)(nil), // 9: DecryptRequest (*DecryptResponse)(nil), // 10: DecryptResponse nil, // 11: KmsKey.ContextEntry } var file_keyservice_keyservice_proto_depIdxs = []int32{ 2, // 0: Key.kms_key:type_name -> KmsKey 1, // 1: Key.pgp_key:type_name -> PgpKey 3, // 2: Key.gcp_kms_key:type_name -> GcpKmsKey 5, // 3: Key.azure_keyvault_key:type_name -> AzureKeyVaultKey 4, // 4: Key.vault_key:type_name -> VaultKey 6, // 5: Key.age_key:type_name -> AgeKey 11, // 6: KmsKey.context:type_name -> KmsKey.ContextEntry 0, // 7: EncryptRequest.key:type_name -> Key 0, // 8: DecryptRequest.key:type_name -> Key 7, // 9: KeyService.Encrypt:input_type -> EncryptRequest 9, // 10: KeyService.Decrypt:input_type -> DecryptRequest 8, // 11: KeyService.Encrypt:output_type -> EncryptResponse 10, // 12: KeyService.Decrypt:output_type -> DecryptResponse 11, // [11:13] is the sub-list for method output_type 9, // [9:11] is the sub-list for method input_type 9, // [9:9] is the sub-list for extension type_name 9, // [9:9] is the sub-list for extension extendee 0, // [0:9] is the sub-list for field type_name } func init() { file_keyservice_keyservice_proto_init() } func file_keyservice_keyservice_proto_init() { if File_keyservice_keyservice_proto != nil { return } if !protoimpl.UnsafeEnabled { file_keyservice_keyservice_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Key); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*PgpKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*KmsKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*GcpKmsKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*VaultKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AzureKeyVaultKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*AgeKey); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*EncryptRequest); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*EncryptResponse); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*DecryptRequest); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } file_keyservice_keyservice_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*DecryptResponse); i { case 0: return &v.state case 1: return &v.sizeCache case 2: return &v.unknownFields default: return nil } } } file_keyservice_keyservice_proto_msgTypes[0].OneofWrappers = []interface{}{ (*Key_KmsKey)(nil), (*Key_PgpKey)(nil), (*Key_GcpKmsKey)(nil), (*Key_AzureKeyvaultKey)(nil), (*Key_VaultKey)(nil), (*Key_AgeKey)(nil), } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_keyservice_keyservice_proto_rawDesc, NumEnums: 0, NumMessages: 12, NumExtensions: 0, NumServices: 1, }, GoTypes: file_keyservice_keyservice_proto_goTypes, DependencyIndexes: file_keyservice_keyservice_proto_depIdxs, MessageInfos: file_keyservice_keyservice_proto_msgTypes, }.Build() File_keyservice_keyservice_proto = out.File file_keyservice_keyservice_proto_rawDesc = nil file_keyservice_keyservice_proto_goTypes = nil file_keyservice_keyservice_proto_depIdxs = nil } // Reference imports to suppress errors if they are not otherwise used. var _ context.Context var _ grpc.ClientConnInterface // This is a compile-time assertion to ensure that this generated file // is compatible with the grpc package it is being compiled against. const _ = grpc.SupportPackageIsVersion6 // KeyServiceClient is the client API for KeyService service. // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. type KeyServiceClient interface { Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) } type keyServiceClient struct { cc grpc.ClientConnInterface } func NewKeyServiceClient(cc grpc.ClientConnInterface) KeyServiceClient { return &keyServiceClient{cc} } func (c *keyServiceClient) Encrypt(ctx context.Context, in *EncryptRequest, opts ...grpc.CallOption) (*EncryptResponse, error) { out := new(EncryptResponse) err := c.cc.Invoke(ctx, "/KeyService/Encrypt", in, out, opts...) if err != nil { return nil, err } return out, nil } func (c *keyServiceClient) Decrypt(ctx context.Context, in *DecryptRequest, opts ...grpc.CallOption) (*DecryptResponse, error) { out := new(DecryptResponse) err := c.cc.Invoke(ctx, "/KeyService/Decrypt", in, out, opts...) if err != nil { return nil, err } return out, nil } // KeyServiceServer is the server API for KeyService service. type KeyServiceServer interface { Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) } // UnimplementedKeyServiceServer can be embedded to have forward compatible implementations. type UnimplementedKeyServiceServer struct { } func (*UnimplementedKeyServiceServer) Encrypt(context.Context, *EncryptRequest) (*EncryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Encrypt not implemented") } func (*UnimplementedKeyServiceServer) Decrypt(context.Context, *DecryptRequest) (*DecryptResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Decrypt not implemented") } func RegisterKeyServiceServer(s *grpc.Server, srv KeyServiceServer) { s.RegisterService(&_KeyService_serviceDesc, srv) } func _KeyService_Encrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(EncryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyServiceServer).Encrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/KeyService/Encrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyServiceServer).Encrypt(ctx, req.(*EncryptRequest)) } return interceptor(ctx, in, info, handler) } func _KeyService_Decrypt_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(DecryptRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { return srv.(KeyServiceServer).Decrypt(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, FullMethod: "/KeyService/Decrypt", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(KeyServiceServer).Decrypt(ctx, req.(*DecryptRequest)) } return interceptor(ctx, in, info, handler) } var _KeyService_serviceDesc = grpc.ServiceDesc{ ServiceName: "KeyService", HandlerType: (*KeyServiceServer)(nil), Methods: []grpc.MethodDesc{ { MethodName: "Encrypt", Handler: _KeyService_Encrypt_Handler, }, { MethodName: "Decrypt", Handler: _KeyService_Decrypt_Handler, }, }, Streams: []grpc.StreamDesc{}, Metadata: "keyservice/keyservice.proto", } 0707010000007D000081A400000000000000000000000162794F9300000409000000000000000000000000000000000000002700000000sops-3.7.3/keyservice/keyservice.protosyntax = "proto3"; message Key { oneof key_type { KmsKey kms_key = 1; PgpKey pgp_key = 2; GcpKmsKey gcp_kms_key = 3; AzureKeyVaultKey azure_keyvault_key = 4; VaultKey vault_key = 5; AgeKey age_key = 6; } } message PgpKey { string fingerprint = 1; } message KmsKey { string arn = 1; string role = 2; map<string, string> context = 3; string aws_profile = 4; } message GcpKmsKey { string resource_id = 1; } message VaultKey { string vault_address = 1; string engine_path = 2; string key_name = 3; } message AzureKeyVaultKey { string vault_url = 1; string name = 2; string version = 3; } message AgeKey { string recipient = 1; } message EncryptRequest { Key key = 1; bytes plaintext = 2; } message EncryptResponse { bytes ciphertext = 1; } message DecryptRequest { Key key = 1; bytes ciphertext = 2; } message DecryptResponse { bytes plaintext = 1; } service KeyService { rpc Encrypt (EncryptRequest) returns (EncryptResponse) {} rpc Decrypt (DecryptRequest) returns (DecryptResponse) {} } 0707010000007E000081A400000000000000000000000162794F93000022F9000000000000000000000000000000000000002000000000sops-3.7.3/keyservice/server.gopackage keyservice import ( "fmt" "go.mozilla.org/sops/v3/age" "go.mozilla.org/sops/v3/azkv" "go.mozilla.org/sops/v3/gcpkms" "go.mozilla.org/sops/v3/hcvault" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/pgp" "golang.org/x/net/context" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) // Server is a key service server that uses SOPS MasterKeys to fulfill requests type Server struct { // Prompt indicates whether the server should prompt before decrypting or encrypting data Prompt bool } func (ks *Server) encryptWithPgp(key *PgpKey, plaintext []byte) ([]byte, error) { pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint) err := pgpKey.Encrypt(plaintext) if err != nil { return nil, err } return []byte(pgpKey.EncryptedKey), nil } func (ks *Server) encryptWithKms(key *KmsKey, plaintext []byte) ([]byte, error) { kmsKey := kmsKeyToMasterKey(key) err := kmsKey.Encrypt(plaintext) if err != nil { return nil, err } return []byte(kmsKey.EncryptedKey), nil } func (ks *Server) encryptWithGcpKms(key *GcpKmsKey, plaintext []byte) ([]byte, error) { gcpKmsKey := gcpkms.MasterKey{ ResourceID: key.ResourceId, } err := gcpKmsKey.Encrypt(plaintext) if err != nil { return nil, err } return []byte(gcpKmsKey.EncryptedKey), nil } func (ks *Server) encryptWithAzureKeyVault(key *AzureKeyVaultKey, plaintext []byte) ([]byte, error) { azkvKey := azkv.MasterKey{ VaultURL: key.VaultUrl, Name: key.Name, Version: key.Version, } err := azkvKey.Encrypt(plaintext) if err != nil { return nil, err } return []byte(azkvKey.EncryptedKey), nil } func (ks *Server) encryptWithVault(key *VaultKey, plaintext []byte) ([]byte, error) { vaultKey := hcvault.MasterKey{ VaultAddress: key.VaultAddress, EnginePath: key.EnginePath, KeyName: key.KeyName, } err := vaultKey.Encrypt(plaintext) if err != nil { return nil, err } return []byte(vaultKey.EncryptedKey), nil } func (ks *Server) encryptWithAge(key *AgeKey, plaintext []byte) ([]byte, error) { ageKey := age.MasterKey{ Recipient: key.Recipient, } if err := ageKey.Encrypt(plaintext); err != nil { return nil, err } return []byte(ageKey.EncryptedKey), nil } func (ks *Server) decryptWithPgp(key *PgpKey, ciphertext []byte) ([]byte, error) { pgpKey := pgp.NewMasterKeyFromFingerprint(key.Fingerprint) pgpKey.EncryptedKey = string(ciphertext) plaintext, err := pgpKey.Decrypt() return []byte(plaintext), err } func (ks *Server) decryptWithKms(key *KmsKey, ciphertext []byte) ([]byte, error) { kmsKey := kmsKeyToMasterKey(key) kmsKey.EncryptedKey = string(ciphertext) plaintext, err := kmsKey.Decrypt() return []byte(plaintext), err } func (ks *Server) decryptWithGcpKms(key *GcpKmsKey, ciphertext []byte) ([]byte, error) { gcpKmsKey := gcpkms.MasterKey{ ResourceID: key.ResourceId, } gcpKmsKey.EncryptedKey = string(ciphertext) plaintext, err := gcpKmsKey.Decrypt() return []byte(plaintext), err } func (ks *Server) decryptWithAzureKeyVault(key *AzureKeyVaultKey, ciphertext []byte) ([]byte, error) { azkvKey := azkv.MasterKey{ VaultURL: key.VaultUrl, Name: key.Name, Version: key.Version, } azkvKey.EncryptedKey = string(ciphertext) plaintext, err := azkvKey.Decrypt() return []byte(plaintext), err } func (ks *Server) decryptWithVault(key *VaultKey, ciphertext []byte) ([]byte, error) { vaultKey := hcvault.MasterKey{ VaultAddress: key.VaultAddress, EnginePath: key.EnginePath, KeyName: key.KeyName, } vaultKey.EncryptedKey = string(ciphertext) plaintext, err := vaultKey.Decrypt() return []byte(plaintext), err } func (ks *Server) decryptWithAge(key *AgeKey, ciphertext []byte) ([]byte, error) { ageKey := age.MasterKey{ Recipient: key.Recipient, } ageKey.EncryptedKey = string(ciphertext) plaintext, err := ageKey.Decrypt() return []byte(plaintext), err } // Encrypt takes an encrypt request and encrypts the provided plaintext with the provided key, returning the encrypted // result func (ks Server) Encrypt(ctx context.Context, req *EncryptRequest) (*EncryptResponse, error) { key := *req.Key var response *EncryptResponse switch k := key.KeyType.(type) { case *Key_PgpKey: ciphertext, err := ks.encryptWithPgp(k.PgpKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case *Key_KmsKey: ciphertext, err := ks.encryptWithKms(k.KmsKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case *Key_GcpKmsKey: ciphertext, err := ks.encryptWithGcpKms(k.GcpKmsKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case *Key_AzureKeyvaultKey: ciphertext, err := ks.encryptWithAzureKeyVault(k.AzureKeyvaultKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case *Key_VaultKey: ciphertext, err := ks.encryptWithVault(k.VaultKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case *Key_AgeKey: ciphertext, err := ks.encryptWithAge(k.AgeKey, req.Plaintext) if err != nil { return nil, err } response = &EncryptResponse{ Ciphertext: ciphertext, } case nil: return nil, status.Errorf(codes.NotFound, "Must provide a key") default: return nil, status.Errorf(codes.NotFound, "Unknown key type") } if ks.Prompt { err := ks.prompt(key, "encrypt") if err != nil { return nil, err } } return response, nil } func keyToString(key Key) string { switch k := key.KeyType.(type) { case *Key_PgpKey: return fmt.Sprintf("PGP key with fingerprint %s", k.PgpKey.Fingerprint) case *Key_KmsKey: return fmt.Sprintf("AWS KMS key with ARN %s", k.KmsKey.Arn) case *Key_GcpKmsKey: return fmt.Sprintf("GCP KMS key with resource ID %s", k.GcpKmsKey.ResourceId) case *Key_AzureKeyvaultKey: return fmt.Sprintf("Azure Key Vault key with URL %s/keys/%s/%s", k.AzureKeyvaultKey.VaultUrl, k.AzureKeyvaultKey.Name, k.AzureKeyvaultKey.Version) case *Key_VaultKey: return fmt.Sprintf("Hashicorp Vault key with URI %s/v1/%s/keys/%s", k.VaultKey.VaultAddress, k.VaultKey.EnginePath, k.VaultKey.KeyName) default: return fmt.Sprintf("Unknown key type") } } func (ks Server) prompt(key Key, requestType string) error { keyString := keyToString(key) var response string for response != "y" && response != "n" { fmt.Printf("\nReceived %s request using %s. Respond to request? (y/n): ", requestType, keyString) _, err := fmt.Scanln(&response) if err != nil { return err } } if response == "n" { return grpc.Errorf(codes.PermissionDenied, "Request rejected by user") } return nil } // Decrypt takes a decrypt request and decrypts the provided ciphertext with the provided key, returning the decrypted // result func (ks Server) Decrypt(ctx context.Context, req *DecryptRequest) (*DecryptResponse, error) { key := *req.Key var response *DecryptResponse switch k := key.KeyType.(type) { case *Key_PgpKey: plaintext, err := ks.decryptWithPgp(k.PgpKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case *Key_KmsKey: plaintext, err := ks.decryptWithKms(k.KmsKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case *Key_GcpKmsKey: plaintext, err := ks.decryptWithGcpKms(k.GcpKmsKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case *Key_AzureKeyvaultKey: plaintext, err := ks.decryptWithAzureKeyVault(k.AzureKeyvaultKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case *Key_VaultKey: plaintext, err := ks.decryptWithVault(k.VaultKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case *Key_AgeKey: plaintext, err := ks.decryptWithAge(k.AgeKey, req.Ciphertext) if err != nil { return nil, err } response = &DecryptResponse{ Plaintext: plaintext, } case nil: return nil, grpc.Errorf(codes.NotFound, "Must provide a key") default: return nil, grpc.Errorf(codes.NotFound, "Unknown key type") } if ks.Prompt { err := ks.prompt(key, "decrypt") if err != nil { return nil, err } } return response, nil } func kmsKeyToMasterKey(key *KmsKey) kms.MasterKey { ctx := make(map[string]*string) for k, v := range key.Context { value := v // Allocate a new string to prevent the pointer below from referring to only the last iteration value ctx[k] = &value } return kms.MasterKey{ Arn: key.Arn, Role: key.Role, EncryptionContext: ctx, AwsProfile: key.AwsProfile, } } 0707010000007F000081A400000000000000000000000162794F9300000A08000000000000000000000000000000000000002500000000sops-3.7.3/keyservice/server_test.gopackage keyservice import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "testing" ) func TestKmsKeyToMasterKey(t *testing.T) { cases := []struct { description string expectedArn string expectedRole string expectedCtx map[string]string expectedAwsProfile string }{ { description: "empty context", expectedArn: "arn:aws:kms:eu-west-1:123456789012:key/d5c90a06-f824-4628-922b-12424571ed4d", expectedRole: "ExampleRole", expectedCtx: map[string]string{}, expectedAwsProfile: "", }, { description: "context with one key-value pair", expectedArn: "arn:aws:kms:eu-west-1:123456789012:key/d5c90a06-f824-4628-922b-12424571ed4d", expectedRole: "", expectedCtx: map[string]string{ "firstKey": "first value", }, expectedAwsProfile: "ExampleProfile", }, { description: "context with three key-value pairs", expectedArn: "arn:aws:kms:eu-west-1:123456789012:key/d5c90a06-f824-4628-922b-12424571ed4d", expectedRole: "", expectedCtx: map[string]string{ "firstKey": "first value", "secondKey": "second value", "thirdKey": "third value", }, expectedAwsProfile: "", }, } for _, c := range cases { t.Run(c.description, func(t *testing.T) { inputCtx := make(map[string]string) for k, v := range c.expectedCtx { inputCtx[k] = v } key := &KmsKey{ Arn: c.expectedArn, Role: c.expectedRole, Context: inputCtx, AwsProfile: c.expectedAwsProfile, } masterKey := kmsKeyToMasterKey(key) foundCtx := masterKey.EncryptionContext for k := range c.expectedCtx { require.Containsf(t, foundCtx, k, "Context does not contain expected key '%s'", k) } for k := range foundCtx { require.Containsf(t, c.expectedCtx, k, "Context contains an unexpected key '%s' which cannot be found from expected map", k) } for k, expected := range c.expectedCtx { foundVal := *foundCtx[k] assert.Equalf(t, expected, foundVal, "Context key '%s' value '%s' does not match expected value '%s'", k, foundVal, expected) } assert.Equalf(t, c.expectedArn, masterKey.Arn, "Expected ARN to be '%s', but found '%s'", c.expectedArn, masterKey.Arn) assert.Equalf(t, c.expectedRole, masterKey.Role, "Expected Role to be '%s', but found '%s'", c.expectedRole, masterKey.Role) assert.Equalf(t, c.expectedAwsProfile, masterKey.AwsProfile, "Expected AWS profile to be '%s', but found '%s'", c.expectedAwsProfile, masterKey.AwsProfile) }) } } 07070100000080000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/kms07070100000081000081A400000000000000000000000162794F930000229C000000000000000000000000000000000000001C00000000sops-3.7.3/kms/keysource.go/* Package kms contains an implementation of the go.mozilla.org/sops/v3.MasterKey interface that encrypts and decrypts the data key using AWS KMS with the AWS Go SDK. */ package kms //import "go.mozilla.org/sops/v3/kms" import ( "encoding/base64" "fmt" "os" "regexp" "strings" "time" "go.mozilla.org/sops/v3/logging" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/aws/aws-sdk-go/service/kms/kmsiface" "github.com/aws/aws-sdk-go/service/sts" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("AWSKMS") } // this needs to be a global var for unit tests to work (mockKMS redefines // it in keysource_test.go) var kmsSvc kmsiface.KMSAPI var isMocked bool // MasterKey is a AWS KMS key used to encrypt and decrypt sops' data key. type MasterKey struct { Arn string Role string EncryptedKey string CreationDate time.Time EncryptionContext map[string]*string AwsProfile string } // EncryptedDataKey returns the encrypted data key this master key holds func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } // Encrypt takes a sops data key, encrypts it with KMS and stores the result in the EncryptedKey field func (key *MasterKey) Encrypt(dataKey []byte) error { // isMocked is set by unit test to indicate that the KMS service // has already been initialized. it's ugly, but it works. if kmsSvc == nil || !isMocked { sess, err := key.createSession() if err != nil { log.WithField("arn", key.Arn).Info("Encryption failed") return fmt.Errorf("Failed to create session: %w", err) } kmsSvc = kms.New(sess) } out, err := kmsSvc.Encrypt(&kms.EncryptInput{Plaintext: dataKey, KeyId: &key.Arn, EncryptionContext: key.EncryptionContext}) if err != nil { log.WithField("arn", key.Arn).Info("Encryption failed") return fmt.Errorf("Failed to call KMS encryption service: %w", err) } key.EncryptedKey = base64.StdEncoding.EncodeToString(out.CiphertextBlob) log.WithField("arn", key.Arn).Info("Encryption succeeded") return nil } // EncryptIfNeeded encrypts the provided sops' data key and encrypts it if it hasn't been encrypted yet func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(dataKey) } return nil } // Decrypt decrypts the EncryptedKey field with AWS KMS and returns the result. func (key *MasterKey) Decrypt() ([]byte, error) { k, err := base64.StdEncoding.DecodeString(key.EncryptedKey) if err != nil { log.WithField("arn", key.Arn).Info("Decryption failed") return nil, fmt.Errorf("Error base64-decoding encrypted data key: %s", err) } // isMocked is set by unit test to indicate that the KMS service // has already been initialized. it's ugly, but it works. if kmsSvc == nil || !isMocked { sess, err := key.createSession() if err != nil { log.WithField("arn", key.Arn).Info("Decryption failed") return nil, fmt.Errorf("Error creating AWS session: %w", err) } kmsSvc = kms.New(sess) } decrypted, err := kmsSvc.Decrypt(&kms.DecryptInput{CiphertextBlob: k, EncryptionContext: key.EncryptionContext}) if err != nil { log.WithField("arn", key.Arn).Info("Decryption failed") return nil, fmt.Errorf("Error decrypting key: %w", err) } log.WithField("arn", key.Arn).Info("Decryption succeeded") return decrypted.Plaintext, nil } // NeedsRotation returns whether the data key needs to be rotated or not. func (key *MasterKey) NeedsRotation() bool { return time.Since(key.CreationDate) > (time.Hour * 24 * 30 * 6) } // ToString converts the key to a string representation func (key *MasterKey) ToString() string { return key.Arn } // NewMasterKey creates a new MasterKey from an ARN, role and context, setting the creation date to the current date func NewMasterKey(arn string, role string, context map[string]*string) *MasterKey { return &MasterKey{ Arn: arn, Role: role, EncryptionContext: context, CreationDate: time.Now().UTC(), } } // NewMasterKeyFromArn takes an ARN string and returns a new MasterKey for that ARN func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile string) *MasterKey { k := &MasterKey{} arn = strings.Replace(arn, " ", "", -1) roleIndex := strings.Index(arn, "+arn:aws:iam::") if roleIndex > 0 { k.Arn = arn[:roleIndex] k.Role = arn[roleIndex+1:] } else { k.Arn = arn } k.EncryptionContext = context k.CreationDate = time.Now().UTC() k.AwsProfile = awsProfile return k } // MasterKeysFromArnString takes a comma separated list of AWS KMS ARNs and returns a slice of new MasterKeys for those ARNs func MasterKeysFromArnString(arn string, context map[string]*string, awsProfile string) []*MasterKey { var keys []*MasterKey if arn == "" { return keys } for _, s := range strings.Split(arn, ",") { keys = append(keys, NewMasterKeyFromArn(s, context, awsProfile)) } return keys } func (key MasterKey) createStsSession(config aws.Config, sess *session.Session) (*session.Session, error) { hostname, err := os.Hostname() if err != nil { return nil, err } stsRoleSessionNameRe, err := regexp.Compile("[^a-zA-Z0-9=,.@-]+") if err != nil { return nil, fmt.Errorf("Failed to compile STS role session name regex: %w", err) } sanitizedHostname := stsRoleSessionNameRe.ReplaceAllString(hostname, "") stsService := sts.New(sess) name := "sops@" + sanitizedHostname // Make sure the name is no longer than 64 characters (role session name length limit from AWS) roleSessionNameLengthLimit := 64 if len(name) >= roleSessionNameLengthLimit { name = name[:roleSessionNameLengthLimit] } out, err := stsService.AssumeRole(&sts.AssumeRoleInput{ RoleArn: &key.Role, RoleSessionName: &name}) if err != nil { return nil, fmt.Errorf("Failed to assume role %q: %w", key.Role, err) } config.Credentials = credentials.NewStaticCredentials(*out.Credentials.AccessKeyId, *out.Credentials.SecretAccessKey, *out.Credentials.SessionToken) sess, err = session.NewSession(&config) if err != nil { return nil, fmt.Errorf("Failed to create new aws session: %w", err) } return sess, nil } func (key MasterKey) createSession() (*session.Session, error) { re := regexp.MustCompile(`^arn:aws[\w-]*:kms:(.+):[0-9]+:(key|alias)/.+$`) matches := re.FindStringSubmatch(key.Arn) if matches == nil { return nil, fmt.Errorf("No valid ARN found in %q", key.Arn) } config := aws.Config{Region: aws.String(matches[1])} opts := session.Options{ Profile: key.AwsProfile, Config: config, AssumeRoleTokenProvider: stscreds.StdinTokenProvider, SharedConfigState: session.SharedConfigEnable, } sess, err := session.NewSessionWithOptions(opts) if err != nil { return nil, err } if key.Role != "" { return key.createStsSession(config, sess) } return sess, nil } // ToMap converts the MasterKey to a map for serialization purposes func (key MasterKey) ToMap() map[string]interface{} { out := make(map[string]interface{}) out["arn"] = key.Arn if key.Role != "" { out["role"] = key.Role } out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) out["enc"] = key.EncryptedKey if key.EncryptionContext != nil { outcontext := make(map[string]string) for k, v := range key.EncryptionContext { outcontext[k] = *v } out["context"] = outcontext } return out } // ParseKMSContext takes either a KMS context map or a comma-separated list of KMS context key:value pairs and returns a map func ParseKMSContext(in interface{}) map[string]*string { nonStringValueWarning := "Encryption context contains a non-string value, context will not be used" out := make(map[string]*string) switch in := in.(type) { case map[string]interface{}: if len(in) == 0 { return nil } for k, v := range in { value, ok := v.(string) if !ok { log.Warn(nonStringValueWarning) return nil } out[k] = &value } case map[interface{}]interface{}: if len(in) == 0 { return nil } for k, v := range in { key, ok := k.(string) if !ok { log.Warn(nonStringValueWarning) return nil } value, ok := v.(string) if !ok { log.Warn(nonStringValueWarning) return nil } out[key] = &value } case string: if in == "" { return nil } for _, kv := range strings.Split(in, ",") { kv := strings.Split(kv, ":") if len(kv) != 2 { log.Warn(nonStringValueWarning) return nil } out[kv[0]] = &kv[1] } } return out } 07070100000082000081A400000000000000000000000162794F9300001042000000000000000000000000000000000000002100000000sops-3.7.3/kms/keysource_test.gopackage kms import ( "bytes" "testing" "testing/quick" "time" "github.com/aws/aws-sdk-go/service/kms" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "go.mozilla.org/sops/v3/kms/mocks" ) func TestKMS(t *testing.T) { mockKMS := &mocks.KMSAPI{} defer mockKMS.AssertExpectations(t) kmsSvc = mockKMS isMocked = true encryptOutput := &kms.EncryptOutput{} decryptOutput := &kms.DecryptOutput{} mockKMS.On("Encrypt", mock.AnythingOfType("*kms.EncryptInput")).Return(encryptOutput, nil).Run(func(args mock.Arguments) { encryptOutput.CiphertextBlob = args.Get(0).(*kms.EncryptInput).Plaintext }) mockKMS.On("Decrypt", mock.AnythingOfType("*kms.DecryptInput")).Return(decryptOutput, nil).Run(func(args mock.Arguments) { decryptOutput.Plaintext = args.Get(0).(*kms.DecryptInput).CiphertextBlob }) k := MasterKey{Arn: "arn:aws:kms:us-east-1:927034868273:key/e9fc75db-05e9-44c1-9c35-633922bac347", Role: "", EncryptedKey: ""} f := func(x []byte) bool { err := k.Encrypt(x) if err != nil { log.Println(err) } v, err := k.Decrypt() if err != nil { log.Println(err) } return bytes.Equal(v, x) } config := quick.Config{} if testing.Short() { config.MaxCount = 10 } if err := quick.Check(f, &config); err != nil { t.Error(err) } } func TestKMSKeySourceFromString(t *testing.T) { s := "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e+arn:aws:iam::927034868273:role/sops-dev, arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" ks := MasterKeysFromArnString(s, nil, "foo") k1 := ks[0] k2 := ks[1] expectedArn1 := "arn:aws:kms:us-east-1:656532927350:key/920aff2e-c5f1-4040-943a-047fa387b27e" expectedRole1 := "arn:aws:iam::927034868273:role/sops-dev" if k1.Arn != expectedArn1 { t.Errorf("ARN mismatch. Expected %s, found %s", expectedArn1, k1.Arn) } if k1.Role != expectedRole1 { t.Errorf("Role mismatch. Expected %s, found %s", expectedRole1, k1.Role) } expectedArn2 := "arn:aws:kms:ap-southeast-1:656532927350:key/9006a8aa-0fa6-4c14-930e-a2dfb916de1d" expectedRole2 := "" if k2.Arn != expectedArn2 { t.Errorf("ARN mismatch. Expected %s, found %s", expectedArn2, k2.Arn) } if k2.Role != expectedRole2 { t.Errorf("Role mismatch. Expected empty role, found %s.", k2.Role) } } func TestParseEncryptionContext(t *testing.T) { value1 := "value1" value2 := "value2" // map from YAML var yamlmap = map[interface{}]interface{}{ "key1": value1, "key2": value2, } assert.Equal(t, ParseKMSContext(yamlmap), map[string]*string{ "key1": &value1, "key2": &value2, }) assert.Nil(t, ParseKMSContext(map[interface{}]interface{}{})) assert.Nil(t, ParseKMSContext(map[interface{}]interface{}{ "key1": 1, })) assert.Nil(t, ParseKMSContext(map[interface{}]interface{}{ 1: "value", })) // map from JSON var jsonmap = map[string]interface{}{ "key1": value1, "key2": value2, } assert.Equal(t, ParseKMSContext(jsonmap), map[string]*string{ "key1": &value1, "key2": &value2, }) assert.Nil(t, ParseKMSContext(map[string]interface{}{})) assert.Nil(t, ParseKMSContext(map[string]interface{}{ "key1": 1, })) // sops 2.0.x formatted encryption context as a comma-separated list of key:value pairs assert.Equal(t, ParseKMSContext("key1:value1,key2:value2"), map[string]*string{ "key1": &value1, "key2": &value2, }) assert.Equal(t, ParseKMSContext("key1:value1"), map[string]*string{ "key1": &value1, }) assert.Nil(t, ParseKMSContext("key1,key2:value2")) assert.Nil(t, ParseKMSContext("key1")) } func TestKeyToMap(t *testing.T) { value1 := "value1" value2 := "value2" key := MasterKey{ CreationDate: time.Date(2016, time.October, 31, 10, 0, 0, 0, time.UTC), Arn: "foo", Role: "bar", EncryptedKey: "this is encrypted", EncryptionContext: map[string]*string{ "key1": &value1, "key2": &value2, }, } assert.Equal(t, map[string]interface{}{ "arn": "foo", "role": "bar", "enc": "this is encrypted", "created_at": "2016-10-31T10:00:00Z", "context": map[string]string{ "key1": value1, "key2": value2, }, }, key.ToMap()) } 07070100000083000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001500000000sops-3.7.3/kms/mocks07070100000084000081A400000000000000000000000162794F930001B9D8000000000000000000000000000000000000001F00000000sops-3.7.3/kms/mocks/KMSAPI.go// Code generated by mockery v1.0.0. DO NOT EDIT. package mocks import ( context "context" kms "github.com/aws/aws-sdk-go/service/kms" mock "github.com/stretchr/testify/mock" request "github.com/aws/aws-sdk-go/aws/request" ) // KMSAPI is an autogenerated mock type for the KMSAPI type type KMSAPI struct { mock.Mock } // CancelKeyDeletion provides a mock function with given fields: _a0 func (_m *KMSAPI) CancelKeyDeletion(_a0 *kms.CancelKeyDeletionInput) (*kms.CancelKeyDeletionOutput, error) { ret := _m.Called(_a0) var r0 *kms.CancelKeyDeletionOutput if rf, ok := ret.Get(0).(func(*kms.CancelKeyDeletionInput) *kms.CancelKeyDeletionOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CancelKeyDeletionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.CancelKeyDeletionInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // CancelKeyDeletionRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) CancelKeyDeletionRequest(_a0 *kms.CancelKeyDeletionInput) (*request.Request, *kms.CancelKeyDeletionOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.CancelKeyDeletionInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.CancelKeyDeletionOutput if rf, ok := ret.Get(1).(func(*kms.CancelKeyDeletionInput) *kms.CancelKeyDeletionOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.CancelKeyDeletionOutput) } } return r0, r1 } // CancelKeyDeletionWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) CancelKeyDeletionWithContext(_a0 context.Context, _a1 *kms.CancelKeyDeletionInput, _a2 ...request.Option) (*kms.CancelKeyDeletionOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.CancelKeyDeletionOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.CancelKeyDeletionInput, ...request.Option) *kms.CancelKeyDeletionOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CancelKeyDeletionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.CancelKeyDeletionInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ConnectCustomKeyStore provides a mock function with given fields: _a0 func (_m *KMSAPI) ConnectCustomKeyStore(_a0 *kms.ConnectCustomKeyStoreInput) (*kms.ConnectCustomKeyStoreOutput, error) { ret := _m.Called(_a0) var r0 *kms.ConnectCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(*kms.ConnectCustomKeyStoreInput) *kms.ConnectCustomKeyStoreOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ConnectCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ConnectCustomKeyStoreInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ConnectCustomKeyStoreRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ConnectCustomKeyStoreRequest(_a0 *kms.ConnectCustomKeyStoreInput) (*request.Request, *kms.ConnectCustomKeyStoreOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ConnectCustomKeyStoreInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ConnectCustomKeyStoreOutput if rf, ok := ret.Get(1).(func(*kms.ConnectCustomKeyStoreInput) *kms.ConnectCustomKeyStoreOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ConnectCustomKeyStoreOutput) } } return r0, r1 } // ConnectCustomKeyStoreWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ConnectCustomKeyStoreWithContext(_a0 context.Context, _a1 *kms.ConnectCustomKeyStoreInput, _a2 ...request.Option) (*kms.ConnectCustomKeyStoreOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ConnectCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ConnectCustomKeyStoreInput, ...request.Option) *kms.ConnectCustomKeyStoreOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ConnectCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ConnectCustomKeyStoreInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // CreateAlias provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateAlias(_a0 *kms.CreateAliasInput) (*kms.CreateAliasOutput, error) { ret := _m.Called(_a0) var r0 *kms.CreateAliasOutput if rf, ok := ret.Get(0).(func(*kms.CreateAliasInput) *kms.CreateAliasOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.CreateAliasInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // CreateAliasRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateAliasRequest(_a0 *kms.CreateAliasInput) (*request.Request, *kms.CreateAliasOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.CreateAliasInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.CreateAliasOutput if rf, ok := ret.Get(1).(func(*kms.CreateAliasInput) *kms.CreateAliasOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.CreateAliasOutput) } } return r0, r1 } // CreateAliasWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) CreateAliasWithContext(_a0 context.Context, _a1 *kms.CreateAliasInput, _a2 ...request.Option) (*kms.CreateAliasOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.CreateAliasOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.CreateAliasInput, ...request.Option) *kms.CreateAliasOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.CreateAliasInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // CreateCustomKeyStore provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateCustomKeyStore(_a0 *kms.CreateCustomKeyStoreInput) (*kms.CreateCustomKeyStoreOutput, error) { ret := _m.Called(_a0) var r0 *kms.CreateCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(*kms.CreateCustomKeyStoreInput) *kms.CreateCustomKeyStoreOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.CreateCustomKeyStoreInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // CreateCustomKeyStoreRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateCustomKeyStoreRequest(_a0 *kms.CreateCustomKeyStoreInput) (*request.Request, *kms.CreateCustomKeyStoreOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.CreateCustomKeyStoreInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.CreateCustomKeyStoreOutput if rf, ok := ret.Get(1).(func(*kms.CreateCustomKeyStoreInput) *kms.CreateCustomKeyStoreOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.CreateCustomKeyStoreOutput) } } return r0, r1 } // CreateCustomKeyStoreWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) CreateCustomKeyStoreWithContext(_a0 context.Context, _a1 *kms.CreateCustomKeyStoreInput, _a2 ...request.Option) (*kms.CreateCustomKeyStoreOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.CreateCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.CreateCustomKeyStoreInput, ...request.Option) *kms.CreateCustomKeyStoreOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.CreateCustomKeyStoreInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // CreateGrant provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateGrant(_a0 *kms.CreateGrantInput) (*kms.CreateGrantOutput, error) { ret := _m.Called(_a0) var r0 *kms.CreateGrantOutput if rf, ok := ret.Get(0).(func(*kms.CreateGrantInput) *kms.CreateGrantOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.CreateGrantInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // CreateGrantRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateGrantRequest(_a0 *kms.CreateGrantInput) (*request.Request, *kms.CreateGrantOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.CreateGrantInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.CreateGrantOutput if rf, ok := ret.Get(1).(func(*kms.CreateGrantInput) *kms.CreateGrantOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.CreateGrantOutput) } } return r0, r1 } // CreateGrantWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) CreateGrantWithContext(_a0 context.Context, _a1 *kms.CreateGrantInput, _a2 ...request.Option) (*kms.CreateGrantOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.CreateGrantOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.CreateGrantInput, ...request.Option) *kms.CreateGrantOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.CreateGrantInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // CreateKey provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateKey(_a0 *kms.CreateKeyInput) (*kms.CreateKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.CreateKeyOutput if rf, ok := ret.Get(0).(func(*kms.CreateKeyInput) *kms.CreateKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.CreateKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // CreateKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) CreateKeyRequest(_a0 *kms.CreateKeyInput) (*request.Request, *kms.CreateKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.CreateKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.CreateKeyOutput if rf, ok := ret.Get(1).(func(*kms.CreateKeyInput) *kms.CreateKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.CreateKeyOutput) } } return r0, r1 } // CreateKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) CreateKeyWithContext(_a0 context.Context, _a1 *kms.CreateKeyInput, _a2 ...request.Option) (*kms.CreateKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.CreateKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.CreateKeyInput, ...request.Option) *kms.CreateKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.CreateKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.CreateKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // Decrypt provides a mock function with given fields: _a0 func (_m *KMSAPI) Decrypt(_a0 *kms.DecryptInput) (*kms.DecryptOutput, error) { ret := _m.Called(_a0) var r0 *kms.DecryptOutput if rf, ok := ret.Get(0).(func(*kms.DecryptInput) *kms.DecryptOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DecryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DecryptInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DecryptRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DecryptRequest(_a0 *kms.DecryptInput) (*request.Request, *kms.DecryptOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DecryptInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DecryptOutput if rf, ok := ret.Get(1).(func(*kms.DecryptInput) *kms.DecryptOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DecryptOutput) } } return r0, r1 } // DecryptWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DecryptWithContext(_a0 context.Context, _a1 *kms.DecryptInput, _a2 ...request.Option) (*kms.DecryptOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DecryptOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DecryptInput, ...request.Option) *kms.DecryptOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DecryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DecryptInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteAlias provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteAlias(_a0 *kms.DeleteAliasInput) (*kms.DeleteAliasOutput, error) { ret := _m.Called(_a0) var r0 *kms.DeleteAliasOutput if rf, ok := ret.Get(0).(func(*kms.DeleteAliasInput) *kms.DeleteAliasOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DeleteAliasInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteAliasRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteAliasRequest(_a0 *kms.DeleteAliasInput) (*request.Request, *kms.DeleteAliasOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DeleteAliasInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DeleteAliasOutput if rf, ok := ret.Get(1).(func(*kms.DeleteAliasInput) *kms.DeleteAliasOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DeleteAliasOutput) } } return r0, r1 } // DeleteAliasWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DeleteAliasWithContext(_a0 context.Context, _a1 *kms.DeleteAliasInput, _a2 ...request.Option) (*kms.DeleteAliasOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DeleteAliasOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DeleteAliasInput, ...request.Option) *kms.DeleteAliasOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DeleteAliasInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteCustomKeyStore provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteCustomKeyStore(_a0 *kms.DeleteCustomKeyStoreInput) (*kms.DeleteCustomKeyStoreOutput, error) { ret := _m.Called(_a0) var r0 *kms.DeleteCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(*kms.DeleteCustomKeyStoreInput) *kms.DeleteCustomKeyStoreOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DeleteCustomKeyStoreInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteCustomKeyStoreRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteCustomKeyStoreRequest(_a0 *kms.DeleteCustomKeyStoreInput) (*request.Request, *kms.DeleteCustomKeyStoreOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DeleteCustomKeyStoreInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DeleteCustomKeyStoreOutput if rf, ok := ret.Get(1).(func(*kms.DeleteCustomKeyStoreInput) *kms.DeleteCustomKeyStoreOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DeleteCustomKeyStoreOutput) } } return r0, r1 } // DeleteCustomKeyStoreWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DeleteCustomKeyStoreWithContext(_a0 context.Context, _a1 *kms.DeleteCustomKeyStoreInput, _a2 ...request.Option) (*kms.DeleteCustomKeyStoreOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DeleteCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DeleteCustomKeyStoreInput, ...request.Option) *kms.DeleteCustomKeyStoreOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DeleteCustomKeyStoreInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteImportedKeyMaterial provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteImportedKeyMaterial(_a0 *kms.DeleteImportedKeyMaterialInput) (*kms.DeleteImportedKeyMaterialOutput, error) { ret := _m.Called(_a0) var r0 *kms.DeleteImportedKeyMaterialOutput if rf, ok := ret.Get(0).(func(*kms.DeleteImportedKeyMaterialInput) *kms.DeleteImportedKeyMaterialOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteImportedKeyMaterialOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DeleteImportedKeyMaterialInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DeleteImportedKeyMaterialRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DeleteImportedKeyMaterialRequest(_a0 *kms.DeleteImportedKeyMaterialInput) (*request.Request, *kms.DeleteImportedKeyMaterialOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DeleteImportedKeyMaterialInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DeleteImportedKeyMaterialOutput if rf, ok := ret.Get(1).(func(*kms.DeleteImportedKeyMaterialInput) *kms.DeleteImportedKeyMaterialOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DeleteImportedKeyMaterialOutput) } } return r0, r1 } // DeleteImportedKeyMaterialWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DeleteImportedKeyMaterialWithContext(_a0 context.Context, _a1 *kms.DeleteImportedKeyMaterialInput, _a2 ...request.Option) (*kms.DeleteImportedKeyMaterialOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DeleteImportedKeyMaterialOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DeleteImportedKeyMaterialInput, ...request.Option) *kms.DeleteImportedKeyMaterialOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DeleteImportedKeyMaterialOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DeleteImportedKeyMaterialInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DescribeCustomKeyStores provides a mock function with given fields: _a0 func (_m *KMSAPI) DescribeCustomKeyStores(_a0 *kms.DescribeCustomKeyStoresInput) (*kms.DescribeCustomKeyStoresOutput, error) { ret := _m.Called(_a0) var r0 *kms.DescribeCustomKeyStoresOutput if rf, ok := ret.Get(0).(func(*kms.DescribeCustomKeyStoresInput) *kms.DescribeCustomKeyStoresOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DescribeCustomKeyStoresOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DescribeCustomKeyStoresInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DescribeCustomKeyStoresRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DescribeCustomKeyStoresRequest(_a0 *kms.DescribeCustomKeyStoresInput) (*request.Request, *kms.DescribeCustomKeyStoresOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DescribeCustomKeyStoresInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DescribeCustomKeyStoresOutput if rf, ok := ret.Get(1).(func(*kms.DescribeCustomKeyStoresInput) *kms.DescribeCustomKeyStoresOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DescribeCustomKeyStoresOutput) } } return r0, r1 } // DescribeCustomKeyStoresWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DescribeCustomKeyStoresWithContext(_a0 context.Context, _a1 *kms.DescribeCustomKeyStoresInput, _a2 ...request.Option) (*kms.DescribeCustomKeyStoresOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DescribeCustomKeyStoresOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DescribeCustomKeyStoresInput, ...request.Option) *kms.DescribeCustomKeyStoresOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DescribeCustomKeyStoresOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DescribeCustomKeyStoresInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DescribeKey provides a mock function with given fields: _a0 func (_m *KMSAPI) DescribeKey(_a0 *kms.DescribeKeyInput) (*kms.DescribeKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.DescribeKeyOutput if rf, ok := ret.Get(0).(func(*kms.DescribeKeyInput) *kms.DescribeKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DescribeKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DescribeKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DescribeKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DescribeKeyRequest(_a0 *kms.DescribeKeyInput) (*request.Request, *kms.DescribeKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DescribeKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DescribeKeyOutput if rf, ok := ret.Get(1).(func(*kms.DescribeKeyInput) *kms.DescribeKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DescribeKeyOutput) } } return r0, r1 } // DescribeKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DescribeKeyWithContext(_a0 context.Context, _a1 *kms.DescribeKeyInput, _a2 ...request.Option) (*kms.DescribeKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DescribeKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DescribeKeyInput, ...request.Option) *kms.DescribeKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DescribeKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DescribeKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DisableKey provides a mock function with given fields: _a0 func (_m *KMSAPI) DisableKey(_a0 *kms.DisableKeyInput) (*kms.DisableKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.DisableKeyOutput if rf, ok := ret.Get(0).(func(*kms.DisableKeyInput) *kms.DisableKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisableKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DisableKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DisableKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DisableKeyRequest(_a0 *kms.DisableKeyInput) (*request.Request, *kms.DisableKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DisableKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DisableKeyOutput if rf, ok := ret.Get(1).(func(*kms.DisableKeyInput) *kms.DisableKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DisableKeyOutput) } } return r0, r1 } // DisableKeyRotation provides a mock function with given fields: _a0 func (_m *KMSAPI) DisableKeyRotation(_a0 *kms.DisableKeyRotationInput) (*kms.DisableKeyRotationOutput, error) { ret := _m.Called(_a0) var r0 *kms.DisableKeyRotationOutput if rf, ok := ret.Get(0).(func(*kms.DisableKeyRotationInput) *kms.DisableKeyRotationOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisableKeyRotationOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DisableKeyRotationInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DisableKeyRotationRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DisableKeyRotationRequest(_a0 *kms.DisableKeyRotationInput) (*request.Request, *kms.DisableKeyRotationOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DisableKeyRotationInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DisableKeyRotationOutput if rf, ok := ret.Get(1).(func(*kms.DisableKeyRotationInput) *kms.DisableKeyRotationOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DisableKeyRotationOutput) } } return r0, r1 } // DisableKeyRotationWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DisableKeyRotationWithContext(_a0 context.Context, _a1 *kms.DisableKeyRotationInput, _a2 ...request.Option) (*kms.DisableKeyRotationOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DisableKeyRotationOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DisableKeyRotationInput, ...request.Option) *kms.DisableKeyRotationOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisableKeyRotationOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DisableKeyRotationInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DisableKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DisableKeyWithContext(_a0 context.Context, _a1 *kms.DisableKeyInput, _a2 ...request.Option) (*kms.DisableKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DisableKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DisableKeyInput, ...request.Option) *kms.DisableKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisableKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DisableKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // DisconnectCustomKeyStore provides a mock function with given fields: _a0 func (_m *KMSAPI) DisconnectCustomKeyStore(_a0 *kms.DisconnectCustomKeyStoreInput) (*kms.DisconnectCustomKeyStoreOutput, error) { ret := _m.Called(_a0) var r0 *kms.DisconnectCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(*kms.DisconnectCustomKeyStoreInput) *kms.DisconnectCustomKeyStoreOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisconnectCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.DisconnectCustomKeyStoreInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // DisconnectCustomKeyStoreRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) DisconnectCustomKeyStoreRequest(_a0 *kms.DisconnectCustomKeyStoreInput) (*request.Request, *kms.DisconnectCustomKeyStoreOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.DisconnectCustomKeyStoreInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.DisconnectCustomKeyStoreOutput if rf, ok := ret.Get(1).(func(*kms.DisconnectCustomKeyStoreInput) *kms.DisconnectCustomKeyStoreOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.DisconnectCustomKeyStoreOutput) } } return r0, r1 } // DisconnectCustomKeyStoreWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) DisconnectCustomKeyStoreWithContext(_a0 context.Context, _a1 *kms.DisconnectCustomKeyStoreInput, _a2 ...request.Option) (*kms.DisconnectCustomKeyStoreOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.DisconnectCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.DisconnectCustomKeyStoreInput, ...request.Option) *kms.DisconnectCustomKeyStoreOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.DisconnectCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.DisconnectCustomKeyStoreInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // EnableKey provides a mock function with given fields: _a0 func (_m *KMSAPI) EnableKey(_a0 *kms.EnableKeyInput) (*kms.EnableKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.EnableKeyOutput if rf, ok := ret.Get(0).(func(*kms.EnableKeyInput) *kms.EnableKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EnableKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.EnableKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // EnableKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) EnableKeyRequest(_a0 *kms.EnableKeyInput) (*request.Request, *kms.EnableKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.EnableKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.EnableKeyOutput if rf, ok := ret.Get(1).(func(*kms.EnableKeyInput) *kms.EnableKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.EnableKeyOutput) } } return r0, r1 } // EnableKeyRotation provides a mock function with given fields: _a0 func (_m *KMSAPI) EnableKeyRotation(_a0 *kms.EnableKeyRotationInput) (*kms.EnableKeyRotationOutput, error) { ret := _m.Called(_a0) var r0 *kms.EnableKeyRotationOutput if rf, ok := ret.Get(0).(func(*kms.EnableKeyRotationInput) *kms.EnableKeyRotationOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EnableKeyRotationOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.EnableKeyRotationInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // EnableKeyRotationRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) EnableKeyRotationRequest(_a0 *kms.EnableKeyRotationInput) (*request.Request, *kms.EnableKeyRotationOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.EnableKeyRotationInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.EnableKeyRotationOutput if rf, ok := ret.Get(1).(func(*kms.EnableKeyRotationInput) *kms.EnableKeyRotationOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.EnableKeyRotationOutput) } } return r0, r1 } // EnableKeyRotationWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) EnableKeyRotationWithContext(_a0 context.Context, _a1 *kms.EnableKeyRotationInput, _a2 ...request.Option) (*kms.EnableKeyRotationOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.EnableKeyRotationOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.EnableKeyRotationInput, ...request.Option) *kms.EnableKeyRotationOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EnableKeyRotationOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.EnableKeyRotationInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // EnableKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) EnableKeyWithContext(_a0 context.Context, _a1 *kms.EnableKeyInput, _a2 ...request.Option) (*kms.EnableKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.EnableKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.EnableKeyInput, ...request.Option) *kms.EnableKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EnableKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.EnableKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // Encrypt provides a mock function with given fields: _a0 func (_m *KMSAPI) Encrypt(_a0 *kms.EncryptInput) (*kms.EncryptOutput, error) { ret := _m.Called(_a0) var r0 *kms.EncryptOutput if rf, ok := ret.Get(0).(func(*kms.EncryptInput) *kms.EncryptOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EncryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.EncryptInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // EncryptRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) EncryptRequest(_a0 *kms.EncryptInput) (*request.Request, *kms.EncryptOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.EncryptInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.EncryptOutput if rf, ok := ret.Get(1).(func(*kms.EncryptInput) *kms.EncryptOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.EncryptOutput) } } return r0, r1 } // EncryptWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) EncryptWithContext(_a0 context.Context, _a1 *kms.EncryptInput, _a2 ...request.Option) (*kms.EncryptOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.EncryptOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.EncryptInput, ...request.Option) *kms.EncryptOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.EncryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.EncryptInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKey provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKey(_a0 *kms.GenerateDataKeyInput) (*kms.GenerateDataKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateDataKeyOutput if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyInput) *kms.GenerateDataKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyPair provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyPair(_a0 *kms.GenerateDataKeyPairInput) (*kms.GenerateDataKeyPairOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateDataKeyPairOutput if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyPairInput) *kms.GenerateDataKeyPairOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyPairOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyPairInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyPairRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyPairRequest(_a0 *kms.GenerateDataKeyPairInput) (*request.Request, *kms.GenerateDataKeyPairOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyPairInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateDataKeyPairOutput if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyPairInput) *kms.GenerateDataKeyPairOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateDataKeyPairOutput) } } return r0, r1 } // GenerateDataKeyPairWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateDataKeyPairWithContext(_a0 context.Context, _a1 *kms.GenerateDataKeyPairInput, _a2 ...request.Option) (*kms.GenerateDataKeyPairOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateDataKeyPairOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateDataKeyPairInput, ...request.Option) *kms.GenerateDataKeyPairOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyPairOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateDataKeyPairInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyPairWithoutPlaintext provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyPairWithoutPlaintext(_a0 *kms.GenerateDataKeyPairWithoutPlaintextInput) (*kms.GenerateDataKeyPairWithoutPlaintextOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateDataKeyPairWithoutPlaintextOutput if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyPairWithoutPlaintextInput) *kms.GenerateDataKeyPairWithoutPlaintextOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyPairWithoutPlaintextOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyPairWithoutPlaintextInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyPairWithoutPlaintextRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyPairWithoutPlaintextRequest(_a0 *kms.GenerateDataKeyPairWithoutPlaintextInput) (*request.Request, *kms.GenerateDataKeyPairWithoutPlaintextOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyPairWithoutPlaintextInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateDataKeyPairWithoutPlaintextOutput if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyPairWithoutPlaintextInput) *kms.GenerateDataKeyPairWithoutPlaintextOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateDataKeyPairWithoutPlaintextOutput) } } return r0, r1 } // GenerateDataKeyPairWithoutPlaintextWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateDataKeyPairWithoutPlaintextWithContext(_a0 context.Context, _a1 *kms.GenerateDataKeyPairWithoutPlaintextInput, _a2 ...request.Option) (*kms.GenerateDataKeyPairWithoutPlaintextOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateDataKeyPairWithoutPlaintextOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateDataKeyPairWithoutPlaintextInput, ...request.Option) *kms.GenerateDataKeyPairWithoutPlaintextOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyPairWithoutPlaintextOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateDataKeyPairWithoutPlaintextInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyRequest(_a0 *kms.GenerateDataKeyInput) (*request.Request, *kms.GenerateDataKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateDataKeyOutput if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyInput) *kms.GenerateDataKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateDataKeyOutput) } } return r0, r1 } // GenerateDataKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateDataKeyWithContext(_a0 context.Context, _a1 *kms.GenerateDataKeyInput, _a2 ...request.Option) (*kms.GenerateDataKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateDataKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateDataKeyInput, ...request.Option) *kms.GenerateDataKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateDataKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyWithoutPlaintext provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyWithoutPlaintext(_a0 *kms.GenerateDataKeyWithoutPlaintextInput) (*kms.GenerateDataKeyWithoutPlaintextOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateDataKeyWithoutPlaintextOutput if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyWithoutPlaintextInput) *kms.GenerateDataKeyWithoutPlaintextOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyWithoutPlaintextOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyWithoutPlaintextInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateDataKeyWithoutPlaintextRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateDataKeyWithoutPlaintextRequest(_a0 *kms.GenerateDataKeyWithoutPlaintextInput) (*request.Request, *kms.GenerateDataKeyWithoutPlaintextOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateDataKeyWithoutPlaintextInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateDataKeyWithoutPlaintextOutput if rf, ok := ret.Get(1).(func(*kms.GenerateDataKeyWithoutPlaintextInput) *kms.GenerateDataKeyWithoutPlaintextOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateDataKeyWithoutPlaintextOutput) } } return r0, r1 } // GenerateDataKeyWithoutPlaintextWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateDataKeyWithoutPlaintextWithContext(_a0 context.Context, _a1 *kms.GenerateDataKeyWithoutPlaintextInput, _a2 ...request.Option) (*kms.GenerateDataKeyWithoutPlaintextOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateDataKeyWithoutPlaintextOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateDataKeyWithoutPlaintextInput, ...request.Option) *kms.GenerateDataKeyWithoutPlaintextOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateDataKeyWithoutPlaintextOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateDataKeyWithoutPlaintextInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateMac provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateMac(_a0 *kms.GenerateMacInput) (*kms.GenerateMacOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateMacOutput if rf, ok := ret.Get(0).(func(*kms.GenerateMacInput) *kms.GenerateMacOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateMacOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateMacInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateMacRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateMacRequest(_a0 *kms.GenerateMacInput) (*request.Request, *kms.GenerateMacOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateMacInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateMacOutput if rf, ok := ret.Get(1).(func(*kms.GenerateMacInput) *kms.GenerateMacOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateMacOutput) } } return r0, r1 } // GenerateMacWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateMacWithContext(_a0 context.Context, _a1 *kms.GenerateMacInput, _a2 ...request.Option) (*kms.GenerateMacOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateMacOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateMacInput, ...request.Option) *kms.GenerateMacOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateMacOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateMacInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateRandom provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateRandom(_a0 *kms.GenerateRandomInput) (*kms.GenerateRandomOutput, error) { ret := _m.Called(_a0) var r0 *kms.GenerateRandomOutput if rf, ok := ret.Get(0).(func(*kms.GenerateRandomInput) *kms.GenerateRandomOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateRandomOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GenerateRandomInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GenerateRandomRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GenerateRandomRequest(_a0 *kms.GenerateRandomInput) (*request.Request, *kms.GenerateRandomOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GenerateRandomInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GenerateRandomOutput if rf, ok := ret.Get(1).(func(*kms.GenerateRandomInput) *kms.GenerateRandomOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GenerateRandomOutput) } } return r0, r1 } // GenerateRandomWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GenerateRandomWithContext(_a0 context.Context, _a1 *kms.GenerateRandomInput, _a2 ...request.Option) (*kms.GenerateRandomOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GenerateRandomOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GenerateRandomInput, ...request.Option) *kms.GenerateRandomOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GenerateRandomOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GenerateRandomInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GetKeyPolicy provides a mock function with given fields: _a0 func (_m *KMSAPI) GetKeyPolicy(_a0 *kms.GetKeyPolicyInput) (*kms.GetKeyPolicyOutput, error) { ret := _m.Called(_a0) var r0 *kms.GetKeyPolicyOutput if rf, ok := ret.Get(0).(func(*kms.GetKeyPolicyInput) *kms.GetKeyPolicyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetKeyPolicyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GetKeyPolicyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GetKeyPolicyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GetKeyPolicyRequest(_a0 *kms.GetKeyPolicyInput) (*request.Request, *kms.GetKeyPolicyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GetKeyPolicyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GetKeyPolicyOutput if rf, ok := ret.Get(1).(func(*kms.GetKeyPolicyInput) *kms.GetKeyPolicyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GetKeyPolicyOutput) } } return r0, r1 } // GetKeyPolicyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GetKeyPolicyWithContext(_a0 context.Context, _a1 *kms.GetKeyPolicyInput, _a2 ...request.Option) (*kms.GetKeyPolicyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GetKeyPolicyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GetKeyPolicyInput, ...request.Option) *kms.GetKeyPolicyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetKeyPolicyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GetKeyPolicyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GetKeyRotationStatus provides a mock function with given fields: _a0 func (_m *KMSAPI) GetKeyRotationStatus(_a0 *kms.GetKeyRotationStatusInput) (*kms.GetKeyRotationStatusOutput, error) { ret := _m.Called(_a0) var r0 *kms.GetKeyRotationStatusOutput if rf, ok := ret.Get(0).(func(*kms.GetKeyRotationStatusInput) *kms.GetKeyRotationStatusOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetKeyRotationStatusOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GetKeyRotationStatusInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GetKeyRotationStatusRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GetKeyRotationStatusRequest(_a0 *kms.GetKeyRotationStatusInput) (*request.Request, *kms.GetKeyRotationStatusOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GetKeyRotationStatusInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GetKeyRotationStatusOutput if rf, ok := ret.Get(1).(func(*kms.GetKeyRotationStatusInput) *kms.GetKeyRotationStatusOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GetKeyRotationStatusOutput) } } return r0, r1 } // GetKeyRotationStatusWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GetKeyRotationStatusWithContext(_a0 context.Context, _a1 *kms.GetKeyRotationStatusInput, _a2 ...request.Option) (*kms.GetKeyRotationStatusOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GetKeyRotationStatusOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GetKeyRotationStatusInput, ...request.Option) *kms.GetKeyRotationStatusOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetKeyRotationStatusOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GetKeyRotationStatusInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GetParametersForImport provides a mock function with given fields: _a0 func (_m *KMSAPI) GetParametersForImport(_a0 *kms.GetParametersForImportInput) (*kms.GetParametersForImportOutput, error) { ret := _m.Called(_a0) var r0 *kms.GetParametersForImportOutput if rf, ok := ret.Get(0).(func(*kms.GetParametersForImportInput) *kms.GetParametersForImportOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetParametersForImportOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GetParametersForImportInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GetParametersForImportRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GetParametersForImportRequest(_a0 *kms.GetParametersForImportInput) (*request.Request, *kms.GetParametersForImportOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GetParametersForImportInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GetParametersForImportOutput if rf, ok := ret.Get(1).(func(*kms.GetParametersForImportInput) *kms.GetParametersForImportOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GetParametersForImportOutput) } } return r0, r1 } // GetParametersForImportWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GetParametersForImportWithContext(_a0 context.Context, _a1 *kms.GetParametersForImportInput, _a2 ...request.Option) (*kms.GetParametersForImportOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GetParametersForImportOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GetParametersForImportInput, ...request.Option) *kms.GetParametersForImportOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetParametersForImportOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GetParametersForImportInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // GetPublicKey provides a mock function with given fields: _a0 func (_m *KMSAPI) GetPublicKey(_a0 *kms.GetPublicKeyInput) (*kms.GetPublicKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.GetPublicKeyOutput if rf, ok := ret.Get(0).(func(*kms.GetPublicKeyInput) *kms.GetPublicKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetPublicKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.GetPublicKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // GetPublicKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) GetPublicKeyRequest(_a0 *kms.GetPublicKeyInput) (*request.Request, *kms.GetPublicKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.GetPublicKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.GetPublicKeyOutput if rf, ok := ret.Get(1).(func(*kms.GetPublicKeyInput) *kms.GetPublicKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.GetPublicKeyOutput) } } return r0, r1 } // GetPublicKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) GetPublicKeyWithContext(_a0 context.Context, _a1 *kms.GetPublicKeyInput, _a2 ...request.Option) (*kms.GetPublicKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.GetPublicKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.GetPublicKeyInput, ...request.Option) *kms.GetPublicKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.GetPublicKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.GetPublicKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ImportKeyMaterial provides a mock function with given fields: _a0 func (_m *KMSAPI) ImportKeyMaterial(_a0 *kms.ImportKeyMaterialInput) (*kms.ImportKeyMaterialOutput, error) { ret := _m.Called(_a0) var r0 *kms.ImportKeyMaterialOutput if rf, ok := ret.Get(0).(func(*kms.ImportKeyMaterialInput) *kms.ImportKeyMaterialOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ImportKeyMaterialOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ImportKeyMaterialInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ImportKeyMaterialRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ImportKeyMaterialRequest(_a0 *kms.ImportKeyMaterialInput) (*request.Request, *kms.ImportKeyMaterialOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ImportKeyMaterialInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ImportKeyMaterialOutput if rf, ok := ret.Get(1).(func(*kms.ImportKeyMaterialInput) *kms.ImportKeyMaterialOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ImportKeyMaterialOutput) } } return r0, r1 } // ImportKeyMaterialWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ImportKeyMaterialWithContext(_a0 context.Context, _a1 *kms.ImportKeyMaterialInput, _a2 ...request.Option) (*kms.ImportKeyMaterialOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ImportKeyMaterialOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ImportKeyMaterialInput, ...request.Option) *kms.ImportKeyMaterialOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ImportKeyMaterialOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ImportKeyMaterialInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListAliases provides a mock function with given fields: _a0 func (_m *KMSAPI) ListAliases(_a0 *kms.ListAliasesInput) (*kms.ListAliasesOutput, error) { ret := _m.Called(_a0) var r0 *kms.ListAliasesOutput if rf, ok := ret.Get(0).(func(*kms.ListAliasesInput) *kms.ListAliasesOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListAliasesOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListAliasesInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListAliasesPages provides a mock function with given fields: _a0, _a1 func (_m *KMSAPI) ListAliasesPages(_a0 *kms.ListAliasesInput, _a1 func(*kms.ListAliasesOutput, bool) bool) error { ret := _m.Called(_a0, _a1) var r0 error if rf, ok := ret.Get(0).(func(*kms.ListAliasesInput, func(*kms.ListAliasesOutput, bool) bool) error); ok { r0 = rf(_a0, _a1) } else { r0 = ret.Error(0) } return r0 } // ListAliasesPagesWithContext provides a mock function with given fields: _a0, _a1, _a2, _a3 func (_m *KMSAPI) ListAliasesPagesWithContext(_a0 context.Context, _a1 *kms.ListAliasesInput, _a2 func(*kms.ListAliasesOutput, bool) bool, _a3 ...request.Option) error { _va := make([]interface{}, len(_a3)) for _i := range _a3 { _va[_i] = _a3[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1, _a2) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 error if rf, ok := ret.Get(0).(func(context.Context, *kms.ListAliasesInput, func(*kms.ListAliasesOutput, bool) bool, ...request.Option) error); ok { r0 = rf(_a0, _a1, _a2, _a3...) } else { r0 = ret.Error(0) } return r0 } // ListAliasesRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListAliasesRequest(_a0 *kms.ListAliasesInput) (*request.Request, *kms.ListAliasesOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListAliasesInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListAliasesOutput if rf, ok := ret.Get(1).(func(*kms.ListAliasesInput) *kms.ListAliasesOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListAliasesOutput) } } return r0, r1 } // ListAliasesWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListAliasesWithContext(_a0 context.Context, _a1 *kms.ListAliasesInput, _a2 ...request.Option) (*kms.ListAliasesOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListAliasesOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ListAliasesInput, ...request.Option) *kms.ListAliasesOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListAliasesOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListAliasesInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListGrants provides a mock function with given fields: _a0 func (_m *KMSAPI) ListGrants(_a0 *kms.ListGrantsInput) (*kms.ListGrantsResponse, error) { ret := _m.Called(_a0) var r0 *kms.ListGrantsResponse if rf, ok := ret.Get(0).(func(*kms.ListGrantsInput) *kms.ListGrantsResponse); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListGrantsResponse) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListGrantsInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListGrantsPages provides a mock function with given fields: _a0, _a1 func (_m *KMSAPI) ListGrantsPages(_a0 *kms.ListGrantsInput, _a1 func(*kms.ListGrantsResponse, bool) bool) error { ret := _m.Called(_a0, _a1) var r0 error if rf, ok := ret.Get(0).(func(*kms.ListGrantsInput, func(*kms.ListGrantsResponse, bool) bool) error); ok { r0 = rf(_a0, _a1) } else { r0 = ret.Error(0) } return r0 } // ListGrantsPagesWithContext provides a mock function with given fields: _a0, _a1, _a2, _a3 func (_m *KMSAPI) ListGrantsPagesWithContext(_a0 context.Context, _a1 *kms.ListGrantsInput, _a2 func(*kms.ListGrantsResponse, bool) bool, _a3 ...request.Option) error { _va := make([]interface{}, len(_a3)) for _i := range _a3 { _va[_i] = _a3[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1, _a2) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 error if rf, ok := ret.Get(0).(func(context.Context, *kms.ListGrantsInput, func(*kms.ListGrantsResponse, bool) bool, ...request.Option) error); ok { r0 = rf(_a0, _a1, _a2, _a3...) } else { r0 = ret.Error(0) } return r0 } // ListGrantsRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListGrantsRequest(_a0 *kms.ListGrantsInput) (*request.Request, *kms.ListGrantsResponse) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListGrantsInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListGrantsResponse if rf, ok := ret.Get(1).(func(*kms.ListGrantsInput) *kms.ListGrantsResponse); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListGrantsResponse) } } return r0, r1 } // ListGrantsWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListGrantsWithContext(_a0 context.Context, _a1 *kms.ListGrantsInput, _a2 ...request.Option) (*kms.ListGrantsResponse, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListGrantsResponse if rf, ok := ret.Get(0).(func(context.Context, *kms.ListGrantsInput, ...request.Option) *kms.ListGrantsResponse); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListGrantsResponse) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListGrantsInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListKeyPolicies provides a mock function with given fields: _a0 func (_m *KMSAPI) ListKeyPolicies(_a0 *kms.ListKeyPoliciesInput) (*kms.ListKeyPoliciesOutput, error) { ret := _m.Called(_a0) var r0 *kms.ListKeyPoliciesOutput if rf, ok := ret.Get(0).(func(*kms.ListKeyPoliciesInput) *kms.ListKeyPoliciesOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListKeyPoliciesOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListKeyPoliciesInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListKeyPoliciesPages provides a mock function with given fields: _a0, _a1 func (_m *KMSAPI) ListKeyPoliciesPages(_a0 *kms.ListKeyPoliciesInput, _a1 func(*kms.ListKeyPoliciesOutput, bool) bool) error { ret := _m.Called(_a0, _a1) var r0 error if rf, ok := ret.Get(0).(func(*kms.ListKeyPoliciesInput, func(*kms.ListKeyPoliciesOutput, bool) bool) error); ok { r0 = rf(_a0, _a1) } else { r0 = ret.Error(0) } return r0 } // ListKeyPoliciesPagesWithContext provides a mock function with given fields: _a0, _a1, _a2, _a3 func (_m *KMSAPI) ListKeyPoliciesPagesWithContext(_a0 context.Context, _a1 *kms.ListKeyPoliciesInput, _a2 func(*kms.ListKeyPoliciesOutput, bool) bool, _a3 ...request.Option) error { _va := make([]interface{}, len(_a3)) for _i := range _a3 { _va[_i] = _a3[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1, _a2) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 error if rf, ok := ret.Get(0).(func(context.Context, *kms.ListKeyPoliciesInput, func(*kms.ListKeyPoliciesOutput, bool) bool, ...request.Option) error); ok { r0 = rf(_a0, _a1, _a2, _a3...) } else { r0 = ret.Error(0) } return r0 } // ListKeyPoliciesRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListKeyPoliciesRequest(_a0 *kms.ListKeyPoliciesInput) (*request.Request, *kms.ListKeyPoliciesOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListKeyPoliciesInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListKeyPoliciesOutput if rf, ok := ret.Get(1).(func(*kms.ListKeyPoliciesInput) *kms.ListKeyPoliciesOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListKeyPoliciesOutput) } } return r0, r1 } // ListKeyPoliciesWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListKeyPoliciesWithContext(_a0 context.Context, _a1 *kms.ListKeyPoliciesInput, _a2 ...request.Option) (*kms.ListKeyPoliciesOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListKeyPoliciesOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ListKeyPoliciesInput, ...request.Option) *kms.ListKeyPoliciesOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListKeyPoliciesOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListKeyPoliciesInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListKeys provides a mock function with given fields: _a0 func (_m *KMSAPI) ListKeys(_a0 *kms.ListKeysInput) (*kms.ListKeysOutput, error) { ret := _m.Called(_a0) var r0 *kms.ListKeysOutput if rf, ok := ret.Get(0).(func(*kms.ListKeysInput) *kms.ListKeysOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListKeysOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListKeysInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListKeysPages provides a mock function with given fields: _a0, _a1 func (_m *KMSAPI) ListKeysPages(_a0 *kms.ListKeysInput, _a1 func(*kms.ListKeysOutput, bool) bool) error { ret := _m.Called(_a0, _a1) var r0 error if rf, ok := ret.Get(0).(func(*kms.ListKeysInput, func(*kms.ListKeysOutput, bool) bool) error); ok { r0 = rf(_a0, _a1) } else { r0 = ret.Error(0) } return r0 } // ListKeysPagesWithContext provides a mock function with given fields: _a0, _a1, _a2, _a3 func (_m *KMSAPI) ListKeysPagesWithContext(_a0 context.Context, _a1 *kms.ListKeysInput, _a2 func(*kms.ListKeysOutput, bool) bool, _a3 ...request.Option) error { _va := make([]interface{}, len(_a3)) for _i := range _a3 { _va[_i] = _a3[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1, _a2) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 error if rf, ok := ret.Get(0).(func(context.Context, *kms.ListKeysInput, func(*kms.ListKeysOutput, bool) bool, ...request.Option) error); ok { r0 = rf(_a0, _a1, _a2, _a3...) } else { r0 = ret.Error(0) } return r0 } // ListKeysRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListKeysRequest(_a0 *kms.ListKeysInput) (*request.Request, *kms.ListKeysOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListKeysInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListKeysOutput if rf, ok := ret.Get(1).(func(*kms.ListKeysInput) *kms.ListKeysOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListKeysOutput) } } return r0, r1 } // ListKeysWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListKeysWithContext(_a0 context.Context, _a1 *kms.ListKeysInput, _a2 ...request.Option) (*kms.ListKeysOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListKeysOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ListKeysInput, ...request.Option) *kms.ListKeysOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListKeysOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListKeysInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListResourceTags provides a mock function with given fields: _a0 func (_m *KMSAPI) ListResourceTags(_a0 *kms.ListResourceTagsInput) (*kms.ListResourceTagsOutput, error) { ret := _m.Called(_a0) var r0 *kms.ListResourceTagsOutput if rf, ok := ret.Get(0).(func(*kms.ListResourceTagsInput) *kms.ListResourceTagsOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListResourceTagsOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListResourceTagsInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListResourceTagsRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListResourceTagsRequest(_a0 *kms.ListResourceTagsInput) (*request.Request, *kms.ListResourceTagsOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListResourceTagsInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListResourceTagsOutput if rf, ok := ret.Get(1).(func(*kms.ListResourceTagsInput) *kms.ListResourceTagsOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListResourceTagsOutput) } } return r0, r1 } // ListResourceTagsWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListResourceTagsWithContext(_a0 context.Context, _a1 *kms.ListResourceTagsInput, _a2 ...request.Option) (*kms.ListResourceTagsOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListResourceTagsOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ListResourceTagsInput, ...request.Option) *kms.ListResourceTagsOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListResourceTagsOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListResourceTagsInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ListRetirableGrants provides a mock function with given fields: _a0 func (_m *KMSAPI) ListRetirableGrants(_a0 *kms.ListRetirableGrantsInput) (*kms.ListGrantsResponse, error) { ret := _m.Called(_a0) var r0 *kms.ListGrantsResponse if rf, ok := ret.Get(0).(func(*kms.ListRetirableGrantsInput) *kms.ListGrantsResponse); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListGrantsResponse) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ListRetirableGrantsInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ListRetirableGrantsRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ListRetirableGrantsRequest(_a0 *kms.ListRetirableGrantsInput) (*request.Request, *kms.ListGrantsResponse) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ListRetirableGrantsInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ListGrantsResponse if rf, ok := ret.Get(1).(func(*kms.ListRetirableGrantsInput) *kms.ListGrantsResponse); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ListGrantsResponse) } } return r0, r1 } // ListRetirableGrantsWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ListRetirableGrantsWithContext(_a0 context.Context, _a1 *kms.ListRetirableGrantsInput, _a2 ...request.Option) (*kms.ListGrantsResponse, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ListGrantsResponse if rf, ok := ret.Get(0).(func(context.Context, *kms.ListRetirableGrantsInput, ...request.Option) *kms.ListGrantsResponse); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ListGrantsResponse) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ListRetirableGrantsInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // PutKeyPolicy provides a mock function with given fields: _a0 func (_m *KMSAPI) PutKeyPolicy(_a0 *kms.PutKeyPolicyInput) (*kms.PutKeyPolicyOutput, error) { ret := _m.Called(_a0) var r0 *kms.PutKeyPolicyOutput if rf, ok := ret.Get(0).(func(*kms.PutKeyPolicyInput) *kms.PutKeyPolicyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.PutKeyPolicyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.PutKeyPolicyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // PutKeyPolicyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) PutKeyPolicyRequest(_a0 *kms.PutKeyPolicyInput) (*request.Request, *kms.PutKeyPolicyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.PutKeyPolicyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.PutKeyPolicyOutput if rf, ok := ret.Get(1).(func(*kms.PutKeyPolicyInput) *kms.PutKeyPolicyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.PutKeyPolicyOutput) } } return r0, r1 } // PutKeyPolicyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) PutKeyPolicyWithContext(_a0 context.Context, _a1 *kms.PutKeyPolicyInput, _a2 ...request.Option) (*kms.PutKeyPolicyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.PutKeyPolicyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.PutKeyPolicyInput, ...request.Option) *kms.PutKeyPolicyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.PutKeyPolicyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.PutKeyPolicyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ReEncrypt provides a mock function with given fields: _a0 func (_m *KMSAPI) ReEncrypt(_a0 *kms.ReEncryptInput) (*kms.ReEncryptOutput, error) { ret := _m.Called(_a0) var r0 *kms.ReEncryptOutput if rf, ok := ret.Get(0).(func(*kms.ReEncryptInput) *kms.ReEncryptOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ReEncryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ReEncryptInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ReEncryptRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ReEncryptRequest(_a0 *kms.ReEncryptInput) (*request.Request, *kms.ReEncryptOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ReEncryptInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ReEncryptOutput if rf, ok := ret.Get(1).(func(*kms.ReEncryptInput) *kms.ReEncryptOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ReEncryptOutput) } } return r0, r1 } // ReEncryptWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ReEncryptWithContext(_a0 context.Context, _a1 *kms.ReEncryptInput, _a2 ...request.Option) (*kms.ReEncryptOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ReEncryptOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ReEncryptInput, ...request.Option) *kms.ReEncryptOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ReEncryptOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ReEncryptInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ReplicateKey provides a mock function with given fields: _a0 func (_m *KMSAPI) ReplicateKey(_a0 *kms.ReplicateKeyInput) (*kms.ReplicateKeyOutput, error) { ret := _m.Called(_a0) var r0 *kms.ReplicateKeyOutput if rf, ok := ret.Get(0).(func(*kms.ReplicateKeyInput) *kms.ReplicateKeyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ReplicateKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ReplicateKeyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ReplicateKeyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ReplicateKeyRequest(_a0 *kms.ReplicateKeyInput) (*request.Request, *kms.ReplicateKeyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ReplicateKeyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ReplicateKeyOutput if rf, ok := ret.Get(1).(func(*kms.ReplicateKeyInput) *kms.ReplicateKeyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ReplicateKeyOutput) } } return r0, r1 } // ReplicateKeyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ReplicateKeyWithContext(_a0 context.Context, _a1 *kms.ReplicateKeyInput, _a2 ...request.Option) (*kms.ReplicateKeyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ReplicateKeyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ReplicateKeyInput, ...request.Option) *kms.ReplicateKeyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ReplicateKeyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ReplicateKeyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // RetireGrant provides a mock function with given fields: _a0 func (_m *KMSAPI) RetireGrant(_a0 *kms.RetireGrantInput) (*kms.RetireGrantOutput, error) { ret := _m.Called(_a0) var r0 *kms.RetireGrantOutput if rf, ok := ret.Get(0).(func(*kms.RetireGrantInput) *kms.RetireGrantOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.RetireGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.RetireGrantInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // RetireGrantRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) RetireGrantRequest(_a0 *kms.RetireGrantInput) (*request.Request, *kms.RetireGrantOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.RetireGrantInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.RetireGrantOutput if rf, ok := ret.Get(1).(func(*kms.RetireGrantInput) *kms.RetireGrantOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.RetireGrantOutput) } } return r0, r1 } // RetireGrantWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) RetireGrantWithContext(_a0 context.Context, _a1 *kms.RetireGrantInput, _a2 ...request.Option) (*kms.RetireGrantOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.RetireGrantOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.RetireGrantInput, ...request.Option) *kms.RetireGrantOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.RetireGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.RetireGrantInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // RevokeGrant provides a mock function with given fields: _a0 func (_m *KMSAPI) RevokeGrant(_a0 *kms.RevokeGrantInput) (*kms.RevokeGrantOutput, error) { ret := _m.Called(_a0) var r0 *kms.RevokeGrantOutput if rf, ok := ret.Get(0).(func(*kms.RevokeGrantInput) *kms.RevokeGrantOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.RevokeGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.RevokeGrantInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // RevokeGrantRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) RevokeGrantRequest(_a0 *kms.RevokeGrantInput) (*request.Request, *kms.RevokeGrantOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.RevokeGrantInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.RevokeGrantOutput if rf, ok := ret.Get(1).(func(*kms.RevokeGrantInput) *kms.RevokeGrantOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.RevokeGrantOutput) } } return r0, r1 } // RevokeGrantWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) RevokeGrantWithContext(_a0 context.Context, _a1 *kms.RevokeGrantInput, _a2 ...request.Option) (*kms.RevokeGrantOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.RevokeGrantOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.RevokeGrantInput, ...request.Option) *kms.RevokeGrantOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.RevokeGrantOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.RevokeGrantInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // ScheduleKeyDeletion provides a mock function with given fields: _a0 func (_m *KMSAPI) ScheduleKeyDeletion(_a0 *kms.ScheduleKeyDeletionInput) (*kms.ScheduleKeyDeletionOutput, error) { ret := _m.Called(_a0) var r0 *kms.ScheduleKeyDeletionOutput if rf, ok := ret.Get(0).(func(*kms.ScheduleKeyDeletionInput) *kms.ScheduleKeyDeletionOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ScheduleKeyDeletionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.ScheduleKeyDeletionInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // ScheduleKeyDeletionRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) ScheduleKeyDeletionRequest(_a0 *kms.ScheduleKeyDeletionInput) (*request.Request, *kms.ScheduleKeyDeletionOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.ScheduleKeyDeletionInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.ScheduleKeyDeletionOutput if rf, ok := ret.Get(1).(func(*kms.ScheduleKeyDeletionInput) *kms.ScheduleKeyDeletionOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.ScheduleKeyDeletionOutput) } } return r0, r1 } // ScheduleKeyDeletionWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) ScheduleKeyDeletionWithContext(_a0 context.Context, _a1 *kms.ScheduleKeyDeletionInput, _a2 ...request.Option) (*kms.ScheduleKeyDeletionOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.ScheduleKeyDeletionOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.ScheduleKeyDeletionInput, ...request.Option) *kms.ScheduleKeyDeletionOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.ScheduleKeyDeletionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.ScheduleKeyDeletionInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // Sign provides a mock function with given fields: _a0 func (_m *KMSAPI) Sign(_a0 *kms.SignInput) (*kms.SignOutput, error) { ret := _m.Called(_a0) var r0 *kms.SignOutput if rf, ok := ret.Get(0).(func(*kms.SignInput) *kms.SignOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.SignOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.SignInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // SignRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) SignRequest(_a0 *kms.SignInput) (*request.Request, *kms.SignOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.SignInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.SignOutput if rf, ok := ret.Get(1).(func(*kms.SignInput) *kms.SignOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.SignOutput) } } return r0, r1 } // SignWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) SignWithContext(_a0 context.Context, _a1 *kms.SignInput, _a2 ...request.Option) (*kms.SignOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.SignOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.SignInput, ...request.Option) *kms.SignOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.SignOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.SignInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // TagResource provides a mock function with given fields: _a0 func (_m *KMSAPI) TagResource(_a0 *kms.TagResourceInput) (*kms.TagResourceOutput, error) { ret := _m.Called(_a0) var r0 *kms.TagResourceOutput if rf, ok := ret.Get(0).(func(*kms.TagResourceInput) *kms.TagResourceOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.TagResourceOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.TagResourceInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // TagResourceRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) TagResourceRequest(_a0 *kms.TagResourceInput) (*request.Request, *kms.TagResourceOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.TagResourceInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.TagResourceOutput if rf, ok := ret.Get(1).(func(*kms.TagResourceInput) *kms.TagResourceOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.TagResourceOutput) } } return r0, r1 } // TagResourceWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) TagResourceWithContext(_a0 context.Context, _a1 *kms.TagResourceInput, _a2 ...request.Option) (*kms.TagResourceOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.TagResourceOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.TagResourceInput, ...request.Option) *kms.TagResourceOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.TagResourceOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.TagResourceInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // UntagResource provides a mock function with given fields: _a0 func (_m *KMSAPI) UntagResource(_a0 *kms.UntagResourceInput) (*kms.UntagResourceOutput, error) { ret := _m.Called(_a0) var r0 *kms.UntagResourceOutput if rf, ok := ret.Get(0).(func(*kms.UntagResourceInput) *kms.UntagResourceOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UntagResourceOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.UntagResourceInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // UntagResourceRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) UntagResourceRequest(_a0 *kms.UntagResourceInput) (*request.Request, *kms.UntagResourceOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.UntagResourceInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.UntagResourceOutput if rf, ok := ret.Get(1).(func(*kms.UntagResourceInput) *kms.UntagResourceOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.UntagResourceOutput) } } return r0, r1 } // UntagResourceWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) UntagResourceWithContext(_a0 context.Context, _a1 *kms.UntagResourceInput, _a2 ...request.Option) (*kms.UntagResourceOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.UntagResourceOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.UntagResourceInput, ...request.Option) *kms.UntagResourceOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UntagResourceOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.UntagResourceInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateAlias provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateAlias(_a0 *kms.UpdateAliasInput) (*kms.UpdateAliasOutput, error) { ret := _m.Called(_a0) var r0 *kms.UpdateAliasOutput if rf, ok := ret.Get(0).(func(*kms.UpdateAliasInput) *kms.UpdateAliasOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.UpdateAliasInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateAliasRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateAliasRequest(_a0 *kms.UpdateAliasInput) (*request.Request, *kms.UpdateAliasOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.UpdateAliasInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.UpdateAliasOutput if rf, ok := ret.Get(1).(func(*kms.UpdateAliasInput) *kms.UpdateAliasOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.UpdateAliasOutput) } } return r0, r1 } // UpdateAliasWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) UpdateAliasWithContext(_a0 context.Context, _a1 *kms.UpdateAliasInput, _a2 ...request.Option) (*kms.UpdateAliasOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.UpdateAliasOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.UpdateAliasInput, ...request.Option) *kms.UpdateAliasOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateAliasOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.UpdateAliasInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateCustomKeyStore provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateCustomKeyStore(_a0 *kms.UpdateCustomKeyStoreInput) (*kms.UpdateCustomKeyStoreOutput, error) { ret := _m.Called(_a0) var r0 *kms.UpdateCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(*kms.UpdateCustomKeyStoreInput) *kms.UpdateCustomKeyStoreOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.UpdateCustomKeyStoreInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateCustomKeyStoreRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateCustomKeyStoreRequest(_a0 *kms.UpdateCustomKeyStoreInput) (*request.Request, *kms.UpdateCustomKeyStoreOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.UpdateCustomKeyStoreInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.UpdateCustomKeyStoreOutput if rf, ok := ret.Get(1).(func(*kms.UpdateCustomKeyStoreInput) *kms.UpdateCustomKeyStoreOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.UpdateCustomKeyStoreOutput) } } return r0, r1 } // UpdateCustomKeyStoreWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) UpdateCustomKeyStoreWithContext(_a0 context.Context, _a1 *kms.UpdateCustomKeyStoreInput, _a2 ...request.Option) (*kms.UpdateCustomKeyStoreOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.UpdateCustomKeyStoreOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.UpdateCustomKeyStoreInput, ...request.Option) *kms.UpdateCustomKeyStoreOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateCustomKeyStoreOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.UpdateCustomKeyStoreInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateKeyDescription provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateKeyDescription(_a0 *kms.UpdateKeyDescriptionInput) (*kms.UpdateKeyDescriptionOutput, error) { ret := _m.Called(_a0) var r0 *kms.UpdateKeyDescriptionOutput if rf, ok := ret.Get(0).(func(*kms.UpdateKeyDescriptionInput) *kms.UpdateKeyDescriptionOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateKeyDescriptionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.UpdateKeyDescriptionInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // UpdateKeyDescriptionRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdateKeyDescriptionRequest(_a0 *kms.UpdateKeyDescriptionInput) (*request.Request, *kms.UpdateKeyDescriptionOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.UpdateKeyDescriptionInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.UpdateKeyDescriptionOutput if rf, ok := ret.Get(1).(func(*kms.UpdateKeyDescriptionInput) *kms.UpdateKeyDescriptionOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.UpdateKeyDescriptionOutput) } } return r0, r1 } // UpdateKeyDescriptionWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) UpdateKeyDescriptionWithContext(_a0 context.Context, _a1 *kms.UpdateKeyDescriptionInput, _a2 ...request.Option) (*kms.UpdateKeyDescriptionOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.UpdateKeyDescriptionOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.UpdateKeyDescriptionInput, ...request.Option) *kms.UpdateKeyDescriptionOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdateKeyDescriptionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.UpdateKeyDescriptionInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // UpdatePrimaryRegion provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdatePrimaryRegion(_a0 *kms.UpdatePrimaryRegionInput) (*kms.UpdatePrimaryRegionOutput, error) { ret := _m.Called(_a0) var r0 *kms.UpdatePrimaryRegionOutput if rf, ok := ret.Get(0).(func(*kms.UpdatePrimaryRegionInput) *kms.UpdatePrimaryRegionOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdatePrimaryRegionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.UpdatePrimaryRegionInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // UpdatePrimaryRegionRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) UpdatePrimaryRegionRequest(_a0 *kms.UpdatePrimaryRegionInput) (*request.Request, *kms.UpdatePrimaryRegionOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.UpdatePrimaryRegionInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.UpdatePrimaryRegionOutput if rf, ok := ret.Get(1).(func(*kms.UpdatePrimaryRegionInput) *kms.UpdatePrimaryRegionOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.UpdatePrimaryRegionOutput) } } return r0, r1 } // UpdatePrimaryRegionWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) UpdatePrimaryRegionWithContext(_a0 context.Context, _a1 *kms.UpdatePrimaryRegionInput, _a2 ...request.Option) (*kms.UpdatePrimaryRegionOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.UpdatePrimaryRegionOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.UpdatePrimaryRegionInput, ...request.Option) *kms.UpdatePrimaryRegionOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.UpdatePrimaryRegionOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.UpdatePrimaryRegionInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // Verify provides a mock function with given fields: _a0 func (_m *KMSAPI) Verify(_a0 *kms.VerifyInput) (*kms.VerifyOutput, error) { ret := _m.Called(_a0) var r0 *kms.VerifyOutput if rf, ok := ret.Get(0).(func(*kms.VerifyInput) *kms.VerifyOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.VerifyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.VerifyInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // VerifyMac provides a mock function with given fields: _a0 func (_m *KMSAPI) VerifyMac(_a0 *kms.VerifyMacInput) (*kms.VerifyMacOutput, error) { ret := _m.Called(_a0) var r0 *kms.VerifyMacOutput if rf, ok := ret.Get(0).(func(*kms.VerifyMacInput) *kms.VerifyMacOutput); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.VerifyMacOutput) } } var r1 error if rf, ok := ret.Get(1).(func(*kms.VerifyMacInput) error); ok { r1 = rf(_a0) } else { r1 = ret.Error(1) } return r0, r1 } // VerifyMacRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) VerifyMacRequest(_a0 *kms.VerifyMacInput) (*request.Request, *kms.VerifyMacOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.VerifyMacInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.VerifyMacOutput if rf, ok := ret.Get(1).(func(*kms.VerifyMacInput) *kms.VerifyMacOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.VerifyMacOutput) } } return r0, r1 } // VerifyMacWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) VerifyMacWithContext(_a0 context.Context, _a1 *kms.VerifyMacInput, _a2 ...request.Option) (*kms.VerifyMacOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.VerifyMacOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.VerifyMacInput, ...request.Option) *kms.VerifyMacOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.VerifyMacOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.VerifyMacInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } // VerifyRequest provides a mock function with given fields: _a0 func (_m *KMSAPI) VerifyRequest(_a0 *kms.VerifyInput) (*request.Request, *kms.VerifyOutput) { ret := _m.Called(_a0) var r0 *request.Request if rf, ok := ret.Get(0).(func(*kms.VerifyInput) *request.Request); ok { r0 = rf(_a0) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*request.Request) } } var r1 *kms.VerifyOutput if rf, ok := ret.Get(1).(func(*kms.VerifyInput) *kms.VerifyOutput); ok { r1 = rf(_a0) } else { if ret.Get(1) != nil { r1 = ret.Get(1).(*kms.VerifyOutput) } } return r0, r1 } // VerifyWithContext provides a mock function with given fields: _a0, _a1, _a2 func (_m *KMSAPI) VerifyWithContext(_a0 context.Context, _a1 *kms.VerifyInput, _a2 ...request.Option) (*kms.VerifyOutput, error) { _va := make([]interface{}, len(_a2)) for _i := range _a2 { _va[_i] = _a2[_i] } var _ca []interface{} _ca = append(_ca, _a0, _a1) _ca = append(_ca, _va...) ret := _m.Called(_ca...) var r0 *kms.VerifyOutput if rf, ok := ret.Get(0).(func(context.Context, *kms.VerifyInput, ...request.Option) *kms.VerifyOutput); ok { r0 = rf(_a0, _a1, _a2...) } else { if ret.Get(0) != nil { r0 = ret.Get(0).(*kms.VerifyOutput) } } var r1 error if rf, ok := ret.Get(1).(func(context.Context, *kms.VerifyInput, ...request.Option) error); ok { r1 = rf(_a0, _a1, _a2...) } else { r1 = ret.Error(1) } return r0, r1 } 07070100000085000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/logging07070100000086000081A400000000000000000000000162794F9300000467000000000000000000000000000000000000001E00000000sops-3.7.3/logging/logging.gopackage logging import ( "fmt" "github.com/fatih/color" "github.com/sirupsen/logrus" ) func init() { Loggers = make(map[string]*logrus.Logger) } // TextFormatter extends the standard logrus TextFormatter and adds a field to specify the logger's name type TextFormatter struct { LoggerName string logrus.TextFormatter } // Format formats a log entry onto bytes func (f *TextFormatter) Format(entry *logrus.Entry) ([]byte, error) { bytes, err := f.TextFormatter.Format(entry) name := color.New(color.Bold).Sprintf("[%s]", f.LoggerName) return []byte(fmt.Sprintf("%s\t %s", name, bytes)), err } // NewLogger is the constructor for a new Logger object with the given name func NewLogger(name string) *logrus.Logger { log := logrus.New() log.SetLevel(logrus.WarnLevel) log.Formatter = &TextFormatter{ LoggerName: name, } Loggers[name] = log return log } // SetLevel sets the given level for all current Loggers func SetLevel(level logrus.Level) { for k := range Loggers { Loggers[k].SetLevel(level) } } // Loggers is the runtime map of logger name to logger object var Loggers map[string]*logrus.Logger 07070100000087000081A400000000000000000000000162794F9300000270000000000000000000000000000000000000002100000000sops-3.7.3/make_download_page.sh#!/usr/bin/env bash [ ! -d dist ] && mkdir dist echo -e "<html>\n<head><title>Sops download page></title>\n<body>\n<h1>Sops download page</h1>\n<h2><a href="https://go.mozilla.org/sops/">go.mozilla.org/sops</a></h2>\n<table>" > index.html IFS=$'\n' for dist in $(aws s3 ls s3://go.mozilla.org/sops/dist/ | grep -P "deb|rpm"); do ts=$(echo $dist|awk '{print $1,$2}') size=$(echo $dist|awk '{print $3}') pkg=$(echo $dist|awk '{print $4}') echo -e "<tr><td>$ts</td><td>$size</td><td><a href=\"https://go.mozilla.org/sops/dist/$pkg\">$pkg</a></td></tr>" >> index.html done echo -e "</table>\n</body>\n</html>" >> index.html 07070100000088000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000000F00000000sops-3.7.3/pgp07070100000089000081A400000000000000000000000162794F930000296E000000000000000000000000000000000000001C00000000sops-3.7.3/pgp/keysource.go/* Package pgp contains an implementation of the go.mozilla.org/sops/v3.MasterKey interface that encrypts and decrypts the data key by first trying with the github.com/ProtonMail/go-crypto/openpgp package and if that fails, by calling the "gpg" binary. */ package pgp //import "go.mozilla.org/sops/v3/pgp" import ( "bytes" "encoding/hex" "fmt" "io/ioutil" "net/http" "os" "os/exec" "os/user" "path" "strings" "time" "github.com/ProtonMail/go-crypto/openpgp" "github.com/ProtonMail/go-crypto/openpgp/armor" "github.com/howeyc/gopass" "github.com/sirupsen/logrus" gpgagent "go.mozilla.org/gopgagent" "go.mozilla.org/sops/v3/logging" ) var log *logrus.Logger func init() { log = logging.NewLogger("PGP") } // MasterKey is a PGP key used to securely store sops' data key by encrypting it and decrypting it type MasterKey struct { Fingerprint string EncryptedKey string CreationDate time.Time } // EncryptedDataKey returns the encrypted data key this master key holds func (key *MasterKey) EncryptedDataKey() []byte { return []byte(key.EncryptedKey) } // SetEncryptedDataKey sets the encrypted data key for this master key func (key *MasterKey) SetEncryptedDataKey(enc []byte) { key.EncryptedKey = string(enc) } func gpgBinary() string { binary := "gpg" if envBinary := os.Getenv("SOPS_GPG_EXEC"); envBinary != "" { binary = envBinary } return binary } func (key *MasterKey) encryptWithGPGBinary(dataKey []byte) error { fingerprint := key.Fingerprint if offset := len(fingerprint) - 16; offset > 0 { fingerprint = fingerprint[offset:] } args := []string{ "--no-default-recipient", "--yes", "--encrypt", "-a", "-r", key.Fingerprint, "--trusted-key", fingerprint, "--no-encrypt-to", } cmd := exec.Command(gpgBinary(), args...) var stdout, stderr bytes.Buffer cmd.Stdin = bytes.NewReader(dataKey) cmd.Stdout = &stdout cmd.Stderr = &stderr err := cmd.Run() if err != nil { return fmt.Errorf("gpg binary failed with error: %s, %s", err, stderr.String()) } key.EncryptedKey = stdout.String() return nil } func getKeyFromKeyServer(fingerprint string) (openpgp.Entity, error) { log.Warn("Deprecation Warning: GPG key fetching from a keyserver within sops will be removed in a future version of sops. See https://github.com/mozilla/sops/issues/727 for more information.") url := fmt.Sprintf("https://keys.openpgp.org/vks/v1/by-fingerprint/%s", fingerprint) resp, err := http.Get(url) if err != nil { return openpgp.Entity{}, fmt.Errorf("error getting key from keyserver: %s", err) } defer resp.Body.Close() if resp.StatusCode != 200 { return openpgp.Entity{}, fmt.Errorf("keyserver returned non-200 status code %s", resp.Status) } ents, err := openpgp.ReadArmoredKeyRing(resp.Body) if err != nil { return openpgp.Entity{}, fmt.Errorf("could not read entities: %s", err) } return *ents[0], nil } func (key *MasterKey) getPubKey() (openpgp.Entity, error) { ring, err := key.pubRing() if err == nil { fingerprints := key.fingerprintMap(ring) entity, ok := fingerprints[key.Fingerprint] if ok { return entity, nil } } entity, err := getKeyFromKeyServer(key.Fingerprint) if err != nil { return openpgp.Entity{}, fmt.Errorf("key with fingerprint %s is not available "+ "in keyring and could not be retrieved from keyserver", key.Fingerprint) } return entity, nil } func (key *MasterKey) encryptWithCryptoOpenPGP(dataKey []byte) error { entity, err := key.getPubKey() if err != nil { return err } encbuf := new(bytes.Buffer) armorbuf, err := armor.Encode(encbuf, "PGP MESSAGE", nil) if err != nil { return err } plaintextbuf, err := openpgp.Encrypt(armorbuf, []*openpgp.Entity{&entity}, nil, &openpgp.FileHints{IsBinary: true}, nil) if err != nil { return err } _, err = plaintextbuf.Write(dataKey) if err != nil { return err } err = plaintextbuf.Close() if err != nil { return err } err = armorbuf.Close() if err != nil { return err } bytes, err := ioutil.ReadAll(encbuf) if err != nil { return err } key.EncryptedKey = string(bytes) return nil } // Encrypt encrypts the data key with the PGP key with the same fingerprint as the MasterKey. It looks for PGP public keys in $PGPHOME/pubring.gpg. func (key *MasterKey) Encrypt(dataKey []byte) error { openpgpErr := key.encryptWithCryptoOpenPGP(dataKey) if openpgpErr == nil { log.WithField("fingerprint", key.Fingerprint).Info("Encryption succeeded") return nil } binaryErr := key.encryptWithGPGBinary(dataKey) if binaryErr == nil { log.WithField("fingerprint", key.Fingerprint).Info("Encryption succeeded") return nil } log.WithField("fingerprint", key.Fingerprint).Info("Encryption failed") return fmt.Errorf( `could not encrypt data key with PGP key: github.com/ProtonMail/go-crypto/openpgp error: %v; GPG binary error: %v`, openpgpErr, binaryErr) } // EncryptIfNeeded encrypts the data key with PGP only if it's needed, that is, if it hasn't been encrypted already func (key *MasterKey) EncryptIfNeeded(dataKey []byte) error { if key.EncryptedKey == "" { return key.Encrypt(dataKey) } return nil } func (key *MasterKey) decryptWithGPGBinary() ([]byte, error) { args := []string{ "--use-agent", "-d", } cmd := exec.Command(gpgBinary(), args...) var stdout, stderr bytes.Buffer cmd.Stdin = strings.NewReader(key.EncryptedKey) cmd.Stdout = &stdout cmd.Stderr = &stderr err := cmd.Run() if err != nil { return nil, err } return stdout.Bytes(), nil } func (key *MasterKey) decryptWithCryptoOpenpgp() ([]byte, error) { ring, err := key.secRing() if err != nil { return nil, fmt.Errorf("Could not load secring: %s", err) } block, err := armor.Decode(strings.NewReader(key.EncryptedKey)) if err != nil { return nil, fmt.Errorf("Armor decoding failed: %s", err) } md, err := openpgp.ReadMessage(block.Body, ring, key.passphrasePrompt(), nil) if err != nil { return nil, fmt.Errorf("Reading PGP message failed: %s", err) } if b, err := ioutil.ReadAll(md.UnverifiedBody); err == nil { return b, nil } return nil, fmt.Errorf("The key could not be decrypted with any of the PGP entries") } // Decrypt uses PGP to obtain the data key from the EncryptedKey store in the MasterKey and returns it func (key *MasterKey) Decrypt() ([]byte, error) { dataKey, openpgpErr := key.decryptWithCryptoOpenpgp() if openpgpErr == nil { log.WithField("fingerprint", key.Fingerprint).Info("Decryption succeeded") return dataKey, nil } dataKey, binaryErr := key.decryptWithGPGBinary() if binaryErr == nil { log.WithField("fingerprint", key.Fingerprint).Info("Decryption succeeded") return dataKey, nil } log.WithField("fingerprint", key.Fingerprint).Info("Decryption failed") return nil, fmt.Errorf( `could not decrypt data key with PGP key: github.com/ProtonMail/go-crypto/openpgp error: %v; GPG binary error: %v`, openpgpErr, binaryErr) } // NeedsRotation returns whether the data key needs to be rotated or not func (key *MasterKey) NeedsRotation() bool { return time.Since(key.CreationDate).Hours() > 24*30*6 } // ToString returns the string representation of the key, i.e. its fingerprint func (key *MasterKey) ToString() string { return key.Fingerprint } func (key *MasterKey) gpgHome() string { dir := os.Getenv("GNUPGHOME") if dir == "" { usr, err := user.Current() if err != nil { return path.Join(os.Getenv("HOME"), "/.gnupg") } return path.Join(usr.HomeDir, ".gnupg") } return dir } // NewMasterKeyFromFingerprint takes a PGP fingerprint and returns a new MasterKey with that fingerprint func NewMasterKeyFromFingerprint(fingerprint string) *MasterKey { return &MasterKey{ Fingerprint: strings.Replace(fingerprint, " ", "", -1), CreationDate: time.Now().UTC(), } } // MasterKeysFromFingerprintString takes a comma separated list of PGP fingerprints and returns a slice of new MasterKeys with those fingerprints func MasterKeysFromFingerprintString(fingerprint string) []*MasterKey { var keys []*MasterKey if fingerprint == "" { return keys } for _, s := range strings.Split(fingerprint, ",") { keys = append(keys, NewMasterKeyFromFingerprint(s)) } return keys } func (key *MasterKey) loadRing(path string) (openpgp.EntityList, error) { f, err := os.Open(path) if err != nil { return openpgp.EntityList{}, err } defer f.Close() keyring, err := openpgp.ReadKeyRing(f) if err != nil { return keyring, err } return keyring, nil } func (key *MasterKey) secRing() (openpgp.EntityList, error) { return key.loadRing(key.gpgHome() + "/secring.gpg") } func (key *MasterKey) pubRing() (openpgp.EntityList, error) { return key.loadRing(key.gpgHome() + "/pubring.gpg") } func (key *MasterKey) fingerprintMap(ring openpgp.EntityList) map[string]openpgp.Entity { fps := make(map[string]openpgp.Entity) for _, entity := range ring { fp := strings.ToUpper(hex.EncodeToString(entity.PrimaryKey.Fingerprint[:])) if entity != nil { fps[fp] = *entity } } return fps } func (key *MasterKey) passphrasePrompt() func(keys []openpgp.Key, symmetric bool) ([]byte, error) { callCounter := 0 maxCalls := 3 return func(keys []openpgp.Key, symmetric bool) ([]byte, error) { if callCounter >= maxCalls { return nil, fmt.Errorf("function passphrasePrompt called too many times") } callCounter++ conn, err := gpgagent.NewConn() if err == gpgagent.ErrNoAgent { log.Infof("gpg-agent not found, continuing with manual passphrase " + "input...") fmt.Print("Enter PGP key passphrase: ") pass, err := gopass.GetPasswd() if err != nil { return nil, err } for _, k := range keys { k.PrivateKey.Decrypt(pass) } return pass, err } if err != nil { return nil, fmt.Errorf("Could not establish connection with gpg-agent: %s", err) } defer conn.Close() for _, k := range keys { req := gpgagent.PassphraseRequest{ CacheKey: k.PublicKey.KeyIdShortString(), Prompt: "Passphrase", Desc: fmt.Sprintf("Unlock key %s to decrypt sops's key", k.PublicKey.KeyIdShortString()), } pass, err := conn.GetPassphrase(&req) if err != nil { return nil, fmt.Errorf("gpg-agent passphrase request errored: %s", err) } k.PrivateKey.Decrypt([]byte(pass)) return []byte(pass), nil } return nil, fmt.Errorf("No key to unlock") } } // ToMap converts the MasterKey into a map for serialization purposes func (key MasterKey) ToMap() map[string]interface{} { out := make(map[string]interface{}) out["fp"] = key.Fingerprint out["created_at"] = key.CreationDate.UTC().Format(time.RFC3339) out["enc"] = key.EncryptedKey return out } 0707010000008A000081A400000000000000000000000162794F93000005F2000000000000000000000000000000000000002100000000sops-3.7.3/pgp/keysource_test.gopackage pgp import ( "bytes" "testing" "testing/quick" "github.com/stretchr/testify/assert" ) func TestPGP(t *testing.T) { key := NewMasterKeyFromFingerprint("FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4") f := func(x []byte) bool { if x == nil || len(x) == 0 { return true } if err := key.Encrypt(x); err != nil { t.Errorf("Failed to encrypt: %#v err: %w", x, err) return false } k, err := key.Decrypt() if err != nil { t.Errorf("Failed to decrypt: %#v err: %w", x, err) return false } return bytes.Equal(x, k) } if err := quick.Check(f, nil); err != nil { t.Error(err) } } func TestPGPKeySourceFromString(t *testing.T) { s := "C8C5 2C0A B2A4 8174 01E8 12C8 F3CC 3233 3FAD 9F1E, C8C5 2C0A B2A4 8174 01E8 12C8 F3CC 3233 3FAD 9F1E" ks := MasterKeysFromFingerprintString(s) expected := "C8C52C0AB2A4817401E812C8F3CC32333FAD9F1E" if ks[0].Fingerprint != expected { t.Errorf("Fingerprint does not match. Got %s, expected %s", ks[0].Fingerprint, expected) } if ks[1].Fingerprint != expected { t.Error("Fingerprint does not match") } } func TestRetrievePGPKey(t *testing.T) { // Requires a key available in https://keys.openpgp.org/ *with identity information* (that is, an email address). // See https://keys.openpgp.org/about/faq#verify-multiple for details about identity information. // We use the key of release@mozilla.com for here. fingerprint := "14F26682D0916CDD81E37B6D61B7B526D98F0353" _, err := getKeyFromKeyServer(fingerprint) assert.NoError(t, err) } 0707010000008B000081A400000000000000000000000162794F9300002861000000000000000000000000000000000000002D00000000sops-3.7.3/pgp/sops_functional_tests_key.asc-----BEGIN PGP PRIVATE KEY BLOCK----- lQOYBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ 6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl 3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAEAB/0Z8kQSlkzE97QhXm0g /PQuaVCdY9UJeSMBXTvDZhBhAcLf6yZLStq1uz4sIiWm6+ZcX8mXQ9b90fMceoaK sVxiYYaEcCXgu5zcuMTu8xRWK30bzjkARrDjEByZFNLrr/yzO3KKWvdVAToou77N xLxct4df+46vEMs/DOulDUkxBOjlkprlq8xSG/6vuo7rJKUylsS4s5+y+EJCfm0m 8C94IIOt42ANObDUziUHCFNhCKSUs92rL7HXfcMG6L16UrSpJ3yLNvTI34PgRydv ppu6DAFNeqsJ6oINSWXEqjfMHK7Ly9oyF2bkB2VKoapAdz6YGJydrODhFrThcuJk +pY9BADKnXtYvDRPoTsfRYgZewtBxf3ccGUjoS9YCC3salWuPEWnal2yI0YRwZNE iirOFGKH6jh/fxtFZNPXuYb7MJzFqVOcARz6USCvR1va2kMZzQEOKwxOXqIYYMVh Uwz9++QugqcBLHw9YUFmH/DsRaL4zP4H8cX5O1TALFo3aC/EHQQA5VzUDupcpRLP gF6dCgT2GyajgRoUFU7Brq82+HJDBDhHMB+3VWJhsC9DkTMh/RtPOuLb41K0OZ// acoXo0QjsLsBx+hNqWC0oosqaoXiUyhbmEukvlURm5uHThX9n5BZIKhiCft/NYNO yb+OBgYFHN11BMUVyhMR7be2mlJ4EMMD/jd9WQIoHQQ6BKMNOlc6BGu4KsMv/+fF KV4xnJKrWjJxwri0FsOYLS2qkgbSAXjxLqZWx4UylmJh1HSAyjTghY0zQEf2oDKd 0DKN8Y42aawh1AolIfDbYOampw5tBzI2/WYOksGRFCwjCidL3pNd03W9dBmNbBRc tVKLG/kt4JwCL0y0U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMSAoaHR0cHM6 Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+ iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwMFCwkIBwIG FQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJzgbTDcQf7Bp7e2zY9pBBXTgDASQl3 1SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDlobc6O8/06foxWctTUaaciPBo2+je WFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91rvta2wYF1XJBgxpui9aLICsCptFN IRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+ERtmvmisiE/m20UpbYRmkBJy25c89 Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+DZBIpryi0xQqExGAlYqck7G03F+AD 7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo1pp3gBU4swds9yO9wNe12JY/M5A/ BJ0DmARdaEFdAQgAtun8JhSpNAKvOXwWX2nFhnMXTJp4viMhlAZEdmMXEi27B2DM /nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpChvRaGuCOpYqOuSQvD8FnX0NgQULwu TZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUnPgyAIESajPdowEkEjdYt261fGOLL cVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9DveBUBQGdqkgWXjS5BKcae07viC6x Ma9AJS4pizyDALB2k0HQOelZNihOGXYUuvkcs2Fivl0Tk3OCfH9XDvFehbYRHmkR DoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp19QARAQABAAf7BX7YLYi3YLGn9BEv VuSFo7l3fLyzXfsOOjVJ/0iQ2+H12Y3l+ssi4eCntb40IjDMIHv5JwjfKNSfUwkn 5diMk3LGz2d64lTKmrU4yNLaMhMbwmE0/u4JOPoXbJZWLd3lyBeTpTiY3R9pgG8V IGfA+xNDEjUdc5jHU+edtGk37X6l6uL3OANS/MyTRdVNr28Gv/upXmJs/NbvTost 1hsU89gaDjkfsWhdhiuCHR9bqoyot/Vgvpt1NxzfV4SQGVFeph8yCGvSRBS8zXuZ FtmzACs0j2aOMSucAGogEoD158OpXSNfdmZ1nCswlo1yqP6+ir8mr2DTRgMtxPQa N49b4QQAxVTwRZ6+qiSCz/GJPq7qASGG4RIr87gPzxaHmznQhKIx6LEMjX/+NU6c 94A8aZY/oN7f3rr8apIA+cAHbAwFGpbc7ke1Cgy/m/eJZNUxWPT/YBjZ4V+41Uat viGrbmS9B4QulOpF2Ng6LcOc4dggxTPAW/CYd5T2FImr1qYjjWkEAO1Lss00LY5o 5I4QqgM0OeeBEOO8LiSDmjKgOvtsmJ6+dA4x3rYgI8smFMsvtyrcb75k6EdZazgN YSI4sU3WceWbrtdVr1glP38CBMupnFvg8KwbjSFV8vNqVBHCXShUxnHmlOW+UVqy CxjJf0RTOhLEY5DIRwQB0H8P30dYOfatBADaGIbs/6+1RulKpHwW/c3+XOlaTZrT UhNjuccj7Y9IspYD+6crNkQvAri60AoDfIiO5aTk8rSYpGwB1vEmnUVmNPvRF958 GV3pyCOv/pkmnpS+4w+akiJsSHX3jqqp5fb/xd6ukUX95VgSymuJ+ya49G8B0jj6 bw7B4S2M39+Xdkg2iQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1o QV0CGwwACgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFr rydYItTEhxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNH g7VUpSSaiTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNH NfM+kLAiUPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4 ZG6FybJtcjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLD gLk//M3qDixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== =VjGL -----END PGP PRIVATE KEY BLOCK----- -----BEGIN PGP PRIVATE KEY BLOCK----- lQHYBF1oQYgBBADPuVP6Jdk/J/TbNa9dXirp/zzwK18ZqNudNqQGN3H+2aSgxXwL wlRfzy7rB3CU6Ewjzk9EVYeYztTIkGHL0JZ1CCTiBJArlHO0bHQQ7CPeKPkhIhkj eA8yu9dcU77oYC2xbwgf43KYzfMKSGEybg+sBO+bH+Y6paJK54V2cuS3GwARAQAB AAP+Jjf5BXtVP1OAr5xvCYS77JWzhpTUSIpS7dgR0br91GAC9DmhmyBEGeSqwz95 LUyYRbY9y1rZOfpEGCrIc5GLPOQytO9XMIzaS3dpzfGhla/spaKN4vJDvIOl+ruT bInDdCRSmqXCfm2478OhOquc0H0a46eSmoaYeKdE3E8QZiECANxUL/dFk5j8NyPo ZcwXw9Mv0A8UrynRcqht3Scti9k7dbsHylcObM305LFdcoNnSfNAIJhxfjbiXyGW vwT2/qMCAPFatq3gvVjy6wKKylioi5cVwbLv9L+OaRXdR/Dy2bh/t3ujnsliV4+R f7k3rHOQeaMLTnyfcz8AenL5IOe8RSkCANFpBgyzxCcV48Mm+FWDxjrSJ4/msRnN gxqAPRrdpm7e1uebtBkPh4ch4oCW5/lLsRN23LUVIXYJRwyFfRjehCio0rRTU09Q UyBGdW5jdGlvbmFsIFRlc3RzIEtleSAyIChodHRwczovL2dpdGh1Yi5jb20vbW96 aWxsYS9zb3BzLykgPHNlY29wc0Btb3ppbGxhLmNvbT6IzgQTAQgAOBYhBNcikEM4 S8xgMmxvudhyDZV8PTB0BQJdaEGIAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA AAoJENhyDZV8PTB0R2cD/2YwaJ43iGueaAzByFnl+mUEBQJ4HhH4p7BIdx6B9AjE 3yLe8I4dqqYXxyZzaJ9d+KiqxJBT0l1GXt3H5M32yDJZqzXB9PTWP3yx8+Q1CuCs 7EL/bhJD1/sLdumVc77bmQtcI9NSiYyPzN/2ZqtV5RU14Loh24VFEjuHGvO0jI3+ nQHYBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwVZKe1 D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ04Or BjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwARAQAB AAP+L0wUQeOfsD0+gv8khyPJTJZOD1pxQ6NYKLcXF8rG0+vQnECha098YKNKAXTp kfVU8795iQYIKcQQ6Hl2O1fj1AxJE/iZYrqfm7UZz3bQ7ROSsAEPZ5GDOjKfbwsz E6bWVH+PhS1azlvtTs9JezUtK0Wl9s+81FOrZtnUUskmWtECAMNNs9ujUt6GHv/J NXVaSmk1z8QXitPHbAJLDMj4xVDysJWZV95eplC+RUSiLz5HeP2AQgh1D9Rv2bA5 c7OcJ3kCANOEkA0hVpXCI0FKrsihOf0NUOaAtS6CQNFlaIkrLwssJQY8pGYbRfRa 3krNJPyOlXmezV2/CsX3EqA9KXXen5cB/iSmMJO4WndGJTe7YzUEnnY/P2TKg1fN s6v5Lf39j5Ll8V5rVDT7ApAw0IKS8fzpbdHP0HcizutlF6l44YaAXMGfhoi2BBgB CAAgFiEE1yKQQzhLzGAybG+52HINlXw9MHQFAl1oQYgCGwwACgkQ2HINlXw9MHTD HwQAv+ui718AT2hw2pK9JaNuTxjllrH+KPMlrov0P8oXHPCohC5cxM5sJ6tCQ0qH XyeWoDE8V31btqFVAQyrr0wy0gntl1L/trnwMHoP8a/xa0RHNk5C7hmcuhTHbQey JNbiRJZpCIZ1OyrF17+q6u9YBPjwqp8KrJ/0ryy2kyb7ZRM= =+tJ6 -----END PGP PRIVATE KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF1oQV0BCAC1iFfE7H3uu0hbWbRYVMoz5zZ91ACHETCOMVxN8GOG4SV0l8aQ wmK9QWkYxhi52LnicVD3D7Uy75+J3zkvEDQ15C0AZ8UHXp4JlSQuXpFhrOhfYUF/ 6pr/QexT+hQjOacvY4qfnj4xKa/AGdv5vPIygtQumE6r3GhEVAxQ1GSwtCWSU3Zl 3Uqf7S8kDvJTemtR2UkVfpXcMd4AmMKgt7fVhPO8eFotqTLPvz/iClzER+q61fLA d1rP9YlmY46MJp/PffPicWdJiKv2i6ynKcIwkrQyP6V2ZzYi/gAhNJst3ZlMfsiN ekCtcow9Bn44uxW3U8W02FNQSNyn6V6QPDIXABEBAAG0U1NPUFMgRnVuY3Rpb25h bCBUZXN0cyBLZXkgMSAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEE+8e54qT5KJrAwdSEPRbO 5KJzgbQFAl1oQV0CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQPRbO5KJz gbTDcQf7Bp7e2zY9pBBXTgDASQl31SSHp9WkRUV5iqPVC9iPCELggteBGMwIpbDl obc6O8/06foxWctTUaaciPBo2+jeWFTO+DNvB7oXIArqr5673QHLh6jEABBjyt91 rvta2wYF1XJBgxpui9aLICsCptFNIRvHeKUrXBI4fG5z3CDs/EOoY8K/AAYJUF+E RtmvmisiE/m20UpbYRmkBJy25c89Wcn12I1SUJA3H3hGwvZCYp8hY1HPxxQUtU+D ZBIpryi0xQqExGAlYqck7G03F+AD7/csaT1LEdCtWRLNwE8UkvfUF6liF0SgzxFo 1pp3gBU4swds9yO9wNe12JY/M5A/BLkBDQRdaEFdAQgAtun8JhSpNAKvOXwWX2nF hnMXTJp4viMhlAZEdmMXEi27B2DM/nRzldjxGZoNUBSVbJNj2kx5ZUDl0o6eOpCh vRaGuCOpYqOuSQvD8FnX0NgQULwuTZ+MawsaezktJEjDSBM1R6uASeJwDZj4hcUn PgyAIESajPdowEkEjdYt261fGOLLcVoVdtqzOMBkLVdrK/FD1kGR9jnSlKEYDV9D veBUBQGdqkgWXjS5BKcae07viC6xMa9AJS4pizyDALB2k0HQOelZNihOGXYUuvkc s2Fivl0Tk3OCfH9XDvFehbYRHmkRDoMuKUDSzdy6tFBAkL0CPlXAWI6kQklaBEp1 9QARAQABiQE2BBgBCAAgFiEE+8e54qT5KJrAwdSEPRbO5KJzgbQFAl1oQV0CGwwA CgkQPRbO5KJzgbS7zwgAndbf532OXo9HwPH+yQQmzQCLDFL6P4V7LcFrrydYItTE hxqI3tbb96MKXRAt+G5Mw6JjRkWhwzbU3jE7D7XBMHw7GriTTU9QltNHg7VUpSSa iTfVcSNErzsaqbjbA7jMs7VWzOq4LZo6Efy8UDKg5qcqLFaTQrzQZYNHNfM+kLAi UPU8m7vwmz6oJWsjHkQKUhKhHptlpwMwdHkoacqDO0x2H6H91l/PnDm4ZG6FybJt cjr98i+p52/XOo81nLgX7tcFS3nrN9HNdgKg1ZW3yrzg8NOaFCVA8qLDgLk//M3q DixOxiurECkFrMvt/bDxEGpN5GVy550MmyUZQrkuqg== =Zs2s -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK----- mI0EXWhBiAEEAM+5U/ol2T8n9Ns1r11eKun/PPArXxmo2502pAY3cf7ZpKDFfAvC VF/PLusHcJToTCPOT0RVh5jO1MiQYcvQlnUIJOIEkCuUc7RsdBDsI94o+SEiGSN4 DzK711xTvuhgLbFvCB/jcpjN8wpIYTJuD6wE75sf5jqlokrnhXZy5LcbABEBAAG0 U1NPUFMgRnVuY3Rpb25hbCBUZXN0cyBLZXkgMiAoaHR0cHM6Ly9naXRodWIuY29t L21vemlsbGEvc29wcy8pIDxzZWNvcHNAbW96aWxsYS5jb20+iM4EEwEIADgWIQTX IpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbAwULCQgHAgYVCgkICwIEFgIDAQIe AQIXgAAKCRDYcg2VfD0wdEdnA/9mMGieN4hrnmgMwchZ5fplBAUCeB4R+KewSHce gfQIxN8i3vCOHaqmF8cmc2ifXfioqsSQU9JdRl7dx+TN9sgyWas1wfT01j98sfPk NQrgrOxC/24SQ9f7C3bplXO+25kLXCPTUomMj8zf9marVeUVNeC6IduFRRI7hxrz tIyN/riNBF1oQYgBBAChXi00fmpEs0Jiq0zOyYm9i749VoOsNReoB/5ix1QCimwV ZKe1D37IP5Qqysxy+LIQc4lJ+Q8foNOx1Aev5+TDyv+iU82D9xr9uPLLbA82k3AZ 04OrBjrZ/Yt1NZhuaHzciZCPpmqzF9kqVqAZc+vMiKZL1WZjS7O1FwaidY1vXwAR AQABiLYEGAEIACAWIQTXIpBDOEvMYDJsb7nYcg2VfD0wdAUCXWhBiAIbDAAKCRDY cg2VfD0wdMMfBAC/66LvXwBPaHDakr0lo25PGOWWsf4o8yWui/Q/yhcc8KiELlzE zmwnq0JDSodfJ5agMTxXfVu2oVUBDKuvTDLSCe2XUv+2ufAweg/xr/FrREc2TkLu GZy6FMdtB7Ik1uJElmkIhnU7KsXXv6rq71gE+PCqnwqsn/SvLLaTJvtlEw== =PafV -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF1oQaYBCADsCw223WDj2ISnkZQJ07NS7ER/ft2Tz6FPzsMqz5JmGlwQantH MzjqNGE5du1TBK+yCIuzn+P/iokmOdFjkH20OHHCEmgBQPQ2WxpR4Bc/jDvswoL2 2amknIYStf+SgCwtNPT51RS7/5brN5pVn4GjDYg+IRLk33bxz1kN3933olkMFHJF hrr1rcE1uxt3j2CEPzfKAUyviKXkSl41IAopE2e69zsVg0YaensTnE/hY45r1q0W ABXoJLg4H6UtHZWWGg7vmtQYCpiiUIaWZ3YB449Ur4jxXeIZPUqhliqOoUk8a7En 1ZC1hGLw0jaENeaHywVGi9ZqABmOVYmvItI3ABEBAAG0U1NPUFMgRnVuY3Rpb25h bCBUZXN0cyBLZXkgMyAoaHR0cHM6Ly9naXRodWIuY29tL21vemlsbGEvc29wcy8p IDxzZWNvcHNAbW96aWxsYS5jb20+iQFOBBMBCAA4FiEEthGi+fEdD/glaIBRGfm1 2uqR/4YFAl1oQaYCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQGfm12uqR /4Yc3QgA2WcMlCCUB4uyyvKq1a8ZTBli0YzIxT+KslL+PbOxfhoxglxPRClB0/l6 stG3RD0UXKq9cTe9f5nI96XJRqUzePfKtixSieirNTZswiHIYifYfg460gXYAIsV deztRGxEaMUVq6vajkA69yGbi2nExaQrPQAgcOoyEcGhsQVi5M3rbIGIJtK/K777 lAvWskMWjEL/VIQ3qHJapBwhtyK8pKiQ1U2ssvXSP15RouUU/8PdD6d82dLlLfBm eiyQCeJYQyR/geJAvhyBO+Jy+SS2RNCE6FGirACzRh3SSLpKAvieoMHqYzav8kMh zSMa5230SKpartbsgFu7t39zsc3t6LkBDQRdaEGmAQgA60kJghTuxvZaNjXCZBnj 0+z+NSnfhdPaGgdUStXDCbzsO2l/6kvlWMwwS3VuDwGjx1vLWt9KWxmL85+qLE2H FuRpH4sJFa+0HraY9SP1UxgO5ydommRKdLDw5iQIaJACMSsMAHHOQCJ9VuNE1gt8 gOb5J902gRahgIKpGrrmtI6x3Zmu1ryKrBH9Ln60kYvrU14ANPYtIvOwqCNxeU4C 9q1q4/b73RXg2Gri8alGb2HMIaeK6u7i5MlEOqkQof2FkmGg3nEw/6Cvcnf4jesJ ibKa69vC6n39ZJ0eRhmhr3tw3MP76Laayhqq8T+Ffog68A3Oe+i6+f7PyLe0oaHA uQARAQABiQE2BBgBCAAgFiEEthGi+fEdD/glaIBRGfm12uqR/4YFAl1oQaYCGwwA CgkQGfm12uqR/4b5lwgAmVCa0XYeco6Ec+Iz0CLBvNXDFH/KsP/ypWK5duzZRKeb D30cDwQHUFWH5WivGZ5nJ+Rs9zkD7a07omMTRmCsrjD4I3xDGMTU23l+gBSC5+9R B6bOi81ngH3OLaSbeh2t21PDEf57M94WFNlw2LVgMvZ6S4rs7I4FZgm75h4EGGuY It1l8SqNWcKDm9Kz/qG0lqeSGGFnQqmSBFH0Vb0hus/XErU2r3fQr1lDj0VKpOIO J0Ys9rmI6yEPTi+GhFr1bHKwZMinz5lcHnOl8xye48tsrOtHMGN17/B6hUUGzd+W TphrOfnfTO1YCkg1nEB5E2Raj/KV+ohqPvjE+KhE7Q== =gqhE -----END PGP PUBLIC KEY BLOCK----- 0707010000008C000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/publish0707010000008D000081A400000000000000000000000162794F93000004EC000000000000000000000000000000000000001A00000000sops-3.7.3/publish/gcs.gopackage publish import ( "context" "fmt" "cloud.google.com/go/storage" ) // GCSDestination represents the Google Cloud Storage destination type GCSDestination struct { gcsBucket string gcsPrefix string } // NewGCSDestination is the constructor for a Google Cloud Storage destination func NewGCSDestination(gcsBucket, gcsPrefix string) *GCSDestination { return &GCSDestination{gcsBucket, gcsPrefix} } // Path returns a the GCS path for a file within this GCS Destination func (gcsd *GCSDestination) Path(fileName string) string { return fmt.Sprintf("gcs://%s/%s%s", gcsd.gcsBucket, gcsd.gcsPrefix, fileName) } // Upload uploads contents to a file in GCS func (gcsd *GCSDestination) Upload(fileContents []byte, fileName string) error { ctx := context.Background() client, err := storage.NewClient(ctx) if err != nil { return err } wc := client.Bucket(gcsd.gcsBucket).Object(gcsd.gcsPrefix + fileName).NewWriter(ctx) defer wc.Close() _, err = wc.Write(fileContents) if err != nil { return err } return nil } // Returns NotImplementedError func (gcsd *GCSDestination) UploadUnencrypted(data map[string]interface{}, fileName string) error { return &NotImplementedError{"GCS does not support uploading the unencrypted file contents."} } 0707010000008E000081A400000000000000000000000162794F93000001E4000000000000000000000000000000000000001E00000000sops-3.7.3/publish/publish.gopackage publish import "fmt" // Destination represents actions which all destination types // must implement in order to be used by SOPS type Destination interface { Upload(fileContents []byte, fileName string) error UploadUnencrypted(data map[string]interface{}, fileName string) error Path(fileName string) string } type NotImplementedError struct { message string } func (e *NotImplementedError) Error() string { return fmt.Sprintf("NotImplementedError: %s", e.message) } 0707010000008F000081A400000000000000000000000162794F9300000557000000000000000000000000000000000000001900000000sops-3.7.3/publish/s3.gopackage publish import ( "bytes" "fmt" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/s3" ) // S3Destination is the AWS S3 implementation of the Destination interface type S3Destination struct { s3Bucket string s3Prefix string } // NewS3Destination is the constructor for an S3 Destination func NewS3Destination(s3Bucket, s3Prefix string) *S3Destination { return &S3Destination{s3Bucket, s3Prefix} } // Path returns the S3 path of a file in an S3 Destination (bucket) func (s3d *S3Destination) Path(fileName string) string { return fmt.Sprintf("s3://%s/%s%s", s3d.s3Bucket, s3d.s3Prefix, fileName) } // Upload uploads contents to a file in an S3 Destination (bucket) func (s3d *S3Destination) Upload(fileContents []byte, fileName string) error { sess := session.Must(session.NewSession()) svc := s3.New(sess) input := &s3.PutObjectInput{ Body: aws.ReadSeekCloser(bytes.NewReader(fileContents)), Bucket: aws.String(s3d.s3Bucket), Key: aws.String(s3d.s3Prefix + fileName), } _, err := svc.PutObject(input) if err != nil { return err } return nil } // Returns NotImplementedError func (s3d *S3Destination) UploadUnencrypted(data map[string]interface{}, fileName string) error { return &NotImplementedError{"S3 does not support uploading the unencrypted file contents."} } 07070100000090000081A400000000000000000000000162794F9300000A34000000000000000000000000000000000000001C00000000sops-3.7.3/publish/vault.gopackage publish import ( "fmt" "strings" "github.com/google/go-cmp/cmp" vault "github.com/hashicorp/vault/api" "go.mozilla.org/sops/v3/logging" "github.com/sirupsen/logrus" ) var log *logrus.Logger func init() { log = logging.NewLogger("PUBLISH") } type VaultDestination struct { vaultAddress string vaultPath string kvMountName string kvVersion int } func NewVaultDestination(vaultAddress, vaultPath, kvMountName string, kvVersion int) *VaultDestination { if !strings.HasSuffix(vaultPath, "/") { vaultPath = vaultPath + "/" } if kvMountName == "" { kvMountName = "secret/" } if !strings.HasSuffix(kvMountName, "/") { kvMountName = kvMountName + "/" } if kvVersion != 1 && kvVersion != 2 { kvVersion = 2 } return &VaultDestination{vaultAddress, vaultPath, kvMountName, kvVersion} } func (vaultd *VaultDestination) getAddress() string { if vaultd.vaultAddress != "" { return vaultd.vaultAddress } return vault.DefaultConfig().Address } func (vaultd *VaultDestination) Path(fileName string) string { return fmt.Sprintf("%s/v1/%s", vaultd.getAddress(), vaultd.secretsPath(fileName)) } func (vaultd *VaultDestination) secretsPath(fileName string) string { if vaultd.kvVersion == 1 { return fmt.Sprintf("%s%s%s", vaultd.kvMountName, vaultd.vaultPath, fileName) } return fmt.Sprintf("%sdata/%s%s", vaultd.kvMountName, vaultd.vaultPath, fileName) } // Returns NotImplementedError func (vaultd *VaultDestination) Upload(fileContents []byte, fileName string) error { return &NotImplementedError{"Vault does not support uploading encrypted sops files directly."} } func (vaultd *VaultDestination) UploadUnencrypted(data map[string]interface{}, fileName string) error { client, err := vault.NewClient(nil) if err != nil { return err } if vaultd.vaultAddress != "" { err = client.SetAddress(vaultd.vaultAddress) if err != nil { return err } } secretsPath := vaultd.secretsPath(fileName) existingSecret, err := client.Logical().Read(secretsPath) if err != nil { log.Warnf("Cannot check if destination secret already exists in %s. New version will be created even if the data has not been changed.", secretsPath) } if existingSecret != nil && cmp.Equal(data, existingSecret.Data["data"]) { log.Infof("Secret in %s is already up-to-date.\n", secretsPath) return nil } secretsData := make(map[string]interface{}) if vaultd.kvVersion == 1 { secretsData = data } else if vaultd.kvVersion == 2 { secretsData["data"] = data } _, err = client.Logical().Write(secretsPath, secretsData) if err != nil { return err } return nil } 07070100000091000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001200000000sops-3.7.3/shamir07070100000092000081A400000000000000000000000162794F9300003E31000000000000000000000000000000000000001A00000000sops-3.7.3/shamir/LICENSEMozilla Public License, version 2.0 1. Definitions 1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution. 1.3. "Contribution" means Covered Software of a particular Contributor. 1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 1.5. "Incompatible With Secondary Licenses" means a. that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or b. that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 1.6. "Executable Form" means any form of the work other than Source Code Form. 1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 1.8. "License" means this document. 1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 1.10. "Modifications" means any of the following: a. any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or b. any new file in Source Code Form that contains any Covered Software. 1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 1.13. "Source Code Form" means the form of the work preferred for making modifications. 1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions 2.1. Grants Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license: a. under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and b. under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2.2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 2.3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor: a. for any code that a Contributor has removed from Covered Software; or b. for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or c. under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 2.5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 2.6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 2.7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. 3. Responsibilities 3.1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. 3.2. Distribution of Executable Form If You distribute Covered Software in Executable Form then: a. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and b. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. 3.3. Distribution of a Larger Work You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 3.4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. 6. Disclaimer of Warranty Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer. 7. Limitation of Liability Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You. 8. Litigation Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. 9. Miscellaneous This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License 10.1. New Versions Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. 10.2. Effect of New Versions You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. 10.3. Modified Versions If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. You may add additional accurate notices of copyright ownership. Exhibit B - "Incompatible With Secondary Licenses" Notice This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0. 07070100000093000081A400000000000000000000000162794F9300001685000000000000000000000000000000000000001C00000000sops-3.7.3/shamir/README.mdForked from [Vault](https://github.com/hashicorp/vault/tree/master/shamir) ## How it works We want to split a secret into parts. Any two points on the cartesian plane define a line. Three points define a parabola. Four points define a cubic curve, and so on. In general, `n` points define an function of degree `(n - 1)`. If our secret was somehow an function of degree `(n - 1)`, we could just compute `n` different points of that function and give `n` different people one point each. In order to recover the secret, then we'd need all the `n` points. If we wanted to, we could compute more than n points, but even then still only `n` points out of our whole set of computed points would be required to recover the function. A concrete example: our secret is the function `y = 2x + 1`. This function is of degree 1, so we need at least 2 points to define it. For example, let's set `x = 1`, `x = 2` and `x = 3`. From this follows that `y = 3`, `y = 5` and `y = 7`, respectively. Now, with the information that our secret is of degree 1, we can use any 2 of the 3 points we computed to recover our original function. For example, let's use the points `x = 1; y = 3` and `x = 2; y = 5`. We know that first degree functions are lines, defined by their slope and their intersection point with the y axis. We can easily compute the slope given our two points: it's the change in `y` divided by the change in `x`: `(5 - 3)/(2 - 1) = 2`. Now, knowing the slope we can compute the intersection point with the `y` axis by "working our way back". We know that at `x = 1`, `y` equals `3`, so naturally because the slope is `2`, at `x = 0`, `y` must be `1`. ## Lagrange interpolation The method we've used for this isn't very general: it only works for polynomials of degree 1. Lagrange interpolation is a more general way that lets us obtain the function of degree `(n - 1)` that passes through `n` arbitrary points. Understanding how to perform Lagrange interpolation isn't really necessary to understand Shamir's Secret Sharing: it's enough to know that there's only one function of degree `(n - 1)` that passes through `n` given points and that computing this function given the points is computationally efficient. But for those interested, here's an explanation: Let's say our points are `(x_0, y_0),...,(x_j, y_j),...,(x_(n-1), y_(n-1))`. Then, the Lagrange polynomial `L(x)`, the polynomial we're looking for, is defined as follows: `L(x) = sum from j=0 to j=(n-1) of {y_j * l_j(x)}` and `l_j(x) = product from m=0 to m=(n-1) except when m=j of {(x - x_m)/(x_j - x_m)}` A concrete example, with 3 points: ``` x_0 = 1 y_0 = 1 x_1 = 2 y_1 = 4 x_2 = 3 y_2 = 9 ``` Let's apply the formula: ``` L(x) = y_0 * l_0(x) + y_1 * l_1(x) + y_2 * l_2(x) ``` Substitute `y_j` for the actual value: ``` L(x) = 1 * l_0(x) + 4 * l_1(x) + 9 * l_2(x) ``` Replace `l_j(x)`: ``` l_0(x) = (x - 2)/(1 - 2) * (x - 3)/(1 - 3) = 0.5x^2 - 2.5x + 3 l_1(x) = (x - 1)/(2 - 1) * (x - 3)/(2 - 3) = - x^2 + 4x - 3 l_2(x) = (x - 1)/(3 - 1) * (x - 2)/(3 - 2) = 0.5x^2 - 1.5x + 1 ``` ``` L(x) = 1 * ( 0.5x^2 - 2.5x + 3) + 4 * ( -x^2 + 4x - 3) + 9 * ( 0.5x^2 - 1.5x + 1) ``` ``` L(x) = ( 0.5x^2 - 2.5x + 3) + ( -4x^2 + 16x - 12) + ( 4.5x^2 - 13.5x + 9) = x^2 + 0x + 0 = x^2 ``` So the polynomial we were looking for is `y = x^2`. ## Splitting a secret So we have the ability of splitting a function into parts, but in the context of computing we generally want to split a number, not a function. For this, let's define a function of degree `threshold`. `threshold` is the amount of parts we want to require in order to recover the secret. Let's set the parameter of degree zero to our secret `S` and make the rest of the parameters random: `y = ax^(threshold) + bx^(threshold-1) + ... + zx^1 + S` With `a, b, ...` random. Then, we want to generate our parts. For this, we evaluate our function at as many points as we want parts. For example, say our secret is 123, we want 5 parts and a threshold of 2. Because the threshold is 2, we're going to need a polynomial of degree 2: `y = ax^2 + bx + 123` We randomly set `a = 7` and `b = 1`: `y = 7x^2 + x + 123` Because we want 5 parts, we need to compute 5 points: ``` x = 0 -> y = 123 # woops! This is the secret itself. Let's not use that one. x = 1 -> y = 131 x = 2 -> y = 153 x = 3 -> y = 189 x = 4 -> y = 239 x = 5 -> y = 303 ``` And that's it. Each of the computed points is one part of the secret. ## Combining a secret Now that we have our parts, we have to define a way to recover them. Using the example from the previous section, we only need any two points out of the five we created to recover the secret, because we set the threshold to two. So with any two of the five points we created, we can recover the original polynomial, and because the secret is the free term in the polynomial, we can recover the secret. ## Finite fields In the previous examples we've only used integers, and this unfortunately has a flaw. First of all, it's impossible to uniformly sample integers to get random coefficients for our generated polynomial. Additionally, if we don't operate in a finite field, information about the secret is leaked for every part someone recovers. For these reasons, Vault's implementation of Shamir's Secret Sharing uses finite field arithmetic, specifically in GF(2^8), with 229 as the generator. GF(2^8) has 256 elements, so using this we can only split one byte at a time. This is not a problem, though, as we can just split each byte in our secret independently. This implementation uses tables to speed up the execution of finite field arithmetic. 07070100000094000081A400000000000000000000000162794F93000020C6000000000000000000000000000000000000001C00000000sops-3.7.3/shamir/shamir.gopackage shamir // Some comments in this file were written by @autrilla // The code was written by HashiCorp as part of Vault. // This implementation of Shamir's Secret Sharing matches the definition // of the scheme. Other tools used, such as GF(2^8) arithmetic, Lagrange // interpolation and Horner's method also match their definitions and should // therefore be correct. // More information about Shamir's Secret Sharing and Lagrange interpolation // can be found in README.md import ( "crypto/rand" "crypto/subtle" "fmt" mathrand "math/rand" "time" ) const ( // ShareOverhead is the byte size overhead of each share // when using Split on a secret. This is caused by appending // a one byte tag to the share. ShareOverhead = 1 ) // polynomial represents a polynomial of arbitrary degree type polynomial struct { coefficients []uint8 } // makePolynomial constructs a random polynomial of the given // degree but with the provided intercept value. func makePolynomial(intercept, degree uint8) (polynomial, error) { // Create a wrapper p := polynomial{ coefficients: make([]byte, degree+1), } // Ensure the intercept is set p.coefficients[0] = intercept // Assign random co-efficients to the polynomial if _, err := rand.Read(p.coefficients[1:]); err != nil { return p, err } return p, nil } // evaluate returns the value of the polynomial for the given x // Uses Horner's method <https://en.wikipedia.org/wiki/Horner%27s_method> to // evaluate the polynomial at point x func (p *polynomial) evaluate(x uint8) uint8 { // Special case the origin if x == 0 { return p.coefficients[0] } // Compute the polynomial value using Horner's method. degree := len(p.coefficients) - 1 out := p.coefficients[degree] for i := degree - 1; i >= 0; i-- { coeff := p.coefficients[i] out = add(mult(out, x), coeff) } return out } // interpolatePolynomial takes N sample points and returns // the value at a given x using a lagrange interpolation. // An implementation of Lagrange interpolation // <https://en.wikipedia.org/wiki/Lagrange_polynomial> // For this particular implementation, x is always 0 func interpolatePolynomial(xSamples, ySamples []uint8, x uint8) uint8 { limit := len(xSamples) var result, basis uint8 for i := 0; i < limit; i++ { basis = 1 for j := 0; j < limit; j++ { if i == j { continue } num := add(x, xSamples[j]) denom := add(xSamples[i], xSamples[j]) term := div(num, denom) basis = mult(basis, term) } group := mult(ySamples[i], basis) result = add(result, group) } return result } // div divides two numbers in GF(2^8) // GF(2^8) division using log/exp tables func div(a, b uint8) uint8 { if b == 0 { // leaks some timing information but we don't care anyways as this // should never happen, hence the panic panic("divide by zero") } var goodVal, zero uint8 logA := logTable[a] logB := logTable[b] diff := (int(logA) - int(logB)) % 255 if diff < 0 { diff += 255 } ret := expTable[diff] // Ensure we return zero if a is zero but aren't subject to timing attacks goodVal = ret if subtle.ConstantTimeByteEq(a, 0) == 1 { ret = zero } else { ret = goodVal } return ret } // mult multiplies two numbers in GF(2^8) // GF(2^8) multiplication using log/exp tables func mult(a, b uint8) (out uint8) { var goodVal, zero uint8 log_a := logTable[a] log_b := logTable[b] sum := (int(log_a) + int(log_b)) % 255 ret := expTable[sum] // Ensure we return zero if either a or b are zero but aren't subject to // timing attacks goodVal = ret if subtle.ConstantTimeByteEq(a, 0) == 1 { ret = zero } else { ret = goodVal } if subtle.ConstantTimeByteEq(b, 0) == 1 { ret = zero } else { // This operation does not do anything logically useful. It // only ensures a constant number of assignments to thwart // timing attacks. goodVal = zero } return ret } // add combines two numbers in GF(2^8) // This can also be used for subtraction since it is symmetric. func add(a, b uint8) uint8 { return a ^ b } // Split takes an arbitrarily long secret and generates a `parts` // number of shares, `threshold` of which are required to reconstruct // the secret. The parts and threshold must be at least 2, and less // than 256. The returned shares are each one byte longer than the secret // as they attach a tag used to reconstruct the secret. func Split(secret []byte, parts, threshold int) ([][]byte, error) { // Sanity check the input if parts < threshold { return nil, fmt.Errorf("parts cannot be less than threshold") } if parts > 255 { return nil, fmt.Errorf("parts cannot exceed 255") } if threshold < 2 { return nil, fmt.Errorf("threshold must be at least 2") } if threshold > 255 { return nil, fmt.Errorf("threshold cannot exceed 255") } if len(secret) == 0 { return nil, fmt.Errorf("cannot split an empty secret") } // Generate random x coordinates for computing points. I don't know // why random x coordinates are used, and I also don't know why // a non-cryptographically secure source of randomness is used. // As far as I know the x coordinates do not need to be random. mathrand.Seed(time.Now().UnixNano()) xCoordinates := mathrand.Perm(255) // Allocate the output array, initialize the final byte // of the output with the offset. The representation of each // output is {y1, y2, .., yN, x}. out := make([][]byte, parts) for idx := range out { // Store the x coordinate for each part as its last byte // Add 1 to the xCoordinate because if the x coordinate is 0, // then the result of evaluating the polynomial at that point // will be our secret out[idx] = make([]byte, len(secret)+1) out[idx][len(secret)] = uint8(xCoordinates[idx]) + 1 } // Construct a random polynomial for each byte of the secret. // Because we are using a field of size 256, we can only represent // a single byte as the intercept of the polynomial, so we must // use a new polynomial for each byte. for idx, val := range secret { // Create a random polynomial for each point. // This polynomial crosses the y axis at `val`. p, err := makePolynomial(val, uint8(threshold-1)) if err != nil { return nil, fmt.Errorf("failed to generate polynomial: %w", err) } // Generate a `parts` number of (x,y) pairs // We cheat by encoding the x value once as the final index, // so that it only needs to be stored once. for i := 0; i < parts; i++ { // Add 1 to the xCoordinate because if it's 0, // then the result of p.evaluate(x) will be our secret x := uint8(xCoordinates[i]) + 1 // Evaluate the polynomial at x y := p.evaluate(x) out[i][idx] = y } } // Return the encoded secrets return out, nil } // Combine is used to reverse a Split and reconstruct a secret // once a `threshold` number of parts are available. func Combine(parts [][]byte) ([]byte, error) { // Verify enough parts provided if len(parts) < 2 { return nil, fmt.Errorf("less than two parts cannot be used to reconstruct the secret") } // Verify the parts are all the same length firstPartLen := len(parts[0]) if firstPartLen < 2 { return nil, fmt.Errorf("parts must be at least two bytes") } for i := 1; i < len(parts); i++ { if len(parts[i]) != firstPartLen { return nil, fmt.Errorf("all parts must be the same length") } } // Create a buffer to store the reconstructed secret secret := make([]byte, firstPartLen-1) // Buffer to store the samples xSamples := make([]uint8, len(parts)) ySamples := make([]uint8, len(parts)) // Set the x value for each sample and ensure no x_sample values are the same, // otherwise div() can be unhappy // Check that we don't have any duplicate parts, that is, two or // more parts with the same x coordinate. checkMap := map[byte]bool{} for i, part := range parts { samp := part[firstPartLen-1] if exists := checkMap[samp]; exists { return nil, fmt.Errorf("duplicate part detected") } checkMap[samp] = true xSamples[i] = samp } // Reconstruct each byte for idx := range secret { // Set the y value for each sample for i, part := range parts { ySamples[i] = part[idx] } // Use Lagrange interpolation to retrieve the free term // of the original polynomial val := interpolatePolynomial(xSamples, ySamples, 0) // Evaluate the 0th value to get the intercept secret[idx] = val } return secret, nil } 07070100000095000081A400000000000000000000000162794F9300000E01000000000000000000000000000000000000002100000000sops-3.7.3/shamir/shamir_test.gopackage shamir import ( "bytes" "testing" ) func TestSplit_invalid(t *testing.T) { secret := []byte("test") if _, err := Split(secret, 0, 0); err == nil { t.Fatalf("expect error") } if _, err := Split(secret, 2, 3); err == nil { t.Fatalf("expect error") } if _, err := Split(secret, 1000, 3); err == nil { t.Fatalf("expect error") } if _, err := Split(secret, 10, 1); err == nil { t.Fatalf("expect error") } if _, err := Split(nil, 3, 2); err == nil { t.Fatalf("expect error") } } func TestSplit(t *testing.T) { secret := []byte("test") out, err := Split(secret, 5, 3) if err != nil { t.Fatalf("err: %v", err) } if len(out) != 5 { t.Fatalf("bad: %v", out) } for _, share := range out { if len(share) != len(secret)+1 { t.Fatalf("bad: %v", out) } } } func TestCombine_invalid(t *testing.T) { // Not enough parts if _, err := Combine(nil); err == nil { t.Fatalf("should err") } // Mis-match in length parts := [][]byte{ []byte("foo"), []byte("ba"), } if _, err := Combine(parts); err == nil { t.Fatalf("should err") } //Too short parts = [][]byte{ []byte("f"), []byte("b"), } if _, err := Combine(parts); err == nil { t.Fatalf("should err") } parts = [][]byte{ []byte("foo"), []byte("foo"), } if _, err := Combine(parts); err == nil { t.Fatalf("should err") } } func TestCombine(t *testing.T) { secret := []byte("test") out, err := Split(secret, 5, 3) if err != nil { t.Fatalf("err: %v", err) } // There is 5*4*3 possible choices, // we will just brute force try them all for i := 0; i < 5; i++ { for j := 0; j < 5; j++ { if j == i { continue } for k := 0; k < 5; k++ { if k == i || k == j { continue } parts := [][]byte{out[i], out[j], out[k]} recomb, err := Combine(parts) if err != nil { t.Fatalf("err: %v", err) } if !bytes.Equal(recomb, secret) { t.Errorf("parts: (i:%d, j:%d, k:%d) %v", i, j, k, parts) t.Fatalf("bad: %v %v", recomb, secret) } } } } } func TestField_Add(t *testing.T) { if out := add(16, 16); out != 0 { t.Fatalf("Bad: %v 16", out) } if out := add(3, 4); out != 7 { t.Fatalf("Bad: %v 7", out) } } func TestField_Mult(t *testing.T) { if out := mult(3, 7); out != 9 { t.Fatalf("Bad: %v 9", out) } if out := mult(3, 0); out != 0 { t.Fatalf("Bad: %v 0", out) } if out := mult(0, 3); out != 0 { t.Fatalf("Bad: %v 0", out) } } func TestField_Divide(t *testing.T) { if out := div(0, 7); out != 0 { t.Fatalf("Bad: %v 0", out) } if out := div(3, 3); out != 1 { t.Fatalf("Bad: %v 1", out) } if out := div(6, 3); out != 2 { t.Fatalf("Bad: %v 2", out) } } func TestPolynomial_Random(t *testing.T) { p, err := makePolynomial(42, 2) if err != nil { t.Fatalf("err: %v", err) } if p.coefficients[0] != 42 { t.Fatalf("bad: %v", p.coefficients) } } func TestPolynomial_Eval(t *testing.T) { p, err := makePolynomial(42, 1) if err != nil { t.Fatalf("err: %v", err) } if out := p.evaluate(0); out != 42 { t.Fatalf("bad: %v", out) } out := p.evaluate(1) exp := add(42, mult(1, p.coefficients[1])) if out != exp { t.Fatalf("bad: %v %v %v", out, exp, p.coefficients) } } func TestInterpolate_Rand(t *testing.T) { for i := 0; i < 256; i++ { p, err := makePolynomial(uint8(i), 2) if err != nil { t.Fatalf("err: %v", err) } xVals := []uint8{1, 2, 3} yVals := []uint8{p.evaluate(1), p.evaluate(2), p.evaluate(3)} out := interpolatePolynomial(xVals, yVals, 0) if out != uint8(i) { t.Fatalf("Bad: %v %d", out, i) } } } 07070100000096000081A400000000000000000000000162794F9300000DB9000000000000000000000000000000000000001C00000000sops-3.7.3/shamir/tables.gopackage shamir // Tables taken from http://www.samiam.org/galois.html // They use 0xe5 (229) as the generator var ( // logTable provides the log(X)/log(g) at each index X logTable = [256]uint8{ 0x00, 0xff, 0xc8, 0x08, 0x91, 0x10, 0xd0, 0x36, 0x5a, 0x3e, 0xd8, 0x43, 0x99, 0x77, 0xfe, 0x18, 0x23, 0x20, 0x07, 0x70, 0xa1, 0x6c, 0x0c, 0x7f, 0x62, 0x8b, 0x40, 0x46, 0xc7, 0x4b, 0xe0, 0x0e, 0xeb, 0x16, 0xe8, 0xad, 0xcf, 0xcd, 0x39, 0x53, 0x6a, 0x27, 0x35, 0x93, 0xd4, 0x4e, 0x48, 0xc3, 0x2b, 0x79, 0x54, 0x28, 0x09, 0x78, 0x0f, 0x21, 0x90, 0x87, 0x14, 0x2a, 0xa9, 0x9c, 0xd6, 0x74, 0xb4, 0x7c, 0xde, 0xed, 0xb1, 0x86, 0x76, 0xa4, 0x98, 0xe2, 0x96, 0x8f, 0x02, 0x32, 0x1c, 0xc1, 0x33, 0xee, 0xef, 0x81, 0xfd, 0x30, 0x5c, 0x13, 0x9d, 0x29, 0x17, 0xc4, 0x11, 0x44, 0x8c, 0x80, 0xf3, 0x73, 0x42, 0x1e, 0x1d, 0xb5, 0xf0, 0x12, 0xd1, 0x5b, 0x41, 0xa2, 0xd7, 0x2c, 0xe9, 0xd5, 0x59, 0xcb, 0x50, 0xa8, 0xdc, 0xfc, 0xf2, 0x56, 0x72, 0xa6, 0x65, 0x2f, 0x9f, 0x9b, 0x3d, 0xba, 0x7d, 0xc2, 0x45, 0x82, 0xa7, 0x57, 0xb6, 0xa3, 0x7a, 0x75, 0x4f, 0xae, 0x3f, 0x37, 0x6d, 0x47, 0x61, 0xbe, 0xab, 0xd3, 0x5f, 0xb0, 0x58, 0xaf, 0xca, 0x5e, 0xfa, 0x85, 0xe4, 0x4d, 0x8a, 0x05, 0xfb, 0x60, 0xb7, 0x7b, 0xb8, 0x26, 0x4a, 0x67, 0xc6, 0x1a, 0xf8, 0x69, 0x25, 0xb3, 0xdb, 0xbd, 0x66, 0xdd, 0xf1, 0xd2, 0xdf, 0x03, 0x8d, 0x34, 0xd9, 0x92, 0x0d, 0x63, 0x55, 0xaa, 0x49, 0xec, 0xbc, 0x95, 0x3c, 0x84, 0x0b, 0xf5, 0xe6, 0xe7, 0xe5, 0xac, 0x7e, 0x6e, 0xb9, 0xf9, 0xda, 0x8e, 0x9a, 0xc9, 0x24, 0xe1, 0x0a, 0x15, 0x6b, 0x3a, 0xa0, 0x51, 0xf4, 0xea, 0xb2, 0x97, 0x9e, 0x5d, 0x22, 0x88, 0x94, 0xce, 0x19, 0x01, 0x71, 0x4c, 0xa5, 0xe3, 0xc5, 0x31, 0xbb, 0xcc, 0x1f, 0x2d, 0x3b, 0x52, 0x6f, 0xf6, 0x2e, 0x89, 0xf7, 0xc0, 0x68, 0x1b, 0x64, 0x04, 0x06, 0xbf, 0x83, 0x38} // expTable provides the anti-log or exponentiation value // for the equivalent index expTable = [256]uint8{ 0x01, 0xe5, 0x4c, 0xb5, 0xfb, 0x9f, 0xfc, 0x12, 0x03, 0x34, 0xd4, 0xc4, 0x16, 0xba, 0x1f, 0x36, 0x05, 0x5c, 0x67, 0x57, 0x3a, 0xd5, 0x21, 0x5a, 0x0f, 0xe4, 0xa9, 0xf9, 0x4e, 0x64, 0x63, 0xee, 0x11, 0x37, 0xe0, 0x10, 0xd2, 0xac, 0xa5, 0x29, 0x33, 0x59, 0x3b, 0x30, 0x6d, 0xef, 0xf4, 0x7b, 0x55, 0xeb, 0x4d, 0x50, 0xb7, 0x2a, 0x07, 0x8d, 0xff, 0x26, 0xd7, 0xf0, 0xc2, 0x7e, 0x09, 0x8c, 0x1a, 0x6a, 0x62, 0x0b, 0x5d, 0x82, 0x1b, 0x8f, 0x2e, 0xbe, 0xa6, 0x1d, 0xe7, 0x9d, 0x2d, 0x8a, 0x72, 0xd9, 0xf1, 0x27, 0x32, 0xbc, 0x77, 0x85, 0x96, 0x70, 0x08, 0x69, 0x56, 0xdf, 0x99, 0x94, 0xa1, 0x90, 0x18, 0xbb, 0xfa, 0x7a, 0xb0, 0xa7, 0xf8, 0xab, 0x28, 0xd6, 0x15, 0x8e, 0xcb, 0xf2, 0x13, 0xe6, 0x78, 0x61, 0x3f, 0x89, 0x46, 0x0d, 0x35, 0x31, 0x88, 0xa3, 0x41, 0x80, 0xca, 0x17, 0x5f, 0x53, 0x83, 0xfe, 0xc3, 0x9b, 0x45, 0x39, 0xe1, 0xf5, 0x9e, 0x19, 0x5e, 0xb6, 0xcf, 0x4b, 0x38, 0x04, 0xb9, 0x2b, 0xe2, 0xc1, 0x4a, 0xdd, 0x48, 0x0c, 0xd0, 0x7d, 0x3d, 0x58, 0xde, 0x7c, 0xd8, 0x14, 0x6b, 0x87, 0x47, 0xe8, 0x79, 0x84, 0x73, 0x3c, 0xbd, 0x92, 0xc9, 0x23, 0x8b, 0x97, 0x95, 0x44, 0xdc, 0xad, 0x40, 0x65, 0x86, 0xa2, 0xa4, 0xcc, 0x7f, 0xec, 0xc0, 0xaf, 0x91, 0xfd, 0xf7, 0x4f, 0x81, 0x2f, 0x5b, 0xea, 0xa8, 0x1c, 0x02, 0xd1, 0x98, 0x71, 0xed, 0x25, 0xe3, 0x24, 0x06, 0x68, 0xb3, 0x93, 0x2c, 0x6f, 0x3e, 0x6c, 0x0a, 0xb8, 0xce, 0xae, 0x74, 0xb1, 0x42, 0xb4, 0x1e, 0xd3, 0x49, 0xe9, 0x9c, 0xc8, 0xc6, 0xc7, 0x22, 0x6e, 0xdb, 0x20, 0xbf, 0x43, 0x51, 0x52, 0x66, 0xb2, 0x76, 0x60, 0xda, 0xc5, 0xf3, 0xf6, 0xaa, 0xcd, 0x9a, 0xa0, 0x75, 0x54, 0x0e, 0x01} ) 07070100000097000081A400000000000000000000000162794F93000000E4000000000000000000000000000000000000002100000000sops-3.7.3/shamir/tables_test.gopackage shamir import "testing" func TestTables(t *testing.T) { for i := 1; i < 256; i++ { logV := logTable[i] expV := expTable[logV] if expV != uint8(i) { t.Fatalf("bad: %d log: %d exp: %d", i, logV, expV) } } } 07070100000098000081A400000000000000000000000162794F9300005E78000000000000000000000000000000000000001300000000sops-3.7.3/sops.go/* Package sops manages JSON, YAML and BINARY documents to be encrypted or decrypted. This package should not be used directly. Instead, Sops users should install the command line client via `go get -u go.mozilla.org/sops/v3/cmd/sops`, or use the decryption helper provided at `go.mozilla.org/sops/v3/decrypt`. We do not guarantee API stability for any package other than `go.mozilla.org/sops/v3/decrypt`. A Sops document is a Tree composed of a data branch with arbitrary key/value pairs and a metadata branch with encryption and integrity information. In JSON and YAML formats, the structure of the cleartext tree is preserved, keys are stored in cleartext and only values are encrypted. Keeping the values in cleartext provides better readability when storing Sops documents in version controls, and allows for merging competing changes on documents. This is a major difference between Sops and other encryption tools that store documents as encrypted blobs. In BINARY format, the cleartext data is treated as a single blob and the encrypted document is in JSON format with a single `data` key and a single encrypted value. Sops allows operators to encrypt their documents with multiple master keys. Each of the master key defined in the document is able to decrypt it, allowing users to share documents amongst themselves without sharing keys, or using a PGP key as a backup for KMS. In practice, this is achieved by generating a data key for each document that is used to encrypt all values, and encrypting the data with each master key defined. Being able to decrypt the data key gives access to the document. The integrity of each document is guaranteed by calculating a Message Authentication Code (MAC) that is stored encrypted by the data key. When decrypting a document, the MAC should be recalculated and compared with the MAC stored in the document to verify that no fraudulent changes have been applied. The MAC covers keys and values as well as their ordering. */ package sops //import "go.mozilla.org/sops/v3" import ( "crypto/rand" "crypto/sha512" "fmt" "reflect" "regexp" "strconv" "strings" "time" "github.com/sirupsen/logrus" "go.mozilla.org/sops/v3/audit" "go.mozilla.org/sops/v3/keys" "go.mozilla.org/sops/v3/keyservice" "go.mozilla.org/sops/v3/logging" "go.mozilla.org/sops/v3/shamir" "golang.org/x/net/context" ) // DefaultUnencryptedSuffix is the default suffix a TreeItem key has to end with for sops to leave its Value unencrypted const DefaultUnencryptedSuffix = "_unencrypted" type sopsError string func (e sopsError) Error() string { return string(e) } // MacMismatch occurs when the computed MAC does not match the expected ones const MacMismatch = sopsError("MAC mismatch") // MetadataNotFound occurs when the input file is malformed and doesn't have sops metadata in it const MetadataNotFound = sopsError("sops metadata not found") var log *logrus.Logger func init() { log = logging.NewLogger("SOPS") } // Cipher provides a way to encrypt and decrypt the data key used to encrypt and decrypt sops files, so that the // data key can be stored alongside the encrypted content. A Cipher must be able to decrypt the values it encrypts. type Cipher interface { // Encrypt takes a plaintext, a key and additional data and returns the plaintext encrypted with the key, using the // additional data for authentication Encrypt(plaintext interface{}, key []byte, additionalData string) (ciphertext string, err error) // Encrypt takes a ciphertext, a key and additional data and returns the ciphertext encrypted with the key, using // the additional data for authentication Decrypt(ciphertext string, key []byte, additionalData string) (plaintext interface{}, err error) } // Comment represents a comment in the sops tree for the file formats that actually support them. type Comment struct { Value string } // TreeItem is an item inside sops's tree type TreeItem struct { Key interface{} Value interface{} } // TreeBranch is a branch inside sops's tree. It is a slice of TreeItems and is therefore ordered type TreeBranch []TreeItem // TreeBranches is a collection of TreeBranch // Trees usually have more than one branch type TreeBranches []TreeBranch func valueFromPathAndLeaf(path []interface{}, leaf interface{}) interface{} { switch component := path[0].(type) { case int: if len(path) == 1 { return []interface{}{ leaf, } } return []interface{}{ valueFromPathAndLeaf(path[1:], leaf), } default: if len(path) == 1 { return TreeBranch{ TreeItem{ Key: component, Value: leaf, }, } } return TreeBranch{ TreeItem{ Key: component, Value: valueFromPathAndLeaf(path[1:], leaf), }, } } } func set(branch interface{}, path []interface{}, value interface{}) interface{} { switch branch := branch.(type) { case TreeBranch: for i, item := range branch { if item.Key == path[0] { if len(path) == 1 { branch[i].Value = value } else { branch[i].Value = set(item.Value, path[1:], value) } return branch } } // Not found, need to add the next path entry to the branch if len(path) == 1 { return append(branch, TreeItem{Key: path[0], Value: value}) } return valueFromPathAndLeaf(path, value) case []interface{}: position := path[0].(int) if len(path) == 1 { if position >= len(branch) { return append(branch, value) } branch[position] = value } else { if position >= len(branch) { branch = append(branch, valueFromPathAndLeaf(path[1:], value)) } branch[position] = set(branch[position], path[1:], value) } return branch default: return valueFromPathAndLeaf(path, value) } } // Set sets a value on a given tree for the specified path func (branch TreeBranch) Set(path []interface{}, value interface{}) TreeBranch { return set(branch, path, value).(TreeBranch) } // Tree is the data structure used by sops to represent documents internally type Tree struct { Metadata Metadata Branches TreeBranches // FilePath is the path of the file this struct represents FilePath string } // Truncate truncates the tree to the path specified func (branch TreeBranch) Truncate(path []interface{}) (interface{}, error) { log.WithField("path", path).Info("Truncating tree") var current interface{} = branch for _, component := range path { switch component := component.(type) { case string: found := false for _, item := range current.(TreeBranch) { if item.Key == component { current = item.Value found = true break } } if !found { return nil, fmt.Errorf("component ['%s'] not found", component) } case int: if reflect.ValueOf(current).Kind() != reflect.Slice { return nil, fmt.Errorf("component [%d] is integer, but tree part is not a slice", component) } if reflect.ValueOf(current).Len() <= component { return nil, fmt.Errorf("component [%d] accesses out of bounds", component) } current = reflect.ValueOf(current).Index(component).Interface() } } return current, nil } func (branch TreeBranch) walkValue(in interface{}, path []string, onLeaves func(in interface{}, path []string) (interface{}, error)) (interface{}, error) { switch in := in.(type) { case string: return onLeaves(in, path) case []byte: return onLeaves(string(in), path) case int: return onLeaves(in, path) case bool: return onLeaves(in, path) case float64: return onLeaves(in, path) case Comment: return onLeaves(in, path) case TreeBranch: return branch.walkBranch(in, path, onLeaves) case []interface{}: return branch.walkSlice(in, path, onLeaves) case nil: // the value returned remains the same since it doesn't make // sense to encrypt or decrypt a nil value return nil, nil default: return nil, fmt.Errorf("Cannot walk value, unknown type: %T", in) } } func (branch TreeBranch) walkSlice(in []interface{}, path []string, onLeaves func(in interface{}, path []string) (interface{}, error)) ([]interface{}, error) { for i, v := range in { newV, err := branch.walkValue(v, path, onLeaves) if err != nil { return nil, err } in[i] = newV } return in, nil } func (branch TreeBranch) walkBranch(in TreeBranch, path []string, onLeaves func(in interface{}, path []string) (interface{}, error)) (TreeBranch, error) { for i, item := range in { if _, ok := item.Key.(Comment); ok { enc, err := branch.walkValue(item.Key, path, onLeaves) if err != nil { return nil, err } if encComment, ok := enc.(Comment); ok { in[i].Key = encComment continue } else if comment, ok := enc.(string); ok { in[i].Key = Comment{Value: comment} continue } else { return nil, fmt.Errorf("walkValue of Comment should be either Comment or string, was %T", enc) } } key, ok := item.Key.(string) if !ok { return nil, fmt.Errorf("Tree contains a non-string key (type %T): %s. Only string keys are"+ "supported", item.Key, item.Key) } newV, err := branch.walkValue(item.Value, append(path, key), onLeaves) if err != nil { return nil, err } in[i].Value = newV } return in, nil } // Encrypt walks over the tree and encrypts all values with the provided cipher, // except those whose key ends with the UnencryptedSuffix specified on the // Metadata struct, those not ending with EncryptedSuffix, if EncryptedSuffix // is provided (by default it is not), those not matching EncryptedRegex, // if EncryptedRegex is provided (by default it is not) or those matching // UnencryptedRegex, if UnencryptedRegex is provided (by default it is not). // If encryption is successful, it returns the MAC for the encrypted tree. func (tree Tree) Encrypt(key []byte, cipher Cipher) (string, error) { audit.SubmitEvent(audit.EncryptEvent{ File: tree.FilePath, }) hash := sha512.New() walk := func(branch TreeBranch) error { _, err := branch.walkBranch(branch, make([]string, 0), func(in interface{}, path []string) (interface{}, error) { // Only add to MAC if not a comment if _, ok := in.(Comment); !ok { bytes, err := ToBytes(in) if err != nil { return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) } hash.Write(bytes) } encrypted := true if tree.Metadata.UnencryptedSuffix != "" { for _, v := range path { if strings.HasSuffix(v, tree.Metadata.UnencryptedSuffix) { encrypted = false break } } } if tree.Metadata.EncryptedSuffix != "" { encrypted = false for _, v := range path { if strings.HasSuffix(v, tree.Metadata.EncryptedSuffix) { encrypted = true break } } } if tree.Metadata.UnencryptedRegex != "" { for _, p := range path { matched, _ := regexp.Match(tree.Metadata.UnencryptedRegex, []byte(p)) if matched { encrypted = false break } } } if tree.Metadata.EncryptedRegex != "" { encrypted = false for _, p := range path { matched, _ := regexp.Match(tree.Metadata.EncryptedRegex, []byte(p)) if matched { encrypted = true break } } } if encrypted { var err error pathString := strings.Join(path, ":") + ":" in, err = cipher.Encrypt(in, key, pathString) if err != nil { return nil, fmt.Errorf("Could not encrypt value: %s", err) } } return in, nil }) return err } for _, branch := range tree.Branches { err := walk(branch) if err != nil { return "", fmt.Errorf("Error walking tree: %s", err) } } return fmt.Sprintf("%X", hash.Sum(nil)), nil } // Decrypt walks over the tree and decrypts all values with the provided cipher, // except those whose key ends with the UnencryptedSuffix specified on the Metadata struct, // those not ending with EncryptedSuffix, if EncryptedSuffix is provided (by default it is not), // those not matching EncryptedRegex, if EncryptedRegex is provided (by default it is not), // or those matching UnencryptedRegex, if UnencryptedRegex is provided (by default it is not). // If decryption is successful, it returns the MAC for the decrypted tree. func (tree Tree) Decrypt(key []byte, cipher Cipher) (string, error) { log.Debug("Decrypting tree") audit.SubmitEvent(audit.DecryptEvent{ File: tree.FilePath, }) hash := sha512.New() walk := func(branch TreeBranch) error { _, err := branch.walkBranch(branch, make([]string, 0), func(in interface{}, path []string) (interface{}, error) { encrypted := true if tree.Metadata.UnencryptedSuffix != "" { for _, p := range path { if strings.HasSuffix(p, tree.Metadata.UnencryptedSuffix) { encrypted = false break } } } if tree.Metadata.EncryptedSuffix != "" { encrypted = false for _, p := range path { if strings.HasSuffix(p, tree.Metadata.EncryptedSuffix) { encrypted = true break } } } if tree.Metadata.UnencryptedRegex != "" { for _, p := range path { matched, _ := regexp.Match(tree.Metadata.UnencryptedRegex, []byte(p)) if matched { encrypted = false break } } } if tree.Metadata.EncryptedRegex != "" { encrypted = false for _, p := range path { matched, _ := regexp.Match(tree.Metadata.EncryptedRegex, []byte(p)) if matched { encrypted = true break } } } var v interface{} if encrypted { var err error pathString := strings.Join(path, ":") + ":" if c, ok := in.(Comment); ok { v, err = cipher.Decrypt(c.Value, key, pathString) if err != nil { // Assume the comment was not encrypted in the first place log.WithField("comment", c.Value). Warn("Found possibly unencrypted comment in file. " + "This is to be expected if the file being " + "decrypted was created with an older version of " + "SOPS.") v = c } } else { v, err = cipher.Decrypt(in.(string), key, pathString) if err != nil { return nil, fmt.Errorf("Could not decrypt value: %s", err) } } } else { v = in } // Only add to MAC if not a comment if _, ok := v.(Comment); !ok { bytes, err := ToBytes(v) if err != nil { return nil, fmt.Errorf("Could not convert %s to bytes: %s", in, err) } hash.Write(bytes) } return v, nil }) return err } for _, branch := range tree.Branches { err := walk(branch) if err != nil { return "", fmt.Errorf("Error walking tree: %s", err) } } return fmt.Sprintf("%X", hash.Sum(nil)), nil } // GenerateDataKey generates a new random data key and encrypts it with all MasterKeys. func (tree Tree) GenerateDataKey() ([]byte, []error) { newKey := make([]byte, 32) _, err := rand.Read(newKey) if err != nil { return nil, []error{fmt.Errorf("Could not generate random key: %s", err)} } return newKey, tree.Metadata.UpdateMasterKeys(newKey) } // GenerateDataKeyWithKeyServices generates a new random data key and encrypts it with all MasterKeys. func (tree *Tree) GenerateDataKeyWithKeyServices(svcs []keyservice.KeyServiceClient) ([]byte, []error) { newKey := make([]byte, 32) _, err := rand.Read(newKey) if err != nil { return nil, []error{fmt.Errorf("Could not generate random key: %s", err)} } return newKey, tree.Metadata.UpdateMasterKeysWithKeyServices(newKey, svcs) } // Metadata holds information about a file encrypted by sops type Metadata struct { LastModified time.Time UnencryptedSuffix string EncryptedSuffix string UnencryptedRegex string EncryptedRegex string MessageAuthenticationCode string Version string KeyGroups []KeyGroup // ShamirThreshold is the number of key groups required to recover the // original data key ShamirThreshold int // DataKey caches the decrypted data key so it doesn't have to be decrypted with a master key every time it's needed DataKey []byte } // KeyGroup is a slice of SOPS MasterKeys that all encrypt the same part of the data key type KeyGroup []keys.MasterKey // EncryptedFileLoader is the interface for loading of encrypted files. It provides a // way to load encrypted SOPS files into the internal SOPS representation. Because it // loads encrypted files, the returned data structure already contains all SOPS // metadata. type EncryptedFileLoader interface { LoadEncryptedFile(in []byte) (Tree, error) } // PlainFileLoader is the interface for loading of plain text files. It provides a // way to load unencrypted files into SOPS. Because the files it loads are // unencrypted, the returned data structure does not contain any metadata. type PlainFileLoader interface { LoadPlainFile(in []byte) (TreeBranches, error) } // EncryptedFileEmitter is the interface for emitting encrypting files. It provides a // way to emit encrypted files from the internal SOPS representation. type EncryptedFileEmitter interface { EmitEncryptedFile(Tree) ([]byte, error) } // PlainFileEmitter is the interface for emitting plain text files. It provides a way // to emit plain text files from the internal SOPS representation so that they can be // shown type PlainFileEmitter interface { EmitPlainFile(TreeBranches) ([]byte, error) } // ValueEmitter is the interface for emitting a value. It provides a way to emit // values from the internal SOPS representation so that they can be shown type ValueEmitter interface { EmitValue(interface{}) ([]byte, error) } // Store is used to interact with files, both encrypted and unencrypted. type Store interface { EncryptedFileLoader PlainFileLoader EncryptedFileEmitter PlainFileEmitter ValueEmitter } // MasterKeyCount returns the number of master keys available func (m *Metadata) MasterKeyCount() int { count := 0 for _, group := range m.KeyGroups { count += len(group) } return count } // UpdateMasterKeysWithKeyServices encrypts the data key with all master keys using the provided key services func (m *Metadata) UpdateMasterKeysWithKeyServices(dataKey []byte, svcs []keyservice.KeyServiceClient) (errs []error) { if len(svcs) == 0 { return []error{ fmt.Errorf("no key services provided, cannot update master keys"), } } var parts [][]byte if len(m.KeyGroups) == 1 { // If there's only one key group, we can't do Shamir. All keys // in the group encrypt the whole data key. parts = append(parts, dataKey) } else { var err error if m.ShamirThreshold == 0 { m.ShamirThreshold = len(m.KeyGroups) } log.WithFields(logrus.Fields{ "quorum": m.ShamirThreshold, "parts": len(m.KeyGroups), }).Info("Splitting data key with Shamir Secret Sharing") parts, err = shamir.Split(dataKey, len(m.KeyGroups), int(m.ShamirThreshold)) if err != nil { errs = append(errs, fmt.Errorf("could not split data key into parts for Shamir: %s", err)) return } if len(parts) != len(m.KeyGroups) { errs = append(errs, fmt.Errorf("not enough parts obtained from Shamir: need %d, got %d", len(m.KeyGroups), len(parts))) return } } for i, group := range m.KeyGroups { part := parts[i] for _, key := range group { svcKey := keyservice.KeyFromMasterKey(key) var keyErrs []error encrypted := false for _, svc := range svcs { rsp, err := svc.Encrypt(context.Background(), &keyservice.EncryptRequest{ Key: &svcKey, Plaintext: part, }) if err != nil { keyErrs = append(keyErrs, fmt.Errorf("failed to encrypt new data key with master key %q: %w", key.ToString(), err)) continue } key.SetEncryptedDataKey(rsp.Ciphertext) encrypted = true // Only need to encrypt the key successfully with one service break } if !encrypted { errs = append(errs, keyErrs...) } } } m.DataKey = dataKey return } // UpdateMasterKeys encrypts the data key with all master keys func (m *Metadata) UpdateMasterKeys(dataKey []byte) (errs []error) { return m.UpdateMasterKeysWithKeyServices(dataKey, []keyservice.KeyServiceClient{ keyservice.NewLocalClient(), }) } // GetDataKeyWithKeyServices retrieves the data key, asking KeyServices to decrypt it with each // MasterKey in the Metadata's KeySources until one of them succeeds. func (m Metadata) GetDataKeyWithKeyServices(svcs []keyservice.KeyServiceClient) ([]byte, error) { if m.DataKey != nil { return m.DataKey, nil } getDataKeyErr := getDataKeyError{ RequiredSuccessfulKeyGroups: m.ShamirThreshold, GroupResults: make([]error, len(m.KeyGroups)), } var parts [][]byte for i, group := range m.KeyGroups { part, err := decryptKeyGroup(group, svcs) if err == nil { parts = append(parts, part) } getDataKeyErr.GroupResults[i] = err } var dataKey []byte if len(m.KeyGroups) > 1 { if len(parts) < m.ShamirThreshold { return nil, &getDataKeyErr } var err error dataKey, err = shamir.Combine(parts) if err != nil { return nil, fmt.Errorf("could not get data key from shamir parts: %s", err) } } else { if len(parts) != 1 { return nil, &getDataKeyErr } dataKey = parts[0] } log.Info("Data key recovered successfully") m.DataKey = dataKey return dataKey, nil } // decryptKeyGroup tries to decrypt the contents of the provided KeyGroup with // any of the MasterKeys in the KeyGroup with any of the provided key services, // returning as soon as one key service succeeds. func decryptKeyGroup(group KeyGroup, svcs []keyservice.KeyServiceClient) ([]byte, error) { var keyErrs []error for _, key := range group { part, err := decryptKey(key, svcs) if err != nil { keyErrs = append(keyErrs, err) } else { return part, nil } } return nil, decryptKeyErrors(keyErrs) } // decryptKey tries to decrypt the contents of the provided MasterKey with any // of the key services, returning as soon as one key service succeeds. func decryptKey(key keys.MasterKey, svcs []keyservice.KeyServiceClient) ([]byte, error) { svcKey := keyservice.KeyFromMasterKey(key) var part []byte decryptErr := decryptKeyError{ keyName: key.ToString(), } for _, svc := range svcs { // All keys in a key group encrypt the same part, so as soon // as we decrypt it successfully with one key, we need to // proceed with the next group var err error if part == nil { var rsp *keyservice.DecryptResponse rsp, err = svc.Decrypt( context.Background(), &keyservice.DecryptRequest{ Ciphertext: key.EncryptedDataKey(), Key: &svcKey, }) if err == nil { part = rsp.Plaintext } } decryptErr.errs = append(decryptErr.errs, err) } if part != nil { return part, nil } return nil, &decryptErr } // GetDataKey retrieves the data key from the first MasterKey in the Metadata's KeySources that's able to return it, // using the local KeyService func (m Metadata) GetDataKey() ([]byte, error) { return m.GetDataKeyWithKeyServices([]keyservice.KeyServiceClient{ keyservice.NewLocalClient(), }) } // ToBytes converts a string, int, float or bool to a byte representation. func ToBytes(in interface{}) ([]byte, error) { switch in := in.(type) { case string: return []byte(in), nil case int: return []byte(strconv.Itoa(in)), nil case float64: return []byte(strconv.FormatFloat(in, 'f', -1, 64)), nil case bool: return []byte(strings.Title(strconv.FormatBool(in))), nil case []byte: return in, nil case Comment: return ToBytes(in.Value) default: return nil, fmt.Errorf("Could not convert unknown type %T to bytes", in) } } // EmitAsMap will emit the tree branches as a map. This is used by the publish // command for writing decrypted trees to various destinations. Should only be // used for outputting to data structures in code. func EmitAsMap(in TreeBranches) (map[string]interface{}, error) { data := map[string]interface{}{} for _, branch := range in { for _, item := range branch { if _, ok := item.Key.(Comment); ok { continue } val, err := encodeValueForMap(item.Value) if err != nil { return nil, err } data[item.Key.(string)] = val } } return data, nil } func encodeValueForMap(v interface{}) (interface{}, error) { switch v := v.(type) { case TreeBranch: return EmitAsMap([]TreeBranch{v}) default: return v, nil } } 07070100000099000081A400000000000000000000000162794F930000377F000000000000000000000000000000000000001800000000sops-3.7.3/sops_test.gopackage sops import ( "bytes" "fmt" "reflect" "testing" "github.com/stretchr/testify/assert" ) type reverseCipher struct{} // reverse returns its argument string reversed rune-wise left to right. func reverse(s string) string { r := []rune(s) for i, j := 0, len(r)-1; i < len(r)/2; i, j = i+1, j-1 { r[i], r[j] = r[j], r[i] } return string(r) } func (c reverseCipher) Encrypt(value interface{}, key []byte, path string) (string, error) { b, err := ToBytes(value) if err != nil { return "", err } return reverse(string(b)), nil } func (c reverseCipher) Decrypt(value string, key []byte, path string) (plaintext interface{}, err error) { if value == "error" { return nil, fmt.Errorf("Error") } return reverse(value), nil } func TestUnencryptedSuffix(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo_unencrypted", Value: "bar", }, TreeItem{ Key: "bar_unencrypted", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, }, } tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: "_unencrypted"}} expected := TreeBranch{ TreeItem{ Key: "foo_unencrypted", Value: "bar", }, TreeItem{ Key: "bar_unencrypted", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, } cipher := reverseCipher{} _, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Encrypting the tree failed: %s", err) } if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected) } _, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Decrypting the tree failed: %s", err) } if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected) } } func TestEncryptedSuffix(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo_encrypted", Value: "bar", }, TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, }, } tree := Tree{Branches: branches, Metadata: Metadata{EncryptedSuffix: "_encrypted"}} expected := TreeBranch{ TreeItem{ Key: "foo_encrypted", Value: "rab", }, TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, } cipher := reverseCipher{} _, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Encrypting the tree failed: %s", err) } if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected) } _, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Decrypting the tree failed: %s", err) } expected[0].Value = "bar" if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected) } } func TestEncryptedRegex(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "enc:foo", Value: "bar", }, TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, }, } tree := Tree{Branches: branches, Metadata: Metadata{EncryptedRegex: "^enc:"}} expected := TreeBranch{ TreeItem{ Key: "enc:foo", Value: "rab", }, TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, } cipher := reverseCipher{} _, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Encrypting the tree failed: %s", err) } if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected) } _, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Decrypting the tree failed: %s", err) } expected[0].Value = "bar" if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected) } } func TestUnencryptedRegex(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "dec:foo", Value: "bar", }, TreeItem{ Key: "dec:bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, }, } tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedRegex: "^dec:"}} expected := TreeBranch{ TreeItem{ Key: "dec:foo", Value: "bar", }, TreeItem{ Key: "dec:bar", Value: TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, }, }, } cipher := reverseCipher{} _, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Encrypting the tree failed: %s", err) } // expected[1].Value[] = "bar" if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot \t\t%+v,\n expected \t\t%+v", tree.Branches[0], expected) } _, err = tree.Decrypt(bytes.Repeat([]byte("f"), 32), cipher) if err != nil { t.Errorf("Decrypting the tree failed: %s", err) } if !reflect.DeepEqual(tree.Branches[0], expected) { t.Errorf("Trees don't match: \ngot\t\t\t%+v,\nexpected\t\t%+v", tree.Branches[0], expected) } } type MockCipher struct{} func (m MockCipher) Encrypt(value interface{}, key []byte, path string) (string, error) { return "a", nil } func (m MockCipher) Decrypt(value string, key []byte, path string) (interface{}, error) { return "a", nil } func TestEncrypt(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: 5, }, }, }, TreeItem{ Key: "bar", Value: false, }, TreeItem{ Key: "foobar", Value: 2.12, }, TreeItem{ Key: "barfoo", Value: nil, }, }, TreeBranch{ TreeItem{ Key: "foo2", Value: "bar", }, }, TreeBranch{ TreeItem{ Key: "foo3", Value: "bar", }, }, } expected := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo", Value: "a", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: "a", }, }, }, TreeItem{ Key: "bar", Value: "a", }, TreeItem{ Key: "foobar", Value: "a", }, TreeItem{ Key: "barfoo", Value: nil, }, }, TreeBranch{ TreeItem{ Key: "foo2", Value: "a", }, }, TreeBranch{ TreeItem{ Key: "foo3", Value: "a", }, }, } tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: DefaultUnencryptedSuffix}} tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), MockCipher{}) if !reflect.DeepEqual(tree.Branches, expected) { t.Errorf("%s does not equal expected tree: %s", tree.Branches, expected) } } func TestDecrypt(t *testing.T) { branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: "5", }, }, }, TreeItem{ Key: "bar", Value: "false", }, TreeItem{ Key: "foobar", Value: "2.12", }, TreeItem{ Key: "barfoo", Value: nil, }, }, TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: "6", }, }, }, }, TreeBranch{ TreeItem{ Key: "foo3", Value: "bar", }, }, } expected := TreeBranches{ TreeBranch{ TreeItem{ Key: "foo", Value: "a", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: "a", }, }, }, TreeItem{ Key: "bar", Value: "a", }, TreeItem{ Key: "foobar", Value: "a", }, TreeItem{ Key: "barfoo", Value: nil, }, }, TreeBranch{ TreeItem{ Key: "foo", Value: "a", }, TreeItem{ Key: "baz", Value: TreeBranch{ TreeItem{ Key: "bar", Value: "a", }, }, }, }, TreeBranch{ TreeItem{ Key: "foo3", Value: "a", }, }, } tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedSuffix: DefaultUnencryptedSuffix}} tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), MockCipher{}) if !reflect.DeepEqual(tree.Branches, expected) { t.Errorf("%s does not equal expected tree: %s", tree.Branches[0], expected) } } func TestTruncateTree(t *testing.T) { tree := TreeBranch{ TreeItem{ Key: "foo", Value: 2, }, TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "foobar", Value: []int{ 1, 2, 3, 4, }, }, }, }, } expected := 3 result, err := tree.Truncate([]interface{}{ "bar", "foobar", 2, }) assert.Equal(t, nil, err) assert.Equal(t, expected, result) } func TestEncryptComments(t *testing.T) { tree := Tree{ Branches: TreeBranches{ TreeBranch{ TreeItem{ Key: Comment{"foo"}, Value: nil, }, TreeItem{ Key: "list", Value: []interface{}{ "1", Comment{"bar"}, "2", }, }, }, }, Metadata: Metadata{ UnencryptedSuffix: DefaultUnencryptedSuffix, }, } tree.Encrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{}) assert.Equal(t, "oof", tree.Branches[0][0].Key.(Comment).Value) assert.Equal(t, "rab", tree.Branches[0][1].Value.([]interface{})[1]) } func TestDecryptComments(t *testing.T) { tree := Tree{ Branches: TreeBranches{ TreeBranch{ TreeItem{ Key: Comment{"oof"}, Value: nil, }, TreeItem{ Key: "list", Value: []interface{}{ "1", Comment{"rab"}, "2", }, }, TreeItem{ Key: "list", Value: nil, }, }, }, Metadata: Metadata{ UnencryptedSuffix: DefaultUnencryptedSuffix, }, } tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{}) assert.Equal(t, "foo", tree.Branches[0][0].Key.(Comment).Value) assert.Equal(t, "bar", tree.Branches[0][1].Value.([]interface{})[1]) } func TestDecryptUnencryptedComments(t *testing.T) { tree := Tree{ Branches: TreeBranches{ TreeBranch{ TreeItem{ // We use `error` to simulate an error decrypting, the fake cipher will error in this case Key: Comment{"error"}, Value: nil, }, }, }, Metadata: Metadata{}, } tree.Decrypt(bytes.Repeat([]byte{'f'}, 32), reverseCipher{}) assert.Equal(t, "error", tree.Branches[0][0].Key.(Comment).Value) } func TestSetNewKey(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "foo", Value: TreeBranch{ TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "baz", Value: "foobar", }, }, }, }, }, } set := branch.Set([]interface{}{"foo", "bar", "foo"}, "hello") assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[1].Value) } func TestSetArrayDeepNew(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "foo", Value: []interface{}{ "one", "two", }, }, } set := branch.Set([]interface{}{"foo", 2, "bar"}, "hello") assert.Equal(t, "hello", set[0].Value.([]interface{})[2].(TreeBranch)[0].Value) } func TestSetNewKeyDeep(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "foo", Value: "bar", }, } set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello") assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[0].Value) } func TestSetNewKeyOnEmptyBranch(t *testing.T) { branch := TreeBranch{} set := branch.Set([]interface{}{"foo", "bar", "baz"}, "hello") assert.Equal(t, "hello", set[0].Value.(TreeBranch)[0].Value.(TreeBranch)[0].Value) } func TestSetArray(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "foo", Value: []interface{}{ "one", "two", "three", }, }, } set := branch.Set([]interface{}{"foo", 0}, "uno") assert.Equal(t, "uno", set[0].Value.([]interface{})[0]) } func TestSetArrayNew(t *testing.T) { branch := TreeBranch{} set := branch.Set([]interface{}{"foo", 0, 0}, "uno") assert.Equal(t, "uno", set[0].Value.([]interface{})[0].([]interface{})[0]) } func TestSetExisting(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "foo", Value: "foobar", }, } set := branch.Set([]interface{}{"foo"}, "bar") assert.Equal(t, "bar", set[0].Value) } func TestSetArrayLeafNewItem(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "array", Value: []interface{}{}, }, } set := branch.Set([]interface{}{"array", 2}, "hello") assert.Equal(t, TreeBranch{ TreeItem{ Key: "array", Value: []interface{}{ "hello", }, }, }, set) } func TestSetArrayNonLeaf(t *testing.T) { branch := TreeBranch{ TreeItem{ Key: "array", Value: []interface{}{ 1, }, }, } set := branch.Set([]interface{}{"array", 0, "hello"}, "hello") assert.Equal(t, TreeBranch{ TreeItem{ Key: "array", Value: []interface{}{ TreeBranch{ TreeItem{ Key: "hello", Value: "hello", }, }, }, }, }, set) } func TestEmitAsMap(t *testing.T) { expected := map[string]interface{}{ "foobar": "barfoo", "number": 42, "foo": map[string]interface{}{ "bar": map[string]interface{}{ "baz": "foobar", }, }, } branches := TreeBranches{ TreeBranch{ TreeItem{ Key: "foobar", Value: "barfoo", }, TreeItem{ Key: "number", Value: 42, }, }, TreeBranch{ TreeItem{ Key: "foo", Value: TreeBranch{ TreeItem{ Key: "bar", Value: TreeBranch{ TreeItem{ Key: "baz", Value: "foobar", }, }, }, }, }, }, } data, err := EmitAsMap(branches) if assert.NoError(t, err) { assert.Equal(t, expected, data) } } 0707010000009A000041ED00000000000000000000000662794F9300000000000000000000000000000000000000000000001200000000sops-3.7.3/stores0707010000009B000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001900000000sops-3.7.3/stores/dotenv0707010000009C000081A400000000000000000000000162794F9300001278000000000000000000000000000000000000002200000000sops-3.7.3/stores/dotenv/store.gopackage dotenv //import "go.mozilla.org/sops/v3/stores/dotenv" import ( "bytes" "encoding/json" "fmt" "strings" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/stores" ) // SopsPrefix is the prefix for all metadatada entry keys const SopsPrefix = "sops_" // Store handles storage of dotenv data type Store struct { } // LoadEncryptedFile loads an encrypted file's bytes onto a sops.Tree runtime object func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { branches, err := store.LoadPlainFile(in) if err != nil { return sops.Tree{}, err } var resultBranch sops.TreeBranch mdMap := make(map[string]interface{}) for _, item := range branches[0] { switch key := item.Key.(type) { case string: if strings.HasPrefix(key, SopsPrefix) { key = key[len(SopsPrefix):] mdMap[key] = item.Value } else { resultBranch = append(resultBranch, item) } case sops.Comment: resultBranch = append(resultBranch, item) default: panic(fmt.Sprintf("Unexpected type: %T (value %#v)", key, key)) } } metadata, err := mapToMetadata(mdMap) if err != nil { return sops.Tree{}, err } internalMetadata, err := metadata.ToInternal() if err != nil { return sops.Tree{}, err } return sops.Tree{ Branches: sops.TreeBranches{ resultBranch, }, Metadata: internalMetadata, }, nil } // LoadPlainFile returns the contents of a plaintext file loaded onto a // sops runtime object func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { var branches sops.TreeBranches var branch sops.TreeBranch for _, line := range bytes.Split(in, []byte("\n")) { if len(line) == 0 { continue } if line[0] == '#' { branch = append(branch, sops.TreeItem{ Key: sops.Comment{string(line[1:])}, Value: nil, }) } else { pos := bytes.Index(line, []byte("=")) if pos == -1 { return nil, fmt.Errorf("invalid dotenv input line: %s", line) } branch = append(branch, sops.TreeItem{ Key: string(line[:pos]), Value: strings.Replace(string(line[pos+1:]), "\\n", "\n", -1), }) } } branches = append(branches, branch) return branches, nil } // EmitEncryptedFile returns the encrypted file's bytes corresponding to a sops // runtime object func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { metadata := stores.MetadataFromInternal(in.Metadata) mdItems, err := metadataToMap(metadata) if err != nil { return nil, err } for key, value := range mdItems { if value == nil { continue } in.Branches[0] = append(in.Branches[0], sops.TreeItem{Key: SopsPrefix + key, Value: value}) } return store.EmitPlainFile(in.Branches) } // EmitPlainFile returns the plaintext file's bytes corresponding to a sops // runtime object func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) { buffer := bytes.Buffer{} for _, item := range in[0] { if isComplexValue(item.Value) { return nil, fmt.Errorf("cannot use complex value in dotenv file: %s", item.Value) } var line string if comment, ok := item.Key.(sops.Comment); ok { line = fmt.Sprintf("#%s\n", comment.Value) } else { value := strings.Replace(item.Value.(string), "\n", "\\n", -1) line = fmt.Sprintf("%s=%s\n", item.Key, value) } buffer.WriteString(line) } return buffer.Bytes(), nil } // EmitValue returns a single value as bytes func (Store) EmitValue(v interface{}) ([]byte, error) { if s, ok := v.(string); ok { return []byte(s), nil } return nil, fmt.Errorf("the dotenv store only supports emitting strings, got %T", v) } // EmitExample returns the bytes corresponding to an example Flat Tree runtime object func (store *Store) EmitExample() []byte { bytes, err := store.EmitPlainFile(stores.ExampleFlatTree.Branches) if err != nil { panic(err) } return bytes } func metadataToMap(md stores.Metadata) (map[string]interface{}, error) { var mdMap map[string]interface{} inrec, err := json.Marshal(md) if err != nil { return nil, err } err = json.Unmarshal(inrec, &mdMap) if err != nil { return nil, err } flat := stores.Flatten(mdMap) for k, v := range flat { if s, ok := v.(string); ok { flat[k] = strings.Replace(s, "\n", "\\n", -1) } } return flat, nil } func mapToMetadata(m map[string]interface{}) (stores.Metadata, error) { for k, v := range m { if s, ok := v.(string); ok { m[k] = strings.Replace(s, "\\n", "\n", -1) } } m = stores.Unflatten(m) var md stores.Metadata inrec, err := json.Marshal(m) if err != nil { return md, err } err = json.Unmarshal(inrec, &md) return md, err } func isComplexValue(v interface{}) bool { switch v.(type) { case []interface{}: return true case sops.TreeBranch: return true } return false } 0707010000009D000081A400000000000000000000000162794F930000048A000000000000000000000000000000000000002700000000sops-3.7.3/stores/dotenv/store_test.gopackage dotenv import ( "strings" "testing" "github.com/stretchr/testify/assert" "go.mozilla.org/sops/v3" ) var PLAIN = []byte(strings.TrimLeft(` VAR1=val1 VAR2=val2 #comment VAR3_unencrypted=val3 VAR4=val4\nval4 `, "\n")) var BRANCH = sops.TreeBranch{ sops.TreeItem{ Key: "VAR1", Value: "val1", }, sops.TreeItem{ Key: "VAR2", Value: "val2", }, sops.TreeItem{ Key: sops.Comment{"comment"}, Value: nil, }, sops.TreeItem{ Key: "VAR3_unencrypted", Value: "val3", }, sops.TreeItem{ Key: "VAR4", Value: "val4\nval4", }, } func TestLoadPlainFile(t *testing.T) { branches, err := (&Store{}).LoadPlainFile(PLAIN) assert.Nil(t, err) assert.Equal(t, BRANCH, branches[0]) } func TestEmitPlainFile(t *testing.T) { branches := sops.TreeBranches{ BRANCH, } bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, PLAIN, bytes) } func TestEmitValueString(t *testing.T) { bytes, err := (&Store{}).EmitValue("hello") assert.Nil(t, err) assert.Equal(t, []byte("hello"), bytes) } func TestEmitValueNonstring(t *testing.T) { _, err := (&Store{}).EmitValue(BRANCH) assert.NotNil(t, err) } 0707010000009E000081A400000000000000000000000162794F93000013C4000000000000000000000000000000000000001D00000000sops-3.7.3/stores/flatten.gopackage stores import ( "fmt" "strconv" "strings" ) const mapSeparator = "__map_" const listSeparator = "__list_" // flattenAndMerge flattens the provided value and merges into the // into map using prefix func flattenAndMerge(into map[string]interface{}, prefix string, value interface{}) { flattenedValue := flattenValue(value) if flattenedValue, ok := flattenedValue.(map[string]interface{}); ok { for flatK, flatV := range flattenedValue { into[prefix+flatK] = flatV } } else { into[prefix] = value } } func flattenValue(value interface{}) interface{} { var output interface{} switch value := value.(type) { case map[string]interface{}: newMap := make(map[string]interface{}) for k, v := range value { flattenAndMerge(newMap, mapSeparator+k, v) } output = newMap case []interface{}: newMap := make(map[string]interface{}) for i, v := range value { flattenAndMerge(newMap, listSeparator+fmt.Sprintf("%d", i), v) } output = newMap default: output = value } return output } // Flatten flattens a map with potentially nested maps into a flat // map. Only string keys are allowed on both the top-level map and // child maps. func Flatten(in map[string]interface{}) map[string]interface{} { newMap := make(map[string]interface{}) for k, v := range in { if flat, ok := flattenValue(v).(map[string]interface{}); ok { for flatK, flatV := range flat { newMap[k+flatK] = flatV } } else { newMap[k] = v } } return newMap } type token interface{} type mapToken struct { key string } type listToken struct { position int } // tokenize converts a path generated by Flatten to be used as a key // in the flattened map, and converts it to a slice of tokens func tokenize(path string) []token { const ( StateNormal = 0 StateMap = iota StateList = iota ) var tokens []token state := StateNormal lastTokenEnd := 0 i := 0 finishPrevToken := func() { var t token switch state { case StateNormal: t = mapToken{path[lastTokenEnd:i]} case StateMap: t = mapToken{path[lastTokenEnd+len(mapSeparator) : i]} case StateList: pos, _ := strconv.Atoi(path[lastTokenEnd+len(listSeparator) : i]) t = listToken{pos} } lastTokenEnd = i tokens = append(tokens, t) } for i < len(path) { if strings.HasPrefix(path[i:], mapSeparator) { finishPrevToken() state = StateMap i += len(mapSeparator) } else if strings.HasPrefix(path[i:], listSeparator) { finishPrevToken() state = StateList i += len(listSeparator) } else { i++ } } finishPrevToken() return tokens } // unflatten takes the currentNode, currentToken, nextToken and value // and populates currentNode such that currentToken can be considered // processed. It inspects nextToken to decide what type to allocate // and assign under currentNode. func unflatten(currentNode interface{}, currentToken, nextToken token, value interface{}) interface{} { switch currentToken := currentToken.(type) { case mapToken: currentNode := currentNode.(map[string]interface{}) switch nextToken := nextToken.(type) { case mapToken: if _, ok := currentNode[currentToken.key]; !ok { currentNode[currentToken.key] = make(map[string]interface{}) } next := currentNode[currentToken.key].(map[string]interface{}) return next case listToken: if _, ok := currentNode[currentToken.key]; !ok { currentNode[currentToken.key] = make([]interface{}, nextToken.position+1) } next := currentNode[currentToken.key].([]interface{}) if nextToken.position >= len(next) { // Grow the slice and reassign it newNext := make([]interface{}, nextToken.position+1) copy(newNext, next) next = newNext currentNode[currentToken.key] = next } return next default: currentNode[currentToken.key] = value } case listToken: currentNode := currentNode.([]interface{}) switch nextToken := nextToken.(type) { case mapToken: if currentNode[currentToken.position] == nil { currentNode[currentToken.position] = make(map[string]interface{}) } next := currentNode[currentToken.position].(map[string]interface{}) return next case listToken: if currentNode[currentToken.position] == nil { currentNode[currentToken.position] = make([]interface{}, nextToken.position+1) } next := currentNode[currentToken.position].([]interface{}) if nextToken.position >= len(next) { // Grow the slice and reassign it newNext := make([]interface{}, nextToken.position+1) copy(newNext, next) next = newNext currentNode[currentToken.position] = next } return next default: currentNode[currentToken.position] = value } } return nil } // Unflatten unflattens a map flattened by Flatten func Unflatten(in map[string]interface{}) map[string]interface{} { newMap := make(map[string]interface{}) for k, v := range in { var current interface{} = newMap tokens := append(tokenize(k), nil) for i := 0; i < len(tokens)-1; i++ { current = unflatten(current, tokens[i], tokens[i+1], v) } } return newMap } 0707010000009F000081A400000000000000000000000162794F9300000D66000000000000000000000000000000000000002200000000sops-3.7.3/stores/flatten_test.gopackage stores import ( "testing" "github.com/stretchr/testify/assert" ) func TestFlat(t *testing.T) { input := map[string]interface{}{ "foo": "bar", } expected := map[string]interface{}{ "foo": "bar", } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestMap(t *testing.T) { input := map[string]interface{}{ "foo": map[string]interface{}{ "bar": 0, "baz": 0, }, } expected := map[string]interface{}{ "foo" + mapSeparator + "bar": 0, "foo" + mapSeparator + "baz": 0, } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestFlattenMapMoreNesting(t *testing.T) { input := map[string]interface{}{ "foo": map[string]interface{}{ "bar": map[string]interface{}{ "baz": 0, }, }, } expected := map[string]interface{}{ "foo" + mapSeparator + "bar" + mapSeparator + "baz": 0, } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestFlattenList(t *testing.T) { input := map[string]interface{}{ "foo": []interface{}{ 0, }, } expected := map[string]interface{}{ "foo" + listSeparator + "0": 0, } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestFlattenListWithMap(t *testing.T) { input := map[string]interface{}{ "foo": []interface{}{ map[string]interface{}{ "bar": 0, }, }, } expected := map[string]interface{}{ "foo" + listSeparator + "0" + mapSeparator + "bar": 0, } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestFlatten(t *testing.T) { input := map[string]interface{}{ "foo": "bar", "baz": map[string]interface{}{ "foo": 2, "bar": map[string]interface{}{ "foo": 2, }, }, "qux": []interface{}{ "hello", 1, 2, }, } expected := map[string]interface{}{ "foo": "bar", "baz" + mapSeparator + "foo": 2, "baz" + mapSeparator + "bar" + mapSeparator + "foo": 2, "qux" + listSeparator + "0": "hello", "qux" + listSeparator + "1": 1, "qux" + listSeparator + "2": 2, } flattened := Flatten(input) assert.Equal(t, expected, flattened) unflattened := Unflatten(flattened) assert.Equal(t, input, unflattened) } func TestTokenizeFlat(t *testing.T) { input := "bar" expected := []token{mapToken{"bar"}} tokenized := tokenize(input) assert.Equal(t, expected, tokenized) } func TestTokenizeMap(t *testing.T) { input := "bar" + mapSeparator + "foo" expected := []token{mapToken{"bar"}, mapToken{"foo"}} tokenized := tokenize(input) assert.Equal(t, expected, tokenized) } func TestTokenizeList(t *testing.T) { input := "bar" + listSeparator + "10" expected := []token{mapToken{"bar"}, listToken{10}} tokenized := tokenize(input) assert.Equal(t, expected, tokenized) } func TestTokenizeNested(t *testing.T) { input := "bar" + listSeparator + "10" + mapSeparator + "baz" expected := []token{mapToken{"bar"}, listToken{10}, mapToken{"baz"}} tokenized := tokenize(input) assert.Equal(t, expected, tokenized) } 070701000000A0000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000001600000000sops-3.7.3/stores/ini070701000000A1000081A400000000000000000000000162794F9300001C7E000000000000000000000000000000000000001F00000000sops-3.7.3/stores/ini/store.gopackage ini //import "go.mozilla.org/sops/v3/stores/ini" import ( "bytes" "encoding/json" "fmt" "strconv" "strings" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/stores" "gopkg.in/ini.v1" ) // Store handles storage of ini data. type Store struct { } func (store Store) encodeTree(branches sops.TreeBranches) ([]byte, error) { iniFile := ini.Empty() for _, branch := range branches { for _, item := range branch { if _, ok := item.Key.(sops.Comment); ok { continue } section, err := iniFile.NewSection(item.Key.(string)) if err != nil { return nil, fmt.Errorf("Error encoding section %s: %s", item.Key, err) } itemTree, ok := item.Value.(sops.TreeBranch) if !ok { return nil, fmt.Errorf("Error encoding section: Section values should always be TreeBranches") } first := 0 if len(itemTree) > 0 { if sectionComment, ok := itemTree[0].Key.(sops.Comment); ok { section.Comment = sectionComment.Value first = 1 } } var lastItem *ini.Key for i := first; i < len(itemTree); i++ { keyVal := itemTree[i] if comment, ok := keyVal.Key.(sops.Comment); ok { if lastItem != nil { lastItem.Comment = comment.Value } } else { lastItem, err = section.NewKey(keyVal.Key.(string), store.valToString(keyVal.Value)) if err != nil { return nil, fmt.Errorf("Error encoding key: %s", err) } } } } } var buffer bytes.Buffer iniFile.WriteTo(&buffer) return buffer.Bytes(), nil } func (store Store) stripCommentChar(comment string) string { if strings.HasPrefix(comment, ";") { comment = strings.TrimLeft(comment, "; ") } else if strings.HasPrefix(comment, "#") { comment = strings.TrimLeft(comment, "# ") } return comment } func (store Store) valToString(v interface{}) string { switch v := v.(type) { case fmt.Stringer: return v.String() case float64: return strconv.FormatFloat(v, 'f', 6, 64) case bool: return strconv.FormatBool(v) default: return fmt.Sprintf("%s", v) } } func (store Store) iniFromTreeBranches(branches sops.TreeBranches) ([]byte, error) { return store.encodeTree(branches) } func (store Store) treeBranchesFromIni(in []byte) (sops.TreeBranches, error) { iniFile, err := ini.Load(in) if err != nil { return nil, err } var branch sops.TreeBranch for _, section := range iniFile.Sections() { item, err := store.treeItemFromSection(section) if err != nil { return sops.TreeBranches{branch}, err } branch = append(branch, item) } return sops.TreeBranches{branch}, nil } func (store Store) treeItemFromSection(section *ini.Section) (sops.TreeItem, error) { var sectionItem sops.TreeItem sectionItem.Key = section.Name() var items sops.TreeBranch if section.Comment != "" { items = append(items, sops.TreeItem{ Key: sops.Comment{ Value: store.stripCommentChar(section.Comment), }, Value: nil, }) } for _, key := range section.Keys() { item := sops.TreeItem{Key: key.Name(), Value: key.Value()} items = append(items, item) if key.Comment != "" { items = append(items, sops.TreeItem{ Key: sops.Comment{ Value: store.stripCommentChar(key.Comment), }, Value: nil, }) } } sectionItem.Value = items return sectionItem, nil } // LoadEncryptedFile loads encrypted INI file's bytes onto a sops.Tree runtime object func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { iniFileOuter, err := ini.Load(in) if err != nil { return sops.Tree{}, err } sopsSection, err := iniFileOuter.GetSection("sops") if err != nil { return sops.Tree{}, sops.MetadataNotFound } metadataHolder, err := store.iniSectionToMetadata(sopsSection) if err != nil { return sops.Tree{}, err } metadata, err := metadataHolder.ToInternal() if err != nil { return sops.Tree{}, err } // After that, we load the whole file into a map. branches, err := store.treeBranchesFromIni(in) if err != nil { return sops.Tree{}, fmt.Errorf("Could not unmarshal input data: %s", err) } // Discard metadata, as we already loaded it. for bi, branch := range branches { for s, sectionBranch := range branch { if sectionBranch.Key == "sops" { branch = append(branch[:s], branch[s+1:]...) branches[bi] = branch } } } return sops.Tree{ Branches: branches, Metadata: metadata, }, nil } func (store *Store) iniSectionToMetadata(sopsSection *ini.Section) (stores.Metadata, error) { metadataHash := make(map[string]interface{}) for k, v := range sopsSection.KeysHash() { metadataHash[k] = strings.Replace(v, "\\n", "\n", -1) } m := stores.Unflatten(metadataHash) var md stores.Metadata inrec, err := json.Marshal(m) if err != nil { return md, err } err = json.Unmarshal(inrec, &md) return md, err } // LoadPlainFile loads a plaintext INI file's bytes onto a sops.TreeBranches runtime object func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { branches, err := store.treeBranchesFromIni(in) if err != nil { return branches, fmt.Errorf("Could not unmarshal input data: %s", err) } return branches, nil } // EmitEncryptedFile returns encrypted INI file bytes corresponding to a sops.Tree // runtime object func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { metadata := stores.MetadataFromInternal(in.Metadata) newBranch, err := store.encodeMetadataToIniBranch(metadata) if err != nil { return nil, err } sectionItem := sops.TreeItem{Key: "sops", Value: newBranch} branch := sops.TreeBranch{sectionItem} in.Branches = append(in.Branches, branch) out, err := store.iniFromTreeBranches(in.Branches) if err != nil { return nil, fmt.Errorf("Error marshaling to ini: %s", err) } return out, nil } func (store *Store) encodeMetadataToIniBranch(md stores.Metadata) (sops.TreeBranch, error) { var mdMap map[string]interface{} inrec, err := json.Marshal(md) if err != nil { return nil, err } err = json.Unmarshal(inrec, &mdMap) if err != nil { return nil, err } flat := stores.Flatten(mdMap) for k, v := range flat { if s, ok := v.(string); ok { flat[k] = strings.Replace(s, "\n", "\\n", -1) } } if err != nil { return nil, err } branch := sops.TreeBranch{} for key, value := range flat { if value == nil { continue } branch = append(branch, sops.TreeItem{Key: key, Value: value}) } return branch, nil } // EmitPlainFile returns the plaintext INI file bytes corresponding to a sops.TreeBranches object func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) { out, err := store.iniFromTreeBranches(in) if err != nil { return nil, fmt.Errorf("Error marshaling to ini: %s", err) } return out, nil } func (store Store) encodeValue(v interface{}) ([]byte, error) { switch v := v.(type) { case sops.TreeBranches: return store.encodeTree(v) default: return json.Marshal(v) } } // EmitValue returns a single value encoded in a generic interface{} as bytes func (store *Store) EmitValue(v interface{}) ([]byte, error) { return store.encodeValue(v) } // EmitExample returns the plaintext INI file bytes corresponding to the SimpleTree example func (store *Store) EmitExample() []byte { bytes, err := store.EmitPlainFile(stores.ExampleSimpleTree.Branches) if err != nil { panic(err) } return bytes } 070701000000A2000081A400000000000000000000000162794F9300000ABD000000000000000000000000000000000000002400000000sops-3.7.3/stores/ini/store_test.gopackage ini import ( "testing" "github.com/stretchr/testify/assert" "go.mozilla.org/sops/v3" ) func TestDecodeIni(t *testing.T) { in := ` ; last modified 1 April 2001 by John Doe [owner] name=John Doe organization=Acme Widgets Inc. [database] ; use IP address in case network name resolution is not working server=192.0.2.62 port=143 file="payroll.dat" ` expected := sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "DEFAULT", Value: sops.TreeBranch(nil), }, sops.TreeItem{ Key: "owner", Value: sops.TreeBranch{ sops.TreeItem{ Key: sops.Comment{Value: "last modified 1 April 2001 by John Doe"}, Value: nil, }, sops.TreeItem{ Key: "name", Value: "John Doe", }, sops.TreeItem{ Key: "organization", Value: "Acme Widgets Inc.", }, }, }, sops.TreeItem{ Key: "database", Value: sops.TreeBranch{ sops.TreeItem{ Key: "server", Value: "192.0.2.62", }, sops.TreeItem{ Key: sops.Comment{Value: "use IP address in case network name resolution is not working"}, Value: nil, }, sops.TreeItem{ Key: "port", Value: "143", }, sops.TreeItem{ Key: "file", Value: "payroll.dat", }, }, }, }, } branch, err := Store{}.treeBranchesFromIni([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestEncodeSimpleIni(t *testing.T) { branches := sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "DEFAULT", Value: sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: "bar", }, sops.TreeItem{ Key: "baz", Value: "3.0", }, sops.TreeItem{ Key: "qux", Value: "false", }, }, }, }, } out, err := Store{}.iniFromTreeBranches(branches) assert.Nil(t, err) expected, _ := Store{}.treeBranchesFromIni(out) assert.Equal(t, expected, branches) } func TestEncodeIniWithEscaping(t *testing.T) { branches := sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "DEFAULT", Value: sops.TreeBranch{ sops.TreeItem{ Key: "foo\\bar", Value: "value", }, sops.TreeItem{ Key: "a_key_with\"quotes\"", Value: "4.0", }, sops.TreeItem{ Key: "baz\\\\foo", Value: "2.0", }, }, }, }, } out, err := Store{}.iniFromTreeBranches(branches) assert.Nil(t, err) expected, _ := Store{}.treeBranchesFromIni(out) assert.Equal(t, expected, branches) } func TestUnmarshalMetadataFromNonSOPSFile(t *testing.T) { data := []byte(`hello=2`) store := Store{} _, err := store.LoadEncryptedFile(data) assert.Equal(t, sops.MetadataNotFound, err) } 070701000000A3000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002500000000sops-3.7.3/stores/ini/test_resources070701000000A4000081A400000000000000000000000162794F9300000C03000000000000000000000000000000000000003200000000sops-3.7.3/stores/ini/test_resources/example.json{ "example_key": "ENC[AES256_GCM,data:Xjen3YMQYCBfTU8VjA==,iv:1NUKversqeQiuTmAkZuyd6UY2AWiBS4owa4QHnwKOBM=,tag:ZO+Aln5DQ5Qm/QV2uBdahA==,type:str]", "example_array": [ "ENC[AES256_GCM,data:XJR0qvZuifm8j1TIQB8=,iv:QUkwy1dp0RU0PKEAw/VxVe1ZsQ972c8gPMJoVKgMfuw=,tag:LGdwC5nTua4rSe0dLbbA1Q==,type:str]", "ENC[AES256_GCM,data:7bhghzi5GN/mMqh1vHU=,iv:X5vrd9X7ItIG/RVCn0T7RFhUrTb2YItr3i97EVk9nOY=,tag:vrM058PPOGmWOGPThOP5Ew==,type:str]" ], "example_number": "ENC[AES256_GCM,data:w9etQN5r8iCz,iv:YF+1uUlMa4I1C7A0ELpVuMa1yK042uEMhp8y6HiCTDE=,tag:Dmh+AV9sh+ir0M1Txe+v2A==,type:float]", "example_booleans": [ "ENC[AES256_GCM,data:/hltsg==,iv:pbAtZ9i8rxFpaFlbwE1KOA+k/TVx5dm0tDtH94GCEVc=,tag:yz3d1pQu9zy5Ra9z2kDcoA==,type:bool]", "ENC[AES256_GCM,data:HEei0+s=,iv:hgKT5eiYdHn5AqWdNji7vRKfabln90VbLmJqt7A480E=,tag:6pfezzTX/eULebF+32Z2+w==,type:bool]" ], "sops": { "lastmodified": "2016-08-04T23:30:35Z", "attention": "This section contains key material that should only be modified with extra care. See `sops -h`.", "unencrypted_suffix": "_unencrypted", "mac": "ENC[AES256_GCM,data:EK1LkVgW5CBEsGgGc7RkfZlzqWrP2fZe3kG7HbkJ5JFd591oUkbQ6I2uPImkcxf7HjiEHzKPPF5QvNg3+rUxgw6S8pQtumhDbFrfDi8GDS2VVvPR+0fnc2fR5PMGm36bOaQFDNSmgyJzKhMmNL+MtRhH+fMUnHhrnxuN3wfLr4w=,iv:xbNK6wRDVT4xhrP+vP2RIy+uNjZSSzqEJZPOdShn96o=,tag:vT4akR5X6qx5/wJ4dncxtg==,type:str]", "version": "1.13", "kms": [ { "created_at": "2016-08-04T23:30:35Z", "enc": "AQECAHgFEiO2dNygC3Rz8PhERCc8Sfhak4g81FUPqQJ0OBcAKgAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDPKe5R67LMN3+xAkygIBEIA7F8noZukawV3VLQ/yH3Ep7Ptx8weLFUgVf/ZI6xqSMNvEHIr4+vf2xjBiAyrEF8u/n9nm9PWAdKHszFM=", "arn": "arn:aws:kms:us-east-1:927034868273:key/e9fc75db-05e9-44c1-9c35-633922bac347" } ], "pgp": [ { "fp": "E5297818703249D0C60E19E6824612478D1A4CCD", "created_at": "2016-08-04T23:30:35Z", "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhQIMA2X8rvoeiASBARAAurTEVS82kqadk68f5ZlwR176S148WYTYxFp5oMC7cVD7\n42+Eo9RzaxbHeO5n7XKX0SDOUUeCucFl8fwuDUV1iDIx4/u5HgWXxDuvWoNe5cAL\n4LBS1Er2ZBVAdU0WHZ/8USuZLhSu7ucAHOvqNpHzPT6gkuBUYLQKOu0c+onWHqVO\n1DhfkTtvphotZ0ZBBR099t5N8ofD0W2+SM268A9/bB5yQcK9Ig/KxZBrfmMQm7zx\n9hLVQhcBmj0OQG37K4/SXGwjrQFarh6lm+FuZM0Q+GI+OARoAKdpZOnPEhXKE6un\nSEa69rh5FKVM/XRp2/QVZEakzRtq3gi9CtYL2sNr7KEnCvxt/v2pEc6evfIvxWTc\nT8MWdk48FkVjdsJ34sNiIM8msstnYorse8RZny9gcLE+A5lsRavo2QPL4GADyHF8\n7kwijSVDd08nByTBMMEPpMozUFhzF8QuVZPD+siuUvi+Bned9MmqgGMfvhS0Kf38\nMZFy5C6e38VGEX3IrWChvzbBm/M3fjs1fPVDShHfk1MYsCU9sXNQMQVewWE0s/em\nklycIL3hywd4N9z1MVW2hBpRrC247PtGQRKGoB9qbKtSgjTtgM7bo1vYekeY1tjr\nBGTHNFV+FBqFih16u/rGVzIaBsf5lLL/RtpaFZx1OWHMd9XjQpRrHhjOMpQ8tjvS\nXgGH59vv/9GNZ+Rix1QF+iMD84sfkyyguGKwg+TC3m275v+HIO1NvNdU6oS3O/Xq\nBCBV3yYAUwcrWUPWCuSUHJbuHKJEI1ymXUu8+RUElPyi/5JEhW+J1WlVPvnG1Xk=\n=Q/XA\n-----END PGP MESSAGE-----\n" } ] } }070701000000A5000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000001700000000sops-3.7.3/stores/json070701000000A6000081A400000000000000000000000162794F93000022AF000000000000000000000000000000000000002000000000sops-3.7.3/stores/json/store.gopackage json //import "go.mozilla.org/sops/v3/stores/json" import ( "bytes" "encoding/json" "fmt" "io" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/stores" ) // Store handles storage of JSON data. type Store struct { } // BinaryStore handles storage of binary data in a JSON envelope. type BinaryStore struct { store Store } // LoadEncryptedFile loads an encrypted json file onto a sops.Tree object func (store BinaryStore) LoadEncryptedFile(in []byte) (sops.Tree, error) { return store.store.LoadEncryptedFile(in) } // LoadPlainFile loads a plaintext json file onto a sops.Tree encapsulated // within a sops.TreeBranches object func (store BinaryStore) LoadPlainFile(in []byte) (sops.TreeBranches, error) { return sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "data", Value: string(in), }, }, }, nil } // EmitEncryptedFile produces an encrypted json file's bytes from its corresponding sops.Tree object func (store BinaryStore) EmitEncryptedFile(in sops.Tree) ([]byte, error) { return store.store.EmitEncryptedFile(in) } // EmitPlainFile produces plaintext json file's bytes from its corresponding sops.TreeBranches object func (store BinaryStore) EmitPlainFile(in sops.TreeBranches) ([]byte, error) { // JSON stores a single object per file for _, item := range in[0] { if item.Key == "data" { return []byte(item.Value.(string)), nil } } return nil, fmt.Errorf("No binary data found in tree") } // EmitValue extracts a value from a generic interface{} object representing a structured set // of binary files func (store BinaryStore) EmitValue(v interface{}) ([]byte, error) { return nil, fmt.Errorf("Binary files are not structured and extracting a single value is not possible") } // EmitExample returns the example's plaintext json file bytes func (store BinaryStore) EmitExample() []byte { return []byte("Welcome to SOPS! Edit this file as you please!") } func (store Store) sliceFromJSONDecoder(dec *json.Decoder) ([]interface{}, error) { var slice []interface{} for { t, err := dec.Token() if err != nil { return slice, err } if delim, ok := t.(json.Delim); ok && delim.String() == "]" { return slice, nil } else if ok && delim.String() == "{" { item, err := store.treeBranchFromJSONDecoder(dec) if err != nil { return slice, err } slice = append(slice, item) } else if ok && delim.String() == "[" { item, err := store.sliceFromJSONDecoder(dec) if err != nil { return slice, err } slice = append(slice, item) } else { slice = append(slice, t) } } } var errEndOfObject = fmt.Errorf("End of object") func (store Store) treeItemFromJSONDecoder(dec *json.Decoder) (sops.TreeItem, error) { var item sops.TreeItem key, err := dec.Token() if err != nil && err != io.EOF { return item, err } if k, ok := key.(string); ok { item.Key = k } else if d, ok := key.(json.Delim); ok && d.String() == "}" { return item, errEndOfObject } else { return item, fmt.Errorf("Expected JSON object key, got %s of type %T instead", key, key) } value, err := dec.Token() if err != nil { return item, err } if delim, ok := value.(json.Delim); ok { if delim.String() == "[" { v, err := store.sliceFromJSONDecoder(dec) if err != nil { return item, err } item.Value = v } if delim.String() == "{" { v, err := store.treeBranchFromJSONDecoder(dec) if err != nil { return item, err } item.Value = v } } else { item.Value = value } return item, nil } func (store Store) treeBranchFromJSONDecoder(dec *json.Decoder) (sops.TreeBranch, error) { var tree sops.TreeBranch for { item, err := store.treeItemFromJSONDecoder(dec) if err == io.EOF { return tree, nil } if err == errEndOfObject { return tree, nil } if err != nil { return tree, err } tree = append(tree, item) } } func (store Store) encodeValue(v interface{}) ([]byte, error) { switch v := v.(type) { case sops.TreeBranch: return store.encodeTree(v) case []interface{}: return store.encodeArray(v) default: return json.Marshal(v) } } func (store Store) encodeArray(array []interface{}) ([]byte, error) { out := "[" for i, item := range array { if _, ok := item.(sops.Comment); ok { continue } v, err := store.encodeValue(item) if err != nil { return nil, err } out += string(v) if i != len(array)-1 { out += "," } } out += "]" return []byte(out), nil } func (store Store) encodeTree(tree sops.TreeBranch) ([]byte, error) { out := "{" for i, item := range tree { if _, ok := item.Key.(sops.Comment); ok { continue } v, err := store.encodeValue(item.Value) if err != nil { return nil, fmt.Errorf("Error encoding value %s: %s", v, err) } k, err := json.Marshal(item.Key.(string)) if err != nil { return nil, fmt.Errorf("Error encoding key %s: %s", k, err) } out += string(k) + `: ` + string(v) if i != len(tree)-1 { out += "," } } return []byte(out + "}"), nil } func (store Store) jsonFromTreeBranch(branch sops.TreeBranch) ([]byte, error) { out, err := store.encodeTree(branch) if err != nil { return nil, err } return store.reindentJSON(out) } func (store Store) treeBranchFromJSON(in []byte) (sops.TreeBranch, error) { dec := json.NewDecoder(bytes.NewReader(in)) dec.Token() return store.treeBranchFromJSONDecoder(dec) } func (store Store) reindentJSON(in []byte) ([]byte, error) { var out bytes.Buffer err := json.Indent(&out, in, "", "\t") return out.Bytes(), err } // LoadEncryptedFile loads an encrypted secrets file onto a sops.Tree object func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { // Because we don't know what fields the input file will have, we have to // load the file in two steps. // First, we load the file's metadata, the structure of which is known. metadataHolder := stores.SopsFile{} err := json.Unmarshal(in, &metadataHolder) if err != nil { if err, ok := err.(*json.UnmarshalTypeError); ok { if err.Value == "number" && err.Struct == "Metadata" && err.Field == "version" { return sops.Tree{}, fmt.Errorf("SOPS versions higher than 2.0.10 can not automatically decrypt JSON files " + "created with SOPS 1.x. In order to be able to decrypt this file, you can either edit it " + "manually and make sure the JSON value under `sops -> version` is a string and not a " + "number, or you can rotate the file's key with any version of SOPS between 2.0 and 2.0.10 " + "using `sops -r your_file.json`") } } return sops.Tree{}, fmt.Errorf("Error unmarshalling input json: %s", err) } if metadataHolder.Metadata == nil { return sops.Tree{}, sops.MetadataNotFound } metadata, err := metadataHolder.Metadata.ToInternal() if err != nil { return sops.Tree{}, err } // After that, we load the whole file into a map. branch, err := store.treeBranchFromJSON(in) if err != nil { return sops.Tree{}, fmt.Errorf("Could not unmarshal input data: %s", err) } // Discard metadata, as we already loaded it. for i, item := range branch { if item.Key == "sops" { branch = append(branch[:i], branch[i+1:]...) } } return sops.Tree{ Branches: sops.TreeBranches{ branch, }, Metadata: metadata, }, nil } // LoadPlainFile loads plaintext json file bytes onto a sops.TreeBranches object func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { branch, err := store.treeBranchFromJSON(in) if err != nil { return nil, fmt.Errorf("Could not unmarshal input data: %s", err) } return sops.TreeBranches{ branch, }, nil } // EmitEncryptedFile returns the encrypted bytes of the json file corresponding to a // sops.Tree runtime object func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { tree := append(in.Branches[0], sops.TreeItem{Key: "sops", Value: stores.MetadataFromInternal(in.Metadata)}) out, err := store.jsonFromTreeBranch(tree) if err != nil { return nil, fmt.Errorf("Error marshaling to json: %s", err) } return out, nil } // EmitPlainFile returns the plaintext bytes of the json file corresponding to a // sops.TreeBranches runtime object func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) { out, err := store.jsonFromTreeBranch(in[0]) if err != nil { return nil, fmt.Errorf("Error marshaling to json: %s", err) } return out, nil } // EmitValue returns bytes corresponding to a single encoded value // in a generic interface{} object func (store *Store) EmitValue(v interface{}) ([]byte, error) { s, err := store.encodeValue(v) if err != nil { return nil, err } return store.reindentJSON(s) } // EmitExample returns the bytes corresponding to an example complex tree func (store *Store) EmitExample() []byte { bytes, err := store.EmitPlainFile(stores.ExampleComplexTree.Branches) if err != nil { panic(err) } return bytes } 070701000000A7000081A400000000000000000000000162794F9300001B0E000000000000000000000000000000000000002500000000sops-3.7.3/stores/json/store_test.gopackage json import ( "testing" "github.com/stretchr/testify/assert" "go.mozilla.org/sops/v3" ) func TestDecodeJSON(t *testing.T) { in := ` { "glossary":{ "title":"example glossary", "GlossDiv":{ "title":"S", "GlossList":{ "GlossEntry":{ "ID":"SGML", "SortAs":"SGML", "GlossTerm":"Standard Generalized Markup Language", "Acronym":"SGML", "Abbrev":"ISO 8879:1986", "GlossDef":{ "para":"A meta-markup language, used to create markup languages such as DocBook.", "GlossSeeAlso":[ "GML", "XML" ] }, "GlossSee":"markup" } } } } }` expected := sops.TreeBranch{ sops.TreeItem{ Key: "glossary", Value: sops.TreeBranch{ sops.TreeItem{ Key: "title", Value: "example glossary", }, sops.TreeItem{ Key: "GlossDiv", Value: sops.TreeBranch{ sops.TreeItem{ Key: "title", Value: "S", }, sops.TreeItem{ Key: "GlossList", Value: sops.TreeBranch{ sops.TreeItem{ Key: "GlossEntry", Value: sops.TreeBranch{ sops.TreeItem{ Key: "ID", Value: "SGML", }, sops.TreeItem{ Key: "SortAs", Value: "SGML", }, sops.TreeItem{ Key: "GlossTerm", Value: "Standard Generalized Markup Language", }, sops.TreeItem{ Key: "Acronym", Value: "SGML", }, sops.TreeItem{ Key: "Abbrev", Value: "ISO 8879:1986", }, sops.TreeItem{ Key: "GlossDef", Value: sops.TreeBranch{ sops.TreeItem{ Key: "para", Value: "A meta-markup language, used to create markup languages such as DocBook.", }, sops.TreeItem{ Key: "GlossSeeAlso", Value: []interface{}{ "GML", "XML", }, }, }, }, sops.TreeItem{ Key: "GlossSee", Value: "markup", }, }, }, }, }, }, }, }, }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestDecodeSimpleJSONObject(t *testing.T) { in := `{"foo": "bar", "baz": 2}` expected := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: "bar", }, sops.TreeItem{ Key: "baz", Value: 2.0, }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestDecodeNumber(t *testing.T) { in := `42` _, err := Store{}.treeBranchFromJSON([]byte(in)) assert.NotNil(t, err) } func TestDecodeNestedJSONObject(t *testing.T) { in := `{"foo": {"foo": "bar"}}` expected := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: "bar", }, }, }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestDecodeJSONWithArray(t *testing.T) { in := `{"foo": {"foo": [1, 2, 3]}, "bar": "baz"}` expected := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: []interface{}{1.0, 2.0, 3.0}, }, }, }, sops.TreeItem{ Key: "bar", Value: "baz", }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestDecodeJSONArrayOfObjects(t *testing.T) { in := `{"foo": [{"bar": "foo"}, {"foo": "bar"}]}` expected := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: []interface{}{ sops.TreeBranch{ sops.TreeItem{ Key: "bar", Value: "foo", }, }, sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: "bar", }, }, }, }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestDecodeJSONArrayOfArrays(t *testing.T) { in := `{"foo": [[["foo", {"bar": "foo"}]]]}` expected := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: []interface{}{ []interface{}{ []interface{}{ "foo", sops.TreeBranch{ sops.TreeItem{ Key: "bar", Value: "foo", }, }, }, }, }, }, } branch, err := Store{}.treeBranchFromJSON([]byte(in)) assert.Nil(t, err) assert.Equal(t, expected, branch) } func TestEncodeSimpleJSON(t *testing.T) { branch := sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: "bar", }, sops.TreeItem{ Key: "foo", Value: 3.0, }, sops.TreeItem{ Key: "bar", Value: false, }, } out, err := Store{}.jsonFromTreeBranch(branch) assert.Nil(t, err) expected, _ := Store{}.treeBranchFromJSON(out) assert.Equal(t, expected, branch) } func TestEncodeJSONWithEscaping(t *testing.T) { branch := sops.TreeBranch{ sops.TreeItem{ Key: "foo\\bar", Value: "value", }, sops.TreeItem{ Key: "a_key_with\"quotes\"", Value: 4.0, }, sops.TreeItem{ Key: "baz\\\\foo", Value: 2.0, }, } out, err := Store{}.jsonFromTreeBranch(branch) assert.Nil(t, err) expected, _ := Store{}.treeBranchFromJSON(out) assert.Equal(t, expected, branch) } func TestEncodeJSONArrayOfObjects(t *testing.T) { tree := sops.Tree{ Branches: sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: []interface{}{ sops.TreeBranch{ sops.TreeItem{ Key: "foo", Value: 3, }, sops.TreeItem{ Key: "bar", Value: false, }, }, 2, }, }, }, }, } expected := `{ "foo": [ { "foo": 3, "bar": false }, 2 ] }` store := Store{} out, err := store.EmitPlainFile(tree.Branches) assert.Nil(t, err) assert.Equal(t, expected, string(out)) } func TestUnmarshalMetadataFromNonSOPSFile(t *testing.T) { data := []byte(`{"hello": 2}`) store := Store{} _, err := store.LoadEncryptedFile(data) assert.Equal(t, sops.MetadataNotFound, err) } func TestLoadJSONFormattedBinaryFile(t *testing.T) { // This is JSON data, but we want SOPS to interpret it as binary, // e.g. because the --input-type binary flag was provided. data := []byte(`{"hello": 2}`) store := BinaryStore{} branches, err := store.LoadPlainFile(data) assert.Nil(t, err) assert.Equal(t, "data", branches[0][0].Key) } func TestEmitValueString(t *testing.T) { bytes, err := (&Store{}).EmitValue("hello") assert.Nil(t, err) assert.Equal(t, []byte("\"hello\""), bytes) } 070701000000A8000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000002600000000sops-3.7.3/stores/json/test_resources070701000000A9000081A400000000000000000000000162794F9300000C03000000000000000000000000000000000000003300000000sops-3.7.3/stores/json/test_resources/example.json{ "example_key": "ENC[AES256_GCM,data:Xjen3YMQYCBfTU8VjA==,iv:1NUKversqeQiuTmAkZuyd6UY2AWiBS4owa4QHnwKOBM=,tag:ZO+Aln5DQ5Qm/QV2uBdahA==,type:str]", "example_array": [ "ENC[AES256_GCM,data:XJR0qvZuifm8j1TIQB8=,iv:QUkwy1dp0RU0PKEAw/VxVe1ZsQ972c8gPMJoVKgMfuw=,tag:LGdwC5nTua4rSe0dLbbA1Q==,type:str]", "ENC[AES256_GCM,data:7bhghzi5GN/mMqh1vHU=,iv:X5vrd9X7ItIG/RVCn0T7RFhUrTb2YItr3i97EVk9nOY=,tag:vrM058PPOGmWOGPThOP5Ew==,type:str]" ], "example_number": "ENC[AES256_GCM,data:w9etQN5r8iCz,iv:YF+1uUlMa4I1C7A0ELpVuMa1yK042uEMhp8y6HiCTDE=,tag:Dmh+AV9sh+ir0M1Txe+v2A==,type:float]", "example_booleans": [ "ENC[AES256_GCM,data:/hltsg==,iv:pbAtZ9i8rxFpaFlbwE1KOA+k/TVx5dm0tDtH94GCEVc=,tag:yz3d1pQu9zy5Ra9z2kDcoA==,type:bool]", "ENC[AES256_GCM,data:HEei0+s=,iv:hgKT5eiYdHn5AqWdNji7vRKfabln90VbLmJqt7A480E=,tag:6pfezzTX/eULebF+32Z2+w==,type:bool]" ], "sops": { "lastmodified": "2016-08-04T23:30:35Z", "attention": "This section contains key material that should only be modified with extra care. See `sops -h`.", "unencrypted_suffix": "_unencrypted", "mac": "ENC[AES256_GCM,data:EK1LkVgW5CBEsGgGc7RkfZlzqWrP2fZe3kG7HbkJ5JFd591oUkbQ6I2uPImkcxf7HjiEHzKPPF5QvNg3+rUxgw6S8pQtumhDbFrfDi8GDS2VVvPR+0fnc2fR5PMGm36bOaQFDNSmgyJzKhMmNL+MtRhH+fMUnHhrnxuN3wfLr4w=,iv:xbNK6wRDVT4xhrP+vP2RIy+uNjZSSzqEJZPOdShn96o=,tag:vT4akR5X6qx5/wJ4dncxtg==,type:str]", "version": "1.13", "kms": [ { "created_at": "2016-08-04T23:30:35Z", "enc": "AQECAHgFEiO2dNygC3Rz8PhERCc8Sfhak4g81FUPqQJ0OBcAKgAAAH4wfAYJKoZIhvcNAQcGoG8wbQIBADBoBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDPKe5R67LMN3+xAkygIBEIA7F8noZukawV3VLQ/yH3Ep7Ptx8weLFUgVf/ZI6xqSMNvEHIr4+vf2xjBiAyrEF8u/n9nm9PWAdKHszFM=", "arn": "arn:aws:kms:us-east-1:927034868273:key/e9fc75db-05e9-44c1-9c35-633922bac347" } ], "pgp": [ { "fp": "E5297818703249D0C60E19E6824612478D1A4CCD", "created_at": "2016-08-04T23:30:35Z", "enc": "-----BEGIN PGP MESSAGE-----\nVersion: GnuPG v1\n\nhQIMA2X8rvoeiASBARAAurTEVS82kqadk68f5ZlwR176S148WYTYxFp5oMC7cVD7\n42+Eo9RzaxbHeO5n7XKX0SDOUUeCucFl8fwuDUV1iDIx4/u5HgWXxDuvWoNe5cAL\n4LBS1Er2ZBVAdU0WHZ/8USuZLhSu7ucAHOvqNpHzPT6gkuBUYLQKOu0c+onWHqVO\n1DhfkTtvphotZ0ZBBR099t5N8ofD0W2+SM268A9/bB5yQcK9Ig/KxZBrfmMQm7zx\n9hLVQhcBmj0OQG37K4/SXGwjrQFarh6lm+FuZM0Q+GI+OARoAKdpZOnPEhXKE6un\nSEa69rh5FKVM/XRp2/QVZEakzRtq3gi9CtYL2sNr7KEnCvxt/v2pEc6evfIvxWTc\nT8MWdk48FkVjdsJ34sNiIM8msstnYorse8RZny9gcLE+A5lsRavo2QPL4GADyHF8\n7kwijSVDd08nByTBMMEPpMozUFhzF8QuVZPD+siuUvi+Bned9MmqgGMfvhS0Kf38\nMZFy5C6e38VGEX3IrWChvzbBm/M3fjs1fPVDShHfk1MYsCU9sXNQMQVewWE0s/em\nklycIL3hywd4N9z1MVW2hBpRrC247PtGQRKGoB9qbKtSgjTtgM7bo1vYekeY1tjr\nBGTHNFV+FBqFih16u/rGVzIaBsf5lLL/RtpaFZx1OWHMd9XjQpRrHhjOMpQ8tjvS\nXgGH59vv/9GNZ+Rix1QF+iMD84sfkyyguGKwg+TC3m275v+HIO1NvNdU6oS3O/Xq\nBCBV3yYAUwcrWUPWCuSUHJbuHKJEI1ymXUu8+RUElPyi/5JEhW+J1WlVPvnG1Xk=\n=Q/XA\n-----END PGP MESSAGE-----\n" } ] } }070701000000AA000081A400000000000000000000000162794F9300003E2A000000000000000000000000000000000000001C00000000sops-3.7.3/stores/stores.go/* Package stores acts as a layer between the internal representation of encrypted files and the encrypted files themselves. Subpackages implement serialization and deserialization to multiple formats. This package defines the structure SOPS files should have and conversions to and from the internal representation. Part of the purpose of this package is to make it easy to change the SOPS file format while remaining backwards-compatible. */ package stores import ( "time" "fmt" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/age" "go.mozilla.org/sops/v3/azkv" "go.mozilla.org/sops/v3/gcpkms" "go.mozilla.org/sops/v3/hcvault" "go.mozilla.org/sops/v3/kms" "go.mozilla.org/sops/v3/pgp" ) // SopsFile is a struct used by the stores as a helper to unmarshal the SOPS metadata type SopsFile struct { // Metadata is a pointer so we can easily tell when the field is not present // in the SOPS file by checking for nil. This way we can show the user a // helpful error message indicating that the metadata wasn't found, instead // of showing a cryptic parsing error Metadata *Metadata `yaml:"sops" json:"sops" ini:"sops"` } // Metadata is stored in SOPS encrypted files, and it contains the information necessary to decrypt the file. // This struct is just used for serialization, and SOPS uses another struct internally, sops.Metadata. It exists // in order to allow the binary format to stay backwards compatible over time, but at the same time allow the internal // representation SOPS uses to change over time. type Metadata struct { ShamirThreshold int `yaml:"shamir_threshold,omitempty" json:"shamir_threshold,omitempty"` KeyGroups []keygroup `yaml:"key_groups,omitempty" json:"key_groups,omitempty"` KMSKeys []kmskey `yaml:"kms" json:"kms"` GCPKMSKeys []gcpkmskey `yaml:"gcp_kms" json:"gcp_kms"` AzureKeyVaultKeys []azkvkey `yaml:"azure_kv" json:"azure_kv"` VaultKeys []vaultkey `yaml:"hc_vault" json:"hc_vault"` AgeKeys []agekey `yaml:"age" json:"age"` LastModified string `yaml:"lastmodified" json:"lastmodified"` MessageAuthenticationCode string `yaml:"mac" json:"mac"` PGPKeys []pgpkey `yaml:"pgp" json:"pgp"` UnencryptedSuffix string `yaml:"unencrypted_suffix,omitempty" json:"unencrypted_suffix,omitempty"` EncryptedSuffix string `yaml:"encrypted_suffix,omitempty" json:"encrypted_suffix,omitempty"` UnencryptedRegex string `yaml:"unencrypted_regex,omitempty" json:"unencrypted_regex,omitempty"` EncryptedRegex string `yaml:"encrypted_regex,omitempty" json:"encrypted_regex,omitempty"` Version string `yaml:"version" json:"version"` } type keygroup struct { PGPKeys []pgpkey `yaml:"pgp,omitempty" json:"pgp,omitempty"` KMSKeys []kmskey `yaml:"kms,omitempty" json:"kms,omitempty"` GCPKMSKeys []gcpkmskey `yaml:"gcp_kms,omitempty" json:"gcp_kms,omitempty"` AzureKeyVaultKeys []azkvkey `yaml:"azure_kv,omitempty" json:"azure_kv,omitempty"` VaultKeys []vaultkey `yaml:"hc_vault" json:"hc_vault"` AgeKeys []agekey `yaml:"age" json:"age"` } type pgpkey struct { CreatedAt string `yaml:"created_at" json:"created_at"` EncryptedDataKey string `yaml:"enc" json:"enc"` Fingerprint string `yaml:"fp" json:"fp"` } type kmskey struct { Arn string `yaml:"arn" json:"arn"` Role string `yaml:"role,omitempty" json:"role,omitempty"` Context map[string]*string `yaml:"context,omitempty" json:"context,omitempty"` CreatedAt string `yaml:"created_at" json:"created_at"` EncryptedDataKey string `yaml:"enc" json:"enc"` AwsProfile string `yaml:"aws_profile" json:"aws_profile"` } type gcpkmskey struct { ResourceID string `yaml:"resource_id" json:"resource_id"` CreatedAt string `yaml:"created_at" json:"created_at"` EncryptedDataKey string `yaml:"enc" json:"enc"` } type vaultkey struct { VaultAddress string `yaml:"vault_address" json:"vault_address"` EnginePath string `yaml:"engine_path" json:"engine_path"` KeyName string `yaml:"key_name" json:"key_name"` CreatedAt string `yaml:"created_at" json:"created_at"` EncryptedDataKey string `yaml:"enc" json:"enc"` } type azkvkey struct { VaultURL string `yaml:"vault_url" json:"vault_url"` Name string `yaml:"name" json:"name"` Version string `yaml:"version" json:"version"` CreatedAt string `yaml:"created_at" json:"created_at"` EncryptedDataKey string `yaml:"enc" json:"enc"` } type agekey struct { Recipient string `yaml:"recipient" json:"recipient"` EncryptedDataKey string `yaml:"enc" json:"enc"` } // MetadataFromInternal converts an internal SOPS metadata representation to a representation appropriate for storage func MetadataFromInternal(sopsMetadata sops.Metadata) Metadata { var m Metadata m.LastModified = sopsMetadata.LastModified.Format(time.RFC3339) m.UnencryptedSuffix = sopsMetadata.UnencryptedSuffix m.EncryptedSuffix = sopsMetadata.EncryptedSuffix m.UnencryptedRegex = sopsMetadata.UnencryptedRegex m.EncryptedRegex = sopsMetadata.EncryptedRegex m.MessageAuthenticationCode = sopsMetadata.MessageAuthenticationCode m.Version = sopsMetadata.Version m.ShamirThreshold = sopsMetadata.ShamirThreshold if len(sopsMetadata.KeyGroups) == 1 { group := sopsMetadata.KeyGroups[0] m.PGPKeys = pgpKeysFromGroup(group) m.KMSKeys = kmsKeysFromGroup(group) m.GCPKMSKeys = gcpkmsKeysFromGroup(group) m.VaultKeys = vaultKeysFromGroup(group) m.AzureKeyVaultKeys = azkvKeysFromGroup(group) m.AgeKeys = ageKeysFromGroup(group) } else { for _, group := range sopsMetadata.KeyGroups { m.KeyGroups = append(m.KeyGroups, keygroup{ KMSKeys: kmsKeysFromGroup(group), PGPKeys: pgpKeysFromGroup(group), GCPKMSKeys: gcpkmsKeysFromGroup(group), VaultKeys: vaultKeysFromGroup(group), AzureKeyVaultKeys: azkvKeysFromGroup(group), AgeKeys: ageKeysFromGroup(group), }) } } return m } func pgpKeysFromGroup(group sops.KeyGroup) (keys []pgpkey) { for _, key := range group { switch key := key.(type) { case *pgp.MasterKey: keys = append(keys, pgpkey{ Fingerprint: key.Fingerprint, EncryptedDataKey: key.EncryptedKey, CreatedAt: key.CreationDate.Format(time.RFC3339), }) } } return } func kmsKeysFromGroup(group sops.KeyGroup) (keys []kmskey) { for _, key := range group { switch key := key.(type) { case *kms.MasterKey: keys = append(keys, kmskey{ Arn: key.Arn, CreatedAt: key.CreationDate.Format(time.RFC3339), EncryptedDataKey: key.EncryptedKey, Context: key.EncryptionContext, Role: key.Role, AwsProfile: key.AwsProfile, }) } } return } func gcpkmsKeysFromGroup(group sops.KeyGroup) (keys []gcpkmskey) { for _, key := range group { switch key := key.(type) { case *gcpkms.MasterKey: keys = append(keys, gcpkmskey{ ResourceID: key.ResourceID, CreatedAt: key.CreationDate.Format(time.RFC3339), EncryptedDataKey: key.EncryptedKey, }) } } return } func vaultKeysFromGroup(group sops.KeyGroup) (keys []vaultkey) { for _, key := range group { switch key := key.(type) { case *hcvault.MasterKey: keys = append(keys, vaultkey{ VaultAddress: key.VaultAddress, EnginePath: key.EnginePath, KeyName: key.KeyName, CreatedAt: key.CreationDate.Format(time.RFC3339), EncryptedDataKey: key.EncryptedKey, }) } } return } func azkvKeysFromGroup(group sops.KeyGroup) (keys []azkvkey) { for _, key := range group { switch key := key.(type) { case *azkv.MasterKey: keys = append(keys, azkvkey{ VaultURL: key.VaultURL, Name: key.Name, Version: key.Version, CreatedAt: key.CreationDate.Format(time.RFC3339), EncryptedDataKey: key.EncryptedKey, }) } } return } func ageKeysFromGroup(group sops.KeyGroup) (keys []agekey) { for _, key := range group { switch key := key.(type) { case *age.MasterKey: keys = append(keys, agekey{ Recipient: key.Recipient, EncryptedDataKey: key.EncryptedKey, }) } } return } // ToInternal converts a storage-appropriate Metadata struct to a SOPS internal representation func (m *Metadata) ToInternal() (sops.Metadata, error) { lastModified, err := time.Parse(time.RFC3339, m.LastModified) if err != nil { return sops.Metadata{}, err } groups, err := m.internalKeygroups() if err != nil { return sops.Metadata{}, err } cryptRuleCount := 0 if m.UnencryptedSuffix != "" { cryptRuleCount++ } if m.EncryptedSuffix != "" { cryptRuleCount++ } if m.UnencryptedRegex != "" { cryptRuleCount++ } if m.EncryptedRegex != "" { cryptRuleCount++ } if cryptRuleCount > 1 { return sops.Metadata{}, fmt.Errorf("Cannot use more than one of encrypted_suffix, unencrypted_suffix, encrypted_regex or unencrypted_regex in the same file") } if cryptRuleCount == 0 { m.UnencryptedSuffix = sops.DefaultUnencryptedSuffix } return sops.Metadata{ KeyGroups: groups, ShamirThreshold: m.ShamirThreshold, Version: m.Version, MessageAuthenticationCode: m.MessageAuthenticationCode, UnencryptedSuffix: m.UnencryptedSuffix, EncryptedSuffix: m.EncryptedSuffix, UnencryptedRegex: m.UnencryptedRegex, EncryptedRegex: m.EncryptedRegex, LastModified: lastModified, }, nil } func internalGroupFrom(kmsKeys []kmskey, pgpKeys []pgpkey, gcpKmsKeys []gcpkmskey, azkvKeys []azkvkey, vaultKeys []vaultkey, ageKeys []agekey) (sops.KeyGroup, error) { var internalGroup sops.KeyGroup for _, kmsKey := range kmsKeys { k, err := kmsKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } for _, gcpKmsKey := range gcpKmsKeys { k, err := gcpKmsKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } for _, azkvKey := range azkvKeys { k, err := azkvKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } for _, vaultKey := range vaultKeys { k, err := vaultKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } for _, pgpKey := range pgpKeys { k, err := pgpKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } for _, ageKey := range ageKeys { k, err := ageKey.toInternal() if err != nil { return nil, err } internalGroup = append(internalGroup, k) } return internalGroup, nil } func (m *Metadata) internalKeygroups() ([]sops.KeyGroup, error) { var internalGroups []sops.KeyGroup if len(m.PGPKeys) > 0 || len(m.KMSKeys) > 0 || len(m.GCPKMSKeys) > 0 || len(m.AzureKeyVaultKeys) > 0 || len(m.VaultKeys) > 0 || len(m.AgeKeys) > 0 { internalGroup, err := internalGroupFrom(m.KMSKeys, m.PGPKeys, m.GCPKMSKeys, m.AzureKeyVaultKeys, m.VaultKeys, m.AgeKeys) if err != nil { return nil, err } internalGroups = append(internalGroups, internalGroup) return internalGroups, nil } else if len(m.KeyGroups) > 0 { for _, group := range m.KeyGroups { internalGroup, err := internalGroupFrom(group.KMSKeys, group.PGPKeys, group.GCPKMSKeys, group.AzureKeyVaultKeys, group.VaultKeys, group.AgeKeys) if err != nil { return nil, err } internalGroups = append(internalGroups, internalGroup) } return internalGroups, nil } else { return nil, fmt.Errorf("No keys found in file") } } func (kmsKey *kmskey) toInternal() (*kms.MasterKey, error) { creationDate, err := time.Parse(time.RFC3339, kmsKey.CreatedAt) if err != nil { return nil, err } return &kms.MasterKey{ Role: kmsKey.Role, EncryptionContext: kmsKey.Context, EncryptedKey: kmsKey.EncryptedDataKey, CreationDate: creationDate, Arn: kmsKey.Arn, AwsProfile: kmsKey.AwsProfile, }, nil } func (gcpKmsKey *gcpkmskey) toInternal() (*gcpkms.MasterKey, error) { creationDate, err := time.Parse(time.RFC3339, gcpKmsKey.CreatedAt) if err != nil { return nil, err } return &gcpkms.MasterKey{ ResourceID: gcpKmsKey.ResourceID, EncryptedKey: gcpKmsKey.EncryptedDataKey, CreationDate: creationDate, }, nil } func (azkvKey *azkvkey) toInternal() (*azkv.MasterKey, error) { creationDate, err := time.Parse(time.RFC3339, azkvKey.CreatedAt) if err != nil { return nil, err } return &azkv.MasterKey{ VaultURL: azkvKey.VaultURL, Name: azkvKey.Name, Version: azkvKey.Version, EncryptedKey: azkvKey.EncryptedDataKey, CreationDate: creationDate, }, nil } func (vaultKey *vaultkey) toInternal() (*hcvault.MasterKey, error) { creationDate, err := time.Parse(time.RFC3339, vaultKey.CreatedAt) if err != nil { return nil, err } return &hcvault.MasterKey{ VaultAddress: vaultKey.VaultAddress, EnginePath: vaultKey.EnginePath, KeyName: vaultKey.KeyName, CreationDate: creationDate, EncryptedKey: vaultKey.EncryptedDataKey, }, nil } func (pgpKey *pgpkey) toInternal() (*pgp.MasterKey, error) { creationDate, err := time.Parse(time.RFC3339, pgpKey.CreatedAt) if err != nil { return nil, err } return &pgp.MasterKey{ EncryptedKey: pgpKey.EncryptedDataKey, CreationDate: creationDate, Fingerprint: pgpKey.Fingerprint, }, nil } func (ageKey *agekey) toInternal() (*age.MasterKey, error) { return &age.MasterKey{ EncryptedKey: ageKey.EncryptedDataKey, Recipient: ageKey.Recipient, }, nil } // ExampleComplexTree is an example sops.Tree object exhibiting complex relationships var ExampleComplexTree = sops.Tree{ Branches: sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "hello", Value: `Welcome to SOPS! Edit this file as you please!`, }, sops.TreeItem{ Key: "example_key", Value: "example_value", }, sops.TreeItem{ Key: sops.Comment{Value: " Example comment"}, Value: nil, }, sops.TreeItem{ Key: "example_array", Value: []interface{}{ "example_value1", "example_value2", }, }, sops.TreeItem{ Key: "example_number", Value: 1234.56789, }, sops.TreeItem{ Key: "example_booleans", Value: []interface{}{true, false}, }, }, }, } // ExampleSimpleTree is an example sops.Tree object exhibiting only simple relationships // with only one nested branch and only simple string values var ExampleSimpleTree = sops.Tree{ Branches: sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "Welcome!", Value: sops.TreeBranch{ sops.TreeItem{ Key: sops.Comment{Value: " This is an example file."}, Value: nil, }, sops.TreeItem{ Key: "hello", Value: "Welcome to SOPS! Edit this file as you please!", }, sops.TreeItem{ Key: "example_key", Value: "example_value", }, }, }, }, }, } // ExampleFlatTree is an example sops.Tree object exhibiting only simple relationships // with no nested branches and only simple string values var ExampleFlatTree = sops.Tree{ Branches: sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: sops.Comment{Value: " This is an example file."}, Value: nil, }, sops.TreeItem{ Key: "hello", Value: "Welcome to SOPS! Edit this file as you please!", }, sops.TreeItem{ Key: "example_key", Value: "example_value", }, sops.TreeItem{ Key: "example_multiline", Value: "foo\nbar\nbaz", }, }, }, } 070701000000AB000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001700000000sops-3.7.3/stores/yaml070701000000AC000081A400000000000000000000000162794F9300002C07000000000000000000000000000000000000002000000000sops-3.7.3/stores/yaml/store.gopackage yaml //import "go.mozilla.org/sops/v3/stores/yaml" import ( "bytes" "fmt" "io" "strings" "gopkg.in/yaml.v3" "go.mozilla.org/sops/v3" "go.mozilla.org/sops/v3/stores" ) // Store handles storage of YAML data type Store struct { } func (store Store) appendCommentToList(comment string, list []interface{}) []interface{} { if comment != "" { for _, commentLine := range strings.Split(comment, "\n") { if commentLine != "" { list = append(list, sops.Comment{ Value: commentLine[1:], }) } } } return list } func (store Store) appendCommentToMap(comment string, branch sops.TreeBranch) sops.TreeBranch { if comment != "" { for _, commentLine := range strings.Split(comment, "\n") { if commentLine != "" { branch = append(branch, sops.TreeItem{ Key: sops.Comment{ Value: commentLine[1:], }, Value: nil, }) } } } return branch } func (store Store) nodeToTreeValue(node *yaml.Node, commentsWereHandled bool) (interface{}, error) { switch node.Kind { case yaml.DocumentNode: panic("documents should never be passed here") case yaml.SequenceNode: var result []interface{} if !commentsWereHandled { result = store.appendCommentToList(node.HeadComment, result) result = store.appendCommentToList(node.LineComment, result) } for _, item := range node.Content { result = store.appendCommentToList(item.HeadComment, result) result = store.appendCommentToList(item.LineComment, result) val, err := store.nodeToTreeValue(item, true) if err != nil { return nil, err } result = append(result, val) result = store.appendCommentToList(item.FootComment, result) } if !commentsWereHandled { result = store.appendCommentToList(node.FootComment, result) } return result, nil case yaml.MappingNode: branch := make(sops.TreeBranch, 0) return store.appendYamlNodeToTreeBranch(node, branch, commentsWereHandled) case yaml.ScalarNode: var result interface{} node.Decode(&result) return result, nil case yaml.AliasNode: return store.nodeToTreeValue(node.Alias, false); } return nil, nil } func (store Store) appendYamlNodeToTreeBranch(node *yaml.Node, branch sops.TreeBranch, commentsWereHandled bool) (sops.TreeBranch, error) { var err error if !commentsWereHandled { branch = store.appendCommentToMap(node.HeadComment, branch) branch = store.appendCommentToMap(node.LineComment, branch) } switch node.Kind { case yaml.DocumentNode: for _, item := range node.Content { branch, err = store.appendYamlNodeToTreeBranch(item, branch, false) if err != nil { return nil, err } } case yaml.SequenceNode: return nil, fmt.Errorf("YAML documents that are sequences are not supported") case yaml.MappingNode: for i := 0; i < len(node.Content); i += 2 { key := node.Content[i] value := node.Content[i + 1] branch = store.appendCommentToMap(key.HeadComment, branch) branch = store.appendCommentToMap(key.LineComment, branch) handleValueComments := value.Kind == yaml.ScalarNode || value.Kind == yaml.AliasNode if handleValueComments { branch = store.appendCommentToMap(value.HeadComment, branch) branch = store.appendCommentToMap(value.LineComment, branch) } var keyValue interface{} key.Decode(&keyValue) valueTV, err := store.nodeToTreeValue(value, handleValueComments) if err != nil { return nil, err } branch = append(branch, sops.TreeItem{ Key: keyValue, Value: valueTV, }) if handleValueComments { branch = store.appendCommentToMap(value.FootComment, branch) } branch = store.appendCommentToMap(key.FootComment, branch) } case yaml.ScalarNode: // A empty document with a document start marker without comments results in null if node.ShortTag() == "!!null" { return branch, nil } return nil, fmt.Errorf("YAML documents that are values are not supported") case yaml.AliasNode: branch, err = store.appendYamlNodeToTreeBranch(node.Alias, branch, false) } if !commentsWereHandled { branch = store.appendCommentToMap(node.FootComment, branch) } return branch, nil } func (store Store) yamlDocumentNodeToTreeBranch(in yaml.Node) (sops.TreeBranch, error) { branch := make(sops.TreeBranch, 0) return store.appendYamlNodeToTreeBranch(&in, branch, false) } func (store *Store) addCommentsHead(node *yaml.Node, comments []string) []string { if len(comments) > 0 { comment := "#" + strings.Join(comments, "\n#") if len(node.HeadComment) > 0 { node.HeadComment = comment + "\n" + node.HeadComment } else { node.HeadComment = comment } } return nil } func (store *Store) addCommentsFoot(node *yaml.Node, comments []string) []string { if len(comments) > 0 { comment := "#" + strings.Join(comments, "\n#") if len(node.FootComment) > 0 { node.FootComment += "\n" + comment } else { node.FootComment = comment } } return nil } func (store *Store) treeValueToNode(in interface{}) *yaml.Node { switch in := in.(type) { case sops.TreeBranch: var mapping = &yaml.Node{} mapping.Kind = yaml.MappingNode store.appendTreeBranch(in, mapping) return mapping case []interface{}: var sequence = &yaml.Node{} sequence.Kind = yaml.SequenceNode store.appendSequence(in, sequence) return sequence default: var valueNode = &yaml.Node{} valueNode.Encode(in) return valueNode } } func (store *Store) appendSequence(in []interface{}, sequence *yaml.Node) { var comments []string var beginning bool = true for _, item := range in { if comment, ok := item.(sops.Comment); ok { comments = append(comments, comment.Value) } else { if beginning { comments = store.addCommentsHead(sequence, comments) beginning = false } itemNode := store.treeValueToNode(item) comments = store.addCommentsHead(itemNode, comments) sequence.Content = append(sequence.Content, itemNode) } } if len(comments) > 0 { if beginning { comments = store.addCommentsHead(sequence, comments) } else { comments = store.addCommentsFoot(sequence.Content[len(sequence.Content) - 1], comments) } } } func (store *Store) appendTreeBranch(branch sops.TreeBranch, mapping *yaml.Node) { var comments []string var beginning bool = true for _, item := range branch { if comment, ok := item.Key.(sops.Comment); ok { comments = append(comments, comment.Value) } else { if beginning { comments = store.addCommentsHead(mapping, comments) beginning = false } var keyNode = &yaml.Node{} keyNode.Encode(item.Key) comments = store.addCommentsHead(keyNode, comments) valueNode := store.treeValueToNode(item.Value) mapping.Content = append(mapping.Content, keyNode, valueNode) } } if len(comments) > 0 { if beginning { comments = store.addCommentsHead(mapping, comments) } else { comments = store.addCommentsFoot(mapping.Content[len(mapping.Content) - 1], comments) } } } // LoadEncryptedFile loads the contents of an encrypted yaml file onto a // sops.Tree runtime object func (store *Store) LoadEncryptedFile(in []byte) (sops.Tree, error) { // Because we don't know what fields the input file will have, we have to // load the file in two steps. // First, we load the file's metadata, the structure of which is known. metadataHolder := stores.SopsFile{} err := yaml.Unmarshal(in, &metadataHolder) if err != nil { return sops.Tree{}, fmt.Errorf("Error unmarshalling input yaml: %s", err) } if metadataHolder.Metadata == nil { return sops.Tree{}, sops.MetadataNotFound } metadata, err := metadataHolder.Metadata.ToInternal() if err != nil { return sops.Tree{}, err } var data yaml.Node if err := yaml.Unmarshal(in, &data); err != nil { return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err) } var branches sops.TreeBranches d := yaml.NewDecoder(bytes.NewReader(in)) for true { var data yaml.Node err := d.Decode(&data) if err == io.EOF { break } if err != nil { return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err) } branch, err := store.yamlDocumentNodeToTreeBranch(data) if err != nil { return sops.Tree{}, fmt.Errorf("Error unmarshaling input YAML: %s", err) } for i, elt := range branch { if elt.Key == "sops" { // Erase branch = append(branch[:i], branch[i+1:]...) } } branches = append(branches, branch) } return sops.Tree{ Branches: branches, Metadata: metadata, }, nil } // LoadPlainFile loads the contents of a plaintext yaml file onto a // sops.Tree runtime object func (store *Store) LoadPlainFile(in []byte) (sops.TreeBranches, error) { var branches sops.TreeBranches d := yaml.NewDecoder(bytes.NewReader(in)) for true { var data yaml.Node err := d.Decode(&data) if err == io.EOF { break } if err != nil { return nil, fmt.Errorf("Error unmarshaling input YAML: %s", err) } branch, err := store.yamlDocumentNodeToTreeBranch(data) if err != nil { return nil, fmt.Errorf("Error unmarshaling input YAML: %s", err) } branches = append(branches, branch) } return branches, nil } // EmitEncryptedFile returns the encrypted bytes of the yaml file corresponding to a // sops.Tree runtime object func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) { var b bytes.Buffer e := yaml.NewEncoder(io.Writer(&b)) e.SetIndent(4) for _, branch := range in.Branches { // Document root var doc = yaml.Node{} doc.Kind = yaml.DocumentNode // Add global mapping var mapping = yaml.Node{} mapping.Kind = yaml.MappingNode doc.Content = append(doc.Content, &mapping) // Create copy of branch with metadata appended branch = append(sops.TreeBranch(nil), branch...) branch = append(branch, sops.TreeItem{ Key: "sops", Value: stores.MetadataFromInternal(in.Metadata), }) // Marshal branch to global mapping node store.appendTreeBranch(branch, &mapping) // Encode YAML err := e.Encode(&doc) if err != nil { return nil, fmt.Errorf("Error marshaling to yaml: %s", err) } } e.Close() return b.Bytes(), nil } // EmitPlainFile returns the plaintext bytes of the yaml file corresponding to a // sops.TreeBranches runtime object func (store *Store) EmitPlainFile(branches sops.TreeBranches) ([]byte, error) { var b bytes.Buffer e := yaml.NewEncoder(io.Writer(&b)) e.SetIndent(4) for _, branch := range branches { // Document root var doc = yaml.Node{} doc.Kind = yaml.DocumentNode // Add global mapping var mapping = yaml.Node{} mapping.Kind = yaml.MappingNode // Marshal branch to global mapping node store.appendTreeBranch(branch, &mapping) doc.Content = append(doc.Content, &mapping) // Encode YAML err := e.Encode(&doc) if err != nil { return nil, fmt.Errorf("Error marshaling to yaml: %s", err) } } e.Close() return b.Bytes(), nil } // EmitValue returns bytes corresponding to a single encoded value // in a generic interface{} object func (store *Store) EmitValue(v interface{}) ([]byte, error) { n := store.treeValueToNode(v) return yaml.Marshal(n) } // EmitExample returns the bytes corresponding to an example complex tree func (store *Store) EmitExample() []byte { bytes, err := store.EmitPlainFile(stores.ExampleComplexTree.Branches) if err != nil { panic(err) } return bytes } 070701000000AD000081A400000000000000000000000162794F930000170C000000000000000000000000000000000000002500000000sops-3.7.3/stores/yaml/store_test.gopackage yaml import ( "testing" "github.com/stretchr/testify/assert" "go.mozilla.org/sops/v3" ) var PLAIN = []byte(`--- # comment 0 key1: value key1_a: value # ^ comment 1 --- key2: value2`) var PLAIN_0 = []byte(`# comment 0 key1: value key1_a: value # ^ comment 1 `) var BRANCHES = sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: sops.Comment{" comment 0"}, Value: nil, }, sops.TreeItem{ Key: "key1", Value: "value", }, sops.TreeItem{ Key: "key1_a", Value: "value", }, sops.TreeItem{ Key: sops.Comment{" ^ comment 1"}, Value: nil, }, }, sops.TreeBranch{ sops.TreeItem{ Key: "key2", Value: "value2", }, }, } var COMMENT_1 = []byte(`# test a: b: null # foo `) var COMMENT_2 = []byte(`a: # foo b: null `) var COMMENT_3_IN = []byte(`## Configuration for prometheus-node-exporter subchart ## prometheus-node-exporter: podLabels: ## Add the 'node-exporter' label to be used by serviceMonitor to match standard common usage in rules and grafana dashboards ## jobLabel: node-exporter extraArgs: - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+)($|/) - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$ `) var COMMENT_3_OUT = []byte(`## Configuration for prometheus-node-exporter subchart ## prometheus-node-exporter: podLabels: ## Add the 'node-exporter' label to be used by serviceMonitor to match standard common usage in rules and grafana dashboards ## jobLabel: node-exporter extraArgs: - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+)($|/) - --collector.filesystem.ignored-fs-types=^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$ `) var COMMENT_4 = []byte(`# foo `) var COMMENT_5 = []byte(`# foo --- key: value `) // The following is a regression test for https://github.com/mozilla/sops/issues/865 var COMMENT_6 = []byte(`a: - a # I no longer get duplicated - {} `) var COMMENT_6_BRANCHES = sops.TreeBranches{ sops.TreeBranch{ sops.TreeItem{ Key: "a", Value: []interface{}{ "a", sops.Comment{" I no longer get duplicated"}, sops.TreeBranch{}, }, }, }, } func TestUnmarshalMetadataFromNonSOPSFile(t *testing.T) { data := []byte(`hello: 2`) _, err := (&Store{}).LoadEncryptedFile(data) assert.Equal(t, sops.MetadataNotFound, err) } func TestLoadPlainFile(t *testing.T) { branches, err := (&Store{}).LoadPlainFile(PLAIN) assert.Nil(t, err) assert.Equal(t, BRANCHES, branches) } func TestComment1(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_1) assert.Nil(t, err) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_1), string(bytes)) assert.Equal(t, COMMENT_1, bytes) } func TestComment2(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_2) assert.Nil(t, err) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_2), string(bytes)) assert.Equal(t, COMMENT_2, bytes) } func TestComment3(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_3_IN) assert.Nil(t, err) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_3_OUT), string(bytes)) assert.Equal(t, COMMENT_3_OUT, bytes) } /* TODO: re-enable once https://github.com/go-yaml/yaml/pull/690 is merged func TestComment4(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_4) assert.Nil(t, err) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_4), string(bytes)) assert.Equal(t, COMMENT_4, bytes) } func TestComment5(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile(COMMENT_5) assert.Nil(t, err) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_5), string(bytes)) assert.Equal(t, COMMENT_5, bytes) } */ func TestEmpty(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile([]byte(``)) assert.Nil(t, err) assert.Equal(t, len(branches), 0) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, ``, string(bytes)) } /* TODO: re-enable once https://github.com/go-yaml/yaml/pull/690 is merged func TestEmpty2(t *testing.T) { // First iteration: load and store branches, err := (&Store{}).LoadPlainFile([]byte(`---`)) assert.Nil(t, err) assert.Equal(t, len(branches), 1) assert.Equal(t, len(branches[0]), 0) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, ``, string(bytes)) } */ func TestEmpty3(t *testing.T) { branches, err := (&Store{}).LoadPlainFile([]byte("{}\n")) assert.Nil(t, err) assert.Equal(t, len(branches), 1) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, "{}\n", string(bytes)) } func TestComment6(t *testing.T) { branches, err := (&Store{}).LoadPlainFile(COMMENT_6) assert.Nil(t, err) assert.Equal(t, COMMENT_6_BRANCHES, branches) bytes, err := (&Store{}).EmitPlainFile(branches) assert.Nil(t, err) assert.Equal(t, string(COMMENT_6), string(bytes)) assert.Equal(t, COMMENT_6, bytes) } func TestEmitValue(t *testing.T) { // First iteration: load and store bytes, err := (&Store{}).EmitValue(BRANCHES[0]) assert.Nil(t, err) assert.Equal(t, string(PLAIN_0), string(bytes)) assert.Equal(t, PLAIN_0, bytes) } 070701000000AE000081ED00000000000000000000000162794F930000016D000000000000000000000000000000000000001300000000sops-3.7.3/test.sh#!/usr/bin/env bash set -e echo "" > coverage.txt failed=0 for d in $(go list ./... | grep -v vendor); do go test -race -coverprofile=profile.out -covermode=atomic $d && true rc=$? if [ $rc != 0 ]; then failed=$rc fi if [ -f profile.out ]; then cat profile.out >> coverage.txt rm profile.out fi done exit ${failed} 070701000000AF000081A400000000000000000000000162794F930000115E000000000000000000000000000000000000001900000000sops-3.7.3/usererrors.gopackage sops import ( "fmt" "io/ioutil" "strings" "github.com/fatih/color" "github.com/goware/prefixer" wordwrap "github.com/mitchellh/go-wordwrap" ) // UserError is a well-formatted error for the purpose of being displayed to // the end user. type UserError interface { error UserError() string } var statusSuccess = color.New(color.FgGreen).Sprint("SUCCESS") var statusFailed = color.New(color.FgRed).Sprint("FAILED") type getDataKeyError struct { RequiredSuccessfulKeyGroups int GroupResults []error } func (err *getDataKeyError) successfulKeyGroups() int { n := 0 for _, r := range err.GroupResults { if r == nil { n++ } } return n } func (err *getDataKeyError) Error() string { return fmt.Sprintf("Error getting data key: %d successful groups "+ "required, got %d", err.RequiredSuccessfulKeyGroups, err.successfulKeyGroups()) } func (err *getDataKeyError) UserError() string { var groupErrs []string for i, res := range err.GroupResults { groupErr := decryptGroupError{ err: res, groupName: fmt.Sprintf("%d", i), } groupErrs = append(groupErrs, groupErr.UserError()) } var trailer string if err.RequiredSuccessfulKeyGroups == 0 { trailer = "Recovery failed because no master key was able to decrypt " + "the file. In order for SOPS to recover the file, at least one key " + "has to be successful, but none were." } else { trailer = fmt.Sprintf("Recovery failed because the file was "+ "encrypted with a Shamir threshold of %d, but only %d part(s) "+ "were successfully recovered, one for each successful key group. "+ "In order for SOPS to recover the file, at least %d groups have "+ "to be successful. In order for a group to be successful, "+ "decryption has to succeed with any of the keys in that key group.", err.RequiredSuccessfulKeyGroups, err.successfulKeyGroups(), err.RequiredSuccessfulKeyGroups) } trailer = wordwrap.WrapString(trailer, 75) return fmt.Sprintf("Failed to get the data key required to "+ "decrypt the SOPS file.\n\n%s\n\n%s", strings.Join(groupErrs, "\n\n"), trailer) } type decryptGroupError struct { groupName string err error } func (r *decryptGroupError) Error() string { return fmt.Sprintf("could not decrypt group %s: %s", r.groupName, r.err) } func (r *decryptGroupError) UserError() string { var status string if r.err == nil { status = statusSuccess } else { status = statusFailed } header := fmt.Sprintf(`Group %s: %s`, r.groupName, status) if r.err == nil { return header } message := r.err.Error() if userError, ok := r.err.(UserError); ok { message = userError.UserError() } reader := prefixer.New(strings.NewReader(message), " ") // Safe to ignore this error, as reading from a strings.Reader can't fail errMsg, _ := ioutil.ReadAll(reader) return fmt.Sprintf("%s\n%s", header, string(errMsg)) } type decryptKeyErrors []error func (e decryptKeyErrors) Error() string { return fmt.Sprintf("error decrypting key: %s", []error(e)) } func (e decryptKeyErrors) UserError() string { var errStrs []string for _, err := range []error(e) { if userErr, ok := err.(UserError); ok { errStrs = append(errStrs, userErr.UserError()) } else { errStrs = append(errStrs, err.Error()) } } return strings.Join(errStrs, "\n\n") } type decryptKeyError struct { keyName string errs []error } func (e *decryptKeyError) isSuccessful() bool { for _, err := range e.errs { if err == nil { return true } } return false } func (e *decryptKeyError) Error() string { return fmt.Sprintf("error decrypting key %s: %s", e.keyName, e.errs) } func (e *decryptKeyError) UserError() string { var status string if e.isSuccessful() { status = statusSuccess } else { status = statusFailed } header := fmt.Sprintf("%s: %s", e.keyName, status) if e.isSuccessful() { return header } var errMessages []string for _, err := range e.errs { wrappedErr := wordwrap.WrapString(err.Error(), 60) reader := prefixer.New(strings.NewReader(wrappedErr), " | ") // Safe to ignore this error, as reading from a strings.Reader can't fail errMsg, _ := ioutil.ReadAll(reader) errMsg[0] = '-' errMessages = append(errMessages, string(errMsg)) } joinedMsgs := strings.Join(errMessages, "\n\n") reader := prefixer.New(strings.NewReader(joinedMsgs), " ") errMsg, _ := ioutil.ReadAll(reader) return fmt.Sprintf("%s\n%s", header, string(errMsg)) } 070701000000B0000041ED00000000000000000000000362794F9300000000000000000000000000000000000000000000001600000000sops-3.7.3/validation070701000000B1000081A400000000000000000000000162794F93000000A0000000000000000000000000000000000000002100000000sops-3.7.3/validation/Cargo.toml[package] name = "validation" version = "0.1.0" authors = ["Adrian Utrilla <adrianutrilla@gmail.com>"] [dependencies] serde_json = "0.8.0" yaml-rust = "0.3.3" 070701000000B2000081A400000000000000000000000162794F9300000314000000000000000000000000000000000000002300000000sops-3.7.3/validation/example.json{ "glossary": { "title": "example glossary", "GlossDiv": { "title": "S", "GlossList": { "GlossEntry": { "ID": "SGML", "SortAs": "SGML", "GlossTerm": "Standard Generalized Markup Language", "Acronym": "SGML", "Abbrev": "ISO 8879:1986", "GlossDef": { "para": "A meta-markup language, used to create markup languages such as DocBook.", "GlossSeeAlso": [ "GML", "XML" ] }, "GlossSee": "markup" } } } } } 070701000000B3000081A400000000000000000000000162794F93000000B7000000000000000000000000000000000000002300000000sops-3.7.3/validation/example.yamlname: Martin job: Developer skill: Elite foods: - Apple - Orange - Strawberry - Mango languages: perl: Elite python: Elite pascal: Lame foo: | bar baz 070701000000B4000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001A00000000sops-3.7.3/validation/src070701000000B5000081A400000000000000000000000162794F9300000E76000000000000000000000000000000000000002200000000sops-3.7.3/validation/src/main.rsuse std::rc::Rc; use std::process::{Stdio, Command}; use std::io::{Write, Read}; use std::fs::{OpenOptions, File}; use std::str; use std::env; extern crate serde_json; use serde_json::Value; extern crate yaml_rust; use yaml_rust::{YamlLoader, YamlEmitter}; fn main() {} fn run_sops_and_return_output(command: &mut Command, filename: &str) -> String { let mut child = command.stdout(Stdio::piped()) .arg(filename) .spawn() .expect("Could not start sops python process"); let output = child.wait_with_output().expect("Could not retrieve sops's output"); if !output.status.success() { panic!("sops did not exit successfully!"); } return String::from_utf8(output.stdout).expect("Could not decode sops's output as utf-8"); } fn get_sops_python() -> Command { let sops_python_path = env::var("SOPS_PYTHON_PATH") .expect("SOPS_PYTHON_PATH environment variable missing"); let mut cmd = Command::new("python"); cmd.arg(sops_python_path); cmd } fn encrypt_with_sops_python(plaintext: &str) -> String { let mut child = get_sops_python(); let child = child.arg("-e"); return run_sops_and_return_output(child, plaintext); } fn decrypt_with_sops_python(ciphertext: &str) -> String { let mut child = get_sops_python(); let child = child.arg("-d"); return run_sops_and_return_output(child, ciphertext); } fn validate_json_file(input_file_name: &str, encrypt: fn(&str) -> String, decrypt: fn(&str) -> String) { let output_file_name = "temp.json"; let mut input = String::new(); File::open(input_file_name).unwrap().read_to_string(&mut input); let input_value: Value = serde_json::from_str(&input).expect("Could not decode input json"); let encrypted_output = encrypt(input_file_name); let mut output_file = OpenOptions::new() .write(true) .create(true) .open(output_file_name) .expect("Could not open output file"); output_file.write_all(encrypted_output.as_bytes()).expect("Could not write to output file"); let decryption = decrypt(output_file_name); let output_value: Value = serde_json::from_str(&decryption).unwrap(); std::fs::remove_file(output_file_name).expect("Could not remove output file"); assert_eq!(input_value, output_value); } fn validate_yaml_file(input_file_name: &str, encrypt: fn(&str) -> String, decrypt: fn(&str) -> String) { let output_file_name = "temp.yaml"; let mut input = String::new(); File::open(input_file_name).unwrap().read_to_string(&mut input); let input_value = YamlLoader::load_from_str(&input).expect("Could not decode input yaml"); let encrypted_output = encrypt(input_file_name); let mut output_file = OpenOptions::new() .write(true) .create(true) .open(output_file_name) .expect("Could not open output file"); output_file.write_all(encrypted_output.as_bytes()).expect("Could not write to output file"); let decryption = decrypt(output_file_name); let output_value = YamlLoader::load_from_str(&decryption) .expect("Could not decode output yaml"); std::fs::remove_file(output_file_name).expect("Could not remove output file"); assert_eq!(input_value, output_value); } #[test] fn validate_python_json() { validate_json_file("example.json", encrypt_with_sops_python, decrypt_with_sops_python); } #[test] fn validate_python_yaml() { validate_yaml_file("example.yaml", encrypt_with_sops_python, decrypt_with_sops_python); } 070701000000B6000041ED00000000000000000000000262794F9300000000000000000000000000000000000000000000001300000000sops-3.7.3/version070701000000B7000081A400000000000000000000000162794F93000009AF000000000000000000000000000000000000001E00000000sops-3.7.3/version/version.gopackage version import ( "bufio" "fmt" "net/http" "strings" "github.com/blang/semver" "gopkg.in/urfave/cli.v1" ) // Version represents the value of the current semantic version const Version = "3.7.3" // PrintVersion handles the version command for sops func PrintVersion(c *cli.Context) { out := fmt.Sprintf("%s %s", c.App.Name, c.App.Version) upstreamVersion, err := RetrieveLatestVersionFromUpstream() if err != nil { out += fmt.Sprintf("\n[warning] failed to retrieve latest version from upstream: %v\n", err) } outdated, err := AIsNewerThanB(upstreamVersion, Version) if err != nil { out += fmt.Sprintf("\n[warning] failed to compare current version with latest: %v\n", err) } if outdated { out += fmt.Sprintf("\n[info] sops %s is available, update with `go get -u go.mozilla.org/sops/v3/cmd/sops`\n", upstreamVersion) } else { out += " (latest)\n" } fmt.Fprintf(c.App.Writer, "%s", out) } // AIsNewerThanB takes 2 semver strings are returns true // is the A is newer than B, false otherwise func AIsNewerThanB(A, B string) (bool, error) { if strings.HasPrefix(B, "1.") { // sops 1.0 doesn't use the semver format, which will // fail the call to `make` below. Since we now we're // more recent than 1.X anyway, return true right away return true, nil } vA, err := semver.Make(A) if err != nil { return false, err } vB, err := semver.Make(B) if err != nil { return false, err } if vA.Compare(vB) > 0 { // vA is newer than vB return true, nil } return false, nil } // RetrieveLatestVersionFromUpstream gets the latest version from the source code at Github func RetrieveLatestVersionFromUpstream() (string, error) { resp, err := http.Get("https://raw.githubusercontent.com/mozilla/sops/master/version/version.go") if err != nil { return "", err } defer resp.Body.Close() scanner := bufio.NewScanner(resp.Body) for scanner.Scan() { line := scanner.Text() if strings.HasPrefix(line, `const Version = "`) { comps := strings.Split(line, `"`) if len(comps) < 2 { return "", fmt.Errorf("Failed to parse version from upstream source") } // try to parse the version as semver _, err := semver.Make(comps[1]) if err != nil { return "", fmt.Errorf("Retrieved version %q does not match semver format: %w", comps[1], err) } return comps[1], nil } } if err := scanner.Err(); err != nil { return "", err } return "", fmt.Errorf("Version information not found in upstream file") } 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!1674 blocks
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
